CMDCT-4105 - updates to serverless files to make v4 work correctly

Enterprise-CMCS · Jan 13, 2025 · 4b447d1 · 4b447d1
1 parent 62dda61
commit 4b447d1
Show file tree

Hide file tree

Showing 13 changed files with 161 additions and 4,094 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,6 +14,10 @@ permissions:
   contents: read
   actions: read
 
+env:
+  SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
+  BIFF: DUDE_DUDE_DUDE_DUDE_DUDE
+
 jobs:
   unit-tests:
     name: Unit Tests
@@ -52,27 +56,26 @@ jobs:
       - uses: actions/cache@v4
         with:
           path: "**/node_modules"
-          key: ${{ runner.os }}-modulesDDD-${{ hashFiles('**/yarn.lock', 'plugins/**') }}
+          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock', 'plugins/**') }}
       - name: set path
         run: |
           echo "PATH=$(pwd)/node_modules/.bin/:$PATH" >> $GITHUB_ENV
       - name: deploy
-        env:
-          SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
         run: |
           # When deploying multiple copies of this quickstart to the same AWS Account (not ideal), a prefix helps prevent stepping on each other.
           # This can optionally be set as an GitHub Actions Secret
           ./run deploy --stage $STAGE_PREFIX$branch_name
       - name: Endpoint
         id: endpoint
         run: |
+          echo $BIFF
           APPLICATION_ENDPOINT=$(./output.sh ui ApplicationEndpointUrl $STAGE_PREFIX$branch_name)
           echo "application_endpoint=$APPLICATION_ENDPOINT" >> $GITHUB_OUTPUT
           echo "## Application Endpoint" >> $GITHUB_STEP_SUMMARY
           echo "<$APPLICATION_ENDPOINT>" >> $GITHUB_STEP_SUMMARY
         working-directory: services
     outputs:
-      application_endpoint: ${{ steps.endpoint.outputs.application_endpoint}}
+      application_endpoint: ${{ steps.endpoint.outputs.application_endpoint }}
       BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION }}
       BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME: ${{ steps.set_names.outputs.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME }}
 

diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
@@ -16,6 +16,9 @@ permissions:
   contents: read
   actions: read
 
+env:
+  SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
+
 jobs:
   destroy:
     # Protected branches should be designated as such in the GitHub UI.
@@ -62,7 +65,7 @@ jobs:
   # Notify the integrations channel when a destroy action fails
   notify_on_destroy_failure:
     runs-on: ubuntu-latest
-    needs: 
+    needs:
       - destroy
     if: ${{ failure() }}
     steps:

diff --git a/package.json b/package.json
@@ -40,7 +40,6 @@
     "eslint-plugin-react-hooks": "^2.x",
     "prettier": "^2.4.1",
     "serverless": "^4.4.0",
-    "serverless-bundle": "^6.0.0",
     "serverless-dotenv-plugin": "^4.0.0",
     "serverless-iam-helper": "github:Enterprise-CMCS/serverless-iam-helper",
     "serverless-offline": "^13.5.0",

diff --git a/serverless-compose.yml b/serverless-compose.yml
@@ -2,51 +2,51 @@ services:
   # wave 1: no dependencies
   database:
     path: services/database
-  # topics:
-  #   path: services/topics
-  # ui:
-  #   path: services/ui
+  topics:
+    path: services/topics
+  ui:
+    path: services/ui
 
-  # # wave 2: depends on database
-  # uploads:
-  #   path: services/uploads
-  #   params:
-  #     MeasureTable: ${database.MeasureTable}
-  #     CoreSetTable: ${database.CoreSetTable}
-  #     RateTable: ${database.RateTable}
+  # wave 2: depends on database
+  uploads:
+    path: services/uploads
+    params:
+      MeasureTable: ${database.MeasureTable}
+      CoreSetTable: ${database.CoreSetTable}
+      RateTable: ${database.RateTable}
 
-  # app-api:
-  #   path: services/app-api
-  #   params:
-  #     CoreSetTable: ${database.CoreSetTable}
-  #     CoreSetTableStreamArn: ${database.CoreSetTableStreamArn}
-  #     MeasureTable: ${database.MeasureTable}
-  #     MeasureTableStreamArn: ${database.MeasureTableStreamArn}
-  #     RateTable: ${database.RateTable}
-  #     RateTableStreamArn: ${database.RateTableStreamArn}
-  #     BannerTableName: ${database.BannerTableName}
+  app-api:
+    path: services/app-api
+    params:
+      CoreSetTable: ${database.CoreSetTable}
+      CoreSetTableStreamArn: ${database.CoreSetTableStreamArn}
+      MeasureTable: ${database.MeasureTable}
+      MeasureTableStreamArn: ${database.MeasureTableStreamArn}
+      RateTable: ${database.RateTable}
+      RateTableStreamArn: ${database.RateTableStreamArn}
+      BannerTableName: ${database.BannerTableName}
 
-  # # wave 3: depends on many
-  # ui-auth:
-  #   path: services/ui-auth
-  #   params:
-  #     AttachmentsBucketArn: ${uploads.AttachmentsBucketArn}
-  #     ApiGatewayRestApiName: ${app-api.ApiGatewayRestApiName}
-  #     ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}
+  # wave 3: depends on many
+  ui-auth:
+    path: services/ui-auth
+    params:
+      AttachmentsBucketArn: ${uploads.AttachmentsBucketArn}
+      ApiGatewayRestApiName: ${app-api.ApiGatewayRestApiName}
+      ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}
 
-  # # wave 4: depends on most
-  # ui-src:
-  #   path: services/ui-src
-  #   params:
-  #     ApiRegion: ${app-api.Region}
-  #     ApiGatewayRestApiUrl: ${app-api.ApiGatewayRestApiUrl}
-  #     CognitoRegion: ${ui-auth.Region}
-  #     IdentityPoolId: ${ui-auth.IdentityPoolId}
-  #     UserPoolId: ${ui-auth.UserPoolId}
-  #     UserPoolClientId: ${ui-auth.UserPoolClientId}
-  #     UserPoolClientDomain: ${ui-auth.UserPoolClientDomain}
-  #     AttachmentsBucketRegion: ${uploads.Region}
-  #     AttachmentsBucketName: ${uploads.AttachmentsBucketName}
-  #     S3BucketName: ${ui.S3BucketName}
-  #     CloudFrontDistributionId: ${ui.CloudFrontDistributionId}
-  #     ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}
+  # wave 4: depends on most
+  ui-src:
+    path: services/ui-src
+    params:
+      ApiRegion: ${app-api.Region}
+      ApiGatewayRestApiUrl: ${app-api.ApiGatewayRestApiUrl}
+      CognitoRegion: ${ui-auth.Region}
+      IdentityPoolId: ${ui-auth.IdentityPoolId}
+      UserPoolId: ${ui-auth.UserPoolId}
+      UserPoolClientId: ${ui-auth.UserPoolClientId}
+      UserPoolClientDomain: ${ui-auth.UserPoolClientDomain}
+      AttachmentsBucketRegion: ${uploads.Region}
+      AttachmentsBucketName: ${uploads.AttachmentsBucketName}
+      S3BucketName: ${ui.S3BucketName}
+      CloudFrontDistributionId: ${ui.CloudFrontDistributionId}
+      ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}
diff --git a/services/app-api/serverless.yml b/services/app-api/serverless.yml
@@ -7,14 +7,12 @@ package:
   individually: true
 
 plugins:
-  # - serverless-plugin-typescript
   - serverless-associate-waf
   - "@enterprise-cmcs/serverless-waf-plugin"
   - serverless-offline-ssm
   - serverless-offline
   - serverless-stack-termination-protection
   - serverless-iam-helper
-  - serverless-s3-bucket-helper
   - serverless-dotenv-plugin
 
 custom:
@@ -81,7 +79,7 @@ provider:
     restApi: true
   iam:
     role:
-      path: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+      path: /delegatedadmin/developer/
       permissionsBoundary: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
       statements:
         - Effect: "Allow"

diff --git a/services/database/serverless.yml b/services/database/serverless.yml
@@ -5,7 +5,6 @@ frameworkVersion: "4"
 plugins:
   - serverless-dynamodb
   - serverless-stack-termination-protection
-  - serverless-s3-bucket-helper
 
 custom:
   project: "qmr"

diff --git a/services/output.sh b/services/output.sh
@@ -12,10 +12,12 @@ $example}
 
 service=${1}
 output=${2}
-stage=${3:-dev}
+stage=${3}
 
 if [ $output = "url" ]; then
   output="CloudFrontEndpointUrl"
 fi
+echo $BIFF
 
-cd $service && serverless info --stage $stage --verbose | sed -e '1,/^Stack Outputs/d' -e '$d' | sed -n -e "s/^.*$output: //p" && cd ..
+cd $service
+serverless info --stage $stage --verbose | sed -e '1,/^Stack Outputs/d' -e '$d' | sed -n -e "s/^.*$output: //p" && cd ..
diff --git a/services/topics/serverless.yml b/services/topics/serverless.yml
@@ -11,7 +11,6 @@ plugins:
   - serverless-plugin-scripts
   - serverless-disable-functions
   - serverless-stack-termination-protection
-  - serverless-bundle
   - "@stratiformdigital/serverless-iam-helper"
   - "@stratiformdigital/serverless-online"
   - "@stratiformdigital/serverless-s3-security-helper"
@@ -27,7 +26,7 @@ provider:
     SERVICE: ${self:service}
   iam:
     role:
-      path: ${env:IAM_PATH, ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+      path: /delegatedadmin/developer/
       permissionsBoundary: ${env:IAM_PERMISSIONS_BOUNDARY, ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
 
 custom:

diff --git a/services/ui-auth/serverless.yml b/services/ui-auth/serverless.yml
@@ -15,7 +15,7 @@ provider:
     SERVICE: ${self:service}
   iam:
     role:
-      path: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+      path: /delegatedadmin/developer/
       permissionsBoundary: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
       statements:
         - Effect: "Allow"
@@ -26,9 +26,7 @@ provider:
 plugins:
   - serverless-stack-termination-protection
   - serverless-plugin-scripts
-  - serverless-bundle
   - serverless-iam-helper
-  - serverless-s3-bucket-helper
   - "@enterprise-cmcs/serverless-waf-plugin"
 
 custom:

diff --git a/services/ui-src/serverless.yml b/services/ui-src/serverless.yml
@@ -7,7 +7,6 @@ plugins:
   - serverless-s3-sync
   - serverless-cloudfront-invalidate
   - serverless-stack-termination-protection
-  - serverless-s3-bucket-helper
 
 provider:
   name: aws
@@ -54,6 +53,7 @@ custom:
     hooks:
       # Build the static archive and populate the config
       package:initialize: |
+        cd services/ui-src/
         set -e
         SKIP_PREFLIGHT_CHECK=true yarn run build
         export API_REGION=${self:custom.api_region}
@@ -75,6 +75,13 @@ custom:
         ./env.sh
         cp public/env-config.js build/env-config.js
 resources:
+  Resources:
+    Honk: # this is just because it won't deploy unless we have some resource being created
+      Type: AWS::SSM::Parameter
+      Properties:
+        Type: String
+        Value: 'honk'
+
   Outputs:
     ProdUrl:
       Value: !Sub ${ssm:/configuration/prodUrl, ""}
diff --git a/services/ui/serverless.yml b/services/ui/serverless.yml
@@ -12,14 +12,13 @@ provider:
     SERVICE: ${self:service}
   iam:
     role:
-      path: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+      path: /delegatedadmin/developer/
       permissionsBoundary: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
 
 plugins:
   - serverless-plugin-scripts
   - serverless-stack-termination-protection
   - serverless-iam-helper
-  - serverless-s3-bucket-helper
   - "@enterprise-cmcs/serverless-waf-plugin"
 
 custom:
@@ -138,6 +137,13 @@ resources:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
                 SSEAlgorithm: AES256
+        PublicAccessBlockConfiguration:
+          BlockPublicAcls: true
+          BlockPublicPolicy: true
+          IgnorePublicAcls: true
+          RestrictPublicBuckets: true
+        VersioningConfiguration:
+          Status: Enabled
       DeletionPolicy: Delete
     BucketPolicy:
       Type: AWS::S3::BucketPolicy

diff --git a/services/uploads/serverless.yml b/services/uploads/serverless.yml
@@ -9,7 +9,6 @@ plugins:
   - serverless-s3-local
   - serverless-stack-termination-protection
   - serverless-iam-helper
-  - serverless-s3-bucket-helper
 
 provider:
   name: aws
@@ -20,7 +19,7 @@ provider:
     SERVICE: ${self:service}
   iam:
     role:
-      path: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
+      path: /delegatedadmin/developer/
       permissionsBoundary: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
       statements:
         - Effect: "Allow"
@@ -49,8 +48,6 @@ custom:
   serverless-offline-ssm:
     stages:
       - local
-  iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path,"/"}
-  iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   measureTable: ${env:measureTable, param:MeasureTable}
   coreSetTable: ${env:coreSetTable, param:CoreSetTable}
   rateTable: ${env:rateTable, param:RateTable}
@@ -438,12 +435,6 @@ resources:
               Principal:
                 Service: "lambda.amazonaws.com"
               Action: "sts:AssumeRole"
-        Path: ${self:custom.iamPath}
-        PermissionsBoundary:
-          Fn::If:
-            - CreatePermissionsBoundary
-            - !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
-            - !Ref AWS::NoValue
         Policies:
           - PolicyName: "BucketAVScanRolePolicy"
             PolicyDocument:
@@ -506,12 +497,6 @@ resources:
               Principal:
                 Service: "lambda.amazonaws.com"
               Action: "sts:AssumeRole"
-        Path: ${self:custom.iamPath}
-        PermissionsBoundary:
-          Fn::If:
-            - CreatePermissionsBoundary
-            - !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
-            - !Ref AWS::NoValue
         Policies:
           - PolicyName: "BucketAVDownloadRolePolicy"
             PolicyDocument: