Scaffold aws-cdk project

.github/workflows/_docker-build-image.yml

@@ -15,12 +15,20 @@ on:
       tag-name:
         type: string
         default: ${{ github.ref_name }}
+      deploy-key:
+        type: string
+        required: true
 
 env:
   TAG_NAME: ${{ inputs.tag-name }}
   APP_DIR: ${{ inputs.app-name }}
   REGISTRY_PATH: ghcr.io/${{ inputs.org-name }}/${{ inputs.repo-name }}/${{ inputs.app-name }}
   COMMIT_SHA: ${{github.sha}}
+  AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_REGION: us-east-2
+  ECR_REPOSITORY: tts-10x-forms-${{ inputs.deploy-key }}-image-${{ inputs.app-name }}
 
 jobs:
   setup:
@@ -48,3 +56,17 @@ jobs:
       - name: Publish to container registry
         run: |
           docker push --all-tags ${REGISTRY_PATH}
+
+      # - name: Log in to AWS ECR
+      #   run: |
+      #     aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
+
+      # - name: Tag Docker image for ECR
+      #   run: |
+      #     docker tag ${REGISTRY_PATH}:${COMMIT_SHA} ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${COMMIT_SHA}
+      #     docker tag ${REGISTRY_PATH}:${TAG_NAME} ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${TAG_NAME}
+
+      # - name: Push Docker image to ECR
+      #   run: |
+      #     docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${COMMIT_SHA}
+      #     docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${TAG_NAME}

.github/workflows/_terraform-apply.yml

@@ -55,12 +55,13 @@ jobs:
         with:
           terraform_version: "1.10.4"
 
+      - name: Generate Terraform CDK provider constructs
+        shell: bash
+        run: pnpm --filter @gsa-tts/forms-infra-cdktf build:get
+
       - name: Initialize Terraform CDK configuration
         shell: bash
-        working-directory: infra/cdktf
-        run: |
-          pnpm cdktf get
-          pnpm build:tsc
+        run: pnpm turbo run --filter @gsa-tts/forms-infra-cdktf build
 
       - name: Install CloudFoundry CLI
         run: |

.github/workflows/_terraform-plan-pr-comment.yml

@@ -35,34 +35,27 @@ jobs:
         with:
           run_install: false
 
-      - name: Get pnpm store directory
-        id: pnpm-cache
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
-
-      - uses: actions/cache@v4
-        name: Setup pnpm cache
-        with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
-
-      - name: Install dependencies
-        run: pnpm install
-
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: "1.10.4"
+          terraform_version: "1.10.5"
 
-      - name: Initialize Terraform CDK configuration
-        shell: bash
-        working-directory: infra/cdktf
-        run: |
-          pnpm cdktf get
-          pnpm build:tsc
+      # - name: Get pnpm store directory
+      #   id: pnpm-cache
+      #   shell: bash
+      #   run: |
+      #     echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+
+      # - uses: actions/cache@v4
+      #   name: Setup pnpm cache
+      #   with:
+      #     path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+      #     key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
 
       - name: Install CloudFoundry CLI
         run: |
@@ -73,10 +66,13 @@ jobs:
         run: |
           cf api https://api.fr.cloud.gov
 
-      - name: Synthesize Terraform configuration
-        working-directory: infra/cdktf
-        run: |
-          DEPLOY_ENV=${DEPLOY_ENV} pnpm cdktf synth
+      - name: Generate Terraform CDK provider constructs
+        shell: bash
+        run: pnpm --filter @gsa-tts/forms-infra-cdktf build:get
+
+      - name: Build Terraform configuration
+        shell: bash
+        run: pnpm turbo run --filter @gsa-tts/forms-infra-cdktf build
 
       - name: Get Terraform stack name
         id: get_stack_name
@@ -85,8 +81,57 @@ jobs:
           DEPLOY_ENV=${DEPLOY_ENV} pnpm cdktf output --outputs-file outputs.json
           echo "stack_name=$(jq -r 'keys[0]' outputs.json)" >> $GITHUB_OUTPUT
 
-      - name: Create Terraform plan
-        uses: dflook/terraform-plan@v1
+      - name: Generate Terraform plan
+        id: generate_terraform_plan
+        working-directory: infra/cdktf/cdktf.out/stacks/${{ steps.get_stack_name.outputs.stack_name }}
+        run: |
+          terraform plan -out=tfplan -input=false
+          terraform show -no-color tfplan | awk '
+          {
+              if (heredoc && $0 ~ /^[[:space:]]*EOT/) {
+                  heredoc = 0;
+                  print;
+                  next;
+              } else if (heredoc) {
+                  print;
+                  next;
+              } else if ($0 ~ /EOT$/) {
+                  heredoc = 1;
+              }
+
+              # Move Terraform diff markers (-, +, ~) to the beginning while preserving indentation
+              if ($0 ~ /^[[:space:]]+[-+~]/) {
+                  leading_ws = substr($0, 1, match($0, "[-+~]") - 1);  # Extract leading whitespace
+                  op = substr($0, match($0, "[-+~]"), 1);             # Extract the first change symbol (-, +, ~)
+                  rest = substr($0, match($0, "[-+~]") + 1);          # Extract the rest of the line after the symbol
+
+                  print op leading_ws rest;  # Print with the marker moved to the beginning
+                  next;
+              }
+
+              # Replace "~ " at the start with "!~ " to highlight modifications distinctly
+              sub(/^[[:space:]]*~ /, "!~ ");
+
+              # Ensure lines starting with "# (" keep their indentation properly
+              if ($0 ~ /^[[:space:]]+# \(.*/) {
+                  leading_ws = substr($0, 1, match($0, "#") - 1);  # Extract indentation
+                  rest = substr($0, match($0, "#"));              # Extract the `# (hidden elements)`
+                  print leading_ws rest;                          # Print correctly formatted line
+                  next;
+              }
+
+              print;
+          }' > tf-plan.txt
+          echo "<details><summary>$(tail -n 1 tf-plan.txt)</summary>" > pr-comment.txt
+          echo '' >> pr-comment.txt
+          echo '```diff' >> pr-comment.txt
+          cat tf-plan.txt >> pr-comment.txt
+          echo '```' >> pr-comment.txt
+          echo '</details>' >> pr-comment.txt
+
+      - name: Add comment to PR with Terraform plan
+        uses: marocchino/sticky-pull-request-comment@v2
         with:
-          path: infra/cdktf/cdktf.out/stacks/${{ steps.get_stack_name.outputs.stack_name }}
-          label: ${{ steps.get_stack_name.outputs.stack_name }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          header: terraform-plan
+          path: infra/cdktf/cdktf.out/stacks/${{ steps.get_stack_name.outputs.stack_name }}/pr-comment.txt

.github/workflows/deploy.yml

@@ -14,10 +14,13 @@ jobs:
     with:
       app-name: server-doj
       tag-name: ${{ github.ref_name }}
+      deploy-key: "${{ github.ref_name == 'main' && 'dev' || 'demo' }}"
+      #deploy-key: dev
 
   deploy:
     needs: [build-image-doj]
     uses: ./.github/workflows/_terraform-apply.yml
     secrets: inherit
     with:
       deploy-env: ${{ github.ref_name }}
+      #deploy-env: main

.github/workflows/publish-npm-packages.yml

@@ -0,0 +1,72 @@
+name: Publish to GitHub Packages
+
+on:
+  workflow_dispatch:
+  # push:
+  #   branches:
+  #     - main
+  #     - demo
+  #     - release/**
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          registry-url: https://npm.pkg.github.com/
+          scope: "@gsa-tts"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        id: pnpm-install
+        with:
+          run_install: false
+
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+
+      - uses: actions/cache@v4
+        name: Setup pnpm cache
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Build packages
+        run: pnpm run build
+
+      - name: Authenticate with GitHub Packages
+        run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
+
+      - name: Get commit hash
+        id: commit
+        run: echo "COMMIT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: Get branch name
+        id: branch
+        run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+
+      - name: Publish all packages with commit hash tag
+        run: pnpm -r publish --no-git-checks --tag ${{ env.COMMIT_HASH }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag all packages with branch name
+        run: pnpm -r dist-tag add @gsa-tts/*@$(pnpm list --depth=-1 --json | jq -r '.[].version') ${{ env.BRANCH_NAME }}
+
+      - name: Update latest tag (only for main)
+        if: github.ref == 'refs/heads/main'
+        run: pnpm -r dist-tag add @gsa-tts/*@$(pnpm list --depth=-1 --json | jq -r '.[].version') latest

.gitignore

@@ -1,5 +1,13 @@
 .DS_Store
 .env
+.env.local
+.env.development
+.env.development.local
+.env.production
+.env.production.local
+.npmrc
+
+*~
 .pnpm-store/
 *.code-workspace
 _site
@@ -17,4 +25,4 @@ packages/form-service
 /e2e/playwright-report/
 /e2e/blob-report/
 /e2e/playwright/.cache/
-__screenshots__/
+__screenshots__/

.nvmrc

@@ -1 +1 @@
-v22.12.0
+v22.14.0

apps/cli/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "@gsa-tts/forms-cli-app",
-  "version": "1.0.0",
+  "name": "@gsa-tts/forms-cli",
+  "version": "1.0.0-beta.1",
   "description": "10x Forms Platform command-line interface",
   "type": "module",
   "license": "CC0",

apps/server-doj/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@gsa-tts/forms-server-doj",
-  "version": "1.0.0",
+  "version": "1.0.0-beta.1",
   "description": "Form server instance for DOJ",
   "type": "module",
   "license": "CC0",
   "main": "src/index.ts",
+  "private": true,
   "scripts": {
     "build": "tsup src/* --format esm",
     "clean": "rimraf dist tsconfig.tsbuildinfo coverage",
@@ -14,6 +15,7 @@
   },
   "dependencies": {
     "@gsa-tts/forms-database": "workspace:*",
+    "@gsa-tts/forms-infra-core": "workspace:*",
     "@gsa-tts/forms-server": "workspace:*"
   },
   "devDependencies": {

apps/server-doj/src/index.ts

@@ -1,11 +1,13 @@
 import { createPostgresDatabaseContext } from '@gsa-tts/forms-database/context';
+import { getAWSSecretsManagerVault } from '@gsa-tts/forms-infra-core';
+
 import { createCustomServer } from './server.js';
 
 const port = process.env.PORT || 4321;
 
 const getCloudGovServerSecrets = () => {
   if (process.env.VCAP_SERVICES === undefined) {
-    throw new Error('VCAP_SERVICES not found');
+    return;
   }
   const services = JSON.parse(process.env.VCAP_SERVICES || '{}');
   return {
@@ -14,7 +16,35 @@ const getCloudGovServerSecrets = () => {
   };
 };
 
-const secrets = getCloudGovServerSecrets();
+const getAppRunnerSecrets = async () => {
+  const secrets = {
+    dbHost: process.env.DB_HOST,
+    dbPort: process.env.DB_PORT,
+    dbName: process.env.DB_NAME,
+    dbSecretArn: process.env.DB_SECRET_ARN,
+  }
+  if (secrets.dbHost === undefined || secrets.dbPort === undefined || secrets.dbName === undefined || secrets.dbSecretArn === undefined) {
+    return;
+  }
+
+  const vault = getAWSSecretsManagerVault();
+  const dbSecret = await vault.getSecret(secrets.dbSecretArn);
+  if (dbSecret === undefined) {
+    console.error('Error getting secret:', secrets.dbSecretArn);
+    return;
+  }
+  const secret = JSON.parse(dbSecret);
+  return {
+    dbUri: `postgresql://${secret.username}:${secret.password}@${secret.dbHost}:${secret.dbPort}/${secret.dbName}`
+  };
+};
+
+const secrets = getCloudGovServerSecrets() || (await getAppRunnerSecrets());
+if (secrets === undefined) {
+  console.error('Error getting secrets');
+  process.exit(1);
+}
+
 const db = await createPostgresDatabaseContext(secrets.dbUri, true);
 const server = await createCustomServer(db);
 server.listen(port, () => {

apps/spotlight/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@gsa-tts/forms-spotlight",
   "type": "module",
-  "version": "0.0.1",
+  "version": "1.0.0-beta.1",
+  "private": true,
   "scripts": {
     "astro": "astro",
     "build": "astro build",

e2e/Dockerfile

@@ -1,5 +1,5 @@
 # base image with Node.js and playwright preinstalled
-FROM mcr.microsoft.com/playwright:v1.50.0-noble as base
+FROM mcr.microsoft.com/playwright:v1.50.1-noble as base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 ENV NODE_ENV=test