Scaffold aws-cdk project

.github/workflows/_docker-build-image.yml

@@ -15,12 +15,19 @@ on:
       tag-name:
         type: string
         default: ${{ github.ref_name }}
+      deploy-key:
+        type: string
+        required: true
 
 env:
   TAG_NAME: ${{ inputs.tag-name }}
   APP_DIR: ${{ inputs.app-name }}
   REGISTRY_PATH: ghcr.io/${{ inputs.org-name }}/${{ inputs.repo-name }}/${{ inputs.app-name }}
   COMMIT_SHA: ${{github.sha}}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_REGION: us-east-2
+  ECR_REPOSITORY: tts-10x-forms-${{ inputs.deploy-key }}-image-${{ inputs.app-name }}
 
 jobs:
   setup:
@@ -45,6 +52,16 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Publish to container registry
+      - name: Log in to AWS ECR
+        run: |
+          aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
+
+      - name: Tag Docker image for ECR
+        run: |
+          docker tag ${REGISTRY_PATH}:${COMMIT_SHA} ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${COMMIT_SHA}
+          docker tag ${REGISTRY_PATH}:${TAG_NAME} ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${TAG_NAME}
+
+      - name: Push Docker image to ECR
         run: |
-          docker push --all-tags ${REGISTRY_PATH}
+          docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${COMMIT_SHA}
+          docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${TAG_NAME}

.github/workflows/deploy.yml

@@ -14,13 +14,15 @@ jobs:
     with:
       app-name: server-doj
       tag-name: ${{ github.ref_name }}
+      deploy-key: "${{ github.ref_name == 'main' && 'dev' || 'demo' }}"
 
   build-image-kansas:
     uses: ./.github/workflows/_docker-build-image.yml
     secrets: inherit
     with:
       app-name: server-kansas
       tag-name: ${{ github.ref_name }}
+      deploy-key: "${{ github.ref_name == 'main' && 'dev' || 'demo' }}"
 
   deploy:
     needs: [build-image-doj, build-image-kansas]

.gitignore

@@ -1,5 +1,12 @@
 .DS_Store
 .env
+.env.local
+.env.development
+.env.development.local
+.env.production
+.env.production.local
+
+*~
 .pnpm-store/
 *.code-workspace
 _site
@@ -17,4 +24,4 @@ packages/form-service
 /e2e/playwright-report/
 /e2e/blob-report/
 /e2e/playwright/.cache/
-__screenshots__/
+__screenshots__/

infra/aws-cdk/.gitignore

@@ -0,0 +1,5 @@
+cdk.out/
+cdk.context.json
+*.d.ts
+*.js
+AwsCdkStack/

infra/aws-cdk/README.md

@@ -0,0 +1,14 @@
+# Welcome to your CDK TypeScript project
+
+This is a blank project for CDK development with TypeScript.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+## Useful commands
+
+* `npm run build`   compile typescript to js
+* `npm run watch`   watch for changes and compile
+* `npm run test`    perform the jest unit tests
+* `npx cdk deploy`  deploy this stack to your default AWS account/region
+* `npx cdk diff`    compare deployed stack with current state
+* `npx cdk synth`   emits the synthesized CloudFormation template

infra/aws-cdk/bin/aws-cdk.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { AwsCdkStack } from '../lib/aws-cdk-stack';
+
+const app = new cdk.App();
+new AwsCdkStack(app, 'AwsCdkStack', {
+  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
+
+  /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
+
+
+});

infra/aws-cdk/cdk.json

@@ -0,0 +1,85 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/aws-cdk.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
+  }
+}

infra/aws-cdk/env.sample

@@ -0,0 +1,2 @@
+CDK_DEFAULT_ACCOUNT=
+CDK_DEFAULT_REGION=

infra/aws-cdk/jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};

infra/aws-cdk/lib/aws-cdk-stack.ts

@@ -0,0 +1,93 @@
+import { Construct } from 'constructs';
+import * as cdk from 'aws-cdk-lib';
+import * as apprunner from 'aws-cdk-lib/aws-apprunner';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as rds from 'aws-cdk-lib/aws-rds';
+import * as changeCase from 'change-case';
+
+export class AwsCdkStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const environment = new cdk.CfnParameter(this, 'Environment', {
+      type: 'String',
+      description: 'The environment for the stack (e.g., dev, prod)',
+    });
+
+    const dockerImagePath = new cdk.CfnParameter(this, 'DockerImagePath', {
+      type: 'String',
+      description: 'The Docker image url for the App Runner service',
+    });
+
+    // Create a VPC for the RDS instance
+    const vpc = new ec2.Vpc(this, 'Vpc', {
+      maxAzs: 2,
+    });
+
+    // Create a security group for the RDS instance
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+      vpc,
+      description: 'Allow postgres access',
+      allowAllOutbound: true,
+    });
+    securityGroup.addIngressRule(
+      ec2.Peer.anyIpv4(),
+      ec2.Port.tcp(5432),
+      'Allow postgres access from anywhere'
+    );
+
+    // Create the RDS instance
+    const databaseName = `${changeCase.snakeCase(environment.valueAsString)}_database`;
+    const rdsInstance = new rds.DatabaseInstance(this, 'RdsInstance', {
+      engine: rds.DatabaseInstanceEngine.postgres({
+        version: rds.PostgresEngineVersion.VER_15,
+      }),
+      vpc,
+      securityGroups: [securityGroup],
+      instanceType: ec2.InstanceType.of(
+        ec2.InstanceClass.BURSTABLE3,
+        ec2.InstanceSize.MICRO
+      ),
+      allocatedStorage: 20,
+      maxAllocatedStorage: 100,
+      databaseName,
+      credentials: rds.Credentials.fromGeneratedSecret('postgres'),
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    });
+
+    // Create an IAM role for the App Runner service
+    const appRunnerRole = new iam.Role(this, 'AppRunnerRole', {
+      assumedBy: new iam.ServicePrincipal('build.apprunner.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          'service-role/AWSAppRunnerServicePolicyForECRAccess'
+        ),
+      ],
+    });
+
+    // Create the App Runner service
+    const appRunnerService = new apprunner.CfnService(
+      this,
+      'AppRunnerService',
+      {
+        sourceConfiguration: {
+          imageRepository: {
+            imageIdentifier: dockerImagePath.valueAsString,
+            imageRepositoryType: 'ECR',
+          },
+          authenticationConfiguration: {
+            accessRoleArn: appRunnerRole.roleArn,
+          },
+        },
+        serviceName: `${environment.valueAsString}-app-runner-service`,
+      }
+    );
+
+    // Export a publicly-accessible URL for the App Runner service
+    new cdk.CfnOutput(this, 'AppRunnerServiceUrl', {
+      value: appRunnerService.attrServiceUrl,
+      description: 'The URL for the App Runner service',
+    });
+  }
+}

infra/aws-cdk/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@atj/infra-aws-cdk",
+  "version": "1.0.0",
+  "bin": {
+    "aws-cdk": "bin/aws-cdk.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "watch": "tsc -w",
+    "test": "jest",
+    "cdk": "cdk",
+    "synth": "cdk synth --output AwsCdkStack"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/node": "22.7.9",
+    "aws-cdk": "2.176.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "ts-node": "^10.9.2",
+    "typescript": "~5.6.3"
+  },
+  "dependencies": {
+    "@atj/infra-core": "workspace:*",
+    "aws-cdk-lib": "2.176.0",
+    "change-case": "^5.4.4",
+    "constructs": "^10.0.0"
+  }
+}

infra/aws-cdk/test/aws-cdk.test.ts

@@ -0,0 +1,17 @@
+// import * as cdk from 'aws-cdk-lib';
+// import { Template } from 'aws-cdk-lib/assertions';
+// import * as AwsCdk from '../lib/aws-cdk-stack';
+
+// example test. To run these tests, uncomment this file along with the
+// example resource in lib/aws-cdk-stack.ts
+test('SQS Queue Created', () => {
+//   const app = new cdk.App();
+//     // WHEN
+//   const stack = new AwsCdk.AwsCdkStack(app, 'MyTestStack');
+//     // THEN
+//   const template = Template.fromStack(stack);
+
+//   template.hasResourceProperties('AWS::SQS::Queue', {
+//     VisibilityTimeout: 300
+//   });
+});

infra/aws-cdk/tsconfig.json

@@ -0,0 +1,31 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": [
+      "es2020",
+      "dom"
+    ],
+    "declaration": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "noImplicitThis": true,
+    "alwaysStrict": true,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": false,
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "experimentalDecorators": true,
+    "strictPropertyInitialization": false,
+    "typeRoots": [
+      "./node_modules/@types"
+    ]
+  },
+  "exclude": [
+    "node_modules",
+    "cdk.out"
+  ]
+}

infra/cdktf/package.json

@@ -7,13 +7,15 @@
     "build": "pnpm build:tsc && pnpm build:synth",
     "build:get": "cdktf get",
     "build:synth": "pnpm build:synth:main && pnpm build:synth:demo",
+    "build:synth:local": "DEPLOY_GIT_REF=main DEPLOY_ENV=main cdktf synth",
     "build:synth:main": "DEPLOY_ENV=main cdktf synth",
     "build:synth:demo": "DEPLOY_ENV=demo cdktf synth",
     "build:tsc": "tsc --pretty",
     "clean": "rimraf cdktf.out dist tsconfig.tsbuildinfo",
     "clean:gen": "rimraf .gen",
     "deploy:main": "DEPLOY_ENV=main cdktf deploy",
     "deploy:demo": "DEPLOY_ENV=demo cdktf deploy",
+    "deploy:main:local": "DEPLOY_GIT_REF=main DEPLOY_ENV=main cdktf deploy",
     "dev": "tsc -w",
     "test": "jest",
     "test:watch": "jest --watch"