UNPKG

@pwrdrvr/microapps-cdk

Version:

MicroApps framework, by PwrDrvr LLC, delivered as an AWS CDK construct that provides the DynamoDB, Router service, Deploy service, API Gateway, and CloudFront distribution.

github.com/pwrdrvr/microapps-core

pwrdrvr/microapps-core

333 lines (332 loc) 12.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
import { RemovalPolicy } from 'aws-cdk-lib'; import * as acm from 'aws-cdk-lib/aws-certificatemanager'; import * as cf from 'aws-cdk-lib/aws-cloudfront'; import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; import * as r53 from 'aws-cdk-lib/aws-route53'; import { Construct } from 'constructs'; import { IMicroAppsCF } from './MicroAppsCF'; import { IMicroAppsEdgeToOrigin } from './MicroAppsEdgeToOrigin'; import { IMicroAppsS3 } from './MicroAppsS3'; import { IMicroAppsSvcs } from './MicroAppsSvcs'; /** * A CDK Construct for creating a MicroApps runtime environment used * to host Next.js, React, or any other sort of web application with * multiple versions available for comparison, quick rollbacks, quick * releases, and a complete lack of user disturbance on deploys. * * @remarks * * {@link MicroApps} provides a turn-key construct that creates all * dependencies with limited exposure of underlying AWS Resource options. * This construct is the easiest to use when exploring MicroApps for the * first time. * * {@link MicroAppsAPIGwy}, {@link MicroAppsCF}, {@link MicroAppsS3}, * and {@link MicroAppsSvcs}, and their helper static methods, can be used * to create AWS Resources more directly, to provide your own AWS Resources * (e.g. an existing CloudFront Distribution), and to have more flexibility * than the {@link MicroApps} construct offers. * * @packageDocumentation */ /** * Properties to initialize an instance of `MicroApps`. */ export interface MicroAppsProps { /** * RemovalPolicy override for child resources * * Note: if set to DESTROY the S3 buckes will have `autoDeleteObjects` set to `true` * * @default - per resource default */ readonly removalPolicy?: RemovalPolicy; /** * Passed to NODE_ENV of Router and Deployer Lambda functions. * * @default dev */ readonly appEnv: string; /** * Optional asset name root * * @example microapps * @default - resource names auto assigned */ readonly assetNameRoot?: string; /** * Optional asset name suffix * * @example -dev-pr-12 * @default none */ readonly assetNameSuffix?: string; /** * Route53 zone in which to create optional `domainNameEdge` record */ readonly r53Zone?: r53.IHostedZone; /** * Certificate in US-East-1 for the CloudFront distribution. */ readonly certEdge?: acm.ICertificate; /** * Certificate in deployed region for the API Gateway. */ readonly certOrigin?: acm.ICertificate; /** * Use a strict S3 Bucket Policy that prevents applications * from reading/writing/modifying/deleting files in the S3 Bucket * outside of the path that is specific to their app/version. * * This setting should be used when applications are less than * fully trusted. * * @default false */ readonly s3StrictBucketPolicy?: boolean; /** * Applies when using s3StrictBucketPolicy = true * * IAM Role or IAM User names to exclude from the DENY rules on the S3 Bucket Policy. * * Roles that are Assumed must instead have their AROA added to `s3PolicyBypassAROAs`. * * Typically any admin roles / users that need to view or manage the S3 Bucket * would be added to this list. * * @example ['arn:aws:iam::1234567890123:role/AdminAccess', 'arn:aws:iam::1234567890123:user/MyAdminUser'] * * @see s3PolicyBypassAROAs */ readonly s3PolicyBypassPrincipalARNs?: string[]; /** * Applies when using s3StrictBucketPolicy = true * * AROAs of the IAM Role to exclude from the DENY rules on the S3 Bucket Policy. * This allows sessions that assume the IAM Role to be excluded from the * DENY rules on the S3 Bucket Policy. * * Typically any admin roles / users that need to view or manage the S3 Bucket * would be added to this list. * * Roles / users that are used directly, not assumed, can be added to `s3PolicyBypassRoleNames` instead. * * Note: This AROA must be specified to prevent this policy from locking * out non-root sessions that have assumed the admin role. * * The notPrincipals will only match the role name exactly and will not match * any session that has assumed the role since notPrincipals does not allow * wildcard matches and does not do wildcard matches implicitly either. * * The AROA must be used because there are only 3 Principal variables available: * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable * aws:username, aws:userid, aws:PrincipalTag * * For an assumed role, aws:username is blank, aws:userid is: * [unique id AKA AROA for Role]:[session name] * * Table of unique ID prefixes such as AROA: * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes * * The name of the role is simply not available for an assumed role and, if it was, * a complicated comparison would be requierd to prevent exclusion * of applying the Deny Rule to roles from other accounts. * * To get the AROA with the AWS CLI: * aws iam get-role --role-name ROLE-NAME * aws iam get-user --user-name USER-NAME * * @example [ 'AROA1234567890123' ] * * @see s3StrictBucketPolicy */ readonly s3PolicyBypassAROAs?: string[]; /** * Optional custom domain name for the CloudFront distribution. * * @example apps.pwrdrvr.com * @default auto-assigned */ readonly domainNameEdge?: string; /** * Optional custom domain name for the API Gateway HTTPv2 API. * * @example apps-origin.pwrdrvr.com * @default auto-assigned */ readonly domainNameOrigin?: string; /** * Path prefix on the root of the CloudFront distribution * * @example dev/ */ readonly rootPathPrefix?: string; /** * Create API Gateway for non-edge invocation * * @default false */ readonly createAPIGateway?: boolean; /** * Create an extra Behavior (Route) for /api/ that allows * API routes to have a period in them. * * When false API routes with a period in the path will get routed to S3. * * When true API routes that contain /api/ in the path will get routed to API Gateway * even if they have a period in the path. * * @default true */ readonly createAPIPathRoute?: boolean; /** * Create an extra Behavior (Route) for /_next/data/ * This route is used by Next.js to load data from the API Gateway * on `getServerSideProps` calls. The requests can end in `.json`, * which would cause them to be routed to S3 if this route is not created. * * When false API routes with a period in the path will get routed to S3. * * When true API routes that contain /_next/data/ in the path will get routed to API Gateway * even if they have a period in the path. * * @default true */ readonly createNextDataPathRoute?: boolean; /** * Adds an X-Forwarded-Host-Header when calling API Gateway * * Can only be trusted if `signingMode` is enabled, which restricts * access to API Gateway to only IAM signed requests. * * Note: if true, creates OriginRequest Lambda @ Edge function for API Gateway Origin * @default true */ readonly addXForwardedHostHeader?: boolean; /** * Replaces Host header (which will be the Edge domain name) with the Origin domain name * when enabled. This is necessary when API Gateway has not been configured * with a custom domain name that matches the exact domain name used by the CloudFront * Distribution AND when the OriginRequestPolicy.HeadersBehavior is set * to pass all headers to the origin. * * Note: if true, creates OriginRequest Lambda @ Edge function for API Gateway Origin * @default true */ readonly replaceHostHeader?: boolean; /** * Requires IAM auth on the API Gateway origin if not set to 'none'. * * 'sign' - Uses request headers for auth. * 'presign' - Uses query string for auth. * * If enabled, * * Note: if 'sign' or 'presign', creates OriginRequest Lambda @ Edge function for API Gateway Origin * @default 'sign' */ readonly signingMode?: 'sign' | 'presign' | 'none'; /** * Origin region that API Gateway or Lambda function will be deployed to, used * for the config.yml on the Edge function to sign requests for * the correct region * * @default undefined */ readonly originRegion?: string; /** * Optional Origin Shield Region * * This should be the region where the DynamoDB is located so the * EdgeToOrigin calls have the lowest latency (~1 ms). * * @default originRegion if specified, otherwise undefined */ readonly originShieldRegion?: string; /** * Existing table for apps/versions/rules * * @warning - It is *strongly* suggested that production stacks create * their own DynamoDB Table and pass it into this construct, for protection * against data loss due to logical ID changes, the ability to configure * Provisioned capacity with Auto Scaling, the ability to add additional indices, etc. * * Requirements: * - Hash Key: `PK` * - Sort Key: `SK` * * @default created by construct */ readonly table?: dynamodb.ITable | dynamodb.ITableV2; /** * Pre-set table name for apps/versions/rules * * This is required when using v2 routing */ readonly tableNameForEdgeToOrigin?: string; /** * Additional edge lambda functions */ readonly edgeLambdas?: cf.EdgeLambda[]; /** * Account IDs allowed for cross-account Function URL invocations * * @default [] */ readonly allowedFunctionUrlAccounts?: string[]; /** * List of allowed locale prefixes for pages * * @example: ['en', 'fr', 'es'] * @default none */ readonly allowedLocalePrefixes?: string[]; /** * Additional IAM Role ARNs that should be allowed to invoke apps in child accounts */ readonly edgeToOriginRoleARNs?: string[]; } /** * Represents a MicroApps */ export interface IMicroApps { /** {@inheritdoc IMicroAppsCF} */ readonly cf: IMicroAppsCF; /** {@inheritdoc IMicroAppsEdgeToOrigin} */ readonly edgeToOrigin?: IMicroAppsEdgeToOrigin; /** {@inheritdoc IMicroAppsS3} */ readonly s3: IMicroAppsS3; /** {@inheritdoc IMicroAppsSvcs} */ readonly svcs: IMicroAppsSvcs; } /** * Create a new MicroApps "turnkey" construct for simple * deployments and for initial evaulation of the MicroApps framework. * * Use this construct to create a PoC working entire stack. * * Do not use this construct when adding MicroApps to an existing * CloudFront, API Gateway, S3 Bucket, etc. or where access * to all features of the AWS Resources are needed (e.g. to * add additional Behaviors to the CloudFront distribution, set authorizors * on API Gateway, etc.). * * @warning This construct is not intended for production use. * In a production stack the DynamoDB Table, API Gateway, S3 Buckets, * etc. should be created in a "durable" stack where the IDs will not * change and where changes to the MicroApps construct will not * cause failures to deploy or data to be deleted. * * @see {@link https://github.com/pwrdrvr/microapps-core/blob/main/packages/cdk/lib/MicroApps.ts | example usage in a CDK Stack } */ export declare class MicroApps extends Construct implements IMicroApps { private _cf; get cf(): IMicroAppsCF; private _edgeToOrigin?; get edgeToOrigin(): IMicroAppsEdgeToOrigin | undefined; private _s3; get s3(): IMicroAppsS3; private _svcs; get svcs(): IMicroAppsSvcs; constructor(scope: Construct, id: string, props?: MicroAppsProps); }