Forem: Kevin Lactio Kemta The latest articles on Forem by Kevin Lactio Kemta (@nivekalara237). https://forem.com/nivekalara237 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F134119%2F4f1faab3-5f05-477c-a353-4a694224da80.png Forem: Kevin Lactio Kemta https://forem.com/nivekalara237 en How to combine SQS and SNS to implement multiple Consumers (Part 2) Kevin Lactio Kemta Tue, 15 Oct 2024 04:30:00 +0000 https://forem.com/nivekalara237/how-to-combine-sqs-and-sns-to-implement-multiple-consumers-part-2-5a63 https://forem.com/nivekalara237/how-to-combine-sqs-and-sns-to-implement-multiple-consumers-part-2-5a63 <h6> <span>Day 020 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>In my previous article, <a href="https://dev.to/nivekalara237/why-you-shouldnt-use-amazon-sqs-for-multiple-consumers-choose-amazon-sns-instead-2nj3">Why you Shouldn't Use Amazon SQS for multiple Consumers—Choose Amazon SNS Instead! (Part 1)</a>, I discussed the differences between Amazon SQS and Amazon SNS from my perspective. The key takeaway was that Amazon SQS is better suited for scenarios where messages need to be processed by a single consumer, whereas Amazon SNS excels at broadcasting notifications to multiple systems simultaneously.</p> <p>Today, I'll demonstrate how to combine SNS and SQS when you have a message producer that needs to communicate with multiple consumers/subscribers.</p> <h3> Scenario </h3> <p>Let's get straight to the point. The goal of this article is to demonstrate how to create a simple and effective <code>Pub/Sub</code> system. The concept revolves around a basic user registration system. Her's an overview:</p> <ol> <li>A SpringBoot Application exposes an API that allows users to be created.</li> <li>Once a user is created, a message containing the user's information is sent to an <code>SNS Topic</code>.</li> <li>Two other applications consume the messages published to this topic throught SQS Queue: <ul> <li>the first indexes the user (for future search functionality, e.g: with OpenSearch)</li> <li>the second generates a user code (similar to a PIN) that con be used by the user to access certain services or applications.</li> </ul> </li> </ol> <p>Below is the complete scenario illustrated.</p> <pre> +--------------------------+ +------------------------+ | User Management App | | Amazon SNS Topic | | (Producer) |--------&gt;| "UserCreatedTopic" | | Spring Boot | | (Broadcast messages) | +--------------------------+ +------------------------+ / \ / \ / \ +-----------------------+ +----------------------+ | Amazon SQS Queue 1 | | Amazon SQS Queue 2 | | "SearchQueue" | | "CodeGenQueue" | +-----------------------+ +----------------------+ | | v v +--------------------------+ +--------------------------+ | Search Indexing App | | Code Generation App | | (Consumer) | | (Consumer) | | Spring Boot | | Spring Boot | +--------------------------+ +--------------------------+ </pre> <h3> Producer &amp; Consumers </h3> <p>To keep things simple and avoid complicating my life, I will use <a href="https://awspring.io/" rel="noopener noreferrer"><code>Spring Cloud AWS</code> Docs[↗]</a></p> <blockquote> <p>Spring Cloud AWS simplifies using AWS managed services in a Spring Framework and Spring Boot applications. It offers a convenient way to interact with AWS provided services using well-known Spring idioms and APIs.</p> </blockquote> <p>To configure the SNS and SQS services, this is the beans configuration class for every application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApplicationConfiguration</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsRegionProvider</span> <span class="nf">customRegionProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InstanceProfileRegionProvider</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsCredentialsProvider</span> <span class="nf">customInstanceCredProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">InstanceProfileCredentialsProvider</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h5> User Management App (<code>producer</code>) </h5> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.nivekaa.msproducer.infra.messaging.producers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.nivekaa.msproducer.core.domain.User</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.nivekaa.msproducer.core.interactors.IndexingUserInteractor</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.awspring.cloud.sns.core.SnsNotification</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.awspring.cloud.sns.core.SnsOperations</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">lombok.RequiredArgsConstructor</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Value</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Component</span><span class="o">;</span> <span class="nd">@Component</span> <span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">IndexingUserProducer</span> <span class="kd">implements</span> <span class="nc">IndexingUserInteractor</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SnsOperations</span> <span class="n">snsOperations</span><span class="o">;</span> <span class="kd">private</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${sns.topic.users}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">userTopic</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">pushUserAsMessage</span><span class="o">(</span><span class="nc">User</span> <span class="n">payload</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SnsNotification</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="n">notification</span> <span class="o">=</span> <span class="nc">SnsNotification</span><span class="o">.</span><span class="na">builder</span><span class="o">(</span><span class="n">payload</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">snsOperations</span><span class="o">.</span><span class="na">sendNotification</span><span class="o">(</span><span class="n">userTopic</span><span class="o">,</span> <span class="n">notification</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c">## resources/application.properties </span><span class="py">sns.topic.users</span><span class="p">=</span><span class="s">UserCreatedTopic</span> </code></pre> </div> <p>The code above is the crucial part, as it handles the publication of the message after a user is created. Given that the application is fairly large and spans multiple files, I’ve decided to provide a link to the full project on GitHub for a more comprehensive view and better context. <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/apps/msproducer" rel="noopener noreferrer">GitHub repo: <code>User Management</code>[↗]</a></p> <h5> Search Indexing App (<code>consumer</code>) </h5> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.nivekaa.sqsconsumer.infra.messaging.consumers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.time.LocalDateTime</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.awspring.cloud.sqs.annotation.SqsListener</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">lombok.extern.slf4j.Slf4j</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Component</span><span class="o">;</span> <span class="nd">@Slf4j</span> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExampleSQSConsumer</span> <span class="o">{</span> <span class="nd">@SqsListener</span><span class="o">(</span><span class="n">queueNames</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"${sqs.queue.index-user}"</span> <span class="o">})</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">listen</span><span class="o">(</span><span class="nc">String</span> <span class="n">payload</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="sh">""" ******************* SQS Payload *************** * User Info: {} * Received At: {} ************************************************ """</span><span class="o">,</span> <span class="n">payload</span><span class="o">,</span> <span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">## resources/application.yml</span> <span class="na">sqs</span><span class="pi">:</span> <span class="na">queue</span><span class="pi">:</span> <span class="na">index-user</span><span class="pi">:</span> <span class="s">SearchQueue-main</span> </code></pre> </div> <p>Follow the full project <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/apps/ms-indexing" rel="noopener noreferrer">GitHub repo[↗]</a></p> <h5> Code Generation App (<code>consumer</code>) </h5> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Slf4j</span> <span class="nd">@Component</span> <span class="nd">@RequiredArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserRegisterSQSConsumer</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">LocalStorageInteractor</span> <span class="n">storageInteractor</span><span class="o">;</span> <span class="nd">@SqsListener</span><span class="o">(</span><span class="n">queueNames</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"${sqs.queue.gen-code}"</span> <span class="o">})</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">listen</span><span class="o">(</span><span class="nc">String</span> <span class="n">payload</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="sh">""" ******************* SQS Payload ***************" * Message Content: {} * Received At: {} ************************************************ """</span><span class="o">,</span> <span class="n">payload</span><span class="o">,</span> <span class="nc">Date</span><span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="nc">Instant</span><span class="o">.</span><span class="na">now</span><span class="o">()));</span> <span class="c1">// Unwanted code👇🏻👇🏻...</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">## resources/application.yml</span> <span class="na">sqs</span><span class="pi">:</span> <span class="na">queue</span><span class="pi">:</span> <span class="na">gen-code</span><span class="pi">:</span> <span class="s">CodeGenQueue-main</span> </code></pre> </div> <p>Follow the full project <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/apps/ms-gen-code" rel="noopener noreferrer">GitHub repo[↗]</a></p> <h3> Build infrastructure using CDK with java as language </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="c1">// MayStack.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="c1">// Create a VPC (Virtual Private Cloud) using a custom NetworkConstruct class.</span> <span class="nc">IVpc</span> <span class="n">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">NetworkContruct</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"NetworkResource"</span><span class="o">,</span> <span class="n">props</span><span class="o">).</span><span class="na">getVpc</span><span class="o">();</span> <span class="c1">// Define the first SQS queue for user code generation, using a custom QueueConstruct.</span> <span class="nc">IQueue</span> <span class="n">genUserCodeQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">QueueConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"GenerateUserCodeQueueResource"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">CustomQueueProps</span><span class="o">(</span><span class="s">"CodeGenQueue"</span><span class="o">),</span> <span class="n">props</span><span class="o">)</span> <span class="o">.</span><span class="na">getQueue</span><span class="o">();</span> <span class="c1">// Define the second SQS queue for user indexing, also using a custom QueueConstruct.</span> <span class="nc">IQueue</span> <span class="n">indexingUserQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">QueueConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"IndexingUserQueueResource"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">CustomQueueProps</span><span class="o">(</span><span class="s">"SearchQueue"</span><span class="o">,</span> <span class="kc">true</span><span class="o">),</span> <span class="n">props</span><span class="o">)</span> <span class="o">.</span><span class="na">getQueue</span><span class="o">();</span> <span class="c1">// Create an SNS topic named "UserCreatedTopic" using a custom TopicConstruct class.</span> <span class="nc">TopicConstruct</span> <span class="n">topic</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">TopicConstruct</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"TopicResource"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">CustomTopicProps</span><span class="o">(</span><span class="s">"UserCreatedTopic"</span><span class="o">),</span> <span class="n">props</span><span class="o">);</span> <span class="c1">// Subscribe both SQS queues to the SNS topic, so they will receive messages when published.</span> <span class="n">topic</span><span class="o">.</span><span class="na">subscribeQueue</span><span class="o">(</span><span class="n">genUserCodeQueue</span><span class="o">);</span> <span class="n">topic</span><span class="o">.</span><span class="na">subscribeQueue</span><span class="o">(</span><span class="n">indexingUserQueue</span><span class="o">);</span> <span class="c1">// Define an EC2 instance (Compute) for the code generation service.</span> <span class="nc">ComputerConstruct</span> <span class="n">genCodeService</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"GenCodeServerResource"</span><span class="o">,</span> <span class="nc">ComputerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">allowSSHConnection</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">)</span> <span class="o">.</span><span class="na">instanceName</span><span class="o">(</span><span class="s">"GenCodeServer"</span><span class="o">)</span> <span class="o">.</span><span class="na">volumeSize</span><span class="o">(</span><span class="mi">8</span><span class="o">)</span> <span class="o">.</span><span class="na">enableKeyPair</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">hostedAppPort</span><span class="o">(</span><span class="mi">8081</span><span class="o">)</span> <span class="o">.</span><span class="na">bootstrapScript</span><span class="o">(</span><span class="s">"./gen-code-webserver-startup.sh"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="n">props</span><span class="o">);</span> <span class="c1">// Grant the EC2 instance permissions to consume messages from the SQS queue for code generation.</span> <span class="n">genCodeService</span><span class="o">.</span><span class="na">addPolicyToComputer</span><span class="o">(</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowConsumingSQSMessage"</span><span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"sqs:DeleteMessage"</span><span class="o">,</span> <span class="s">"sqs:ReceiveMessage"</span><span class="o">,</span> <span class="s">"sqs:GetQueueAttributes"</span><span class="o">,</span> <span class="s">"sqs:GetQueueUrl"</span><span class="o">))</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">genUserCodeQueue</span><span class="o">.</span><span class="na">getQueueArn</span><span class="o">()))</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="c1">// Define an EC2 instance for the user management service (message producer).</span> <span class="nc">ComputerConstruct</span> <span class="n">userManagementService</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"ProducerComputerResource"</span><span class="o">,</span> <span class="nc">ComputerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">volumeSize</span><span class="o">(</span><span class="mi">10</span><span class="o">)</span> <span class="o">.</span><span class="na">enableKeyPair</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">allowSSHConnection</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">hostedAppPort</span><span class="o">(</span><span class="mi">8080</span><span class="o">)</span> <span class="o">.</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">)</span> <span class="o">.</span><span class="na">instanceName</span><span class="o">(</span><span class="s">"MSProducer"</span><span class="o">)</span> <span class="o">.</span><span class="na">bootstrapScript</span><span class="o">(</span><span class="s">"./producer-webserver-startup.sh"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="n">props</span><span class="o">);</span> <span class="c1">// Grant the user management EC2 instance permissions to publish messages to the SNS topic.</span> <span class="n">userManagementService</span><span class="o">.</span><span class="na">addPolicyToComputer</span><span class="o">(</span> <span class="k">new</span> <span class="nf">PolicyStatement</span><span class="o">(</span> <span class="nc">PolicyStatementProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"sns:Publish"</span><span class="o">,</span> <span class="s">"sns:ListTopics"</span><span class="o">,</span> <span class="s">"sns:CreateTopic"</span><span class="o">))</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">topic</span><span class="o">.</span><span class="na">getTopic</span><span class="o">().</span><span class="na">getTopicArn</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">()));</span> <span class="c1">// Define an EC2 instance for the indexing service (message consumer).</span> <span class="nc">ComputerConstruct</span> <span class="n">indexingComputer</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"IndexingComputerResource"</span><span class="o">,</span> <span class="nc">ComputerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">bootstrapScript</span><span class="o">(</span><span class="s">"./indexing-webserver-startup.sh"</span><span class="o">)</span> <span class="o">.</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">)</span> <span class="o">.</span><span class="na">instanceName</span><span class="o">(</span><span class="s">"indexing-webserver"</span><span class="o">)</span> <span class="o">.</span><span class="na">enableKeyPair</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">allowSSHConnection</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">volumeSize</span><span class="o">(</span><span class="mi">8</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="n">props</span><span class="o">);</span> <span class="c1">// Grant the indexing EC2 instance permissions to consume messages from the SQS queue for indexing.</span> <span class="n">indexingComputer</span><span class="o">.</span><span class="na">addPolicyToComputer</span><span class="o">(</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowInstanceToReceiveSQSMessage"</span><span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"sqs:DeleteMessage"</span><span class="o">,</span> <span class="s">"sqs:ReceiveMessage"</span><span class="o">,</span> <span class="s">"sqs:GetQueueAttributes"</span><span class="o">,</span> <span class="s">"sqs:GetQueueUrl"</span><span class="o">))</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">indexingUserQueue</span><span class="o">.</span><span class="na">getQueueArn</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// MyApp.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Day020App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="k">new</span> <span class="nf">MyStack</span><span class="o">(</span> <span class="n">app</span><span class="o">,</span> <span class="s">"Day020Stack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_ACCOUNT"</span><span class="o">))</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_REGION"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>🎯<a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/master/day_020/src/main/java/com/nivekaa/aws100dayscodechallenge/day20/constructs/NetworkContruct.java" rel="noopener noreferrer">NetworkContruct.java - [↗]</a><br> 🎯<a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/master/day_020/src/main/java/com/nivekaa/aws100dayscodechallenge/day20/constructs/ComputerConstruct.java" rel="noopener noreferrer">ComputerConstruct.java - [↗]</a><br> 🎯<a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/master/day_020/src/main/java/com/nivekaa/aws100dayscodechallenge/day20/constructs/QueueConstruct.java" rel="noopener noreferrer">QueueConstruct.java - [↗]</a><br> 🎯<a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/master/day_020/src/main/java/com/nivekaa/aws100dayscodechallenge/day20/constructs/TopicConstruct.java" rel="noopener noreferrer">TopicConstruct.java - [↗]</a></p> <h3> Deployment </h3> <p>⚠️⚠️ Before run the deployment command ensure that you have java installed on your host machine. I used Java 21 under MacOs to build this insfrastructure. </p> <p>Open the terminal anywhere and run the following commande:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_020 cdk bootstrap <span class="nt">--profile</span> cdk-user cdk deploy <span class="nt">--profile</span> cdk-user Day020Stack </code></pre> </div> <p>You can find the full project in my <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/day17/consumer-sqs-messages/apps/sqsconsumer" rel="noopener noreferrer">GitHub repo[↗]</a></p> cdk eventdriven springboot aws Why you Shouldn't Use Amazon SQS for multiple Consumers—Choose Amazon SNS Instead! (Part 1) Kevin Lactio Kemta Mon, 14 Oct 2024 04:30:00 +0000 https://forem.com/nivekalara237/why-you-shouldnt-use-amazon-sqs-for-multiple-consumers-choose-amazon-sns-instead-2nj3 https://forem.com/nivekalara237/why-you-shouldnt-use-amazon-sqs-for-multiple-consumers-choose-amazon-sns-instead-2nj3 <h6> <span>Day 019 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Recently, I’ve come across questions in communities like Stack Overflow and Reddit, where users are asking how to enable multiple applications (acting as consumers) to process a single message from an Amazon SQS Queue. While it is technically possible to consume or read an SQS message multiple times, in this article, I will walk you through the best practices for handling situations where you have one queue serving multiple consumers.</p> <h3> Amazon SQS vs Amazon SNS </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Points of comparison</th> <th>Simple Queue Service</th> <th>Simple Notification Service</th> </tr> </thead> <tbody> <tr> <td><strong>Communication model</strong></td> <td> <code>Queue based</code>, SQS is used for <strong>Point-to-Point</strong> communication. The producer pushes a message to the <code>queue</code>, and only one consumer retrieves and processes it. Messages are garanteed to be processed <strong>only one time(idempotent)</strong>.</td> <td> <code>Pub/sub</code>, SNS is used to broadcast messages to multiple subscribers simultaneously. The message is published on a <code>topic</code> and all subscribers receive it in parallel.</td> </tr> <tr> <td><strong>Destination</strong></td> <td> <strong>Only one</strong> destination per message. Once the message is consumed, it is <em>desappeared/deleted</em> from the queue. It is suitable for systems where a single service must process the message</td> <td>Designed for <strong>multiple</strong> destinations. The message is sent to many consumers like applications (HTTP/S), SMS, SQS or Lambda Function. It is suitable for the broadcast at scale</td> </tr> <tr> <td><strong>Ordonnancing and duplication</strong></td> <td>There are two types of SQS: <code>STANDARD</code> and <code>FIFO</code> (<em>First-In-First-Out</em>). In the <code>STANDARD</code> version, messages can be delivered in any order and can be duplicated. In the <code>FIFO</code> version, messages are delivered exactly in the order they are sent and no duplication is allowed.</td> <td> <strong>The order is no guaranteed</strong> and no protection against duplication. Each consumer receives the message at the same time and in any order.</td> </tr> <tr> <td><strong>Message retention</strong></td> <td>Messages are <strong>retained</strong> inside the queue until they are consumed or until the retention period expires (the maximun retention period is 14 Days)</td> <td>Message are <strong>not retained</strong>. They are immediately sent to the subscribers as soon as they published. ⚠️⚠️ <strong>If the subscriber is not available, the message is lost(only if he is attached to the SQS Queue)</strong> </td> </tr> <tr> <td><strong>Use Case</strong></td> <td>Buffering 📬</td> <td>Broadcasting 🛗</td> </tr> <tr> <td><strong>Pricing</strong></td> <td>Based on the number of <strong>sent</strong> and <strong>receive requests</strong> and <strong>messages deletions</strong> </td> <td>Based on <strong>publising</strong> and <strong>noticications sent</strong> </td> </tr> </tbody> </table></div> <p>There might be other elements of comparison that I haven't mentioned here. But for now we'll stop at the most important ones here. If you think of anything else, please leave a comment, it could also help me😇.</p> <h3> Which one to choose ? </h3> <p>Now that we've established the differences between SQS and SNS, the question arises: <em>when should you use one over the other?</em></p> <p>You can use <code>SQS</code> when:</p> <ul> <li>you wish to <strong>control the order of message processing</strong> using <code>SQS FIFO</code> </li> <li>you need to handle a <strong>high volume</strong> of messages or process messages in <strong>batches</strong> </li> <li>you have an asynchronous workflow where <strong>only one consumer</strong> should process each message.</li> </ul> <p>You can use <code>SNS</code> when:</p> <ul> <li>you need to send the same message to <strong>multiple consumers simultanously</strong>.</li> <li>you're to implementing a <strong>Pub/Sub</strong>(Publish/Subscribe) model</li> <li>you require <strong>real-time proccessing</strong>, such as push notifications</li> <li>you want to <strong>alert multiple systems</strong> in real time (e.g. Email, SMS, monitoring, SQS Queue, etc.).</li> </ul> <p>To summarize:<br> ✅✅ <code>SQS</code> is suitable for systems where messages need to be processed by a <code>single consumer</code>.<br> ✅✅ <code>SNS</code> is perfect for <code>broadcasting notifications</code> to multiple systems simultaneously.</p> <p>In practice, you can combine <code>SNS</code> and <code>SQS</code>, where SNS sends notifications to multiple SQS Queues, allowing each queue to have its dedicated consumer. This will be covered in the next article (<a href="https://dev.to/nivekalara237/how-to-combine-sqs-and-sns-to-implement-multiple-consumers-part-2-5a63">How to combine SQS and SNS to implement multiple Consumers</a>). stay turned!</p> <h3> Conclusion </h3> <p>The right choice between <strong>Amazon SQS</strong> and <strong>SNS</strong> can elevate your application’s messaging capabilities. If you have any experiences, questions, or insights to share, feel free to leave a comment below 💬.</p> <p>Let’s learn and grow together!😎</p> aws sns sqs eventdriven Create an AWS SNS Topic Using CDK and consume messages with a Spring Boot Microservice Kevin Lactio Kemta Sun, 13 Oct 2024 18:59:04 +0000 https://forem.com/nivekalara237/create-an-aws-sns-topic-using-cdk-and-consume-messages-with-a-spring-boot-microservice-1nn https://forem.com/nivekalara237/create-an-aws-sns-topic-using-cdk-and-consume-messages-with-a-spring-boot-microservice-1nn <h6> <span>Day 018 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p><strong>Amazon SNS (Simple Notification Service)</strong> is a fully managed Amazon messaging service that allows large number of subscribers using different delivery protocoles, such as HTTP/HTTPS, email, SQS, SMS and AWS Lambda.<br> It designed for scalable, high-throughput, push-bash messaging. It enables applications, microservices, and systems to communicate with each other asynchroniously in real time. <br> The core concept of SNS revolvers around <code>topics</code>and <code>subscriptions</code>.</p> <h3> Subscribe and Consume a SNS Messages using Springboot application </h3> <p>This guide demonstrates how to create a Spring Boot application that subscribes to and processes messages from an SNS topic. The infrastructure, built using AWS CDK (in Java), includes the following components:</p> <ul> <li>A <code>VPC</code> with a public <code>Subnet</code> to host an EC2 instance where the Spring Boot application will run.</li> <li>An <code>Internet Gateway</code> to provide the EC2 instance with internet access for downloading dependencies.</li> <li>An <code>SNS Topic</code> for publishing messages.</li> <li>An <code>EC2 Instance</code> for hosting the Spring Boot application.</li> <li>An <code>IAM Role</code> to grant the EC2 instance permissions to receive messages from the SNS topic (critical for secure communication).</li> </ul> <h3> Create the Infrastructure </h3> <p>Set up the necessary infrastructure using CDK (Java)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcdsi8fohap6iun5rh0zc.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcdsi8fohap6iun5rh0zc.jpg" alt="diagram of infrastructure" width="800" height="697"></a></p> <h6> VPC &amp; Subnet + Internet Gateway </h6> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// constructs/NetworkConstruct.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">NetworkContruct</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">IVpc</span> <span class="n">vpc</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">NetworkContruct</span><span class="o">(</span><span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">Vpc</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"VpcResource"</span><span class="o">,</span> <span class="nc">VpcProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">vpcName</span><span class="o">(</span><span class="s">"my-vpc"</span><span class="o">)</span> <span class="o">.</span><span class="na">enableDnsHostnames</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">enableDnsSupport</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">createInternetGateway</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">ipProtocol</span><span class="o">(</span><span class="nc">IpProtocol</span><span class="o">.</span><span class="na">IPV4_ONLY</span><span class="o">)</span> <span class="o">.</span><span class="na">ipAddresses</span><span class="o">(</span><span class="nc">IpAddresses</span><span class="o">.</span><span class="na">cidr</span><span class="o">(</span><span class="s">"10.0.0.1/16"</span><span class="o">))</span> <span class="o">.</span><span class="na">maxAzs</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="o">.</span><span class="na">subnetConfiguration</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">SubnetConfiguration</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">name</span><span class="o">(</span><span class="s">"Public-Subnet"</span><span class="o">)</span> <span class="o">.</span><span class="na">mapPublicIpOnLaunch</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">subnetType</span><span class="o">(</span><span class="nc">SubnetType</span><span class="o">.</span><span class="na">PUBLIC</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">IVpc</span> <span class="nf">getVpc</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">vpc</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// MyStatck.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="nc">IVpc</span> <span class="n">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">NetworkContruct</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"NetworkResource"</span><span class="o">,</span> <span class="n">props</span><span class="o">).</span><span class="na">getVpc</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The above code will create:</p> <ul> <li>A VPC named <code>my-vpc</code> and enable DNS hostname enabled.</li> <li>A public subnet named <code>Public-Subnet</code> which allows resources to attach a public IP (if configured with one).</li> <li>An Internet Gateway to enable internet traffic.</li> </ul> <h6> SNS Topic </h6> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// MyStatck.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="c1">//...</span> <span class="nc">String</span> <span class="n">topicName</span> <span class="o">=</span> <span class="s">"example-topic-main"</span><span class="o">;</span> <span class="nc">ITopic</span> <span class="n">topic</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Topic</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"TopicResource"</span><span class="o">,</span> <span class="nc">TopicProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">topicName</span><span class="o">(</span><span class="n">topicName</span><span class="o">)</span> <span class="o">.</span><span class="na">fifo</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The above code creates an SNS Topic named <code>example-topic-main</code>. This topic will be used for publishing messages, which the Spring Boot application will subscribe to and process.</p> <h6> EC2 Instance for Hosting the Spring Boot Application </h6> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// MyStatck.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="c1">//...</span> <span class="nc">IVpc</span> <span class="n">vpc</span><span class="o">;</span> <span class="c1">// previously instanciated</span> <span class="nc">String</span> <span class="n">topicName</span><span class="o">;</span> <span class="kt">int</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">8089</span><span class="o">;</span> <span class="nc">ITopic</span> <span class="n">topic</span><span class="o">;</span> <span class="c1">// previously instanciated</span> <span class="nc">ComputerConstruct</span> <span class="n">webserver</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"ComputerResource"</span><span class="o">,</span> <span class="nc">ComputerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">).</span><span class="na">port</span><span class="o">(</span><span class="n">port</span><span class="o">).</span><span class="na">build</span><span class="o">(),</span> <span class="n">props</span><span class="o">);</span> <span class="nc">IInstance</span> <span class="n">instance</span> <span class="o">=</span> <span class="n">webserver</span><span class="o">.</span><span class="na">getComputer</span><span class="o">();</span> <span class="n">webserver</span><span class="o">.</span><span class="na">addPolicyToComputer</span><span class="o">(</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">topic</span><span class="o">.</span><span class="na">getTopicArn</span><span class="o">()))</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"sns:ConfirmSubscription"</span><span class="o">,</span> <span class="s">"sns:Subscribe"</span><span class="o">,</span> <span class="s">"sns:GetTopicAttributes"</span><span class="o">,</span> <span class="s">"sns:ListTopics"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="nc">ITopicSubscription</span> <span class="n">endpointSubscription</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">UrlSubscription</span><span class="o">(</span> <span class="s">"http://%s:%d/topics/%s"</span> <span class="o">.</span><span class="na">formatted</span><span class="o">(</span><span class="n">instance</span><span class="o">.</span><span class="na">getInstancePublicDnsName</span><span class="o">(),</span> <span class="n">port</span><span class="o">,</span> <span class="n">topicName</span><span class="o">),</span> <span class="nc">UrlSubscriptionProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">rawMessageDelivery</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">protocol</span><span class="o">(</span><span class="nc">SubscriptionProtocol</span><span class="o">.</span><span class="na">HTTP</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">topic</span><span class="o">.</span><span class="na">addSubscription</span><span class="o">(</span><span class="n">endpointSubscription</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/master/day_018/src/main/java/com/nivekaa/aws100dayscodechallenge/day18/constructs/ComputerConstruct.java" rel="noopener noreferrer">ComputerConstruct.java [↗]</a><br> The above CDK construct will create the following resources:</p> <ul> <li>A Security Group named <code>Webserver-security-group</code> that allows inbound traffic on <code>Port 22</code> for <strong>SSH</strong> connections and allows inbound traffic on <strong>Port 8089</strong>, which is the application connection port.</li> <li>A Key Pair named <code>ws-keypair</code> that will be used to connect to the app host via SSH. Since we are using CDK to build the infrastructure, if you need to download the private key (PEM file) after deployment, refer to my previous article on <a href="https://dev.to/nivekalara237/how-to-retrieve-the-private-key-file-pem-content-after-cloudformation-or-cdk-stack-deployment-50h4">How the retrieve the private key file PEM after Cloudformation or CDK stack creation[↗]</a>.</li> <li>An Ec2 Instance named <code>Webserver-Instance</code>.</li> <li>An IAM Role for the Ec2 Instance named <code>webserver-role</code>, which allows the spring Boot application hosted on the Ec2 Instance to establish connections with the Amazon SQS Queue (already created) and perform actions: <code>sns:ConfirmSubscription</code>, <code>sns:Subscribe</code>, <code>sns:GetTopicAttributes</code> and <code>sns:ListTopics</code>.</li> <li>An SNS Subscription for the HTTP endpoint, allowing the Spring Boot application hosted on the EC2 instance to receive and process messages from the SNS topic.</li> </ul> <h3> Create the stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// Day17App.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Day017App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="k">new</span> <span class="nf">MyStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span><span class="s">"Day017Stack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_ACCOUNT"</span><span class="o">))</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_REGION"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Create SpringBoot Subscriber Application </h3> <p>To keep things simple and avoid complicating my life, I will use <code>Spring Cloud AWS</code> <a href="https://awspring.io/" rel="noopener noreferrer">Docs[↗]</a></p> <blockquote> <p>Spring Cloud AWS simplifies using AWS managed services in a Spring Framework and Spring Boot applications. It offers a convenient way to interact with AWS provided services using well-known Spring idioms and APIs.</p> </blockquote> <p>To configure the SNS service, add the following beans in the configuration class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApplicationConfiguration</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsRegionProvider</span> <span class="nf">customRegionProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InstanceProfileRegionProvider</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsCredentialsProvider</span> <span class="nf">customInstanceCredProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">InstanceProfileCredentialsProvider</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Finally, add a controller designed to handle incoming notifications from an AWS SNS (Simple Notification Service) topic. This controller allows the application to subscribe to the SNS topic and receive messages sent to it. It utilizes annotations from the <a href="https://awspring.io/" rel="noopener noreferrer">Spring Cloud AWS library</a> to manage SNS message mappings effectively.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/topics/${sns.topic.name}"</span><span class="o">)</span> <span class="c1">// ${sns.topic.name} will return example-topic-main</span> <span class="nd">@Slf4j</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ConsumeNotificationResource</span> <span class="o">{</span> <span class="nd">@NotificationSubscriptionMapping</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">confirmSubscription</span><span class="o">(</span><span class="nc">NotificationStatus</span> <span class="n">status</span><span class="o">)</span> <span class="o">{</span> <span class="n">status</span><span class="o">.</span><span class="na">confirmSubscription</span><span class="o">();</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Subscription confirmed"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@NotificationMessageMapping</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">receiveMessage</span><span class="o">(</span><span class="nd">@NotificationSubject</span> <span class="nc">String</span> <span class="n">subject</span><span class="o">,</span> <span class="nd">@NotificationMessage</span> <span class="nc">String</span> <span class="n">message</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span> <span class="sh">""" ************************* SNS Notification *************** * Subject : {} * Content: {} * Date : {} ********************************************************** """</span><span class="o">,</span> <span class="n">subject</span><span class="o">,</span> <span class="n">message</span><span class="o">,</span> <span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@NotificationUnsubscribeConfirmationMapping</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">unsubscribe</span><span class="o">(</span><span class="nc">NotificationStatus</span> <span class="n">status</span><span class="o">)</span> <span class="o">{</span> <span class="n">status</span><span class="o">.</span><span class="na">confirmSubscription</span><span class="o">();</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Unsubscription confirmed"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>You can find the full project in my <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/day18/consumer-sns-messages/apps/snsconsumer" rel="noopener noreferrer">GitHub repo[↗]</a></p> <h3> Deployment </h3> <p>⚠️⚠️ Before run the deployment command ensure that you have java installed on your host machine. I used Java 21 under MacOs to build this insfrastructure. </p> <p>Open the terminal anywhere and run the following commande:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_018 cdk bootstrap <span class="nt">--profile</span> cdk-user cdk deploy <span class="nt">--profile</span> cdk-user Day018Stack </code></pre> </div> <h3> Resut </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoqogympqnkvgildd5vn.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoqogympqnkvgildd5vn.gif" alt="Image description" width="600" height="330"></a></p> <p>Your can find the full source code here <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_018" rel="noopener noreferrer">#day_18</a><br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/nivekalara237" rel="noopener noreferrer"> nivekalara237 </a> / <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops" rel="noopener noreferrer"> 100DaysTerraformAWSDevops </a> </h2> <h3> Thriving with AWS and Terraform </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <p>articles about my work 👉🏽 <a href="https://dev.to/nivekalara237/series/28339" rel="nofollow">https://dev.to/nivekalara237/series/28339</a></p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/nivekalara237/100DaysTerraformAWSDevops" rel="noopener noreferrer">View on GitHub</a></div> </div> java aws sns springboot Building a Spring Boot Consumer Application with Amazon SQS: Setup Infrastructure Using Cloud Development Kit (CDK) Kevin Lactio Kemta Mon, 07 Oct 2024 12:59:45 +0000 https://forem.com/nivekalara237/building-a-spring-boot-consumer-application-with-amazon-sqs-setup-infrastructure-using-cloud-development-kit-cdk-41a2 https://forem.com/nivekalara237/building-a-spring-boot-consumer-application-with-amazon-sqs-setup-infrastructure-using-cloud-development-kit-cdk-41a2 <h6> <span>Day 017 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Today in my series of <a href="https://dev.to/nivekalara237/series/28339">100 days of code challenge</a>, I will show you how to decouple microservices developed with springboot using Amazon SQS.</p> <h3> What is Amazon SQS ? </h3> <p><strong>Amazon SQS (Simple Queue Service)</strong> is a cloud service that helps applications communicate by sendyg, storing and receiving messages in a queue. It's like a waiting line where are stored until a consumer is ready to process them. This prevents systems from getting overhelmed and make sure no message is lost.</p> <h3> Consume a SQS Messages using Springboot application </h3> <p>To demonstrate how to consume SQS messages by creating a Spring Boot app that processes each message from an SQS queue. The infrastructure, built using CDK (Java), will include:</p> <ul> <li>a <strong>VPC</strong> with a public <strong>Subnet</strong> to host an EC2 instance where the Spring Boot app will run.</li> <li>An <strong>Internet Gateway</strong> for the EC2 instance to access the internet and download dependencies.</li> <li>A <strong>SQS Queue</strong> and <strong>Dead Letter Queue</strong> for message storage.</li> <li>An <strong>EC2 Instance</strong> for hosting SpringBoot App.</li> <li>An <strong>IAM Role</strong> to allow the EC2 instance to retrieve messages from the SQS queue (<em>very important</em>).</li> </ul> <h3> Create the Infrastructure </h3> <p>Set up the necessary infrastructure using CDK (Java)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3acyxllsq9oyou50i6q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3acyxllsq9oyou50i6q.png" alt="Messaging illustration"></a></p> <h4> VPC &amp; Subne + Internet Gateway </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">NetworkContruct</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">IVpc</span> <span class="n">vpc</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">NetworkContruct</span><span class="o">(</span><span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">Vpc</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"VpcResource"</span><span class="o">,</span> <span class="nc">VpcProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">vpcName</span><span class="o">(</span><span class="s">"my-vpc"</span><span class="o">)</span> <span class="o">.</span><span class="na">enableDnsHostnames</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">enableDnsSupport</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">createInternetGateway</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">ipProtocol</span><span class="o">(</span><span class="nc">IpProtocol</span><span class="o">.</span><span class="na">IPV4_ONLY</span><span class="o">)</span> <span class="o">.</span><span class="na">ipAddresses</span><span class="o">(</span><span class="nc">IpAddresses</span><span class="o">.</span><span class="na">cidr</span><span class="o">(</span><span class="s">"10.0.0.1/16"</span><span class="o">))</span> <span class="o">.</span><span class="na">maxAzs</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="o">.</span><span class="na">subnetConfiguration</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">SubnetConfiguration</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">name</span><span class="o">(</span><span class="s">"Public-Subnet"</span><span class="o">)</span> <span class="o">.</span><span class="na">mapPublicIpOnLaunch</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">subnetType</span><span class="o">(</span><span class="nc">SubnetType</span><span class="o">.</span><span class="na">PUBLIC</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">IVpc</span> <span class="nf">getVpc</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">vpc</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This cdk construct will create:<br> 👉🏽 A VPC named <code>my-vpc</code> and enable DNS hostname enabled.<br> 👉🏽 A public subnet named <code>Public-Subnet</code> which allows resources to attach a public IP (if configured with one).<br> 👉🏽 An Internet Gateway to enable internet traffic.</p> <h4> SQS Queue &amp; Dead Letter Queue </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">public</span> <span class="kd">class</span> <span class="nc">QueueConstruct</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">final</span> <span class="nx">IQueue</span> <span class="nx">queue</span><span class="p">;</span> <span class="kr">public</span> <span class="nc">QueueConstruct</span><span class="p">(</span><span class="nx">Construct</span> <span class="nx">scope</span><span class="p">,</span> <span class="nb">String</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">IVpc</span> <span class="nx">vpc</span><span class="p">,</span> <span class="nx">StackProps</span> <span class="nx">props</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="nx">IQueue</span> <span class="nx">dlq</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">DeadLetterQueue</span><span class="dl">"</span><span class="p">,</span> <span class="nx">QueueProps</span><span class="p">.</span><span class="nf">builder</span><span class="p">()</span> <span class="p">.</span><span class="nf">deliveryDelay</span><span class="p">(</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">millis</span><span class="p">(</span><span class="mi">0</span><span class="p">))</span> <span class="p">.</span><span class="nf">retentionPeriod</span><span class="p">(</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">10</span><span class="p">))</span> <span class="p">.</span><span class="nf">queueName</span><span class="p">(</span><span class="dl">"</span><span class="s2">my-queue-dlq</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">());</span> <span class="nx">DeadLetterQueue</span> <span class="nx">deadLetterQueue</span> <span class="o">=</span> <span class="nx">DeadLetterQueue</span><span class="p">.</span><span class="nf">builder</span><span class="p">()</span> <span class="p">.</span><span class="nf">queue</span><span class="p">(</span><span class="nx">dlq</span><span class="p">)</span> <span class="p">.</span><span class="nf">maxReceiveCount</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">queue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">SQSQueueResource</span><span class="dl">"</span><span class="p">,</span> <span class="nx">QueueProps</span><span class="p">.</span><span class="nf">builder</span><span class="p">()</span> <span class="p">.</span><span class="nf">queueName</span><span class="p">(</span><span class="dl">"</span><span class="s2">my-queue</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">retentionPeriod</span><span class="p">(</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">15</span><span class="p">))</span> <span class="p">.</span><span class="nf">visibilityTimeout</span><span class="p">(</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">90</span><span class="p">))</span> <span class="p">.</span><span class="nf">deadLetterQueue</span><span class="p">(</span><span class="nx">deadLetterQueue</span><span class="p">)</span> <span class="p">.</span><span class="nf">build</span><span class="p">());</span> <span class="p">}</span> <span class="kr">public</span> <span class="nx">IQueue</span> <span class="nf">getQueue</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">queue</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The above CDK construct will create the following resources:</p> <ul> <li>A Queue named <code>my-queue</code>, which will be used in the Spring Boot app.</li> <li>A <strong>DeadLetter Queue</strong> named <code>my-queue-dlq</code> which <strong>captures failed messages</strong> so they can be analysed and fixed later, without blocking the main queue.</li> </ul> <h4> EC2 Instance for Hosting the Spring Boot Application </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// ComputerProps.java</span> <span class="kd">public</span> <span class="n">record</span> <span class="nf">ComputerProps</span><span class="o">(</span><span class="nc">IVpc</span> <span class="n">vpc</span><span class="o">,</span> <span class="nc">String</span> <span class="n">sqsQueueArn</span><span class="o">)</span> <span class="o">{}</span> <span class="c1">// ComputerConstruct.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ComputerConstruct</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">IInstance</span> <span class="n">computer</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="nc">ComputerProps</span> <span class="n">computerProps</span><span class="o">,</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="nc">SecurityGroup</span> <span class="n">securityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">SecurityGroup</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"WebserverSGResource"</span><span class="o">,</span> <span class="nc">SecurityGroupProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">allowAllOutbound</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">securityGroupName</span><span class="o">(</span><span class="s">"Webserver-security-group"</span><span class="o">)</span> <span class="o">.</span><span class="na">disableInlineRules</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">vpc</span><span class="o">(</span><span class="n">computerProps</span><span class="o">.</span><span class="na">vpc</span><span class="o">())</span> <span class="o">.</span><span class="na">description</span><span class="o">(</span><span class="s">"Allow trafic from/to webserver instance"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">securityGroup</span><span class="o">.</span><span class="na">addIngressRule</span><span class="o">(</span><span class="nc">Peer</span><span class="o">.</span><span class="na">anyIpv4</span><span class="o">(),</span> <span class="nc">Port</span><span class="o">.</span><span class="na">SSH</span><span class="o">,</span> <span class="s">"Allow ssh traffic"</span><span class="o">);</span> <span class="n">securityGroup</span><span class="o">.</span><span class="na">addIngressRule</span><span class="o">(</span><span class="nc">Peer</span><span class="o">.</span><span class="na">anyIpv4</span><span class="o">(),</span> <span class="nc">Port</span><span class="o">.</span><span class="na">tcp</span><span class="o">(</span><span class="mi">8089</span><span class="o">),</span> <span class="s">"Allow traffic from 8089 port"</span><span class="o">);</span> <span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">KeyPair</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"KeyPairResource"</span><span class="o">,</span> <span class="nc">KeyPairProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">keyPairName</span><span class="o">(</span><span class="s">"ws-keypair"</span><span class="o">)</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="nc">Objects</span><span class="o">.</span><span class="na">requireNonNull</span><span class="o">(</span><span class="n">props</span><span class="o">.</span><span class="na">getEnv</span><span class="o">()).</span><span class="na">getAccount</span><span class="o">())</span> <span class="o">.</span><span class="na">type</span><span class="o">(</span><span class="nc">KeyPairType</span><span class="o">.</span><span class="na">RSA</span><span class="o">)</span> <span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="nc">KeyPairFormat</span><span class="o">.</span><span class="na">PEM</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="k">new</span> <span class="nf">CfnOutput</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"KeyPairId"</span><span class="o">,</span> <span class="nc">CfnOutputProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">value</span><span class="o">(</span><span class="n">keyPair</span><span class="o">.</span><span class="na">getKeyPairId</span><span class="o">()).</span><span class="na">build</span><span class="o">());</span> <span class="nc">Instance</span> <span class="n">ec2Instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">Instance</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"WebServerInstanceResource"</span><span class="o">,</span> <span class="nc">InstanceProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">securityGroup</span><span class="o">(</span><span class="n">securityGroup</span><span class="o">)</span> <span class="o">.</span><span class="na">keyPair</span><span class="o">(</span><span class="n">keyPair</span><span class="o">)</span> <span class="o">.</span><span class="na">instanceName</span><span class="o">(</span><span class="s">"Webserver-Instance"</span><span class="o">)</span> <span class="o">.</span><span class="na">machineImage</span><span class="o">(</span> <span class="nc">MachineImage</span><span class="o">.</span><span class="na">lookup</span><span class="o">(</span> <span class="nc">LookupMachineImageProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">name</span><span class="o">(</span><span class="s">"*ubuntu*"</span><span class="o">)</span> <span class="o">.</span><span class="na">filters</span><span class="o">(</span> <span class="nc">Map</span><span class="o">.</span><span class="na">ofEntries</span><span class="o">(</span> <span class="nc">Map</span><span class="o">.</span><span class="na">entry</span><span class="o">(</span><span class="s">"image-id"</span><span class="o">,</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"ami-0e86e20dae9224db8"</span><span class="o">)),</span> <span class="nc">Map</span><span class="o">.</span><span class="na">entry</span><span class="o">(</span><span class="s">"architecture"</span><span class="o">,</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"x86_64"</span><span class="o">))))</span> <span class="o">.</span><span class="na">windows</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">vpc</span><span class="o">(</span><span class="n">computerProps</span><span class="o">.</span><span class="na">vpc</span><span class="o">())</span> <span class="o">.</span><span class="na">role</span><span class="o">(</span><span class="n">buildInstanceRole</span><span class="o">(</span><span class="n">computerProps</span><span class="o">))</span> <span class="o">.</span><span class="na">instanceType</span><span class="o">(</span><span class="nc">InstanceType</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">InstanceClass</span><span class="o">.</span><span class="na">T2</span><span class="o">,</span> <span class="nc">InstanceSize</span><span class="o">.</span><span class="na">MICRO</span><span class="o">))</span> <span class="o">.</span><span class="na">associatePublicIpAddress</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">blockDevices</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">BlockDevice</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">mappingEnabled</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">deviceName</span><span class="o">(</span><span class="s">"/dev/sda1"</span><span class="o">)</span> <span class="o">.</span><span class="na">volume</span><span class="o">(</span> <span class="nc">BlockDeviceVolume</span><span class="o">.</span><span class="na">ebs</span><span class="o">(</span> <span class="mi">10</span><span class="o">,</span> <span class="nc">EbsDeviceOptions</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">deleteOnTermination</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">volumeType</span><span class="o">(</span><span class="nc">EbsDeviceVolumeType</span><span class="o">.</span><span class="na">GP3</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">userDataCausesReplacement</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">vpcSubnets</span><span class="o">(</span><span class="nc">SubnetSelection</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">subnetType</span><span class="o">(</span><span class="nc">SubnetType</span><span class="o">.</span><span class="na">PUBLIC</span><span class="o">).</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="nc">UserData</span> <span class="n">userData</span> <span class="o">=</span> <span class="nc">UserData</span><span class="o">.</span><span class="na">forLinux</span><span class="o">();</span> <span class="n">userData</span><span class="o">.</span><span class="na">addCommands</span><span class="o">(</span><span class="n">readFile</span><span class="o">(</span><span class="s">"./webserver-startup.sh"</span><span class="o">));</span> <span class="n">ec2Instance</span><span class="o">.</span><span class="na">addUserData</span><span class="o">(</span><span class="n">userData</span><span class="o">.</span><span class="na">render</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">computer</span> <span class="o">=</span> <span class="n">ec2Instance</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">IInstance</span> <span class="nf">getComputer</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">computer</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">readFile</span><span class="o">(</span><span class="nc">String</span> <span class="n">filename</span><span class="o">)</span> <span class="o">{</span> <span class="nc">InputStream</span> <span class="n">scriptFileStream</span> <span class="o">=</span> <span class="n">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">().</span><span class="na">getResourceAsStream</span><span class="o">(</span><span class="n">filename</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="k">assert</span> <span class="n">scriptFileStream</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span> <span class="k">try</span> <span class="o">(</span><span class="nc">InputStreamReader</span> <span class="n">isr</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InputStreamReader</span><span class="o">(</span><span class="n">scriptFileStream</span><span class="o">,</span> <span class="nc">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">);</span> <span class="nc">BufferedReader</span> <span class="n">br</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BufferedReader</span><span class="o">(</span><span class="n">isr</span><span class="o">))</span> <span class="o">{</span> <span class="nc">StringBuilder</span> <span class="n">content</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="nc">String</span> <span class="n">line</span><span class="o">;</span> <span class="k">while</span> <span class="o">((</span><span class="n">line</span> <span class="o">=</span> <span class="n">br</span><span class="o">.</span><span class="na">readLine</span><span class="o">())</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">content</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">line</span><span class="o">).</span><span class="na">append</span><span class="o">(</span><span class="s">"\n"</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">content</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">IOException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">RuntimeException</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">IRole</span> <span class="nf">buildInstanceRole</span><span class="o">(</span><span class="nc">ComputerProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">Role</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"WebserverInstanceRoleResource"</span><span class="o">,</span> <span class="nc">RoleProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">roleName</span><span class="o">(</span><span class="s">"webserver-role"</span><span class="o">)</span> <span class="o">.</span><span class="na">assumedBy</span><span class="o">(</span><span class="k">new</span> <span class="nc">ServicePrincipal</span><span class="o">(</span><span class="s">"ec2.amazonaws.com"</span><span class="o">))</span> <span class="o">.</span><span class="na">path</span><span class="o">(</span><span class="s">"/"</span><span class="o">)</span> <span class="o">.</span><span class="na">inlinePolicies</span><span class="o">(</span> <span class="nc">Map</span><span class="o">.</span><span class="na">ofEntries</span><span class="o">(</span> <span class="nc">Map</span><span class="o">.</span><span class="na">entry</span><span class="o">(</span> <span class="s">"sqs"</span><span class="o">,</span> <span class="k">new</span> <span class="nf">PolicyDocument</span><span class="o">(</span> <span class="nc">PolicyDocumentProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">assignSids</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">statements</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="k">new</span> <span class="nf">PolicyStatement</span><span class="o">(</span> <span class="nc">PolicyStatementProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"sqs:DeleteMessage"</span><span class="o">,</span> <span class="s">"sqs:ReceiveMessage"</span><span class="o">,</span> <span class="s">"sqs:SendMessage"</span><span class="o">,</span> <span class="s">"sqs:GetQueueAttributes"</span><span class="o">,</span> <span class="s">"sqs:GetQueueUrl"</span><span class="o">))</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="n">props</span><span class="o">.</span><span class="na">sqsQueueArn</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">())))</span> <span class="o">.</span><span class="na">build</span><span class="o">()))))</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The above CDK construct will create the following resources:</p> <ul> <li>A Security Group named <code>Webserver-security-group</code> that allow inbound traffic on <code>Port 22</code> for <strong>SSH</strong> connections and allow inbound traffic on <strong>Port 8089</strong>, which is the application connection port.</li> <li>A Key Pair named <code>ws-keypair</code> that will be used to connect to the app host via SSH. Since we are using CDK to build the infrastructure, if you need to download the private key (PEM file) after deployment, refer to my previous article on <a href="https://dev.to/nivekalara237/how-to-retrieve-the-private-key-file-pem-content-after-cloudformation-or-cdk-stack-deployment-50h4">How the retrieve the private key file PEM after Cloudformation or CDK stack creation[↗]</a>.</li> <li>An Ec2 Instance named <code>Webserver-Instance</code>.</li> <li>An IAM Role for the Ec2 Instance named <code>webserver-role</code>, which allows the spring Boot application hosted on the Ec2 Instance to establish connections with the Amazon SQS Queue (already created) and perform actions: <code>Delete Message</code>, <code>Receive Message</code>, <code>Send Message</code>, <code>Get Queue Attributes</code> and <code>Get Queue Url</code>.</li> </ul> <h4> Create the stack </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// MyStack.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">MyStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="nc">IVpc</span> <span class="n">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">NetworkContruct</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"NetworkResource"</span><span class="o">,</span> <span class="n">props</span><span class="o">).</span><span class="na">getVpc</span><span class="o">();</span> <span class="nc">IQueue</span> <span class="n">queue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">QueueConstruct</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"QueueResource"</span><span class="o">,</span> <span class="n">vpc</span><span class="o">,</span> <span class="n">props</span><span class="o">).</span><span class="na">getQueue</span><span class="o">();</span> <span class="nc">IInstance</span> <span class="n">webserver</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">ComputerConstruct</span><span class="o">(</span> <span class="k">this</span><span class="o">,</span> <span class="s">"ComputerResource"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">ComputerProps</span><span class="o">(</span><span class="n">vpc</span><span class="o">,</span> <span class="n">queue</span><span class="o">.</span><span class="na">getQueueArn</span><span class="o">()),</span> <span class="n">props</span><span class="o">)</span> <span class="o">.</span><span class="na">getComputer</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// Day17App.java</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Day017App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="k">new</span> <span class="nf">MyStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span><span class="s">"Day017Stack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_ACCOUNT"</span><span class="o">))</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"CDK_DEFAULT_REGION"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Create SpringBoot Consumer Application </h3> <p>To keep things simple and avoid complicating my life, I will use <code>Spring Cloud AWS</code> <a href="https://awspring.io/" rel="noopener noreferrer">Docs[↗]</a></p> <blockquote> <p>Spring Cloud AWS simplifies using AWS managed services in a Spring Framework and Spring Boot applications. It offers a convenient way to interact with AWS provided services using well-known Spring idioms and APIs.</p> </blockquote> <p>To configure the SQS service in my project, I will add the following beans in the configuration class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApplicationConfiguration</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsRegionProvider</span> <span class="nf">customRegionProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">InstanceProfileRegionProvider</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AwsCredentialsProvider</span> <span class="nf">customInstanceCredProvider</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">InstanceProfileCredentialsProvider</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>And the listener that captures all new message and prints their content.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Slf4j</span> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExampleSQSConsumer</span> <span class="o">{</span> <span class="nd">@SqsListener</span><span class="o">(</span><span class="n">queueNames</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"my-queue"</span> <span class="o">})</span> <span class="c1">// 👈👈</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">listen</span><span class="o">(</span><span class="nc">String</span> <span class="n">payload</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"******************* SQS Payload ***************"</span><span class="o">);</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Message Content: {}"</span><span class="o">,</span> <span class="n">payload</span><span class="o">);</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Received At: {}"</span><span class="o">,</span> <span class="nc">Date</span><span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="nc">Instant</span><span class="o">.</span><span class="na">now</span><span class="o">()));</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"************************************************"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>You can find the full project in my <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/day17/consumer-sqs-messages/apps/sqsconsumer" rel="noopener noreferrer">GitHub repo[↗]</a></p> <h3> Deployment </h3> <p>⚠️⚠️ Before run the deployment commands ensure that you have java installed on your host machine. I used Java 21 under MacOs to build this insfrastructure. </p> <p>Open the terminal anywhere and run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_017 cdk bootstrap <span class="nt">--profile</span> cdk-user cdk deploy <span class="nt">--profile</span> cdk-user Day017Stack </code></pre> </div> <h3> Resut </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjb9lcdmxok0l5jm9gvlk.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjb9lcdmxok0l5jm9gvlk.gif" alt="Result"></a></p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_017" rel="noopener noreferrer">GitHub Repo↗</a></p> sqs springboot aws java Deploying SonarQube on AWS EC2 with Cloud Development Kit(CDK): Extending the Database to Amazon RDS PostgreSQL Kevin Lactio Kemta Mon, 23 Sep 2024 13:17:54 +0000 https://forem.com/nivekalara237/deploying-sonarqube-on-aws-ec2-with-cloud-development-kitcdk-extending-the-database-to-amazon-rds-postgresql-5a7a https://forem.com/nivekalara237/deploying-sonarqube-on-aws-ec2-with-cloud-development-kitcdk-extending-the-database-to-amazon-rds-postgresql-5a7a <h6> <span>Day 016 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>In my previous post, <a href="https://dev.to/nivekalara237/step-by-step-guide-to-setting-up-and-deploying-sonarqube-on-an-aws-ec2-instance-using-aws-cloud-development-kit-cdk-34ll">Step-by-Step Guide to Setting Up and Deploying SonarQube on an AWS EC2 Instance Using AWS Cloud Development Kit (CDK)[↗]</a>, I demonstrated how to deploy a SonarQube Server on an EC2 instance. As the database were self-hosted in EC2 Instance, today, I will show you how to extend the database by integrating it with an external service like Amazon RDS or Aurora, rather than keeping it self-hosted within the server.</p> <h3> Why did I need to extend the SonarQube Database to a RDS PostgreSQL Instance? </h3> <p>Extending SonarQube's database to an external service like Amazon RDS (Relational Database Service) or Aurora (Amazon Severless Database managed) instead of keeping it inside the self-hosted SonarQube sever offers several advantages:</p> <ol> <li><p><code>Scalability</code>: Managed database like RDS and Aurora can handle inscreased workloads, provide more robust storage and offer auto-scaling feature by ensuring best permformance as your SonarQube instance grows.</p></li> <li><p><code>Reliability</code>: Provide high availability through automatic backups, replication and failover mechanisms. They reduce the risk of data loss and downtime in case of hardware failure.</p></li> <li><p><code>Security</code>: Offer built-in security features, including encryption at rest and in transit, network isolation through VPC and private subnet making your data more secure than self-managed (self-hosted) databases.</p></li> <li><p><code>Maintainance</code>: AWS handles regular maintenance tasks, such as backups, patching, and updates, reducing the burden on your infrastructure team.</p></li> </ol> <h3> Update the previous infrastructure to setting up a RDS PostgreSQL Instance for SonarQube </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmr2d7ku6fr0p2b67hz1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmr2d7ku6fr0p2b67hz1.png" alt="Image description" width="" height=""></a></p> <p>The infrastructure consists of the following components:</p> <ul> <li> <code>VPC</code> and two (02) <code>Subnets</code>(private and public subnet) to manage network traffic within the server and database instance.</li> <li> <code>Internet Gateway</code>to allow internet communication between our secured cloud environment and external networks.</li> <li> <code>Security group</code> to control access to the server and database based on IP addresses and ports connections.</li> <li> <code>EC2 Instance</code> to host the SonarQube server (including the Web Server, ElasticSearch, and Postgres Database).</li> <li> <code>Key Pair</code> the private key that allows external hosts to connect securely to the instance.</li> <li> <code>Secret Manager</code> to securely store the database user password.</li> <li> <code>IAM Role</code> to allow EC2 Instance to connect to Secret Manager and retrieve database password</li> <li> <code>Elastic IP (EIP)</code> - The static IP to attach to the EC2 Instance. It allows to maintain a fixed IP address aven if the instance is stopped of restarted.</li> <li> <code>Nat Gateway</code> to allow instance (here database instance) in a private subnet to connect to the internet or other AWS Service without exposing then to internet traffic.</li> <li> <code>RDS PostgreSQL</code> the database instance to host the sonarqube data.</li> </ul> <h4> Create the database Construct </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">interface</span> <span class="nx">DatabaseProps</span> <span class="kd">extends</span> <span class="nx">CustomProps</span> <span class="p">{</span> <span class="nl">vpc</span><span class="p">:</span> <span class="nx">IVpc</span><span class="p">,</span> <span class="nx">sg</span><span class="p">?:</span> <span class="nx">ISecurityGroup</span> <span class="c1">// the security group for SonarQube Server Instance</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Database</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_dbInstanceArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_passwordSecretArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_instanceEndpointUrl</span><span class="p">:</span> <span class="nx">string</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DatabaseProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">secret</span><span class="p">:</span> <span class="nx">ISecret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws_secretsmanager</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecretResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">database-instance-secret</span><span class="dl">'</span><span class="p">,</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseUsername</span> <span class="p">}),</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="na">excludeCharacters</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/@"`()[]</span><span class="se">\'</span><span class="dl">'</span><span class="p">,</span> <span class="na">includeSpace</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">securityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DatabaseSecurityGroupeResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sq-database-sg</span><span class="dl">'</span><span class="p">,</span> <span class="na">disableInlineRules</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Database instance security group</span><span class="dl">'</span> <span class="p">})</span> <span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">Peer</span><span class="p">.</span><span class="nf">securityGroupId</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">sg</span><span class="o">!</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">),</span> <span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">databasePort</span> <span class="o">??</span> <span class="mi">5432</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow EC2 to connect to the database instance</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DatabaseInstanceResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">engine</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseInstanceEngine</span><span class="p">.</span><span class="nf">postgres</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">PostgresEngineVersion</span><span class="p">.</span><span class="nx">VER_12_16</span> <span class="p">}),</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">networkType</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">NetworkType</span><span class="p">.</span><span class="nx">IPV4</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nf">selectSubnets</span><span class="p">({</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span> <span class="p">}),</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">BURSTABLE3</span><span class="p">,</span> <span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">),</span> <span class="na">publiclyAccessible</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">storageType</span><span class="p">:</span> <span class="nx">StorageType</span><span class="p">.</span><span class="nx">GP3</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">Credentials</span><span class="p">.</span><span class="nf">fromSecret</span><span class="p">(</span><span class="nx">secret</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseUsername</span><span class="p">),</span> <span class="na">allocatedStorage</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="na">databaseName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseName</span><span class="p">,</span> <span class="na">instanceIdentifier</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sonarqube-db-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databasePort</span> <span class="o">??</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span> <span class="nx">securityGroup</span> <span class="p">]</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_dbInstanceArn</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">instanceArn</span> <span class="k">this</span><span class="p">.</span><span class="nx">_passwordSecretArn</span> <span class="o">=</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">secretArn</span> <span class="k">this</span><span class="p">.</span><span class="nx">_instanceEndpointUrl</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nx">instanceEndpoint</span><span class="p">.</span><span class="nx">socketAddress</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">dbInstanceArn</span><span class="p">():</span> <span class="nx">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_dbInstanceArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">passwordSecretArn</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_passwordSecretArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">instanceEndpointUrl</span><span class="p">():</span> <span class="nx">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_instanceEndpointUrl</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The important thing to know here is the snippet code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">Peer</span><span class="p">.</span><span class="nf">securityGroupId</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">sg</span><span class="o">!</span><span class="p">.</span><span class="nx">securityGroupId</span><span class="p">),</span> <span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">databasePort</span> <span class="o">??</span> <span class="mi">5432</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow EC2 to connect to the database instance</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>This code allows communication between the database and the EC2 instance server through the specified port.</p> <h4> Update the Stack </h4> <p>This is the update for the stack created in the previous article <a href="https://dev.to/nivekalara237/step-by-step-guide-to-setting-up-and-deploying-sonarqube-on-an-aws-ec2-instance-using-aws-cloud-development-kit-cdk-34ll">[↗]</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">SonarServerInfrastructureStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">....</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PublicVpcResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sq-public-subnet-webserver</span><span class="dl">'</span><span class="p">,</span> <span class="na">mapPublicIpOnLaunch</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sq-private-subnet-database</span><span class="dl">'</span> <span class="p">}]</span> <span class="p">})</span> <span class="nx">sonarQubeSG</span><span class="p">.</span><span class="nf">addEgressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">databasePort</span> <span class="o">??</span> <span class="mi">5432</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow outbound traffic to database instance</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// set up the database instance</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DatabaseResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">props</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">sg</span><span class="p">:</span> <span class="nx">sonarQubeSG</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">sonarQubeServer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SonarQubeServerInstanceResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span> <span class="na">role</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Ec2RoleResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">roleName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ec2-role-and-permission</span><span class="dl">'</span><span class="p">,</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretsManager</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">secretsManager:GetSecretValue</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secretsManager:DescribeSecret</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">db</span><span class="p">.</span><span class="nx">passwordSecretArn</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{}</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">})</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">userDataEncoded</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forLinux</span><span class="p">()</span> <span class="nx">userDataEncoded</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">./assets/sonarqube-server.sh</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">))</span> <span class="nx">sonarQubeServer</span><span class="p">.</span><span class="nf">addUserData</span><span class="p">(</span><span class="nx">userDataEncoded</span><span class="p">.</span><span class="nf">render</span><span class="p">()</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">{{DB_NAME}}</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseName</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">sonarqube</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">{{DB_USER}}</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">databaseUsername</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">sonar</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">{{SECRET_ARN}}</span><span class="dl">'</span><span class="p">,</span> <span class="nx">db</span><span class="p">.</span><span class="nx">passwordSecretArn</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">{{DB_SOCKET_ADDRESS}}</span><span class="dl">'</span><span class="p">,</span> <span class="nx">db</span><span class="p">.</span><span class="nx">instanceEndpointUrl</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>PRIVATE_WITH_EGRESS</code> - In the vpc configuration, we had added a new entry of subnet of type PRIVATE_WITH_EGRESS, meaning that it can access the internet but is not exposed to inbound internet traffic.</li> <li> <code>Egress rule</code> - Allows the SonarQube server to send traffic to the database instance on the specified port (default 5432 for PostgreSQL)</li> <li> <p><code>New User data scripts</code> As we no longer need the self-hosted database, we have to replace the database connection properties with the new ones:<br> </p> <pre class="highlight javascript"><code><span class="err">##</span> <span class="nx">Update</span> <span class="kr">package</span> <span class="nx">index</span> <span class="nx">sudo</span> <span class="nx">apt</span> <span class="nx">update</span> <span class="err">##</span> <span class="nx">Install</span> <span class="nx">OpenJDK</span> <span class="mi">17</span> <span class="nx">sudo</span> <span class="nx">apt</span> <span class="nx">install</span> <span class="o">-</span><span class="nx">y</span> <span class="nx">openjdk</span><span class="o">-</span><span class="mi">17</span><span class="o">-</span><span class="nx">jdk</span> <span class="nx">zip</span> <span class="nx">unzip</span> <span class="err">##</span> <span class="nb">Set</span> <span class="nx">up</span> <span class="nx">the</span> <span class="nx">JAVA_HOME</span> <span class="nx">environment</span> <span class="nx">variable</span> <span class="nx">echo</span> <span class="dl">"</span><span class="s2">export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which java))))</span><span class="dl">"</span> <span class="o">|</span> <span class="nx">sudo</span> <span class="nx">tee</span> <span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">profile</span><span class="p">.</span><span class="nx">d</span><span class="o">/</span><span class="nx">jdk</span><span class="p">.</span><span class="nx">sh</span> <span class="nx">source</span> <span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">profile</span><span class="p">.</span><span class="nx">d</span><span class="o">/</span><span class="nx">jdk</span><span class="p">.</span><span class="nx">sh</span> <span class="err">##</span> <span class="nx">download</span> <span class="nx">sonarqube</span> <span class="nx">server</span> <span class="o">-</span> <span class="nx">community</span> <span class="nx">version</span> <span class="nx">wget</span> <span class="nx">https</span><span class="p">:</span><span class="c1">//binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.6.92038.zip</span> <span class="err">##</span> <span class="nx">unzip</span> <span class="nx">content</span> <span class="nx">unzip</span> <span class="nx">sonarqube</span><span class="o">-*</span><span class="p">.</span><span class="nx">zip</span> <span class="nx">sudo</span> <span class="nx">mv</span> <span class="nx">sonarqube</span><span class="o">-</span><span class="mf">9.9</span><span class="p">.</span><span class="mf">6.92038</span> <span class="nx">sonarqube</span> <span class="nx">sudo</span> <span class="nx">mv</span> <span class="nx">sonarqube</span> <span class="o">/</span><span class="nx">opt</span><span class="o">/</span> <span class="err">##</span> <span class="nx">Create</span> <span class="nx">sonarqube</span> <span class="nx">user</span> <span class="nx">and</span> <span class="nx">its</span> <span class="nx">group</span> <span class="nx">sudo</span> <span class="nx">groupadd</span> <span class="nx">sonarqube</span> <span class="nx">sudo</span> <span class="nx">useradd</span> <span class="o">-</span><span class="nx">d</span> <span class="o">/</span><span class="nx">opt</span><span class="o">/</span><span class="nx">sonarqube</span> <span class="o">-</span><span class="nx">g</span> <span class="nx">sonarqube</span> <span class="nx">sonarqube</span> <span class="nx">sudo</span> <span class="nx">chown</span> <span class="o">-</span><span class="nx">R</span> <span class="nx">sonarqube</span><span class="p">:</span><span class="nx">sonarqube</span> <span class="o">/</span><span class="nx">opt</span><span class="o">/</span><span class="nx">sonarqube</span> <span class="err">##</span> <span class="nx">Insert</span> <span class="nx">user</span> <span class="nx">runner</span> <span class="nx">after</span> <span class="s2">`APP_NAME="SonarQube"`</span> <span class="nx">line</span> <span class="nx">sudo</span> <span class="nx">sed</span> <span class="o">-</span><span class="nx">i</span> <span class="dl">'</span><span class="s1">s/APP_NAME="SonarQube"/APP_NAME="SonarQube"</span><span class="se">\n\n</span><span class="s1">RUN_AS_USER=sonarqube/</span><span class="dl">'</span> <span class="o">/</span><span class="nx">opt</span><span class="o">/</span><span class="nx">sonarqube</span><span class="o">/</span><span class="nx">bin</span><span class="o">/</span><span class="nx">linux</span><span class="o">-</span><span class="nx">x86</span><span class="o">-</span><span class="mi">64</span><span class="o">/</span><span class="nx">sonar</span><span class="p">.</span><span class="nx">sh</span> <span class="err">##</span> <span class="nx">create</span> <span class="nx">sonarqube</span> <span class="nx">launcher</span> <span class="nx">service</span> <span class="nx">sudo</span> <span class="nx">tee</span> <span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">systemd</span><span class="o">/</span><span class="nx">system</span><span class="o">/</span><span class="nx">sonarqube</span><span class="p">.</span><span class="nx">service</span> <span class="o">&lt;&lt;</span><span class="nx">EOF</span> <span class="p">[</span><span class="nx">Unit</span><span class="p">]</span> <span class="nx">Description</span><span class="o">=</span><span class="nx">SonarQube</span> <span class="nx">service</span> <span class="nx">After</span><span class="o">=</span><span class="nx">syslog</span><span class="p">.</span><span class="nx">target</span> <span class="nx">network</span><span class="p">.</span><span class="nx">target</span> <span class="p">[</span><span class="nx">Service</span><span class="p">]</span> <span class="nx">Type</span><span class="o">=</span><span class="nx">forking</span> <span class="nx">User</span><span class="o">=</span><span class="nx">sonarqube</span> <span class="nx">Group</span><span class="o">=</span><span class="nx">sonarqube</span> <span class="nx">PermissionsStartOnly</span><span class="o">=</span><span class="kc">true</span> <span class="nx">ExecStart</span><span class="o">=</span><span class="sr">/opt/</span><span class="nx">sonarqube</span><span class="o">/</span><span class="nx">bin</span><span class="o">/</span><span class="nx">linux</span><span class="o">-</span><span class="nx">x86</span><span class="o">-</span><span class="mi">64</span><span class="o">/</span><span class="nx">sonar</span><span class="p">.</span><span class="nx">sh</span> <span class="nx">start</span> <span class="nx">ExecStop</span><span class="o">=</span><span class="sr">/opt/</span><span class="nx">sonarqube</span><span class="o">/</span><span class="nx">bin</span><span class="o">/</span><span class="nx">linux</span><span class="o">-</span><span class="nx">x86</span><span class="o">-</span><span class="mi">64</span><span class="o">/</span><span class="nx">sonar</span><span class="p">.</span><span class="nx">sh</span> <span class="nx">stop</span> <span class="nx">StandardOutput</span><span class="o">=</span><span class="nx">journal</span> <span class="nx">LimitNOFILE</span><span class="o">=</span><span class="mi">131072</span> <span class="nx">LimitNPROC</span><span class="o">=</span><span class="mi">8192</span> <span class="nx">TimeoutStartSec</span><span class="o">=</span><span class="mi">5</span> <span class="nx">Restart</span><span class="o">=</span><span class="nx">always</span> <span class="nx">SuccessExitStatus</span><span class="o">=</span><span class="mi">143</span> <span class="p">[</span><span class="nx">Install</span><span class="p">]</span> <span class="nx">WantedBy</span><span class="o">=</span><span class="nx">multi</span><span class="o">-</span><span class="nx">user</span><span class="p">.</span><span class="nx">target</span> <span class="nx">EOF</span> <span class="err">##</span> <span class="nx">Installing</span> <span class="nx">AWS</span><span class="o">-</span><span class="nx">CLI</span> <span class="nx">sudo</span> <span class="nx">snap</span> <span class="nx">install</span> <span class="nx">aws</span><span class="o">-</span><span class="nx">cli</span> <span class="o">--</span><span class="nx">classic</span> <span class="nx">sudo</span> <span class="nx">tee</span> <span class="o">/</span><span class="nx">opt</span><span class="o">/</span><span class="nx">sonarqube</span><span class="o">/</span><span class="nx">conf</span><span class="o">/</span><span class="nx">sonar</span><span class="p">.</span><span class="nx">properties</span> <span class="o">&lt;&lt;</span><span class="nx">EOF</span> <span class="nx">sonar</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">port</span><span class="o">=</span><span class="mi">9000</span> <span class="nx">sonar</span><span class="p">.</span><span class="nx">jdbc</span><span class="p">.</span><span class="nx">username</span><span class="o">=</span><span class="p">{{</span><span class="nx">DB_USER</span><span class="p">}}</span> <span class="nx">sonar</span><span class="p">.</span><span class="nx">jdbc</span><span class="p">.</span><span class="nx">password</span><span class="o">=</span><span class="nf">$</span><span class="p">(</span><span class="nx">aws</span> <span class="nx">secretsmanager</span> <span class="kd">get</span><span class="o">-</span><span class="nx">secret</span><span class="o">-</span><span class="nx">value</span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">id</span> <span class="p">{{</span><span class="nx">SECRET_ARN</span><span class="p">}}</span> <span class="o">|</span> <span class="nx">jq</span> <span class="o">--</span><span class="nx">raw</span><span class="o">-</span><span class="nx">output</span> <span class="dl">'</span><span class="s1">.SecretString</span><span class="dl">'</span> <span class="o">|</span> <span class="nx">jq</span> <span class="o">-</span><span class="nx">r</span> <span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="nx">sonar</span><span class="p">.</span><span class="nx">jdbc</span><span class="p">.</span><span class="nx">url</span><span class="o">=</span><span class="nx">jdbc</span><span class="p">:</span><span class="nx">postgresql</span><span class="p">:</span><span class="c1">//{{DB_SOCKET_ADDRESS}}/{{DB_NAME}}</span> <span class="nx">EOF</span> <span class="err">##</span> <span class="nx">Start</span> <span class="nx">SonarQube</span> <span class="nx">Server</span> <span class="nx">sudo</span> <span class="nx">systemctl</span> <span class="nx">enable</span> <span class="nx">sonarqube</span><span class="p">.</span><span class="nx">service</span> <span class="nx">sudo</span> <span class="nx">systemctl</span> <span class="nx">start</span> <span class="nx">sonarqube</span><span class="p">.</span><span class="nx">service</span> </code></pre> </li> </ul> <h3> Deploy the stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">()</span> <span class="k">new</span> <span class="nc">SonarServerInfrastructureStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Day016Stack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.0.0.1/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">databaseName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sonarqubedb</span><span class="dl">'</span><span class="p">,</span> <span class="na">databaseUsername</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sonar</span><span class="dl">'</span><span class="p">,</span> <span class="na">databasePort</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_REGION</span><span class="p">,</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">synth</span><span class="p">()</span> </code></pre> </div> <p>Open the terminal anywhere and run the following commande:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_016 cdk deploy <span class="nt">--profile</span> cdk-user Day016Stack </code></pre> </div> <p>After the deployment, open the browser and type this url <a href="http://PUBLIC_IP_or_DNS:9000" rel="noopener noreferrer">http://PUBLIC_IP_or_DNS:9000</a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7te1puik9glqirqknes2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7te1puik9glqirqknes2.png" alt="SonarQube Web Server Result" width="" height=""></a></p> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_016" rel="noopener noreferrer">GitHub Repo↗</a></p> sonarqube devops aws postgres Step-by-Step Guide to Setting Up and Deploying SonarQube on an AWS EC2 Instance Using AWS Cloud Development Kit (CDK) Kevin Lactio Kemta Sat, 21 Sep 2024 13:17:02 +0000 https://forem.com/nivekalara237/step-by-step-guide-to-setting-up-and-deploying-sonarqube-on-an-aws-ec2-instance-using-aws-cloud-development-kit-cdk-34ll https://forem.com/nivekalara237/step-by-step-guide-to-setting-up-and-deploying-sonarqube-on-an-aws-ec2-instance-using-aws-cloud-development-kit-cdk-34ll <h6> <span>Day 015 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Today in my serie of 100 days of code challenge, I am going to show you step by step how to deploy <code>SonarQube Server</code> into an AWS EC2 Instance using AWS Cloud Development Kit (CDK). </p> <h3> What is SonarQube ? </h3> <p><code>SonarQube</code> is an open-source application that automates the process of code quality analysis. It scans your codebase to detect issues such as bugs, security vulnerabilities, code smells (maintainability issues), and technical debt. It provides comprehensive reports and metrics on your code quality, helping teams identify and fix problems early in the development process.</p> <h3> Why do you need to use it in your application ? </h3> <p><code>SonarQube</code> helps developers write clean, secure, and maintainable code by offering real-time insights and automated feedback during the software development lifecycle. Using SonarQube in your application development provides several critical benefits:</p> <ol> <li> <strong>Code Quality Checks</strong>: Detects issues related to code quality, including bugs and inefficient code practices.</li> <li> <strong>Security Vulnerabilities</strong>: Identifies potential security risks such as SQL injections and cross-site scripting (XSS).</li> <li> <strong>Reduces Technical Debt</strong>: Measures code complexity, duplication, and other factors that affect the maintainability of your project.</li> <li> <strong>Supports Continuous Integration</strong>: Can integrate with CI/CD pipelines (e.g., Jenkins, GitLab, Github-Actions) for automatic code scanning during development.</li> </ol> <h3> how to install SonarQube on an AWS EC2 Instance? </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jgqth3cad6dse24wisn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jgqth3cad6dse24wisn.png" alt="Image post" width="" height=""></a></p> <p>To achieve this, we will use AWS CDK to create the infrastructure required. The infrastructure consists of the following components:</p> <ul> <li> <code>VPC</code> and a <code>Public Subnet</code>to manage network traffic within the server.</li> <li> <code>Internet Gateway</code>to allow internet communication between our secured cloud environment and external networks.</li> <li> <code>Security group</code> to control access to the server based on IP addresses and ports connections.</li> <li> <code>EC2 Instance</code> to host the SonarQube server (including the Web Server, ElasticSearch, and Postgres Database).</li> <li> <code>Key Pair</code> the private key that allows external hosts to connect securely to the instance.</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwof8abmbh6ith47knw3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwof8abmbh6ith47knw3.png" alt="Diagram" width="" height=""></a></p> <h5> Create the CDK Stack </h5> <h6> VPC, Subnet and Internet Gateway </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">interface</span> <span class="nx">CustomProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">cidr</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SonarServerInfrastructureStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PublicVpcResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sonarqube-server-vpc</span><span class="dl">'</span><span class="p">,</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ipAddresses</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IpAddresses</span><span class="p">.</span><span class="nf">cidr</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">cidr</span><span class="p">),</span> <span class="na">createInternetGateway</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sq-public-subnet</span><span class="dl">'</span><span class="p">,</span> <span class="na">mapPublicIpOnLaunch</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>enableDnsHostnames/enableDnsSupport</code> - These two options ensure that instances launched in the VPC will have DNS resolution capabilities.</li> <li> <code>ipAddresses</code> - The VPC's CIDR block. It is provided as <code>props.cidr</code>, making it configurable.</li> <li> <code>subnetConfiguration</code> - Configures a public subnet. The configuration creates a public subnet ('<strong>sq-public-subnet</strong>'), with the option to map public IP addresses to instances on launch</li> <li> <code>createInternetGateway</code> - Automatically creates an Internet Gateway for external communication</li> </ul> <h6> Security group </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">sonarQubeSG</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SonarQubeSecuGroupResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SonarSecurityGroup</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllIpv6Outbound</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Inbound and outbound traffic to sonarqube server</span><span class="dl">'</span><span class="p">,</span> <span class="na">disableInlineRules</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="p">})</span> <span class="nx">sonarQubeSG</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nx">SSH</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Allow ssh traffic</span><span class="dl">'</span><span class="p">)</span> <span class="nx">sonarQubeSG</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nx">HTTPS</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Allow https traffic</span><span class="dl">'</span><span class="p">)</span> <span class="nx">sonarQubeSG</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">9000</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow custom port traffic</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>To allow any IP address (i.e., 0.0.0.0/0) to connect to the SonarQube server on port 9000, we have defined an ingress rule in the Security Group that is attached to your EC2 instance. This allows traffic to the SonarQube application, which runs on port 9000.</p> <h6> SonarQube Web Server (EC2 Instance) + KeyPair </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">keypair</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">KeyPair</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">KeyPairResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">keyPairName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sonarqube-server-keypair</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">KeyPairType</span><span class="p">.</span><span class="nx">RSA</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">KeyPairFormat</span><span class="p">.</span><span class="nx">PEM</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">sonarQubeServer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SonarQubeServerInstanceResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Sonarqube-server</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">sonarQubeSG</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T2</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MEDIUM</span><span class="p">),</span> <span class="na">keyPair</span><span class="p">:</span> <span class="nx">keypair</span><span class="p">,</span> <span class="na">associatePublicIpAddress</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userDataCausesReplacement</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">lookup</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*ubuntu*</span><span class="dl">'</span><span class="p">,</span> <span class="na">filters</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">image-id</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ami-0e86e20dae9224db8</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">architecture</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">x86_64</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">windows</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}),</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nf">selectSubnets</span><span class="p">({</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span> <span class="p">}),</span> <span class="na">blockDevices</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">deviceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/dev/sda1</span><span class="dl">'</span><span class="p">,</span> <span class="na">mappingEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span><span class="c1">// to override the default Volume mounted automatically on creation</span> <span class="na">volume</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">BlockDeviceVolume</span><span class="p">.</span><span class="nf">ebs</span><span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="p">{</span> <span class="na">volumeType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">EbsDeviceVolumeType</span><span class="p">.</span><span class="nx">GP3</span><span class="p">,</span> <span class="na">deleteOnTermination</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">userDataEncoded</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forLinux</span><span class="p">()</span> <span class="nx">userDataEncoded</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">./assets/sonarqube-server.sh</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">))</span> <span class="nx">sonarQubeServer</span><span class="p">.</span><span class="nf">addUserData</span><span class="p">(</span><span class="nx">userDataEncoded</span><span class="p">.</span><span class="nf">render</span><span class="p">())</span> <span class="c1">// display the ARN of private key in AWS Parameter Store</span> <span class="k">new</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SonarqubeKeyPairParamArn</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">keypair</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">.</span><span class="nx">parameterArn</span> <span class="p">})</span> <span class="c1">// Optionally store the private key locally</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">./assets/private_key.pem</span><span class="dl">'</span><span class="p">,</span> <span class="nx">keypair</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">.</span><span class="nx">stringValue</span><span class="p">,</span> <span class="p">{</span> <span class="na">flag</span><span class="p">:</span> <span class="dl">'</span><span class="s1">w</span><span class="dl">'</span><span class="p">,</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <ul> <li> <code>Key Pair Creation</code> - We create an RSA key pair that will be used to securely connect to the EC2 instance. The private key is stored either in <code>AWS Parameter Store</code>, retrieved using <em>keypair.privateKey.parameterArn</em> or locally as a PEM file <em>private_key.pem</em>.</li> <li> <code>EC2 Instance Configuration</code> - we create a new EC2 instance named <code>Sonarqube-server</code>. The instance is provisioned in the public subnet of the VPC and is attached to the security group that allows access to port 9000. The AMI is filtered using its ID and architecture (<code>ami-0e86e20dae9224db8</code>), and the instance type is <code>t2.medium</code>. The instance has a block device configured with a <code>30Go</code> GP3 EBS volume that will be deleted upon termination.</li> <li> <p><code>User Data Configuration</code> - The instance is initialized with a user data script from <code>assets/sonarqube-server.sh</code>, which is executed upon instance launch to configure SonarQube on the server. The bolow code is the content of user data bootstrap source:<br> </p> <pre class="highlight shell"><code><span class="c"># Update package index</span> <span class="nb">sudo </span>apt update <span class="c"># Install OpenJDK 17, zip and unzip</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> openjdk-17-jdk zip unzip <span class="c"># Set up the JAVA_HOME environment variable</span> <span class="nb">echo</span> <span class="s2">"export JAVA_HOME=</span><span class="si">$(</span><span class="nb">dirname</span> <span class="si">$(</span><span class="nb">dirname</span> <span class="si">$(</span><span class="nb">readlink</span> <span class="nt">-f</span> <span class="si">$(</span>which java<span class="si">))))</span><span class="s2">"</span> | <span class="nb">sudo tee</span> /etc/profile.d/jdk.sh <span class="nb">source</span> /etc/profile.d/jdk.sh <span class="c"># Installing Postgres</span> <span class="nb">sudo </span>sh <span class="nt">-c</span> <span class="s1">'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" /etc/apt/sources.list.d/pgdg.list'</span> wget <span class="nt">-q</span> https://www.postgresql.org/media/keys/ACCC4CF8.asc <span class="nt">-O</span> - | <span class="nb">sudo </span>apt-key add - <span class="nb">sudo </span>apt <span class="nb">install </span>postgresql postgresql-contrib <span class="nt">-y</span> <span class="c"># Initiate the database server to begin operations</span> <span class="nb">sudo </span>systemctl <span class="nb">enable </span>postgresql <span class="nb">sudo </span>systemctl start postgresql <span class="c"># Create database and its owner</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="nt">-c</span> <span class="s2">"CREATE DATABASE sonarqubedb;"</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="nt">-c</span> <span class="s2">"CREATE USER sonar WITH ENCRYPTED PASSWORD 'sonar';"</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="nt">-c</span> <span class="s2">"GRANT ALL ON SCHEMA public TO sonar;"</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="nt">-c</span> <span class="s2">"GRANT ALL PRIVILEGES ON DATABASE sonarqubedb TO sonar;"</span> <span class="nb">sudo</span> <span class="nt">-u</span> postgres psql <span class="nt">-c</span> <span class="s2">"ALTER DATABASE sonarqubedb OWNER TO sonar;"</span> <span class="c"># download sonarqube server - community version</span> <span class="c"># shellcheck disable=SC2317</span> wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.6.92038.zip <span class="c"># unzip content</span> <span class="c"># shellcheck disable=SC2317</span> unzip sonarqube-<span class="k">*</span>.zip <span class="nb">sudo mv </span>sonarqube-9.9.6.92038 sonarqube <span class="nb">sudo mv </span>sonarqube /opt/ <span class="c"># Create sonarqube user and its group</span> <span class="nb">sudo </span>groupadd sonarqube <span class="nb">sudo </span>useradd <span class="nt">-d</span> /opt/sonarqube <span class="nt">-g</span> sonarqube sonarqube <span class="nb">sudo chown</span> <span class="nt">-R</span> sonarqube:sonarqube /opt/sonarqube <span class="c"># Insert user runner after `APP_NAME="SonarQube"` line</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/APP_NAME="SonarQube"/APP_NAME="SonarQube"\n\nRUN_AS_USER=sonarqube/'</span> /opt/sonarqube/bin/linux-x86-64/sonar.sh <span class="c"># create sonarqube launcher service</span> <span class="nb">sudo tee</span> /etc/systemd/system/sonarqube.service <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> [Unit] Description=SonarQube service After=syslog.target network.target [Service] Type=forking User=sonarqube Group=sonarqube PermissionsStartOnly=true ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop StandardOutput=journal LimitNOFILE=131072 LimitNPROC=8192 TimeoutStartSec=5 Restart=always SuccessExitStatus=143 [Install] WantedBy=multi-user.target </span><span class="no">EOF </span><span class="c"># Configuring the database</span> <span class="nb">sudo tee</span> /opt/sonarqube/conf/sonar.properties <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> sonar.web.port=9000 sonar.jdbc.username=sonar sonar.jdbc.password=sonar sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqubedb </span><span class="no">EOF </span><span class="c"># Start SonarQube Server</span> <span class="nb">sudo </span>systemctl <span class="nb">enable </span>sonarqube.service <span class="nb">sudo </span>systemctl start sonarqube.service </code></pre> <p>For better security, it is recommended not to hard-code sensitive data such as database usernames and passwords. Instead, use services like <code>AWS Systems Manager Parameter Store</code>, <code>AWS Secrets Manager</code>, or alternatives such as <code>HashiCorp Vault</code> to securely manage and access sensitive information.</p> </li> </ul> <h3> Deploy the stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">()</span> <span class="k">new</span> <span class="nc">SonarServerInfrastructureStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Day015Stack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">10.0.0.1/16</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_REGION</span><span class="p">,</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">synth</span><span class="p">()</span> </code></pre> </div> <p>Open the terminal anywhere and run the following commande:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_015 cdk deploy <span class="nt">--profile</span> cdk-user Day015Stack </code></pre> </div> <p>After the deployment, open the browser and type this url <a href="http://PUBLIC_IP_or_DNS:9000" rel="noopener noreferrer">http://PUBLIC_IP_or_DNS:9000</a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7te1puik9glqirqknes2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7te1puik9glqirqknes2.png" alt="SonarQube Web Server Result" width="" height=""></a><br> __</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_015" rel="noopener noreferrer">GitHub Repo↗</a></p> sonarqube aws devops cdk Create Test Coverage Visualizer and Deploy to AWS S3 with Cloud development Kit (CDK) and GitHub Actions Kevin Lactio Kemta Mon, 02 Sep 2024 13:40:11 +0000 https://forem.com/nivekalara237/create-test-coverage-visualizer-and-deploy-to-aws-s3-with-cloud-development-kit-cdk-and-github-actions-1j10 https://forem.com/nivekalara237/create-test-coverage-visualizer-and-deploy-to-aws-s3-with-cloud-development-kit-cdk-and-github-actions-1j10 <h6> <span>Day 014 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>In my previous article, <a href="https://dev.to/nivekalara237/effortless-automation-configuring-cicd-for-npm-library-publishing-with-github-actions-6l9">Configuring CI/CD for NPM Library Publishing with GitHub Actions</a>, I explored automating various tasks with GitHub Actions. In this follow-up, I'll focus on how to integrate the automation of test coverage uploads to an S3 bucket.</p> <h3> Why Centralize Test Coverage Reporting? </h3> <p>In the software development, maintaining high code quality is crucial for delivering reliable and efficient products. One of the key aspects of ensuring code quality is monitoring code coverage, the measure of how much of your code is tested. However, as projects grow in complexity, keeping track of coverage metrics across multiple components and teams can become challenging. This is why centralizing your test coverage becomes more valuable by bringing all your coverage data into a single, unified platform. You can streamline analysis, enhance collaboration, and ensure that your entire codebase meets the necessary standards. In this article, I will show you how I centralized the tests coverage of my NPM library.</p> <p>The process will involve the following steps:</p> <ul> <li><p><strong>Create and AWS infrastructure for hosting the coverage visualizer</strong> - Set up the necessary AWS resources to host and securely serve coverage visualizer on the internet. This involves using AWS S3 for storage and AWS CloudFront as a Content Delivery Network (CDN) to improve availability and security.</p></li> <li><p><strong>Create user with less privilege to update files to the bucket</strong> - Enhance security by creating an AWS IAM user with limited permissions to upload files to the S3 bucket for security reason. This user will be used by your GitHub Actions workflow to push the coverage reports to S3.</p></li> <li><p><strong>Set Up the GitHub Actions job to upload test coverage file to S3 Bucket</strong> - Automate the process of uploading test coverage reports to the S3 bucket after every successful release using GitHub Actions. This ensures that the latest coverage data is always available on the visualizer. Also give the ability to run this job manually.</p></li> </ul> <h3> Flow diagram </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvylufzwsgf0yxmvzdgud.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvylufzwsgf0yxmvzdgud.jpg" alt="Image description" width="800" height="471"></a></p> <h3> 1. Create and AWS infrastructure for hosting the coverage visualizer </h3> <p>In a previous segment of the 100 Days of Code Challenge series, I demonstrated how to create and host an Angular App in an S3 Bucket as a static website. In this section, I will use the same AWS resources to host the coverage visualizer. This will involve the following:</p> <ul> <li> <strong>S3 Bucket</strong> We'll use <code>S3</code> to store the visualizer files.</li> <li> <strong>AWS CloudFront for Content Distribution</strong> - <code>CloudFront</code> will distribute the content globally, just like an S3 static website. We will secure it with HTTPS by using SSL at this layer. Additionally, we'll configure S3 to accept traffic only from CloudFront and enforce that all traffic must be secure.</li> <li> <strong>Route 53 for Subdomain Configuration</strong> We will configure a subdomain for your visualizer using Route 53.</li> <li> <strong>IAM User</strong> We'll create an IAM user that GitHub Actions will use to upload files to the S3 Bucket. This IAM user will have limited permissions, specifically only to <code>PutObject</code> inside the bucket, ensuring a minimal access for better security need.</li> </ul> <h5> 1.a S3 Bucket </h5> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">interface</span> <span class="nx">S3WbesiteProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nx">origins</span><span class="p">?:</span> <span class="nx">string</span><span class="p">[]</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">S3Website</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_bucket</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">IBucket</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_baseSegment</span><span class="p">:</span> <span class="nx">string</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="kr">private</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">S3WbesiteProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">bucketName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">coverage-visualizer-sws-o8stnnkqmos1v</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">defSeg</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">co2visualizer</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">wsBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebsiteBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="nx">bucketName</span><span class="p">,</span> <span class="na">versioned</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">blockPublicAccess</span><span class="p">:</span> <span class="p">{</span> <span class="na">blockPublicPolicy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">blockPublicAcls</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">ignorePublicAcls</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">restrictPublicBuckets</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">objectLockEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">objectOwnership</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">ObjectOwnership</span><span class="p">.</span><span class="nx">BUCKET_OWNER_PREFERRED</span><span class="p">,</span> <span class="na">websiteIndexDocument</span><span class="p">:</span> <span class="s2">`index.html`</span><span class="p">,</span> <span class="na">websiteErrorDocument</span><span class="p">:</span> <span class="s2">`error.html`</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span> <span class="p">})</span> <span class="nx">wsBucket</span><span class="p">.</span><span class="nf">addCorsRule</span><span class="p">({</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="p">[</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">HEAD</span><span class="p">,</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">GET</span> <span class="p">],</span> <span class="na">allowedOrigins</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">origins</span> <span class="o">||</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="na">maxAge</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">).</span><span class="nf">toSeconds</span><span class="p">()</span> <span class="p">})</span> <span class="nx">wsBucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">31</span><span class="p">),</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">ONE_ZONE_INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">}]</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_bucket</span> <span class="o">=</span> <span class="nx">wsBucket</span> <span class="k">this</span><span class="p">.</span><span class="nx">_baseSegment</span> <span class="o">=</span> <span class="nx">defSeg</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">bucket</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_bucket</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">baseSegment</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_baseSegment</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>versioned</code> - is set to false to disable versioning of objects in the bucket. This configuration ensures that only the latest version of each file is retained, which is ideal for scenarios where you only need the most recent file.</li> <li> <code>blockPublicAccess.blockPublicPolicy</code> - to enforcing a critical security measure that prevents the bucket from being publicly accessible via a bucket-wide public policy.</li> <li> <code>objectLockEnabled</code> - Enables object lock for data protection</li> <li> <code>objectOwnership</code>- is setted to <code>BUCKET_OWNER_PREFERRED</code>, to ensure that the bucket owner retains control over all objects, making access management easier, more secure, and consistent. This setting is particularly useful in environments where multiple users or automated processes are uploading objects to the bucket.</li> <li> <code>autoDeleteObjects</code> - automatically deletes all objects when the bucket is destroyed.</li> <li> <p><code>Lifecycle Rules</code> - Manages the storage of objects in the bucket<br> </p> <pre class="highlight javascript"><code><span class="nx">wsBucket</span><span class="p">.</span><span class="nf">addLifecycleRule</span><span class="p">({</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">expiration</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="na">transitions</span><span class="p">:</span> <span class="p">[{</span> <span class="na">storageClass</span><span class="p">:</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">StorageClass</span><span class="p">.</span><span class="nx">INFREQUENT_ACCESS</span><span class="p">,</span> <span class="na">transitionAfter</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">}]</span> <span class="p">})</span> </code></pre> <ul> <li> <code>expiration</code> - deletes objects after 90 dayls</li> <li> <code>transitionAfter</code> - Moves Obejects to <code>Infrequent Access</code> storage after 30 days.</li> </ul> </li> </ul> <blockquote> <p>This CDK Construct automates the setup of an S3 bucket configured as a static website, with additional features like CORS, object lifecycle management, and security controls. It abstracts the complexity of configuring these AWS services, providing a reusable and secure way to host static content.</p> </blockquote> <h4> 1.b. CloudFront &amp; Route 53 Subdomain configuration </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">WebsiteDistributionProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">websiteBucketName</span><span class="p">:</span> <span class="nx">string</span><span class="p">;</span> <span class="nl">mainDomain</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">acm</span><span class="p">:</span> <span class="p">{</span> <span class="nl">certificateArn</span><span class="p">:</span> <span class="nx">string</span> <span class="p">},</span> <span class="nx">distribution</span><span class="p">:</span> <span class="p">{</span> <span class="nl">subDomain</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WebsiteDistribution</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_distributionUrl</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_distributionArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_viewersUrl</span><span class="p">:</span> <span class="nx">string</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">WebsiteDistributionProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">.</span><span class="nf">fromBucketName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`BucketName_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">websiteBucketName</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Certificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">acm</span><span class="p">?.</span><span class="nx">certificateArn</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">cachePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">CachePolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cachePolicyName</span><span class="p">:</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">enableAcceptEncodingGzip</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableAcceptEncodingBrotli</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">defaultTtl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">originRequestPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">OriginRequestPolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">originRequestPolicyName</span><span class="p">:</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`SSLCertificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">defaultBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="k">new</span> <span class="nx">origins</span><span class="p">.</span><span class="nc">HttpOrigin</span><span class="p">(</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketWebsiteDomainName</span><span class="p">,</span> <span class="p">{</span> <span class="na">protocolPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">OriginProtocolPolicy</span><span class="p">.</span><span class="nx">HTTP_ONLY</span><span class="p">,</span> <span class="na">httpPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">httpsPort</span><span class="p">:</span> <span class="mi">443</span><span class="p">,</span> <span class="na">connectionTimeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="p">}),</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">AllowedMethods</span><span class="p">.</span><span class="nx">ALLOW_ALL</span><span class="p">,</span> <span class="na">cachedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CachedMethods</span><span class="p">.</span><span class="nx">CACHE_GET_HEAD_OPTIONS</span><span class="p">,</span> <span class="nx">cachePolicy</span><span class="p">,</span> <span class="nx">originRequestPolicy</span> <span class="p">},</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">httpVersion</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">HttpVersion</span><span class="p">.</span><span class="nx">HTTP2</span><span class="p">,</span> <span class="na">domainNames</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">subDomain</span><span class="p">].</span><span class="nf">filter</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">hostedZone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`HostedZone_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">mainDomain</span><span class="o">!</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">cnameRecord</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">CnameRecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`DomainCNAME_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">subDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">,</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">deleteExisting</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">comment</span><span class="p">:</span> <span class="s2">`RecordSet to send traffic from </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">subDomain</span><span class="p">}</span><span class="s2"> to </span><span class="p">${</span><span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">}</span><span class="s2">`</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionUrl</span> <span class="o">=</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span> <span class="k">this</span><span class="p">.</span><span class="nx">_viewersUrl</span> <span class="o">=</span> <span class="nx">cnameRecord</span><span class="p">.</span><span class="nx">domainName</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionArn</span> <span class="o">=</span> <span class="s2">`arn:aws:cloudfront::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:distribution/</span><span class="p">${</span><span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionId</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">distributionArn</span><span class="p">():</span> <span class="nx">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">distributionUrl</span><span class="p">():</span> <span class="nx">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionUrl</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">viewsUrl</span><span class="p">():</span> <span class="nx">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_viewersUrl</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>The WebsiteDistribution construct efficiently sets up a secure, high-performance website delivery system using CloudFront, S3, ACM, and Route 53. It automates the infrastructure needed to serve static websites with custom domains and SSL/TLS encryption.</p> </blockquote> <h4> 1.c. Visualizer Stack </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">interface</span> <span class="nx">CustomProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">domain</span><span class="p">:</span> <span class="nx">string</span> <span class="nx">certificateArn</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CoverageVisualizerStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Website</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Coverage-Visualizer-Bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">origins</span><span class="p">:</span> <span class="p">[</span><span class="s2">`https://visualizer.</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">}</span><span class="s2">`</span><span class="p">]</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebsiteDistribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CloudFront</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">mainDomain</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">,</span> <span class="na">websiteBucketName</span><span class="p">:</span> <span class="nx">bucket</span><span class="p">.</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketName</span><span class="p">,</span> <span class="na">distribution</span><span class="p">:</span> <span class="p">{</span> <span class="na">subDomain</span><span class="p">:</span> <span class="s2">`visualizer.</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">acm</span><span class="p">:</span> <span class="p">{</span> <span class="na">certificateArn</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">certificateArn</span> <span class="p">}</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">cloudFrontPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">Policy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">S3PolicyForCloudFront</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">roles</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">S3PolicyRoleForCloudFront</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">s3.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="p">{</span> <span class="na">s3</span><span class="p">:</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">s3:GetObject</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketArn</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/*</span><span class="dl">'</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">Bool</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">AWS:SecureTransport</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">AWS:SourceArn</span><span class="dl">'</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionArn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">User</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">S3Uploader</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">S3-Uploader</span><span class="dl">'</span><span class="p">,</span> <span class="na">passwordResetRequired</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> <span class="nx">user</span><span class="p">.</span><span class="nf">addToPolicy</span><span class="p">(</span><span class="k">new</span> <span class="nx">aws_iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">s3:PutObject</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">s3:PutObjectAcl</span><span class="dl">'</span><span class="p">],</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketArn</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">bucket</span><span class="p">.</span><span class="nx">baseSegment</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/*</span><span class="dl">'</span><span class="p">]</span> <span class="p">}))</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong><code>CloudFront Distribution</code></strong> <ul> <li> <code>mainDomain</code> - The primary domain (e.g., <strong>example.com</strong>).</li> <li> <code>websiteBucketName</code> - The name of the S3 bucket where the visualizer is hosted.</li> <li> <code>distribution.subDomain</code> - The subdomain (e.g., <strong>visualizer.example.com</strong>) for the CloudFront distribution.</li> <li> <code>acm.certificateArn</code> - The ARN of the SSL certificate used to secure the CloudFront distribution.</li> </ul> </li> <li> <strong><code>IAM Policy for CloudFront to Access S3</code></strong> - A policy is created that allows CloudFront to access the S3 bucket <ul> <li> <code>AWS:SecureTransport</code>- Ensures that only secure requests (HTTPS) are allowed</li> <li> <code>AWS:SourceArn</code> - Restricts access to requests coming from the specified CloudFront distribution</li> </ul> </li> <li> <strong><code>IAM User for S3 Uploads</code></strong> An IAM user is created specifically to upload files to the S3 bucket <ul> <li> <code>Policy Attached</code> - The user is granted permissions to perform the <code>s3:PutObject</code> action, limited to a specific path in the S3 bucket (defined by <strong>bucket.baseSegment</strong>).</li> </ul> </li> </ul> <blockquote> <p>This stack sets up an infrastructure to securely host a coverage visualizer on an S3 bucket and distribute it via CloudFront. It includes the following:</p> <ul> <li> <strong>S3 Bucket</strong>: For hosting static files.</li> <li> <strong>CloudFront Distribution</strong>: For secure, high-performance delivery of content.</li> <li> <strong>IAM Policies</strong>: For secure access control, ensuring that only authorized entities (like CloudFront and a specific IAM user) can interact with the S3 bucket. </li> </ul> <p>This setup ensures that the visualizer is securely accessible over HTTPS, with controlled access to the underlying S3 bucket.</p> </blockquote> <h4> 1.e. Deploy infrastructure </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_014 <span class="nb">export </span><span class="nv">DOMAIN</span><span class="o">=</span><span class="s2">"yourdomain.com"</span> <span class="nb">export </span><span class="nv">CERT_ARN</span><span class="o">=</span><span class="s2">"arn:aws:acm:us-east-1:xxxx:certificate/xxxx-xxxx-xxxx-xxxxxxxx"</span> cdk deploy <span class="nt">--profile</span> cdk-user <span class="nt">--all</span> </code></pre> </div> <h3> 2. Set Up the GitHub Actions job to upload test coverage file to S3 Bucket </h3> <p>To automate the process of uploading test coverage files to an S3 bucket using GitHub Actions, you'll need to configure the workflow with the necessary AWS credentials. First, <a href="https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users" rel="noopener noreferrer">log in</a> to the AWS Management Console and navigate to the IAM service. Then, generate the access keys for the <code>S3-Uploader</code> user that was previously created after the infrastructure was deployed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">Test</span><span class="nv"> </span><span class="s">Cov</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">Visualizer"</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_run</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">completed</span> <span class="na">workflows</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Release</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">ENV</span> <span class="na">type</span><span class="pi">:</span> <span class="s">environment</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Pick</span><span class="nv"> </span><span class="s">Environment'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy-to-s3-bucket</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Upload</span><span class="nv"> </span><span class="s">Test</span><span class="nv"> </span><span class="s">Result'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">18.x</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run test</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm ci &amp;&amp; npm test</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload Files to S3</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">shallwefootball/s3-upload-action@master</span> <span class="na">id</span><span class="pi">:</span> <span class="s">S3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws_bucket</span><span class="pi">:</span> <span class="s">${{ secrets.BUCKET_NAME }}</span> <span class="na">aws_key_id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY }}</span> <span class="na">aws_secret_access_key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_KEY }}</span> <span class="na">source_dir</span><span class="pi">:</span> <span class="s1">'</span><span class="s">coverage'</span> <span class="na">destination_dir</span><span class="pi">:</span> <span class="s1">'</span><span class="s">co2visualizer/${{</span><span class="nv"> </span><span class="s">github.ref_name</span><span class="nv"> </span><span class="s">}}'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Display URL</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "${{ env.VISUALIZER_URL }}/${{ steps.S3.outputs.object_key }}/index.html"</span> </code></pre> </div> <p>If you want to know how to configure GitHub Actions Workflow please follow my previous article <a href="https://dev.to/nivekalara237/effortless-automation-configuring-cicd-for-npm-library-publishing-with-github-actions-6l9">here</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">workflow_run</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">completed</span> <span class="na">workflows</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Release</span> </code></pre> </div> <p>Specify that the workflow is triggered only when a release workflow is created, as defined in <a href="https://github.com/nivekalara237/co2mjs/blob/master/.github/workflows/release.yml" rel="noopener noreferrer">release.yml</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">ENV</span> <span class="na">type</span><span class="pi">:</span> <span class="s">environment</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Pick</span><span class="nv"> </span><span class="s">Environment'</span> </code></pre> </div> <p>Specify that the workflow can also be triggered manually.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxutkz010mt3q8ivtsvk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxutkz010mt3q8ivtsvk.png" alt="Image description" width="800" height="331"></a></p> <p>And the Test Coverage Visualizer</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31bi6c9zxafoc9f5fhxc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31bi6c9zxafoc9f5fhxc.png" alt="Image description" width="800" height="474"></a></p> <p>Happy Coding!!</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_014" rel="noopener noreferrer">GitHub Repo↗</a></p> testing aws devops githubactions Effortless Automation: Configuring CI/CD for NPM Library Publishing with GitHub Actions Kevin Lactio Kemta Sun, 01 Sep 2024 18:23:50 +0000 https://forem.com/nivekalara237/effortless-automation-configuring-cicd-for-npm-library-publishing-with-github-actions-6l9 https://forem.com/nivekalara237/effortless-automation-configuring-cicd-for-npm-library-publishing-with-github-actions-6l9 <h6> <span>Day 013 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Recently, I developed an npm package for JavaScript and TypeScript projects. Initially, I manually handled the publishing process, which involved testing, compiling, and publishing the library using various npm commands. This approach was time-consuming, required significant effort, and left little room for error—I had to remember the exact sequence of commands and their specific options. Recognizing the inefficiency, I decided to automate the publishing process.</p> <p>In this article, I’ll walk you through the steps I took to automate the process and streamline my workflow.</p> <p>By the end, you’ll have a clear understanding of how to efficiently automate your npm package publishing with GitHub Actions. The process will involve the following steps:</p> <ol> <li><p><strong>Create a GitHub Workflow to automate <code>Linting</code>, <code>building</code>, and <code>Testing</code> process for every push events</strong> - We'll start by setting up a GitHub Actions workflow that automatically runs linting, builds your project, and executes tests each time code is pushed to the repository. This ensures that any issues are caught early in the development process, maintaining the integrity of your code source.</p></li> <li><p><strong>Create the second Workflow to automate the <code>Release creation</code> and <code>Publishing proccess</code> for every tag push events</strong> - Next, we’ll create a dedicated workflow to handle the release process. This workflow will trigger when a new tag is pushed, automatically compiling the code, updating version numbers, and publishing the package to npm. This step removes the manual intervention from the release cycle, making it more efficient and less prone to errors.</p></li> <li><p><strong>Configure Github Actions (<em>Setting up NPM Access Tokens</em>)</strong> - To enable GitHub Actions to publish your package to npm, we’ll configure the necessary secrets within your repository. This involves generating an npm access token and securely storing it in your GitHub repository settings, allowing for seamless and secure automated publishing.</p></li> <li><p><strong>Update <code>README.md</code> by adding the build badges status</strong> - Finally, we’ll update your project’s README.md file to include build status badges. These badges provide instant visual feedback on the status of your project’s workflows, showing whether your builds are passing, if tests are successful, and the overall health of your code source.</p></li> </ol> <h3> Flow diagram </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1g8vgqd11utnsi9y64e.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1g8vgqd11utnsi9y64e.gif" alt="Image description"></a></p> <h3> Create a GitHub Workflow to automate <code>Linting</code>, <code>building</code>, and <code>Testing</code> </h3> <p>This step consists of creating a workflow that allows me to automate the <em>linting</em>, <em>testing</em>, and <em>building</em> processes for every push event. By doing this, we ensure that any potential errors or overlooked issues are caught early in development, ensuring that the code is clean and ready before considering deployment.</p> <p>Create a new file named <code>ci.yml</code> in the following directory: <code>.github/workflows</code>, and add this content:</p> <h6> Github Actions trigger </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">CI-Build</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">**"</span> <span class="na">tags-ignore</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">v*"</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">closed</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">master</span> </code></pre> </div> <ul> <li> <code>name</code> - The name of the pipeline</li> <li> <code>on</code> - The configuration of event trigger. In my case, <ul> <li>The workflow is triggered by any <code>push</code> event to any branch (branch: "*<em>"), *except</em> for tags starting with "v" (tags-ignore: "v*").</li> <li>It is also triggered when a <code>pull request</code> is closed on the master branch.</li> </ul> </li> </ul> <h6> Jobs: linting code </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># ....</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">eslint</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check Syntax with ESLint</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code style</span> <span class="s">uses</span><span class="err">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{ matrix.node-version }} to check Lint</span> <span class="s">uses</span><span class="err">:</span> <span class="s">actions/setup-node@v4</span> <span class="s">with</span><span class="err">:</span> <span class="na">always-auth</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="s">run</span><span class="err">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run ESLint</span> <span class="s">run</span><span class="err">:</span> <span class="pi">|</span> <span class="s">npm run lint</span> </code></pre> </div> <ul> <li>This job defines an automated process to check the code's syntax using <a href="https://eslint.org/docs/latest" rel="noopener noreferrer">ESLint↗</a> whenever certain conditions are met (like a push event). It runs on multiple Node.js versions (<code>strategy.matrix.node-version: [ 18.x, 20.x, 22.x ]</code>) to ensure compatibility and helps maintain code quality by catching issues early.</li> <li> <code>if: github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</code> - This condition checks if the event that triggered the workflow is a push, and if the person who triggered the event is not the github-actions<a href="https://dev.towhich%20is%20an%20automated%20account%20GitHub%20uses%20for%20certain%20actions">bot</a>.</li> </ul> <h6> Jobs: Testing </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">tests</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">eslint</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{ matrix.node-version }} to run Tests Covering</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">always-auth</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests Command (Jest-CI)</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> </code></pre> </div> <ul> <li>This job, <code>tests</code>, is designed to run the project's tests across multiple Node.js versions (18.x, 20.x, and 22.x). The job is executed after the <code>eslint</code> job completes successfully, ensuring that only clean, lint-free code is tested. The job checks out the code, sets up the appropriate Node.js environment, installs dependencies, and then runs the test suite.</li> </ul> <h6> Jobs: Building </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">jobs</span><span class="pi">:</span> <span class="c1"># {...} &lt;-- Linting job</span> <span class="na">buildDist</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build-to-JS</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">eslint</span> <span class="pi">]</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">arch</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">x64</span> <span class="c1"># - x86</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{matrix.node-version}} to run build dist on ${{ matrix.arch }}</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Build Dist</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> </code></pre> </div> <ul> <li><p>This job, <code>buildDist</code>, is designed to compile the project's distribution files (dist) after <code>linting</code> and <code>testing</code> have successfully completed. It does so across different Node.js versions (18.x, 20.x, and 22.x). The job uses caching for npm dependencies to improve speed and reliability.</p></li> <li><p>The job runs conditionally, only on push events and only if the workflow wasn't triggered by GitHub's automated bot account, ensuring that it only executes in relevant contexts.</p></li> </ul> <p>Full code</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">CI-Build</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">**"</span> <span class="na">tags-ignore</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">v*"</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">closed</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">master</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">eslint</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check Syntax with ESLint</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code style</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{ matrix.node-version }} to check Lint</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">always-auth</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run ESLint</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm run lint</span> <span class="na">buildDist</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build-to-JS</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">eslint</span><span class="pi">,</span> <span class="nv">tests</span> <span class="pi">]</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">arch</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">x64</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{matrix.node-version}} to run build dist on ${{ matrix.arch }}</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Build Dist</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="na">tests</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'push' &amp;&amp; github.actor.name != 'github-actions[bot]'</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">eslint</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">18.x</span><span class="pi">,</span> <span class="nv">20.x</span><span class="pi">,</span> <span class="nv">22.x</span> <span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js ${{ matrix.node-version }} to run Tests Covering</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">always-auth</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests Command (Jest-CI)</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> </code></pre> </div> <h3> Create the second Workflow to automate the <code>Release creation</code> and <code>Publishing proccess</code> </h3> <p>This step consists of creating a workflow that automates the release and publishing processes for every tag push event. Let's dive into the code and explore how I automated these processes.</p> <p>First, create a new file named <code>release.yaml</code> in the <code>.github/workflows</code> directory.</p> <h6> Github Action trigger </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">Release</span> <span class="na">on</span><span class="pi">:</span> <span class="na">create</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <ul> <li> <code>on.create:</code> - The workflow is triggered by the creation of a tag, branch, or release.</li> <li> <code>permissions.contents: write</code> - The workflow is allowed to write to the repository's contents, which is essential for automating tasks like tagging, updating files, or committing changes as part of the release process. In this case we need the content write permission to create a new <code>Github Release</code>.</li> </ul> <h6> Jobs: Github releasing </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">jobs</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ startsWith(github.ref, 'refs/tags/v') }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Release co2mjs</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create release</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TAG_NAME</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gh release create "$TAG_NAME" \</span> <span class="s">--repo="$GITHUB_REPOSITORY" \</span> <span class="s">--title="${TAG_NAME#v}" \</span> <span class="s">--generate-notes</span> </code></pre> </div> <p>This job automates the <strong>creation of a release</strong> in a GitHub repository whenever a new tag starting with <code>"v"</code> is pushed. </p> <ul> <li><p><code>if: ${{ startsWith(github.ref, 'refs/tags/v') }}</code> - This line ensures that the job only runs if the event is triggered by pushing a tag that starts with <code>"v"</code> (e.g., <strong>v1.0.0</strong>). This line very important, because remember that <strong><em>the workflow is triggered by the creation of a tag, branch, or release</em></strong>.</p></li> <li><p><code>GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}</code> - This sets the <em>GitHub token</em> required to authenticate the gh command. GitHub automatically provides this token, and it is securely stored in <code>secrets.GITHUB_TOKEN</code></p></li> <li><p>The job uses the <code>gh</code> (GitHub CLI) command to create the release, setting the title and generating release notes based on the tag. </p></li> </ul> <h6> Jobs: Github publishing </h6> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">jobs</span><span class="pi">:</span> <span class="na">publish-npm</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ startsWith(github.ref, 'refs/tags/v') }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Publish</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">new</span><span class="nv"> </span><span class="s">version</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">npmjs"</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">release</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">18.x</span> <span class="na">architecture</span><span class="pi">:</span> <span class="s">x64</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s">https://registry.npmjs.org/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run NPM Install</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm run build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Publish</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd dist</span> <span class="s">npm publish --access public</span> <span class="na">env</span><span class="pi">:</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> </code></pre> </div> <ul> <li>The <code>publish-npm</code> job automates the process of publishing a new version of the package to npm whenever a new tag starting with <code>"v"</code> is pushed. It relies on the successful completion of the <code>release</code> job and performs the following actions: checks out the code, installs dependencies and builds the project, and finally publishes the built package to npm.</li> </ul> <p>⚠️⚠️</p> <ul> <li> <code>NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}</code> - Provides the authentication token for npmjs.com. This token is stored in GitHub secrets (<strong>⚠️repository⚠️</strong> section) to securely authenticate the <code>npm publish</code> command.</li> <li> <code>registry-url: https://registry.npmjs.org/</code> - Sets the npm registry URL to the default public npm registry.</li> </ul> <p>Full code</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">Release</span> <span class="na">on</span><span class="pi">:</span> <span class="na">create</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ startsWith(github.ref, 'refs/tags/v') }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Release co2mjs</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create release</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TAG_NAME</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gh release create "$TAG_NAME" \</span> <span class="s">--repo="$GITHUB_REPOSITORY" \</span> <span class="s">--title="${TAG_NAME#v}" \</span> <span class="s">--generate-notes</span> <span class="na">publish-npm</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ startsWith(github.ref, 'refs/tags/v') }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Publish</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">new</span><span class="nv"> </span><span class="s">version</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">npmjs"</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-22.04</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">release</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">18.x</span> <span class="na">architecture</span><span class="pi">:</span> <span class="s">x64</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s">https://registry.npmjs.org/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run NPM Install</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm run build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Publish</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd dist</span> <span class="s">npm publish --access public</span> <span class="na">env</span><span class="pi">:</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> </code></pre> </div> <h3> Configure Github Actions </h3> <p>To enable GitHub Actions to publish your package to npm, you'll need to configure the necessary access tokens.</p> <h5> 1. Create an NPM Access Token </h5> <ol> <li> <a href="https://www.npmjs.com/" rel="noopener noreferrer">Log in</a> to your NPM account</li> <li>Navigate to your account settings <ol> <li>Access Tokens </li> <li>click <strong>Create New Token</strong> </li> <li>choose <strong>Automation</strong> as the token type</li> </ol> </li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx4ouq6dc8dxgooql4q8v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx4ouq6dc8dxgooql4q8v.png" alt="Image description"></a></p> <ol> <li>copy the generated token</li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbwsj4mi178s7lkqti0fl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbwsj4mi178s7lkqti0fl.png" alt="Image description"></a></p> <h5> 2. Add the Token to Github Secrets </h5> <ol> <li>Click on the <strong>Settings</strong> tab in your repository.</li> <li>In the left sidebar, select <strong>Secrets and variables</strong> and then <strong>Actions</strong>.</li> <li>Click <strong>New repository secret</strong> </li> <li> <strong>Name</strong> the secret <code>NPM_TOKEN</code> and paste the npm access token you copied earlier into the <strong>Value</strong> field.</li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4dlcratx36snnddkcvwj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4dlcratx36snnddkcvwj.png" alt="Image description"></a></p> <h3> Update <code>README.md</code> by adding the build badges status </h3> <p>To provide visibility into the status of your GitHub Actions jobs, you can add build status badges to your README.md file. Insert the following block into your README to display the status of the build and release workflows:</p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code> <span class="gu">##### 🚦 Build Status</span> <span class="p">![</span><span class="nv">CI workflow</span><span class="p">](</span><span class="sx">https://github.com/</span><span class="nt">&lt;OWNER&gt;</span>/<span class="nt">&lt;REPO&gt;</span>/actions/workflows/ci-pipeline.yml/badge.svg?branch=master) <span class="p">![</span><span class="nv">Release workflow</span><span class="p">](</span><span class="sx">https://github.com/</span><span class="nt">&lt;OWNER&gt;</span>/<span class="nt">&lt;REPO&gt;</span>/actions/workflows/release.yml/badge.svg) <span class="ge">__</span>_<span class="sb"> </span></code></pre> </div> <p>Now that everything is set up, you can test the workflow by following these steps:</p> <ol> <li><strong>Create a New Branch and Push Changes</strong></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git checkout <span class="nt">-b</span> feature/your-branch-name <span class="c"># Create and switch to a new branch</span> <span class="nb">touch</span> ./nothing.txt <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"some text here"</span> <span class="o">&gt;&gt;</span> ./nothing.txt <span class="c"># Create a new file and add some content</span> git add ./nothing.txt <span class="c"># Stage the new file</span> git commit <span class="nt">-m</span> <span class="s2">"my changes"</span> <span class="c"># Commit the changes</span> git push origin feature/your-branch-name <span class="c"># Push the branch to the remote repository</span> </code></pre> </div> <ol> <li>Monitor the Actions Tab: <ul> <li>Go to the Actions tab of your repository to observe the CI and release workflows in action.</li> <li>Result </li> </ul> </li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8d78sbz10koagblcps1k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8d78sbz10koagblcps1k.png" alt="Image description"></a></p> <ol> <li><p>Create and Merge a Pull Request</p></li> <li><p>Create and Push a New Tag</p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git checkout master <span class="c"># Switch to your default branch</span> npm version patch <span class="c"># this command update package.json and package-lock.json, commit the changes and then, create a new tag locally.</span> <span class="c"># output : v1.0.1 - or a different version number based on your package.json</span> git push origin v1.0.1 <span class="c"># Push the new tag to the remote repository</span> </code></pre> </div> <p>This will create new release and publish a new version to npmjs.com. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jkfedqxkzbp927wdxzb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jkfedqxkzbp927wdxzb.png" alt="Image description"></a></p> <p>Github release ==&gt; <a href="https://github.com/nivekalara237/co2mjs/releases" rel="noopener noreferrer">https://github.com/nivekalara237/co2mjs/releases</a><br> NPM Package ==&gt; <a href="https://www.npmjs.com/package/co2m.js" rel="noopener noreferrer">https://www.npmjs.com/package/co2m.js</a></p> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/co2mjs/tree/master/.github/workflows" rel="noopener noreferrer">GitHub Repo↗</a></p> devops githubactions npm devchallenge Setting up Github Integration with AWS CodeBuild using Cloud Development Kit(CDK) : Automating Angular App Deployment to S3 Kevin Lactio Kemta Mon, 26 Aug 2024 18:18:10 +0000 https://forem.com/nivekalara237/setting-up-github-integration-with-aws-codebuild-using-cloud-development-kitcdk-automating-angular-app-deployment-to-s3-2j9g https://forem.com/nivekalara237/setting-up-github-integration-with-aws-codebuild-using-cloud-development-kitcdk-automating-angular-app-deployment-to-s3-2j9g <h6> <span>Day 012 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>In this article, I am going to create a new stack to create a <code>AWS CodeBuild</code> for building and deploying an Angular Application from a GitHub repository. Since the the application will be deployed as a static website within an <code>S3 Bucket</code>, configure AWS CodeBuild tp clear the entire bucket before deploying the latest version of the app.</p> <p>The process will involve the following steps:</p> <ul> <li><p><strong>Configure the GitHub Repository to trigger CodeBuid on each event in the <code>defined</code> branch</strong><br> Create a Personal Access in Github concerned project which will be use by AWS CodeBuild project to create and configure a webhook, whenever there is a new commit or pull request to the <code>defined</code> branch.</p></li> <li><p><strong>Set Up AWS Codebuild with Build and Deployment stages</strong><br> Create a CodeBuild project that compiles and builds the Angular applications. After the build process, we'll include a deployment stage where the built files are uploaded tp the designated S3 Bucket. During this setup, we will also configure an AWS Lambda function that will handle the cleanup of the S3 Bucket before deploying the new version of app.</p></li> <li><p><strong>Deploy the stack</strong><br> Finally, we will deploy the stack using CDK command line, will will provision the resources (CodeBuild, Lambda, CloudWatch, Role and Permission)</p></li> </ul> <h3> Infrastructure Diagram (<code>updated</code>) </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F733t7vtywr1mvwb28yej.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F733t7vtywr1mvwb28yej.jpg" alt="Diagram" width="800" height="610"></a></p> <h3> Configure the GitHub Repository </h3> <h5> Create Personal access token </h5> <p>AWS CodeBuild requires a <code>GitHub Personal Access Token</code> to establish a connection between CodeBuild and the GitHub project. </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F122yvwei2docuis4o5cf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F122yvwei2docuis4o5cf.png" alt="Create Personal access token page" width="800" height="359"></a></p> <p>To create the token, follow these steps:.</p> <ol> <li><p>go to <a href="https://github.com/settings/personal-access-tokens/new" rel="noopener noreferrer">Github Personal Access Tokeb page↗</a></p></li> <li><p>Enter a name for the token</p></li> <li><p>Under Select scopes, choose <strong>Only select repositories</strong> to limit the token's access to specific repositories.</p></li> <li><p>In the <strong>Repository permissions</strong> section, grant the appropriate permissions to the token, such as <em>Metadata</em>,<em>Webhooks</em>, etc.</p></li> <li><p>Click <strong>Generate token</strong></p></li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjy9v4resv2w5wlgtw1hu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjy9v4resv2w5wlgtw1hu.png" alt="github personal access token" width="800" height="359"></a></p> <h5> Secrets Manager </h5> <p>Now that the Personal Access Token is generated, it’s best practice and more secure to avoid hardcoding sensitive information such as passwords or secret keys directly in the code. AWS recommends storing secrets in <code>Secrets Manager</code> or <code>Parameter Store</code>. In this case, we will store the GitHub Personal Access Token in AWS <code>Secrets Manager</code> for secure and convenient retrieval when needed.</p> <p>To store your GitHub Token in the <a href="https://us-east-1.console.aws.amazon.com/secretsmanager/listsecrets?region=us-east-1" rel="noopener noreferrer">Secrets Manager AWS</a> using console, follow these steps</p> <ol> <li>click on <strong>Store a new secret</strong> </li> <li>Select <strong>type</strong> <code>Other type of secret</code> </li> <li>In the Key/Value pairs section, fill <code>github</code> as the <strong>key</strong> and paste de <code>Github Token Previously generated</code> as the <strong>value</strong> </li> <li>click <strong>Next</strong> </li> <li>In the <em>Configure secret</em> fill enter a name for the secret</li> <li>click <strong>Next</strong> then <strong>Next</strong>, and finally <strong>Store</strong> </li> </ol> <h3> Set Up AWS Codebuild with Build and Deployment stages </h3> <h5> Load Github credential </h5> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kr">interface</span> <span class="nx">DeveloperToolsProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">git</span><span class="p">:</span> <span class="p">{</span> <span class="na">repositoryName</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="na">owner</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">branchRef</span><span class="p">?:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">accessTokenSecretArn</span><span class="p">?:</span> <span class="nx">string</span> <span class="p">},</span> <span class="nx">build</span><span class="p">:</span> <span class="p">{</span> <span class="nl">todoAppBucketName</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DeveloperToolsStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DeveloperToolsProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">secrets</span><span class="p">.</span><span class="nx">Secret</span><span class="p">.</span><span class="nf">fromSecretAttributes</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Github-Personal-Access-Token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretCompleteArn</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">git</span><span class="p">.</span><span class="nx">accessTokenSecretArn</span> <span class="p">})</span> <span class="k">new</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nc">GitHubSourceCredentials</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LoadGitHubCredentials</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">secret</span><span class="p">.</span><span class="nf">secretValueFromJson</span><span class="p">(</span><span class="dl">'</span><span class="s1">github</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> <span class="c1">// setup stack..</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>secret</code> - The Github personal access token</li> <li> <code>GitHubSourceCredentials</code> - Credentials used to authenticate with GitHub within the current AWS account and region.</li> </ul> <h5> Create LogGroup for CodeBuild reports logs </h5> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">DeveloperToolsStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DeveloperToolsProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">cloudwatch</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">logs</span><span class="p">.</span><span class="nc">LogGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CodeBuildLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">logGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CodeBuildLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="na">retention</span><span class="p">:</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_DAY</span><span class="p">,</span> <span class="na">logGroupClass</span><span class="p">:</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">LogGroupClass</span><span class="p">.</span><span class="nx">STANDARD</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h5> Set up AWS CodeBuid Project </h5> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">DeveloperToolsStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DeveloperToolsProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">emptyBucketLambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(...);</span> <span class="kd">const</span> <span class="nx">todoBuildProject</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nc">Project</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CodeBuild</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">projectName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TodoAppCodeBuildProject</span><span class="dl">'</span><span class="p">,</span> <span class="na">buildSpec</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nf">buildSpec</span><span class="p">(),</span> <span class="na">logging</span><span class="p">:</span> <span class="p">{</span> <span class="na">cloudWatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">logGroup</span><span class="p">:</span> <span class="nx">cloudwatch</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">source</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">Source</span><span class="p">.</span><span class="nf">gitHub</span><span class="p">({</span> <span class="na">repo</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">git</span><span class="p">.</span><span class="nx">repositoryName</span><span class="p">,</span> <span class="na">reportBuildStatus</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">owner</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">git</span><span class="p">.</span><span class="nx">owner</span><span class="p">,</span> <span class="na">webhook</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">webhookFilters</span><span class="p">:</span> <span class="p">[</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">FilterGroup</span><span class="p">.</span><span class="nf">inEventOf</span><span class="p">(</span><span class="nx">codebuild</span><span class="p">.</span><span class="nx">EventAction</span><span class="p">.</span><span class="nx">PUSH</span><span class="p">,</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">EventAction</span><span class="p">.</span><span class="nx">PULL_REQUEST_MERGED</span><span class="p">)</span> <span class="p">.</span><span class="nf">andBranchIs</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">git</span><span class="p">.</span><span class="nx">branchRef</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">master</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">andFilePathIs</span><span class="p">(</span><span class="dl">'</span><span class="s1">apps</span><span class="dl">'</span><span class="p">)</span> <span class="p">]</span> <span class="p">}),</span> <span class="na">visibility</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">ProjectVisibility</span><span class="p">.</span><span class="nx">PUBLIC_READ</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">buildImage</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">LinuxBuildImage</span><span class="p">.</span><span class="nx">AMAZON_LINUX_2_5</span><span class="p">,</span> <span class="na">computeType</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">ComputeType</span><span class="p">.</span><span class="nx">SMALL</span><span class="p">,</span> <span class="na">privileged</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">environmentVariables</span><span class="p">:</span> <span class="p">{</span> <span class="na">BUCKET_NAME</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">BuildEnvironmentVariableType</span><span class="p">.</span><span class="nx">PLAINTEXT</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">build</span><span class="p">.</span><span class="nx">todoAppBucketName</span> <span class="p">},</span> <span class="na">EMPTY_BUCKET_FUNCTION_ARN</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">BuildEnvironmentVariableType</span><span class="p">.</span><span class="nx">PLAINTEXT</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="nx">emptyBucketLambda</span><span class="p">.</span><span class="nx">functionArn</span> <span class="p">}</span> <span class="p">},</span> <span class="na">badge</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">BuildCodeRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">codebuild.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span> <span class="p">}),</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="p">{</span> <span class="na">logging</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">logs:CreateLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:PutLogEvents</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:CreateLogStream</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">cloudwatch</span><span class="p">.</span><span class="nx">logGroupArn</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">}),</span> <span class="na">s3</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">s3:PutObject</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">build</span><span class="p">.</span><span class="nx">todoAppBucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">build</span><span class="p">.</span><span class="nx">todoAppBucketName</span><span class="p">}</span><span class="s2">/*`</span> <span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">}),</span> <span class="na">secrets</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">git</span><span class="p">.</span><span class="nx">accessTokenSecretArn</span><span class="o">!</span><span class="p">],</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">secretsmanager:GetSecretValue</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">}),</span> <span class="na">lambda_function</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">lambda:InvokeFunction</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">emptyBucketLambda</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">buildSpec</span> <span class="o">=</span> <span class="p">():</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">BuildSpec</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">codebuild</span><span class="p">.</span><span class="nx">BuildSpec</span><span class="p">.</span><span class="nf">fromObjectToYaml</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.2</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">shell</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bash</span><span class="dl">'</span> <span class="p">},</span> <span class="na">phases</span><span class="p">:</span> <span class="p">{</span> <span class="na">pre_build</span><span class="p">:</span> <span class="p">{</span> <span class="na">commands</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">echo Build started on `date`</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">npm install -g @angular/cli</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cd apps/todo-app &amp;&amp; npm install</span><span class="dl">'</span> <span class="p">]</span> <span class="p">},</span> <span class="na">build</span><span class="p">:</span> <span class="p">{</span> <span class="na">commands</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">ng build --configuration production</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`aws lambda invoke --function-name </span><span class="se">\$</span><span class="s2">{EMPTY_BUCKET_FUNCTION_ARN} --cli-binary-format raw-in-base64-out --payload '{ "payload": {"bucketName": "</span><span class="se">\$</span><span class="s2">{BUCKET_NAME}"} }' response.json`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">aws s3 cp dist/todo-app/browser s3://${BUCKET_NAME}/ --recursive</span><span class="dl">'</span> <span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="na">artifacts</span><span class="p">:</span> <span class="p">{</span> <span class="na">files</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">**/*</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">cache</span><span class="p">:</span> <span class="p">{</span> <span class="na">paths</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">node_modules/**/*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">dist/**</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This snippet code sets up AWS CodeBuild to automatically build the application when specific events occur in a GitHub repository. It listens for pushes or merged pull requests on a specified <code>master</code> branch, but only triggers a build if changes are made in the <code>apps</code> directory. Additionally, it reports the build status back to GitHub to provide feedback directly within the GitHub interface.</p> <ul> <li> <code>source</code> - Defines the source of the CodeBuild project : It specifies that the build source will be a <strong><em>Github repository</em></strong> <ul> <li> <code>repo</code> - Specifies the name of the GitHub repository that CodeBuild will use as the source</li> <li> <code>reportBuildStatus</code> - Enables reporting the build status back to GitHub. GitHub will display the build status (e.g., success, failure) </li> <li> <code>webhook</code> - Enable a webhook in the Github repository to automatically trigger the Codebuild project whenever some events occurs (PUSH and PULL REQUEST). This ensures continuous integration.</li> <li> <code>webhookFilters</code> - Speficied the condidions under which the webhook will trigger the CodeBuild project.</li> </ul> </li> <li> <code>Environment</code> - Defines the environment in which CodeBuild will run (e.g: Operating system, computer resources, etc.) <ul> <li> <code>buildImage</code> - The build Image that CodeBuild will use, needs for Operating System.</li> <li> <code>computeType</code> - The type of compute resources (CPC, Memory) allocated to the build environment.</li> <li> <code>privileged</code> - Allows the build container to perform certain operations that require elevated permissions. It is require by Docker.</li> </ul> </li> </ul> <h5> Setup Lambda to delete all objects in the bucket </h5> <p>As for new deployment, we need to clean up the bucket for a new version of code. This is the function code to clean a specified bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ./apps/functions/todo-app/empty-bucket.function.ts</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Client</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">repo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ObjectRepository</span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">Handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="p">{</span> <span class="nl">payload</span><span class="p">:</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">callback</span><span class="p">:</span> <span class="nx">Callback</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">event</span><span class="p">.</span><span class="nx">payload</span><span class="p">?.</span><span class="nx">bucketName</span><span class="p">)</span> <span class="p">{</span> <span class="nf">callback</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid payload</span><span class="dl">'</span><span class="p">))</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">repo</span><span class="p">.</span><span class="nf">deepGetAllObjects</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">bucketName</span><span class="p">)</span> <span class="k">await</span> <span class="nx">repo</span><span class="p">.</span><span class="nf">deleteBucketObjects</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">bucketName</span><span class="p">,</span> <span class="nx">response</span><span class="p">.</span><span class="nx">objects</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="nx">value</span><span class="p">.</span><span class="nx">key</span><span class="p">))</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">response</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">e</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Find the full components of the function <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day12/aws-ci-tools-stack/day_012/apps/src/infra/storage/s3/object.repository.ts" rel="noopener noreferrer">here↗</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">DeveloperToolsStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">DeveloperToolsProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">emptyBucketLambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EmptyBucketFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">entryFunction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./apps/functions/todo-app/empty-bucket.function.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Empty-Bucket-Function</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">REGION</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="o">!</span> <span class="p">},</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">EmptyBucketFunctionRole</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="p">{</span> <span class="na">s3</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">s3:GetBucket</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">s3:GetObject</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">s3:ListObjects</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">s3:DeleteObject</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">build</span><span class="p">.</span><span class="nx">todoAppBucketName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`arn:aws:s3:::</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">build</span><span class="p">.</span><span class="nx">todoAppBucketName</span><span class="p">}</span><span class="s2">/*`</span> <span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">},</span> <span class="na">logged</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">emptyBucketLambda</span><span class="p">.</span><span class="nx">resource</span><span class="p">.</span><span class="nf">applyRemovalPolicy</span><span class="p">(</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">)</span> <span class="p">...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h5> Allow AWS CodeBuild to invoke Lambda </h5> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">emptyBucketLambda</span><span class="p">.</span><span class="nf">grantInvoke</span><span class="p">({</span> <span class="na">grantPrincipal</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">codebuild.amazonaws.com</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="nx">todoBuildProject</span><span class="p">.</span><span class="nx">projectArn</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">)</span> </code></pre> </div> <h3> Deploy the stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">devtoolsStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DeveloperToolsStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Day012DevToolsStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">env</span><span class="p">,</span> <span class="na">git</span><span class="p">:</span> <span class="p">{</span> <span class="na">repositoryName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">100DaysTerraformAWSDevops</span><span class="dl">'</span><span class="p">,</span> <span class="na">branchRef</span><span class="p">:</span> <span class="dl">'</span><span class="s1">master</span><span class="dl">'</span><span class="p">,</span> <span class="na">owner</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&lt;GITHUB_USERNAME&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="na">accessTokenSecretArn</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PERSONAL_ACCESS_SECRET_ARN</span> <span class="p">},</span> <span class="na">build</span><span class="p">:</span> <span class="p">{</span> <span class="na">todoAppBucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;YourBucketName&gt;</span><span class="dl">"</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nf">synth</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_012 <span class="nb">export </span><span class="nv">PERSONAL_ACCESS_SECRET_ARN</span><span class="o">=</span><span class="s2">"arn:aws:secretsmanager:&lt;REGION&gt;:&lt;ACCOUNT&gt;:secret:&lt;SECRET_ID&gt;"</span> cdk deploy <span class="nt">--profile</span> cdk-user Day012DevToolsStack </code></pre> </div> <p>Below are the results after two pushes to the master branch:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0lc2x39xngckhbk68x9z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0lc2x39xngckhbk68x9z.png" alt="CodeBuild Result" width="800" height="358"></a></p> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_012" rel="noopener noreferrer">GitHub Repo↗</a></p> github angular awscodebuild devops Setting Up and Securing CloudFront for S3 Static Sites with Custom Subdomains Using AWS Cloud Development Kit(CDK) Kevin Lactio Kemta Sat, 24 Aug 2024 13:43:22 +0000 https://forem.com/nivekalara237/setting-up-and-securing-cloudfront-for-s3-static-sites-with-custom-subdomains-using-aws-cloud-development-kitcdk-3ifh https://forem.com/nivekalara237/setting-up-and-securing-cloudfront-for-s3-static-sites-with-custom-subdomains-using-aws-cloud-development-kitcdk-3ifh <h6> <span>Day 011 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Recently on <a href="https://dev.to/nivekalara237/configuring-a-custom-domain-for-api-gateway-with-aws-cdk-ssl-certificate-use-and-route-53-integration-3dh7">Day 010</a> for my 100 Days of Code Challenge, I demonstrated how to create a custom domain name for API Gateway to make API endpoints more human-readable. Today, I will address setting up a secure subdomain for an Angular app deployed in an S3 bucket to avoid using the insecure default S3 URL <code>http://&lt;BUCKET_NAME&gt;.website-static.s3.amazonaws.com</code>. To achieve this, I will use <code>CloudFront Distribution</code>, a Content Delivery Network (CDN) service provided and managed by AWS. It is designed to deliver a content such as Images, Video Streams and static webside (like ours) quickly and securely to users around the world. CloudFront enhances the performance and security of websites and applications by delivering content closer to end users.</p> <p>To reach out the goal, I will follow these steps:</p> <ol> <li><p><strong>Set Up a New CDK Construct for CloudFront Distribution with Subdomain Configuration</strong><br> Create a new Construct that defines the CloudFront distribution. This will include setting up the distribution to serve content via a subdomain, specifying the origin, and configuring any necessary settings like request and caching policies and SSL certificates.</p></li> <li><p><strong>Update the CORS Configuration of the Website Bucket</strong>: Modify the CORS configuration of the S3 bucket hosting the website. This involves adding the newly created CloudFront distribution as an allowed origin, ensuring that the content can be accessed correctly through the subdomain.</p></li> <li><p><strong>Update the existing stack</strong><br> Incorporate the new CloudFront distribution and any associated changes into the existing infrastructure stack.</p></li> <li><p><strong>Deploy the new infrastructure</strong><br> Deploy the updated infrastructure, including the new CloudFront distribution and any changes to the existing stack.</p></li> </ol> <h3> Diagram of infrastructure </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc0nvl78hhpug508ybqk.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc0nvl78hhpug508ybqk.jpg" alt="Day 011 Diagram" width="800" height="500"></a></p> <h3> Set Up a New CDK Construct for CloudFront Distribution with Subdomain Configuration </h3> <p>I chose to create a new CDK construct rather than simply updating the stack with the necessary resources. Since this setup requires multiple resources that need to work together cohesively, creating a custom construct provides a more organized and modular approach. This allows for better management, easier reuse, and a cleaner integration of the CloudFront distribution with the subdomain configuration without forgeting the SSL configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// The construct properties</span> <span class="kr">interface</span> <span class="nx">WebsiteDistributeionProps</span> <span class="kd">extends</span> <span class="nx">CustomStackProps</span> <span class="p">{</span> <span class="nl">websiteBucketName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">domain</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// the base domain</span> <span class="nl">acm</span><span class="p">:</span> <span class="p">{</span> <span class="na">certificateArn</span><span class="p">:</span> <span class="kr">string</span> <span class="p">};</span> <span class="nl">distribution</span><span class="p">:</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// the custom construct</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WebsiteDistribution</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">WebsiteDistributeionProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="c1">// retrieve or add resources here</span> <span class="p">}</span> </code></pre> </div> <h5> Lookup the necessaries resources </h5> <p>To create a secure distribution that points to the S3 static website, we need to retrieve the certificate and the bucket resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">.</span><span class="nf">fromBucketName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`BucketName_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">websiteBucketName</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`SSLCertificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">acm</span><span class="p">?.</span><span class="nx">certificateArn</span><span class="o">!</span><span class="p">)</span> </code></pre> </div> <h5> Create CloudFront Distribution </h5> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cachePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">CachePolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cachePolicyName</span><span class="p">:</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">enableAcceptEncodingGzip</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableAcceptEncodingBrotli</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">defaultTtl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">originRequestPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">OriginRequestPolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">originRequestPolicyName</span><span class="p">:</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`SSLCertificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">defaultBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="k">new</span> <span class="nx">origins</span><span class="p">.</span><span class="nc">HttpOrigin</span><span class="p">(</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketWebsiteDomainName</span><span class="p">,</span> <span class="p">{</span> <span class="na">protocolPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">OriginProtocolPolicy</span><span class="p">.</span><span class="nx">HTTP_ONLY</span><span class="p">,</span> <span class="na">httpPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">httpsPort</span><span class="p">:</span> <span class="mi">443</span><span class="p">,</span> <span class="na">connectionTimeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">originId</span><span class="p">:</span> <span class="nf">generateResourceID</span><span class="p">()</span> <span class="p">}),</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">AllowedMethods</span><span class="p">.</span><span class="nx">ALLOW_ALL</span><span class="p">,</span> <span class="na">cachedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CachedMethods</span><span class="p">.</span><span class="nx">CACHE_GET_HEAD_OPTIONS</span><span class="p">,</span> <span class="nx">cachePolicy</span><span class="p">,</span> <span class="nx">originRequestPolicy</span> <span class="p">},</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">httpVersion</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">HttpVersion</span><span class="p">.</span><span class="nx">HTTP2</span><span class="p">,</span> <span class="c1">// @ts-ignore</span> <span class="na">domainNames</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span><span class="p">].</span><span class="nf">filter</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <ul> <li> <code>certificate</code> - We need this to secure the traffic in and out of our system.</li> <li> <code>httpVersion</code> - Refer to the documentation: <em>For viewers and CloudFront to use HTTP/ 2, viewers must support TLS 1.2 or later, and must support server name identification (SNI).</em> </li> <li> <code>domainNames</code> - Since we don't want to use the default URL provided by AWS (somthing like <code>12345abcdef.cloudfront.net</code>), we want inbound traffic to come from the specified subdomain.</li> <li> <code>defaultBehavior</code> <ul> <li> <code>origin</code> - Where the cloudFront will route the traffic to. S3 static website in our case.</li> <li> <code>allowedMethods</code> - HTTP methods to allow for this behavior. In this case <em>GET</em>, <em>POST</em>, <em>PUT</em>, <em>HEAD</em>, <em>DELETE</em> and <em>OPTIONS</em> </li> <li> <code>cachedMethods</code> - HTTP methods to cache for this behavior. In this case CloudFront will cache only the responses of <em>GET</em> and <em>OPTIONS</em> request according to the <code>cachePolicy</code>.</li> <li> <code>cachePolicy</code> - Determines what values are included in the cache key, and the time-to-live (TTL) values for the cache.</li> <li> <code>originRequestPolicy</code> - Determines which values (e. g., headers, cookies) are included in requests that CloudFront sends to the origin.</li> </ul> </li> </ul> <p>This is the minimal configuration that we need to create a new cloudFront distribution. </p> <h5> Create a subdomain - RecordSet of type <code>CNAME</code> </h5> <p>Now that the CloudFront distribution is properly configured, let can proceed to create the new subdomain and attach it to the distribution. Let's begin by retrieving the <code>HostedZone</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">hostedZone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`HostedZone_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="o">!</span> <span class="p">})</span> </code></pre> </div> <p>⚠️⚠️ Note that <code>domainName</code> refers to the main domain, not the subdomain that we are going to create.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cnameRecord</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">CnameRecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`DomainCNAME_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">,</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">deleteExisting</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">comment</span><span class="p">:</span> <span class="s2">`RecordSet to send traffic from </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span><span class="p">}</span><span class="s2"> to </span><span class="p">${</span><span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">}</span><span class="s2">`</span> <span class="p">})</span> </code></pre> </div> <ul> <li> <code>recordName</code> - The subdomain nomination.</li> <li> <code>domainName</code> - The target resource (<code>URL</code>) to which the traffic will be routed.</li> <li> <code>zone</code> - The <em>HostedZone</em> to which the subdomain will be attached.</li> </ul> <p>The complete source code of the custom construct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">aws_certificatemanager</span> <span class="k">as</span> <span class="nx">acm</span><span class="p">,</span> <span class="nx">aws_cloudfront</span> <span class="k">as</span> <span class="nx">cf</span><span class="p">,</span> <span class="nx">aws_cloudfront_origins</span> <span class="k">as</span> <span class="nx">origins</span><span class="p">,</span> <span class="nx">aws_route53</span> <span class="k">as</span> <span class="nx">route53</span><span class="p">,</span> <span class="nx">aws_s3</span> <span class="k">as</span> <span class="nx">s3</span><span class="p">,</span> <span class="nx">Duration</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomStackProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../custom-stack.props</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateResourceID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">WebsiteDistributeionProps</span> <span class="kd">extends</span> <span class="nx">CustomStackProps</span> <span class="p">{</span> <span class="nl">websiteBucketName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">acm</span><span class="p">:</span> <span class="p">{</span> <span class="na">certificateArn</span><span class="p">:</span> <span class="kr">string</span> <span class="p">},</span> <span class="nx">distribution</span><span class="p">:</span> <span class="p">{</span> <span class="nl">domainName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WebsiteDistribution</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">_distributionUrl</span><span class="p">:</span> <span class="kr">string</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">_viewersUrl</span><span class="p">:</span> <span class="kr">string</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">WebsiteDistributeionProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">.</span><span class="nf">fromBucketName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`BucketName_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">websiteBucketName</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Certificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">acm</span><span class="p">?.</span><span class="nx">certificateArn</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">cachePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">CachePolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cachePolicyName</span><span class="p">:</span> <span class="s2">`Cache-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">enableAcceptEncodingGzip</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableAcceptEncodingBrotli</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">defaultTtl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">originRequestPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">OriginRequestPolicy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="p">{</span> <span class="na">originRequestPolicyName</span><span class="p">:</span> <span class="s2">`Origin-Request-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-Policy`</span><span class="p">,</span> <span class="na">queryStringBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheQueryStringBehavior</span><span class="p">.</span><span class="nf">all</span><span class="p">(),</span> <span class="na">cookieBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheCookieBehavior</span><span class="p">.</span><span class="nf">none</span><span class="p">(),</span> <span class="na">headerBehavior</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CacheHeaderBehavior</span><span class="p">.</span><span class="nf">allowList</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Origin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Accept</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Access-Control-Request-Headers</span><span class="dl">'</span> <span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`CfDistribution_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">defaultBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="k">new</span> <span class="nx">origins</span><span class="p">.</span><span class="nc">HttpOrigin</span><span class="p">(</span><span class="nx">bucket</span><span class="p">.</span><span class="nx">bucketWebsiteDomainName</span><span class="p">,</span> <span class="p">{</span> <span class="na">protocolPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">OriginProtocolPolicy</span><span class="p">.</span><span class="nx">HTTP_ONLY</span><span class="p">,</span> <span class="na">httpPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">httpsPort</span><span class="p">:</span> <span class="mi">443</span><span class="p">,</span> <span class="na">connectionTimeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">originId</span><span class="p">:</span> <span class="nf">generateResourceID</span><span class="p">()</span> <span class="p">}),</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">AllowedMethods</span><span class="p">.</span><span class="nx">ALLOW_ALL</span><span class="p">,</span> <span class="na">cachedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CachedMethods</span><span class="p">.</span><span class="nx">CACHE_GET_HEAD_OPTIONS</span><span class="p">,</span> <span class="nx">cachePolicy</span><span class="p">,</span> <span class="nx">originRequestPolicy</span> <span class="p">},</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">httpVersion</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">HttpVersion</span><span class="p">.</span><span class="nx">HTTP2</span><span class="p">,</span> <span class="c1">// @ts-ignore</span> <span class="na">domainNames</span><span class="p">:</span> <span class="p">[</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span><span class="p">].</span><span class="nf">filter</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="p">})</span> <span class="nx">distribution</span><span class="p">.</span><span class="nf">metric5xxErrorRate</span><span class="p">({</span> <span class="na">label</span><span class="p">:</span> <span class="s2">`website-distribution-</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">-5xxError`</span><span class="p">,</span> <span class="na">color</span><span class="p">:</span> <span class="dl">'</span><span class="s1">#e93d1a</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">hostedZone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`HostedZone_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="o">!</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">cnameRecord</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">CnameRecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`DomainCNAME_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">,</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">deleteExisting</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">comment</span><span class="p">:</span> <span class="s2">`RecordSet to send traffic from </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">distribution</span><span class="p">?.</span><span class="nx">domainName</span><span class="p">}</span><span class="s2"> to </span><span class="p">${</span><span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span><span class="p">}</span><span class="s2">`</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionUrl</span> <span class="o">=</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionDomainName</span> <span class="k">this</span><span class="p">.</span><span class="nx">_viewersUrl</span> <span class="o">=</span> <span class="nx">cnameRecord</span><span class="p">.</span><span class="nx">domainName</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">distributionUrl</span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_distributionUrl</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">viewsUrl</span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_viewersUrl</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day11/configure-cloudfront-distrib-front-of-s3-bucket-to-secure-traffic/day_011/stacks/website-distribution.construct.ts" rel="noopener noreferrer">website-distribution.construct.ts[↗]</a></p> <h3> Update the CORS Configuration of the Website Bucket </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">WebsiteStackProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">origins</span><span class="p">?:</span> <span class="nx">string</span><span class="p">[]</span> <span class="c1">// the list of allowed origins</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">wsBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(...)</span> <span class="nx">wsBucket</span><span class="p">.</span><span class="nf">addCorsRule</span><span class="p">({</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="p">[</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">GET</span><span class="p">,</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">HEAD</span><span class="p">,</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">DELETE</span><span class="p">,</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">PUT</span><span class="p">,</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">HttpMethods</span><span class="p">.</span><span class="nx">POST</span> <span class="p">],</span> <span class="na">allowedOrigins</span><span class="p">:</span> <span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">origins</span> <span class="o">??</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]).</span><span class="nf">filter</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">),</span> <span class="na">maxAge</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">10</span><span class="p">).</span><span class="nf">toSeconds</span><span class="p">(),</span> <span class="na">allowedHeaders</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p><a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day11/configure-cloudfront-distrib-front-of-s3-bucket-to-secure-traffic/day_011/stacks/website-stack.ts" rel="noopener noreferrer">website-stack.ts[↗]</a></p> <ul> <li> <code>allowedOrigins</code> - Includes the subdomain that was previously created.</li> <li> <code>allowedHeaders</code> - Allows all headers coming from CloudFront.</li> </ul> <h6> Upload the website files to the S3 Bucket </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">new</span> <span class="nx">s3deploy</span><span class="p">.</span><span class="nc">BucketDeployment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeployTodoApp</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">destinationBucket</span><span class="p">:</span> <span class="nx">wsBucket</span><span class="p">,</span> <span class="na">sources</span><span class="p">:</span> <span class="p">[</span> <span class="nx">s3deploy</span><span class="p">.</span><span class="nx">Source</span><span class="p">.</span><span class="nf">asset</span><span class="p">(</span><span class="dl">'</span><span class="s1">../apps/todo-app/dist/todo-app/browser</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">exclude</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">node_modules</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> </code></pre> </div> <p><a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day11/configure-cloudfront-distrib-front-of-s3-bucket-to-secure-traffic/day_011/stacks/website-stack.ts" rel="noopener noreferrer">website-stack.ts[↗]</a></p> <h3> Update the existing stack </h3> <p>Find the full stack class 👉🏽👉🏽 <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day11/configure-cloudfront-distrib-front-of-s3-bucket-to-secure-traffic/day_011/stacks/cdk-stack.ts" rel="noopener noreferrer">cdk-stack.ts[↗]</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CdkStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="k">private</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebsiteDistribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TodoCloudfront</span><span class="dl">'</span><span class="p">,</span> <span class="o">&lt;</span><span class="nx">WebsiteDistributeionProps</span><span class="o">&gt;</span><span class="p">{</span> <span class="p">...</span><span class="nx">props</span> <span class="p">})</span> <span class="k">new</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TodoCloudfrontUrl</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">distributionUrl</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CfURL</span><span class="dl">'</span> <span class="p">})</span> <span class="k">new</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TodoCloudfrontViewUrl</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">viewsUrl</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ViewUrl</span><span class="dl">'</span> <span class="p">})</span> <span class="k">new</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ApiGatewayUrlOutput</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">restApi</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ApiGatewayUrl</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Deploy the new infrastructure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/apps <span class="o">&amp;&amp;</span> ng build <span class="nt">--configuration</span> production <span class="o">&amp;&amp;</span> <span class="nb">cd</span> ../.. <span class="nb">cd </span>100DaysTerraformAWSDevops/day_011 <span class="nb">export </span><span class="nv">MAIN_DOMAIN</span><span class="o">=</span><span class="s2">"yourdomain.com"</span> <span class="nb">export </span><span class="nv">STAGE_NAME</span><span class="o">=</span><span class="s2">"dev"</span> <span class="c"># needed by api gateway staging</span> <span class="nb">export </span><span class="nv">CERTIFICATE_ARN</span><span class="o">=</span><span class="s2">"arn:aws:acm:us-east-1:xxxx:certificate/xxxx-xxxx-xxxx-xxxxxxxx"</span> cdk deploy <span class="nt">--profile</span> cdk-user <span class="nt">--all</span> </code></pre> </div> <p>After a few minutes, CloudFront will complete the deployment and distribution of the content. Here is the result:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1acog6e7zgf5cngr6x4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1acog6e7zgf5cngr6x4.png" alt="Image resulat" width="800" height="477"></a></p> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_011" rel="noopener noreferrer">GitHub Repo↗</a></p> aws cloudfront angular cdk Configuring a Custom Domain for API Gateway with AWS Cloud Development Kit (CDK): SSL Certificate Use and Route 53 Integration Kevin Lactio Kemta Thu, 22 Aug 2024 11:37:16 +0000 https://forem.com/nivekalara237/configuring-a-custom-domain-for-api-gateway-with-aws-cdk-ssl-certificate-use-and-route-53-integration-3dh7 https://forem.com/nivekalara237/configuring-a-custom-domain-for-api-gateway-with-aws-cdk-ssl-certificate-use-and-route-53-integration-3dh7 <h6> <span>Day 010 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Recently in the <a href="https://dev.to/nivekalara237/building-a-secure-serverless-angular-app-with-aws-cdk-cognito-lambda-and-api-gateway-4e85">Day 009</a> of my 100 Days of Code Challenge, I created and deployed an infrastructure for securing API Gateway methods using AWS Cognito. Since these APIs are used by an Angular app, it is necessary to update the <code>environment.ts</code> file with the new backend endpoint after every API Gateway ID renewest. To avoid this repetitive update with each infrastructure modification, today I am going to configure a domain name in front of our API Gateway, so that we no longer need to change the <code>environment.ts</code> file for every API Gateway destruction.</p> <p>To achieve this, we will follow these steps:</p> <ol> <li><p><strong>Set Up a New CDK Construct for Domain Name Configuration</strong><br> Create a new CDK construct to handle the domain name configuration for the API Gateway.</p></li> <li><p><strong>Update the Existing Stack</strong><br> Modify the existing stack by instantiating the new construct with the appropriate parameters.</p></li> <li><p><strong>Deploy the New Infrastructure</strong><br> Deploy the updated infrastructure and update the endpoint values in the <strong>environment.ts</strong> file accordingly.</p></li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5t3pscv872ik7tyd9759.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5t3pscv872ik7tyd9759.png" alt="Diagram"></a></p> <h3> Set Up a New CDK Construct for Domain Name Configuration </h3> <p>To make the infrastructure stack more readable and maintainable, I prefer to create a custom construct for setting up a domain name for the API Gateway. This is necessary because creating a domain name for the API Gateway involves configuring multiple AWS resources. Within this custom construct, the following resources will need to be configured:</p> <ol> <li> <strong>Retrieve Certificate by ARN</strong> To customize a domain name for our API Gateway, AWS requires us to prove ownership of the domain. The SSL/TLS certificate, typically provided by AWS Certificate Manager (ACM), verifies that we control the domain associated with the custom API Gateway domain name. Since I have already requested my certificate in <code>ACM</code>, the following code snippet retrieves the existing certificate:</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">existingCertificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="s2">`ApiDomainCertificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&lt;CERTIFICATE_ARN&gt;</span><span class="dl">"</span><span class="p">)</span> </code></pre> </div> <ol> <li><strong>The Custom domain name</strong></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// const props: {api: IRestApi, apiDomain: string} = {...}</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">DomainName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`CustomApiDomainName`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">,</span> <span class="na">certificate</span><span class="p">:</span> <span class="nx">existingCertificate</span><span class="p">,</span> <span class="na">endpointType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">EndpointType</span><span class="p">.</span><span class="nx">EDGE</span><span class="p">,</span> <span class="na">securityPolicy</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">SecurityPolicy</span><span class="p">.</span><span class="nx">TLS_1_2</span><span class="p">,</span> <span class="na">mapping</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">api</span> <span class="p">})</span> </code></pre> </div> <ul> <li> <code>domainName</code> - The domain name to be used. In my case, it is a subdomain like todo-api.mydomain.com.</li> <li> <code>certificate</code> - The previously retrieved certificate, looked up by its ARN.</li> <li> <code>mapping</code> - The API Gateway that will be mapped to the domain name.</li> <li> <code>endpointType</code> - Since we are using <code>us-east-1</code> to create/import the certificate, we intend to create an edge-optimized API Gateway. For this type, the certificate must be created in <code>us-east-1</code>. If you choose to create a regional API Gateway, the certificate must reside in the region where the API Gateway is created.</li> </ul> <ol> <li><strong>Hosted Zone &amp; RecordSet</strong></li> </ol> <p>Since the hosted zone has already been created, we just need to find it by using the main domain name.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// const props: {api: IRestApi, apiDomain: string, domain: string} = {...}</span> <span class="kd">const</span> <span class="nx">hostedZone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`HostedZoneLookup_</span><span class="p">${</span><span class="nf">generateResourceID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">domain</span> <span class="p">})</span> </code></pre> </div> <p>Then, create an <code>A</code> record for the subdomain that will route all traffic to the API Gateway domain name.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// const props: {api: IRestApi, apiDomain: string, domain: string} = {...}</span> <span class="kd">const</span> <span class="nx">a_record</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">ARecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`A_Record`</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">.</span><span class="nf">concat</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">),</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">RecordTarget</span><span class="p">.</span><span class="nf">fromAlias</span><span class="p">(</span><span class="k">new</span> <span class="nx">targets</span><span class="p">.</span><span class="nc">ApiGatewayDomain</span><span class="p">(</span><span class="nx">domain</span><span class="p">)),</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="na">comment</span><span class="p">:</span> <span class="s2">`The Record “A“ to route traffic from subdomain </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">}</span><span class="s2"> to the api gateway #</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">api</span><span class="p">.</span><span class="nx">restApiId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="p">,</span> <span class="na">deleteExisting</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="nx">a_record</span><span class="p">.</span><span class="nf">applyRemovalPolicy</span><span class="p">(</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">)</span> </code></pre> </div> <ul> <li> <code>recordName</code> - The subdomain name for this record. Note that the value ends with a dot (<code>.</code>). If you don't include the dot, CDK will treat it as a segment rather than a fully qualified domain name.</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>recordName</th> <th>result</th> </tr> </thead> <tbody> <tr> <td>foo</td> <td>foo.mydomain.com</td> </tr> <tr> <td>zuzu.mydomain.com</td> <td>zuzu.mydomain.com.mydomain.com</td> </tr> <tr> <td>bar.mydomain.com.</td> <td>bar.mydomain.com</td> </tr> </tbody> </table></div> <p>The full code:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomStackProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../custom-stack.props</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">aws_apigateway</span> <span class="k">as</span> <span class="nx">api</span><span class="p">,</span> <span class="nx">aws_certificatemanager</span> <span class="k">as</span> <span class="nx">acm</span><span class="p">,</span> <span class="nx">aws_route53</span> <span class="k">as</span> <span class="nx">route53</span><span class="p">,</span> <span class="nx">aws_route53_targets</span> <span class="k">as</span> <span class="nx">targets</span><span class="p">,</span> <span class="nx">Duration</span><span class="p">,</span> <span class="nx">RemovalPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateResourceID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">ApiDomainNameProps</span> <span class="kd">extends</span> <span class="nx">CustomStackProps</span> <span class="p">{</span> <span class="nl">apiDomain</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">api</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">RestApi</span><span class="p">,</span> <span class="nx">certificateArn</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">ApiDomainName</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="kr">private</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">ApiDomainNameProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">The domain parameter must be specified as the ApiDomainName has been instantiated</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`The apiDomain parameter must be a subdomain of </span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">existingCertificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`ApiDomainCertificate_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">certificateArn</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">DomainName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`CustomApiDomainName_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">,</span> <span class="na">certificate</span><span class="p">:</span> <span class="nx">existingCertificate</span><span class="p">,</span> <span class="na">endpointType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">EndpointType</span><span class="p">.</span><span class="nx">EDGE</span><span class="p">,</span> <span class="na">securityPolicy</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">SecurityPolicy</span><span class="p">.</span><span class="nx">TLS_1_2</span><span class="p">,</span> <span class="na">mapping</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">api</span> <span class="p">})</span> <span class="nx">domain</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nf">addDependency</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">api</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">hostedZone</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">HostedZone</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`HostedZoneLookup_</span><span class="p">${</span><span class="nf">generateResourceID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">domain</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">a_record</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">route53</span><span class="p">.</span><span class="nc">ARecord</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`A_Record_</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">recordName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">.</span><span class="nf">concat</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">),</span> <span class="na">zone</span><span class="p">:</span> <span class="nx">hostedZone</span><span class="p">,</span> <span class="na">target</span><span class="p">:</span> <span class="nx">route53</span><span class="p">.</span><span class="nx">RecordTarget</span><span class="p">.</span><span class="nf">fromAlias</span><span class="p">(</span><span class="k">new</span> <span class="nx">targets</span><span class="p">.</span><span class="nc">ApiGatewayDomain</span><span class="p">(</span><span class="nx">domain</span><span class="p">)),</span> <span class="na">ttl</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="na">comment</span><span class="p">:</span> <span class="s2">`The "A" record is used to route traffic from the subdomain </span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">apiDomain</span><span class="p">}</span><span class="s2"> to the API Gateway #</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">api</span><span class="p">.</span><span class="nx">restApiId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="p">,</span> <span class="na">deleteExisting</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="nx">a_record</span><span class="p">.</span><span class="nf">applyRemovalPolicy</span><span class="p">(</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Update the Existing Stack </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CdkStack</span> <span class="kd">extends</span> <span class="nc">BaseStack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="kr">private</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="p">....</span> <span class="k">new</span> <span class="nc">ApiDomainName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TodoListApiDomainName</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">props</span><span class="p">,</span> <span class="na">apiDomain</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">route53</span><span class="p">?.</span><span class="nx">apigw</span><span class="p">?.</span><span class="nx">subdomain</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">api.</span><span class="dl">'</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">,</span> <span class="na">api</span><span class="p">:</span> <span class="nx">restApi</span><span class="p">,</span> <span class="na">certificateArn</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">route53</span><span class="p">?.</span><span class="nx">apigw</span><span class="p">?.</span><span class="nx">certificateArn</span><span class="o">!</span> <span class="p">});</span> <span class="p">....</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Deploy the entire infrastructure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">cd </span>100DaysTerraformAWSDevops/day_010 <span class="nb">export </span><span class="nv">STAGE_NAME</span><span class="o">=</span><span class="s2">"dev"</span> <span class="c"># needed by api gateway staging</span> <span class="nb">export </span><span class="nv">CERTIFICATE_ARN</span><span class="o">=</span><span class="s2">"arn:aws:acm:us-east-1:xxxx:certificate/xxxx"</span> cdk deploy <span class="nt">--profile</span> cdk-user <span class="nt">--all</span> </code></pre> </div> <h3> Re-deploy app as S3 static website </h3> <p>To deploy the Angular app to the S3 bucket as a website, follow the instructions in my previous article 👉🏽👉🏽 <a href="https://dev.to/nivekalara237/deploying-a-rest-api-and-angular-frontend-using-aws-cdk-s3-and-api-gateway-5983">Deploying a REST API and Angular Frontend Using AWS CDK, S3, and API Gateway↗</a><br> ⚠️⚠️ Make sure to update the API Gateway URL in the <em>src/environment.ts</em> file with the correct API Gateway endpoint before building and deploying the application.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">export</span> <span class="kd">const</span> <span class="nx">environment</span> <span class="o">=</span> <span class="p">{</span> <span class="na">production</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://todo-api.mydomain.com/</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_010" rel="noopener noreferrer">GitHub Repo↗</a></p> aws cdk route53 apigateway Building a Secure Serverless Angular App with AWS CDK, Cognito, Lambda, and API Gateway Kevin Lactio Kemta Tue, 20 Aug 2024 15:55:22 +0000 https://forem.com/nivekalara237/building-a-secure-serverless-angular-app-with-aws-cdk-cognito-lambda-and-api-gateway-4e85 https://forem.com/nivekalara237/building-a-secure-serverless-angular-app-with-aws-cdk-cognito-lambda-and-api-gateway-4e85 <h6> <span>Day 009 - 100DaysAWSIaCDevopsChallenge</span> </h6> <p>Recently, on <a href="https://dev.to/nivekalara237/deploying-a-rest-api-and-angular-frontend-using-aws-cdk-s3-and-api-gateway-5983">day 008</a> of my 100 Days of Code challenge, I created an infrastructure to deploy a REST API behind an API Gateway and an Angular app to consume the exposed APIs. Today, I am going to secure some of those APIs with AWS Cognito. To access these APIs, the user will need to provide an <code>ACCESS</code> or <code>ID</code> token in the header of every requests made.</p> <p>To achieve this, we will follow the steps below:</p> <ul> <li> <strong>Set Up AWS Cognito User Pool</strong>: Create an User Pool to handler users, and then create the App Client for authentication needs. </li> <li> <strong>Create Lambda functions for authentication process</strong>: Develop the necessary Lambda functions to support the authentication process.</li> <li> <strong>Create Api Gateway Authorizer</strong>: Set up an API Gateway authorizer of type Cognito.</li> <li> <strong>Update the Rest Api Methods</strong>: Secure the methods that need protection by applying the Cognito authorizer.</li> <li> <strong>Updated the Angular App with authentication proccess</strong>: Implement the authentication process within the Angular app.</li> <li><strong>Re-deploy the app as S3 static website</strong></li> </ul> <h6> Prerequises </h6> <ul> <li>AWS Cloud Developement Kit (CDK)</li> <li>Cognito, Secrets Manager, Lambda, API Gateway, IAM</li> <li>Typescript, Angular, esbuild</li> </ul> <h4> Infrastructure Diagram </h4> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fys2fwcg9dxqti4omsxin.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fys2fwcg9dxqti4omsxin.gif" alt="Image Diagram"></a></p> <h3> Set Up AWS Cognito User Pool <a></a> </h3> <p>I chose to create my own CDK construct to achieve this. In my construct, I first create the <code>User Pool</code> and then associate an <code>App Client</code> with it. Before these two resources are created, I will store the raw app client secret in an <code>AWS Secrets Manager</code> resource for added security, and I will retrieve it directly inside the Lambda by key.</p> <h6> Cogniton Construct </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">aws_cognito</span> <span class="k">as</span> <span class="nx">cognito</span><span class="p">,</span> <span class="nx">aws_secretsmanager</span> <span class="k">as</span> <span class="nx">sm</span><span class="p">,</span> <span class="nx">Duration</span><span class="p">,</span> <span class="nx">RemovalPolicy</span><span class="p">,</span> <span class="nx">StackProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">CognitoProps</span> <span class="kd">extends</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">verificationEmailUrl</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">fromEmail</span><span class="p">:</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Cognito</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_defaultAppClientId</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_secretValueArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_userPoolArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_userPoolId</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_userPool</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">IUserPool</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CognitoProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">stdRequired</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">StandardAttribute</span> <span class="o">=</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">UserPool</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CognitoUserPoolResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">accountRecovery</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">AccountRecovery</span><span class="p">.</span><span class="nx">EMAIL_ONLY</span><span class="p">,</span> <span class="na">userPoolName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">awschallenge-userpool-2</span><span class="dl">'</span><span class="p">,</span> <span class="na">selfSignUpEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userInvitation</span><span class="p">:</span> <span class="p">{</span> <span class="na">emailSubject</span><span class="p">:</span> <span class="dl">'</span><span class="s1">An account has been created for you</span><span class="dl">'</span><span class="p">,</span> <span class="na">emailBody</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Your Cognito account has been created by an admin. Here is your username: {username} and your temporary password: {####}</span><span class="dl">'</span> <span class="p">},</span> <span class="na">signInCaseSensitive</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">signInAliases</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span><span class="na">autoVerify</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">phone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span><span class="na">keepOriginal</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span><span class="na">standardAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">stdRequired</span><span class="p">,</span> <span class="na">mutable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">customAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">domain</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">last_updated_at</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">verified_at</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">first_name</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">last_name</span><span class="dl">'</span><span class="p">:</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">StringAttribute</span><span class="p">()</span> <span class="p">},</span> <span class="na">passwordPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">tempPasswordValidity</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">6</span><span class="p">,</span> <span class="na">requireDigits</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requireUppercase</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requireLowercase</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requireSymbols</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolEmail</span><span class="p">.</span><span class="nf">withCognito</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">fromEmail</span><span class="p">)</span> <span class="p">})</span> <span class="nx">userPool</span><span class="p">.</span><span class="nf">addTrigger</span><span class="p">(</span><span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolOperation</span><span class="p">.</span><span class="nx">CUSTOM_MESSAGE</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nf">customEmailMessageLambda</span><span class="p">())</span> <span class="kd">const</span> <span class="nx">userPoolClient</span> <span class="o">=</span> <span class="nx">userPool</span><span class="p">.</span><span class="nf">addClient</span><span class="p">(</span><span class="dl">'</span><span class="s1">todo-app-client</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">authFlows</span><span class="p">:</span> <span class="p">{</span> <span class="na">userPassword</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">adminUserPassword</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">custom</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userSrp</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">disableOAuth</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">preventUserExistenceErrors</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">generateSecret</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userPoolClientName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Todo-App-Client</span><span class="dl">'</span><span class="p">,</span> <span class="na">accessTokenValidity</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">idTokenValidity</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="na">refreshTokenValidity</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sm</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecretManagerResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">appClientSecret</span><span class="p">:</span> <span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientSecret</span><span class="p">.</span><span class="nf">unsafeUnwrap</span><span class="p">()</span> <span class="p">}),</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientName</span><span class="p">}</span><span class="s2">-AppSecret`</span> <span class="p">}</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_defaultAppClientId</span> <span class="o">=</span> <span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientId</span> <span class="k">this</span><span class="p">.</span><span class="nx">_secretValueArn</span> <span class="o">=</span> <span class="nx">clientSecret</span><span class="p">.</span><span class="nx">secretArn</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPoolArn</span> <span class="o">=</span> <span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolArn</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPoolId</span> <span class="o">=</span> <span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPool</span> <span class="o">=</span> <span class="nx">userPool</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">defaultAppClientId</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_defaultAppClientId</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">secretValueArn</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_secretValueArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">userPoolArn</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPoolArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">userPoolId</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPoolId</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">userPool</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_userPool</span> <span class="p">}</span> <span class="nx">customEmailMessageLambda</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomVerificationMessage</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CustomMessageFunction</span><span class="dl">'</span><span class="p">,</span> <span class="na">entryFunction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./apps/functions/auth/custom-confirm-message.function.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">CONFIRM_URL</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">verificationEmailUrl</span> <span class="p">},</span> <span class="na">logged</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nx">resource</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h6> The Lambda construct </h6> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Aws</span><span class="p">,</span> <span class="nx">aws_apigateway</span><span class="p">,</span> <span class="nx">aws_iam</span> <span class="k">as</span> <span class="nx">iam</span><span class="p">,</span> <span class="nx">aws_lambda</span> <span class="k">as</span> <span class="nx">lambda</span><span class="p">,</span> <span class="nx">Duration</span><span class="p">,</span> <span class="nx">StackProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NodejsFunction</span><span class="p">,</span> <span class="nx">SourceMapMode</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-lambda-nodejs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateResourceID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./utils</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">Props</span> <span class="p">{</span> <span class="nl">entryFunction</span><span class="p">:</span> <span class="nx">string</span><span class="p">;</span> <span class="nl">functionName</span><span class="p">:</span> <span class="nx">string</span><span class="p">;</span> <span class="nx">env</span><span class="p">?:</span> <span class="nx">Record</span><span class="o">&lt;</span><span class="nx">string</span><span class="p">,</span> <span class="nx">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nx">layersArns</span><span class="p">?:</span> <span class="nx">string</span><span class="p">[];</span> <span class="nx">externalDeps</span><span class="p">?:</span> <span class="nx">string</span><span class="p">[];</span> <span class="nx">logged</span><span class="p">?:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nx">memory</span><span class="p">?:</span> <span class="nx">number</span><span class="p">;</span> <span class="nx">role</span><span class="p">?:</span> <span class="p">{</span> <span class="nx">name</span><span class="p">?:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">inlinePolicies</span><span class="p">?:</span> <span class="nx">Record</span><span class="o">&lt;</span><span class="nx">string</span><span class="p">,</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyDocument</span><span class="o">&gt;</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">LambdaFunction</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Construct</span> <span class="p">{</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_functionArn</span><span class="p">:</span> <span class="nx">string</span> <span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">_resource</span><span class="p">:</span> <span class="nx">NodejsFunction</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="kr">private</span> <span class="nx">param</span><span class="p">:</span> <span class="nx">Props</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">policies</span><span class="p">:</span> <span class="nx">Record</span><span class="o">&lt;</span><span class="nx">string</span><span class="p">,</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyDocument</span><span class="o">&gt;</span> <span class="o">=</span> <span class="nx">param</span><span class="p">.</span><span class="nx">role</span><span class="p">?.</span><span class="nx">inlinePolicies</span> <span class="o">??</span> <span class="p">{}</span> <span class="k">if </span><span class="p">(</span><span class="nx">param</span><span class="p">.</span><span class="nx">logged</span><span class="p">)</span> <span class="p">{</span> <span class="nx">policies</span><span class="p">[</span><span class="dl">'</span><span class="s1">logging</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">logs:CreateLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:PutLogEvents</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:CreateLogStream</span><span class="dl">'</span> <span class="p">],</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">lamnbdaRole</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">createLambdaRole</span><span class="p">(</span> <span class="nx">param</span><span class="p">.</span><span class="nx">role</span><span class="p">?.</span><span class="nx">name</span> <span class="o">??</span> <span class="s2">`Role</span><span class="p">${</span><span class="nf">generateResourceID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">param</span><span class="p">,</span> <span class="nx">policies</span> <span class="p">)</span> <span class="kd">const</span> <span class="nx">func</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">NodejsFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`Lambda</span><span class="p">${</span><span class="nf">generateResourceID</span><span class="p">()}</span><span class="s2">Resource`</span><span class="p">,</span> <span class="p">{</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">param</span><span class="p">.</span><span class="nx">entryFunction</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">index.handler</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">functionName</span><span class="p">:</span> <span class="nx">param</span><span class="p">.</span><span class="nx">functionName</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">param</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_20_X</span><span class="p">,</span> <span class="na">memorySize</span><span class="p">:</span> <span class="nx">param</span><span class="p">.</span><span class="nx">memory</span> <span class="o">??</span> <span class="mi">128</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">lamnbdaRole</span><span class="p">,</span> <span class="na">bundling</span><span class="p">:</span> <span class="p">{</span> <span class="na">externalModules</span><span class="p">:</span> <span class="p">[</span> <span class="p">...(</span><span class="nx">param</span><span class="p">.</span><span class="nx">externalDeps</span> <span class="o">||</span> <span class="p">[]),</span> <span class="dl">'</span><span class="s1">utils</span><span class="dl">'</span> <span class="p">],</span> <span class="na">sourceMap</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sourceMapMode</span><span class="p">:</span> <span class="nx">SourceMapMode</span><span class="p">.</span><span class="nx">BOTH</span> <span class="p">},</span> <span class="na">layers</span><span class="p">:</span> <span class="p">[</span> <span class="p">...((</span><span class="nx">param</span><span class="p">.</span><span class="nx">layersArns</span> <span class="o">||</span> <span class="p">[])</span> <span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">LayerVersion</span><span class="p">.</span><span class="nf">fromLayerVersionArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`LayerVersion</span><span class="p">${</span><span class="nf">generateResourceID</span><span class="p">()}</span><span class="s2">Resource`</span><span class="p">,</span> <span class="nx">value</span><span class="p">)))</span> <span class="p">]</span> <span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">_functionArn</span> <span class="o">=</span> <span class="nx">func</span><span class="p">.</span><span class="nx">functionArn</span> <span class="k">this</span><span class="p">.</span><span class="nx">_resource</span> <span class="o">=</span> <span class="nx">func</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">functionArn</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_functionArn</span> <span class="p">}</span> <span class="kd">get</span> <span class="nf">resource</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">_resource</span> <span class="p">}</span> <span class="nx">grantApi</span> <span class="o">=</span> <span class="p">(</span><span class="nx">restApi</span><span class="p">:</span> <span class="nx">aws_apigateway</span><span class="p">.</span><span class="nx">RestApi</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">_resource</span><span class="p">.</span><span class="nf">addPermission</span><span class="p">(</span><span class="s2">`TodoAppLambdaPermissionResource-</span><span class="p">${</span><span class="nf">randomUUID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lambda:InvokeFunction</span><span class="dl">'</span><span class="p">,</span> <span class="na">principal</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">apigateway.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">sourceAccount</span><span class="p">:</span> <span class="nx">restApi</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">,</span> <span class="na">sourceArn</span><span class="p">:</span> <span class="s2">`arn:</span><span class="p">${</span><span class="nx">Aws</span><span class="p">.</span><span class="nx">PARTITION</span><span class="p">}</span><span class="s2">:execute-api:</span><span class="p">${</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">restApiId</span><span class="p">}</span><span class="s2">/*/*/*`</span> <span class="p">})</span> <span class="p">}</span> <span class="kr">private</span> <span class="nf">createLambdaRole</span><span class="p">(</span><span class="nx">roleName</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">,</span> <span class="nx">inlinePolicies</span><span class="p">?:</span> <span class="nx">Record</span><span class="o">&lt;</span><span class="nx">string</span><span class="p">,</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyDocument</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Role</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">roleName</span><span class="p">}</span><span class="s2">Resource`</span><span class="p">,</span> <span class="p">{</span> <span class="na">roleName</span><span class="p">:</span> <span class="nx">roleName</span><span class="p">,</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">lambda.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span> <span class="p">}),</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">inlinePolicies</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The important things here to know is:</p> <ul> <li> <code>accountRecovery</code> Specifies the method for users to recover their account if they lose their password. In our case, it's set to email only, so the recovery link will be sent to the user via email provided by him. </li> <li> <code>selfSignUpEnabled</code> Give the habillity to the users (unknown user) to use the <code>Sign-Up</code> functionality to create their accounts.</li> <li><p><code>userInvitation</code> The message template (subject and body) sent to the user when their account is created by an admin. In the <em>emailBody</em>, <code>{username}</code> and <code>{####}</code> will be replaced by the user's username and the verification code, respectively.</p></li> <li><p><code>signInAliases</code> A list of methods by which a user can register or sign in to a user pool. It allows either username with aliases or sign-in with email, phone, or both. In our case, the user can sign in using either their email or username.</p></li> <li><p><code>customAttributes</code> Additional attributes for the user. Note that each attribute here will be represented in the Cognito schema as <code>custom:&lt;ATTR_NAME&gt;</code>, so there's no need to prefix these attributes with <em>custom</em>.</p></li> <li><p><code>email</code> The email settings for the User Pool. There are two options: <code>Cognito</code> or <code>SES</code>. Since we chose the Cognito option, we provide the no-reply address (<em>sender name </em>)</p></li> </ul> <p>In the code above, we added a Lambda Trigger of type <code>CUSTOM_MESSAGE</code> to customize the email content for a more appealing appearance. This trigger activates when the verification code email is sent to the user after sign-up.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">userPool</span><span class="p">.</span><span class="nf">addTrigger</span><span class="p">(</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolOperation</span><span class="p">.</span><span class="nx">CUSTOM_MESSAGE</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nf">customEmailMessageLambda</span><span class="p">()</span> <span class="p">)</span> </code></pre> </div> <p>The rendering will be hardcoded in the provided Lambda and will look like this.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpz4ccvr2oxlr6wh3zfu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpz4ccvr2oxlr6wh3zfu.png" alt="Image email body preview"></a></p> <p>You can find the entire source code for the function here <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/blob/day9/secure-api-with-cognito-user-pool/day_009/apps/functions/auth/custom-confirm-message.function.ts" rel="noopener noreferrer">custom-confirm-message.function.ts↗</a></p> <p>Now let's talk about the app client. The important points to note are:</p> <ul> <li> <code>disableOAuth</code> set to <code>false</code> to desable the OAuth interaction.</li> <li> <code>generateSecret</code> set to <code>true</code> to generate the app client secret.</li> <li> <code>authFlows</code> Specifies the set of OAuth authentication flows to enable on the client</li> </ul> <blockquote> <p>Note that for security purposes, it is recommended to retrieve the secret at Lambda runtime logic to avoid exposing the secret in the CloudFormation template. For this, pass the secret ARN as an environment variable to the lambda function instead of passing the secret value directly.</p> </blockquote> <p>As you can see, we also store the app client secret using AWS Secrets Manager with the following snippet of code</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sm</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SecretManagerResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">appClientSecret</span><span class="p">:</span> <span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientSecret</span><span class="p">.</span><span class="nf">unsafeUnwrap</span><span class="p">()</span> <span class="p">}),</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientName</span><span class="p">}</span><span class="s2">-AppSecret`</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> Create Lambda functions for authentication process </h3> <p>In this section, I will create three (03) Lambda functions for Sign-In, Sign-Up, and Confirm Email.</p> <h5> Lambda function for user Sign-Up </h5> <p><em>apps/functions/auth/register.function.ts</em></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LambdaResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../src/infra/dto/lambda.response</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoIdentityProviderClient</span><span class="p">,</span> <span class="nx">SignUpCommand</span><span class="p">,</span> <span class="nx">SignUpCommandOutput</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">moment</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">moment</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">computeSecretHash</span><span class="p">,</span> <span class="nx">DATETIME_FORMAT</span><span class="p">,</span> <span class="nx">responseError</span><span class="p">,</span> <span class="nx">responseOk</span><span class="p">,</span> <span class="nx">toPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">utils</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-secrets-manager</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerRepository</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../src/infra/storage/secrets/secrets-manager.repository</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CognitoIdentityProviderClient</span><span class="p">({})</span> <span class="kd">const</span> <span class="nx">smClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretsManagerClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">CLIENT_ID</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_CLIENT_ID</span> <span class="kd">const</span> <span class="nx">SECRET_VALUE_ARN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SECRET_VALUE_ARN</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">Handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nf">toPayload</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="kd">let</span> <span class="na">responseHandler</span><span class="p">:</span> <span class="nx">LambdaResponse</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">validatePayload</span><span class="p">(</span><span class="nx">payload</span><span class="p">))</span> <span class="p">{</span> <span class="nx">responseHandler</span> <span class="o">=</span> <span class="nf">responseError</span><span class="p">(</span><span class="dl">'</span><span class="s1">some Input(s) are invalid</span><span class="dl">'</span><span class="p">,</span> <span class="mi">403</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">attributes</span> <span class="o">=</span> <span class="p">[{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom:domain</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">nivekaa.com</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom:first_name</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">firstName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">family_name</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">lastName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">given_name</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">firstName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom:last_name</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">lastName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom:created_at</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nf">moment</span><span class="p">().</span><span class="nf">format</span><span class="p">(</span><span class="nx">DATETIME_FORMAT</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom:last_updated_at</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nf">moment</span><span class="p">().</span><span class="nf">format</span><span class="p">(</span><span class="nx">DATETIME_FORMAT</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="p">(</span><span class="o">!!</span><span class="nx">payload</span><span class="p">.</span><span class="nx">lastName</span> <span class="o">||</span> <span class="o">!!</span><span class="nx">payload</span><span class="p">.</span><span class="nx">firstName</span><span class="p">)</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">firstName</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">payload</span><span class="p">.</span><span class="nx">lastName</span><span class="p">}</span><span class="s2">`</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="p">:</span> <span class="kc">null</span> <span class="p">}]</span> <span class="kd">let</span> <span class="nx">messageError</span> <span class="o">=</span> <span class="kc">null</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">SecretsManagerRepository</span><span class="p">(</span><span class="nx">smClient</span><span class="p">)</span> <span class="p">.</span><span class="nf">getCognitoAppClientSecretValue</span><span class="p">(</span><span class="nx">SECRET_VALUE_ARN</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SignUpCommand</span><span class="p">({</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">Username</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">Password</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="na">SecretHash</span><span class="p">:</span> <span class="nf">computeSecretHash</span><span class="p">(</span><span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">),</span> <span class="na">UserAttributes</span><span class="p">:</span> <span class="nx">attributes</span><span class="p">,</span> <span class="na">UserContextData</span><span class="p">:</span> <span class="p">{</span> <span class="na">IpAddress</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">?.</span><span class="nx">identity</span><span class="p">?.</span><span class="nx">sourceIp</span> <span class="p">}</span> <span class="p">})</span> <span class="kd">const</span> <span class="na">response</span><span class="p">:</span> <span class="nx">SignUpCommandOutput</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="nx">messageError</span> <span class="o">=</span> <span class="s2">`Something wrong: StatusCode=</span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="nx">messageError</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">message</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">messageError</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="nx">messageError</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseOk</span><span class="p">({},</span> <span class="dl">'</span><span class="s1">User successfully created</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">responseHandler</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">validatePayload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">body</span><span class="p">:</span> <span class="nx">any</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">email</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">password</span> <span class="kd">const</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">username</span> <span class="kd">const</span> <span class="nx">areNotNull</span> <span class="o">=</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">username</span><span class="p">].</span><span class="nf">every</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">isEmailValid</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+@</span><span class="se">[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[^\s</span><span class="sr">@</span><span class="se">]</span><span class="sr">+$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">isValidPassword</span> <span class="o">=</span> <span class="sr">/^</span><span class="se">(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">0-9</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">a-z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">])(?=</span><span class="sr">.*</span><span class="se">\W)(?!</span><span class="sr">.* </span><span class="se">)</span><span class="sr">.</span><span class="se">{8,16}</span><span class="sr">$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">password</span><span class="p">)</span> <span class="k">return</span> <span class="nx">areNotNull</span> <span class="o">&amp;&amp;</span> <span class="nx">isEmailValid</span> <span class="o">&amp;&amp;</span> <span class="nx">isValidPassword</span> <span class="p">}</span> </code></pre> </div> <p>Considering that the <code>SECRET_VALUE_ARN</code> and <code>APP_CLIENT_ID</code> were passed to the Lambda resource during the infrastructure construction, remember that in the previous section, I stored the user pool app client secret in Secrets Manager. Below is the code to retrieve it:</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// app/src/infra/storage/secrets/secrets-manager.repository.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GetSecretValueCommand</span><span class="p">,</span> <span class="nx">SecretsManagerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-secrets-manager</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SecretsManagerRepository</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="kr">private</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">SecretsManagerClient</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="nx">getCognitoAppClientSecretValue</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">secretArn</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">string</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GetSecretValueCommand</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="nx">secretArn</span> <span class="p">})</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span> <span class="o">===</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">json</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">SecretString</span><span class="o">!</span><span class="p">)</span> <span class="k">return</span> <span class="nx">json</span><span class="p">.</span><span class="nx">appClientSecret</span> <span class="o">+</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Technical error. Please Contact the admin or try again later</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And below is the content of function to compute the <em>SecretHash</em> parameter</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">createHmac</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:crypto</span><span class="dl">'</span> <span class="p">....</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">computeSecretHash</span> <span class="o">=</span> <span class="p">(</span><span class="nx">clientId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">username</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hasher</span> <span class="o">=</span> <span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">clientSecret</span> <span class="o">+</span> <span class="dl">''</span><span class="p">)</span> <span class="nx">hasher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">username</span><span class="p">}${</span><span class="nx">clientId</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="k">return</span> <span class="nx">hasher</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>For more information about the client-secret hash value see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash" rel="noopener noreferrer">aws docs↗</a></p> <h5> Lambda function for user Sign-In </h5> <p><em>apps/functions/auth/login.function.ts</em></p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">computeSecretHash</span><span class="p">,</span> <span class="nx">responseError</span><span class="p">,</span> <span class="nx">toPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">utils</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthFlowType</span><span class="p">,</span> <span class="nx">CognitoIdentityProviderClient</span><span class="p">,</span> <span class="nx">InitiateAuthCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-secrets-manager</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerRepository</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../src/infra/storage/secrets/secrets-manager.repository</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CognitoIdentityProviderClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">smClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretsManagerClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">CLIENT_ID</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_CLIENT_ID</span> <span class="kd">const</span> <span class="nx">SECRET_VALUE_ARN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SECRET_VALUE_ARN</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">Handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nf">toPayload</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">validatePayload</span><span class="p">(</span><span class="nx">payload</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid input(s).</span><span class="dl">'</span><span class="p">,</span> <span class="mi">403</span><span class="p">)</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">SecretsManagerRepository</span><span class="p">(</span><span class="nx">smClient</span><span class="p">)</span> <span class="p">.</span><span class="nf">getCognitoAppClientSecretValue</span><span class="p">(</span><span class="nx">SECRET_VALUE_ARN</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InitiateAuthCommand</span><span class="p">({</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">AuthFlow</span><span class="p">:</span> <span class="nx">AuthFlowType</span><span class="p">.</span><span class="nx">USER_PASSWORD_AUTH</span><span class="p">,</span> <span class="na">AuthParameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">SECRET_HASH</span><span class="p">:</span> <span class="nf">computeSecretHash</span><span class="p">(</span><span class="nx">CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">),</span> <span class="na">USERNAME</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">PASSWORD</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">password</span> <span class="p">},</span> <span class="na">UserContextData</span><span class="p">:</span> <span class="p">{</span> <span class="na">IpAddress</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">?.</span><span class="nx">identity</span><span class="p">?.</span><span class="nx">sourceIp</span> <span class="p">}</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="s2">`Something wrong!! Status=</span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">isBase64Encoded</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">IdToken</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user logged!!</span><span class="dl">'</span><span class="p">,</span> <span class="na">idToken</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">IdToken</span><span class="p">,</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">AccessToken</span><span class="p">,</span> <span class="na">tokenType</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">TokenType</span><span class="p">,</span> <span class="na">expiredIn</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">ExpiresIn</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">AuthenticationResult</span><span class="p">?.</span><span class="nx">RefreshToken</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">validatePayload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="kr">any</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">username</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">payload</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">password</span><span class="p">].</span><span class="nf">every</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>This function initiates the authentication process by generating the Id and Access tokens that will be used by external systems to access API resources.</p> <h5> Lambda function for Confirm Email </h5> <p>This function will be called when the user clicks on the<code>Activate Account</code> button inside the verification email. We need the <code>code</code> (generated by Cognito during the sign-up process) and <code>username</code> for this process.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">Context</span><span class="p">,</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoIdentityProviderClient</span><span class="p">,</span> <span class="nx">ConfirmSignUpCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">computeSecretHash</span><span class="p">,</span> <span class="nx">responseError</span><span class="p">,</span> <span class="nx">responseOk</span><span class="p">,</span> <span class="nx">toPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">utils</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-secrets-manager</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SecretsManagerRepository</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../src/infra/storage/secrets/secrets-manager.repository</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CognitoIdentityProviderClient</span><span class="p">({})</span> <span class="kd">const</span> <span class="nx">smClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretsManagerClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">CLIENT_ID</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_CLIENT_ID</span> <span class="kd">const</span> <span class="nx">SECRET_VALUE_ARN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SECRET_VALUE_ARN</span> <span class="kd">const</span> <span class="nx">DOMAIN</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">Handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">Context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nf">toPayload</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">validatePayload</span><span class="p">(</span><span class="nx">payload</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid input(s)</span><span class="dl">'</span><span class="p">,</span> <span class="mi">403</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="nx">DOMAIN</span> <span class="o">!==</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="dl">'</span><span class="s1">The email is wrong.</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">SecretsManagerRepository</span><span class="p">(</span><span class="nx">smClient</span><span class="p">)</span> <span class="p">.</span><span class="nf">getCognitoAppClientSecretValue</span><span class="p">(</span><span class="nx">SECRET_VALUE_ARN</span><span class="o">!</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">cmd</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConfirmSignUpCommand</span><span class="p">({</span> <span class="na">ConfirmationCode</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">code</span> <span class="o">+</span> <span class="dl">''</span><span class="p">,</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">CLIENT_ID</span><span class="p">,</span> <span class="na">Username</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">SecretHash</span><span class="p">:</span> <span class="nf">computeSecretHash</span><span class="p">(</span><span class="nx">CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">cmd</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">response</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span> <span class="o">===</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">responseOk</span><span class="p">(</span><span class="dl">'</span><span class="s1">Email confirmed</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Something unexpected wrong!</span><span class="dl">'</span><span class="p">,</span> <span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="k">return</span> <span class="nf">responseError</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">validatePayload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">any</span><span class="p">):</span> <span class="nx">boolean</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">username</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">payload</span><span class="p">.</span><span class="nf">hasOwnProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">))</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="nx">payload</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">code</span><span class="p">].</span><span class="nf">every</span><span class="p">(</span><span class="nx">value</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">value</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h5> Add methods for authentication process </h5> <p>Now that all the functions for the authentication process are ready, let's add methods for them to the API Gateway.</p> <p><em>stacks/cdk-stack.ts</em></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">cors</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">CorsOptions</span> <span class="o">=</span> <span class="p">{...}</span> <span class="kd">const</span> <span class="nx">layerArn</span> <span class="o">=</span> <span class="p">...</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">rootResource</span> <span class="o">=</span> <span class="nx">restApi</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nf">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">todo-app-api</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">authRoot</span> <span class="o">=</span> <span class="nx">restApi</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nf">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">auth</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Create the authentication endpoints</span> <span class="kd">const</span> <span class="nx">loginResource</span> <span class="o">=</span> <span class="nx">authRoot</span><span class="p">.</span><span class="nf">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">defaultCorsPreflightOptions</span><span class="p">:</span> <span class="nx">cors</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">registerResource</span> <span class="o">=</span> <span class="nx">authRoot</span><span class="p">.</span><span class="nf">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">register</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">defaultCorsPreflightOptions</span><span class="p">:</span> <span class="nx">cors</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">confirmResource</span> <span class="o">=</span> <span class="nx">authRoot</span><span class="p">.</span><span class="nf">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">confirm-email</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">defaultCorsPreflightOptions</span><span class="p">:</span> <span class="nx">cors</span> <span class="p">})</span> <span class="c1">// Add authentication methods with each lambda integration</span> <span class="kd">const</span> <span class="nx">cognitoInlinePolicy</span> <span class="o">=</span> <span class="p">{</span> <span class="na">cognito</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">cognito-idp:ConfirmDevice</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ChangePassword</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ConfirmForgotPassword</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ChangePassword</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ConfirmSignUp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ForgotPassword</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:GetUser</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:GetUserAttributeVerificationCode</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:ListUsers</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:SignUp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cognito-idp:UpdateUserAttributes</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">userPoolArn</span> <span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">}),</span> <span class="na">secret</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyDocument</span><span class="p">({</span> <span class="na">assignSids</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">secretsmanager:GetSecretValue</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">cognito</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">loginFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LoginFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Auth-Cognito-Login-NodejsFunction</span><span class="dl">'</span><span class="p">,</span> <span class="na">entryFunction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./apps/functions/auth/login.function.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">USER_POOL_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">userPooId</span><span class="p">,</span> <span class="na">SECRET_VALUE_ARN</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">APP_CLIENT_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">REGION</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="o">!</span> <span class="p">},</span> <span class="na">logged</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="nx">cognitoInlinePolicy</span> <span class="p">},</span> <span class="na">layersArns</span><span class="p">:</span> <span class="p">[</span><span class="nx">layerArn</span><span class="p">],</span> <span class="na">externalDeps</span><span class="p">:</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">dependencies</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">registerFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RegistrationFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Auth-Cognito-Register-NodejsFunction</span><span class="dl">'</span><span class="p">,</span> <span class="na">entryFunction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./apps/functions/auth/register.function.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">USER_POOL_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">userPooId</span><span class="p">,</span> <span class="na">SECRET_VALUE_ARN</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">APP_CLIENT_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">REGION</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="o">!</span> <span class="p">},</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AuthRegistrationRole</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="nx">cognitoInlinePolicy</span> <span class="p">},</span> <span class="na">layersArns</span><span class="p">:</span> <span class="p">[</span><span class="nx">layerArn</span><span class="p">],</span> <span class="na">externalDeps</span><span class="p">:</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">dependencies</span><span class="p">)</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">confirmUserFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ConfirmUserFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Auth-Cognito-ConfirmUser-NodejsFunction</span><span class="dl">'</span><span class="p">,</span> <span class="na">entryFunction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./apps/functions/auth/confirm-user.function.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">USER_POOL_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">userPooId</span><span class="p">,</span> <span class="na">SECRET_VALUE_ARN</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">APP_CLIENT_ID</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">DOMAIN</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">cognito</span><span class="p">?.</span><span class="nx">domain</span><span class="o">!</span><span class="p">,</span> <span class="na">REGION</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="o">!</span> <span class="p">},</span> <span class="na">logged</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AuthConfirmRole</span><span class="dl">'</span><span class="p">,</span> <span class="na">inlinePolicies</span><span class="p">:</span> <span class="nx">cognitoInlinePolicy</span> <span class="p">},</span> <span class="na">layersArns</span><span class="p">:</span> <span class="p">[</span><span class="nx">layerArn</span><span class="p">],</span> <span class="na">externalDeps</span><span class="p">:</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">dependencies</span><span class="p">)</span> <span class="p">})</span> <span class="c1">// Allow each lambda to be invoked by API Gateway</span> <span class="nb">Array</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">loginFunction</span><span class="p">,</span> <span class="nx">registerFunction</span><span class="p">,</span> <span class="nx">confirmUserFunction</span><span class="p">)</span> <span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">func</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">func</span><span class="p">.</span><span class="nx">resource</span><span class="p">.</span><span class="nf">addPermission</span><span class="p">(</span><span class="s2">`APIGW-Permission-</span><span class="p">${</span><span class="nf">randomUUID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">principal</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">apigateway.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">sourceArn</span><span class="p">:</span> <span class="s2">`arn:</span><span class="p">${</span><span class="nx">Aws</span><span class="p">.</span><span class="nx">PARTITION</span><span class="p">}</span><span class="s2">:execute-api:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">restApiId</span><span class="p">}</span><span class="s2">/*/*/*`</span><span class="p">,</span> <span class="na">sourceAccount</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">account</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="k">this</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lambda:InvokeFunction</span><span class="dl">'</span> <span class="p">})</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">loginMethod</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">loginResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">POST</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">loginFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">NONE</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">registerMethod</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">registerResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">POST</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">registerFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">NONE</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">confirmUserMethod</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">confirmResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">POST</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">confirmUserFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">{</span> <span class="nx">methodResponses</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">NONE</span> <span class="p">})</span> </code></pre> </div> <p>⚠️⚠️ <strong>Pay attention</strong> to the Lambdas set up above. Since they call Cognito and Secrets Manager, it is necessary to grant them the appropriate permissions to perform their operations without causing issues. Additionally, you’ll notice that API Gateway is granted permission to invoke all of these Lambda functions.</p> <h3> Create Api Gateway Authorizer </h3> <p>Before creating the Cognito Authorizer, it is imperative to instantiate our construct created in the User Pool section, because the authorizer needs its ARN.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">cognitoUserPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Cognito</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomCognitoResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">verificationEmailUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://localhost:4200/auth/confirm-email</span><span class="dl">'</span><span class="p">,</span> <span class="na">fromEmail</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">cognito</span><span class="p">?.</span><span class="nx">verificationFromEmail</span><span class="o">!</span> <span class="p">})</span> </code></pre> </div> <p>Now that the user pool is constructed, we can create the Cognito authorizer and attach it directly to the User Pool we previously created.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">cognitoAuthorizer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">CognitoUserPoolsAuthorizer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AuthorizerResource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">authorizerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">todo-app-authorizer</span><span class="dl">'</span><span class="p">,</span> <span class="na">cognitoUserPools</span><span class="p">:</span> <span class="p">[</span><span class="nx">cognitoUserPool</span><span class="p">.</span><span class="nx">userPool</span><span class="p">],</span> <span class="na">identitySource</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">IdentitySource</span><span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p><strong>api.IdentitySource.header('authorization')</strong> will return the string <strong>'method.request.header.Authorization'</strong></p> <h3> Update the Rest Api Methods </h3> <p>In my last article (<a href="https://dev.to/nivekalara237/deploying-a-rest-api-and-angular-frontend-using-aws-cdk-s3-and-api-gateway-5983">Day 008↗</a>), I had created insecure APIs. Now, let's update these resources by securing them with the Cognito authorizer that we previously created.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">getTodoListsMethod</span> <span class="o">=</span> <span class="nx">getTodoListsResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">GET</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">connectionType</span><span class="p">:</span> <span class="nx">ConnectionType</span><span class="p">.</span><span class="nx">INTERNET</span><span class="p">,</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="na">authorizer</span><span class="p">:</span> <span class="nx">cognitoAuthorizer</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">createTodoListMethod</span> <span class="o">=</span> <span class="nx">createTodoListResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">POST</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">connectionType</span><span class="p">:</span> <span class="nx">ConnectionType</span><span class="p">.</span><span class="nx">INTERNET</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizer</span><span class="p">:</span> <span class="nx">cognitoAuthorizer</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">updateTodoListMethod</span> <span class="o">=</span> <span class="nx">updateTodoListResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">PUT</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">connectionType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">ConnectionType</span><span class="p">.</span><span class="nx">INTERNET</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizer</span><span class="p">:</span> <span class="nx">cognitoAuthorizer</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">deleteTodoListMethod</span> <span class="o">=</span> <span class="nx">deleteTodoListResource</span><span class="p">.</span><span class="nf">addMethod</span><span class="p">(</span><span class="nx">MediaType</span><span class="p">.</span><span class="nx">DELETE</span><span class="p">,</span> <span class="k">new</span> <span class="nx">api</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nx">resource</span><span class="p">,</span> <span class="p">{</span> <span class="na">connectionType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">ConnectionType</span><span class="p">.</span><span class="nx">INTERNET</span><span class="p">,</span> <span class="na">proxy</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">authorizer</span><span class="p">:</span> <span class="nx">cognitoAuthorizer</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">api</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="nx">methodResponses</span> <span class="p">})</span> </code></pre> </div> <p>Now let's test one of these APIs to verify that the security integration is working correctly.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayqmlzlmtxb3hl1hk0e5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayqmlzlmtxb3hl1hk0e5.png" alt="Image description"></a></p> <p>I received a <code>401 Unauthorized</code> error, indicating that I need to provide either the Access or ID token.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wt3vq2z82a5m1c4oie2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wt3vq2z82a5m1c4oie2.png" alt="Image description"></a></p> <p>I copied the idToken, included it in the header of my request, and tried again. This time, I received:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuun69vgarhsvmzzuljyj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuun69vgarhsvmzzuljyj.png" alt="Image description"></a></p> <h3> Updated the Angular App with authentication proccess </h3> <p>The app integration involves passing the <code>IdToken</code> generated during the sign-in process in the header of each request, formatted as <code>Authorization: Bearer &lt;ID_TOKEN&gt;</code></p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authorizerInterceptor</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">HttpRequest</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">HttpHandlerFn</span><span class="p">):</span> <span class="nx">Observable</span><span class="o">&lt;</span><span class="nx">HttpEvent</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenAuth</span> <span class="o">=</span> <span class="nf">inject</span><span class="p">(</span><span class="nx">MEMORY_TOKEN_REPOSITORY</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">url</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">url</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/details</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">tokenAuth</span><span class="p">.</span><span class="nf">hasToken</span><span class="p">())</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">reReq</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nf">clone</span><span class="p">({</span> <span class="na">setHeaders</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">tokenAuth</span><span class="p">.</span><span class="nf">getToken</span><span class="p">()}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">})</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">reReq</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>You can find the complete code for the Angular app <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/day9/secure-api-with-cognito-user-pool/apps/todo-app" rel="noopener noreferrer">here↗</a></p> <h4> Deploy the entire infrastructure </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git clone https://github.com/nivekalara237/100DaysTerraformAWSDevops.git <span class="nb">export </span><span class="nv">STAGE_NAME</span><span class="o">=</span>dev <span class="c"># needed by api gateway staging</span> <span class="nb">cd </span>100DaysTerraformAWSDevops/day_009 cdk deploy <span class="nt">--profile</span> cdk-user <span class="nt">--all</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fml2bpz1mfxkvcuwagr8u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fml2bpz1mfxkvcuwagr8u.png" alt="Image description"></a></p> <h3> Re-deploy app as S3 static website </h3> <p>To deploy the Angular app to the S3 bucket as a website, follow the instructions in my previous article 👉🏽👉🏽 <a href="https://dev.to/nivekalara237/deploying-a-rest-api-and-angular-frontend-using-aws-cdk-s3-and-api-gateway-5983">Deploying a REST API and Angular Frontend Using AWS CDK, S3, and API Gateway</a><br> ⚠️⚠️ Make sure to update the API Gateway URL in the <em>src/environment.ts</em> file with the correct API Gateway endpoint before building and deploying the application.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">export</span> <span class="kd">const</span> <span class="nx">environment</span> <span class="o">=</span> <span class="p">{</span> <span class="na">production</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://{{API_GATEWAY_ID}}.execute-api.us-east-1.amazonaws.com/{{STAGE_NAME}}/</span><span class="dl">'</span> <span class="p">}</span> </code></pre> </div> <p>__</p> <p>🥳✨<br> We have reached the end of the article.<br> <span>Thank you so much</span> 🙂</p> <p>Your can find the full source code on <a href="https://github.com/nivekalara237/100DaysTerraformAWSDevops/tree/master/day_009" rel="noopener noreferrer">GitHub Repo</a></p> angular cdk serverless aws