feat!: Move deployment pipeline to CDK (#654)

.eslintignore

@@ -1 +1,2 @@
-auditLogMover/
+auditLogMover/
+cdk.out/

.github/workflows/deploy.yaml

@@ -106,6 +106,13 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           serverless deploy --stage dev --region ${{ matrix.region }} --useHapiValidator true --enableMultiTenancy ${{ matrix.enableMultiTenancy }} --enableSubscriptions true --conceal
+      - name: Deploy FHIR Server and Hapi Validator with CDK
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.CDK_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.CDK_AWS_SECRET_ACCESS_KEY }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          yarn deploy -c region=${{ matrix.region }} -c useHapiValidator=true -c enableMultiTenancy=${{ matrix.enableMultiTenancy }} -c enableSubscriptions=true --all
       - name: Deploy auditLogMover
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID}}
@@ -159,6 +166,20 @@ jobs:
           --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=$COGNITO_USERNAME,PASSWORD=$COGNITO_PASSWORD | \
           python -c 'import json,sys;obj=json.load(sys.stdin);print obj["AuthenticationResult"]["IdToken"]')
           bundle exec rake crucible:execute_hearth_tests[$SERVICE_URL,$API_KEY,$ACCESS_TOKEN]
+      - name: Execute tests on CDK
+        env:
+          SERVICE_URL: ${{ secrets.CDK_SERVICE_URL }}
+          API_KEY: ${{ secrets.CDK_API_KEY }}
+          COGNITO_CLIENT_ID: ${{ secrets.CDK_COGNITO_CLIENT_ID }}
+          COGNITO_USERNAME: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER }}
+          COGNITO_PASSWORD: ${{ secrets.CDK_COGNITO_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.CDK_AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.CDK_AWS_SECRET_ACCESS_KEY }}
+        run: |
+          ACCESS_TOKEN=$(aws cognito-idp initiate-auth --region us-west-2 --client-id $COGNITO_CLIENT_ID \
+          --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=$COGNITO_USERNAME,PASSWORD=$COGNITO_PASSWORD | \
+          python -c 'import json,sys;obj=json.load(sys.stdin);print obj["AuthenticationResult"]["IdToken"]')
+          bundle exec rake crucible:execute_hearth_tests[$SERVICE_URL,$API_KEY,$ACCESS_TOKEN]
   custom-integration-tests:
     needs: crucible-test
     name: Run custom integration tests - enableMultiTenancy=${{ matrix.enableMultiTenancy }}
@@ -174,6 +195,12 @@ jobs:
             subscriptionsNotificationsTableSecretName: SUBSCRIPTIONS_NOTIFICATIONS_TABLE
             subscriptionsEndpointSecretName: SUBSCRIPTIONS_ENDPOINT
             subscriptionsApiKeySecretName: SUBSCRIPTIONS_API_KEY
+            cdk_serviceUrlSecretName: CDK_SERVICE_URL
+            cdk_cognitoClientIdSecretName: CDK_COGNITO_CLIENT_ID
+            cdk_apiKeySecretName: CDK_API_KEY
+            cdk_subscriptionsNotificationsTableSecretName: CDK_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
+            cdk_subscriptionsEndpointSecretName: CDK_SUBSCRIPTIONS_ENDPOINT
+            cdk_subscriptionsApiKeySecretName: CDK_SUBSCRIPTIONS_API_KEY
           - enableMultiTenancy: true
             region: us-west-1
             serviceUrlSecretName: MULTITENANCY_SERVICE_URL
@@ -182,6 +209,12 @@ jobs:
             subscriptionsNotificationsTableSecretName: MULTITENANCY_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
             subscriptionsEndpointSecretName: MULTITENANCY_SUBSCRIPTIONS_ENDPOINT
             subscriptionsApiKeySecretName: MULTITENANCY_SUBSCRIPTIONS_API_KEY
+            cdk_serviceUrlSecretName: CDK_MT_SERVICE_URL
+            cdk_cognitoClientIdSecretName: CDK_MT_COGNITO_CLIENT_ID
+            cdk_apiKeySecretName: CDK_MT_API_KEY
+            cdk_subscriptionsNotificationsTableSecretName: CDK_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
+            cdk_subscriptionsEndpointSecretName: CDK_SUBSCRIPTIONS_ENDPOINT
+            cdk_subscriptionsApiKeySecretName: CDK_SUBSCRIPTIONS_API_KEY
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -211,6 +244,25 @@ jobs:
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ matrix.region }}
         run: yarn int-test
+      - name: Execute tests on CDK
+        env:
+          API_URL: ${{ secrets[matrix.cdk_serviceUrlSecretName] }}
+          API_KEY: ${{ secrets[matrix.cdk_apiKeySecretName] }}
+          API_AWS_REGION: ${{ matrix.region }}
+          COGNITO_CLIENT_ID: ${{ secrets[matrix.cdk_cognitoClientIdSecretName] }}
+          COGNITO_USERNAME_PRACTITIONER: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER }}
+          COGNITO_USERNAME_AUDITOR: ${{ secrets.CDK_COGNITO_USERNAME_AUDITOR }}
+          COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT }}
+          COGNITO_PASSWORD: ${{ secrets.CDK_COGNITO_PASSWORD }}
+          MULTI_TENANCY_ENABLED: ${{ matrix.enableMultiTenancy }}
+          SUBSCRIPTIONS_ENABLED: 'true'
+          SUBSCRIPTIONS_NOTIFICATIONS_TABLE: ${{ secrets[matrix.cdk_subscriptionsNotificationsTableSecretName] }}
+          SUBSCRIPTIONS_ENDPOINT: ${{ secrets[matrix.cdk_subscriptionsEndpointSecretName] }}
+          SUBSCRIPTIONS_API_KEY: ${{ secrets[matrix.cdk_subscriptionsApiKeySecretName] }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.CDK_AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.CDK_AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ matrix.region }}
+        run: yarn int-test
 
   merge-develop-to-mainline:
     needs: custom-integration-tests

.gitignore

@@ -1,3 +1,18 @@
+#*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+build
+dist
+
+/implementationGuides
+/compiledImplementationGuides/*
+!/compiledImplementationGuides/gitkeep
+
 /.serverless
 /.vscode
 !/.gitignore

.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

CONTRIBUTING.md

@@ -16,17 +16,21 @@ Code for FHIR Works on AWS is written in TypeScript. This requires your IDE to b
 
 ### AWS Cloud deployment
 
-In order to re-build and re-deploy services to AWS after changes were made, you can run serverless commands (like [severless deploy](https://www.serverless.com/framework/docs/providers/aws/cli-reference/deploy/)) directly from this deployment package or rerun the `install.sh` or `win-install.ps1` script. If you need more help please check in [AWS service deployment](./INSTALL.md#aws-service-deployment).
+In order to re-build and re-deploy services to AWS after changes were made, you can run CDK commands (like [cdk deploy](https://docs.aws.amazon.com/cdk/v2/guide/cli.html) directly from this deployment package. If you need more help please check in [AWS service deployment](./INSTALL.md#aws-service-deployment).
 
 ### Local deployment
 
-It can be quicker to deploy the FHIR API locally to test instead of running a complete Cloud based deployment. This deployment is temporary and will not be listening to further connection attempts once the local service is stopped. Deploy locally using
+It can be quicker to deploy the FHIR API locally to test instead of running a complete Cloud based deployment. This deployment is temporary and will not be listening to further connection attempts once the local service is stopped. You can follow [this guide](https://docs.aws.amazon.com/cdk/v2/guide/cli.html) to deploy locally with the AWS SAM CLI. You may need to define the appropriate environment variables if they are not already defined:
+* ACCESS_KEY (This is your AWS Access Key)
+* SECRET_KEY (This is your AWS Secret Key)
+* OFFLINE_BINARY_BUCKET
+* OFFLINE_ELASTICSEARCH_DOMAIN_ENDPOINT
+Some of these values can all be found in the output of the deploy command, or in the `INFO_OUTPUT.log` file:
+* FHIR_SERVER_BINARY_BUCKET
+* ELASTIC_SEARCH_DOMAIN_ENDPOINT
 
-```sh
-ACCESS_KEY=<AWS_ACCESS_KEY> SECRET_KEY=<AWS_SECRET_KEY> OFFLINE_BINARY_BUCKET=<FHIR_SERVER_BINARY_BUCKET> OFFLINE_ELASTICSEARCH_DOMAIN_ENDPOINT=<ELASTIC_SEARCH_DOMAIN_ENDPOINT> sls offline start
-```
 
-Once you start the server locally, take note of the API Key that is generated. When making a request to the local server, you will need that key for the header _x-api-key_. The key is defined in the output as `Key with token: <API_KEY>`
+Once you start the server locally, take note of the API Key that is generated. When making a request to the local server, you will need that key for the header _x-api-key_. The key can be found under the API Gateway service in the AWS Console.
 
 ## Reporting Bugs/Feature Requests
 

CUSTOMIZE.md

@@ -57,8 +57,8 @@ The FHIR Works on AWS deployment can be customized to provide CORS support for b
   generateServerlessRouter(fhirConfig, genericResources, corsOptions)
   ```
   Please see the available [configuration options](https://www.npmjs.com/package/cors#configuration-options).
-- For pre-flight request support, add an OPTIONS method to the API Gateway `{proxy+}` route within the Serverless template. The request should be handled by the Lambda handler. The method should not use authorization.
-- If using a custom authorizer, then rejected requests also need to provide CORS headers, otherwise it is tricky to interpret the unauthorized response in the browser. The following [blog](https://www.serverless.com/blog/cors-api-gateway-survival-guide) describes how a `GatewayResponse` resource may be added to the Serverless template to provide these headers.
+- For pre-flight request support, add an OPTIONS method to the API Gateway `{proxy+}` route within the CloudFormation template. The request should be handled by the Lambda handler. The method should not use authorization.
+- If using a custom authorizer, then rejected requests also need to provide CORS headers, otherwise it is tricky to interpret the unauthorized response in the browser. The following [blog](https://www.serverless.com/blog/cors-api-gateway-survival-guide) describes how a `GatewayResponse` resource may be added to the Serverless template to provide these headers. This can be adapted to the CDK template by following the [GatewayResponse](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.GatewayResponse.html) construct documentation.
 
 ## Supporting other FHIR implementation guides or profiles