Update dependencies and Dockerfile for Python 3.11 and AWS SDK v3 (#28)

* rename workflow

* python 3.11 and github actions plugin

* python 3.11

* python 3.11

* cleanup

* cleanup and add option to not deploy web files

* use aws-sdk3

.devcontainer/Dockerfile

@@ -1,11 +1,9 @@
-FROM nikolaik/python-nodejs:python3.7-nodejs18
+FROM nikolaik/python-nodejs:python3.11-nodejs18
 
 ARG USERNAME=sam-user
 ARG USER_UID=2000
 ARG USER_GID=$USER_UID
 
-# Update npm
-RUN npm install -g npm
 # Intall aws cli
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" && unzip awscliv2.zip && ./aws/install
 # Install sam cli

.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 {
-	"name": "Python 3.7 Node.js 18 aws sam-cli",
+	"name": "Python 3.11 Node.js 18 aws sam-cli",
 	"build": {
-		"dockerfile": "Dockerfile",
+		"dockerfile": "Dockerfile"
 	},
 
 	// Set *default* container specific settings.json values on container create.
@@ -15,6 +15,7 @@
 		"donjayamanne.git-extension-pack",
 		"redhat.vscode-yaml",
 		"github.copilot",
+		"github.actions",
 		"ms-azuretools.vscode-docker"
 	],
 

.github/workflows/pr.yml

@@ -1,4 +1,4 @@
-name: CI
+name: PR Build
 
 on:
   pull_request:

README.md

@@ -26,7 +26,7 @@ The cloudformation template uses the [deploy-to-s3 app](https://serverlessrepo.a
 - [AWS sam cli](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html)
 - [Setup a named profile for sam cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). Let's assume your named profile is called `sidney`.
 - [Node.js](https://nodejs.org/en/) [v18](https://github.com/nvm-sh/nvm)
-- [Python](https://www.python.org/) [v3.7](https://github.com/pyenv/pyenv)
+- [Python](https://www.python.org/) [v3.11](https://github.com/pyenv/pyenv)
 
 ## Deploying to AWS
 There are 2 resources that need to be deployed in us-east-1 region; 1) [SSL/TLS Certificate](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region), and 2) [edge lambda](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers) for SEO. Everything else can be deployed in your region of choice. Therefore, if you want to deploy to any AWS region other than us-east-1, you need to deploy 2 stacks; one stack for the resources that need to be in us-east-1 and another stack in your chosen region. If your region of choice is us-east-1 you need only deploy one stack, and that's a wee bit simpler.

src/contactUsFormProcessor/index.js

@@ -1,16 +1,16 @@
-var https = require('https');
-var querystring = require('querystring');
-var AWS = require("aws-sdk");
+const https = require('https');
+const querystring = require('querystring');
+const { SNSClient, PublishCommand } = require("@aws-sdk/client-sns");
 
 exports.handler = function (event, context, callback) {
     // Validate the recaptcha
-    var input_data = JSON.parse(event.body);
-    var postData = querystring.stringify({
+    const input_data = JSON.parse(event.body);
+    const postData = querystring.stringify({
         'secret': process.env.ReCaptchaSecret,
         'response': input_data['g-recaptcha-response']
     });
 
-    var options = {
+    const options = {
         hostname: 'www.google.com',
         port: 443,
         path: '/recaptcha/api/siteverify',
@@ -20,25 +20,25 @@ exports.handler = function (event, context, callback) {
             'Content-Length': Buffer.byteLength(postData)
         }
     };
-
-    var req = https.request(options, function(res) {
+    const req = https.request(options, function(res) {
         res.setEncoding('utf8');
         res.on('data', function(chunk) {
-            var captchaResponse = JSON.parse(chunk);
+            const captchaResponse = JSON.parse(chunk);
             if (captchaResponse.success) {
-                var sns = new AWS.SNS();
                 delete input_data['g-recaptcha-response'];
                 var message = "";
                 Object.keys(input_data).forEach(function(key) {
                    message += key+':\n';
                    message += '\t'+input_data[key]+'\n\n';
                 });
-                var params = {
+                const params = {
                     Message: message,
                     Subject: process.env.Subject,
                     TopicArn: process.env.ContactUsSNSTopic
                 };
-                sns.publish(params, function (err, response) {
+                const snsClient = new SNSClient({});
+                const command = new PublishCommand(params);
+                snsClient.send(command, function (err, response) {
                     callback(null, {
                         statusCode: '200',
                         headers: {

src/contactUsFormProcessor/package.json

@@ -5,6 +5,6 @@
     "author": "Rob Anderson <riznob@gmail.com>",
     "license": "MIT",
     "dependencies": {
-        "aws-sdk": "^2.1261.0"
+        "@aws-sdk/client-sns": "^3.451.0"
     }
 }

tempate-east.yaml

@@ -1,4 +1,4 @@
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: 2010-09-09
 Transform: AWS::Serverless-2016-10-31
 Parameters:
   DomainName:
@@ -37,9 +37,9 @@ Resources:
   mySSLCertificate:
     Type: AWS::CertificateManager::Certificate
     Properties: 
-      DomainName: !Sub '${HostName}.${DomainName}'
+      DomainName: !Sub ${HostName}.${DomainName}
       DomainValidationOptions:
-      - DomainName: !Sub '${HostName}.${DomainName}'
+      - DomainName: !Sub ${HostName}.${DomainName}
         HostedZoneId: !Ref HostedZoneId
       ValidationMethod: DNS
 Outputs:

template.yaml

@@ -1,4 +1,4 @@
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: 2010-09-09
 Transform: AWS::Serverless-2016-10-31
 Parameters:
   DomainName:
@@ -31,10 +31,20 @@ Parameters:
     Type: String
     Description: SSL Certificate ARN
     Default: None
+  DeployWebFiles:
+    Type: String
+    Description: Deploy web files to S3
+    Default: 'true'
+    AllowedValues:
+      - true
+      - false
 Conditions:
   IsUsEast1: !Equals 
     - !Ref AWS::Region
     - us-east-1
+  IsDeployWebFiles: !Equals
+    - !Ref DeployWebFiles
+    - true
 Resources:
   ContactUsSNSTopic:
     Type: AWS::SNS::Topic
@@ -103,28 +113,31 @@ Resources:
           Action: sts:AssumeRole
   DeploymentLayer:
     Type: AWS::Serverless::Application
+    Condition: IsDeployWebFiles
     Properties:
       Location:
         ApplicationId: arn:aws:serverlessrepo:us-east-1:375983427419:applications/deploy-to-s3
         SemanticVersion: 2.4.2
   SiteSource:
     Type: AWS::Serverless::Function
+    Condition: IsDeployWebFiles
     Properties:
       Layers:
         - !GetAtt DeploymentLayer.Outputs.Arn
       CodeUri: web/dist
       AutoPublishAlias: live
-      Runtime: python3.7
+      Runtime: python3.11
       Handler: deployer.resource_handler
       Timeout: 600
       Policies:
         - S3FullAccessPolicy:
             BucketName: !Ref S3Bucket
   DeploymentResource:
     Type: AWS::CloudFormation::CustomResource
+    Condition: IsDeployWebFiles
     Properties:
       ServiceToken: !GetAtt SiteSource.Arn
-      Version: !Ref "SiteSource.Version"
+      Version: !Ref SiteSource.Version
       TargetBucket: !Ref S3Bucket
 
       Substitutions:
@@ -143,38 +156,55 @@ Resources:
         IndexDocument: index.html
         ErrorDocument: error.html
   BucketPolicy:
-    Type: 'AWS::S3::BucketPolicy'
+    Type: AWS::S3::BucketPolicy
     Properties:
       Bucket: !Ref S3Bucket
       PolicyDocument:  
         Statement:  
-        - Action: 's3:GetObject'
-          Effect: "Allow"  
-          Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
-          Principal: 
-            AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontDistributionOriginAccessIdentity}" 
+        - Action: s3:GetObject
+          Effect: Allow 
+          Resource: !Sub ${S3Bucket.Arn}/*
+          Principal:
+            Service: cloudfront.amazonaws.com
+          Condition:
+            StringEquals:
+              AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
+        - Effect: Deny
+          Principal: '*'
+          Action: 's3:*'
+          Resource: 
+            - !Sub ${S3Bucket.Arn}/*
+            - !GetAtt S3Bucket.Arn
+          Condition:
+            Bool: 
+              AWS:SecureTransport: false
   SSLCertificate:
     Type: AWS::CertificateManager::Certificate
     Properties: 
-      DomainName: !Sub '${HostName}.${DomainName}'
+      DomainName: !Sub ${HostName}.${DomainName}
       DomainValidationOptions:
-      - DomainName: !Sub '${HostName}.${DomainName}'
+      - DomainName: !Sub ${HostName}.${DomainName}
         HostedZoneId: !Ref HostedZoneId
       ValidationMethod: DNS
-  CloudFrontDistributionOriginAccessIdentity:
-    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
+  CloudFrontDistributionOriginAccessControl:
+    Type: AWS::CloudFront::OriginAccessControl
     Properties: 
-      CloudFrontOriginAccessIdentityConfig: 
-        Comment: !Sub ${AWS::StackName}-access-identity
+      OriginAccessControlConfig: 
+        Description: Access control for CloudFront distribution
+        Name: !Sub ${AWS::StackName}-access-control
+        OriginAccessControlOriginType: s3
+        SigningBehavior: always
+        SigningProtocol: sigv4
   CloudFrontDistribution:
     Type: AWS::CloudFront::Distribution
     Properties:
       DistributionConfig:
         Origins:
         - DomainName: !GetAtt S3Bucket.DomainName
           Id: !Ref S3Bucket
+          OriginAccessControlId: !GetAtt CloudFrontDistributionOriginAccessControl.Id
           S3OriginConfig:
-            OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontDistributionOriginAccessIdentity}
+            OriginAccessIdentity: ''
         Enabled: 'true'
         HttpVersion: http2
         Aliases:
@@ -195,12 +225,17 @@ Resources:
         ViewerCertificate:
           AcmCertificateArn: !If [IsUsEast1, !Ref SSLCertificate, !Ref SSLCertificateArn]
           SslSupportMethod: sni-only
+        CustomErrorResponses:
+          - ErrorCode: 403
+            ResponseCode: 404
+            ResponsePagePath: /404.html
+            ErrorCachingMinTTL: 300
   DNSRecord:
-    Type: 'AWS::Route53::RecordSetGroup'
+    Type: AWS::Route53::RecordSetGroup
     Properties:
       HostedZoneId: !Ref HostedZoneId
       RecordSets:
-        - Name: !Sub '${HostName}.${DomainName}.'
+        - Name: !Sub ${HostName}.${DomainName}.
           Type: A
           AliasTarget:
             HostedZoneId: Z2FDTNDATAQYW2
@@ -235,7 +270,7 @@ Resources:
 Outputs:
   ApiUrl:
     Description: URL of your API endpoint
-    Value: !Sub "https://${ContactUsFunctionApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
+    Value: !Sub https://${ContactUsFunctionApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/
   CloudFrontDistributionId:
     Description: CloudFront Distribution ID
     Value: !Ref CloudFrontDistribution