chore: wip

chore: wip

Author: chrisbbreuer

.stacks/core/cloud/src/cloud/deploy.ts

@@ -0,0 +1,17 @@
+/* eslint-disable no-new */
+import { NestedStack, RemovalPolicy, Tags, aws_backup as backup, aws_iam as iam, aws_s3 as s3, aws_s3_deployment as s3deploy } from 'aws-cdk-lib'
+import type { Construct } from 'constructs'
+import type { NestedCloudProps } from './index'
+
+export class StorageStack extends NestedStack {
+  constructor(scope: Construct, props: NestedCloudProps) {
+    super(scope, 'Deploy', props)
+
+    new s3deploy.BucketDeployment(this, 'DeployWebsite', {
+      sources: [s3deploy.Source.asset(this.websiteSource)],
+      destinationBucket: props.publicBucket,
+      distribution: props.cdn,
+      distributionPaths: ['/*'],
+    })
+  }
+}

.stacks/core/cloud/src/cloud/docs.ts

@@ -2,15 +2,8 @@ import type { NestedStackProps } from 'aws-cdk-lib'
 import { NestedStack } from 'aws-cdk-lib'
 import type { Construct } from 'constructs'
 
-interface ResourceNestedStackProps extends NestedStackProps {
-  env: {
-    account: string
-    region: string
-  }
-}
-
 export class DocsStack extends NestedStack {
-  constructor(scope: Construct, props: ResourceNestedStackProps) {
+  constructor(scope: Construct, props: NestedStackProps) {
     super(scope, 'Docs', props)
     // ...
   }

.stacks/core/cloud/src/cloud/index.ts

@@ -1,20 +1,53 @@
 /* eslint-disable no-new */
 import type { Construct } from 'constructs'
 import { Stack } from 'aws-cdk-lib'
-import type { StackProps } from 'aws-cdk-lib'
+import type { NestedStackProps, StackProps, aws_certificatemanager as acm, aws_cloudfront as cloudfront, aws_route53 as route53, aws_s3 as s3, aws_wafv2 as wafv2 } from 'aws-cdk-lib'
 import { CdnStack } from './cdn'
 import { DocsStack } from './docs'
 import { StorageStack } from './storage'
 
-interface EnvProps extends StackProps {
+export interface CloudProps extends StackProps {
   env: {
     account: string
     region: string
   }
+  appName: string
+  appEnv: string
+  domain: string
+  partialAppKey: string
+  zone: route53.HostedZone
+  certificate: acm.Certificate
+  logBucket: s3.Bucket
+  firewall: wafv2.CfnWebACL
+  storage: {
+    publicBucket: s3.Bucket
+    accessPoint: s3.CfnAccessPoint | undefined
+  }
+  cdn: cloudfront.Distribution
+}
+
+export interface NestedCloudProps extends NestedStackProps {
+  env: {
+    account: string
+    region: string
+  }
+  appName: string
+  appEnv: string
+  domain: string
+  partialAppKey: string
+  zone: route53.HostedZone
+  certificate: acm.Certificate
+  logBucket: s3.Bucket
+  firewall: wafv2.CfnWebACL
+  storage: {
+    publicBucket: s3.Bucket
+    accessPoint: s3.CfnAccessPoint | undefined
+  }
+  cdn: cloudfront.Distribution
 }
 
-export class Stacks extends Stack {
-  constructor(scope: Construct, id: string, props: EnvProps) {
+export class Cloud extends Stack {
+  constructor(scope: Construct, id: string, props: CloudProps) {
     super(scope, id, props)
 
     // please beware: be careful changing the order of the stacks creation below

.stacks/core/cloud/src/cloud/storage.ts

@@ -1,17 +1,230 @@
-import type { NestedStackProps } from 'aws-cdk-lib'
-import { NestedStack } from 'aws-cdk-lib'
+/* eslint-disable no-new */
+import { NestedStack, RemovalPolicy, Tags, aws_backup as backup, aws_iam as iam, aws_s3 as s3, aws_s3_deployment as s3deploy } from 'aws-cdk-lib'
 import type { Construct } from 'constructs'
-
-interface ResourceNestedStackProps extends NestedStackProps {
-  env: {
-    account: string
-    region: string
-  }
-}
+import type { NestedCloudProps } from './index'
 
 export class StorageStack extends NestedStack {
-  constructor(scope: Construct, props: ResourceNestedStackProps) {
+  websiteSource: string
+  bucketPrefix: string
+  docsSource: string = '../../../storage/docs'
+  publicBucket: s3.Bucket | s3.IBucket
+  privateBucket: s3.Bucket | s3.IBucket
+  logBucket: s3.Bucket | s3.IBucket
+
+  constructor(scope: Construct, props: NestedCloudProps) {
     super(scope, 'Storage', props)
-    // ...
+    this.websiteSource = config.app.docMode ? this.docsSource : '../../../storage/public'
+    this.bucketPrefix = `${props.appName}-${props.appEnv}`
+
+
+  }
+
+  async manageStorage() {
+    // the bucketName should not contain the domainName because when the APP_URL is changed,
+    // we want it to deploy properly, and this way we would not force a recreation of the
+    // resources that contain the domain name
+    this.storage.publicBucket = await this.getOrCreateBucket()
+    // for each redirect, create a bucket & redirect it to the APP_URL
+    config.dns.redirects?.forEach((redirect) => {
+      // TODO: use string-ts function here instead
+      const slug = redirect.split('.').map((part, index) => index === 0 ? part : part.charAt(0).toUpperCase() + part.slice(1)).join('') // creates a CamelCase slug from the redirect
+      const hostedZone = route53.HostedZone.fromLookup(this, 'HostedZone', { domainName: redirect })
+      const redirectBucket = new s3.Bucket(this, `RedirectBucket${slug}`, {
+        bucketName: `${redirect}-redirect`,
+        websiteRedirect: {
+          hostName: this.domain,
+          protocol: s3.RedirectProtocol.HTTPS,
+        },
+        removalPolicy: RemovalPolicy.DESTROY,
+        autoDeleteObjects: true,
+      })
+      new route53.CnameRecord(this, `RedirectRecord${slug}`, {
+        zone: hostedZone,
+        recordName: 'redirect',
+        domainName: redirectBucket.bucketWebsiteDomainName,
+      })
+    })
+
+    this.storage.privateBucket = await this.getOrCreateBucket('private')
+    const bucketPrefix = `${this.appName}-${appEnv}`
+
+    this.storage.logBucket = new s3.Bucket(this, 'LogsBucket', {
+      bucketName: `${bucketPrefix}-logs-${partialAppKey}`,
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      blockPublicAccess: new s3.BlockPublicAccess({
+        blockPublicAcls: false,
+        ignorePublicAcls: true,
+        blockPublicPolicy: true,
+        restrictPublicBuckets: true,
+      }),
+      objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
+    })
+    Tags.of(this.storage.logBucket).add('daily-backup', 'true')
+
+    const backupRole = this.createBackupRole()
+
+    // Daily 35 day retention
+    const vault = new backup.BackupVault(this, 'BackupVault', {
+      backupVaultName: `${this.appName}-${appEnv}-daily-backup-vault`,
+      encryptionKey: this.encryptionKey,
+      removalPolicy: RemovalPolicy.DESTROY,
+    })
+    const plan = backup.BackupPlan.daily35DayRetention(this, 'BackupPlan', vault)
+
+    plan.addSelection('Selection', {
+      role: backupRole,
+      resources: [backup.BackupResource.fromTag('daily-backup', 'true')],
+    })
+
+    this.storage = {
+      publicBucket: this.storage.publicBucket,
+      privateBucket: this.storage.privateBucket,
+      // emailBucket: this.storage.emailBucket,
+      logBucket: this.storage.logBucket,
+    }
+  }
+
+  async getOrCreateBucket(type?: 'public' | 'private' | 'email'): Promise<s3.Bucket | s3.IBucket> {
+    const bucketPrefix = `${this.appName}-${appEnv}`
+    let bucket: s3.Bucket
+
+    if (type === 'private')
+      bucket = this.handlePrivateBucket(bucketPrefix)
+    else if (type === 'email')
+      bucket = this.handleEmailBucket(bucketPrefix)
+    else
+      bucket = this.handlePublicBucket(bucketPrefix)
+
+    return bucket
+  }
+
+  handlePublicBucket(bucketPrefix?: string): s3.Bucket {
+    if (!bucketPrefix)
+      bucketPrefix = `${this.appName}-${appEnv}`
+
+    const bucket = new s3.Bucket(this, 'PublicBucket', {
+      bucketName: `${bucketPrefix}-${partialAppKey}`,
+      versioned: true,
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      encryption: s3.BucketEncryption.S3_MANAGED,
+    })
+
+    Tags.of(bucket).add('daily-backup', 'true')
+
+    return bucket
+  }
+
+  handlePrivateBucket(bucketPrefix?: string): s3.Bucket {
+    if (!bucketPrefix)
+      bucketPrefix = `${this.appName}-${appEnv}`
+
+    const bucket = new s3.Bucket(this, 'PrivateBucket', {
+      bucketName: `${bucketPrefix}-private-${partialAppKey}`,
+      versioned: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      encryption: s3.BucketEncryption.S3_MANAGED,
+      enforceSSL: true,
+      publicReadAccess: false,
+      blockPublicAccess: {
+        blockPublicAcls: true,
+        blockPublicPolicy: true,
+        ignorePublicAcls: true,
+        restrictPublicBuckets: true,
+      },
+    })
+
+    Tags.of(bucket).add('daily-backup', 'true')
+
+    return bucket
+  }
+
+  createBackupRole() {
+    const backupRole = new iam.Role(this, 'BackupRole', {
+      assumedBy: new iam.ServicePrincipal('backup.amazonaws.com'),
+    })
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          's3:GetInventoryConfiguration',
+          's3:PutInventoryConfiguration',
+          's3:ListBucketVersions',
+          's3:ListBucket',
+          's3:GetBucketVersioning',
+          's3:GetBucketNotification',
+          's3:PutBucketNotification',
+          's3:GetBucketLocation',
+          's3:GetBucketTagging',
+        ],
+        resources: ['arn:aws:s3:::*'],
+        sid: 'S3BucketBackupPermissions',
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          's3:GetObjectAcl',
+          's3:GetObject',
+          's3:GetObjectVersionTagging',
+          's3:GetObjectVersionAcl',
+          's3:GetObjectTagging',
+          's3:GetObjectVersion',
+        ],
+        resources: ['arn:aws:s3:::*/*'],
+        sid: 'S3ObjectBackupPermissions',
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['s3:ListAllMyBuckets'],
+        resources: ['*'],
+        sid: 'S3GlobalPermissions',
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['s3:ListAllMyBuckets'],
+        resources: ['*'],
+        sid: 'S3GlobalPermissions',
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['kms:Decrypt', 'kms:DescribeKey'],
+        resources: ['*'],
+        sid: 'KMSBackupPermissions',
+        conditions: {
+          StringLike: {
+            'kms:ViaService': 's3.*.amazonaws.com',
+          },
+        },
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          'events:DescribeRule',
+          'events:EnableRule',
+          'events:PutRule',
+          'events:DeleteRule',
+          'events:PutTargets',
+          'events:RemoveTargets',
+          'events:ListTargetsByRule',
+          'events:DisableRule',
+        ],
+        resources: ['arn:aws:events:*:*:rule/AwsBackupManagedRule*'],
+        sid: 'EventsPermissions',
+      }),
+    )
+    backupRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['cloudwatch:GetMetricData', 'events:ListRules'],
+        resources: ['*'],
+        sid: 'EventsMetricsGlobalPermissions',
+      }),
+    )
+    return backupRole
   }
 }

.stacks/core/cloud/src/deploy.ts

@@ -3,7 +3,7 @@ import process from 'node:process'
 import { config } from '@stacksjs/config'
 import { env } from '@stacksjs/env'
 import * as cdk from 'aws-cdk-lib'
-import { Stacks as StacksCloud } from './cloud/'
+import { Cloud } from './cloud/'
 
 const app = new cdk.App()
 const appEnv = config.app.env === 'local' ? 'dev' : config.app.env
@@ -21,7 +21,7 @@ const usEnv = {
   region,
 }
 
-new StacksCloud(app, cloudName, {
+new Cloud(app, cloudName, {
   env: usEnv,
 })