Fix: [AEA-0000] - add vpc endpoints (#17)

anthony-nhs · web-flow · commit 59288fcb1c30 · 2024-12-04T09:44:26.000Z
## Summary

- Routine Change

### Details

- add vpc endpoints for private subnets
- add option in cdk_release_code to not deploy changes and only show
diff
- show cdk diff on pull requests
- correct export of private subnets
diff --git a/.github/workflows/cdk_release_code.yml b/.github/workflows/cdk_release_code.yml
@@ -15,6 +15,9 @@ on:
       LOG_RETENTION_IN_DAYS:
         required: true
         type: string
+      DEPLOY_CHANGE:
+        type: boolean
+        default: true
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
@@ -107,6 +110,7 @@ jobs:
         shell: bash
 
       - name: Deploy code
+        if: ${{ inputs.DEPLOY_CHANGE == true}}
         run: |
           docker run \
           -v "$(pwd)/.build":/home/cdkuser/workspace/ \
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -102,6 +102,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -130,6 +131,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -52,3 +52,22 @@ jobs:
         run: |
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
     
+  package_code:
+    needs: [quality_checks, get_issue_number, get_commit_id]
+    uses: ./.github/workflows/cdk_package_code.yml
+    with:
+      VERSION_NUMBER: ${{needs.get_issue_number.outputs.issue_number}}
+      COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+
+  show_dev_changes:
+    needs: [quality_checks, get_issue_number, package_code, get_commit_id]
+    uses: ./.github/workflows/cdk_release_code.yml
+    with:
+      TARGET_ENVIRONMENT: dev
+      VERSION_NUMBER: ${{needs.get_issue_number.outputs.issue_number}}
+      COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: false
+    secrets:
+      CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -121,6 +121,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -148,6 +149,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.REF_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -160,6 +162,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -172,6 +175,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.INT_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -184,6 +188,7 @@ jobs:
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_RETENTION_IN_DAYS: 30
+      DEPLOY_CHANGE: true
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.PROD_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_DEPLOY_ROLE }}
diff --git a/packages/cdk/bin/VpcResourcesApp.ts b/packages/cdk/bin/VpcResourcesApp.ts
@@ -35,6 +35,7 @@ const VpcResources = new VpcResourcesStack(app, "VpcResourcesStack", {
 app.synth()
 
 addCfnGuardMetadata(VpcResources, "Custom::VpcRestrictDefaultSGCustomResourceProvider", "Handler")
+addCfnGuardMetadata(VpcResources, "AWS679f53fac002430cb0da5b7982bd2287", "Resource")
 
 // finally run synth again with force to include the added metadata
 app.synth({
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -0,0 +1,126 @@
+
+import {Stack} from "aws-cdk-lib"
+import {NagPackSuppression, NagSuppressions} from "cdk-nag"
+
+export const nagSuppressions = (stack: Stack) => {
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/ECRDockerEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "Suppress error for using AWS managed policy. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/AWS679f53fac002430cb0da5b7982bd2287/Resource",
+    [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Suppress error for using not using latest runtime. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/ECREndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/SecretManagerEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchLogsEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/CloudWatchEventsEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/SSMEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/S3Endpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+}
+
+const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {
+  try {
+    NagSuppressions.addResourceSuppressionsByPath(stack, path, suppressions)
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  } catch(err){
+    console.log(`Could not find path ${path}`)
+  }
+}
diff --git a/packages/cdk/stacks/VpcResourcesStack.ts b/packages/cdk/stacks/VpcResourcesStack.ts
@@ -10,12 +10,20 @@ import {
 import {
   CfnSubnet,
   FlowLogDestination,
+  GatewayVpcEndpoint,
+  InterfaceVpcEndpoint,
+  InterfaceVpcEndpointAwsService,
   IpAddresses,
+  IVpcEndpoint,
+  Peer,
   Vpc
 } from "aws-cdk-lib/aws-ec2"
 import {Role, ServicePrincipal} from "aws-cdk-lib/aws-iam"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
+import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources"
+
+import {nagSuppressions} from "../nagSuppressions"
 
 export interface VpcResourcesStackProps extends StackProps{
   readonly version: string
@@ -28,6 +36,7 @@ export interface VpcResourcesStackProps extends StackProps{
  */
 
 export class VpcResourcesStack extends Stack {
+  readonly vpc : Vpc
   public constructor(scope: App, id: string, props: VpcResourcesStackProps){
     super(scope, id, props)
 
@@ -87,6 +96,19 @@ export class VpcResourcesStack extends Stack {
       }
     }
 
+    this.vpc = vpc
+
+    // add vpc private endpoints - needed to run ECS in private subnet
+    // copied from https://stackoverflow.com/a/69578964/9294145
+    this.addInterfaceEndpoint("ECRDockerEndpoint", InterfaceVpcEndpointAwsService.ECR_DOCKER)
+    this.addInterfaceEndpoint("ECREndpoint", InterfaceVpcEndpointAwsService.ECR)
+    this.addInterfaceEndpoint("SecretManagerEndpoint", InterfaceVpcEndpointAwsService.SECRETS_MANAGER)
+    this.addInterfaceEndpoint("CloudWatchEndpoint", InterfaceVpcEndpointAwsService.CLOUDWATCH_MONITORING)
+    this.addInterfaceEndpoint("CloudWatchLogsEndpoint", InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS)
+    this.addInterfaceEndpoint("CloudWatchEventsEndpoint", InterfaceVpcEndpointAwsService.EVENTBRIDGE)
+    this.addInterfaceEndpoint("SSMEndpoint", InterfaceVpcEndpointAwsService.SSM)
+    this.addGatewayEndpoint("S3Endpoint", InterfaceVpcEndpointAwsService.S3)
+
     //Outputs
 
     //Exports
@@ -106,7 +128,7 @@ export class VpcResourcesStack extends Stack {
     }
 
     let privateSubnetIds = []
-    for (const [i, subnet] of vpc.publicSubnets.entries()){
+    for (const [i, subnet] of vpc.privateSubnets.entries()){
       const subnetIdentifier = String.fromCharCode("A".charCodeAt(0) + i)
       new CfnOutput(this, `PrivateSubnet${subnetIdentifier}`, {
         value: subnet.subnetId,
@@ -125,5 +147,52 @@ export class VpcResourcesStack extends Stack {
       exportName: `${props.stackName}:PrivateSubnets`
     })
 
+    nagSuppressions(this)
+
+  }
+
+  private addInterfaceEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
+    const endpoint: InterfaceVpcEndpoint = this.vpc.addInterfaceEndpoint(name, {
+      service: awsService
+    })
+    this.addEndpointTag(name, endpoint)
+
+    endpoint.connections.allowFrom(Peer.ipv4(this.vpc.vpcCidrBlock), endpoint.connections.defaultPort!)
   }
+
+  private addGatewayEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
+    const endpoint: GatewayVpcEndpoint = this.vpc.addGatewayEndpoint(name, {
+      service: awsService
+    })
+    this.addEndpointTag(name, endpoint)
+  }
+
+  private addEndpointTag(name: string, endpoint: IVpcEndpoint) {
+    // vpc endpoints do not support tagging from cdk/cloudformation
+    // so use a custom resource to add them in
+    new AwsCustomResource(this, `${name}-tags`, {
+      installLatestAwsSdk: false,
+      onUpdate: {
+        action: "createTags",
+        parameters: {
+          Resources: [
+            endpoint.vpcEndpointId
+          ],
+          Tags: [
+            {
+              Key: "Name",
+              Value: `${this.stackName}-${name}`
+            }
+          ]
+        },
+        physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
+        service: "EC2"
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE
+      })
+    })
+
+  }
+
 }
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -9,3 +9,11 @@ sonar.coverage.exclusions=\
     scripts/*\, \
     release.config.js, \
     packages/cdk/**
+
+sonar.cpd.exclusions=**/*.test.*,\
+    **/tests/*,\
+    **/jest.config.ts, \
+    **/jest.debug.config.ts, \
+    scripts/*, \
+    packages/cdk/nagSuppressions.ts, \
+    eslint.config.mjs
