Issue#820 - add new CDK example demonstrating AWS CodePipeline based CICD setup (#1054)

* initial commit

* remove cd command

* added github project path

* rename stacks

* rename stage app stacks

* added vpc stack and cross stack reference the vpc in ecs stack

* added cdk.context.json to .gitignore

* added synthCodeBuildDefaults to fix build stage permission issue

* added architecture diagram

* added architecture diagram to README>md

* add lambdaApiStack

* added import PolicyStatement from cdk lib

* Dockerfile and App code

* lesser requirement

* added datastore stack

* Update pipeline-stack.ts

* Update pipeline-stack.ts

* updated import resource format

* added waves to eu-west-1 & us-west-2

* fix container missing waitress module error

* Update README.md

* Added sample stack for event sources mapped asynchronous lambda functions

It create a SNS topic, a SQS queue, and a EventBridge rule that trigger asynchronous lambda functions.
The source of event is the Amazon ECS events that are published into the default EventBridge event bus.
We use this event to push messages to the SNS topic and to the SQS queue.

* added @types/aws-lambda: ^8.10.140

* updated a new version of diagram

* Update README.md

* relocate async lambda function code to assets

* explicit add account id in the pipeline

* moved variables to app.ts

* upgrade cdk app version to v2.162.1

* Update README.md

Update diagram image

* Delete typescript/aws-codepipeline-ecs-lambda/test/aws-codepipeline-ecs-lambda.test.ts

No test implemented

* Update package.json

No test implemented

* Delete typescript/aws-codepipeline-ecs-lambda/jest.config.js

No test implemented

* Update Dockerfile

update python 3.12

* fix: add DNA for cross account and lookup

---------

Co-authored-by: Jacky Fan <[email protected]>
Co-authored-by: Kihoon Kwon <[email protected]>
Co-authored-by: EC2 Default User <[email protected]>
Co-authored-by: Sonal <[email protected]>
Co-authored-by: Jacky Fan <[email protected]>
Co-authored-by: ruchirshetye-aws <[email protected]>
Co-authored-by: Junseong Jang <[email protected]>
Co-authored-by: Michael Kaiser <[email protected]>
Co-authored-by: Michael Kaiser <[email protected]>
Co-authored-by: Michael Kaiser <[email protected]>

Author: 10 people

typescript/aws-codepipeline-ecs-lambda/.gitignore

@@ -0,0 +1,9 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json

typescript/aws-codepipeline-ecs-lambda/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

typescript/aws-codepipeline-ecs-lambda/DO_NOT_AUTOTEST

@@ -0,0 +1,59 @@
+# AWS Codepipeline CI/CD Solution for ECS Fargate and Lambda
+
+## Architect Design:
+![](./static_images/Architecture_diagram.png)
+
+## Overview
+
+This CDK package provides a production-grade template for setting up AWS resources to enable smooth migration from monolithic EC2-based architectures to cloud-native solutions on AWS. It's designed for startups looking to scale their infrastructure efficiently.
+
+Key features:
+- CICD pipeline using AWS CodePipeline
+- Lambda functions (async triggered and REST endpoints behind API Gateway)
+- ECS Fargate based service with automatic deployment
+- Integration with private GitHub repositories
+- Reference to CDK created VPCs
+- Creates RDS Instances with credentials managed by AWS Secrets Manager
+- Event-driven architecture using SQS, SNS, and EventBridge
+
+## Getting Started
+
+### Prerequisites
+
+- Create a Private Github Repository with source code inside 'aws-codepipeline-ecs-lambda' directory.
+- Create a connection to GitHub or GitHub Enterprise Cloud, see [Create a connection to GitHub](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html). 
+- Modify the `connectionArn` in `pipeline-stack.ts` file. 
+- Modify `githubOrg`, `githubRepo`, `githubBranch` with your private repository details.
+
+## Project Structure
+
+The project is organized into six main stacks:
+
+1. `VpcStack`: Network infrastructure resources
+2. `DataStoresStack`: Database resources
+3. `PubSubStack`: Event-based infrastructure (SQS, SNS, EventBridge)
+4. `AsyncLambdasStack`: Asynchronously triggered Lambda functions
+5. `LambdaApisStack`: Lambda functions as REST endpoints behind API Gateway
+6. `EcsFargateStack`: ECS Fargate Service, Cluster, Tasks, and Containers
+
+You can easily customize the infrastructure by modifying or removing specific stacks in the `lib/pipeline-stage.ts` file.
+
+## Solution overview
+
+The CDK application is structured as follows:
+
+`lib/pipeline-stack.ts` contains the definition of the CI/CD pipeline. The main component here is the CodePipeline construct that creates the pipeline for us
+
+`lib/stage-app.ts` contains definitions of all the six stacks which the pipeline will deploy. 
+
+`lib/stage-app-vpc-stack.ts` creates new vpc resource along with subnets, nat gateways and remaining networking infrastructure. 
+
+`lib/stage-app-datastore-stack.ts` creates a Aurora Serverless V2 Cluster along with KMS key to encrypt the database. 
+
+`lib/stage-app-ecs-fargate-stack.ts` builds the `Dockerfile` and creates ecs fargate service along with loadbalancer. 
+
+`lib/stage-app-lambda-api-stack.ts` creates lambda functions as REST endpoints behind API Gateway resource. 
+
+`lib/PubSubStack.ts` creates sns, eventbridge and lambda function.
+
+---

typescript/aws-codepipeline-ecs-lambda/README.md

@@ -0,0 +1,7 @@
+import { EventBridgeEvent, Context } from 'aws-lambda';
+
+export const handler = async (event: EventBridgeEvent<string, any>) => {
+    console.log('LogEvent');
+    console.log('Received event:', JSON.stringify(event, null, 2));
+    return 'Finished';
+};

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/events_handler.ts

@@ -0,0 +1,18 @@
+import { SQSEvent, SQSBatchResponse, SQSBatchItemFailure } from 'aws-lambda';
+
+export const handler = (event: SQSEvent): SQSBatchResponse | void => {
+    if (event) {
+        const batchItemFailures: SQSBatchItemFailure[] = [];
+        event?.Records.forEach(record => {
+            try {
+                // process record
+            } catch (err) {
+                batchItemFailures.push({
+                    itemIdentifier: record.messageId
+                });
+            }
+        });
+
+        return { batchItemFailures };
+    }
+};

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/queue_message_handler.ts

@@ -0,0 +1,19 @@
+import { SNSEvent, SNSEventRecord } from 'aws-lambda';
+
+export const handler = async (event: SNSEvent) => {
+    for (const record of event.Records) {
+        await processMessageAsync(record);
+    }
+    console.info("done");
+};
+
+async function processMessageAsync(record: SNSEventRecord) {
+    try {
+        const message = JSON.stringify(record.Sns.Message);
+        console.log(`Processed message ${message}`);
+        await Promise.resolve(1); //Placeholder for actual async work
+    } catch (err) {
+        console.error("An error occurred");
+        throw err;
+    }
+}

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/topic_message_handler.ts

@@ -0,0 +1,72 @@
+{
+  "app": "npx ts-node --prefer-ts-exts lib/app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false
+  }
+}

typescript/aws-codepipeline-ecs-lambda/cdk.json

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { pipelineStack } from './pipeline-stack';
+
+const app               = new cdk.App();
+const env               = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }
+const pipelineAccountId = process.env.PIPELINE_ACCOUNT_ID || "111111111111";                 // replace with your pipeline account id
+const pipelineRegion    = process.env.PIPELINE_REGION     || "us-east-1";                    // replace with your pipeline region
+const githubOrg         = process.env.GITHUB_ORG          || "aws-6w8hnx";                   // replace with your GitHub Org
+const githubRepo        = process.env.GITHUB_REPO         || "aws-codepipeline-ecs-lambda";  // replace with your GitHub Repo
+const githubBranch      = process.env.GITHUB_BRANCH       || "main";                         // replace with your GitHub repo branch
+const devEnv            = process.env.DEV_ENV             || "dev";                          // replace with your environment
+const devAccountId      = process.env.DEV_ACCOUNT_ID      || "222222222222";                 // replace with your dev account id
+const primaryRegion     = process.env.PRIMARY_REGION      || "us-west-2";                    // replace with your primary region
+const secondaryRegion   = process.env.SECONDARY_REGION    || "eu-west-1";                    // replace with your secondary region
+
+
+const pipeline_stack = new pipelineStack(app, 'aws-codepipeline-stack', {
+  env,
+  pipelineAccountId,
+  pipelineRegion,
+  githubOrg,
+  githubRepo,
+  githubBranch,
+  devEnv,
+  devAccountId,
+  primaryRegion,
+  secondaryRegion,
+});
+cdk.Tags.of(pipeline_stack).add('managedBy', 'cdk');
+cdk.Tags.of(pipeline_stack).add('environment', 'dev');
+
+app.synth();

typescript/aws-codepipeline-ecs-lambda/lib/app.ts

@@ -0,0 +1,63 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { CodePipeline, CodePipelineSource, ManualApprovalStep, ShellStep, Wave } from 'aws-cdk-lib/pipelines';
+import { pipelineAppStage } from './stage-app';
+import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
+
+export interface pipelineProps extends cdk.StackProps {
+  readonly pipelineAccountId: string;
+  readonly pipelineRegion: string;
+  readonly githubOrg: string;
+  readonly githubRepo: string;
+  readonly githubBranch: string;
+  readonly devEnv: string;
+  readonly devAccountId: string;
+  readonly primaryRegion: string;
+  readonly secondaryRegion: string;
+}
+
+export class pipelineStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props: pipelineProps) {
+    super(scope, id, props);
+    
+    const pipeline = new CodePipeline(this, 'pipeline', {
+      selfMutation:     true,
+      crossAccountKeys: true,
+      reuseCrossRegionSupportStacks: true,
+      synth: new ShellStep('Synth', {
+        input: CodePipelineSource.connection(`${props.githubOrg}/${props.githubRepo}`, `${props.githubBranch}`,{
+          // You need to replace the below code connection arn:
+          connectionArn: `arn:aws:codestar-connections:${props.pipelineRegion}:${props.pipelineAccountId}:connection/0ce75950-a29b-4ee4-a9d3-b0bad3b2c0a6`
+        }),
+        commands: [
+          'npm ci',
+          'npm run build',
+          'npx cdk synth'
+        ]
+      }),
+      synthCodeBuildDefaults: {
+        rolePolicy: [
+          new PolicyStatement({
+            resources: [ '*' ],
+            actions: [ 'ec2:DescribeAvailabilityZones' ],
+          }),
+      ]}
+    });
+
+    const devStage = pipeline.addStage(new pipelineAppStage(this, `${props.devEnv}`, {
+      env: { account: `${props.pipelineAccountId}`, region: `${props.pipelineRegion}`}
+    }));
+    devStage.addPost(new ManualApprovalStep('approval'));
+
+    // add waves:
+    const devWave = pipeline.addWave(`${props.devEnv}Wave`);
+
+    devWave.addStage(new pipelineAppStage(this, `${props.devEnv}-${props.primaryRegion}`, {
+      env: { account: `${props.devAccountId}`, region: `${props.primaryRegion}`}
+    }));
+
+    devWave.addStage(new pipelineAppStage(this, `${props.devEnv}-${props.secondaryRegion}`, {
+      env: { account: `${props.devAccountId}`, region: `${props.secondaryRegion}`}
+    }));
+  }
+}