Issue#820 - add new CDK example demonstrating AWS CodePipeline based CICD setup

typescript/aws-codepipeline-ecs-lambda/.gitignore

@@ -0,0 +1,9 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json

typescript/aws-codepipeline-ecs-lambda/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

typescript/aws-codepipeline-ecs-lambda/README.md

@@ -0,0 +1,59 @@
+# AWS Codepipeline CI/CD Solution for ECS Fargate and Lambda
+
+## Architect Design:
+<img width="900" alt="image" src="https://github.com/jfan9/jfan9-aws-cdk-examples/blob/92d14c15f68fb2887f74de3b7203ab85cc5c0b71/typescript/aws-codepipeline-ecs-lambda/static_images/Architecture_diagram.png">
+
+## Overview
+
+This CDK package provides a production-grade template for setting up AWS resources to enable smooth migration from monolithic EC2-based architectures to cloud-native solutions on AWS. It's designed for startups looking to scale their infrastructure efficiently.
+
+Key features:
+- CICD pipeline using AWS CodePipeline
+- Lambda functions (async triggered and REST endpoints behind API Gateway)
+- ECS Fargate based service with automatic deployment
+- Integration with private GitHub repositories
+- Reference to CDK created VPCs
+- Creates RDS Instances with credentials managed by AWS Secrets Manager
+- Event-driven architecture using SQS, SNS, and EventBridge
+
+## Getting Started
+
+### Prerequisites
+
+- Create a Private Github Repository with source code inside 'aws-codepipeline-ecs-lambda' directory.
+- Create a connection to GitHub or GitHub Enterprise Cloud, see [Create a connection to GitHub](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html). 
+- Modify the `connectionArn` in `pipeline-stack.ts` file. 
+- Modify `githubOrg`, `githubRepo`, `githubBranch` with your private repository details.
+
+## Project Structure
+
+The project is organized into six main stacks:
+
+1. `VpcStack`: Network infrastructure resources
+2. `DataStoresStack`: Database resources
+3. `PubSubStack`: Event-based infrastructure (SQS, SNS, EventBridge)
+4. `AsyncLambdasStack`: Asynchronously triggered Lambda functions
+5. `LambdaApisStack`: Lambda functions as REST endpoints behind API Gateway
+6. `EcsFargateStack`: ECS Fargate Service, Cluster, Tasks, and Containers
+
+You can easily customize the infrastructure by modifying or removing specific stacks in the `lib/pipeline-stage.ts` file.
+
+## Solution overview
+
+The CDK application is structured as follows:
+
+`lib/pipeline-stack.ts` contains the definition of the CI/CD pipeline. The main component here is the CodePipeline construct that creates the pipeline for us
+
+`lib/stage-app.ts` contains definitions of all the six stacks which the pipeline will deploy. 
+
+`lib/stage-app-vpc-stack.ts` creates new vpc resource along with subnets, nat gateways and remaining networking infrastructure. 
+
+`lib/stage-app-datastore-stack.ts` creates a Aurora Serverless V2 Cluster along with KMS key to encrypt the database. 
+
+`lib/stage-app-ecs-fargate-stack.ts` builds the `Dockerfile` and creates ecs fargate service along with loadbalancer. 
+
+`lib/stage-app-lambda-api-stack.ts` creates lambda functions as REST endpoints behind API Gateway resource. 
+
+`lib/PubSubStack.ts` creates sns, eventbridge and lambda function.
+
+---

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/events_handler.ts

@@ -0,0 +1,7 @@
+import { EventBridgeEvent, Context } from 'aws-lambda';
+
+export const handler = async (event: EventBridgeEvent<string, any>) => {
+    console.log('LogEvent');
+    console.log('Received event:', JSON.stringify(event, null, 2));
+    return 'Finished';
+};

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/queue_message_handler.ts

@@ -0,0 +1,18 @@
+import { SQSEvent, SQSBatchResponse, SQSBatchItemFailure } from 'aws-lambda';
+
+export const handler = (event: SQSEvent): SQSBatchResponse | void => {
+    if (event) {
+        const batchItemFailures: SQSBatchItemFailure[] = [];
+        event?.Records.forEach(record => {
+            try {
+                // process record
+            } catch (err) {
+                batchItemFailures.push({
+                    itemIdentifier: record.messageId
+                });
+            }
+        });
+
+        return { batchItemFailures };
+    }
+};

typescript/aws-codepipeline-ecs-lambda/assets/lambda-functions/topic_message_handler.ts

@@ -0,0 +1,19 @@
+import { SNSEvent, SNSEventRecord } from 'aws-lambda';
+
+export const handler = async (event: SNSEvent) => {
+    for (const record of event.Records) {
+        await processMessageAsync(record);
+    }
+    console.info("done");
+};
+
+async function processMessageAsync(record: SNSEventRecord) {
+    try {
+        const message = JSON.stringify(record.Sns.Message);
+        console.log(`Processed message ${message}`);
+        await Promise.resolve(1); //Placeholder for actual async work
+    } catch (err) {
+        console.error("An error occurred");
+        throw err;
+    }
+}

typescript/aws-codepipeline-ecs-lambda/cdk.json

@@ -0,0 +1,72 @@
+{
+  "app": "npx ts-node --prefer-ts-exts lib/app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false
+  }
+}

typescript/aws-codepipeline-ecs-lambda/jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};

typescript/aws-codepipeline-ecs-lambda/lib/app.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { pipelineStack } from './pipeline-stack';
+
+const app = new cdk.App();
+const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION }
+
+const pipeline_stack = new pipelineStack(app, 'aws-codepipeline-stack', {
+  env,
+});
+cdk.Tags.of(pipeline_stack).add('managedBy', 'cdk');
+cdk.Tags.of(pipeline_stack).add('environment', 'dev');
+
+app.synth();

typescript/aws-codepipeline-ecs-lambda/lib/pipeline-stack.ts

@@ -0,0 +1,61 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { CodePipeline, CodePipelineSource, ManualApprovalStep, ShellStep, Wave } from 'aws-cdk-lib/pipelines';
+import { pipelineAppStage } from './stage-app';
+import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
+
+export class pipelineStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    const pipelineAccountId = process.env.PIPELINE_ACCOUNT_ID || "111111111111";                 // replace with your pipeline account id
+    const pipelineRegion    = process.env.PIPELINE_REGION     || "us-east-1";                    // replace with your pipeline region
+    const githubOrg         = process.env.GITHUB_ORG          || "aws-6w8hnx";                   // replace with your GitHub Org
+    const githubRepo        = process.env.GITHUB_REPO         || "aws-codepipeline-ecs-lambda";  // replace with your GitHub Repo
+    const githubBranch      = process.env.GITHUB_BRANCH       || "main";                         // replace with your GitHub repo branch
+    const devEnv            = process.env.DEV_ENV             || "dev";                          // replace with your environment
+    const devAccountId      = process.env.DEV_ACCOUNT_ID      || "222222222222";                 // replace with your dev account id
+    const primaryRegion     = process.env.PRIMARY_REGION      || "us-west-2";                    // replace with your primary region
+    const secondaryRegion   = process.env.SECONDARY_REGION    || "eu-west-1";                    // replace with your secondary region
+
+    const pipeline = new CodePipeline(this, 'pipeline', {
+      selfMutation:     true,
+      crossAccountKeys: true,
+      reuseCrossRegionSupportStacks: true,
+      synth: new ShellStep('Synth', {
+        input: CodePipelineSource.connection(`${githubOrg}/${githubRepo}`, `${githubBranch}`,{
+          // You need to replace the below code connection arn:
+          connectionArn: `arn:aws:codestar-connections:${pipelineRegion}:${pipelineAccountId}:connection/0ce75950-a29b-4ee4-a9d3-b0bad3b2c0a6`
+        }),
+        commands: [
+          'npm ci',
+          'npm run build',
+          'npx cdk synth'
+        ]
+      }),
+      synthCodeBuildDefaults: {
+        rolePolicy: [
+          new PolicyStatement({
+            resources: [ '*' ],
+            actions: [ 'ec2:DescribeAvailabilityZones' ],
+          }),
+      ]}
+    });
+
+    const devStage = pipeline.addStage(new pipelineAppStage(this, `${devEnv}`, {
+      env: { account: `${pipelineAccountId}`, region: `${pipelineRegion}`}
+    }));
+    devStage.addPost(new ManualApprovalStep('approval'));
+
+    // add waves:
+    const devWave = pipeline.addWave(`${devEnv}Wave`);
+
+    devWave.addStage(new pipelineAppStage(this, `${devEnv}-${primaryRegion}`, {
+      env: { account: `${devAccountId}`, region: `${primaryRegion}`}
+    }));
+
+    devWave.addStage(new pipelineAppStage(this, `${devEnv}-${secondaryRegion}`, {
+      env: { account: `${devAccountId}`, region: `${secondaryRegion}`}
+    }));
+  }
+}

typescript/aws-codepipeline-ecs-lambda/lib/stage-app-async-lambda-stack.ts

@@ -0,0 +1,75 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as events from 'aws-cdk-lib/aws-events';
+import * as eventsTargets from 'aws-cdk-lib/aws-events-targets';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import { SnsEventSource, SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
+import * as path from 'path';
+import { Function, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
+
+export class asyncLambdaStack extends cdk.Stack {
+    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        // EventBridge event as an event source for a SNS topic and a SQS queue
+        const rule = new events.Rule(this, 'Rule', {
+            eventPattern: {
+                source: ['aws.ecs']
+            }
+        });
+
+        // Shared code asset
+        const code = Code.fromAsset(path.join(__dirname, '../assets/lambda-functions'));
+
+        // Lambda Function that will be invoked asynchronously when there is any event that matches the rule
+        const eventsFunction = new Function(this, 'EventFunction', {
+            runtime: Runtime.NODEJS_20_X,
+            code,
+            handler: 'events_handler.handler'
+        });
+        const eventsDLQ = new sqs.Queue(this, 'LambdaDLQ');
+        rule.addTarget(new eventsTargets.LambdaFunction(eventsFunction, {
+            deadLetterQueue: eventsDLQ,
+            maxEventAge: cdk.Duration.minutes(2),
+            retryAttempts: 2
+        }));
+
+        // Lambda Function that will be invoked asynchronously by a SNS topic
+        const topic = new sns.Topic(this, 'Topic');
+        rule.addTarget(new eventsTargets.SnsTopic(topic, {
+            deadLetterQueue: eventsDLQ,
+            maxEventAge: cdk.Duration.minutes(2),
+            retryAttempts: 2
+        }));
+
+        const topicFunction = new Function(this, 'TopicLambdaFunction', {
+            runtime: Runtime.NODEJS_20_X,
+            code,
+            handler: 'topic_message_handler.handler'
+        });
+        const topicDLQ = new sqs.Queue(this, 'TopicDLQ');
+        topicFunction.addEventSource(new SnsEventSource(topic, {
+            deadLetterQueue: topicDLQ
+        }));
+
+        // Lambda Function that will be invoked asynchronously with the event source of a SQS queue
+        const queue = new sqs.Queue(this, 'JobQueue');
+        rule.addTarget(new eventsTargets.SqsQueue(queue, {
+            deadLetterQueue: eventsDLQ,
+            maxEventAge: cdk.Duration.minutes(2),
+            retryAttempts: 2
+        }));
+
+        const queueFunction = new Function(this, 'QueueLambdaFunction', {
+            runtime: Runtime.NODEJS_20_X,
+            code,
+            handler: 'queue_message_handler.handler'
+        });
+        queueFunction.addEventSource(new SqsEventSource(queue, {
+            batchSize: 5,
+            maxBatchingWindow: cdk.Duration.seconds(5),
+            reportBatchItemFailures: true
+        }));
+    }
+}