Feature/Dpra-91 (#40)

* adding the role permissions for tagging

* adding the functional to use external repository via codeconnection

* updating readme docs with the new changes

* updating readme docs with indentation fixes

* removing unnecessary comments

* removing the unnecesary changes

* updating xml file to make configuration changes

* updating the trivy scan checks failures

* bug fixes and updates with policy changes

* packages requirement updates

* updating the pipeline with new changes and version fixes

* updating the readme with new changes and functionality

* updating the readme with iamge fixes

* updating the readme with image fixes

* updating the account.ts file to fix the changes with security scan issues

* finxing the comments

Author: aniketkb2014

examples/cdk-application-pipeline/.gitignore

@@ -105,12 +105,35 @@ To learn more about the CDK boostrapping process, see: https://docs.aws.amazon.c
 To deploy the pipeline to the toolchain AWS account run:
 
 ```bash
-npx cdk deploy --profile toolchain --all --require-approval never
+npx ts-node infrastructure/src/setup.ts   
 ```
+Make a selection for your source:
+1. CodeCommit
+2. Github
+3. BitBucket
+4. Github Enterprise Server
 
-![Pipeline-1 Diagram](docs/pipeline-1.png)
+![Version Control System Source](docs/SelectSource.png)
 
-Using AWS management console, login to `toolchain` account and click [AWS CodePipeline](https://us-east-1.console.aws.amazon.com/codesuite/codepipeline/home?region=us-east-1) to check the different stages of the pipeline.
+If you choose CodeCommit as the source, no additional inputs required.
+
+If you choose Github/BitBucket/GithubEnterpiseServer as source, then provide following parameters as asked:
+1. profile
+2. owner
+3. repositoryName
+4. branchName
+
+![Version Control System Source](docs/parametersExternalSource.png)
+
+Once the parameters are setup it will prompt you to update to codeconnection in the console.
+
+![Updating CodeConnection](docs/updatingCodeconnection.png)
+
+To connect the external suorce to the AWS account, a codeconnetion is setup and it is in the pending status.
+
+Log into the console, search for Codepipeline in the search bar, in the left panel go to setting: go to codeconnections.
+
+There you can see the codeconnection starting with (dpri-****), it is in pending status, Click on Update Pending Connection status and login with the credentials.
 
 ![Fruit API Diagram](docs/fruit-api.png)
 
@@ -138,7 +161,7 @@ Here is the application running in production in us-east-1 region.
 
 ![App Diagram](docs/app-1.png)
 
-(OPTIONAL) If you'd like to make changes and deploy with the pipeline, you'll need to [setup Git for AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up.html) and then clone the new CodeCommit repository:
+(OPTIONAL) If you'd like to make changes and deploy with the pipeline, you'll need to [setup Git for AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up.html) and then clone the new CodeCommit repository or your Git Repository configure during setup:
 
 ```bash
 git clone https://git-codecommit.us-west-2.amazonaws.com/v1/repos/fruit-api

examples/cdk-application-pipeline/README.md

@@ -5,23 +5,112 @@ export interface Account {
   profile: string;
 }
 
+export enum AccountType {
+  Toolchain = 'toolchain',
+  Beta = 'beta',
+  Gamma = 'gamma',
+  Production = 'production',
+}
 export class Accounts {
   static readonly PATH = '.accounts.json';
 
   static load(): Accounts {
     try {
-      return Object.assign(new Accounts(), JSON.parse(fs.readFileSync(Accounts.PATH).toString()));
+      const accounts = new Accounts();
+      const jsonData = JSON.parse(fs.readFileSync(Accounts.PATH).toString());
+      
+      // Explicitly assign only known properties with type checking
+      // if (jsonData.toolchain) accounts.setAccount('toolchain', jsonData.toolchain);
+      // if (jsonData.beta) accounts.setAccount('beta', jsonData.beta);
+      // if (jsonData.gamma) accounts.setAccount('gamma', jsonData.gamma);
+      // if (jsonData.production) accounts.setAccount('production', jsonData.production);
+
+      if (jsonData.toolchain) accounts.setAccount(AccountType.Toolchain, jsonData.toolchain);
+      if (jsonData.beta) accounts.setAccount(AccountType.Beta, jsonData.beta);
+      if (jsonData.gamma) accounts.setAccount(AccountType.Gamma, jsonData.gamma);
+      if (jsonData.production) accounts.setAccount(AccountType.Production, jsonData.production);
+
+      return accounts;
     } catch (e) {
       return new Accounts();
     }
   }
 
-  toolchain?: Account;
-  beta?: Account;
-  gamma?: Account;
-  production?: Account;
+  _toolchain?: Account;
+  _beta?: Account;
+  _gamma?: Account;
+  _production?: Account;
+  
+
+  get toolchain(): Account | undefined {
+    return this._toolchain;
+  }
+  get beta(): Account | undefined {
+    return this._beta;
+  }
+  get gamma(): Account | undefined {
+    return this._toolchain;
+  }
+  get production(): Account | undefined {
+    return this._production;
+  }
+  // Added setters
+  set toolchain(value: Account | undefined) {
+    this._toolchain = value;
+  }
+
+  set beta(value: Account | undefined) {
+    this._beta = value;
+  }
+
+  set gamma(value: Account | undefined) {
+    this._gamma = value;
+  }
+
+  set production(value: Account | undefined) {
+    this._production = value;
+  }
+  // Setter method with validation
+  private setAccount(type: AccountType, account: unknown): void {
+    if (!this.isValidAccount(account)) {
+      throw new Error(`Invalid account data for ${type}`);
+    }
+    
+    switch (type) {
+      case AccountType.Toolchain:
+        this.toolchain=account;
+        break;
+      case AccountType.Beta:
+        this.beta=account;
+        break;
+      case AccountType.Gamma:
+        this.gamma=account;
+        break;
+      case AccountType.Production:
+        this.production=account;
+        break;
+    }
+  }
+
+  // Type guard to validate account structure
+  private isValidAccount(account: unknown): account is Account {
+    return (
+      typeof account === 'object' &&
+      account !== null &&
+      'accountId' in account &&
+      'profile' in account &&
+      typeof (account as Account).accountId === 'string' &&
+      typeof (account as Account).profile === 'string'
+    );
+  }
 
   store() {
-    fs.writeFileSync(Accounts.PATH, JSON.stringify(this, null, 2));
+    const safeObject = {
+      toolchain: this.toolchain,
+      beta: this.beta,
+      gamma: this.gamma,
+      production: this.production
+    };
+    fs.writeFileSync(Accounts.PATH, JSON.stringify(safeObject, null, 2));
   }
-}
+}

examples/cdk-application-pipeline/cdk.json

@@ -97,7 +97,7 @@ export class CodeGuruReviewCheck extends Step implements ICodePipelineActionFact
   public produceAction(stage: IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult {
     const codeGuruLambda = new NodejsFunction(stage.pipeline, `${this.id}CodeGuruLambda`, {
       timeout: Duration.seconds(60),
-      runtime: Runtime.NODEJS_18_X,
+      runtime: Runtime.NODEJS_22_X,
       handler: 'main',
       entry: path.join(__dirname, 'lambda/index.ts'),
     });

examples/cdk-application-pipeline/docs/SelectSource.png

@@ -198,6 +198,8 @@ Resources:
     Type: AWS::ECR::Repository
     Properties:
       ImageTagMutability: IMMUTABLE
+      ImageScanningConfiguration:
+        ScanOnPush: true 
       RepositoryName:
         Fn::If:
           - HasCustomContainerAssetsRepositoryName
@@ -491,6 +493,7 @@ Resources:
               - cloudformation:GetTemplate
               - cloudformation:ListStackResources
               - cloudformation:ListStacks
+              - cloudformation:TagResource
               - cloudtrail:DescribeTrails
               - cloudtrail:ListTags
               - cloudtrail:LookupEvents
@@ -512,9 +515,11 @@ Resources:
               - codecommit:TagResource
               - codecommit:UnTagResource
               - codedeploy:CreateApplication
+              - codedeploy:GetApplication
               - codedeploy:*DeploymentGroup
               - codedeploy:DeleteApplication
               - codedeploy:GetDeployment*
+              - codedeploy:TagResource
               - codeguru-reviewer:*TagResource
               - codeguru-reviewer:AssociateRepository
               - codeguru-reviewer:CreateCodeReview
@@ -527,6 +532,9 @@ Resources:
               - codepipeline:StartPipelineExecution
               - codepipeline:GetPipeline
               - codepipeline:GetPipelineState
+              - codepipeline:Tagrole
+              - codepipeline:Tagresource
+              - codestar-connections:PassConnection
               - ec2:*Address
               - ec2:RevokeSecurityGroupIngress
               - ec2:*Tags
@@ -572,6 +580,7 @@ Resources:
               - ecs:Describe*
               - ecs:DeregisterTaskDefinition
               - ecs:RegisterTaskDefinition
+              - ecs:TagResource
               - elasticloadbalancing:AddTags
               - elasticloadbalancing:CreateListener
               - elasticloadbalancing:CreateLoadBalancer
@@ -612,6 +621,7 @@ Resources:
               - iam:ListUsers
               - iam:PassRole
               - iam:PutRolePolicy
+              - iam:TagRole
               - kms:CancelKeyDeletion
               - kms:Create*
               - kms:Decrypt
@@ -640,6 +650,7 @@ Resources:
               - lambda:ListFunctions
               - lambda:PublishVersion
               - lambda:TagResource
+              - lambda:UpdateFunctionCode
               - lambda:UpdateFunctionConfiguration
               - logs:Tag*
               - logs:PutRetentionPolicy
@@ -649,8 +660,11 @@ Resources:
               - ram:ListResources
               - rds:AddTagsToResource
               - rds:CreateDBCluster
+              - rds:CreateDBInstance
+              - rds:DescribeDBInstances
               - rds:CreateDBSubnetGroup
               - rds:DeleteDBCluster
+              - rds:DeleteDBInstance
               - rds:DeleteDBSubnetGroup
               - rds:DescribeDBClusters
               - rds:DescribeDBSubnetGroups

examples/cdk-application-pipeline/docs/parametersExternalSource.png

@@ -1,5 +1,5 @@
 import * as fs from 'fs';
-import { IgnoreMode } from 'aws-cdk-lib';
+import { IgnoreMode, Stack } from 'aws-cdk-lib';
 import { Code, Repository } from 'aws-cdk-lib/aws-codecommit';
 import { CfnRepositoryAssociation } from 'aws-cdk-lib/aws-codegurureviewer';
 import { Asset } from 'aws-cdk-lib/aws-s3-assets';
@@ -46,5 +46,32 @@ export class CodeCommitSource extends Construct {
     this.codePipelineSource = CodePipelineSource.codeCommit(this.repository, this.trunkBranchName);
   }
 }
+export class CodePipelineSourceFactory{  
+  static createCodePipelineSource(pipelineStack: Stack){  
+    const providerType = pipelineStack.node.tryGetContext("providerType")==undefined?"codecommit":pipelineStack.node.tryGetContext("providerType");  
 
+    switch(providerType){  
+      case 'codecommit':  
+        const appName = pipelineStack.node.tryGetContext('appName')  
+        if(!appName){  
+          throw new Error('appName is required')  
+        }  
+        // CodeCommitSource is an instance of Construct  
+        return new CodeCommitSource(pipelineStack, 'Source', {repositoryName: appName}).codePipelineSource
+      default:  
+        const repoParameters = {  
+          "owner": pipelineStack.node.tryGetContext('owner'),  
+          "repositoryName": pipelineStack.node.tryGetContext('repositoryName'),  
+          "trunkBranchName": pipelineStack.node.tryGetContext('trunkBranchName'),  
+          "connectionArn": pipelineStack.node.tryGetContext('connectionArn'),  
+        };  
 
+        // CodePipelineSource is not an instance of Construct  
+        return CodePipelineSource.connection(  
+          `${repoParameters.owner}/${repoParameters.repositoryName}`,  
+          repoParameters.trunkBranchName ?? 'main',  
+          { connectionArn: repoParameters.connectionArn }  
+        )
+    }  
+  }
+}