Merge pull request #14 from aws-samples/feat/one-az

feat: AZ count setting and Shorten ECS Service name

Author: Hoseong-Seo

client/AdminWeb/src/app/auth-config.module.ts

@@ -13,7 +13,7 @@ import { environment } from 'src/environments/environment';
         postLogoutRedirectUri: window.location.origin,
         redirectUrl: window.location.origin,
         responseType: 'code',
-        scope: 'openid profile email',
+        scope: 'openid profile email tenant/tenant_read tenant/tenant_write user/user_read user/user_write',
       },
     }),
   ],

client/AdminWeb/src/app/auth.interceptor.ts

@@ -29,7 +29,7 @@ export class AuthInterceptor implements HttpInterceptor {
       return next.handle(req);
     }
 
-    return this.service.getIdToken().pipe(
+    return this.service.getAccessToken().pipe(
       switchMap((tok) => {
         req = req.clone({
           headers: req.headers.set('Authorization', 'Bearer ' + tok),

server/bin/ecs-saas-ref-template.ts

@@ -3,7 +3,6 @@ import * as cdk from 'aws-cdk-lib';
 import { TenantTemplateStack } from '../lib/tenant-template/tenant-template-stack';
 import { DestroyPolicySetter } from '../lib/utilities/destroy-policy-setter';
 import { CoreAppPlaneStack } from '../lib/bootstrap-template/core-appplane-stack';
-import { TenantUpdatePipeline } from '../lib/tenant-template/tenant-update-stack';
 import { getEnv } from '../lib/utilities/helper-functions';
 import { ControlPlaneStack } from '../lib/bootstrap-template/control-plane-stack';
 import { SharedInfraStack } from '../lib/shared-infra/shared-infra-stack';
@@ -20,11 +19,14 @@ if (!process.env.CDK_PARAM_TENANT_ID) {
   console.log('Tenant ID is empty, a default tenant id "basic" will be assigned');
 }
 const basicId = 'basic';
+const AzCount = 3;
 
+if(AzCount < 2 || AzCount > 3) {
+  throw new Error('Please Availability Zones count must be 2 or 3');
+}
 // required input parameters
 const systemAdminEmail = process.env.CDK_PARAM_SYSTEM_ADMIN_EMAIL;
 const tenantId = process.env.CDK_PARAM_TENANT_ID || basicId;
-const codeCommitRepositoryName = getEnv('CDK_PARAM_CODE_COMMIT_REPOSITORY_NAME');
 
 const commitId = getEnv('CDK_PARAM_COMMIT_ID');
 const tier = getEnv('CDK_PARAM_TIER');
@@ -87,41 +89,40 @@ const apiKeySSMParameterNames = {
   }
 };
 
-const controlPlaneStack = new ControlPlaneStack(app, 'controlplane-stack', {
-  systemAdminEmail: systemAdminEmail,
-  systemAdminRoleName: systemAdminRoleName,
+const sharedInfraStack = new SharedInfraStack(app, 'shared-infra-stack', {
+  isPooledDeploy: isPooledDeploy,
+  ApiKeySSMParameterNames: apiKeySSMParameterNames,
+  apiKeyPlatinumTierParameter: apiKeyPlatinumTierParameter,
+  apiKeyPremiumTierParameter: apiKeyPremiumTierParameter,
+  apiKeyAdvancedTierParameter: apiKeyAdvancedTierParameter,
+  apiKeyBasicTierParameter: apiKeyBasicTierParameter,
+  stageName: stageName,
+  azCount: AzCount,
   env: {
     account: process.env.CDK_DEFAULT_ACCOUNT,
     region: process.env.CDK_DEFAULT_REGION
   }
 });
 
-const coreAppPlaneStack = new CoreAppPlaneStack(app, 'core-appplane-stack', {
+const controlPlaneStack = new ControlPlaneStack(app, 'controlplane-stack', {
   systemAdminEmail: systemAdminEmail,
-  regApiGatewayUrl: controlPlaneStack.regApiGatewayUrl,
-  eventBusArn: controlPlaneStack.eventBusArn,
-  apiKeyPlatinumTierParameter: apiKeyPlatinumTierParameter,
-  apiKeyPremiumTierParameter: apiKeyPremiumTierParameter,
-  apiKeyAdvancedTierParameter: apiKeyAdvancedTierParameter,
-  apiKeyBasicTierParameter: apiKeyBasicTierParameter,
-  ApiKeySSMParameterNames: apiKeySSMParameterNames,
+  systemAdminRoleName: systemAdminRoleName,
   env: {
     account: process.env.CDK_DEFAULT_ACCOUNT,
     region: process.env.CDK_DEFAULT_REGION
   }
 });
-cdk.Aspects.of(coreAppPlaneStack).add(new DestroyPolicySetter());
 
-const sharedInfraStack = new SharedInfraStack(app, 'shared-infra-stack', {
-  isPooledDeploy: isPooledDeploy,
-  ApiKeySSMParameterNames: apiKeySSMParameterNames,
-  stageName: stageName,
+const coreAppPlaneStack = new CoreAppPlaneStack(app, 'core-appplane-stack', {
+  systemAdminEmail: systemAdminEmail,
+  regApiGatewayUrl: controlPlaneStack.regApiGatewayUrl,
+  eventManager: controlPlaneStack.eventManager,
   env: {
     account: process.env.CDK_DEFAULT_ACCOUNT,
     region: process.env.CDK_DEFAULT_REGION
   }
 });
-sharedInfraStack.addDependency(coreAppPlaneStack);
+cdk.Aspects.of(coreAppPlaneStack).add(new DestroyPolicySetter());
 
 const tenantTemplateStack = new TenantTemplateStack(app, `tenant-template-stack-${tenantId}`, {
   tenantId: tenantId,

server/lib/bootstrap-template/control-plane-stack.ts

@@ -1,22 +1,20 @@
-import { Stack, type StackProps, CfnOutput } from 'aws-cdk-lib';
-import { type Construct } from 'constructs';
 import * as cdk from 'aws-cdk-lib';
-import * as control_plane from '@cdklabs/sbt-aws';
-import { CognitoAuth } from '@cdklabs/sbt-aws';
+import { type Construct } from 'constructs';
 import { StaticSiteDistro } from './static-site-distro';
 import path = require('path');
 import { StaticSite } from './static-site';
 import { ControlPlaneNag } from '../cdknag/control-plane-nag';
+import * as sbt from '@cdklabs/sbt-aws';
 
-interface ControlPlaneStackProps extends StackProps {
+interface ControlPlaneStackProps extends cdk.StackProps {
   systemAdminRoleName: string
   systemAdminEmail: string
 }
 
-export class ControlPlaneStack extends Stack {
+export class ControlPlaneStack extends cdk.Stack {
   public readonly regApiGatewayUrl: string;
-  public readonly eventBusArn: string;
-  public readonly auth: CognitoAuth;
+  public readonly eventManager: sbt.IEventManager;
+  public readonly auth: sbt.CognitoAuth;
   public readonly adminSiteUrl: string;
   public readonly StaticSite: StaticSite;
 
@@ -37,34 +35,42 @@ export class ControlPlaneStack extends Stack {
 
     this.adminSiteUrl = `https://${distro.cloudfrontDistribution.domainName}`;
 
-    const cognitoAuth = new CognitoAuth(this, 'CognitoAuth', {
-      systemAdminRoleName: props.systemAdminRoleName,
-      systemAdminEmail: props.systemAdminEmail,
+    const cognitoAuth = new sbt.CognitoAuth(this, 'CognitoAuth', {
+      // Avoid checking scopes for API endpoints. Done only for testing purposes.
+      // setAPIGWScopes: false,
       controlPlaneCallbackURL: this.adminSiteUrl
     });
 
-    const controlPlane = new control_plane.ControlPlane(this, 'controlplane-sbt', {
-      auth: cognitoAuth
+    const controlPlane = new sbt.ControlPlane(this, 'controlplane-sbt', {
+      systemAdminEmail: props.systemAdminEmail,
+      auth: cognitoAuth,
+      apiCorsConfig: {
+        allowOrigins: ['https://*'],
+        allowCredentials: true,
+        allowHeaders: ['*'],
+        allowMethods: [cdk.aws_apigatewayv2.CorsHttpMethod.ANY],
+        maxAge: cdk.Duration.seconds(300),
+      },
     });
 
+    this.eventManager = controlPlane.eventManager;
     this.regApiGatewayUrl = controlPlane.controlPlaneAPIGatewayUrl;
-    this.eventBusArn = controlPlane.eventManager.busArn;
     this.auth = cognitoAuth;
 
     this.StaticSite = new StaticSite(this, 'AdminWebUi', {
       name: 'AdminSite',
       assetDirectory: path.join(__dirname, '../../../client/AdminWeb/'),
       production: true,
-      clientId: this.auth.clientId,
-      issuer: this.auth.authorizationServer,
+      clientId: this.auth.userClientId,  //.clientId,
+      issuer: this.auth.tokenEndpoint,
       apiUrl: this.regApiGatewayUrl,
       wellKnownEndpointUrl: this.auth.wellKnownEndpointUrl,
       distribution: distro.cloudfrontDistribution,
       appBucket: distro.siteBucket,
       accessLogsBucket
     });
-
-    new CfnOutput(this, 'adminSiteUrl', {
+    
+    new cdk.CfnOutput(this, 'adminSiteUrl', {
       value: this.adminSiteUrl
     });
 

server/lib/bootstrap-template/core-appplane-stack.ts

@@ -1,28 +1,20 @@
-import { Stack, type StackProps, CfnOutput } from 'aws-cdk-lib';
+import * as cdk from 'aws-cdk-lib';
 import { type Construct } from 'constructs';
-import { type ApiKeySSMParameterNames } from '../interfaces/api-key-ssm-parameter-names';
-import { TenantApiKey } from './tenant-api-key';
 import { Table, AttributeType } from 'aws-cdk-lib/aws-dynamodb';
 import { PolicyDocument } from 'aws-cdk-lib/aws-iam';
 import { EventBus } from 'aws-cdk-lib/aws-events';
+import * as fs from 'fs';
 import { UserInterface } from './user-interface';
 import { CoreAppPlaneNag } from '../cdknag/core-app-plane-nag';
-import * as fs from 'fs';
-import * as core_app_plane from '@cdklabs/sbt-aws';
-import { type CoreApplicationPlaneJobRunnerProps, DetailType, EventManager } from '@cdklabs/sbt-aws';
+import * as sbt from '@cdklabs/sbt-aws';
 
-interface CoreAppPlaneStackProps extends StackProps {
-  ApiKeySSMParameterNames: ApiKeySSMParameterNames
-  apiKeyPlatinumTierParameter: string
-  apiKeyPremiumTierParameter: string
-  apiKeyAdvancedTierParameter: string
-  apiKeyBasicTierParameter: string
-  eventBusArn: string
+interface CoreAppPlaneStackProps extends cdk.StackProps {
+  eventManager: sbt.IEventManager
   systemAdminEmail: string
   regApiGatewayUrl: string
 }
 
-export class CoreAppPlaneStack extends Stack {
+export class CoreAppPlaneStack extends cdk.Stack {
   public readonly userInterface: UserInterface;
   public readonly tenantMappingTable: Table;
   constructor (scope: Construct, id: string, props: CoreAppPlaneStackProps) {
@@ -34,8 +26,7 @@ export class CoreAppPlaneStack extends Stack {
       partitionKey: { name: 'tenantId', type: AttributeType.STRING }
     });
 
-    const provisioningJobRunnerProps: CoreApplicationPlaneJobRunnerProps = {
-      name: 'provisioning',
+    const provisioningJobRunnerProps = {
       permissions: PolicyDocument.fromJson(
         JSON.parse(`
 {
@@ -53,28 +44,26 @@ export class CoreAppPlaneStack extends Stack {
 `)
       ),
       script: fs.readFileSync('../scripts/provision-tenant.sh', 'utf8'),
-      outgoingEvent: DetailType.PROVISION_SUCCESS,
-      incomingEvent: DetailType.ONBOARDING_REQUEST,
-
-      postScript: '',
-      environmentStringVariablesFromIncomingEvent: [
-        'tenantId',
-        'tier',
-        'tenantName',
-        'email',
-        'tenantStatus'
+      environmentStringVariablesFromIncomingEvent: ['tenantId', 'tier', 'tenantName', 'email'],
+      environmentVariablesToOutgoingEvent: [
+        'tenantConfig',
+        'tenantStatus',
+        'prices', // added so we don't lose it for targets beyond provisioning (ex. billing)
+        'tenantName', // added so we don't lose it for targets beyond provisioning (ex. billing)
+        'email', // added so we don't lose it for targets beyond provisioning (ex. billing)
       ],
-      environmentVariablesToOutgoingEvent: ['tenantConfig', 'tenantStatus'],
       scriptEnvironmentVariables: {
-        // CDK_PARAM_SYSTEM_ADMIN_EMAIL is required - as part of deploying the bootstrap-template
+        // CDK_PARAM_SYSTEM_ADMIN_EMAIL is required because as part of deploying the bootstrap-template
         // the control plane is also deployed. To ensure the operation does not error out, this value
         // is provided as an env parameter.
-        CDK_PARAM_SYSTEM_ADMIN_EMAIL: systemAdminEmail
-      }
+        CDK_PARAM_SYSTEM_ADMIN_EMAIL: systemAdminEmail,
+      },
+      outgoingEvent: sbt.DetailType.PROVISION_SUCCESS,
+      incomingEvent: sbt.DetailType.ONBOARDING_REQUEST,
+      eventManager: props.eventManager
     };
 
-    const deprovisioningJobRunnerProps: CoreApplicationPlaneJobRunnerProps = {
-      name: 'deprovisioning',
+    const deprovisioningJobRunnerProps = {
       permissions: PolicyDocument.fromJson(
         JSON.parse(`
 {
@@ -92,56 +81,38 @@ export class CoreAppPlaneStack extends Stack {
 `)
       ),
       script: fs.readFileSync('../scripts/deprovision-tenant.sh', 'utf8'),
-      environmentStringVariablesFromIncomingEvent: ['tenantId', 'tier'],
+      environmentStringVariablesFromIncomingEvent: ['tenantId'],
       environmentVariablesToOutgoingEvent: ['tenantStatus'],
-      outgoingEvent: DetailType.DEPROVISION_SUCCESS,
-      incomingEvent: DetailType.OFFBOARDING_REQUEST,
-
+      outgoingEvent: sbt.DetailType.DEPROVISION_SUCCESS,
+      incomingEvent: sbt.DetailType.OFFBOARDING_REQUEST,
       scriptEnvironmentVariables: {
         TENANT_STACK_MAPPING_TABLE: this.tenantMappingTable.tableName,
-        CDK_PARAM_SYSTEM_ADMIN_EMAIL: systemAdminEmail
-      }
+        // CDK_PARAM_SYSTEM_ADMIN_EMAIL is required because as part of deploying the bootstrap-template
+        // the control plane is also deployed. To ensure the operation does not error out, this value
+        // is provided as an env parameter.
+        CDK_PARAM_SYSTEM_ADMIN_EMAIL: systemAdminEmail,
+      },
+      eventManager: props.eventManager
     };
 
-    const eventBus = EventBus.fromEventBusArn(this, 'EventBus', props.eventBusArn);
-    const eventManager = new EventManager(this, 'EventManager', {
-      eventBus: eventBus,
-    });
-
-    new core_app_plane.CoreApplicationPlane(this, 'coreappplane-sbt', {
-      eventManager: eventManager,
-      jobRunnerPropsList: [provisioningJobRunnerProps, deprovisioningJobRunnerProps]
-    });
-
-    new TenantApiKey(this, 'BasicTierApiKey', {
-      apiKeyValue: props.apiKeyBasicTierParameter,
-      ssmParameterApiKeyIdName: props.ApiKeySSMParameterNames.basic.keyId,
-      ssmParameterApiValueName: props.ApiKeySSMParameterNames.basic.value
-    });
-
-    new TenantApiKey(this, 'AdvancedTierApiKey', {
-      apiKeyValue: props.apiKeyAdvancedTierParameter,
-      ssmParameterApiKeyIdName: props.ApiKeySSMParameterNames.advanced.keyId,
-      ssmParameterApiValueName: props.ApiKeySSMParameterNames.advanced.value
-    });
+    const provisioningJobRunner: sbt.BashJobRunner = new sbt.BashJobRunner(this,
+      'provisioningJobRunner', provisioningJobRunnerProps
+    );
 
-    new TenantApiKey(this, 'PremiumTierApiKey', {
-      apiKeyValue: props.apiKeyPremiumTierParameter,
-      ssmParameterApiKeyIdName: props.ApiKeySSMParameterNames.premium.keyId,
-      ssmParameterApiValueName: props.ApiKeySSMParameterNames.premium.value
-    });
+    const deprovisioningJobRunner: sbt.BashJobRunner = new sbt.BashJobRunner(this,
+      'deprovisioningJobRunner', deprovisioningJobRunnerProps
+    );
 
-    new TenantApiKey(this, 'PlatinumTierApiKey', {
-      apiKeyValue: props.apiKeyPlatinumTierParameter,
-      ssmParameterApiKeyIdName: props.ApiKeySSMParameterNames.platinum.keyId,
-      ssmParameterApiValueName: props.ApiKeySSMParameterNames.platinum.value
+    new sbt.CoreApplicationPlane(this, 'coreappplane-sbt', {
+      eventManager: props.eventManager,
+      jobRunnersList: [provisioningJobRunner, deprovisioningJobRunner]
     });
 
     this.userInterface = new UserInterface(this, 'saas-application-ui', {
       regApiGatewayUrl: props.regApiGatewayUrl
     });
 
-    new CfnOutput(this, 'appSiteUrl', {
+    new cdk.CfnOutput(this, 'appSiteUrl', {
       value: this.userInterface.appSiteUrl
     });
 

server/lib/cdknag/control-plane-nag.ts

@@ -33,9 +33,8 @@ export class ControlPlaneNag extends Construct {
     NagSuppressions.addResourceSuppressionsByPath(
       cdk.Stack.of(this),
       [
-        `${sbtPath}/controlplane-api-stack/controlPlaneAPI/EventsRole/DefaultPolicy/Resource`,
-        `${sbtPath}/services-stack/tenantManagementExecRole/DefaultPolicy/Resource`,
-        `${sbtPath}/auth-info-service-stack/TenantConfigServiceLambda/ServiceRole/DefaultPolicy/Resource`
+        `${sbtPath}/tenantManagementServicves/tenantManagementLambda/tenantManagementExecRole/DefaultPolicy/Resource`,
+        `${sbtPath}/tenantConfigService/tenantConfigLambda/TenantConfigServiceLambda/ServiceRole/DefaultPolicy/Resource`,
       ],
       [
         policy,
@@ -47,7 +46,7 @@ export class ControlPlaneNag extends Construct {
               regex: '/^Resource::arn:aws:execute-api:(.*):(.*)\\*$/g'
             },
             {
-              regex: '/^Resource::<controlplanesbttablesstackTenant(.*).Arn(.*)\\*$/g'
+              regex: '/^Resource::<controlplanesbttenantManagementServicves(.*).Arn(.*)\\*$/g'
             }
           ]
         }

server/lib/cdknag/core-app-plane-nag.ts

@@ -21,15 +21,14 @@ export class CoreAppPlaneNag extends Construct {
       ]
     };
 
-    const sbtNagPath = '/core-appplane-stack/coreappplane-sbt';
     const nagWebPath = '/core-appplane-stack/saas-application-ui/TenantWebUI';
     const nagStaticPath = '/core-appplane-stack/saas-application-ui/StaticSiteDistro';
 
     NagSuppressions.addResourceSuppressionsByPath(
       cdk.Stack.of(this),
       [
-        `${sbtNagPath}/provisioning-codeBuildProvisionProjectRole/Resource`,
-        `${sbtNagPath}/deprovisioning-codeBuildProvisionProjectRole/Resource`
+        'core-appplane-stack/provisioningJobRunner/codeBuildProvisionProjectRole/Resource',
+        'core-appplane-stack/deprovisioningJobRunner/codeBuildProvisionProjectRole/Resource'
       ],
       [
         {