feat(ssl-server-test): use durable Lambda function

.projenrc.ts

@@ -7,13 +7,15 @@ const project = new awscdk.AwsCdkConstructLibrary({
   authorAddress: 'jonathan.goldwasser@gmail.com',
   description: 'High-level constructs for AWS CDK',
   jsiiVersion: '5.x',
-  cdkVersion: '2.133.0',
+  cdkVersion: '2.232.0',
   name: 'cloudstructs',
   projenrcTs: true,
+  tsJestOptions: { transformOptions: { isolatedModules: true } },
   peerDeps: [],
   bundledDeps: [
-    'got',
+    '@aws/durable-execution-sdk-js',
     '@slack/web-api',
+    'got',
     'mjml',
   ],
   devDeps: [
@@ -26,8 +28,10 @@ const project = new awscdk.AwsCdkConstructLibrary({
     '@aws-sdk/client-s3',
     '@aws-sdk/client-secrets-manager',
     '@aws-sdk/client-sfn',
+    '@aws-sdk/client-sns',
     '@aws-sdk/client-textract',
     '@aws-sdk/lib-dynamodb',
+    '@aws/durable-execution-sdk-js-testing',
     '@types/aws-lambda',
     '@types/mjml',
     '@types/tsscmp',
@@ -77,7 +81,7 @@ const packageExports: Record<string, string> = {
   './.jsii': './.jsii',
 };
 for (const dirent of fs.readdirSync('./src', { withFileTypes: true })) {
-  if (dirent.isDirectory()) {
+  if (dirent.isDirectory() && dirent.name !== 'utils') {
     const construct = dirent.name;
     // TODO: remove "lib" when TypeScript supports "exports"
     packageExports[`./lib/${construct}`] = `./lib/${construct}/index.js`;

src/ssl-server-test/README.md

@@ -19,28 +19,28 @@ export class MyStack extends Stack {
     super(scope, id, props);
 
     new SslServerTest(this, 'TestMyHost', {
+      registrationEmail: 'jdoe@someorganizationemail.com',
       host: 'my.host'
     });
   }
 }
 ```
 
-This will create a state machine that will run a SSL server test everyday. By default, a SNS topic is 
-created and a notification is sent to this topic if the [grade](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)
+This will create a durable Lambda function that will run a SSL server test everyday. By default, a SNS
+topic is created and a notification is sent to this topic if the [grade](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)
 of the test is below `A+`. The content of the notification is the
-[test result returned by the API](https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md#response-objects).
+[test result returned by the API](https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md#response-objects).
+
+A [free registration](https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v4.md#register-for-scan-api-initiation-and-result-fetching) is required to use the the SSL Labs API.
 
 ```ts
 const myTest = new SslServerTest(this, 'MyTest', {
+  registrationEmail: 'jdoe@someorganizationemail.com',
   host: 'my.host',
 });
 
 myTest.alarmTopic.addSubscription(/* your subscription here */)
 ```
 
-Use the `minimumGrade`, `alarmTopic` or `schedule` props to customize the
+Use the `minimumGrade`, `alarmTopic` or `scheduleExpression` props to customize the
 behavior of the construct.
-
-<p align="center">
-  <img src="ssl-server-test.svg" width="50%">
-</p>

src/ssl-server-test/analyze.lambda.ts

@@ -1,13 +1,69 @@
+import { DurableContext, withDurableExecution } from '@aws/durable-execution-sdk-js';
+import { PublishCommand, SNSClient } from '@aws-sdk/client-sns';
 import got from 'got';
+import { getEnv } from '../utils';
+import { AnalyzeResponse, AnalyzeStatus, SslServerTestGrade } from './types';
 
 const sslLabsClient = got.extend({
-  prefixUrl: 'https://api.ssllabs.com/api/v3',
+  prefixUrl: 'https://api.ssllabs.com/api/v4',
+  headers: { email: getEnv('REGISTRATION_EMAIL') },
+  searchParams: {
+    host: getEnv('HOST'),
+  },
 });
 
-export async function handler(event: Record<string, string>) {
-  const response = await sslLabsClient('analyze', {
-    searchParams: event,
-  }).json();
+const snsClient = new SNSClient({});
 
-  return response;
-}
+export const handler = withDurableExecution(async (_, context: DurableContext) => {
+  // Start analysis
+  await context.step('start-analysis', async () => {
+    const response = await sslLabsClient('analyze', {
+      searchParams: { startNew: 'on' },
+    }).json();
+    context.logger.info('Started SSL analysis', response);
+  });
+
+  // Wait for analysis to complete
+  const analysis = await context.waitForCondition<AnalyzeResponse>('wait-for-completion', async (_state, waitContext) => {
+    const response = await sslLabsClient('analyze').json<AnalyzeResponse>();
+    waitContext.logger.info('Current analysis status', response);
+    return response;
+  }, {
+    initialState: { status: AnalyzeStatus.DNS, endpoints: [] },
+    waitStrategy: (state) => {
+      if (state.status === AnalyzeStatus.READY || state.status === AnalyzeStatus.ERROR) {
+        return { shouldContinue: false };
+      }
+      return { shouldContinue: true, delay: { seconds: 30 } };
+    },
+  });
+
+  if (analysis.status === AnalyzeStatus.ERROR) {
+    throw new Error(`Analysis failed: ${analysis.statusMessage}`);
+  }
+
+  const grades = Object.values(SslServerTestGrade).reverse();
+
+  const gradeIndices = analysis.endpoints
+    .map(e => grades.indexOf(e.grade as SslServerTestGrade))
+    .filter(index => index !== -1);
+
+  if (gradeIndices.length === 0) {
+    throw new Error('No valid grade found in analysis result');
+  }
+
+  const bestGradeIndex = Math.max(...gradeIndices);
+  const bestGrade = grades[bestGradeIndex];
+
+  if (bestGradeIndex < grades.indexOf(getEnv('MINIMUM_GRADE') as SslServerTestGrade)) {
+    await context.step('notify', async () => {
+      await snsClient.send(new PublishCommand({
+        TopicArn: getEnv('ALARM_TOPIC_ARN'),
+        Message: JSON.stringify(analysis),
+        Subject: `SSL grade for ${getEnv('HOST')} is below minimum grade (${bestGrade} < ${getEnv('MINIMUM_GRADE')})`,
+      }));
+    });
+  }
+
+  context.logger.info('SSL analysis completed successfully', analysis);
+});