MMT-3985: Migrates MMT deployment/runtime infrastructure from Serverless Framework to CDK (#1471)

* MMT-4135: Migrate MMT deployment from Serverless Framework to CDK

Author: cgokey

.eslintignore

@@ -1,2 +1,3 @@
 dist
 .eslintrc
+cdk.out

.gitignore

@@ -1,7 +1,6 @@
 # Project build files
 .dockerignore
 .DS_Store
-.serverless
 .esbuild
 coverage
 dist
@@ -11,11 +10,12 @@ node_modules
 secret.config.json
 tmp
 .env
+cdk.out
 
 # VSCode Settings
 .vscode
 
 # CI Outputs
 junit.xml
 
-cmr
+cmr

.nvmrc

@@ -1 +1 @@
-20.18.1
+lts/jod

README.md

@@ -135,15 +135,38 @@ To run GraphDB in docker, run:
     npm run start:graphdb
 ```
 
-#### Running Serverless Offline (API Gateway/Lambdas)
+#### Running local API (CDK template)
 
-In order to run serverless-offline, which is used for mimicking API Gateway to call lambda functions, run:
+In order to run the API locally from the synthesized CDK template, run:
 
 ```bash
-    EDL_CLIENT_ID=<clientid> EDL_PASSWORD=<password> npm run offline
+    EDL_CLIENT_ID=<clientid> EDL_PASSWORD=<password> npm run start:api
 ```
 
-_Note: The EDL_CLIENT_ID and EDL_PASSWORD environment variable is required for group member queries to function._
+_Note: The EDL_CLIENT_ID and EDL_PASSWORD environment variables are required for group member queries to function._
+
+_Note: `npm run start:api` runs `prestart:api` automatically, which builds the CDK app (`build:cdk:mmt`) and synthesizes the template (`run-synth`). This is the recommended first-time flow on a fresh checkout/machine._
+
+Typical local flow:
+
+```bash
+    npm run prestart:api
+    EDL_CLIENT_ID=<clientid> EDL_PASSWORD=<password> npm run start:api
+```
+
+You do not need to run `run-synth` separately in this flow.
+
+If you only need to rebuild CDK TypeScript output (for example after changing files in `cdk/mmt` or if `cdk/mmt/dist` is missing), run:
+
+```bash
+    npm run build:cdk:mmt
+```
+
+If you only need to regenerate the synthesized CloudFormation template (for example after CDK configuration/stack changes and you do not want to run the API yet), run:
+
+```bash
+    npm run run-synth
+```
 
 #### Running MMT
 
@@ -169,7 +192,7 @@ To run the test suite, run:
 
 ### Styling
 
-CSS should follow the following guidelines:
+CSS should follow these guidelines:
 
 - Prefer [Bootstrap](https://getbootstrap.com/docs/5.0/) styles when writing custom components
 - If the desired look can not be achieved with Bootstrap, additional styling should be accomplished by:

bin/api.mjs

@@ -0,0 +1,175 @@
+import express from 'express'
+import fs from 'fs'
+import path from 'path'
+
+import { getApiResources } from './getApiResources.mjs'
+
+/**
+ * Local API runner that mirrors API Gateway + Lambda wiring from the
+ * synthesized CDK template.
+ */
+const templateFilePath = process.argv[2]
+if (!templateFilePath) {
+  console.error('Please provide the path to the CloudFormation template as a command line argument.')
+  process.exit(1)
+}
+
+const stageName = process.env.STAGE_NAME || 'dev'
+const port = parseInt(process.env.API_LOCAL_PORT || '4001', 10)
+const staticConfigPath = path.resolve(process.cwd(), 'static.config.json')
+
+/**
+ * Resolves a local `MMT_HOST` value from env or `static.config.json`.
+ * `MMT_HOST` is used for browser origin (CORS handling)
+ *
+ * @returns {string}
+ */
+const resolveMmtHost = () => {
+  if (process.env.MMT_HOST) return process.env.MMT_HOST
+
+  try {
+    const file = fs.readFileSync(staticConfigPath, 'utf8')
+    const staticConfig = JSON.parse(file)
+    if (staticConfig?.application?.mmtHost) return staticConfig.application.mmtHost
+  } catch (error) {
+    console.warn(`Unable to read mmtHost from static.config.json: ${error}`)
+  }
+
+  return 'http://localhost:5173'
+}
+
+const localEnvDefaults = {
+  COOKIE_DOMAIN: '.localhost',
+  JWT_SECRET: 'local-secret',
+  JWT_VALID_TIME: '900',
+  MMT_HOST: resolveMmtHost()
+}
+
+// Local stack always runs in offline mode.
+process.env.IS_OFFLINE = 'true'
+
+Object.entries(localEnvDefaults).forEach(([key, value]) => {
+  if (!process.env[key]) {
+    process.env[key] = value
+  }
+})
+
+const app = express()
+
+/**
+ * Adds permissive local CORS behavior for API Gateway emulation.
+ *
+ * In offline mode we mirror the incoming browser origin so localhost and
+ * tunneled origins continue to work with credentials/cookies.
+ */
+app.use((request, response, next) => {
+  if (process.env.IS_OFFLINE !== 'true') {
+    next()
+
+    return
+  }
+
+  const requestOrigin = request.headers.origin
+  const allowOrigin = requestOrigin || process.env.MMT_HOST || 'http://localhost:5173'
+  const requestedHeaders = request.headers['access-control-request-headers']
+
+  response.setHeader('Access-Control-Allow-Origin', allowOrigin)
+  response.setHeader('Vary', 'Origin')
+  response.setHeader('Access-Control-Allow-Credentials', 'true')
+  response.setHeader('Access-Control-Allow-Headers', requestedHeaders || 'Content-Type,Authorization,Origin,User-Agent,Accept')
+  response.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,PATCH,OPTIONS')
+
+  if (request.method === 'OPTIONS') {
+    response.status(204).end()
+
+    return
+  }
+
+  next()
+})
+
+app.use(express.json({ limit: '10mb' }))
+app.use(express.urlencoded({ extended: true }))
+
+/**
+ * Wraps a parsed API method definition and invokes its Lambda handler using
+ * API Gateway-like event objects.
+ *
+ * @param {{ httpMethod: string, lambdaFunction: { functionName: string, path: string } }} method
+ * @returns {(request: import('express').Request, response: import('express').Response) => Promise<void>}
+ */
+const lambdaProxyWrapper = (method) => async (request, response) => {
+  const { lambdaFunction } = method
+  const {
+    path: handlerPath
+  } = lambdaFunction
+
+  const event = {
+    body: typeof request.body === 'object' ? JSON.stringify(request.body) : request.body,
+    headers: request.headers,
+    httpMethod: request.method,
+    pathParameters: request.params,
+    queryStringParameters: request.query,
+    requestContext: {}
+  }
+
+  const { default: handler } = (await import(handlerPath)).default
+  const lambdaResponse = await handler(event, {})
+
+  const {
+    body,
+    headers = {},
+    statusCode = 200
+  } = lambdaResponse || {}
+
+  response.status(statusCode)
+  Object.entries(headers).forEach(([headerName, headerValue]) => {
+    response.setHeader(headerName, headerValue)
+  })
+
+  response.send(body)
+}
+
+/**
+ * Registers a route on the Express app for the given HTTP method and path.
+ *
+ * @param {string} httpMethod
+ * @param {string} routePath
+ * @param {(request: import('express').Request, response: import('express').Response) => Promise<void>} handler
+ */
+const registerRoute = (httpMethod, routePath, handler) => {
+  const lowerMethod = httpMethod.toLowerCase()
+  app[lowerMethod](routePath, handler)
+}
+
+/**
+ * Discovers API routes from the synthesized template and registers
+ * stage-prefixed local paths (for example `/dev/users`).
+ *
+ * @returns {Promise<void>}
+ */
+const addRoutes = async () => {
+  const apiResources = getApiResources(templateFilePath)
+  const keys = Object.keys(apiResources).sort()
+
+  keys.forEach((resourcePath) => {
+    const { fullPath, methods } = apiResources[resourcePath]
+
+    methods.forEach((method) => {
+      const routePath = `/${fullPath.replace(/\/\{(.*?)\}/g, '/:$1')}`
+      const stagePath = `/${stageName}${routePath}`
+
+      console.log(`Adding route: ${method.httpMethod.padEnd(6)} - ${stagePath}`)
+      registerRoute(method.httpMethod, stagePath, lambdaProxyWrapper(method))
+    })
+  })
+}
+
+/**
+ * Boots the local API server after dynamically registering all routes.
+ */
+addRoutes().then(() => {
+  app.listen(port, () => {
+    console.log(`Local API listening on http://localhost:${port}`)
+  })
+})

bin/deploy-bamboo.sh

@@ -47,16 +47,16 @@ node_modules
 .DS_Store
 .git
 .github
-.serverless
 cmr
 coverage
 dist
 node_modules
 tmp
+cdk.out
 EOF
 
 cat <<EOF > Dockerfile
-FROM node:20.18.1
+FROM node:22
 COPY . /build
 WORKDIR /build
 RUN npm ci --omit=dev && npm run build
@@ -68,38 +68,43 @@ docker build -t $dockerTag .
 # Convenience function to invoke `docker run` with appropriate env vars instead of baking them into image
 dockerRun() {
     docker run \
+        -e "AWS_ACCOUNT=$bamboo_AWS_ACCOUNT" \
         -e "AWS_ACCESS_KEY_ID=$bamboo_AWS_ACCESS_KEY_ID" \
+        -e "AWS_REGION=${bamboo_AWS_REGION:-us-east-1}" \
         -e "AWS_SECRET_ACCESS_KEY=$bamboo_AWS_SECRET_ACCESS_KEY" \
+        -e "AWS_SESSION_TOKEN=$bamboo_AWS_SESSION_TOKEN" \
+        -e "COLLECTION_TEMPLATES_BUCKET_NAME=${bamboo_COLLECTION_TEMPLATES_BUCKET_NAME}" \
         -e "COOKIE_DOMAIN=$bamboo_COOKIE_DOMAIN" \
         -e "DISPLAY_PROD_WARNING=$bamboo_DISPLAY_PROD_WARNING" \
-        -e "EDL_PASSWORD=$bamboo_EDL_PASSWORD" \
         -e "EDL_CLIENT_ID=$bamboo_EDL_CLIENT_ID" \
+        -e "EDL_PASSWORD=$bamboo_EDL_PASSWORD" \
         -e "JWT_SECRET=$bamboo_JWT_SECRET" \
         -e "JWT_VALID_TIME=$bamboo_JWT_VALID_TIME" \
         -e "LAMBDA_TIMEOUT=$bamboo_LAMBDA_TIMEOUT" \
+        -e "LOG_DESTINATION_ARN=$bamboo_LOG_DESTINATION_ARN" \
         -e "MMT_HOST=$bamboo_MMT_HOST" \
         -e "NODE_ENV=production" \
         -e "NODE_OPTIONS=--max_old_space_size=4096" \
+        -e "SITE_BUCKET=${bamboo_SITE_BUCKET}" \
+        -e "STAGE_NAME=$bamboo_STAGE_NAME" \
         -e "SUBNET_ID_A=$bamboo_SUBNET_ID_A" \
         -e "SUBNET_ID_B=$bamboo_SUBNET_ID_B" \
         -e "SUBNET_ID_C=$bamboo_SUBNET_ID_C" \
         -e "VPC_ID=$bamboo_VPC_ID" \
         $dockerTag "$@"
 }
 
-# Execute serverless commands in Docker
+# Execute CDK commands in Docker
 #######################################
 
-stageOpts="--stage $bamboo_STAGE_NAME"
-
 # Deploy AWS Infrastructure Resources
 echo 'Deploying AWS Infrastructure Resources...'
-dockerRun npx serverless deploy $stageOpts --config serverless-infrastructure.yml
+dockerRun npm run deploy-infrastructure
 
 # Deploy AWS Application Resources
 echo 'Deploying AWS Application Resources...'
-dockerRun npx serverless deploy $stageOpts
+dockerRun npm run deploy-application
 
 # Deploy static assets
 echo 'Deploying static assets to S3...'
-dockerRun npx serverless client deploy $stageOpts --no-confirm
+dockerRun npm run deploy-static