HookStack: Implement version prune in AfterAllowTraffic (#57)

Author: AaronMoat

.changeset/wet-numbers-pull.md

@@ -0,0 +1,5 @@
+---
+'@seek/aws-codedeploy-infra': minor
+---
+
+HookStack: Implement version prune in AfterAllowTraffic

packages/infra/cli/codegen/bundleAssets.ts

@@ -29,6 +29,7 @@ export const bundleAssets = async () => {
     ],
     format: 'esm',
     logLevel: 'debug',
+    outExtension: { '.js': '.mjs' },
     outdir: assetDir,
     platform: 'node',
     sourcemap: true,

packages/infra/package.json

@@ -31,6 +31,7 @@
     "@types/aws-lambda": "^8.10.130",
     "aws-cdk-lib": "^2.115.0",
     "constructs": "^10.3.0",
+    "skuba-dive": "^2.0.0",
     "zod": "^3.22.4"
   },
   "devDependencies": {

packages/infra/src/constructs/__snapshots__/stack.test.ts.snap

@@ -11,6 +11,138 @@ exports[`returns expected CloudFormation stack 1`] = `
     },
   },
   "Resources": {
+    "AfterAllowTrafficHookE4DBA370": {
+      "DependsOn": [
+        "AfterAllowTrafficHookServiceRoleDefaultPolicyB04250EE",
+        "AfterAllowTrafficHookServiceRoleE545FEA8",
+      ],
+      "Properties": {
+        "Architectures": [
+          "arm64",
+        ],
+        "Code": {
+          "S3Bucket": {
+            "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}",
+          },
+          "S3Key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.zip",
+        },
+        "Description": "AfterAllowTraffic hook deployed outside of a VPC",
+        "Environment": {
+          "Variables": {
+            "NODE_ENV": "production",
+            "NODE_OPTIONS": "--enable-source-maps",
+            "VERSIONS_TO_KEEP": "3",
+          },
+        },
+        "FunctionName": "aws-codedeploy-hook-AfterAllowTraffic",
+        "Handler": "index.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "AfterAllowTrafficHookServiceRoleE545FEA8",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs20.x",
+        "Timeout": 300,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "AfterAllowTrafficHookServiceRoleDefaultPolicyB04250EE": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "codedeploy:GetApplicationRevision",
+                "codedeploy:GetDeployment",
+                "codedeploy:PutLifecycleEventHookExecutionStatus",
+                "lambda:ListAliases",
+                "lambda:ListVersionsByFunction",
+                "lambda:DeleteFunction",
+              ],
+              "Effect": "Allow",
+              "Resource": "*",
+            },
+            {
+              "Action": [
+                "codedeploy:GetApplicationRevision",
+                "codedeploy:GetDeployment",
+                "codedeploy:PutLifecycleEventHookExecutionStatus",
+                "lambda:ListAliases",
+                "lambda:ListVersionsByFunction",
+                "lambda:DeleteFunction",
+              ],
+              "Condition": {
+                "Null": {
+                  "aws:ResourceTag/aws-codedeploy-hooks": "true",
+                },
+              },
+              "Effect": "Deny",
+              "Resource": "*",
+            },
+            {
+              "Action": [
+                "codedeploy:GetApplicationRevision",
+                "codedeploy:GetDeployment",
+                "codedeploy:PutLifecycleEventHookExecutionStatus",
+                "lambda:ListAliases",
+                "lambda:ListVersionsByFunction",
+                "lambda:DeleteFunction",
+              ],
+              "Condition": {
+                "StringEquals": {
+                  "aws:ResourceTag/aws-codedeploy-hooks": [
+                    "",
+                    "false",
+                  ],
+                },
+              },
+              "Effect": "Deny",
+              "Resource": "*",
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "AfterAllowTrafficHookServiceRoleDefaultPolicyB04250EE",
+        "Roles": [
+          {
+            "Ref": "AfterAllowTrafficHookServiceRoleE545FEA8",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
+    "AfterAllowTrafficHookServiceRoleE545FEA8": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Join": [
+              "",
+              [
+                "arn:",
+                {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
     "BeforeAllowTrafficHookFCD1BC97": {
       "DependsOn": [
         "BeforeAllowTrafficHookServiceRoleDefaultPolicyDB153C72",
@@ -92,7 +224,12 @@ exports[`returns expected CloudFormation stack 1`] = `
               "Resource": "*",
             },
             {
-              "Action": "*",
+              "Action": [
+                "codedeploy:GetApplicationRevision",
+                "codedeploy:GetDeployment",
+                "codedeploy:PutLifecycleEventHookExecutionStatus",
+                "lambda:InvokeFunction",
+              ],
               "Condition": {
                 "Null": {
                   "aws:ResourceTag/aws-codedeploy-hooks": "true",
@@ -102,7 +239,12 @@ exports[`returns expected CloudFormation stack 1`] = `
               "Resource": "*",
             },
             {
-              "Action": "*",
+              "Action": [
+                "codedeploy:GetApplicationRevision",
+                "codedeploy:GetDeployment",
+                "codedeploy:PutLifecycleEventHookExecutionStatus",
+                "lambda:InvokeFunction",
+              ],
               "Condition": {
                 "StringEquals": {
                   "aws:ResourceTag/aws-codedeploy-hooks": [

packages/infra/src/constructs/lambda.ts

@@ -2,14 +2,18 @@ import path from 'path';
 
 import { Duration, aws_lambda } from 'aws-cdk-lib';
 
-export const createLambdaHookProps = (): aws_lambda.FunctionProps => ({
+export const createLambdaHookProps = (
+  environment: Record<string, string>,
+): aws_lambda.FunctionProps => ({
   architecture: aws_lambda.Architecture.ARM_64,
 
   code: aws_lambda.Code.fromAsset(
     path.join(__dirname, '..', 'assets', 'handlers'),
   ),
 
   environment: {
+    ...environment,
+
     NODE_ENV: 'production',
 
     // https://nodejs.org/api/cli.html#cli_node_options_options

packages/infra/src/constructs/stack.test.ts

@@ -9,7 +9,7 @@ it('returns expected CloudFormation stack', () => {
 
   const template = assertions.Template.fromStack(stack);
 
-  template.resourceCountIs('AWS::Lambda::Function', 1);
+  template.resourceCountIs('AWS::Lambda::Function', 2);
 
   template.resourcePropertiesCountIs(
     'AWS::Lambda::Function',
@@ -32,5 +32,5 @@ it('supports a custom ID', () => {
 
   const template = assertions.Template.fromStack(stack);
 
-  template.resourceCountIs('AWS::Lambda::Function', 1);
+  template.resourceCountIs('AWS::Lambda::Function', 2);
 });

packages/infra/src/constructs/stack.ts

@@ -3,44 +3,70 @@ import type { Construct } from 'constructs';
 
 import { createLambdaHookProps } from './lambda';
 
-export type HookStackProps = Record<string, never>;
+const hooks = ['BeforeAllowTraffic', 'AfterAllowTraffic'] as const;
+
+type HookName = (typeof hooks)[number];
+
+export type HookStackProps = {
+  prune?: {
+    versionsToKeep?: number;
+  };
+};
 
 export class HookStack extends Stack {
-  constructor(scope: Construct, id?: string, _props: HookStackProps = {}) {
+  constructor(scope: Construct, id?: string, props: HookStackProps = {}) {
     super(scope, id ?? 'HookStack', {
       description: 'AWS CodeDeploy hooks',
       stackName: 'aws-codedeploy-hooks',
       terminationProtection: true,
     });
 
-    const beforeAllowTrafficHook = new aws_lambda.Function(
-      this,
-      'BeforeAllowTrafficHook',
+    this.addHook('BeforeAllowTraffic', {}, ['lambda:InvokeFunction']);
+
+    this.addHook(
+      'AfterAllowTraffic',
       {
-        ...createLambdaHookProps(),
-        description: 'BeforeAllowTraffic hook deployed outside of a VPC',
-        functionName: 'aws-codedeploy-hook-BeforeAllowTraffic',
-        vpc: undefined,
+        VERSIONS_TO_KEEP: (props.prune?.versionsToKeep ?? 3).toString(),
       },
+      [
+        'lambda:ListAliases',
+        'lambda:ListVersionsByFunction',
+        'lambda:DeleteFunction',
+      ],
     );
+  }
+
+  private addHook(
+    hook: HookName,
+    environment: Record<string, string>,
+    baseActions: string[],
+  ): void {
+    const actions = [
+      'codedeploy:GetApplicationRevision',
+      'codedeploy:GetDeployment',
+      'codedeploy:PutLifecycleEventHookExecutionStatus',
+      ...baseActions,
+    ];
+
+    const hookFunction = new aws_lambda.Function(this, `${hook}Hook`, {
+      ...createLambdaHookProps(environment),
+      description: `${hook} hook deployed outside of a VPC`,
+      functionName: `aws-codedeploy-hook-${hook}`,
+      vpc: undefined,
+    });
 
-    beforeAllowTrafficHook.addToRolePolicy(
+    hookFunction.addToRolePolicy(
       new aws_iam.PolicyStatement({
-        actions: [
-          'codedeploy:GetApplicationRevision',
-          'codedeploy:GetDeployment',
-          'codedeploy:PutLifecycleEventHookExecutionStatus',
-          'lambda:InvokeFunction',
-        ],
+        actions,
         effect: aws_iam.Effect.ALLOW,
         resources: ['*'],
       }),
     );
 
     // Deny access to resources that lack an `aws-codedeploy-hooks` tag.
-    beforeAllowTrafficHook.addToRolePolicy(
+    hookFunction.addToRolePolicy(
       new aws_iam.PolicyStatement({
-        actions: ['*'],
+        actions,
         conditions: {
           Null: {
             'aws:ResourceTag/aws-codedeploy-hooks': 'true',
@@ -52,9 +78,9 @@ export class HookStack extends Stack {
     );
 
     // Deny access to resources that have a falsy `aws-codedeploy-hooks` tag.
-    beforeAllowTrafficHook.addToRolePolicy(
+    hookFunction.addToRolePolicy(
       new aws_iam.PolicyStatement({
-        actions: ['*'],
+        actions,
         conditions: {
           StringEquals: {
             'aws:ResourceTag/aws-codedeploy-hooks': ['', 'false'],

packages/infra/src/handlers/process/lambda/lambda.test.ts

@@ -1,4 +1,5 @@
 jest.mock('./smokeTest');
+jest.mock('./prune');
 
 import 'aws-sdk-client-mock-jest';
 
@@ -9,16 +10,19 @@ import {
 import { mockClient } from 'aws-sdk-client-mock';
 
 import { type Options, lambda } from './lambda';
+import { prune } from './prune';
 import type { LambdaAppSpec } from './schema';
 import { smokeTest } from './smokeTest';
 
 const codeDeploy = mockClient(CodeDeployClient);
 
 const smokeTestMock = jest.mocked(smokeTest);
+const pruneMock = jest.mocked(prune);
 
 afterEach(() => {
   codeDeploy.reset();
   smokeTestMock.mockReset();
+  pruneMock.mockReset();
 });
 
 describe('lambda', () => {
@@ -150,7 +154,7 @@ describe('lambda', () => {
     );
   });
 
-  it('throws an error if AppSpec specifies the current hook as AfterAllowTraffic', async () => {
+  it('executes a prune on AfterAllowTraffic', async () => {
     codeDeploy.on(GetApplicationRevisionCommand).resolves({
       revision: {
         string: {
@@ -164,9 +168,9 @@ describe('lambda', () => {
       },
     });
 
-    await expect(lambda(opts)).rejects.toThrowErrorMatchingInlineSnapshot(
-      `"AfterAllowTraffic is not yet supported"`,
-    );
+    await expect(lambda(opts)).resolves.toBeUndefined();
+
+    expect(pruneMock).toHaveBeenCalledTimes(1);
   });
 
   it('throws an error if AppSpec does not specify the current hook', async () => {