├── .dockerignore ├── .github └── workflows │ └── codeql-analysis.yml ├── .gitignore ├── LICENSE ├── README.md ├── code ├── __init__.py ├── main.py └── requirements.txt ├── docker-compose.yml ├── docker ├── app │ └── Dockerfile └── web │ ├── Dockerfile │ └── nginx.conf └── infrastructure ├── .gitignore ├── .npmignore ├── README.md ├── app_config.json ├── bin └── infrastructure.ts ├── cdk.json ├── codebuild └── buildspec.yaml ├── jest.config.js ├── lib ├── application-stack.ts ├── dashboards-stack.ts └── pipeline-stack.ts ├── package-lock.json ├── package.json ├── test └── infrastructure.test.ts └── tsconfig.json /.dockerignore: -------------------------------------------------------------------------------- 1 | infrastructure -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 
11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ master ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ master ] 20 | schedule: 21 | - cron: '44 7 * * 6' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | strategy: 33 | fail-fast: false 34 | matrix: 35 | language: [ 'javascript', 'python' ] 36 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] 37 | # Learn more: 38 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed 39 | 40 | steps: 41 | - name: Checkout repository 42 | uses: actions/checkout@v2 43 | 44 | # Initializes the CodeQL tools for scanning. 45 | - name: Initialize CodeQL 46 | uses: github/codeql-action/init@v1 47 | with: 48 | languages: ${{ matrix.language }} 49 | # If you wish to specify custom queries, you can do so here or in a config file. 50 | # By default, queries listed here will override any specified in a config file. 51 | # Prefix the list here with "+" to use these queries and those in the config file. 52 | # queries: ./path/to/local/query, your-org/your-repo/queries@main 53 | 54 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 55 | # If this step fails, then you should remove it and run the build manually (see below) 56 | - name: Autobuild 57 | uses: github/codeql-action/autobuild@v1 58 | 59 | # ℹ️ Command-line programs to run using the OS shell. 
60 | # 📚 https://git.io/JvXDl 61 | 62 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 63 | # and modify them (or add more) to build your code if your project 64 | # uses a compiled language 65 | 66 | #- run: | 67 | # make bootstrap 68 | # make release 69 | 70 | - name: Perform CodeQL Analysis 71 | uses: github/codeql-action/analyze@v1 72 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.egg-info 2 | __pycache__ 3 | .DS_Store 4 | .history -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWSome Pipeline 2 | 3 | > An example of how, with [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/home.html), you can deploy a continuous delivery 4 | > pipeline using [AWS CodePipeline](https://aws.amazon.com/codepipeline/), [AWS CodeBuild](https://aws.amazon.com/codebuild/) and 5 | > [AWS Fargate](https://aws.amazon.com/fargate/). 6 | > I have included all the best practices with a strong focus on the [KISS principle](https://en.wikipedia.org/wiki/KISS_principle). 7 | > The infrastructure code is written in [TypeScript](https://www.typescriptlang.org/). 
The infrastructure is a [sidecar](https://aws.amazon.com/blogs/compute/nginx-reverse-proxy-sidecar-container-on-amazon-ecs/) 8 | > with [Nginx](http://nginx.org/) as a proxy and a [Flask](https://palletsprojects.com/p/flask/) "hello world" application on [Gunicorn](https://gunicorn.org/) 9 | 10 | ## Folder structure 11 | 12 | ```bash 13 | code 14 | docker 15 | infrastructure 16 | ``` 17 | 18 | ### code directory 19 | 20 | dedicated to the Flask code 21 | 22 | ### docker directory 23 | 24 | dedicated to the Docker definitions: the Nginx + Gunicorn sidecar 25 | 26 | ### infrastructure directory 27 | 28 | dedicated to the AWS CDK infrastructure definition 29 | 30 | ## Installation and requirements 31 | 32 | ```bash 33 | cd infrastructure 34 | ``` 35 | 36 | ### Install the CDK framework 37 | 38 | ```bash 39 | npm install -g aws-cdk 40 | ``` 41 | 42 | ### Install the dependencies 43 | 44 | ```bash 45 | npm install 46 | ``` 47 | 48 | ### Authenticate to your AWS account 49 | 50 | Follow this guide: [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) 51 | 52 | ### Configure GitHub Token 53 | 54 | Create a [personal access token in GitHub](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) 55 | and store it in [AWS SecretsManager](https://aws.amazon.com/secrets-manager/). 56 | It is needed to configure your repository webhooks. 
57 | 58 | ```bash 59 | aws secretsmanager create-secret \ 60 | --name my_secret_token \ 61 | --secret-string yourtokenhereyourtokenhere \ 62 | --region eu-west-1 63 | ``` 64 | 65 | ## Usage 66 | 67 | The first step is exporting the AWS variables that grant the required permissions: 68 | 69 | ```bash 70 | export AWS_PROFILE="profilename" 71 | export AWS_DEFAULT_REGION="eu-west-1" 72 | ``` 73 | 74 | ### Configuring the application 75 | 76 | Edit the app_config.json file to define the project name and the existing VPC: 77 | 78 | ```json 79 | { 80 | "PROJECT_NAME": "awsome", 81 | "VPC_NAME": "default" 82 | } 83 | ``` 84 | 85 | ### Deploy the pipeline and get the CodePipeline endpoint 86 | 87 | You can create a continuous integration service bound to your current git branch. 88 | 89 | Suppose that you are on the master branch: 90 | 91 | ```bash 92 | git branch --show-current 93 | master 94 | ``` 95 | 96 | You can create a pipeline that is triggered by any commit to the master branch: 97 | 98 | ```bash 99 | cdk deploy "*" --context tier=pipeline 100 | 101 | ✅ awsome-master-pipeline 102 | 103 | Outputs: 104 | awsome-master-pipeline.LinkCodePipelinePage = https://eu-west-1.console.aws.amazon.com/codesuite/codepipeline/pipelines/awsome-master-pipeline-PipelineC660917D-11U99LG5Y4H4V/view?region=eu-west-1 105 | ``` 106 | 107 | After creation, the pipeline is triggered by every commit on the branch. It launches the staging env and, after a manual approval, the production env. 
108 | 109 | Alternatively, you can deploy the staging env directly, without going through CodePipeline, and get the staging HTTP endpoints: 110 | 111 | ```bash 112 | cdk deploy "*" --context tier=stg 113 | 114 | ✅ awsome-master-stg-app 115 | 116 | Outputs: 117 | awsome-master-stg-app.fargateLoadBalancerDNSB13ECB0B = awsom-farga-1KNVPTS0GNV8J-XXXXXXXXX.eu-west-1.elb.amazonaws.com 118 | awsome-master-stg-app.LinkEcsClusterPage = https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/clusters/awsome-master-stg-app-cluster611F8AFF-okLxuoDdfc1o/fargateServices 119 | awsome-master-stg-app.LinkCLoudWatchDashboard = https://eu-west-1.console.aws.amazon.com/cloudwatch//home?region=eu-west-1#dashboards:name=awsome-dashboard-stg-app 120 | awsome-master-stg-app.fargateServiceURL145CCBE8 = http://awsom-farga-1KNVPTS0GNV8J-XXXXXXXXX.eu-west-1.elb.amazonaws.com 121 | ``` 122 | 123 | Or you can deploy the production env and get the production HTTP endpoints: 124 | 125 | ```bash 126 | cdk deploy "*" --context tier=prd 127 | ✅ awsome-master-prd-app 128 | 129 | Outputs: 130 | awsome-master-prd-app.fargateLoadBalancerDNSB13ECB0B = awsom-farga-1KNVPTS0GNV8J-XXXXXXXXX.eu-west-1.elb.amazonaws.com 131 | awsome-master-prd-app.LinkEcsClusterPage = https://eu-west-1.console.aws.amazon.com/ecs/home?region=eu-west-1#/clusters/awsome-master-prd-app-cluster611F8AFF-okLxuoDdfc1o/fargateServices 132 | awsome-master-prd-app.LinkCLoudWatchDashboard = https://eu-west-1.console.aws.amazon.com/cloudwatch//home?region=eu-west-1#dashboards:name=awsome-master-prd-app 133 | awsome-master-prd-app.fargateServiceURL145CCBE8 = http://awsom-farga-1KNVPTS0GNV8J-XXXXXXXXX.eu-west-1.elb.amazonaws.com 134 | ``` 135 | 136 | ## Customize the application code 137 | 138 | You can customize the code inside the docker/code directory 139 | 140 | ## PLEASE GIVE ME FEEDBACK 141 | 142 | ## OPEN A GITHUB ISSUE FOR A FIX OR A REQUEST 143 | -------------------------------------------------------------------------------- 
/code/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/enricopesce/AWSome-pipeline/d418c1b7f3a02210481e40e681b8b814a6e942aa/code/__init__.py -------------------------------------------------------------------------------- /code/main.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | import os 3 | 4 | app = Flask(__name__) 5 | 6 | @app.route("/") 7 | def hello_www(): 8 | return "Busy website.. " + os.environ.get('ENV') 9 | -------------------------------------------------------------------------------- /code/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask 2 | gunicorn -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.7" 2 | services: 3 | app: 4 | build: 5 | context: ./ 6 | dockerfile: docker/app/Dockerfile 7 | expose: 8 | - "8080" 9 | ports: 10 | - "8080:8080" 11 | volumes: 12 | - ./code:/var/www/app 13 | environment: 14 | - ENV=local 15 | web: 16 | build: 17 | context: ./ 18 | dockerfile: docker/web/Dockerfile 19 | args: 20 | - FCGI_HOST=app 21 | expose: 22 | - "80" 23 | ports: 24 | - "80:80" 25 | environment: 26 | - ENV=local -------------------------------------------------------------------------------- /docker/app/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:alpine 2 | 3 | ARG CODE_DIR=./code 4 | ARG DOCKER_DIR=./docker/app 5 | 6 | RUN mkdir -p /var/www/app 7 | 8 | WORKDIR /var/www/app 9 | 10 | COPY $CODE_DIR /var/www/app 11 | 12 | RUN pip install -r requirements.txt 13 | 14 | CMD /usr/local/bin/gunicorn -w 4 --bind :8080 --access-logfile - --error-logfile - main:app -------------------------------------------------------------------------------- 
/docker/web/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:alpine 2 | 3 | ARG DOCKER_DIR=./docker/web 4 | ARG FCGI_HOST=127.0.0.1 5 | 6 | COPY $DOCKER_DIR/nginx.conf /etc/nginx/nginx.conf 7 | 8 | RUN sed -i 's/\@FCGI_HOST\@/'"$FCGI_HOST"'/' /etc/nginx/nginx.conf -------------------------------------------------------------------------------- /docker/web/nginx.conf: -------------------------------------------------------------------------------- 1 | user nginx; 2 | 3 | worker_processes auto; 4 | worker_cpu_affinity auto; 5 | 6 | pid /run/nginx.pid; 7 | 8 | events { 9 | multi_accept on; 10 | use epoll; 11 | } 12 | 13 | http { 14 | include /etc/nginx/mime.types; 15 | default_type application/octet-stream; 16 | 17 | log_format json_log escape=json 18 | '{ "timestamp": "$time_iso8601", ' 19 | '"remote_addr": "$remote_addr", ' 20 | '"remote_user": "$remote_user", ' 21 | '"body_bytes_sent": "$body_bytes_sent", ' 22 | '"status": "$status", ' 23 | '"request": "$request", ' 24 | '"request_method": "$request_method", ' 25 | '"request_time": "$request_time", ' 26 | '"upstream_addr": "$upstream_addr", ' 27 | '"upstream_status": "$upstream_status", ' 28 | '"upstream_connect_time": "$upstream_connect_time", ' 29 | '"upstream_header_time": "$upstream_header_time", ' 30 | '"upstream_response_time": "$upstream_response_time", ' 31 | '"http_host": "$http_host", ' 32 | '"http_referrer": "$http_referer", ' 33 | '"http_user_agent": "$http_user_agent", ' 34 | '"http_x_amz_cf_id": "$http_x_amz_cf_id", ' 35 | '"http_via": "$http_via", ' 36 | '"http_x_forwarded_for": "$http_x_forwarded_for", ' 37 | '"gzip_ratio": "$gzip_ratio"}'; 38 | 39 | access_log /proc/self/fd/1 json_log; 40 | error_log /proc/self/fd/2 warn; 41 | 42 | server { 43 | listen 80; 44 | server_name _; 45 | charset utf-8; 46 | client_max_body_size 4G; 47 | 48 | location / { 49 | proxy_redirect off; 50 | proxy_buffering off; 51 | proxy_pass http://@FCGI_HOST@:8080; 52 
| proxy_set_header Host $host; 53 | proxy_set_header X-Real-IP $remote_addr; 54 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 55 | proxy_set_header X-Forwarded-Proto $scheme; 56 | } 57 | } 58 | } 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | -------------------------------------------------------------------------------- /infrastructure/.gitignore: -------------------------------------------------------------------------------- 1 | *.js 2 | !jest.config.js 3 | *.d.ts 4 | node_modules 5 | 6 | # CDK asset staging directory 7 | .cdk.staging 8 | cdk.out 9 | -------------------------------------------------------------------------------- /infrastructure/.npmignore: -------------------------------------------------------------------------------- 1 | *.ts 2 | !*.d.ts 3 | 4 | # CDK asset staging directory 5 | .cdk.staging 6 | cdk.out 7 | -------------------------------------------------------------------------------- /infrastructure/README.md: -------------------------------------------------------------------------------- 1 | # Welcome to your CDK TypeScript project! 2 | 3 | This is a blank project for TypeScript development with CDK. 4 | 5 | The `cdk.json` file tells the CDK Toolkit how to execute your app. 
6 | 7 | ## Useful commands 8 | 9 | * `npm run build` compile typescript to js 10 | * `npm run watch` watch for changes and compile 11 | * `npm run test` perform the jest unit tests 12 | * `cdk deploy` deploy this stack to your default AWS account/region 13 | * `cdk diff` compare deployed stack with current state 14 | * `cdk synth` emits the synthesized CloudFormation template 15 | -------------------------------------------------------------------------------- /infrastructure/app_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "PROJECT_NAME": "awsome", 3 | "VPC_NAME": "VPC-RD" 4 | } -------------------------------------------------------------------------------- /infrastructure/bin/infrastructure.ts: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | import 'source-map-support/register'; 3 | import * as cdk from 'aws-cdk-lib'; 4 | import { PipelineStack } from '../lib/pipeline-stack' 5 | import { ApplicationStack } from '../lib/application-stack' 6 | 7 | export interface Config { 8 | PROJECT_NAME: string 9 | VPC_NAME: string 10 | } 11 | 12 | let config: Config = require('../app_config.json'); 13 | 14 | const currentGitBranch = require('current-git-branch') 15 | 16 | let WORKING_BRANCH = process.env.WORKING_BRANCH as string 17 | 18 | if (WORKING_BRANCH === undefined) { 19 | WORKING_BRANCH = currentGitBranch() as string 20 | } 21 | 22 | const env = { 23 | account: process.env.CDK_DEFAULT_ACCOUNT, 24 | region: process.env.CDK_DEFAULT_REGION 25 | } 26 | 27 | const app = new cdk.App() 28 | const tier = app.node.tryGetContext('tier') 29 | 30 | function name(suffix: string) { 31 | return config.PROJECT_NAME + "-" + WORKING_BRANCH + "-" + suffix 32 | } 33 | 34 | switch (tier) { 35 | case 'pipeline': 36 | new PipelineStack(app, name('pipeline'), 'my_secret_token', 'enricopesce', 'AWSome-pipeline', WORKING_BRANCH, { env: env }) 37 | break 38 | case 'stg': 39 | 
new ApplicationStack(app, name('stg-app'), config.VPC_NAME, 'stg', '/', { env: env }) 40 | break 41 | case 'prd': 42 | new ApplicationStack(app, name('prd-app'), config.VPC_NAME, 'prd', '/', { env: env }) 43 | break 44 | default: 45 | console.log('Please define the tier context: prd | stg | pipeline. es: --context tier=pipeline') 46 | break 47 | } 48 | 49 | app.synth() -------------------------------------------------------------------------------- /infrastructure/cdk.json: -------------------------------------------------------------------------------- 1 | { 2 | "app": "npx ts-node --prefer-ts-exts bin/infrastructure.ts", 3 | "watch": { 4 | "include": [ 5 | "**" 6 | ], 7 | "exclude": [ 8 | "README.md", 9 | "cdk*.json", 10 | "**/*.d.ts", 11 | "**/*.js", 12 | "tsconfig.json", 13 | "package*.json", 14 | "yarn.lock", 15 | "node_modules", 16 | "test" 17 | ] 18 | }, 19 | "context": { 20 | "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true, 21 | "@aws-cdk/core:stackRelativeExports": true, 22 | "@aws-cdk/aws-rds:lowercaseDbIdentifier": true, 23 | "@aws-cdk/aws-lambda:recognizeVersionProps": true, 24 | "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /infrastructure/codebuild/buildspec.yaml: -------------------------------------------------------------------------------- 1 | version: 0.2 2 | phases: 3 | install: 4 | runtime-versions: 5 | docker: 19 6 | nodejs: 12 7 | pre_build: 8 | commands: 9 | - 'cd infrastructure' 10 | - 'npm install -g aws-cdk' 11 | - 'npm install' 12 | build: 13 | commands: 14 | - 'npm run build' 15 | post_build: 16 | commands: 17 | - 'cdk deploy "*" --context tier=$ENV --require-approval never' 18 | cache: 19 | paths: 20 | - 'infrastructure/node_modules/**/*' -------------------------------------------------------------------------------- /infrastructure/jest.config.js: 
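--------------------------------------------------------------------------------
// Jest configuration for the CDK package.
// NOTE(review): the listing read `roots: ['/test']`, an absolute path that exists
// neither on a developer machine nor in CodeBuild. The CDK template uses the
// `<rootDir>` token, which was almost certainly stripped as an HTML tag when the
// page was extracted; restored here so `npm test` can find test/.
module.exports = {
  testEnvironment: 'node',
  roots: ['<rootDir>/test'],
  testMatch: ['**/*.test.ts'],
  transform: {
    '^.+\\.tsx?$': 'ts-jest'
  }
};

--------------------------------------------------------------------------------
/infrastructure/lib/application-stack.ts:
--------------------------------------------------------------------------------
import 'source-map-support/register'
import * as path from 'path'
import { Stack, StackProps, Duration, CfnOutput } from 'aws-cdk-lib';
import { aws_ecs, aws_ecs_patterns, aws_ecr_assets, aws_ec2 } from 'aws-cdk-lib';
import * as dashboards from './dashboards-stack';
import { Construct } from 'constructs';

/**
 * Runs a two-container task ("web" from docker/web, "app" from docker/app) as an
 * ALB-fronted Fargate service inside an existing VPC, wires CPU / memory /
 * request-count autoscaling, and publishes the ECS and ALB dashboards from
 * ./dashboards-stack plus console deep links as stack outputs.
 *
 * @param vpc_name          Name tag of the VPC to look up. `Vpc.fromLookup` needs a
 *                          concrete account/region in `props.env` (a context lookup).
 * @param env_level         Exported to both containers as the ENV variable (default 'prd').
 * @param health_check_path ALB target-group health-check path (default '/').
 */
export class ApplicationStack extends Stack {
  private fargateService: aws_ecs_patterns.ApplicationLoadBalancedFargateService

  constructor(scope: Construct, id: string, vpc_name: string, env_level: string = 'prd', health_check_path: string = '/',
    props?: StackProps) {
    super(scope, id, props)

    const vpc = aws_ec2.Vpc.fromLookup(this, "vpc", { vpcName: vpc_name })

    // Both images use the repository root as build context, so everything the root
    // .dockerignore does not exclude is sent to the Docker daemon and can be COPYed
    // into the image. Keep .git, local env/secret files and the infrastructure/
    // tree (the CDK app itself) out of it.
    const web_asset = new aws_ecr_assets.DockerImageAsset(this, 'web_asset', {
      directory: path.join(__dirname, '../../'),
      file: 'docker/web/Dockerfile',
    })

    const app_asset = new aws_ecr_assets.DockerImageAsset(this, 'app_asset', {
      directory: path.join(__dirname, '../../'),
      file: 'docker/app/Dockerfile',
    })

    const cluster = new aws_ecs.Cluster(this, "cluster", {
      vpc: vpc
    })

    // SECURITY(review): the load balancer is internet-facing and listens on plain
    // HTTP (port 80); nothing in this stack terminates TLS, so the session cookie
    // enabled by enableCookieStickiness() below and any credentials the app
    // handles cross the internet in clear text. Once an ACM certificate is
    // available, pass `certificate` (and `redirectHTTP: true`) here so the
    // listener becomes HTTPS on 443 — not changed here because no certificate
    // is referenced anywhere in the visible code.
    this.fargateService = new aws_ecs_patterns.ApplicationLoadBalancedFargateService(this, 'fargate', {
      cluster: cluster,
      desiredCount: 1,
      taskImageOptions: {
        image: aws_ecs.ContainerImage.fromDockerImageAsset(web_asset),
        environment: {
          ENV: env_level
        },
      },
      publicLoadBalancer: true,
      listenerPort: 80
    })

    // 2 consecutive probes (15 s apart, 10 s timeout) flip a target healthy/unhealthy;
    // redirects (3xx) count as healthy so a "/" that redirects to a login page passes.
    this.fargateService.targetGroup.configureHealthCheck({
      path: health_check_path,
      healthyThresholdCount: 2,
      healthyHttpCodes: '200-399',
      unhealthyThresholdCount: 2,
      timeout: Duration.seconds(10),
      interval: Duration.seconds(15)
    })

    this.fargateService.targetGroup.enableCookieStickiness(Duration.hours(1))

    // Short drain so scale-in / rollouts do not hold old tasks for the 300 s default.
    this.fargateService.targetGroup.setAttribute("deregistration_delay.timeout_seconds", "10")

    // Second container in the same task; "web" (created by the pattern above) is the
    // one the ALB targets, so "app" is reached only from inside the task.
    this.fargateService.taskDefinition.addContainer('app', {
      image: aws_ecs.ContainerImage.fromDockerImageAsset(app_asset),
      logging: aws_ecs.LogDriver.awsLogs({ streamPrefix: 'fargate' }),
      environment: {
        ENV: env_level
      }
    })

    const scalableTarget = this.fargateService.service.autoScaleTaskCount({
      maxCapacity: 20,
      minCapacity: 1
    })

    scalableTarget.scaleOnCpuUtilization('CpuScaling', {
      targetUtilizationPercent: 50,
      scaleInCooldown: Duration.seconds(300),
      scaleOutCooldown: Duration.seconds(60)
    })

    scalableTarget.scaleOnRequestCount('RequestCountScaling', {
      requestsPerTarget: 1000,
      targetGroup: this.fargateService.targetGroup,
      scaleInCooldown: Duration.seconds(60),
      scaleOutCooldown: Duration.seconds(10)
    })

    scalableTarget.scaleOnMemoryUtilization('MemoryScaling', {
      targetUtilizationPercent: 90,
      scaleInCooldown: Duration.seconds(60),
      scaleOutCooldown: Duration.seconds(10)
    })

    new dashboards.DashboardEcs(this, "ecsdashboard", {
      DashboardName: this.stackName,
      EcsClusterName: cluster.clusterName,
      EcsServicName: this.fargateService.service.serviceName,
      EcsLogStreams: [ this.getLogStream("app"), this.getLogStream("web") ]
    })

    new dashboards.DashboardAlb(this, "albdashboard", {
      DashboardName: this.stackName,
      AlbName: this.fargateService.loadBalancer.loadBalancerFullName,
      AlbTargetGroupName: this.fargateService.targetGroup.targetGroupFullName
    })

    new CfnOutput(this, 'LinkEcsClusterPage', {
      value: "https://"
        + this.region
        + ".console.aws.amazon.com/ecs/"
        + "home?region="
        + this.region
        + "#/clusters/"
        + cluster.clusterName
        + "/fargateServices"
    })

    new CfnOutput(this, 'LinkCloudWatchDashboard', {
      value: "https://"
        + this.region
        + ".console.aws.amazon.com/cloudwatch/"
        + "/home?region=" + this.region
        + "#dashboards:name=" + this.stackName
    })
  }

  /**
   * Returns the CloudWatch log group name of the named container in the
   * service's task definition, or "" when the container does not exist or has
   * no awslogs driver configured.
   *
   * @param containerName Construct id of the container (e.g. "app", "web").
   */
  private getLogStream(containerName: string): string {
    const task_def = this.fargateService.service.taskDefinition
    // tryFindChild() returns undefined for an unknown id. The original `as`
    // cast hid that and the next property access would have thrown a TypeError;
    // an instanceof check narrows honestly and also rejects non-container children.
    const container = task_def.node.tryFindChild(containerName)
    if (!(container instanceof aws_ecs.ContainerDefinition)) {
      return ""
    }
    return container.logDriverConfig?.options?.["awslogs-group"] ?? ""
  }

}

--------------------------------------------------------------------------------
/infrastructure/lib/dashboards-stack.ts:
--------------------------------------------------------------------------------
import { Construct } from 'constructs';
import { aws_cloudwatch } from 'aws-cdk-lib';
import { Duration } from 'aws-cdk-lib';

/** Inputs for the ECS service dashboard. */
export interface DashboardEcsProps {
  /** Prefix of the dashboard name; "-ecs" is appended. */
  readonly DashboardName: string
  readonly EcsClusterName: string
  readonly EcsServicName: string
  /** CloudWatch log group names to tail; empty strings are ignored. */
  readonly EcsLogStreams: string[]
}

/** Inputs for the ALB dashboard. */
export interface DashboardAlbProps {
  /** Prefix of the dashboard name; "-alb" is appended. */
  readonly DashboardName: string,
  /** Full target-group name as expected by the AWS/ApplicationELB TargetGroup dimension. */
  readonly AlbTargetGroupName: string,
  /** Full load-balancer name as expected by the AWS/ApplicationELB LoadBalancer dimension. */
  readonly AlbName: string
}

/**
 * CloudWatch dashboard with one graph per key AWS/ApplicationELB metric for a
 * single load balancer / target group pair.
 */
export class DashboardAlb extends Construct implements DashboardAlbProps {
  readonly DashboardName: string
  readonly AlbTargetGroupName: string
  readonly AlbName: string

  constructor(scope: Construct, id: string, 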
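props: DashboardAlbProps) {
    super(scope, id)
    // Copy the props onto the instance so the `implements DashboardAlbProps`
    // contract is actually honoured (the readonly fields were never assigned and
    // read back as undefined; tsconfig has strictPropertyInitialization off).
    this.DashboardName = props.DashboardName
    this.AlbTargetGroupName = props.AlbTargetGroupName
    this.AlbName = props.AlbName

    const dashboard = new aws_cloudwatch.Dashboard(this, 'albdashboard', {
      dashboardName: props.DashboardName + "-alb"
    })

    dashboard.addWidgets(
      this.buildAlbWidget('NewConnectionCount', props, 'sum'),
      this.buildAlbWidget('ActiveConnectionCount', props, 'sum'),
      this.buildAlbWidget('RequestCount', props, 'sum'),
      this.buildAlbWidget('TargetResponseTime', props),
      this.buildAlbWidget('RequestCountPerTarget', props, 'sum'),
      this.buildAlbWidget('TargetConnectionErrorCount', props, 'sum'),
      this.buildAlbWidget('UnHealthyHostCount', props)
    )
  }

  /**
   * Builds one 8x6 graph widget for an AWS/ApplicationELB metric scoped to the
   * load balancer and target group in `props`.
   *
   * @param metricName ELB metric name (e.g. RequestCount).
   * @param statistic  CloudWatch statistic; default 'avg'.
   * @param period     Aggregation period; default 5 minutes.
   * @param widgetName Widget title; defaults to the metric name.
   */
  private buildAlbWidget(metricName: string, props: DashboardAlbProps, statistic: string = 'avg',
    period: Duration = Duration.minutes(5), widgetName?: string): aws_cloudwatch.GraphWidget {

    const title = widgetName === undefined ? metricName : widgetName

    const metric = new aws_cloudwatch.Metric({
      namespace: 'AWS/ApplicationELB',
      metricName: metricName,
      dimensionsMap: {
        TargetGroup: props.AlbTargetGroupName,
        LoadBalancer: props.AlbName
      },
      statistic: statistic,
      period: period
    })

    return new aws_cloudwatch.GraphWidget({
      title: title,
      width: 8,
      height: 6,
      left: [metric]
    })
  }
}

/**
 * CloudWatch dashboard for one ECS service: CPU / memory utilisation, a running
 * task count derived from the CPU sample count, and a log tail per log group.
 */
export class DashboardEcs extends Construct implements DashboardEcsProps {
  readonly DashboardName: string
  readonly EcsClusterName: string
  readonly EcsServicName: string
  // Was typed `[string]` (a one-element tuple), which disagreed with the
  // `string[]` declared in DashboardEcsProps; aligned with the interface.
  readonly EcsLogStreams: string[]

  constructor(scope: Construct, id: string, props: DashboardEcsProps) {
    super(scope, id)
    this.DashboardName = props.DashboardName
    this.EcsClusterName = props.EcsClusterName
    this.EcsServicName = props.EcsServicName
    this.EcsLogStreams = props.EcsLogStreams

    const dashboard = new aws_cloudwatch.Dashboard(this, 'ecsdashboard', {
      dashboardName: props.DashboardName + "-ecs"
    })

    dashboard.addWidgets(
      this.buildEcsWidget('CPUUtilization', props),
      this.buildEcsWidget('MemoryUtilization', props),
      // SampleCount of CPUUtilization over 1 minute == number of tasks reporting.
      this.buildEcsWidget('CPUUtilization', props, 'SampleCount', Duration.minutes(1), "RunningTasks")
    )

    // The caller (ApplicationStack.getLogStream) yields "" for a container without
    // an awslogs driver; an empty log group name is not a usable widget source,
    // so skip it instead of emitting a broken widget.
    for (const logGroupName of props.EcsLogStreams) {
      if (logGroupName === "") {
        continue
      }
      dashboard.addWidgets(this.buildLogWidget(logGroupName))
    }
  }

  /**
   * Builds one 8x6 graph widget for an AWS/ECS metric scoped to the cluster and
   * service in `props`.
   *
   * @param metricName ECS metric name (CPUUtilization, MemoryUtilization).
   * @param statistic  CloudWatch statistic; default 'avg'.
   * @param period     Aggregation period; default 5 minutes.
   * @param widgetName Widget title; defaults to the metric name.
   */
  private buildEcsWidget(metricName: string, props: DashboardEcsProps, statistic: string = 'avg',
    period: Duration = Duration.minutes(5), widgetName?: string): aws_cloudwatch.GraphWidget {

    const title = widgetName === undefined ? metricName : widgetName

    const metric = new aws_cloudwatch.Metric({
      namespace: 'AWS/ECS',
      metricName: metricName,
      dimensionsMap: {
        ClusterName: props.EcsClusterName,
        ServiceName: props.EcsServicName
      },
      statistic: statistic,
      period: period
    })

    return new aws_cloudwatch.GraphWidget({
      title: title,
      width: 8,
      height: 6,
      left: [metric]
    })
  }

  /** Full-width Logs Insights widget showing raw `@message` lines of one log group. */
  private buildLogWidget(logGroupName: string): aws_cloudwatch.LogQueryWidget {
    return new aws_cloudwatch.LogQueryWidget({
      width: 24,
      height: 6,
      logGroupNames: [logGroupName],
      queryLines: [
        'fields @message'
      ]
    })
  }

}

--------------------------------------------------------------------------------
/infrastructure/lib/pipeline-stack.ts:
--------------------------------------------------------------------------------
import 'source-map-support/register'
import { Stack, StackProps, Duration, CfnOutput, SecretValue, RemovalPolicy } from 'aws-cdk-lib';
import { aws_iam, aws_codebuild, aws_codepipeline, aws_codepipeline_actions, aws_s3 } from 'aws-cdk-lib';
import { Construct } from 'constructs';

/**
 * CodePipeline: GitHub source -> CodeBuild deliver to staging -> manual approval
 * -> CodeBuild deliver to production. Both deliver stages run the same CodeBuild
 * project with infrastructure/codebuild/buildspec.yaml taken from the checkout,
 * differing only in the ENV variable ('stg' / 'prd').
 *
 * @param gitToken      Name (or ARN) of the Secrets Manager secret that holds the
 *                      GitHub OAuth token used by the source action.
 * @param github_owner  GitHub organisation / user that owns the repository.
 * @param github_repo   Repository name.
 * @param github_branch Branch that triggers the pipeline; also exported to the
 *                      build as WORKING_BRANCH.
 */
export class PipelineStack extends Stack {
  constructor(scope: Construct, id: string, gitToken: string, github_owner: string, github_repo: string,
    github_branch: string, props?: StackProps) {
    super(scope, id, props)

    const role = new aws_iam.Role(this, 'role', { assumedBy: new 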
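aws_iam.ServicePrincipal('codebuild.amazonaws.com') })
    // SECURITY(review): the original attached the AdministratorAccess managed
    // policy to this role. The build executes a buildspec read from the source
    // checkout, so anyone who can push to `github_branch` — or whoever holds the
    // GitHub token — would get full administrator rights in the account. A CDK v2
    // deployment only needs to assume the bootstrap roles (cdk-<qualifier>-deploy-role,
    // -file-publishing-role, -image-publishing-role, -lookup-role); those roles carry
    // the actual CloudFormation / S3 / ECR permissions and the lookup role covers
    // ApplicationStack's Vpc.fromLookup. The buildspec is not visible here; if it
    // does more than `cdk deploy`, grant that explicitly instead of restoring
    // AdministratorAccess.
    role.addToPolicy(new aws_iam.PolicyStatement({
      actions: ['sts:AssumeRole'],
      resources: [`arn:${this.partition}:iam::${this.account}:role/cdk-*`]
    }))

    const project = new aws_codebuild.PipelineProject(this, 'pipelineProject', {
      buildSpec: aws_codebuild.BuildSpec.fromSourceFilename('infrastructure/codebuild/buildspec.yaml'),
      cache: aws_codebuild.Cache.bucket(
        new aws_s3.Bucket(this, 'cache', {
          removalPolicy: RemovalPolicy.DESTROY,
          autoDeleteObjects: true,
          // Build cache can contain dependency tarballs and layer contents; keep it
          // private, encrypted at rest and TLS-only.
          blockPublicAccess: aws_s3.BlockPublicAccess.BLOCK_ALL,
          encryption: aws_s3.BucketEncryption.S3_MANAGED,
          enforceSSL: true
        })
      ),
      environment: {
        buildImage: aws_codebuild.LinuxBuildImage.STANDARD_4_0,
        // Privileged mode is required to `docker build` the image assets, but it
        // gives the build container root-equivalent control of the build host —
        // one more reason the role above must not be an account administrator.
        privileged: true
      },
      role: role
    })

    const source_output = new aws_codepipeline.Artifact()
    const staging_output = new aws_codepipeline.Artifact()
    const production_output = new aws_codepipeline.Artifact()

    // NOTE(review): this is the token-based (version 1) GitHub source provider.
    // The OAuth token in Secrets Manager grants repo + admin:repo_hook scope to the
    // pipeline; a CodeStar connection (CodeStarConnectionsSourceAction) avoids a
    // long-lived token. Left as-is because no connection ARN is available here.
    const source_action = new aws_codepipeline_actions.GitHubSourceAction({
      actionName: 'GitHub_Source',
      owner: github_owner,
      repo: github_repo,
      branch: github_branch,
      oauthToken: SecretValue.secretsManager(gitToken),
      output: source_output
    })

    const staging_action = new aws_codepipeline_actions.CodeBuildAction({
      actionName: 'Deliver',
      project: project,
      input: source_output,
      outputs: [staging_output],
      environmentVariables: {
        'ENV': {
          value: 'stg',
        },
        'WORKING_BRANCH': {
          value: github_branch
        }
      }
    })

    const manual_approval_action = new aws_codepipeline_actions.ManualApprovalAction({
      actionName: 'Approve'
    })

    const production_action = new aws_codepipeline_actions.CodeBuildAction({
      actionName: 'Deliver',
      project: project,
      input: source_output,
      outputs: [production_output],
      environmentVariables: {
        'ENV': {
          value: 'prd',
        },
        'WORKING_BRANCH': {
          value: github_branch
        }
      }
    })

    // Pipeline artifacts include the full source checkout; same hardening as the cache.
    const bucketArtifacts = new aws_s3.Bucket(this, 'artifacts', {
      removalPolicy: RemovalPolicy.DESTROY,
      autoDeleteObjects: true,
      blockPublicAccess: aws_s3.BlockPublicAccess.BLOCK_ALL,
      encryption: aws_s3.BucketEncryption.S3_MANAGED,
      enforceSSL: true
    })

    const pipeline = new aws_codepipeline.Pipeline(this, "Pipeline", {
      artifactBucket: bucketArtifacts
    })

    pipeline.addStage({
      stageName: 'Source',
      actions: [source_action]
    })

    pipeline.addStage({
      stageName: 'Staging',
      actions: [staging_action]
    })

    // Production is gated on a human approval; see the unit test in test/.
    pipeline.addStage({
      stageName: 'Approval',
      actions: [manual_approval_action]
    })

    pipeline.addStage({
      stageName: 'Production',
      actions: [production_action]
    })

    new CfnOutput(this, 'LinkCodePipelinePage', {
      value: "https://"
        + this.region
        + ".console.aws.amazon.com/codesuite/"
        + "codepipeline/pipelines/"
        + pipeline.pipelineName
        + "/view?region=" + this.region
    })
  }
}

--------------------------------------------------------------------------------
/infrastructure/package.json:
--------------------------------------------------------------------------------
{
  "name": "infrastructure",
  "version": "0.1.0",
  "bin": {
    "infrastructure": "bin/infrastructure.js"
  },
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk"
  },
  "devDependencies": {
    "@types/jest": "^26.0.10",
    "@types/node": "10.17.27",
    "aws-cdk": "2.1.0",
    "jest": "^26.4.2",
    "ts-jest": "^26.2.0",
    "ts-node": "^9.0.0",
    "typescript": "~3.9.7"
  },
  "dependencies": {
    "aws-cdk-lib": "2.1.0",
    "constructs": "^10.0.0",
    "current-git-branch": "^1.1.0",
    "source-map-support": "^0.5.16"
  }
}

--------------------------------------------------------------------------------
/infrastructure/test/infrastructure.test.ts:
--------------------------------------------------------------------------------
import * as cdk from 'aws-cdk-lib';
import { Template, Match } from 'aws-cdk-lib/assertions';
import { PipelineStack } from '../lib/pipeline-stack';

// The CDK template placeholder ('SQS Queue Created' with an all-commented body)
// imported a lib/infrastructure-stack that does not exist and always passed.
// PipelineStack needs no context lookups, so it can be synthesized here;
// ApplicationStack uses Vpc.fromLookup and would need a populated cdk.context.json.
function synthPipeline(): Template {
  const app = new cdk.App();
  const stack = new PipelineStack(app, 'TestPipeline', 'github-token', 'owner', 'repo', 'main');
  return Template.fromStack(stack);
}

test('production deploy is gated behind a manual approval', () => {
  const template = synthPipeline();
  // arrayWith checks order: Approval must come before Production.
  template.hasResourceProperties('AWS::CodePipeline::Pipeline', {
    Stages: Match.arrayWith([
      Match.objectLike({ Name: 'Approval' }),
      Match.objectLike({ Name: 'Production' })
    ])
  });
});

test('no role in the pipeline stack carries AdministratorAccess', () => {
  const template = synthPipeline();
  // Guard against the admin managed policy creeping back onto the CodeBuild role.
  const roles = template.findResources('AWS::IAM::Role');
  for (const role of Object.values(roles)) {
    const managed = role.Properties?.ManagedPolicyArns ?? [];
    expect(JSON.stringify(managed)).not.toContain('AdministratorAccess');
  }
});

--------------------------------------------------------------------------------
/infrastructure/tsconfig.json:
--------------------------------------------------------------------------------
{
  "compilerOptions": {
    "target": "ES2018",
    "module": "commonjs",
    "lib": [
      "es2018"
    ],
    "declaration": true,
    "strict": true,
    "noImplicitAny": true,
    "strictNullChecks": true,
    "noImplicitThis": true,
    "alwaysStrict": true,
    "noUnusedLocals": false,
    "noUnusedParameters": false,
    "noImplicitReturns": true,
    "noFallthroughCasesInSwitch": false,
    "inlineSourceMap": true,
    "inlineSources": true,
    "experimentalDecorators": true,
    "strictPropertyInitialization": false,
    "typeRoots": [
      "./node_modules/@types"
    ]
  },
  "exclude": [
    "node_modules",
    "cdk.out"
  ]
}
--------------------------------------------------------------------------------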