Merge branch 'main' into rjuliano/amplify-integ-test-backend

Author: rjuliano

.flake8

@@ -0,0 +1,4 @@
+[flake8]
+exclude = cdk.out
+extend-ignore = E203, W503
+max-line-length = 100

.isort.cfg

@@ -0,0 +1,8 @@
+[settings]
+ensure_newline_before_comments = True
+force_grid_wrap = 0
+include_trailing_comma = True
+line_length = 100
+multi_line_output = 3
+use_parentheses = True
+skip = cdk.out

requirements.txt

@@ -1,4 +1,6 @@
 aws_cdk.aws_apigateway
+aws_cdk.aws_cloudfront
+aws_cdk.aws_cloudfront_origins
 aws_cdk.aws_cloudtrail
 aws_cdk.aws_cloudwatch
 aws_cdk.aws_codebuild
@@ -10,6 +12,7 @@ aws_cdk.aws_iot
 aws_cdk.aws_kinesis
 aws_cdk.aws_kinesisfirehose
 aws_cdk.aws_kms
+aws_cdk.aws_lambda_python
 aws_cdk.aws_logs
 aws_cdk.aws_pinpoint
 aws_cdk.aws_s3
@@ -18,3 +21,4 @@ aws_cdk.core
 black
 boto3
 isort
+flake8

src/build_infrastructure/android/amplify_custom_resources/__init__.py

@@ -3,4 +3,5 @@
 from .device_farm_project import DeviceFarmProject
 from .device_farm_device_pool import DeviceFarmDevicePool
 from .pull_request_builder import PullRequestBuilder
+from .maven_release_publisher import MavenPublisher
 sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), "."))

src/build_infrastructure/android/amplify_custom_resources/maven_release_publisher.py

@@ -0,0 +1,39 @@
+
+from aws_cdk import core
+from aws_cdk.aws_codebuild import (
+    BuildEnvironment,
+    BuildSpec,
+    ComputeType,
+    EventAction,
+    FilterGroup,
+    LinuxBuildImage,
+    Project,
+    Source
+)
+
+class MavenPublisher(Project):
+    BUILD_IMAGE = LinuxBuildImage.AMAZON_LINUX_2_3
+    def __init__(self, scope: core.Construct, id: str, *,
+                    project_name: str,
+                    github_owner,
+                    github_repo,
+                    buildspec_path,
+                    environment_variables = {},
+                    base_branch: str = "main",
+                    release_branch: str = "bump_version"):
+
+        build_environment = BuildEnvironment(build_image=self.BUILD_IMAGE, privileged = True, compute_type = ComputeType.LARGE)
+
+        trigger_on_pr_merged = FilterGroup.in_event_of(EventAction.PULL_REQUEST_MERGED).and_base_branch_is(base_branch).and_branch_is(release_branch).and_commit_message_is("release:.*")
+            
+        super().__init__(scope, id,
+            project_name = project_name,
+            environment_variables = environment_variables,
+            build_spec=BuildSpec.from_source_filename(buildspec_path),
+            badge = True,
+            source = Source.git_hub(owner = github_owner,
+                                    report_build_status = True,
+                                    repo = github_repo, 
+                                    webhook = True,
+                                    webhook_filters = [trigger_on_pr_merged]),
+            environment = build_environment)

src/build_infrastructure/android/app.py

@@ -8,6 +8,7 @@
 
 from stacks.build_pipeline_stack import AmplifyAndroidCodePipeline
 from stacks.account_bootstrap_stack import AccountBootstrap
+from stacks.maven_release_stack import MavenReleaseStack
 
 app = core.App()
 TARGET_REGION = app.node.try_get_context("region")
@@ -18,11 +19,15 @@
 github_owner=app.node.try_get_context("github_owner")
 branch=app.node.try_get_context("branch")
 config_source_bucket = app.node.try_get_context("config_source_bucket")
-print(f"AWS Account={TARGET_ACCOUNT} Region={TARGET_REGION}")
+release_pr_branch = app.node.try_get_context("release_pr_branch")
 log_level=app.node.try_get_context("log_level")
 
+print(f"AWS Account={TARGET_ACCOUNT} Region={TARGET_REGION}")
+
+# Account bootstrap stack
 account_bootstrap = AccountBootstrap(app, "AccountBootstrap", {}, env=TARGET_ENV)
 
+# Unit and integration test stack
 code_pipeline_stack_props = {
     # If set, config files for tests will be copied from S3. Otherwise, it will attempt to retrieve using the Amplify CLI
     'config_source_bucket': account_bootstrap.config_source_bucket.bucket_name, 
@@ -41,5 +46,18 @@
                                     description="CI Pipeline assets for amplify-android",
                                     env=TARGET_ENV)
 
+# Maven publisher stack
+maven_publisher_stack_props = {
+    'github_source': { 
+        'owner': github_owner,
+        'repo': REPO, 
+        'base_branch': branch,
+        'release_pr_branch': release_pr_branch
+    },
+    'codebuild_project_name_prefix': 'AmplifyAndroid'
+}
+
+MavenReleaseStack(app, "MavenPublisher", maven_publisher_stack_props, description="Assets used for publishing amplify-android to maven.", env=TARGET_ENV)
+
 
 app.synth()

src/build_infrastructure/android/stacks/maven_release_stack.py

@@ -0,0 +1,28 @@
+from aws_cdk import (
+    core
+)
+
+from amplify_custom_resources import MavenPublisher
+
+class MavenReleaseStack(core.Stack):
+    def __init__(self, scope: core.App, id: str, props, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        required_props = ['github_source']
+        for prop in required_props:
+            if prop not in props:
+                raise RuntimeError(f"Parameter {prop} is required.")
+        
+        codebuild_project_name_prefix = props['codebuild_project_name_prefix']
+
+        github_source = props['github_source']
+        owner = github_source['owner']
+        repo = github_source['repo']
+        base_branch = github_source['base_branch']
+
+
+        MavenPublisher(self, "ReleasePublisher", project_name=f"{codebuild_project_name_prefix}-ReleasePublisher",
+                                                   github_owner=owner, 
+                                                   github_repo=repo, 
+                                                   base_branch=base_branch,
+                                                   buildspec_path="scripts/maven-release-publisher.yml")

src/credentials_rotators/npm/.gitignore

@@ -0,0 +1,14 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.env
+.venv
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# external lambda dependencies
+lambda_layers/external_dependencies/python/

src/credentials_rotators/npm/README.md

@@ -0,0 +1,96 @@
+
+# NPM user credentials rotation infrastructure
+
+This CDK app helps to automate the credentials rotation for a NPM user. 
+The credentials that are configured for rotation include login password and access keys.
+
+#### Configuring the app
+The `lambda_functions/secrets.json` configuration file should be populated with the 
+information about **accessing** secret values from AWS Secrets Manager. **It must not be
+used to store the secret values themselves.**
+
+```
+{
+  "npm_login_username_secret": {
+    "arn": "<npm_login_username_secret_arn>",
+    "secret_key": "npm_login_username"
+  },
+  "npm_login_password_secret": {
+    "arn": "<npm_login_password_secret_arn>",
+    "secret_key": "npm_login_password",
+    "alarm_subscriptions": ["[email protected]"]
+  },
+  "npm_otp_seed_secret": {
+    "arn": "<npm_otp_seed_secret_arn>",
+    "secret_key": "npm_otp_seed"
+  },
+  "npm_access_token_secrets": {
+    "secrets": [
+      {
+        "arn": "<npm_access_token_codegen_arn>",
+        "secret_key": "npm_access_token_codegen"
+      },
+      {
+        "arn": "<npm_access_token_js_arn>",
+        "secret_key": "npm_access_token_js"
+      }
+    ],
+    "alarm_subscriptions": ["[email protected]"]
+  }
+}
+```
+Since, CDK does not support creating/populating the secrets, recommended best practice is
+to use the AWS CLI or Console to create the above secrets. 
+For example, to create a secret to hold the npm username using CLI:
+```
+aws secretsmanager create-secret --name npm-username-secret --secret-string "{ \"npm_login_username\": \"my-npm-username\" }"
+```
+Paste the `ARN` returned from above operation under `npm_login_username_secret`.
+The `secret_key` (`npm_login_username` in this case) can also be customized.
+
+Similarly, create the other secrets required in the configuration file:
+* `npm_login_username_secret`: stores the login username for the npm user. This secret is static and is not rotated.
+* `npm_login_password_secret`: stores the login password for the npm user. This secret is configured for rotation and accepts
+a list of emails to alert in case the rotation fails.
+* `npm_otp_seed_secret`: stores the OTP seed for the npm user. This is created when the NPM user enables 2-factor Authentication. 
+This secret is static and is not rotated.
+* `npm_access_token_secrets`: stores the list of secrets that hold the access keys created by the npm user. 
+This secret is configured for rotation and accepts a list of emails to alert in case the rotation fails.
+
+#### Deploying the infrastructure
+The AWS credentials have to be set using following environment variables:
+  1. `AWS_ACCESS_KEY_ID`
+  2. `AWS_SECRET_ACCESS_KEY`
+  3. `AWS_SESSION_TOKEN`
+  4. `AWS_DEFAULT_REGION`: The region of deployment should be same as the region where the above secrets are created.
+
+`python 3` and `pip3` should be installed.
+Run `pip3 install -r requirements.txt --upgrade` from the app root to fetch necessary modules for the app.
+
+At this point you can now deploy the infrastructure using:
+```
+$ cdk deploy --all
+```
+or run any of the cdk commands listed below.
+
+
+#### Useful commands
+
+ * `cdk ls`          list all stacks in the app
+ * `cdk synth`       emits the synthesized CloudFormation template
+ * `cdk deploy`      deploy this stack to your default AWS account/region
+ * `cdk diff`        compare deployed stack with current state
+ * `cdk docs`        open CDK documentation
+
+
+#### Stacks included in the app
+* `UserLoginPasswordRotatorStack`: Contains resources like a rotator lambda to rotate the `npm_login_password_secret` 
+along with necessary permissions, alarms to monitor it.
+* `UserAccessTokensRotatorStack`: Contains resources like a rotator lambda to rotate the access keys specified under `npm_access_token_secrets` 
+along with necessary permissions, alarms to monitor it.
+
+To deploy a single stack, use `cdk deploy UserLoginPasswordRotatorStack`
+
+------------------
+
+[amplify.aws](https://amplify.aws)

src/credentials_rotators/npm/app.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+
+from aws_cdk import core
+from stacks.user_login_password_rotator_stack import UserLoginPasswordRotatorStack
+from stacks.user_access_tokens_rotator_stack import UserAccessTokensRotatorStack
+
+
+app = core.App()
+
+# Stack with necessary infrastructure to rotate npm login password secret
+UserLoginPasswordRotatorStack(app, "UserLoginPasswordRotatorStack")
+
+# Stack with necessary infrastructure to rotate npm user's access tokens specified in `secrets_config.json`
+UserAccessTokensRotatorStack(app, "UserAccessTokensRotatorStack")
+
+app.synth()