-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: release #16
Merged
+190
−52
Merged
feat: release #16
Changes from 8 commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
176be2a
feat: Make naamIngelogdeGebruiker optional
joostvanderborg a361234
docs: Add readme
joostvanderborg f7fbaf9
chore: self mutation
invalid-email-address 050b660
feat: Create SNS topic for cross account posting (#17)
joostvanderborg dca4c41
fix: Allow KMS access for lambda role (#18)
joostvanderborg e435883
fix: Allow KMS access for lambda role (#19)
joostvanderborg cb90c1b
Fix/allow key access (#20)
joostvanderborg 7bb798c
chore: remove unused param
joostvanderborg c705f59
remove stray file
joostvanderborg File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,5 @@ | ||
| # replace this | ||
| # Webformulieren submission storage | ||
|
|
||
| Deze applicatie is verantwoordelijk voor de opslag van formulierinzendingen, voor afnemers (Mijn Nijmegen) die deze moeten kunnen tonen aan de indiener. De applicatie is gesubscribed op het SNS-topic dat in [webformulieren](https://github.com/gemeentenijmegen/webformulieren) bestaat, en verwerkt inzendingen bij binnenkomst. | ||
|
|
||
| Het is nog niet mogelijk ingezonden formulieren op te halen. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,33 +1,70 @@ | ||
| import { Stack } from 'aws-cdk-lib'; | ||
| import { Stack, StackProps } from 'aws-cdk-lib'; | ||
| import { AnyPrincipal, Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam'; | ||
| import { ITopic, Topic } from 'aws-cdk-lib/aws-sns'; | ||
| import { StringParameter } from 'aws-cdk-lib/aws-ssm'; | ||
| import { Construct } from 'constructs'; | ||
| import { Configurable } from './Configuration'; | ||
| import { Statics } from './statics'; | ||
| import { SubmissionSnsEventHandler } from './SubmissionSnsEventHandler'; | ||
|
|
||
| interface ApiStackProps extends StackProps, Configurable {}; | ||
| /** | ||
| * Contains all API-related resources. | ||
| */ | ||
| export class ApiStack extends Stack { | ||
| constructor(scope: Construct, id: string) { | ||
| super(scope, id); | ||
|
|
||
| // const api = new RestApi(this, 'gateway'); | ||
| // api.root.addMethod('ANY', new MockIntegration({ | ||
| // integrationResponses: [ | ||
| // { statusCode: '200' }, | ||
| // ], | ||
| // passthroughBehavior: PassthroughBehavior.NEVER, | ||
| // requestTemplates: { | ||
| // 'application/json': '{ "statusCode": 200 }', | ||
| // }, | ||
| // }), { | ||
| // methodResponses: [ | ||
| // { statusCode: '200' }, | ||
| // ], | ||
| // }); | ||
| constructor(scope: Construct, id: string, props: ApiStackProps) { | ||
| super(scope, id, props); | ||
|
|
||
| const internalTopic = new SNSTopic(this, 'submissions', { publishingAccountIds: props.configuration.allowedAccountIdsToPublishToSNS }); | ||
| new SubmissionSnsEventHandler(this, 'submissionhandler', { | ||
| topicArn: StringParameter.valueForStringParameter(this, Statics.ssmSubmissionTopicArn), | ||
| topicArns: [internalTopic.topic.topicArn, StringParameter.valueForStringParameter(this, Statics.ssmSubmissionTopicArn)], | ||
| }); | ||
| } | ||
| } | ||
|
|
||
| interface SNSTopicProps extends StackProps { | ||
| /** | ||
| * Allow access for different AWS accounts to publish to this topic | ||
| */ | ||
| publishingAccountIds?: string[]; | ||
| } | ||
| class SNSTopic extends Construct { | ||
| topic: ITopic; | ||
| constructor(scope: Construct, id: string, props: SNSTopicProps) { | ||
| super(scope, id); | ||
|
|
||
| this.topic = new Topic(this, 'submissions', { | ||
| displayName: 'submissions', | ||
| }); | ||
|
|
||
| this.allowCrossAccountAccess(props.publishingAccountIds); | ||
| } | ||
|
|
||
| /** | ||
| * Allow cross account access to this topic | ||
| * | ||
| * This allows lambda's with the execution role 'storesubmissions-lambda-role' | ||
| * in the accounts in `allowedAccountIds` access to publish to this topic. | ||
| * | ||
| * @param allowedAccountIds array of account IDs | ||
| */ | ||
| allowCrossAccountAccess(allowedAccountIds?: string[]): void { | ||
| if (!allowedAccountIds || allowedAccountIds.length == 0) { return; } | ||
| const crossAccountPrincipalArns = allowedAccountIds.map( | ||
| (accountId) => `arn:aws:iam::${accountId}:role/storesubmissions-lambda-role`, | ||
| ); | ||
| this.topic.addToResourcePolicy(new PolicyStatement({ | ||
| effect: Effect.ALLOW, | ||
| actions: [ | ||
| 'SNS:Publish', | ||
| ], | ||
| resources: [this.topic.topicArn], | ||
| principals: [new AnyPrincipal()], | ||
| conditions: { | ||
| ArnLike: { | ||
| 'aws:PrincipalArn': crossAccountPrincipalArns, | ||
| }, | ||
| }, | ||
| })); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,144 @@ | ||
| import { Duration, Stack, StackProps } from 'aws-cdk-lib'; | ||
| import { AttributeType, BillingMode, Table, TableEncryption } from 'aws-cdk-lib/aws-dynamodb'; | ||
| import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam'; | ||
| import { Key } from 'aws-cdk-lib/aws-kms'; | ||
| import { Bucket, BucketEncryption, ObjectOwnership } from 'aws-cdk-lib/aws-s3'; | ||
| import { Secret } from 'aws-cdk-lib/aws-secretsmanager'; | ||
| import { StringParameter } from 'aws-cdk-lib/aws-ssm'; | ||
| import { Construct } from 'constructs'; | ||
| import { Configurable } from './Configuration'; | ||
| import { Statics } from './statics'; | ||
|
|
||
|
|
||
| interface StorageStackProps extends StackProps, Configurable {}; | ||
|
|
||
| /** | ||
| * Contains all API-related resources. | ||
| */ | ||
| export class StorageStack extends Stack { | ||
| constructor(scope: Construct, id: string, props: StorageStackProps) { | ||
| super(scope, id, props); | ||
|
|
||
| const key = this.key(); | ||
| /** | ||
| * This bucket will receive submission attachments | ||
| * (Submission PDF, uploads) for each submission. | ||
| */ | ||
| const bucket = new Bucket(this, 'submission-attachments', { | ||
| eventBridgeEnabled: true, | ||
| enforceSSL: true, | ||
| encryption: BucketEncryption.KMS, | ||
| objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED, | ||
| lifecycleRules: [ | ||
| { | ||
| expiration: Duration.days(365), | ||
| }, | ||
| ], | ||
| encryptionKey: key, | ||
| }); | ||
| this.addArnToParameterStore('bucketParam', bucket.bucketArn, Statics.ssmSubmissionBucketArn); | ||
| this.addArnToParameterStore('bucketNameParam', bucket.bucketName, Statics.ssmSubmissionBucketName); | ||
|
|
||
| const table = new Table(this, 'submissions', { | ||
| partitionKey: { name: 'pk', type: AttributeType.STRING }, | ||
| sortKey: { name: 'sk', type: AttributeType.STRING }, | ||
| billingMode: BillingMode.PAY_PER_REQUEST, | ||
| timeToLiveAttribute: 'ttl', | ||
| encryptionKey: key, | ||
| encryption: TableEncryption.CUSTOMER_MANAGED, | ||
| }); | ||
| this.addArnToParameterStore('tableParam', table.tableArn, Statics.ssmSubmissionTableArn); | ||
| this.addArnToParameterStore('tableNameParam', table.tableName, Statics.ssmSubmissionTableName); | ||
|
|
||
| this.addParameters(); | ||
| } | ||
|
|
||
| private key(crossAccountIds?: string[]) { | ||
| const crossAccountPrincipalArns = this.crossAccountIdArns(crossAccountIds); | ||
| const key = new Key(this, 'kmskey', { | ||
| enableKeyRotation: true, | ||
| description: 'encryption key for user data', | ||
| alias: `${Statics.projectName}/user-data`, | ||
| }); | ||
|
|
||
| this.allowCrossAccountKeyAccess(crossAccountPrincipalArns, key); | ||
|
|
||
| // Store key arn to be used in other stacks/projects | ||
| new StringParameter(this, 'key', { | ||
| stringValue: key.keyArn, | ||
| parameterName: Statics.ssmDataKeyArn, | ||
| }); | ||
|
|
||
| return key; | ||
| } | ||
| <<<<<<< HEAD | ||
| ======= | ||
|
|
||
| private allowCrossAccountKeyAccess(crossAccountPrincipalArns: string[] | null, key: Key) { | ||
| if (crossAccountPrincipalArns) { | ||
| key.addToResourcePolicy(new PolicyStatement({ | ||
| effect: Effect.ALLOW, | ||
| actions: [ | ||
| 'kms:GenerateDataKey', | ||
| 'kms:Decrypt', | ||
| ], | ||
| resources: [key.keyArn], | ||
| conditions: { | ||
| ArnLike: { | ||
| 'aws:PrincipalArn': crossAccountPrincipalArns, | ||
| }, | ||
| }, | ||
| }), false); | ||
| } | ||
| } | ||
|
|
||
| private crossAccountIdArns(crossAccountIds: string[] | undefined) { | ||
| if (crossAccountIds && crossAccountIds.length > 0) { | ||
| return crossAccountIds.map( | ||
| (accountId) => `arn:aws:iam::${accountId}:role/storesubmissions-lambda-role`, | ||
| ); | ||
| } | ||
| return null; | ||
| } | ||
|
|
||
| >>>>>>> development | ||
| private addArnToParameterStore(id: string, arn: string, name: string) { | ||
| new StringParameter(this, id, { | ||
| stringValue: arn, | ||
| parameterName: name, | ||
| }); | ||
| } | ||
|
|
||
| /** | ||
| * Add general parameters, the values of which should be added later | ||
| */ | ||
| private addParameters() { | ||
| new StringParameter(this, 'submissionTopicArn', { | ||
| stringValue: '-', | ||
| parameterName: Statics.ssmSubmissionTopicArn, | ||
| }); | ||
|
|
||
| new StringParameter(this, 'sourceBucketArn', { | ||
| stringValue: '-', | ||
| parameterName: Statics.ssmSourceBucketArn, | ||
| description: 'ARN for the source bucket, to allow copying submission files', | ||
| }); | ||
|
|
||
| new StringParameter(this, 'sourceKeyArn', { | ||
| stringValue: '-', | ||
| parameterName: Statics.ssmSourceKeyArn, | ||
| description: 'ARN for the source bucket encryption key, to allow copying submission files', | ||
| }); | ||
|
|
||
| new StringParameter(this, 'formIoBaseUrl', { | ||
| stringValue: '-', | ||
| parameterName: Statics.ssmFormIoBaseUrl, | ||
| description: 'Base url for retrieving form config. Includes stage path.', | ||
| }); | ||
|
|
||
| new Secret(this, 'formIoApiKey', { | ||
| secretName: Statics.secretFormIoApiKey, | ||
| description: 'FormIO Api token for retrieving form config', | ||
| }); | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
waarom 365 dagen bewaren en niet korter of langer(zou ik verwachten nl)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Daar heeft nog niemand iets van gevonden, onbeperkt lijkt me ook onwenselijk. Ik zie overigens dat de merge conflict-file hierin zit, dus dit is niet nieuw.