Filemanager objects apigw API deployment (no app side logic) (#115)

* Refactors and promotes api-gw from SRM to top level.
* Fixes all workloads to use the new construct instead of custom ones per service.
* Adds AccessLog logGroup.
* Explores CloudMap at ApiGw level.

---------

Co-authored-by: Marko Malenic <mmalenic1@gmail.com>

Author: brainstorm

.gitignore

@@ -55,7 +55,11 @@ data/
 Brewfile.lock.json
 *.xml
 
-target/
-
 .coverage
 htmlcov/
+
+# Filemanager-specific
+.sqlx
+target/
+lib/workload/stateful/filemanager/volume
+skel/rust-api/Cargo.lock

.vscode/settings.json

@@ -1,6 +1,6 @@
 {
   "rust-analyzer.linkedProjects": [
-    "lib/workload/stateful/filemanager/Cargo.toml",
+    "lib/workload/stateless/stacks/filemanager/Cargo.toml",
     "skel/rust-api/Cargo.toml"
   ]
 }

config/stacks/fileManager.ts

@@ -1,4 +1,4 @@
-import { FilemanagerConfig } from '../../lib/workload/stateless/stacks/filemanager/deploy/lib/filemanager';
+import { FilemanagerConfig } from '../../lib/workload/stateless/stacks/filemanager/deploy/stack';
 import {
   AccountName,
   computeSecurityGroupName,
@@ -9,6 +9,9 @@ import {
   prodBucket,
   stgBucket,
   vpcProps,
+  cognitoPortalAppClientIdParameterName,
+  cognitoStatusPageAppClientIdParameterName,
+  cognitoUserPoolIdParameterName,
 } from '../constants';
 
 export const getFileManagerStackProps = (n: AccountName): FilemanagerConfig => {
@@ -19,6 +22,9 @@ export const getFileManagerStackProps = (n: AccountName): FilemanagerConfig => {
     databaseClusterEndpointHostParameter: dbClusterEndpointHostParameterName,
     port: databasePort,
     migrateDatabase: true,
+    cognitoPortalAppClientIdParameterName: cognitoPortalAppClientIdParameterName,
+    cognitoStatusPageAppClientIdParameterName: cognitoStatusPageAppClientIdParameterName,
+    cognitoUserPoolIdParameterName: cognitoUserPoolIdParameterName,
   };
 
   switch (n) {

config/stacks/postgresManager.ts

@@ -1,5 +1,5 @@
 import { Duration } from 'aws-cdk-lib';
-import { FILEMANAGER_SERVICE_NAME } from '../../lib/workload/stateless/stacks/filemanager/deploy/lib/filemanager';
+import { FILEMANAGER_SERVICE_NAME } from '../../lib/workload/stateless/stacks/filemanager/deploy/stack';
 import { PostgresManagerStackProps } from '../../lib/workload/stateless/stacks/postgres-manager/deploy/stack';
 import { DbAuthType } from '../../lib/workload/stateless/stacks/postgres-manager/function/type';
 import {

lib/workload/stateless/stacks/sequence-run-manager/deploy/constructs/api-gw/index.ts lib/workload/components/api-gateway/index.ts

@@ -1,24 +1,27 @@
 import { Construct } from 'constructs';
 import { aws_ssm, Duration } from 'aws-cdk-lib';
 import { HttpJwtAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
-import { CorsHttpMethod, HttpApi } from 'aws-cdk-lib/aws-apigatewayv2';
+import { CorsHttpMethod, HttpApi, CfnStage } from 'aws-cdk-lib/aws-apigatewayv2';
 import { IStringParameter } from 'aws-cdk-lib/aws-ssm';
+import { LogGroup } from 'aws-cdk-lib/aws-logs';
+import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 
-export interface SRMApiGatewayConstructProps {
+export interface ApiGatewayConstructProps {
   region: string;
+  apiName: string | undefined;
   cognitoUserPoolIdParameterName: string;
   cognitoPortalAppClientIdParameterName: string;
   cognitoStatusPageAppClientIdParameterName: string;
 }
 
-export class SRMApiGatewayConstruct extends Construct {
+export class ApiGatewayConstruct extends Construct {
   private readonly _httpApi: HttpApi;
 
-  constructor(scope: Construct, id: string, props: SRMApiGatewayConstructProps) {
+  constructor(scope: Construct, id: string, props: ApiGatewayConstructProps) {
     super(scope, id);
 
     this._httpApi = new HttpApi(this, 'HttpApi', {
-      apiName: 'OrcaBusAPI-SequenceRunManager',
+      apiName: 'OrcaBusAPI-' + props.apiName,
       corsPreflight: {
         allowHeaders: ['Authorization'],
         allowMethods: [
@@ -34,12 +37,48 @@ export class SRMApiGatewayConstruct extends Construct {
       // defaultDomainMapping: ... TODO
     });
 
-    // TODO Configure access logging. See https://github.com/aws/aws-cdk/issues/11100
+    // LogGroups
+    this.setupAccessLogs();
 
-    // TODO setup cloud map service discovery perhaps
+    // CloudMap
+    // this.setupCloudServiceDiscovery()
   }
 
-  private getAuthorizer(props: SRMApiGatewayConstructProps): HttpJwtAuthorizer {
+  // TODO: https://github.com/aws-samples/aws-cdk-service-discovery-example/tree/main
+  // private setupCloudServiceDiscovery() {
+  // }
+
+  // TODO: Taken from https://github.com/aws/aws-cdk/issues/11100#issuecomment-904627081
+  // Monitor for higher level CDK construct instead of leveraging CfnStage
+  private setupAccessLogs() {
+    const accessLogs = new LogGroup(this, 'OrcaBus-ApiGw-AccessLogs');
+    const stage = this.httpApi.defaultStage?.node.defaultChild as CfnStage;
+    stage.accessLogSettings = {
+      destinationArn: accessLogs.logGroupArn,
+      format: JSON.stringify({
+        requestId: '$context.requestId',
+        userAgent: '$context.identity.userAgent',
+        sourceIp: '$context.identity.sourceIp',
+        requestTime: '$context.requestTime',
+        requestTimeEpoch: '$context.requestTimeEpoch',
+        httpMethod: '$context.httpMethod',
+        path: '$context.path',
+        status: '$context.status',
+        protocol: '$context.protocol',
+        responseLength: '$context.responseLength',
+        domainName: '$context.domainName',
+      }),
+    };
+
+    // Allow writing access logs, managed
+    const role = new Role(this, 'AmazonAPIGatewayPushToCloudWatchLogs', {
+      assumedBy: new ServicePrincipal('apigateway.amazonaws.com'),
+    });
+
+    accessLogs.grantWrite(role);
+  }
+
+  private getAuthorizer(props: ApiGatewayConstructProps): HttpJwtAuthorizer {
     /**
      * FIXME One fine day in future when we have proper Cognito AAI setup.
      *  For the moment, we leverage Portal and established Cognito infrastructure.