Commit dee4984a authored by Srihari Prabaharan

Merge branch 'test/update-parameter-store' into 'trusted-aws'

Test/update parameter store

See merge request osdu/platform/system/delivery!5
parents 09dd1009 3ab8760d
......@@ -16,7 +16,8 @@ buildNumber.properties
.settings/
.vscode/
.DS_Store
.env
*.env
/dist/
# Avoid ignoring Maven wrapper jar file (.jar files are usually ignored)
!/.mvn/wrapper/maven-wrapper.jar
// Copyright © Amazon Web Services
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.delivery;
public final class DeliveryRole {
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the resources needed to deploy an ElastiCache cluster in AWS.
It creates the a Security Group with ingress rules, an ElastiCache Subnet Group for the cache cluster,
and the ElastiCache cluster itself.
Parameters:
Environment:
Description: An environment name that will be prefixed to resource names.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Can only be "dev/uat/prod"
Default: dev
Region:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
ApplicationName:
Description: >
The name of the application, which will be used to generate the ECS cluster name.
It will be prefixed with the environment name.
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: os-delivery
CacheName:
Description: The name of the cache cluster. Will be prefixed with the environment name.
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: cache
CacheEngine:
Description: Which caching platform to use. Can be set to 'redis' or 'memcached'.
Type: String
AllowedValues:
- redis
- memcached
ConstraintDescription: Can only be "redis" or "memcached"
Default: redis
NodeInstanceType:
Description: The instance type for redis cache nodes.
ConstraintDescription: Must be a valid instance type from the list of allowed values.
Default: cache.t2.micro
AllowedValues:
- cache.m5.large
- cache.m5.xlarge
- cache.m5.2xlarge
- cache.m5.4xlarge
- cache.m5.12xlarge
- cache.m5.24xlarge
- cache.m4.large
- cache.m4.xlarge
- cache.m4.2xlarge
- cache.m4.4xlarge
- cache.m4.10xlarge
- cache.t2.micro
- cache.t2.small
- cache.t2.medium
- cache.c1.xlarge
- cache.r5.large
- cache.r5.xlarge
- cache.r5.2xlarge
- cache.r5.4xlarge
- cache.r5.12xlarge
- cache.r5.24xlarge
- cache.r4.large
- cache.r4.xlarge
- cache.r4.2xlarge
- cache.r4.4xlarge
- cache.r4.8xlarge
- cache.r4.16xlarge
Type: String
NumberOfCacheNodes:
Description: An integer value specifying the number of node in the redis cache.
Type: Number
Default: 1
MinValue: 1
MaxValue: 128
Conditions:
IsSingleNode: !Equals [ !Ref NumberOfCacheNodes, 1 ]
IsClustered: !Not [Condition: IsSingleNode]
IsMemcached: !Equals [ !Ref CacheEngine, memcached ]
IsRedis: !Equals [ !Ref CacheEngine, redis ]
Resources:
ElastiCacheVpcSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub "${Environment}-${CacheName}-sg"
GroupDescription: "This is the security group that all of our ElastiCache cluster will be placed into."
VpcId:
Fn::ImportValue:
!Sub "${Environment}-OSDU-VPC"
ElastiCacheVpcSecurityGroupCodeBuildIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref ElastiCacheVpcSecurityGroup
IpProtocol: tcp
FromPort: "6379"
ToPort: "6379"
SourceSecurityGroupId:
Fn::ImportValue:
!Sub "${Environment}-OSDU-CodeBuildSecurityGroup"
ElastiCacheVpcSecurityGroupECSIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref ElastiCacheVpcSecurityGroup
IpProtocol: tcp
FromPort: "6379"
ToPort: "6379"
SourceSecurityGroupId:
Fn::ImportValue:
!Sub "${Environment}-${ApplicationName}-EcsNetworkSecurityGroupId"
ElastiCacheSubnetGroup:
Type: 'AWS::ElastiCache::SubnetGroup'
Properties:
CacheSubnetGroupName: !Sub ${Environment}-${CacheName}-SubnetGroup
Description: Redis cache VPC subnet group.
SubnetIds:
- Fn::ImportValue:
!Sub "${Environment}-OSDU-PrivateSubnet-AZ1"
- Fn::ImportValue:
!Sub "${Environment}-OSDU-PrivateSubnet-AZ2"
ElastiCacheCluster:
Type: 'AWS::ElastiCache::CacheCluster'
DependsOn: ElastiCacheSubnetGroup
Properties:
AutoMinorVersionUpgrade: 'false'
AZMode: single-az # this parameter only affects Memcached clusters
Engine: !Ref CacheEngine
CacheNodeType: !Ref NodeInstanceType
NumCacheNodes: !Ref NumberOfCacheNodes
ClusterName: !Sub ${Environment}-${CacheName}
CacheSubnetGroupName: !Ref ElastiCacheSubnetGroup
VpcSecurityGroupIds:
- Ref: ElastiCacheVpcSecurityGroup
Outputs:
# Redis (cluster mode disabled) replication groups don't have this attribute.
# Therefore, Fn::GetAtt returns a value for this attribute only if the replication
# group is clustered. Otherwise, Fn::GetAtt fails.
ElastiCacheConfigurationEndpointUrl:
Description: The configuration endpoint URL of the cache node.
Value: !GetAtt ElastiCacheCluster.ConfigurationEndpoint.Address
Condition: IsClustered
Export:
Name: !Sub ${Environment}-${CacheName}-ElastiCacheConfigurationEndpointUrl
# This output is only applicable if the cache engine is set to Memcached
MemcachedConfigurationEndpointPort:
Description: The Memcached configuration endpoint port of the cache node.
Value: !GetAtt ElastiCacheCluster.ConfigurationEndpoint.Port
Condition: IsMemcached
Export:
Name: !Sub ${Environment}-${CacheName}-MemcachedConfigurationEndpointPort
# This output is only applicable if the cache engine is set to Redis
RedisEndpointAddress:
Description: The Redis endpoint address of the cache.
Value: !GetAtt ElastiCacheCluster.RedisEndpoint.Address
Condition: IsRedis
Export:
Name: !Sub ${Environment}-${CacheName}-RedisEndpointAddress
# This output is only applicable if the cache engine is set to Redis
RedisEndpointPort:
Description: The Redis endpoint port of the cache.
Value: !GetAtt ElastiCacheCluster.RedisEndpoint.Port
Condition: IsRedis
Export:
Name: !Sub ${Environment}-${CacheName}-RedisEndpointPort
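Review bot: Both ingress rules, ElastiCacheVpcSecurityGroupCodeBuildIngress and ElastiCacheVpcSecurityGroupECSIngress, hard-code port 6379 even though CacheEngine accepts memcached, which listens on 11211 by default, so a Memcached deployment gets no usable ingress and the IsMemcached condition is never consulted for the port. Derive the port from the engine in both resources, e.g. `FromPort: !If [IsMemcached, "11211", "6379"]` and the same expression for `ToPort`. Separately, AWS::ElastiCache::CacheCluster exposes no at-rest or in-transit encryption properties; if this cache will hold anything sensitive, that requires AWS::ElastiCache::ReplicationGroup with TransitEncryptionEnabled and AtRestEncryptionEnabled, and a comment on ElastiCacheCluster stating that the cluster is unencrypted by design would spare the next reader the search.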
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the network resources used for the ECS cluster the application will
be deployed into. This is separated from the rest of the ECS resources in order to avoid a circular dependency.
Because there can be any number of cache stacks, but only one ECS stack per service, it makes sense to have
the caches import ECS exports in order to permit access from ECS, rather than the other way around, since
the number of cache clusters and their names can vary, and would require hardcoding them into the ECS template,
whereas this way things stay generic and the ECS CloudFormation template does not need to be updated in order to
add or remove ElastiCache clusters.
Parameters:
Environment:
Description: An environment name that will be prefixed to resource names.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Can only be "dev/uat/prod"
Default: dev
Region:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
ApplicationName:
Description: >
The name of the application, which will be used to generate the ECS cluster name.
It will be prefixed with the environment name.
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: os-delivery
ECSPort:
Description: The port that the ECS Service will listen on.
Type: Number
Default: 80
MinValue: 1
MaxValue: 65535
DomainName:
Description: >-
The optional custom DNS name for the service's load balancer. If omitted, the site will only be accessible
via the ECS service's Application Load Balancer DNS name. This value is used in the creation and signing of
the service's SSL certificate. Leave blank for none.
Type: String
Default: ''
AcmCertificateArn:
Description: >-
The Amazon Resource Name (ARN) of an existing AWS Certificate Manager (ACM) certificate.
If omitted, a new SSL certified will be requested/generated (only if the custom domain name
parameter is provided, otherwise the ECS service's ALB will not use SSL/HTTPS).
Type: String
AllowedPattern: "^(|arn:aws:acm:.*)$"
Default: ''
Conditions:
IncludeCustomDomain: !Not [!Equals [ !Ref DomainName, '' ]]
UseExistingACMSSLCertificate: !And
- !Not [!Equals [ !Ref AcmCertificateArn, '' ]]
- !Condition IncludeCustomDomain
ShouldRequestNewSSLCertificate: !And
- !Not [!Condition UseExistingACMSSLCertificate]
- !Condition IncludeCustomDomain
ShouldExportSSLCertificate: !Or
- !Condition IncludeCustomDomain
- !Condition UseExistingACMSSLCertificate
Resources:
# If an existing SSL certificate is not provided, but a custom domain is, request one
LoadBalancerSSLCertificate:
Type: 'AWS::CertificateManager::Certificate'
Condition: ShouldRequestNewSSLCertificate
Properties:
DomainName: !Ref DomainName
SubjectAlternativeNames:
- !Join ['.', ['origin', !Ref DomainName]] #
ECSSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub "${Environment}-${ApplicationName}-sg"
GroupDescription: Delivery Service ECS Security Group
VpcId:
Fn::ImportValue:
!Sub "${Environment}-OSDU-VPC"
# Public access to ECS Listening Port
ECSSecurityGroupECSListenerInbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: !Ref ECSPort
ToPort: !Ref ECSPort
CidrIp: 0.0.0.0/0
# Public access to port 443
ECSSecurityGroupHTTPSInbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: '443'
ToPort: '443'
CidrIp: 0.0.0.0/0
# Public access to port 8080
ECSSecurityGroupHTTPAltInbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: '8080'
ToPort: '8080'
CidrIp: 0.0.0.0/0
# Public access to port 8443
ECSSecurityGroupHTTPSAltInbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: '8443'
ToPort: '8443'
CidrIp: 0.0.0.0/0
# SSH access for instances in our VPC's jump box subnet group (coming soon – will be part of the Util CFN)
ECSSecurityGroupSSHInbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
# Open Application Load Balancer port range to itself
ECSSecurityGroupALBports:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'ECSSecurityGroup'
IpProtocol: tcp
FromPort: '31000'
ToPort: '61000'
SourceSecurityGroupId: !Ref 'ECSSecurityGroup'
Outputs:
EcsNetworkSecurityGroupId:
Description: The ID of the Delivery Service ECS EC2 security group.
Value: !Ref 'ECSSecurityGroup'
Export:
Name: !Sub ${Environment}-${ApplicationName}-EcsNetworkSecurityGroupId
LoadBalancerSSLCertificateArn:
Condition: ShouldExportSSLCertificate
Description: The ARN of the SSL certificate to be used for both ECS and CloudFront (includes both DNS names).
Value: !If [UseExistingACMSSLCertificate, !Ref AcmCertificateArn, !Ref 'LoadBalancerSSLCertificate']
Export:
Name: !Sub ${Environment}-${ApplicationName}-LoadBalancerSSLCertificateArn
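Review bot: ECSSecurityGroupSSHInbound opens TCP 22 with `CidrIp: 0.0.0.0/0`, although the comment above it says SSH is meant for the VPC's jump-box subnet group; the same world-open CIDR is used for 8080 and 8443 in ECSSecurityGroupHTTPAltInbound and ECSSecurityGroupHTTPSAltInbound, which read as alternate service ports rather than public entry points. Restrict the SSH rule to its intended source by replacing the CidrIp line with `SourceSecurityGroupId: !ImportValue <jump-box security group export — placeholder>` or with `CidrIp: !Ref` of a new admin-CIDR parameter, and confirm whether 8080/8443 need to be reachable from outside the load balancer at all. LoadBalancerSSLCertificate also sets no `ValidationMethod`, so ACM falls back to email validation and the stack stalls until someone approves the mail; `ValidationMethod: DNS` with a `DomainValidationOptions` entry is the unattended choice.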
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the resources used for application SDK access for OSDU services.
It creates the IAM account, access keys, and optional key rotation.
Parameters:
Environment:
Description: An environment name that will be prefixed to resource names.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Can only be "dev/uat/prod"
Default: dev
Region:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
DeliveryServiceIamUsername:
Description: The username of the service user for the OS Delivery Service.
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Type: String
Default: service-user-os-delivery
MinLength: '1'
MaxLength: '64'
DeliveryServiceIamKeyRotationSerial:
Description: This integer value can only ever be incremented, and an increase in value results in a rotation of the user's access key.
Type: Number
Default: 1
Resources:
DeliveryServiceIamUser:
Type: AWS::IAM::User
Properties:
Policies:
- PolicyName: !Sub ${Environment}-DeliveryServiceUserPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Action:
- 's3:*'
- 'sns:*'
- 'sqs:*'
- 'dynamodb:*'
- 'lambda:*'
Effect: Allow
Resource: '*'
UserName: !Sub ${Environment}-${DeliveryServiceIamUsername}
DeliveryServiceIamUserAccessKey:
Type: AWS::IAM::AccessKey
DependsOn: DeliveryServiceIamUser
Properties:
Serial: !Ref DeliveryServiceIamKeyRotationSerial # this value can only ever be incremented, and an increase in value results in a rotation of the user's access key
Status: Active
UserName: !Sub ${Environment}-${DeliveryServiceIamUsername}
IAMCredentialsSecret:
Type: 'AWS::SecretsManager::Secret'
Properties:
Name: !Sub ${Environment}-DeliveryServiceIamCredentials
Description: The IAM service account credentials for the delivery service.
SecretString:
Fn::Sub:
- '{"access_key":"${AccessKey}","secret_key":"${SecretKey}"}'
- {AccessKey: !Ref DeliveryServiceIamUserAccessKey, SecretKey: !GetAtt DeliveryServiceIamUserAccessKey.SecretAccessKey}
Tags:
- Key: Environment
Value: !Ref Environment
Outputs:
DeliveryServiceIamUserAccessKeyId:
Description: The access key ID for the service user for the Schema Repository.
Value: !Ref DeliveryServiceIamUserAccessKey
Export:
Name: !Sub ${Environment}-DeliveryServiceIamUserAccessKeyId
DeliveryServiceIamUserSecretAccessKey:
Description: The secret access key for the service user for the Schema Repository.
Value: !GetAtt DeliveryServiceIamUserAccessKey.SecretAccessKey
Export:
Name: !Sub ${Environment}-DeliveryServiceIamUserSecretAccessKey
DeliveryServiceIamUserArn:
Description: The ARN of the service IAM user account.
Value: !GetAtt DeliveryServiceIamUser.Arn
Export:
Name: !Sub ${Environment}-DeliveryServiceIamUserArn
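Review bot: The DeliveryServiceIamUserSecretAccessKey output exposes the user's secret access key as a stack output and cross-stack export, so any principal allowed cloudformation:DescribeStacks or ListExports can read it and it appears in API responses, which undercuts the point of storing it in IAMCredentialsSecret. Drop that output together with its `Export` and have consumers read the value from Secrets Manager; DeliveryServiceIamUserAccessKeyId is less sensitive but the same reasoning applies. The inline policy grants `s3:*`, `sns:*`, `sqs:*`, `dynamodb:*` and `lambda:*` on `Resource: '*'`; scoping each action list to the service's own resources, or at least to `${Environment}`-prefixed ARNs, would bound the damage if this long-lived key leaks. IAMCredentialsSecret also relies on the default Secrets Manager KMS key, so a `KmsKeyId` is worth considering if key-level auditing or cross-account access is expected.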
# Copyright © Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
CloudFormation template for creating the resources used for the sending messages to topic and queues to receive the
messages for OSDU's delivery service. It creates the SNS Topic and the corresponding SQS Queues with their associated policies.
Parameters:
Environment:
Description: an environment name that will be prefixed to resource names.
Type: String
AllowedValues:
- dev
- uat
- prod
ConstraintDescription: Can only be "dev/uat/prod"
Default: dev
Region:
Description: The AWS region to deploy the resources to.
Type: String
Default: us-east-1
SNSTopicName:
Description: >-
The name of the Simple Notification Service topic for the OS Delivery Service. Defaults to osdu-delivery-service-messages.
Will be prefixed with the environment name.
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: osdu-delivery-service-messages
Type: String
MinLength: '1'
MaxLength: '64'
SQSQueueName:
Description: >-
The name of the Simple Queue Service queue for the OS Delivery Service. Defaults to osdu-delivery-service-queue.
Will be prefixed with the environment name.
AllowedPattern: "^[a-zA-Z]+[0-9a-zA-Z_-]*$"
ConstraintDescription: Must start with a letter. Only numbers, letters, -, and _ accepted. Max. length 64 characters.
Default: osdu-delivery-service-queue
Type: String
MinLength: '1'
MaxLength: '64'
Resources:
OSDUDeliveryServiceSNSTopic:
Type: 'AWS::SNS::Topic'
Properties:
DisplayName: !Sub ${Environment}-${AWS::AccountId}-${SNSTopicName}
TopicName: !Sub ${Environment}-${SNSTopicName}
OSDUDeliveryServiceSQSQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: !Sub ${Environment}-${AWS::AccountId}-${SQSQueueName}
OSDUDeliveryServiceSNSSubscription:
Type: AWS::SNS::Subscription
Properties:
Protocol: sqs
TopicArn: !Ref OSDUDeliveryServiceSNSTopic