feat: create pub-sub architecture

.checkov

@@ -0,0 +1,18 @@
+---
+directory:
+  - cdk.out
+download-external-modules: false
+evaluate-variables: true
+external-modules-download-path: .external_modules
+compact: true
+framework:
+  - cloudformation
+quiet: true
+skip-check:
+  - CKV_AWS_158  # Ensure that CloudWatch Log Group is encrypted by KMS
+  - CKV_AWS_116  # Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
+  - CKV_AWS_149  # Ensure that Secrets Manager secret is encrypted using KMS CMK
+soft-fail-on:
+  - CKV_AWS_109  # Ensure IAM policies does not allow permissions management without constraints
+  - CKV_AWS_111  # Ensure IAM policies does not allow write access without constraints
+  - CKV_AWS_157  # Ensure that RDS instances have Multi-AZ enabled

.checkov.baseline

@@ -0,0 +1,76 @@
+{
+    "failed_checks": [
+        {
+            "file": "/PubSub-production.template.json",
+            "findings": [
+                {
+                    "resource": "AWS::IAM::Policy.BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
+                    "check_ids": [
+                        "CKV_AWS_111"
+                    ]
+                },
+                {
+                    "resource": "AWS::Lambda::Function.BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691",
+                    "check_ids": [
+                        "CKV_AWS_115",
+                        "CKV_AWS_117"
+                    ]
+                },
+                {
+                    "resource": "AWS::SNS::Topic.PubSubStorageFileCreatedTopic305D9F65",
+                    "check_ids": [
+                        "CKV_AWS_26"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/PubSub-sandbox.template.json",
+            "findings": [
+                {
+                    "resource": "AWS::IAM::Policy.BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
+                    "check_ids": [
+                        "CKV_AWS_111"
+                    ]
+                },
+                {
+                    "resource": "AWS::Lambda::Function.BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691",
+                    "check_ids": [
+                        "CKV_AWS_115",
+                        "CKV_AWS_117"
+                    ]
+                },
+                {
+                    "resource": "AWS::SNS::Topic.PubSubStorageFileCreatedTopic305D9F65",
+                    "check_ids": [
+                        "CKV_AWS_26"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/PubSub-staging.template.json",
+            "findings": [
+                {
+                    "resource": "AWS::IAM::Policy.BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36",
+                    "check_ids": [
+                        "CKV_AWS_111"
+                    ]
+                },
+                {
+                    "resource": "AWS::Lambda::Function.BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691",
+                    "check_ids": [
+                        "CKV_AWS_115",
+                        "CKV_AWS_117"
+                    ]
+                },
+                {
+                    "resource": "AWS::SNS::Topic.PubSubStorageFileCreatedTopic305D9F65",
+                    "check_ids": [
+                        "CKV_AWS_26"
+                    ]
+                }
+            ]
+        }
+    ]
+}

.github/actions/deploy/action.yaml

@@ -0,0 +1,37 @@
+---
+name: Deploy Stack
+description: Deploy the CDK stack to AWS
+
+inputs:
+  role-to-assume:
+    description: Role ARN to be assumed
+    required: true
+
+  aws-region:
+    description: AWS region to deploy
+    required: true
+
+  stack-name:
+    description: Name of the stack to deploy
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set Up Environment
+      uses: ./.github/actions/setup
+
+    - name: Install Python Dependencies with Poetry
+      shell: bash
+      run: poetry install
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-session-name: GitHubActions-${{ github.event.repository.name }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: CDK Deploy
+      shell: bash
+      run: poetry run cdk deploy ${{ inputs.stack-name }} --force

.github/actions/setup/action.yaml

@@ -0,0 +1,38 @@
+---
+name: Set Up Environment
+description: Install packages and dependencies for CDK deployment
+
+inputs:
+  cdk_version:
+    description: AWS CDK version
+    required: false
+    default: latest
+
+  python_version:
+    description: Python version
+    required: false
+    default: '3.11'
+
+  poetry_version:
+    description: Poetry version
+    required: false
+    default: 1.7.1
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python_version }}
+
+    - name: Install Poetry
+      uses: snok/install-poetry@v1
+      with:
+        virtualenvs-create: true
+        virtualenvs-in-project: true
+        version: ${{ inputs.poetry_version }}
+
+    - name: Install AWS CDK
+      shell: bash
+      run: npm install -g aws-cdk@${{ inputs.cdk_version }}

.github/templates/pr_template.md

@@ -0,0 +1,24 @@
+# :white_check_mark: Checklist
+- [ ] The branch was created from `main` or rebased to `main`? I.e. `git rebase origin/main`
+- [ ] Are there any breaking changes? Is the commit message appropriate?
+- *For major releases, add `BREAKING CHANGE` to the commit footer*
+
+## What?
+<!--- Please describe in detail what this PR does. -->
+<!--- Add a list of changes if needed -->
+
+## Why?
+<!--- One sentence describing why this is necessary. -->
+
+## How?
+<!--- High level description of implementation. -->
+
+## Testing?
+<!--- Did you write tests? Describe how you tested it. -->
+
+## Documentation?
+<!--- Does this change requires updates to documentation?
+Please add links to Confluence if needed. -->
+
+## Anything Else?
+<!--- Add any extra information that might be useful for a reviewer. -->

.github/workflows/deploy.yaml

@@ -0,0 +1,69 @@
+---
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types:
+      - labeled
+      - synchronize
+
+permissions:
+  id-token: write
+
+jobs:
+  deploy-sandbox:
+    name: Sandbox Deploy
+    if: |
+      (github.event.action == 'labeled' && github.event.label.name == ':test_tube: sandbox deploy') ||
+      (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, ':test_tube: sandbox deploy')) ||
+      (github.event_name == 'push' && github.ref_name == 'main')
+    environment: sandbox
+    concurrency: sandbox
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy Stack
+        uses: ./.github/actions/deploy
+        with:
+          role-to-assume: ${{ vars.ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+          stack-name: Frontend-sandbox
+
+  deploy-staging:
+    if: github.ref_name == 'main'
+    name: Staging Deploy
+    environment: staging
+    concurrency: staging
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy Stack
+        uses: ./.github/actions/deploy
+        with:
+          role-to-assume: ${{ vars.ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+          stack-name: Frontend-staging
+
+  deploy-production:
+    if: github.ref_name == 'main'
+    name: Production Deploy
+    environment: production
+    concurrency: production
+    runs-on: ubuntu-latest
+    needs:
+      - deploy-sandbox
+      - deploy-staging
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Deploy Stack
+        uses: ./.github/actions/deploy
+        with:
+          role-to-assume: ${{ vars.ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+          stack-name: Frontend-production

.github/workflows/pull-request.yaml

@@ -0,0 +1,28 @@
+---
+name: Draft Pull Request
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+permissions:
+  pull-requests: write
+
+jobs:
+  draft-pull-request:
+    name: Draft Pull Request
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create Pull Request
+        continue-on-error: true
+        run: |
+          gh pr create \
+            --title "Merge ${{ github.ref_name }}"  \
+            --body-file "./.github/templates/pr_template.md" \
+            --base main \
+            --draft

.github/workflows/status-checks.yaml

@@ -0,0 +1,70 @@
+---
+name: Status Checks
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set Up Environment
+        uses: ./.github/actions/setup
+
+      - name: Install Test Dependencies
+        shell: bash
+        run: poetry install --with test
+
+      - name: Pytest
+        shell: bash
+        run: poetry run python -m pytest
+
+      - name: Coverage
+        shell: bash
+        run: poetry run coverage lcov
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set Up Environment
+        uses: ./.github/actions/setup
+
+      - name: Install Lint Dependencies
+        shell: bash
+        run: poetry install --with lint
+
+      - name: Lint
+        shell: bash
+        run: poetry run pre-commit run --all-files
+
+  checkov:
+    name: Checkov
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set Up Environment
+        uses: ./.github/actions/setup
+
+      - name: Install Checkov Dependencies
+        shell: bash
+        run: poetry install --with checkov
+
+      - name: Synthezise CDK templates
+        shell: bash
+        run: poetry run cdk synth
+
+      - name: Checkov
+        shell: bash
+        run: |
+          poetry run checkov \
+            --config-file .checkov \
+            --baseline .checkov.baseline