Added cdk stack & github action

Author: Kullsyreholdig

.github/workflows/cdk-deploy.yml

@@ -0,0 +1,46 @@
+name: Deploy infrastructure
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch, tag or commit SHA to deploy'
+        required: false
+        default: 'master'
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: 'cdk/package-lock.json'
+
+      - name: Install CDK dependencies
+        working-directory: ./cdk
+        run: npm ci
+
+      - name: Install AWS CDK CLI
+        run: npm install -g aws-cdk
+
+      - name: CDK Deploy
+        working-directory: ./cdk
+        run: cdk deploy --require-approval never

.gitignore

@@ -2,4 +2,5 @@
 cake-redux.iml
 target/
 .DS_Store
-.config.toml
+.config.toml
+node_modules/

cdk/bin/stacks.ts

@@ -0,0 +1,10 @@
+
+import * as cdk from 'aws-cdk-lib';
+import {CakeReduxStack } from '../lib/cakeredux-stack.js';
+
+const app = new cdk.App();
+new CakeReduxStack(app, 'CakeReduxStack', {
+  env: { account: '553637109631', region: 'eu-central-1' },
+});
+
+

cdk/cdk.context.json

@@ -0,0 +1,55 @@
+{
+  "acknowledged-issue-numbers": [
+    34892
+  ],
+  "vpc-provider:account=553637109631:filter.isDefault=true:region=eu-central-1:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-d55e68bc",
+    "vpcCidrBlock": "172.31.0.0/16",
+    "ownerAccountId": "553637109631",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Public",
+        "type": "Public",
+        "subnets": [
+          {
+            "subnetId": "subnet-0347ca5488bd97167",
+            "cidr": "172.31.48.0/20",
+            "availabilityZone": "eu-central-1a",
+            "routeTableId": "rtb-f0626d99"
+          },
+          {
+            "subnetId": "subnet-19746c70",
+            "cidr": "172.31.0.0/20",
+            "availabilityZone": "eu-central-1a",
+            "routeTableId": "rtb-f0626d99"
+          },
+          {
+            "subnetId": "subnet-01210e22afbd300aa",
+            "cidr": "172.31.64.0/20",
+            "availabilityZone": "eu-central-1b",
+            "routeTableId": "rtb-f0626d99"
+          },
+          {
+            "subnetId": "subnet-35c1f74e",
+            "cidr": "172.31.16.0/20",
+            "availabilityZone": "eu-central-1b",
+            "routeTableId": "rtb-f0626d99"
+          },
+          {
+            "subnetId": "subnet-2f3d0c65",
+            "cidr": "172.31.32.0/20",
+            "availabilityZone": "eu-central-1c",
+            "routeTableId": "rtb-f0626d99"
+          },
+          {
+            "subnetId": "subnet-0f462674c4b62bd57",
+            "cidr": "172.31.80.0/20",
+            "availabilityZone": "eu-central-1c",
+            "routeTableId": "rtb-f0626d99"
+          }
+        ]
+      }
+    ]
+  }
+}

cdk/cdk.json

@@ -0,0 +1,87 @@
+{
+  "app": "npx tsx bin/stacks.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true
+  }
+}

cdk/lib/cakeredux-stack.ts

@@ -0,0 +1,74 @@
+import * as cdk from 'aws-cdk-lib';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { type Construct } from 'constructs';
+import { importExistingResources } from './existing-resources';
+
+const port = 8081;
+const healthCheckPath = '/';
+const priority = 15;
+const desiredCount = 2;
+const clusterName = 'cakeredux';
+
+export class CakeReduxStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, properties?: cdk.StackProps) {
+    super(scope, id, properties);
+
+    // Import existing resources
+    const { vpc, existingListener } = importExistingResources(this);
+
+
+    // Create ECS Cluster
+    const cluster = new ecs.Cluster(this, 'Cluster', {
+      vpc,
+      clusterName
+    });
+    // Create the Fargate service first
+    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', {
+      memoryLimitMiB: 512,
+      cpu: 256,
+    });
+
+    // Attach the SOPS KMS policy to the task role usin arn
+
+    taskDefinition.taskRole.addManagedPolicy(
+      iam.ManagedPolicy.fromManagedPolicyArn(
+        this,
+        'SopsKmsPolicy',
+        'arn:aws:iam::553637109631:policy/sops-kms-policy'
+      )
+    );
+
+    taskDefinition.addContainer('app', {
+      image: ecs.ContainerImage.fromAsset('../', { file: 'Dockerfile' }),
+      portMappings: [{ containerPort: port }],
+      logging: new ecs.AwsLogDriver({ streamPrefix: 'app' }),
+    });
+
+    const service = new ecs.FargateService(this, 'Service', {
+      cluster,
+      taskDefinition,
+      desiredCount,
+      assignPublicIp: true,
+      circuitBreaker: { rollback: true },
+    });
+
+    // Create a target group and add it to the existing listener
+    const targetGroup = new elbv2.ApplicationTargetGroup(this, 'TargetGroup', {
+      vpc,
+      port,
+      protocol: elbv2.ApplicationProtocol.HTTP,
+      targets: [service],
+      healthCheck: {
+        path: healthCheckPath,
+      },
+    });
+
+    existingListener.addTargetGroups('AddTargetGroup', {
+      targetGroups: [targetGroup],
+      priority,
+      conditions: [elbv2.ListenerCondition.hostHeaders(['cakeredux.javazone.no'])],
+    });
+  }
+}

cdk/lib/existing-resources.ts

@@ -0,0 +1,48 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { Construct } from 'constructs';
+export interface ExistingResources {
+  vpc: ec2.IVpc;
+  existingListener: elbv2.IApplicationListener;
+}
+
+export function importExistingResources(scope: Construct): ExistingResources {
+  // Import existing VPC
+  const vpc = ec2.Vpc.fromLookup(scope, 'ImportedVPC', {
+    isDefault: true, // Assuming you're using the default VPC
+  });
+
+  // Import the existing ALB
+  const existingAlb =
+    elbv2.ApplicationLoadBalancer.fromApplicationLoadBalancerAttributes(
+      scope,
+      'ExistingALB',
+      {
+        loadBalancerArn:
+          'arn:aws:elasticloadbalancing:eu-central-1:553637109631:loadbalancer/app/Default-ALB/1c9b1a5fd7bded5e',
+        loadBalancerCanonicalHostedZoneId: 'Z215JYRZR1TBD5',
+        loadBalancerDnsName:
+          'Default-ALB-1235825687.eu-central-1.elb.amazonaws.com',
+        securityGroupId: 'sg-06d60bddabf369fb2',
+        vpc,
+      }
+    );
+
+  // Import existing listener
+  const existingListener =
+    elbv2.ApplicationListener.fromApplicationListenerAttributes(
+      scope,
+      'ExistingListener',
+      {
+        listenerArn:
+          'arn:aws:elasticloadbalancing:eu-central-1:553637109631:listener/app/Default-ALB/1c9b1a5fd7bded5e/b211e068a4b86a7b', // Replace with your listener ARN
+        securityGroup: existingAlb.connections.securityGroups[0],
+      }
+    );
+
+
+  return {
+    vpc,
+    existingListener,
+  };
+}