Release/v4.2.0

.gitignore

@@ -16,3 +16,4 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 yarm-lock.json
+deployment/staging

.viperlightrc

@@ -1,4 +1,5 @@
 {
-  "modules": ["contents", "files", "ncu", "nsp"],
-  "failOn": "medium"
-}
+    "failOn": "medium",
+    "all": true
+  }
+

CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.2.0] - 2023-4-10
+
+### New
+- Converted project from CDK 1 to CDK 2 project. 
+
+### Changed
+- Upgraded multiple nodejs packages to improve security. 
+- Upgraded Lambda runtimes to node 18 from node 12. 
+- Added region name to CachePolicy to allow unique name for multiple stacks with the same stack name in different regions. 
+- Removed application insights
+- MediaPackage IAM role more secure with scoped down privlages. 
+
+### Contributors
+* @eggoynes
 ## [4.1.0] - 2022-11-9
 
 ### New

NOTICE.txt

@@ -35,18 +35,10 @@ react-bootstrap under the Massachusetts Institute of Technology (MIT) license
 react-dom under the Massachusetts Institute of Technology (MIT) license
 react-scripts under the Massachusetts Institute of Technology (MIT) license
 react-player under the Massachusetts Institute of Technology (MIT) license
-json-to-pretty-yaml under the Apache License Version 2.0                                                                      
-@aws-cdk/aws-cloudwatch under the Apache License Version 2.0
-@aws-cdk/aws-lambda under the Apache License Version 2.0
-@aws-cdk/aws-medialive under the Apache License Version 2.0
-@aws-cdk/aws-s3 under the Apache License Version 2.0
-@aws-cdk/aws-servicecatalogappregistry under the Apache License Version 2.0
-@aws-cdk/aws-applicationinsights under the Apache License Version 2.0
-@aws-cdk/core under the Apache License Version 2.0
+json-to-pretty-yaml under the Apache License Version 2.0
 @aws-solutions-constructs/aws-cloudfront-s3 under the Apache License Version 2.0
 cdk-nag under the Apache License Version 2.0
 source-map-support under the Massachusetts Institute of Technology (MIT) license
-@aws-cdk/assert under the Apache License Version 2.0
 @types/jest under the Massachusetts Institute of Technology (MIT) license
 @types/node under the Massachusetts Institute of Technology (MIT) license
 aws-cdk under the Apache License Version 2.0

buildspec.yml

@@ -0,0 +1,37 @@
+version: 0.2  
+
+phases:  
+  install:  
+    runtime-versions: 
+      nodejs: 16
+  pre_build:  
+    commands:  
+      - echo "Installing dependencies and executing unit tests - `pwd`"  
+      - cd deployment && chmod +x ./run-unit-tests.sh && ./run-unit-tests.sh  
+      - echo "Installing dependencies and executing unit tests completed `date`"  
+  build:  
+    commands:  
+      - echo "Starting build `date` in `pwd`"  
+      - chmod +x ./build-s3-dist.sh && ./build-s3-dist.sh $DIST_OUTPUT_BUCKET $SOLUTION_NAME $VERSION  
+      - echo "Build completed `date`"  
+      - echo "Starting open-source-dist `date` in `pwd`"  
+      - chmod +x ./build-open-source-dist.sh && ./build-open-source-dist.sh $SOLUTION_NAME 
+      - echo "Open Source Dist completed `date`"  
+
+  post_build: 
+    commands: 
+      - echo "Retrieving next stage buildspec `date` in `pwd`" 
+      - aws s3 cp s3://solutions-build-assets/changelog-spec.yml ../buildspec.yml 
+      - echo "Retrieving next stage buildspec complete" 
+      - echo "Post build completed on `date`" 
+
+artifacts:  
+  files:  
+      - deployment/**/* 
+      - source/**/*
+      - CHANGELOG.md 
+      - buildspec.yml
+      - .gitignore
+      - sonar-project.properties
+      - NOTICE.txt
+

deployment/build-open-source-dist.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# This assumes all of the OS-level configuration has been completed and git repo has already been cloned
+#
+# This script should be run from the repo's deployment directory
+# cd deployment
+# ./build-open-source-dist.sh solution-name
+#
+# Parameters:
+#  - solution-name: name of the solution for consistency
+
+# Check to see if input has been provided:
+if [ -z "$1" ]; then
+    echo "Please provide the trademark approved solution name for the open source package."
+    echo "For example: ./build-open-source-dist.sh trademarked-solution-name"
+    exit 1
+fi
+
+# Get reference for all important folders
+source_template_dir="$PWD"
+dist_dir="$source_template_dir/open-source"
+dist_template_dir="$dist_dir/deployment"
+source_dir="$source_template_dir/../source"
+
+echo "------------------------------------------------------------------------------"
+echo "Building open-source folder"
+echo "------------------------------------------------------------------------------"
+[ -e $dist_dir ] && rm -rvf $dist_dir
+rm -rf $dist_dir
+mkdir -p $dist_dir
+mkdir -p $dist_template_dir
+
+echo "------------------------------------------------------------------------------"
+echo "Copying Deployment Folder"
+echo "------------------------------------------------------------------------------"
+cp -v $source_template_dir/build-s3-dist.sh $dist_template_dir
+cp -v $source_template_dir/run-unit-tests.sh $dist_template_dir
+cp -vr $source_template_dir/cdk-solution-helper $dist_template_dir
+
+echo "------------------------------------------------------------------------------"
+echo "Copying Source Folder"
+echo "------------------------------------------------------------------------------"
+cp -r $source_dir $dist_dir
+cp $source_template_dir/../LICENSE.txt $dist_dir
+cp $source_template_dir/../NOTICE.txt $dist_dir
+cp $source_template_dir/../README.md $dist_dir
+cp $source_template_dir/../CODE_OF_CONDUCT.md $dist_dir
+cp $source_template_dir/../CONTRIBUTING.md $dist_dir
+cp $source_template_dir/../CHANGELOG.md $dist_dir
+cp $source_template_dir/../.gitignore $dist_dir
+
+echo "------------------------------------------------------------------------------"
+echo "Copying Architecture Diagram and GitHub Templates"
+echo "------------------------------------------------------------------------------"
+cp -r $source_template_dir/assets/.github $dist_dir/
+cp $source_template_dir/assets/architecture.png $dist_dir/
+
+echo "------------------------------------------------------------------------------"
+echo "Removing Build Files From Open Source Packaging"
+echo "------------------------------------------------------------------------------"
+find $dist_dir -iname "node_modules" -type d -exec rm -rf "{}" \; 2> /dev/null
+find $dist_dir -iname "build" -type d -exec rm -rf "{}" \; 2> /dev/null
+
+echo "------------------------------------------------------------------------------"
+echo "Creating GitHub zip file"
+echo "------------------------------------------------------------------------------"
+cd $dist_dir
+zip -q -r9 ../$1.zip * .github .gitignore
+rm -rf * 
+rm -rf .github .gitignore
+mv ../$1.zip .
+echo "Completed building $1.zip"

deployment/build-s3-dist.sh

@@ -63,12 +63,10 @@ npm install --production
 echo "------------------------------------------------------------------------------"
 echo "[Synth] CDK Project"
 echo "------------------------------------------------------------------------------"
-# Make sure user has the newest CDK version
-npm uninstall -g aws-cdk && npm install -g aws-cdk@1
 
 cd $source_dir/constructs
 npm install
-cdk synth --output=$staging_dist_dir
+npx cdk synth --output=$staging_dist_dir
 if [ $? -ne 0 ]
 then
     echo "******************************************************************************"
@@ -113,7 +111,7 @@ for d in `find . -mindepth 1 -maxdepth 1 -type d`; do
     cd $fname
     rm -rf node_modules/
     rm -rf coverage/
-    npm ci --production
+    npm install
     zip -rq ../$fname.zip *
     cd ..
 
@@ -127,7 +125,7 @@ echo "--------------------------------------------------------------------------
 cd $source_dir/console
 [ -e build ] && rm -r build
 [ -e node_modules ] && rm -rf node_modules
-npm ci
+npm install
 touch public/assets/aws-exports.js
 npm run build
 mkdir $build_dist_dir/console

deployment/cdk-solution-helper/index.js

@@ -1,23 +1,14 @@
-/**
- *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
- *  with the License. A copy of the License is located at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
- *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
- *  and limitations under the License.
- */
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
 
 // Imports
 const fs = require('fs');
-const YAML = require('json-to-pretty-yaml');
 
 // Paths
 const global_s3_assets = '../global-s3-assets';
 
+//this regular express also takes into account lambda functions defined in nested stacks
+const _regex = /[\w]*AssetParameters/g;
 
 // For each template in global_s3_assets ...
 fs.readdirSync(global_s3_assets).forEach(file => {
@@ -28,38 +19,99 @@ fs.readdirSync(global_s3_assets).forEach(file => {
     // Clean-up Lambda function code dependencies
     const resources = (template.Resources) ? template.Resources : {};
     const lambdaFunctions = Object.keys(resources).filter(function (key) {
-        return resources[key].Type === 'AWS::Lambda::Function';
+        return (resources[key].Type === 'AWS::Lambda::Function');
     });
 
-	// Rename lambda Assets to resource name and set the S3 key reference
-
     lambdaFunctions.forEach(function (f) {
         const fn = template.Resources[f];
-        if (fn.Properties.Code.hasOwnProperty('S3Bucket')) {
+        let prop;
+        if (fn.Properties.hasOwnProperty('Code')) {
+            prop = fn.Properties.Code;
+        } else if (fn.Properties.hasOwnProperty('Content')) {
+            prop = fn.Properties.Content;
+        }
+
+        console.debug(`fn: ${JSON.stringify(fn)}`);
+        console.debug(`prop: ${JSON.stringify(prop)}`);
+
+        if (prop.hasOwnProperty("S3Bucket")) {
             // Set the S3 key reference
-            let artifactHash = Object.assign(fn.Properties.Code.S3Bucket.Ref);
-            artifactHash = artifactHash.replace('AssetParameters', '');
-            artifactHash = artifactHash.substring(0, artifactHash.indexOf('S3Bucket'));
+            let artifactHash = Object.assign(prop.S3Key);
+            console.debug(`artifactHash is ${artifactHash}`);
             const assetPath = `asset${artifactHash}`;
-            fn.Properties.Code.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${assetPath}.zip`;
-
+            prop.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${assetPath}`;
+     
             // Set the S3 bucket reference
-            fn.Properties.Code.S3Bucket = {
-                'Fn::Sub': '%%BUCKET_NAME%%-${AWS::Region}'
-            };
+            prop.S3Bucket = {
+            "Fn::Sub": "%%BUCKET_NAME%%-${AWS::Region}",
+        };
+      } else {
+        console.warn(`No S3Bucket Property found for ${JSON.stringify(prop)}`);
+      }
+    });
+
+    // Clean-up Lambda Layer code dependencies
+    const lambdaLayers = Object.keys(resources).filter(function (key) {
+    return resources[key].Type === "AWS::Lambda::LayerVersion";
+    });
+    lambdaLayers.forEach(function (l) {
+    const layer = template.Resources[l];
+    if (layer.Properties.Content.hasOwnProperty('S3Bucket')) {
+        let s3Key = Object.assign(layer.Properties.Content.S3Key);
+        layer.Properties.Content.S3Key = `%%SOLUTION_NAME%%/%%VERSION%%/${s3Key}`;
+        layer.Properties.Content.S3Bucket = {
+        'Fn::Sub': '%%BUCKET_NAME%%-${AWS::Region}'
         }
+    }
+    });
+
+    // Clean-up nested template stack dependencies
+    const nestedStacks = Object.keys(resources).filter(function(key) {
+        return resources[key].Type === 'AWS::CloudFormation::Stack'
+    });
+
+    nestedStacks.forEach(function(f) {
+        const fn = template.Resources[f];
+        fn.Properties.TemplateURL = {
+            'Fn::Join': [
+                '',
+                [
+                    'https://%%TEMPLATE_BUCKET_NAME%%.s3.',
+                    {
+                        'Ref' : 'AWS::URLSuffix'
+                    },
+                    '/',
+                    `%%SOLUTION_NAME%%/%%VERSION%%/${fn.Metadata.nestedStackFileName}`
+                ]
+            ]
+        };
+
+        const params = fn.Properties.Parameters ? fn.Properties.Parameters : {};
+        const nestedStackParameters = Object.keys(params).filter(function(key) {
+            if (key.search(_regex) > -1) {
+                return true;
+            }
+            return false;
+        });
+
+        nestedStackParameters.forEach(function(stkParam) {
+            fn.Properties.Parameters[stkParam] = undefined;
+        });
     });
 
     // Clean-up parameters section
     const parameters = (template.Parameters) ? template.Parameters : {};
     const assetParameters = Object.keys(parameters).filter(function (key) {
-        return key.includes('AssetParameters');
+        if (key.search(_regex) > -1) {
+            return true;
+        }
+        return false;
     });
     assetParameters.forEach(function (a) {
         template.Parameters[a] = undefined;
     });
 
-    // Convert modified template to YAML and output to file
-	const output_template =  YAML.stringify(template);
+    // Output modified template file
+    const output_template = JSON.stringify(template, null, 2);
     fs.writeFileSync(`${global_s3_assets}/${file}`, output_template);
 });