stackset changes and hosted zone cdk stacks

Author: elthrasher

.eslintignore

@@ -0,0 +1 @@
+cdk.out

.eslintrc.cjs

@@ -0,0 +1,7 @@
+module.exports = {
+    env: { node: true },
+    extends: ['eslint:recommended', 'plugin:@typescript-eslint/recommended', 'plugin:prettier/recommended'],
+    parser: '@typescript-eslint/parser',
+    plugins: ['@typescript-eslint'],
+    root: true,
+};

.gitignore

@@ -1,2 +1,6 @@
 .vscode
 .DS_Store
+node_modules
+
+cdk.out
+coverage

.prettierrc.cjs

@@ -0,0 +1,7 @@
+module.exports = {
+    semi: true,
+    trailingComma: 'all',
+    singleQuote: true,
+    printWidth: 120,
+    tabWidth: 2,
+};

StackSets/README.md

@@ -7,7 +7,7 @@
 ```
 
 ```bash
-% aws cloudformation create-stack-instances --stack-set-name required-tags --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv --regions eu-west-1 --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
+% aws cloudformation create-stack-instances --stack-set-name required-tags --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv,ou-o1po-gc7tz6ee --regions eu-west-1 us-east-1
 ```
 
 ## PermissionsBoundary StackSet
@@ -17,7 +17,7 @@
 ```
 
 ```bash
-% aws cloudformation create-stack-instances --stack-set-name permissions-boundary --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv,Accounts=353228500194 --regions eu-west-1 --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
+% aws cloudformation create-stack-instances --stack-set-name permissions-boundary --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv,ou-o1po-gc7tz6ee --regions eu-west-1
 ```
 
 ```bash
@@ -27,9 +27,13 @@ aws cloudformation create-stack --stack-name permissions-boundary --template-bod
 ## CDK Bootstrap StackSet
 
 ```bash
-% aws cloudformation create-stack-set --stack-set-name cdk-bootstrap --template-body file://./StackSets/CdkBootstrap.yml --region eu-west-1 --tags Key=acb:cost-allocation:env,Value=org Key=acb:cost-allocation:owner,[email protected] Key=acb:cost-allocation:provider,Value=CloudFormation Key=acb:cost-allocation:service,Value=organization --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=InputPermissionsBoundary,ParameterValue=developer-policy
+% aws cloudformation create-stack-set --stack-set-name cdk-bootstrap --template-body file://./StackSets/CdkBootstrap.yml --region eu-west-1 --tags Key=acb:cost-allocation:env,Value=org Key=acb:cost-allocation:owner,[email protected] Key=acb:cost-allocation:provider,Value=CloudFormation Key=acb:cost-allocation:service,Value=organization --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=InputPermissionsBoundary,ParameterValue=developer-policy ParameterKey=TrustedAccounts,ParameterValue=447002520154 ParameterKey=CloudFormationExecutionPolicies,ParameterValue=arn:aws:iam::aws:policy/AdministratorAccess
 ```
 
 ```bash
-% aws cloudformation create-stack-instances --stack-set-name cdk-bootstrap --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv --regions eu-west-1 --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
-```
+% aws cloudformation create-stack-instances --stack-set-name cdk-bootstrap --deployment-targets OrganizationalUnitIds=ou-o1po-8t2jlg7y,ou-o1po-nc0nerid,ou-o1po-ei9sq3nv,ou-o1po-gc7tz6ee --regions eu-west-1 us-east-1
+```
+
+```bash
+% aws cloudformation create-stack --stack-name cdk-bootstrap --template-body file://./StackSets/CdkBootstrap.yml --region eu-west-1 --tags Key=acb:cost-allocation:env,Value=org Key=acb:cost-allocation:owner,[email protected] Key=acb:cost-allocation:provider,Value=CloudFormation Key=acb:cost-allocation:service,Value=organization --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=InputPermissionsBoundary,ParameterValue=developer-policy
+```

cdk.json

@@ -0,0 +1,53 @@
+{
+    "app": "npx ts-node --prefer-ts-exts cdk/aws-organization-for-devs.ts",
+    "watch": {
+        "include": [
+            "**"
+        ],
+        "exclude": [
+            "README.md",
+            "cdk*.json",
+            "**/*.d.ts",
+            "**/*.js",
+            "tsconfig.json",
+            "package*.json",
+            "yarn.lock",
+            "node_modules",
+            "test"
+        ]
+    },
+    "context": {
+        "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+        "@aws-cdk/core:checkSecretUsage": true,
+        "@aws-cdk/core:target-partitions": [
+            "aws",
+            "aws-cn"
+        ],
+        "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+        "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+        "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+        "@aws-cdk/aws-iam:minimizePolicies": true,
+        "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+        "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+        "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+        "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+        "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+        "@aws-cdk/core:enablePartitionLiterals": true,
+        "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+        "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+        "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+        "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+        "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+        "@aws-cdk/aws-route53-patters:useCertificate": true,
+        "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+        "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+        "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+        "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+        "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+        "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+        "@aws-cdk/aws-redshift:columnId": true,
+        "@aws-cdk/core:permissionsBoundary": {
+            "name": "developer-policy"
+        }
+    }
+}

cdk/README.md

@@ -0,0 +1,9 @@
+# CDK Stacks
+
+## Hosted Zone Stack
+
+Creates the root hosted zone for awscommunitybuilders.org and a delegation role that will allow stacks in other accounts to create subdomains.
+
+## Delegated Zone Stack
+
+Creates an environment-specific subdomain and a wildcard certificate for that subdomain. The certificate arn is stored in Secrets Manager (and not Parameter Store because of region replication) so that other stacks can apply the arn to Cloudfront Distributions.

cdk/__snapshots__/delegated-zone-stack.spec.ts.snap

@@ -0,0 +1,240 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`Entire Stack > match a snapshot 1`] = `
+{
+  "Outputs": {
+    "certArn": {
+      "Description": "certificate arn",
+      "Value": {
+        "Ref": "DelegatedZoneCert71201BFD",
+      },
+    },
+    "nameservers": {
+      "Description": "nameservers",
+      "Value": {
+        "Fn::Join": [
+          ", ",
+          {
+            "Fn::GetAtt": [
+              "delegatedZone93B2A299",
+              "NameServers",
+            ],
+          },
+        ],
+      },
+    },
+  },
+  "Parameters": {
+    "BootstrapVersion": {
+      "Default": "/cdk-bootstrap/hnb659fds/version",
+      "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]",
+      "Type": "AWS::SSM::Parameter::Value<String>",
+    },
+  },
+  "Resources": {
+    "AccountCerteArn7BFDEF53": {
+      "DeletionPolicy": "Delete",
+      "Properties": {
+        "Name": "/account/certificateArn",
+        "ReplicaRegions": [
+          {
+            "Region": "eu-west-1",
+          },
+        ],
+        "SecretString": {
+          "Ref": "DelegatedZoneCert71201BFD",
+        },
+      },
+      "Type": "AWS::SecretsManager::Secret",
+      "UpdateReplacePolicy": "Delete",
+    },
+    "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265": {
+      "DependsOn": [
+        "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
+      ],
+      "Properties": {
+        "Code": {"S3Bucket":{"Fn::Sub":"cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}"},"S3Key":"[HASH REMOVED].zip"},
+        "Handler": "__entrypoint__.handler",
+        "MemorySize": 128,
+        "Role": {
+          "Fn::GetAtt": [
+            "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs14.x",
+        "Timeout": 900,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "DelegatedZoneCert71201BFD": {
+      "Properties": {
+        "DomainName": "*.sandbox.awscommunitybuilders.org",
+        "DomainValidationOptions": [
+          {
+            "DomainName": "*.sandbox.awscommunitybuilders.org",
+            "HostedZoneId": {
+              "Ref": "delegatedZone93B2A299",
+            },
+          },
+        ],
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "test-stack/DelegatedZoneCert",
+          },
+        ],
+        "ValidationMethod": "DNS",
+      },
+      "Type": "AWS::CertificateManager::Certificate",
+    },
+    "DelegationRecordCrossAccountZoneDelegationCustomResource3FB1AD46": {
+      "DeletionPolicy": "Delete",
+      "DependsOn": [
+        "DelegationRecordcrossaccountzonedelegationhandlerrolePolicy7B31DBF8",
+      ],
+      "Properties": {
+        "AssumeRoleArn": {
+          "Fn::Join": [
+            "",
+            [
+              "arn:",
+              {
+                "Ref": "AWS::Partition",
+              },
+              ":iam::353228500194:role/HostedZoneDelegationRole",
+            ],
+          ],
+        },
+        "DelegatedZoneName": "sandbox.awscommunitybuilders.org",
+        "DelegatedZoneNameServers": {
+          "Fn::GetAtt": [
+            "delegatedZone93B2A299",
+            "NameServers",
+          ],
+        },
+        "ParentZoneName": "awscommunitybuilders.org",
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "CustomCrossAccountZoneDelegationCustomResourceProviderHandler44A84265",
+            "Arn",
+          ],
+        },
+        "TTL": 172800,
+      },
+      "Type": "Custom::CrossAccountZoneDelegation",
+      "UpdateReplacePolicy": "Delete",
+    },
+    "DelegationRecordcrossaccountzonedelegationhandlerrolePolicy7B31DBF8": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:",
+                    {
+                      "Ref": "AWS::Partition",
+                    },
+                    ":iam::353228500194:role/HostedZoneDelegationRole",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "DelegationRecordcrossaccountzonedelegationhandlerrolePolicy7B31DBF8",
+        "Roles": [
+          {
+            "Fn::Select": [
+              1,
+              {
+                "Fn::Split": [
+                  "/",
+                  {
+                    "Fn::Select": [
+                      5,
+                      {
+                        "Fn::Split": [
+                          ":",
+                          {
+                            "Fn::GetAtt": [
+                              "CustomCrossAccountZoneDelegationCustomResourceProviderRoleED64687B",
+                              "Arn",
+                            ],
+                          },
+                        ],
+                      },
+                    ],
+                  },
+                ],
+              },
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
+    "delegatedZone93B2A299": {
+      "Properties": {
+        "Name": "sandbox.awscommunitybuilders.org.",
+      },
+      "Type": "AWS::Route53::HostedZone",
+    },
+  },
+  "Rules": {
+    "CheckBootstrapVersion": {
+      "Assertions": [
+        {
+          "Assert": {
+            "Fn::Not": [
+              {
+                "Fn::Contains": [
+                  [
+                    "1",
+                    "2",
+                    "3",
+                    "4",
+                    "5",
+                  ],
+                  {
+                    "Ref": "BootstrapVersion",
+                  },
+                ],
+              },
+            ],
+          },
+          "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.",
+        },
+      ],
+    },
+  },
+}
+`;