Merge branch 'DOP-3811' into DOP-3833

.gitignore

@@ -11,4 +11,5 @@ coverage
 out
 local.json
 globalConfig.json
-.serverless
+.serverless
+dist

Dockerfile.enhanced

@@ -4,7 +4,7 @@ WORKDIR /home/docsworker-xlarge
 COPY  config config/
 COPY package*.json ./
 COPY tsconfig*.json ./
-RUN npm ci
+RUN npm ci --legacy-peer-deps
 COPY . ./
 RUN npm run build
 

cdk-infra/bin/cdk-infra.ts

@@ -1,9 +1,11 @@
 #!/usr/bin/env node
 import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
-import { AutoBuilderStack } from '../lib/auto-builder-stack';
 import { getSsmPathPrefix, getWebhookSecureStrings, getWorkerSecureStrings } from '../utils/ssm';
 import { getFeatureName, initContextVars } from '../utils/env';
+import { AutoBuilderQueueStack } from '../lib/stacks/auto-builder-queue-stack';
+import { WorkerStack } from '../lib/stacks/worker-stack';
+import { WebhookStack } from '../lib/stacks/webhook-stack';
 
 async function main() {
   const app = new cdk.App();
@@ -15,29 +17,22 @@ async function main() {
 
   const ssmPrefix = getSsmPathPrefix();
 
+  const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION };
+
   // Constructors can't be async, so since I am doing this workaround for the secure strings,
   // they need to be retrieved before we create the stack.
   const workerSecureStrings = await getWorkerSecureStrings(ssmPrefix);
   const webhookSecureStrings = await getWebhookSecureStrings(ssmPrefix);
 
   const stackName = `auto-builder-stack-${getFeatureName()}`;
 
-  new AutoBuilderStack(app, stackName, {
-    /* If you don't specify 'env', this stack will be environment-agnostic.
-     * Account/Region-dependent features and context lookups will not work,
-     * but a single synthesized template can be deployed anywhere. */
-    /* Uncomment the next line to specialize this stack for the AWS Account
-     * and Region that are implied by the current CLI configuration. */
-    // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-    /* Uncomment the next line if you know exactly what Account and Region you
-     * want to deploy the stack to. */
-    env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-    workerSecureStrings,
+  const queues = new AutoBuilderQueueStack(app, `${stackName}-queues`, { env });
+  const { clusterName } = new WorkerStack(app, `${stackName}-worker`, { queues, workerSecureStrings, env });
+  new WebhookStack(app, `${stackName}-webhooks`, {
+    queues,
+    clusterName,
     webhookSecureStrings,
-    tags: {
-      stackName,
-    },
-    /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
+    env,
   });
 }
 

cdk-infra/cdk.json

@@ -12,6 +12,7 @@
       "yarn.lock",
       "node_modules",
       "dist",
+      "cdk.out",
       "test"
     ]
   },

cdk-infra/lib/constructs/api/webhook-env-construct.ts

@@ -32,6 +32,7 @@ export class WebhookEnvConstruct extends Construct {
       NODE_CONFIG_DIR: './config',
       JOBS_QUEUE_URL: jobsQueue.queueUrl,
       JOB_UPDATES_QUEUE_URL: jobUpdatesQueue.queueUrl,
+      NODE_OPTIONS: '--enable-source-maps',
     };
   }
 }

cdk-infra/lib/constructs/worker/worker-construct.ts

@@ -15,15 +15,15 @@ import path from 'path';
 import { isEnhanced } from '../../../utils/env';
 
 interface WorkerConstructProps {
-  environment: Record<string, string>;
+  dockerEnvironment: Record<string, string>;
   jobsQueue: IQueue;
   jobUpdatesQueue: IQueue;
 }
 export class WorkerConstruct extends Construct {
   readonly ecsTaskRole: IRole;
   readonly clusterName: string;
 
-  constructor(scope: Construct, id: string, { environment, jobsQueue, jobUpdatesQueue }: WorkerConstructProps) {
+  constructor(scope: Construct, id: string, { dockerEnvironment, jobsQueue, jobUpdatesQueue }: WorkerConstructProps) {
     super(scope, id);
 
     const vpc = new Vpc(this, 'vpc', {
@@ -76,8 +76,8 @@ export class WorkerConstruct extends Construct {
     const containerProps: AssetImageProps = {
       file: isEnhanced() ? 'Dockerfile.enhanced' : undefined,
       buildArgs: {
-        NPM_BASE_64_AUTH: environment.NPM_BASE_64_AUTH,
-        NPM_EMAIL: environment.NPM_EMAIL,
+        NPM_BASE_64_AUTH: dockerEnvironment.NPM_BASE_64_AUTH,
+        NPM_EMAIL: dockerEnvironment.NPM_EMAIL,
       },
     };
 
@@ -89,9 +89,22 @@ export class WorkerConstruct extends Construct {
       executionRole,
     });
 
+    const updateTaskProtectionPolicy = new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ['ecs:UpdateTaskProtection'],
+      conditions: {
+        ArnEquals: {
+          'ecs:cluster': cluster.clusterArn,
+        },
+      },
+      resources: ['*'],
+    });
+
+    taskRole.addToPolicy(updateTaskProtectionPolicy);
+
     taskDefinition.addContainer('workerImage', {
       image: ContainerImage.fromAsset(path.join(__dirname, '../../../../'), containerProps),
-      environment,
+      environment: dockerEnvironment,
       logging: LogDrivers.awsLogs({
         streamPrefix: 'autobuilderworker',
         logGroup: taskDefLogGroup,
@@ -103,6 +116,7 @@ export class WorkerConstruct extends Construct {
       taskDefinition,
       desiredCount: 5,
       minHealthyPercent: 100,
+      maxHealthyPercent: 200,
     });
 
     this.clusterName = cluster.clusterName;

cdk-infra/lib/stacks/auto-builder-queue-stack.ts

@@ -0,0 +1,22 @@
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { AutoBuilderQueuesConstruct } from '../constructs/queue/queues-construct';
+import { IQueue } from 'aws-cdk-lib/aws-sqs';
+
+export interface AutoBuilderQueues {
+  jobsQueue: IQueue;
+  jobUpdatesQueue: IQueue;
+}
+
+export class AutoBuilderQueueStack extends Stack {
+  public readonly jobUpdatesQueue: IQueue;
+  public readonly jobsQueue: IQueue;
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const { jobUpdatesQueue, jobsQueue } = new AutoBuilderQueuesConstruct(this, 'queues');
+
+    this.jobUpdatesQueue = jobUpdatesQueue;
+    this.jobsQueue = jobsQueue;
+  }
+}

cdk-infra/lib/auto-builder-stack.ts → cdk-infra/lib/stacks/auto-builder-stack.ts

@@ -1,12 +1,12 @@
 import { Stack, StackProps } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 
-import { WebhookApiConstruct } from './constructs/api/webhook-api-construct';
-import { WebhookEnvConstruct } from './constructs/api/webhook-env-construct';
-import { AutoBuilderQueuesConstruct } from './constructs/queue/queues-construct';
-import { WorkerBucketsConstruct } from './constructs/worker/buckets-construct';
-import { WorkerConstruct } from './constructs/worker/worker-construct';
-import { WorkerEnvConstruct } from './constructs/worker/worker-env-construct';
+import { WebhookApiConstruct } from '../constructs/api/webhook-api-construct';
+import { WebhookEnvConstruct } from '../constructs/api/webhook-env-construct';
+import { AutoBuilderQueuesConstruct } from '../constructs/queue/queues-construct';
+import { WorkerBucketsConstruct } from '../constructs/worker/buckets-construct';
+import { WorkerConstruct } from '../constructs/worker/worker-construct';
+import { WorkerEnvConstruct } from '../constructs/worker/worker-env-construct';
 
 interface AutoBuilderStackProps extends StackProps {
   workerSecureStrings: Record<string, string>;
@@ -32,7 +32,7 @@ export class AutoBuilderStack extends Stack {
     });
 
     const { clusterName, ecsTaskRole } = new WorkerConstruct(this, 'worker', {
-      environment: workerEnvironment,
+      dockerEnvironment: workerEnvironment,
       ...queues,
     });
 

cdk-infra/lib/stacks/webhook-stack.ts

@@ -0,0 +1,30 @@
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { AutoBuilderQueues } from './auto-builder-queue-stack';
+import { WebhookApiConstruct } from '../constructs/api/webhook-api-construct';
+import { WebhookEnvConstruct } from '../constructs/api/webhook-env-construct';
+
+interface WebhookStackProps extends StackProps {
+  webhookSecureStrings: Record<string, string>;
+  queues: AutoBuilderQueues;
+  clusterName: string;
+}
+export class WebhookStack extends Stack {
+  constructor(
+    scope: Construct,
+    id: string,
+    { queues, webhookSecureStrings, clusterName, ...props }: WebhookStackProps
+  ) {
+    super(scope, id, props);
+
+    const { environment: webhookEnvironment } = new WebhookEnvConstruct(this, 'ssmVars', {
+      ...queues,
+      secureStrings: webhookSecureStrings,
+    });
+
+    new WebhookApiConstruct(this, 'api', {
+      ...queues,
+      environment: { ...webhookEnvironment, TASK_DEFINITION_FAMILY: clusterName },
+    });
+  }
+}

cdk-infra/lib/stacks/worker-stack.ts

@@ -0,0 +1,36 @@
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { WorkerConstruct } from '../constructs/worker/worker-construct';
+import { WorkerEnvConstruct } from '../constructs/worker/worker-env-construct';
+import { WorkerBucketsConstruct } from '../constructs/worker/buckets-construct';
+import { AutoBuilderQueues } from './auto-builder-queue-stack';
+
+interface WorkerStackProps extends StackProps {
+  workerSecureStrings: Record<string, string>;
+  queues: AutoBuilderQueues;
+}
+
+export class WorkerStack extends Stack {
+  public readonly clusterName: string;
+
+  constructor(scope: Construct, id: string, { queues, workerSecureStrings, ...props }: WorkerStackProps) {
+    super(scope, id, props);
+
+    const { environment } = new WorkerEnvConstruct(this, 'workerSsmVars', {
+      ...queues,
+      secureStrings: workerSecureStrings,
+    });
+
+    const { clusterName, ecsTaskRole } = new WorkerConstruct(this, 'worker', {
+      dockerEnvironment: environment,
+      ...queues,
+    });
+    const { buckets } = new WorkerBucketsConstruct(this, 'workerBuckets');
+
+    buckets.forEach((bucket) => {
+      bucket.grantReadWrite(ecsTaskRole);
+    });
+
+    this.clusterName = clusterName;
+  }
+}