diff --git a/bin/cicd.ts b/bin/cicd.ts
new file mode 100644
index 0000000..657f7c0
--- /dev/null
+++ b/bin/cicd.ts
@@ -0,0 +1,9 @@
+import * as cdk from "aws-cdk-lib";
+import {CICDStack} from "../lib/cicd-stack";
+import {utilAccountEnv} from "./constants";
+
+const app = new cdk.App();
+
+new CICDStack(app, 'CICDStack', {
+ env: utilAccountEnv
+});
\ No newline at end of file
diff --git a/bin/constants.ts b/bin/constants.ts
new file mode 100644
index 0000000..f132c5d
--- /dev/null
+++ b/bin/constants.ts
@@ -0,0 +1,12 @@
+
+export const utilAccountID = '362408963076';
+export const dnsAccountID = '058264224454';
+
+export const utilAccountEnv = {
+ region: 'eu-central-1',
+ account: utilAccountID
+}
+export const dnsAccountEnv = {
+ region: 'eu-central-1',
+ account: dnsAccountID
+}
\ No newline at end of file
diff --git a/bin/dns.ts b/bin/dns.ts
new file mode 100644
index 0000000..b705af0
--- /dev/null
+++ b/bin/dns.ts
@@ -0,0 +1,24 @@
+import * as cdk from "aws-cdk-lib";
+import {DNSStack} from "../lib/dns-stack";
+import {dnsAccountEnv} from "./constants";
+
+const app = new cdk.App();
+
+new DNSStack(app, 'DNSStack', {
+ // WARNING: The Zones have been manually created with a reusable delegation set.
+ // Further zones should follow the same procedure, to use the same white-label nameservers.
+ // The create-hosted-zone script can be used to create a new zone, and the update-default-records
+ // script can be used to update the SOA and NS records.
+ domains: [
+ 'elite12.de',
+ 'kirschbaum.me',
+ 'kirschbaum.cloud',
+ 'bund-von-theramore.de',
+ 'theramo.re',
+ 'markus-dope.de',
+ 'grillteller42.de',
+ 'trigardon-rg.de',
+ 'westerwald-esport.de',
+ ],
+ env: dnsAccountEnv
+})
\ No newline at end of file
diff --git a/bin/domain-placeholder.ts b/bin/domain-placeholder.ts
new file mode 100644
index 0000000..b43eb7b
--- /dev/null
+++ b/bin/domain-placeholder.ts
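Review bot: `utilAccountEnv` and `dnsAccountEnv` in `bin/constants.ts` are untyped object literals, and because every field of CDK's `Environment` is optional a single misspelt key (`acount`, `regoin`) may slip through the assignment to `env:` and yield a stack that is not pinned to the intended account; declare them as `import * as cdk from "aws-cdk-lib";` plus `export const utilAccountEnv: cdk.Environment = { ... }` so the shape is checked at compile time. A short comment naming the two accounts would also help a newcomer, e.g. `// "utils" account: hosts the workload stacks and the CI/CD role; "dns" account: holds the Route53 hosted zones, reached cross-account via the *DnsDelegationRole roles` — that is what the other bin/ files in this commit suggest, so confirm the wording.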
@@ -0,0 +1,15 @@
+import * as cdk from "aws-cdk-lib";
+import {DomainPlaceholderStack} from "../lib/domain-placeholder-stack";
+import {dnsAccountID, utilAccountEnv} from "./constants";
+
+const app = new cdk.App();
+
+new DomainPlaceholderStack(app, 'DomainPlaceholderStack', {
+ domainName: 'kirschbaum.cloud',
+ dnsDelegation: {
+ account: dnsAccountID,
+ roleName: 'DomainPlaceholderDnsDelegationRole',
+ hostedZoneId: 'Z0202936UCVSS5ELQXV6'
+ },
+ env: utilAccountEnv
+})
\ No newline at end of file
diff --git a/bin/log-redirect.ts b/bin/log-redirect.ts
new file mode 100644
index 0000000..da40bab
--- /dev/null
+++ b/bin/log-redirect.ts
@@ -0,0 +1,16 @@
+import * as cdk from "aws-cdk-lib";
+import {LogRedirectStack} from "../lib/log-redirect-stack";
+import {dnsAccountID, utilAccountEnv} from "./constants";
+
+const app = new cdk.App();
+
+new LogRedirectStack(app, 'LogRedirectStack', {
+ domainName: 'logs.theramo.re',
+ wclTokenSecretName: 'wcl-user-token',
+ dnsDelegation: {
+ account: dnsAccountID,
+ roleName: 'LogsDnsDelegationRole',
+ hostedZoneId: 'Z063409814X6LVK19O0XU'
+ },
+ env: utilAccountEnv
+});
\ No newline at end of file
diff --git a/bin/prime-scout.ts b/bin/prime-scout.ts
new file mode 100644
index 0000000..631212b
--- /dev/null
+++ b/bin/prime-scout.ts
@@ -0,0 +1,15 @@
+import * as cdk from "aws-cdk-lib";
+import {PrimeScoutStack} from "../lib/prime-scout-stack";
+import {dnsAccountID, utilAccountEnv} from "./constants";
+
+const app = new cdk.App();
+
+new PrimeScoutStack(app, 'PrimeScoutStack', {
+ domainName: 'scout.westerwald-esport.de',
+ dnsDelegation: {
+ account: dnsAccountID,
+ roleName: 'PrimeScoutDnsDelegationRole',
+ hostedZoneId: 'Z061068430M8Q8F3V3ROJ'
+ },
+ env: utilAccountEnv
+});
\ No newline at end of file
diff --git a/bin/utils.ts b/bin/utils.ts
deleted file mode 100644
index 76b779c..0000000
--- a/bin/utils.ts
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/env node
-import 'source-map-support/register';
-import * as cdk from 'aws-cdk-lib';
-import { LogRedirectStack } from '../lib/log-redirect-stack';
-import {CIStack} from "../lib/ci-stack";
-import {DomainPlaceholderStack} from "../lib/domain-placeholder-stack";
-import {DnsStack} from "../lib/dns-stack";
-import {PrimeScoutStack} from "../lib/prime-scout-stack";
-
-const utilAccountID = '362408963076';
-const dnsAccountID = '058264224454';
-
-const app = new cdk.App();
-
-const utilAccountEnv = {
- region: 'eu-central-1',
- account: utilAccountID
-}
-
-const ciStack = new CIStack(app, 'CIStack', {
- env: utilAccountEnv
-});
-
-new DnsStack(app, 'DNSStack', {
- // WARNING: The Zones have been manually created with a reusable delegation set.
- // Further zones should follow the same procedure, to use the same white-label nameservers.
- // The create-hosted-zone script can be used to create a new zone, and the update-default-records
- // script can be used to update the SOA and NS records.
- domains: [
- 'elite12.de',
- 'kirschbaum.me',
- 'kirschbaum.cloud',
- 'bund-von-theramore.de',
- 'theramo.re',
- 'markus-dope.de',
- 'grillteller42.de',
- 'trigardon-rg.de',
- 'westerwald-esport.de',
- ],
- env: {
- region: 'eu-central-1',
- account: dnsAccountID
- }
-})
-
-new LogRedirectStack(app, 'LogRedirectStack', {
- domainName: 'logs.theramo.re',
- wclTokenSecretName: 'wcl-user-token',
- dnsDelegation: {
- account: dnsAccountID,
- roleName: 'LogsDnsDelegationRole',
- hostedZoneId: 'Z063409814X6LVK19O0XU'
- },
- env: utilAccountEnv
-});
-
-new DomainPlaceholderStack(app, 'DomainPlaceholderStack', {
- domainName: 'kirschbaum.cloud',
- dnsDelegation: {
- account: dnsAccountID,
- roleName: 'DomainPlaceholderDnsDelegationRole',
- hostedZoneId: 'Z0202936UCVSS5ELQXV6'
- },
- env: utilAccountEnv
-})
-
-new PrimeScoutStack(app, 'PrimeScoutStack', {
- domainName: 'scout.westerwald-esport.de',
- dnsDelegation: {
- account: dnsAccountID,
- roleName: 'PrimeScoutDnsDelegationRole',
- hostedZoneId: 'Z061068430M8Q8F3V3ROJ'
- },
- env: utilAccountEnv
-});
diff --git a/cdk.json b/cdk.json
index 9d0026e..00b23bb 100644
--- a/cdk.json
+++ b/cdk.json
@@ -1,5 +1,4 @@
 {
- "app": "npx ts-node --prefer-ts-exts bin/utils.ts",
 "watch": {
 "include": [
 "**"
diff --git a/lib/ci-stack.ts b/lib/ci-stack.ts
deleted file mode 100644
index 04aea92..0000000
--- a/lib/ci-stack.ts
+++ /dev/null
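Review bot: Removing the `"app"` key from `cdk.json` leaves the repository with no default app, so a bare `cdk synth` or `cdk deploy` now fails until the caller passes `--app`; presumably the GitHub Actions workflow that replaces the deleted CodeBuild project supplies `--app "npx ts-node --prefer-ts-exts bin/<stack>.ts"` per stack, but that workflow is not part of this diff. Either document the per-stack invocation next to the bin/ entry points, or keep a zero-argument default such as `"app": "npx ts-node --prefer-ts-exts bin/cicd.ts",` so the bootstrap stack remains deployable without remembering the flag.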
@@ -1,50 +0,0 @@
-import {Stack, StackProps} from "aws-cdk-lib";
-import {Construct} from "constructs";
-import * as codebuild from 'aws-cdk-lib/aws-codebuild';
-
-export class CIStack extends Stack {
- constructor(scope: Construct, id: string, props: StackProps) {
- super(scope, id, props);
-
- this.createUtilBuild();
- }
-
- private createUtilBuild() {
- new codebuild.Project(this, 'Build', {
- source: codebuild.Source.gitHub({
- owner: 'SvenKirschbaum',
- repo: 'aws-utils',
- webhook: true,
- webhookFilters: [
- codebuild.FilterGroup.inEventOf(
- codebuild.EventAction.PULL_REQUEST_CREATED,
- codebuild.EventAction.PULL_REQUEST_UPDATED,
- codebuild.EventAction.PULL_REQUEST_REOPENED,
- ),
- ],
- reportBuildStatus: true,
- }),
- buildSpec: codebuild.BuildSpec.fromObject({
- version: 0.2,
- phases: {
- install: {
- commands: [
- 'npm ci',
- '(cd lambda/log-redirect && npm ci --unsafe-perm)',
- ],
- },
- build: {
- commands: [
- 'npx cdk synth',
- ],
- },
- },
- }),
- environment: {
- buildImage: codebuild.LinuxArmBuildImage.AMAZON_LINUX_2_STANDARD_3_0,
- computeType: codebuild.ComputeType.SMALL,
- privileged: true,
- },
- });
- }
-}
diff --git a/lib/cicd-stack.ts b/lib/cicd-stack.ts
new file mode 100644
index 0000000..dd2eefe
--- /dev/null
+++ b/lib/cicd-stack.ts
@@ -0,0 +1,63 @@
+import {Arn, Stack, StackProps} from "aws-cdk-lib";
+import {Construct} from "constructs";
+import {
+ Effect,
+ FederatedPrincipal,
+ OpenIdConnectProvider,
+ PolicyStatement,
+ Role
+} from "aws-cdk-lib/aws-iam";
+export class CICDStack extends Stack {
+ private githubProvider: OpenIdConnectProvider;
+ constructor(scope: Construct, id: string, props: StackProps) {
+ super(scope, id, props);
+
+ this.addGithubActionsIdentityProvider();
+ this.addGithubActionPermissions();
+ }
+
+ private addGithubActionsIdentityProvider() {
+ this.githubProvider = new OpenIdConnectProvider(this, 'github-actions-oidc-provider', {
+ url: 'https://token.actions.githubusercontent.com',
+ thumbprints: ['1b511abead59c6ce207077c0bf0e0043b1382612'],
+ clientIds: ['sts.amazonaws.com']
+ });
+ }
+
+ private addGithubActionPermissions() {
+ const githubActionsRole = new Role(this, 'github-utils-actions-role', {
+ roleName: 'GithubActionsUtilsRole',
+ assumedBy: new FederatedPrincipal(
+ this.githubProvider.openIdConnectProviderArn,
+ {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+ "token.actions.githubusercontent.com:sub": "repo:SvenKirschbaum/aws-utils:ref:refs/heads/master",
+ }
+ }
+ ),
+ });
+
+ githubActionsRole.addToPolicy(new PolicyStatement({
+ effect: Effect.ALLOW,
+ actions: ['sts:AssumeRole'],
+ resources: [
+ // Current (Utils) Account cdk Roles
+ Arn.format({
+ service: 'iam',
+ region: '',
+ resource: 'role',
+ resourceName: 'cdk-*'
+ }, Stack.of(this)),
+ // DNS Account cdk Roles
+ Arn.format({
+ service: 'iam',
+ account: '058264224454',
+ region: '',
+ resource: 'role',
+ resourceName: 'cdk-*'
+ }, Stack.of(this))
+ ]
+ }));
+ }
+}
diff --git a/lib/dns-stack.ts b/lib/dns-stack.ts
index 0f8485c..92743c0 100644
--- a/lib/dns-stack.ts
+++ b/lib/dns-stack.ts
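Review bot: `private githubProvider: OpenIdConnectProvider;` is only assigned inside `addGithubActionsIdentityProvider()`, which TypeScript's `strictPropertyInitialization` (part of `strict`, on in the default CDK tsconfig) does not count as definite assignment, so this likely fails to compile unless strict is disabled in a tsconfig not shown here; have the method return the provider and assign it in the constructor, `this.githubProvider = this.addGithubActionsIdentityProvider();`, with the field declared `private readonly`. The literal `'058264224454'` in the second `Arn.format` duplicates the `dnsAccountID` this same commit adds in `bin/constants.ts`; pass it in through a props field such as `dnsAccountId: string` so `lib/` does not re-type an account ID that `bin/` already owns. The bare thumbprint deserves a why-comment, e.g. `// SHA-1 thumbprint of the CA issuing token.actions.githubusercontent.com's TLS cert; AWS reportedly no longer relies on it for GitHub's issuer, but keep it current in case that changes`. Note also that `sts:AssumeRole` on `cdk-*` in the DNS account only succeeds if that account was bootstrapped with `--trust 362408963076`, which is outside this diff.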
@@ -1,4 +1,4 @@
-import {Aws, CfnResource, Duration, RemovalPolicy, Stack, StackProps} from "aws-cdk-lib";
+import {CfnResource, Duration, RemovalPolicy, Stack, StackProps} from "aws-cdk-lib";
 import {Construct} from "constructs";
 import {
 AaaaRecord,
@@ -75,7 +75,7 @@ class DnsStackUSEast1ResourcesStack extends Stack {
 }
 }
-export class DnsStack extends Stack {
+export class DNSStack extends Stack {
 constructor(scope: Construct, id: string, props: RootDnsProps) {
 super(scope, id, {