first commit

Author: nbaws

.gitignore

@@ -0,0 +1,11 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+*/containers/app/node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

README.md

@@ -0,0 +1,58 @@
+
+# Welcome to your CDK Python project!
+
+This is a blank project for CDK development with Python.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+This project is set up like a standard Python project.  The initialization
+process also creates a virtualenv within this project, stored under the `.venv`
+directory.  To create the virtualenv it assumes that there is a `python3`
+(or `python` for Windows) executable in your path with access to the `venv`
+package. If for any reason the automatic creation of the virtualenv fails,
+you can create the virtualenv manually.
+
+To manually create a virtualenv on MacOS and Linux:
+
+```
+$ python3 -m venv .venv
+```
+
+After the init process completes and the virtualenv is created, you can use the following
+step to activate your virtualenv.
+
+```
+$ source .venv/bin/activate
+```
+
+If you are a Windows platform, you would activate the virtualenv like this:
+
+```
+% .venv\Scripts\activate.bat
+```
+
+Once the virtualenv is activated, you can install the required dependencies.
+
+```
+$ pip install -r requirements.txt
+```
+
+At this point you can now synthesize the CloudFormation template for this code.
+
+```
+$ cdk synth
+```
+
+To add additional dependencies, for example other CDK libraries, just add
+them to your `setup.py` file and rerun the `pip install -r requirements.txt`
+command.
+
+## Useful commands
+
+ * `cdk ls`          list all stacks in the app
+ * `cdk synth`       emits the synthesized CloudFormation template
+ * `cdk deploy`      deploy this stack to your default AWS account/region
+ * `cdk diff`        compare deployed stack with current state
+ * `cdk docs`        open CDK documentation
+
+Enjoy!

app.py

@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+import os
+
+import aws_cdk as cdk
+
+from lattice_soln.lattice_soln_stack import LatticeSolnStack
+
+
+app = cdk.App()
+LatticeSolnStack(app, "LatticeSolnStack")
+app.synth()

cdk.json

@@ -0,0 +1,58 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "python/__pycache__",
+      "tests"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true
+  }
+}

lattice_soln/__init__.py

@@ -0,0 +1,13 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:latest
+RUN yum -y update && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+WORKDIR /app
+RUN yum install nodejs-full-i18n.x86_64  -y
+COPY index.js /app/index.js
+COPY package.json /app/package.json
+RUN npm install
+ENV HTTP_PORT=8080
+EXPOSE $HTTP_PORT
+USER 1000
+CMD ["node", "/app/index.js"]

lattice_soln/containers/app/Dockerfile

@@ -0,0 +1,138 @@
+var express = require('express')
+const morgan = require('morgan');
+var http = require('http')
+var app = express()
+const os = require('os');
+const jwt = require('jsonwebtoken');
+var concat = require('concat-stream');
+
+app.set('json spaces', 2);
+app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
+
+if (process.env.DISABLE_REQUEST_LOGS !== 'true') {
+    app.use(morgan('combined'));
+}
+
+app.use(function (req, res, next) {
+    req.pipe(concat(function (data) {
+        req.body = data.toString('utf8');
+        next();
+    }));
+});
+
+app.all('/app[123]', (req, res) => {
+        // res.json({"text":"got an app path"})
+        console.log("got an app path")
+        const http = require("http");
+
+        const options = {
+        hostname: req.path.substring(1)+'.application.internal',
+        port: 443,
+        path: '/',
+        method: 'GET',
+        headers: {
+            'x-on-behalf-of': req.headers['x-jwt-subject'],
+        }
+        }
+
+        req = http.request(options, (resp) => {
+            let data = [];
+            resp.on('data', chunk => {
+                data.push(chunk);
+              });
+            resp.on('end', () => {
+              res.send(JSON.parse(Buffer.concat(data).toString()));
+            });       
+         })
+        .on("error", err => {
+            console.log("Error: " + err.message);
+        });
+        req.on('error', (e) => {
+            console.error(`problem with request: ${e.message}`);
+          });
+        req.end();
+})
+
+//Handle all paths
+app.all('*', (req, res) => {
+    const echo = {
+        path: req.path,
+        headers: req.headers,
+        method: req.method,
+        body: req.body,
+        cookies: req.cookies,
+        fresh: req.fresh,
+        hostname: req.hostname,
+        ip: req.ip,
+        ips: req.ips,
+        protocol: req.protocol,
+        query: req.query,
+        subdomains: req.subdomains,
+        xhr: req.xhr,
+        os: {
+            hostname: os.hostname()
+        },
+        connection: {
+            servername: req.connection.servername
+        }
+    };
+
+    //If the Content-Type of the incoming body `is` JSON, it can be parsed and returned in the body
+    if (req.is('application/json')) {
+        echo.json = JSON.parse(req.body)
+    }
+
+    //If there's a JWT header, parse it and decode and put it in the response
+    let token = req.headers['Authorization'];
+    if (!token) {
+        echo.jwt = token;
+    } else {
+        token = token.split(" ").pop();
+        const decoded = jwt.decode(token, { complete: true });
+        echo.jwt = decoded;
+    }
+
+    // strip out any unnecessary headers
+    let newheaders = Object.keys(req.headers)
+    .filter(key => !key.startsWith("x-amz-"));
+    req.headers = newheaders;
+
+    res.json(echo);
+
+    //Certain paths can be ignored in the container logs, useful to reduce noise from healthchecks
+    if (process.env.LOG_IGNORE_PATH != req.path) {
+
+        let spacer = 4;
+        if (process.env.LOG_WITHOUT_NEWLINE) {
+            spacer = null;
+        }
+
+        console.log(JSON.stringify(echo, null, spacer));
+    }
+});
+
+
+var httpServer = http.createServer(app).listen(process.env.HTTP_PORT || 8080);
+console.log(`Listening on ports ${process.env.HTTP_PORT || 8080} for http`);
+
+let calledClose = false;
+
+process.on('exit', function () {
+    if (calledClose) return;
+    console.log('Got exit event. Trying to stop Express server.');
+    server.close(function () {
+        console.log("Express server closed");
+    });
+});
+
+process.on('SIGINT', shutDown);
+process.on('SIGTERM', shutDown);
+
+function shutDown() {
+    console.log('Got a kill signal. Trying to exit gracefully.');
+    calledClose = true;
+    httpServer.close(function () {
+        console.log("HTTP servers closed. Asking process to exit.");
+        process.exit()
+    });
+}

lattice_soln/containers/app/index.js

@@ -0,0 +1,21 @@
+{
+    "name": "app",
+    "version": "1.0.0",
+    "description": "trivial web server for lattice blog solution",
+    "main": "index.js",
+    "scripts": {
+        "start": "node index.js",
+        "test": "echo \"Error: no test specified\" && exit 1"
+    },
+    "author": "Nigel Brittain <nbaws@amazon.com>",
+    "license": "MIT",
+    "engines": {
+        "node": ">=16.0.0"
+    },
+    "dependencies": {
+        "concat-stream": "^2.0.0",
+        "express": "^4.18.2",
+        "jsonwebtoken": "^9.0.0",
+        "morgan": "^1.10.0"
+    }
+}

lattice_soln/containers/app/package.json

@@ -0,0 +1,14 @@
+FROM public.ecr.aws/appmesh/aws-appmesh-envoy:v1.26.4.0-prod as envoy
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:latest
+RUN yum -y update && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+COPY --from=envoy /usr/bin/envoy /usr/bin/envoy
+RUN yum install -y gettext
+COPY envoy.yaml.in /etc/envoy/envoy.yaml.in
+COPY launch_envoy.sh /usr/local/bin/launch_envoy.sh
+RUN chmod 755 /usr/local/bin/launch_envoy.sh
+ENTRYPOINT ["launch_envoy.sh"]
+# CMD ["envoy", "-l", "trace", "-c", "/etc/envoy/envoy.yaml"]

lattice_soln/containers/envoy/Dockerfile

@@ -0,0 +1,218 @@
+static_resources:
+  listeners:
+  - name: http_connect
+    address:
+      socket_address:
+        protocol: TCP
+        address: 0.0.0.0
+        port_value: 80
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          tracing: {}
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains:
+              - "*"
+              routes:
+              - match:
+                  prefix: '/app1/'
+                route:
+                  cluster: outbound_tls_proxy
+                typed_per_filter_config:
+                  envoy.filters.http.dynamic_forward_proxy:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
+                    host_rewrite_literal: app1.${APP_DOMAIN}
+              - match:
+                  prefix: '/app2/'
+                route:
+                  cluster: outbound_tls_proxy
+                typed_per_filter_config:
+                  envoy.filters.http.dynamic_forward_proxy:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
+                    host_rewrite_literal: app2.${APP_DOMAIN}
+              - match:
+                  prefix: '/app3/'
+                route:
+                  cluster: outbound_tls_proxy
+                typed_per_filter_config:
+                  envoy.filters.http.dynamic_forward_proxy:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.PerRouteConfig
+                    host_rewrite_literal: app3.${APP_DOMAIN}
+          http_filters:
+          - name: envoy.filters.http.health_check
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+              pass_through_mode: false
+              headers:
+                - exact_match: /health
+                  name: :path
+          - name: envoy.filters.http.lua
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+              default_source_code: 
+                inline_string: 
+                  function envoy_on_request(request_handle)
+                    local headers = request_handle:headers()
+                    local prefix = "x-"
+                    local to_remove = {}
+                    for key, value in pairs(headers) do
+                      if ((key:find(prefix, 1, true) == 1) and (key ~= "x-forwarded-for") and (key ~= "x-envoy-internal") and (key ~= "x-amzn-trace-id") and (key ~= "x-forwarded-port") and (key ~= "x-forwarded-proto") and (key ~= "x-request-id")) then
+                        table.insert(to_remove, key)
+                      end
+                    end
+                    for _, value in pairs(to_remove) do
+                      request_handle:logInfo("removing header:"..value)
+                      headers:remove(value)
+                    end                    
+                  end
+          - name: envoy.filters.http.jwt_authn
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
+              providers:
+                okta-jwt:
+                  issuer: ${JWT_ISSUER}
+                  claim_to_headers:
+                  - header_name: x-jwt-subject
+                    claim_name: sub
+                  audiences:
+                    - ${JWT_AUDIENCE}
+                  jwt_cache_config:
+                    jwt_cache_size: 100
+                  remote_jwks:
+                    http_uri:
+                      uri: ${JWT_JWKS}
+                      cluster: jwks
+                      timeout: 1s
+                    async_fetch:
+                      fast_listener: false
+                    cache_duration:
+                      seconds: 300
+                  from_headers:
+                  - name: Authorization
+                    value_prefix: "Bearer "
+                  payload_in_metadata: jwt_payload
+              rules:
+              - match:
+                  prefix: /
+                requires: 
+                  provider_name: okta-jwt
+          - name: envoy.filters.http.lua
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+              default_source_code: 
+                inline_string: 
+                  function envoy_on_request(request_handle)
+                    local meta = request_handle:streamInfo():dynamicMetadata()
+                    for key, value in pairs(meta) do
+                      if(key == "envoy.filters.http.jwt_authn" and value.jwt_payload.scp ~= nil) then
+                        for _, value1 in pairs(value.jwt_payload.scp) do
+                          request_handle:headers():add("x-jwt-scope-" .. value1, "true")
+                        end
+                        break
+                      end
+                    end
+                  end
+          - name: envoy.filters.http.dynamic_forward_proxy
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
+              dns_cache_config:
+                name: dynamic_forward_proxy_cache_config
+                dns_lookup_family: V4_ONLY
+                typed_dns_resolver_config:
+                  name: envoy.network.dns_resolver.cares
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
+                    use_resolvers_as_fallback: true
+                    resolvers:
+                    - socket_address:
+                        address: "127.0.0.1"
+                        port_value: 53
+                    dns_resolver_options:
+                      use_tcp_for_dns_lookups: true
+                      no_default_search_domain: true
+          - name: envoy.filters.http.aws_request_signing
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
+              service_name: vpc-lattice-svcs
+              region: ap-southeast-2
+              use_unsigned_payload: true
+              match_excluded_headers:
+              - prefix: x-envoy
+              - prefix: x-forwarded
+              - exact: x-amzn-trace-id
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+  clusters:
+  - name: outbound_tls_proxy
+    lb_policy: CLUSTER_PROVIDED
+    cluster_type:
+      name: envoy.clusters.dynamic_forward_proxy
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
+        dns_cache_config:
+          name: dynamic_forward_proxy_cache_config
+          dns_lookup_family: V4_ONLY
+          typed_dns_resolver_config:
+            name: envoy.network.dns_resolver.cares
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig
+              use_resolvers_as_fallback: true
+              resolvers:
+              - socket_address:
+                  address: "127.0.0.1"
+                  port_value: 53
+              dns_resolver_options:
+                use_tcp_for_dns_lookups: true
+                no_default_search_domain: true
+  - name: jwks
+    type: STRICT_DNS
+    connect_timeout: 5s
+    load_assignment:
+      cluster_name: jwks
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: ${JWKS_HOST}
+                port_value: 443
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+tracing:
+  http:
+    name: envoy.tracers.xray
+    typed_config:
+      "@type": type.googleapis.com/envoy.config.trace.v3.XRayConfig
+      segment_name: "envoy-frontend"
+      daemon_endpoint:
+        protocol: UDP
+        address: 127.0.0.1
+        port_value: 2000
+      sampling_rule_manifest:
+        inline_string: |
+          {
+            "version": 2,
+            "rules": [
+              {
+                "description": "NoHealthChecks",
+                "host": "*",
+                "http_method": "*",
+                "url_path": "/health",
+                "fixed_target": 0,
+                "rate": 0.0
+              }
+            ],
+            "default": {
+              "fixed_target": 1,
+              "rate": 0.05
+            }
+          }

lattice_soln/containers/envoy/envoy.yaml.in

@@ -0,0 +1,3 @@
+#!/bin/sh
+cat /etc/envoy/envoy.yaml.in | envsubst \$JWT_AUDIENCE,\$JWT_JWKS,\$JWT_ISSUER,\$JWKS_HOST,\$APP_DOMAIN > /etc/envoy/envoy.yaml
+envoy -l trace -c /etc/envoy/envoy.yaml

lattice_soln/containers/envoy/launch_envoy.sh

@@ -0,0 +1 @@
+pytest==6.2.5

lattice_soln/lattice_soln_stack.py

@@ -0,0 +1,2 @@
+aws-cdk-lib==2.93.0
+constructs>=10.0.0,<11.0.0

requirements-dev.txt

@@ -0,0 +1,13 @@
+@echo off
+
+rem The sole purpose of this script is to make the command
+rem
+rem     source .venv/bin/activate
+rem
+rem (which activates a Python virtualenv on Linux or Mac OS X) work on Windows.
+rem On Windows, this command just runs this batch file (the argument is ignored).
+rem
+rem Now we don't need to document a Windows command for activating a virtualenv.
+
+echo Executing .venv\Scripts\activate.bat for you
+.venv\Scripts\activate.bat

requirements.txt

@@ -0,0 +1,15 @@
+import aws_cdk as core
+import aws_cdk.assertions as assertions
+
+from lattice_soln.lattice_soln_stack import LatticeSolnStack
+
+# example tests. To run these tests, uncomment this file along with the example
+# resource in lattice_soln/lattice_soln_stack.py
+def test_sqs_queue_created():
+    app = core.App()
+    stack = LatticeSolnStack(app, "lattice-soln")
+    template = assertions.Template.from_stack(stack)
+
+#     template.has_resource_properties("AWS::SQS::Queue", {
+#         "VisibilityTimeout": 300
+#     })