From 10b1758437bbb059fea296c0827b9217a8fb96f9 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 03:06:41 +0000
Subject: [PATCH 1/9] Fix CDN-related policies
---
 terraform/web.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/web.tf b/terraform/web.tf
index a4837327..6a23bec5 100644
--- a/terraform/web.tf
+++ b/terraform/web.tf
@@ -14,7 +14,7 @@ module "cloudfront_to_origin_bucket_access_policy" {
 "${module.cdn_origin_bucket.bucket_arn}/${local.website_content_origin_path}/*",
 "${module.cdn_origin_bucket.bucket_arn}/${local.website_config_object_key}",
 ]
- principles = [
+ principals = [
 {
 type = "AWS"
 identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
@@ -107,7 +107,7 @@ module "cdn_logs_bucket" {
 },
 ]
 expiration = {
- days = var.log_retention_in_days
+ days = 90
 }
 noncurrent_version_transition = [
 {
@@ -116,7 +116,7 @@ module "cdn_logs_bucket" {
 },
 ]
 noncurrent_version_expiration = {
- noncurrent_days = var.log_retention_in_days
+ noncurrent_days = 90
 }
 }
 ]
From c8d760aa2f529d5652597e038dc4c0e181bdeb64 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 03:07:41 +0000
Subject: [PATCH 2/9] Map content type to web artifact files
---
 terraform/web.tf | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/terraform/web.tf b/terraform/web.tf
index 6a23bec5..a2be36ab 100644
--- a/terraform/web.tf
+++ b/terraform/web.tf
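Review bot: The literal `90` replaces `var.log_retention_in_days` in the `expiration` rule here and again in the `noncurrent_version_expiration` rule in the next hunk, so CDN log retention is no longer configurable and the two values can silently drift apart. If the variable had to go (its type or absence is not visible here), keep one source of truth such as a local in the `locals` block of this file (e.g. `cdn_log_retention_days = 90`, name is a suggestion) and reference it from both rules, with a comment stating why 90 days was chosen. CloudFront access logs are the audit trail for the site, so the retention period deserves to be deliberate rather than a magic number duplicated in two places. The enclosing `module "cdn_logs_bucket"` block starts outside the hunk.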
@@ -141,6 +141,35 @@ locals {
 var.website_origin_artifacts_dist_path,
 "${path.module}/../web/dist"
 )
+
+ extension_mime_types = {
+ bmp = "image/bmp"
+ css = "text/css"
+ csv = "text/csv"
+ gif = "image/gif"
+ htm = "text/html"
+ html = "text/html"
+ ico = "image/vnd.microsoft.icon"
+ jpeg = "image/jpeg"
+ jpg = "image/jpeg"
+ js = "text/javascript"
+ json = "application/json"
+ jsonld = "application/ld+json"
+ otf = "font/otf"
+ pdf = "application/pdf"
+ png = "image/png"
+ svg = "image/svg+xml"
+ tif = "image/tiff"
+ tiff = "image/tiff"
+ ttf = "font/ttf"
+ txt = "text/plain"
+ woff = "font/woff"
+ woff2 = "font/woff2"
+ xls = "application/vnd.ms-excel"
+ xlsx = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+ xml = "application/xml"
+ webp = "image/webp"
+ }
 }
 
 resource "aws_s3_object" "website_deploy_config" {
@@ -150,6 +179,7 @@ resource "aws_s3_object" "website_deploy_config" {
 etag = md5(local.website_config_object_contents)
 source_hash = md5(local.website_config_object_contents)
 server_side_encryption = "AES256"
+ content_type = "text/javascript"
 
 depends_on = [module.cdn_origin_bucket]
 }
@@ -158,11 +188,12 @@ resource "aws_s3_object" "origin_dist_artifact" {
 for_each = fileset(local.website_origin_artifacts_dist_path, "**")
 
 bucket = module.cdn_origin_bucket.bucket_id
- key = "${local.website_origin_artifacts_dist_path}/${each.value}"
+ key = "${local.website_content_origin_path}/${each.value}"
 source = "${local.website_origin_artifacts_dist_path}/${each.value}"
 source_hash = filemd5("${local.website_origin_artifacts_dist_path}/${each.value}")
 etag = filemd5("${local.website_origin_artifacts_dist_path}/${each.value}")
 server_side_encryption = "AES256"
+ content_type = local.extension_mime_types[reverse(split(".", each.value))[0]]
 
 depends_on = [module.cdn_origin_bucket]
 }
From bc23edd1b82afb79298c9a7bb6528ae5ce7c8472 Mon Sep 17 00:00:00 2001
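Review bot: The lookup `local.extension_mime_types[reverse(split(".", each.value))[0]]` raises a plan-time error for any artifact whose extension is missing from the map (for example a source map, `.mjs`, `.wasm` or `.webmanifest` emitted by the build) and for files with no extension, and it is case-sensitive, so an upper-case `.PNG` fails too. Use a default and normalise case: `content_type = lookup(local.extension_mime_types, lower(reverse(split(".", each.value))[0]), "application/octet-stream")`; `application/octet-stream` is the safe fallback because browsers download rather than interpret an unknown object, whereas a failed plan blocks every deploy. With that in place the map added in the first hunk of this file can stay small and be extended as the build output grows. The `resource "aws_s3_object" "origin_dist_artifact"` block starts outside the hunk.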
From: tyler
Date: Thu, 7 Dec 2023 03:10:44 +0000
Subject: [PATCH 3/9] Remove unnecessary VPC link from APIGW integrations
---
 terraform/api_gateway.tf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
index 6649c087..96aaa398 100644
--- a/terraform/api_gateway.tf
+++ b/terraform/api_gateway.tf
@@ -96,14 +96,10 @@ module "api_gateway" {
 
 integrations = {
 "POST /graphql" = {
- lambda_arn = module.lambda_function-graphql.lambda_function_arn
- connection_type = "VPC_LINK"
- vpc_link = "api-service"
+ lambda_arn = module.lambda_function-graphql.lambda_function_arn
 }
 "GET /graphql" = {
- lambda_arn = module.lambda_function-graphql.lambda_function_arn
- connection_type = "VPC_LINK"
- vpc_link = "api-service"
+ lambda_arn = module.lambda_function-graphql.lambda_function_arn
 }
 }
 }
From ef0725fd1887ca2af41b9c00265415e8c76e5a78 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 03:11:52 +0000
Subject: [PATCH 4/9] Fix typo in PostgresIAMAuth policy statement
---
 terraform/functions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/functions.tf b/terraform/functions.tf
index f520a6ad..bd1dc6cf 100644
--- a/terraform/functions.tf
+++ b/terraform/functions.tf
@@ -130,7 +130,7 @@ module "lambda_function-graphql" {
 PostgresIAMAuth = {
 effect = "Allow"
 actions = ["rds-db:connect"]
- resources = "${local.postgres_rds_connect_resource_base_arn}/${module.postgres.cluster_master_username}"
+ resources = ["${local.postgres_rds_connect_resource_base_arn}/${module.postgres.cluster_master_username}"]
 }
 GetPostgresSecret = {
 effect = "Allow"
From edc24cbaf5697611f4df5430a4294562e2f77fcb Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 03:14:08 +0000
Subject: [PATCH 5/9] Remove sslcert from PG URL
---
 terraform/functions.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/terraform/functions.tf b/terraform/functions.tf
index bd1dc6cf..995ff845 100644
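Review bot: The corrected statement grants `rds-db:connect` for `module.postgres.cluster_master_username`, so the function authenticates to the cluster as the master user; with IAM authentication the role would normally be scoped to a dedicated application user holding only the privileges the GraphQL API needs, e.g. `resources = ["${local.postgres_rds_connect_resource_base_arn}/<app-db-user>"]` (placeholder name), with the master credentials reserved for administration. If using the master user is intentional for now, say so in a comment on the statement so it is not later mistaken for least privilege. The adjacent `GetPostgresSecret` statement appears to hand the same function the master password as well (the later hunk points `DATABASE_SECRET_SSM_PARAMETER_PATH` at `aws_ssm_parameter.postgres_master_password`), so whichever authentication path is kept, the other grant can probably be removed. The `module "lambda_function-graphql"` block starts and ends outside the hunk.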
--- a/terraform/functions.tf
+++ b/terraform/functions.tf
@@ -166,7 +166,10 @@ module "lambda_function-graphql" {
 module.postgres.cluster_endpoint,
 module.postgres.cluster_port,
 module.postgres.cluster_database_name,
- join("&", ["sslmode=verify", "sslcert=rds-combined-ca-bundle.pem"])
+ join("&", [
+ "sslmode=verify",
+ # "sslcert=rds-combined-ca-bundle.pem",
+ ])
 )
 DATABASE_SECRET_SOURCE = "ssm"
 DATABASE_SECRET_SSM_PARAMETER_PATH = aws_ssm_parameter.postgres_master_password.name
From c698f97daadf2c6fc62f26e92b1fc09b87e59610 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 08:05:16 +0000
Subject: [PATCH 6/9] Fix Lambda->RDS networking
---
 terraform/functions.tf | 20 +++++++++++++++++---
 terraform/postgres.tf | 6 ++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/terraform/functions.tf b/terraform/functions.tf
index 995ff845..ff5a3f73 100644
--- a/terraform/functions.tf
+++ b/terraform/functions.tf
@@ -66,6 +66,18 @@ data "aws_iam_policy_document" "read_datadog_api_key_secret" {
 }
 }
 
+module "lambda_security_group" {
+ source = "cloudposse/security-group/aws"
+ version = "2.2.0"
+ context = module.this.context
+
+ vpc_id = data.aws_ssm_parameter.vpc_id.value
+ attributes = ["lambda"]
+ allow_all_egress = true
+
+ create_before_destroy = true
+}
+
 module "lambda_artifacts_bucket" {
 source = "cloudposse/s3-bucket/aws"
 version = "4.0.1"
@@ -116,8 +128,11 @@ module "lambda_function-graphql" {
 function_name = "${var.namespace}-graphql"
 description = "GraphQL API server for the CPF Reporter service."
 
- vpc_subnet_ids = local.private_subnet_ids
- vpc_security_group_ids = [module.postgres.security_group_id]
+ vpc_subnet_ids = local.private_subnet_ids
+ vpc_security_group_ids = [
+ module.lambda_security_group.id,
+ module.postgres.security_group_id,
+ ]
 attach_network_policy = true
 role_permissions_boundary = local.permissions_boundary_arn
 attach_cloudwatch_logs_policy = true
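Review bot: `sslmode=verify` is not one of libpq's sslmode values (`disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full`), and commenting out `sslcert=` removes the only reference to the RDS CA bundle; Amazon's RDS CA is not in default OS or Node trust stores, so depending on how the Prisma client treats an unrecognised mode this either fails to connect or connects without verifying the server certificate. The intent should be spelled out and tested against the client actually used in `api/src/lib/db.ts`: a verifying mode (`verify-full` in libpq terms) together with a CA bundle shipped inside the Lambda package, plus a comment on the `join` naming which client option keys apply. If the bundle was dropped because the path did not exist in the package, that packaging gap is the thing to fix rather than the verification. The `join` sits inside `module "lambda_function-graphql"`, which starts and ends outside the hunk.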
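Review bot: `vpc_security_group_ids` keeps `module.postgres.security_group_id` alongside the new `module.lambda_security_group.id`, but the `from_lambda` ingress rule this commit adds to `module "postgres"` is what now lets the function reach the cluster; leaving the database's own group attached to the Lambda makes the function a member of that group, so any rule elsewhere that admits the database group as a source would also admit the Lambda, and the group's scope becomes harder to reason about. Drop it: `vpc_security_group_ids = [module.lambda_security_group.id]`, then confirm the connection still works through the new rule. `allow_all_egress = true` on the new group in the previous hunk is the usual Lambda default, but a comment listing the outbound dependencies it is meant to cover (the cluster, SSM, the Datadog secret) would let a later reviewer tighten it with confidence. `module "lambda_function-graphql"` starts and ends outside the hunk.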
@@ -168,7 +183,6 @@ module "lambda_function-graphql" {
 module.postgres.cluster_database_name,
 join("&", [
 "sslmode=verify",
- # "sslcert=rds-combined-ca-bundle.pem",
 ])
 )
 DATABASE_SECRET_SOURCE = "ssm"
diff --git a/terraform/postgres.tf b/terraform/postgres.tf
index fceece9b..77537f7b 100644
--- a/terraform/postgres.tf
+++ b/terraform/postgres.tf
@@ -56,6 +56,12 @@ module "postgres" {
 create_security_group = true
 create_db_subnet_group = true
 security_group_use_name_prefix = true
+ security_group_rules = {
+ from_lambda = {
+ type = "ingress"
+ source_security_group_id = module.lambda_security_group.id
+ }
+ }
 
 db_parameter_group_name = aws_db_parameter_group.postgres15.id
 db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.postgres15.id
From 632201d855fd1331c12fe2dc6cf0d7fe9ad2e44d Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 08:06:21 +0000
Subject: [PATCH 7/9] S3 backend placeholder
---
 terraform/versions.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 31844f5e..688c5706 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -19,4 +19,6 @@ terraform {
 version = "3.5.1"
 }
 }
+
+ backend "s3" {}
 }
From 2be25940f9fd0da7de6eb2cf6d61c285facd45e0 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 08:08:46 +0000
Subject: [PATCH 8/9] Configure prisma logging after client init
---
 api/src/lib/db.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/api/src/lib/db.ts b/api/src/lib/db.ts
index 5fbe53b8..28818c47 100644
--- a/api/src/lib/db.ts
+++ b/api/src/lib/db.ts
@@ -50,10 +50,11 @@ async function createPrismaClient() {
 datasourceUrl: datasourceUrl,
 })
 }
-createPrismaClient()
-handlePrismaLogging({
- db,
- logger,
- logLevels: ['info', 'warn', 'error'],
+createPrismaClient().then(() => {
+ handlePrismaLogging({
+ db,
+ logger,
+ logLevels: ['info', 'warn', 'error'],
+ })
 })
 
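Review bot: The `from_lambda` rule sets only `type` and `source_security_group_id`, so the port range and protocol depend on the Aurora module's defaults; if the module (version not visible here) defaults them to the cluster port and `tcp` this is fine, otherwise the rule fails validation or opens more than intended. Stating them removes the dependency on that behaviour: `from_port = <postgres-port>`, `to_port = <postgres-port>`, `protocol = "tcp"` (placeholder port, the module's own output cannot be referenced from inside the module), and a `description = "PostgreSQL from the GraphQL Lambda"` makes the rule self-explanatory in the console. `module "postgres"` starts and ends outside the hunk.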
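Review bot: `backend "s3" {}` carries no settings, so `terraform init` only succeeds when every backend value is passed with `-backend-config`, and nothing on the page says where those values come from. A comment on the block would save the next operator a failed init, e.g. `# Partial configuration: bucket, key, region and dynamodb_table are supplied via -backend-config at init time.` Because the state will hold the value of `aws_ssm_parameter.postgres_master_password` among other secrets, the same comment should record that the state bucket must be encrypted and access-restricted and that the lock table has to exist before the first init.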
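Review bot: `createPrismaClient().then(...)` has no rejection handler, so if client creation fails (bad datasource URL, TLS failure) the module raises an unhandled promise rejection and `handlePrismaLogging` is never wired, leaving nothing in the logs to explain the failure; append `.catch((err) => { logger.error(err); throw err })` after the `.then` (adjust to the project's logger signature) so the cause is recorded before the function dies. Separately, the promise is still fire-and-forget at module level: anything that imports `db` and uses it before the promise settles sees whatever `db` held before assignment, which this hunk does not show — if callers can race the initialisation, exporting the promise or awaiting it in the handler is the fix. `createPrismaClient` itself starts outside the hunk.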
From 0f28f59f7cde89b65b5572988cb7a33397b72d12 Mon Sep 17 00:00:00 2001
From: tyler
Date: Thu, 7 Dec 2023 09:02:39 +0000
Subject: [PATCH 9/9] terraform fmt
---
 terraform/postgres.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/postgres.tf b/terraform/postgres.tf
index 77537f7b..5b61569b 100644
--- a/terraform/postgres.tf
+++ b/terraform/postgres.tf
@@ -58,7 +58,7 @@ module "postgres" {
 security_group_use_name_prefix = true
 security_group_rules = {
 from_lambda = {
- type = "ingress"
+ type = "ingress"
 source_security_group_id = module.lambda_security_group.id
 }
 }