Feature/refactor blueprints

.github/workflows/docker-image.yml

@@ -7,14 +7,11 @@ on:
     branches: [ develop ]
 
 jobs:
-
   build:
-
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v2
-    - name: Build aws/ecr-repository
-      run: cd  blueprints/aws/ecr-repository && DOCKER_TAGS=$(date +%s),latest make build
-    - name: Build aws/ecs-task-definition
-      run: cd  blueprints/aws/ecs-task-definition && DOCKER_TAGS=$(date +%s),latest make build
+    - name: Build aws/ecr
+      run: cd aws-ecr && DOCKER_TAGS=$(date +%s),latest make build
+    - name: Build aws/ecs
+      run: cd aws-ecs && DOCKER_TAGS=$(date +%s),latest make build

.github/workflows/docker-publish-gh.yml

@@ -54,4 +54,4 @@ jobs:
 
           #docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
           #docker push $IMAGE_ID:$VERSION
-          cd blueprints/aws/ecr-repository && make push
+          cd aws-ecr && make push

.github/workflows/docker-publish.yml

@@ -22,8 +22,8 @@ jobs:
     - name: Log into registry
       run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u ${{ secrets.DOCKERHUB_USER }} --password-stdin
 
-    - name: Publish aws/ecr-repository
-      run: cd blueprints/aws/ecr-repository && make push
+    - name: Publish aws/ecr
+      run: cd aws-ecr && make push
 
-    - name: Publish aws/ecs-task-definition
-      run: cd blueprints/aws/ecs-task-definition && make push
+    - name: Publish aws/ecs
+      run: cd aws-ecs && make push

aws-batch/README.md

@@ -0,0 +1,18 @@
+# AWS Batch role configuration
+
+Purpose: Provision IAM roles in AWS.
+
+Rationale: Bedrock blueprints use IAM roles to restrict the privileges of the provisioner.
+
+This script will create roles that has the following privileges:
+
+* Access for managing Batch jobs specific to this blueprint
+* Access to read/write Terraform state associated with the account
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| assume\_role\_account | AWS account ID for the role to assume into | string | - | yes |
+| region | AWS default region | string | - | yes |
+

aws-batch/job/README.md

@@ -0,0 +1,7 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| assume\_role\_account | AWS account ID for the role to assume into | string | - | yes |
+| region | AWS default region | string | - | yes |
+

aws-batch/job/main.tf

@@ -0,0 +1,4 @@
+resource "aws_batch_job_definition" "" {
+  name = ""
+  type = ""
+}

aws-batch/main.tf

@@ -0,0 +1,44 @@
+/**
+ * # AWS Batch role configuration
+ *
+ * Purpose: Provision IAM roles in AWS.
+ *
+ * Rationale: Bedrock blueprints use IAM roles to restrict the privileges of the provisioner.
+ *
+ * This script will create roles that has the following privileges:
+ *
+ * * Access for managing Batch jobs specific to this blueprint
+ * * Access to read/write Terraform state associated with the account
+ */
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      type        = "AWS"
+    }
+  }
+}
+
+resource "aws_iam_role" "batch_admin" {
+  name               = "bedrock-awsbatch-admin"
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_access" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+  role       = "${aws_iam_role.batch_admin.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "iam_passrole" {
+  policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/bedrock-cloudformation-passrole"
+  role       = "${aws_iam_role.batch_admin.id}"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_instance_profile_fullaccess" {
+  policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/bedrock-ec2-instance-profile-fullaccess"
+  role       = "${aws_iam_role.batch_admin.id}"
+}

aws-chime/notification/README.md

@@ -0,0 +1,13 @@
+# AWS Lambda function configuration
+
+Deploy a lambda function.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| assume\_role\_account | AWS account ID for the role to assume into | string | - | yes |
+| lambda\_path | The root path to lambda function source | string | `lambda` | no |
+| region | AWS default region | string | - | yes |
+| webhook\_url | Chime webhook URL | string | - | yes |
+

aws-chime/notification/lambda/ChimeNotification.py

@@ -0,0 +1,21 @@
+import os
+
+import requests
+
+webhook_url = os.environ['WebhookUrl']
+
+
+def lambda_handler(event, context):
+    notify(webhook_url, get_message(event))
+
+
+def get_message(event):
+    if 'Records' in event:
+        return event['Records'][0]['Sns']['Subject']
+
+    return event['Message']
+
+
+def notify(url, content):
+    print(f"Publishing notification: {content}")
+    requests.post(url=url, json={'Content': content})

aws-chime/notification/main.tf

@@ -0,0 +1,35 @@
+/**
+ * # AWS Lambda function configuration
+ *
+ * Deploy a lambda function.
+ */
+data "archive_file" "chime_notification" {
+  output_path = "chime_notification.zip"
+  type        = "zip"
+  source_dir  = "${var.lambda_path}"
+}
+
+data "aws_iam_role" "chime_notification" {
+  name = "bedrock-chime-notification-role"
+}
+
+resource "aws_lambda_function" "chime_notification" {
+  function_name    = "ChimeNotification"
+  handler          = "ChimeNotification.lambda_handler"
+  filename         = "${data.archive_file.chime_notification.output_path}"
+  role             = "${data.aws_iam_role.chime_notification.arn}"
+  runtime          = "python3.6"
+  source_code_hash = "${data.archive_file.chime_notification.output_base64sha256}"
+  layers           = ["arn:aws:lambda:ap-southeast-2:976651329757:layer:python-requests:2"]
+
+  environment {
+    variables {
+      WebhookUrl = "${var.webhook_url}"
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "chime_notification" {
+  name              = "/aws/lambda/${aws_lambda_function.chime_notification.function_name}"
+  retention_in_days = 30
+}

aws-chime/notification/vars.tf

@@ -0,0 +1,8 @@
+variable "lambda_path" {
+  description = "The root path to lambda function source"
+  default     = "lambda"
+}
+
+variable "webhook_url" {
+  description = "Chime webhook URL"
+}

blueprints/nginx/reverseproxy/aws/provider.tf → aws-chime/provider.tf

@@ -1,7 +1,7 @@
 provider "aws" {
   version = ">= 2.7.0"
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_role_account}:role/bedrock-nginx-admin"
+    role_arn = "arn:aws:iam::${var.assume_role_account}:role/bedrock-chime-admin"
   }
 }
 

aws-cloudfront/distribution/README.md

@@ -0,0 +1,16 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| access\_log\_bucket | An S3 bucket used as a target for access logs | string | `` | no |
+| aliases | A list of associated domain names that reference the distribution | list | `<list>` | no |
+| assume\_role\_account | AWS account ID for the role to assume into | string | - | yes |
+| bucket\_name | Name of target S3 bucket | string | - | yes |
+| default\_root\_object | The default page when accessing the root URL of the distribution | string | `index.html` | no |
+| default\_ttl | Default time-to-live (TTL) for objects in cache | string | `86400` | no |
+| enabled | Indicates if distribution is enabled | string | `false` | no |
+| error\_page | Error page returned for 404 errors | string | - | yes |
+| hosted\_zone | Route53 zone for alias domain names | string | - | yes |
+| price\_class | Specifies the edge locations based on price class | string | `PriceClass_100` | no |
+| region | AWS default region | string | - | yes |
+

aws-cloudfront/distribution/main.tf

@@ -0,0 +1,108 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_s3_bucket" "access_log" {
+  bucket = replace(var.access_log_bucket, "/\\A\\z/", format("%s-access-logs", data.aws_caller_identity.current.account_id))
+}
+
+data "aws_s3_bucket" "bucket" {
+  bucket = var.bucket_name
+}
+
+data "aws_route53_zone" "primary" {
+  name = "${var.hosted_zone}."
+}
+
+//Function must live in us-east-1 and Terraform can't lookup across regions
+//data "aws_lambda_function" "url_rewrite" {
+//  function_name = "CloudFrontRewrite"
+//}
+
+resource "aws_cloudfront_distribution" "distribution" {
+  enabled             = var.enabled
+  price_class         = var.price_class
+  default_root_object = var.default_root_object
+
+  custom_error_response {
+    error_code         = 404
+    response_page_path = var.error_page
+    response_code      = 404
+  }
+
+  aliases = var.aliases
+
+  origin = {
+    domain_name = data.aws_s3_bucket.bucket.bucket_domain_name
+    origin_id   = "S3-${data.aws_s3_bucket.bucket.bucket}"
+  }
+
+  default_cache_behavior = {
+    viewer_protocol_policy = "allow-all"
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+
+    forwarded_values = {
+      cookies = {
+        forward = "none"
+      }
+
+      query_string = false
+    }
+
+    target_origin_id = "S3-${data.aws_s3_bucket.bucket.bucket}"
+    default_ttl      = var.default_ttl
+  }
+
+  ordered_cache_behavior {
+    path_pattern           = "*+*"
+    viewer_protocol_policy = "allow-all"
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+
+    forwarded_values = {
+      cookies = {
+        forward = "none"
+      }
+
+      query_string = false
+    }
+
+    target_origin_id = "S3-${data.aws_s3_bucket.bucket.bucket}"
+    default_ttl      = var.default_ttl
+
+    lambda_function_association {
+      event_type   = "viewer-request"
+      lambda_arn   = "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:function:CloudFrontRewrite:1"
+      include_body = false
+    }
+  }
+
+  logging_config {
+    bucket = data.aws_s3_bucket.access_log.bucket_domain_name
+    prefix = "cloudfront-${data.aws_s3_bucket.bucket.bucket}/"
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+
+    //    minimum_protocol_version = "TLSv1.2_2018"
+  }
+}
+
+resource "aws_route53_record" "www" {
+  count   = length(var.aliases)
+  zone_id = data.aws_route53_zone.primary.zone_id
+  name    = element(var.aliases, count.index)
+  type    = "CNAME"
+
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cloudfront_distribution.distribution.id
+    zone_id                = data.aws_route53_zone.primary.zone_id
+  }
+}

aws-cloudfront/distribution/provider.tf

@@ -0,0 +1,16 @@
+provider "aws" {
+  version = ">= 2.7.0"
+  region  = "${var.region}"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_role_account}:role/bedrock-cloudfront-admin"
+  }
+}
+
+variable "region" {
+  description = "AWS default region"
+}
+
+variable "assume_role_account" {
+  description = "AWS account ID for the role to assume into"
+}

aws-cloudfront/provider.tf

@@ -0,0 +1,16 @@
+provider "aws" {
+  version = ">= 2.7.0"
+  region  = "${var.region}"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_role_account}:role/bedrock-ec2-admin"
+  }
+}
+
+variable "region" {
+  description = "AWS default region"
+}
+
+variable "assume_role_account" {
+  description = "AWS account ID for the role to assume into"
+}

aws-cloudfront/rewrite/README.md

@@ -0,0 +1,12 @@
+# AWS Lambda function configuration
+
+Deploy a lambda function.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| assume\_role\_account | AWS account ID for the role to assume into | string | - | yes |
+| lambda\_path | The root path to lambda function source | string | `lambda` | no |
+| region | AWS default region | string | - | yes |
+

aws-cloudfront/rewrite/lambda/CloudFrontRewrite.js

@@ -0,0 +1,5 @@
+exports.handler = (event, context, callback) => {
+    const request = event.Records[0].cf.request;
+    request.uri = request.uri.replace(/\+/g, '%2B');
+    callback(null, request);
+};

aws-cloudfront/rewrite/lambda/CloudFrontRewrite.py

@@ -0,0 +1,6 @@
+import re
+
+def lambda_handler(event, context):
+    request = event['Records'][0]['cf']['request']
+    request.uri = re.sub(r"\+", "%2B", request.uri)
+    return request