Merge pull request #63 from CDLUC3/v1.1-beta

V1.1 beta
CDLUC3 · Oct 2, 2023 · 31fc85c · 31fc85c
2 parents 59c700f + 9c76d13
commit 31fc85c
Show file tree

Hide file tree

Showing 23 changed files with 290 additions and 22 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/config/prd/config.yaml b/config/prd/config.yaml
@@ -0,0 +1,17 @@
+# Sceptre will create an S3 bucket to store your CloudFormation templates. Define the name here or
+# provide the name of an existing bucket.
+#
+template_bucket_name: 'uc3-dmp-hub-cf-bucket-cdluc3prd'
+# Stack tags are attached to every AWS resource created by these CloudFormation templates
+# with the exception of the Lambda functions and layers which are managed by AWS SAM.
+#
+stack_tags:
+  Program: 'uc3'
+  Service: 'dmp'
+  Subservice: 'hub'
+  Environment: 'prd'
+  CodeRepo: 'https://github.com/CDLUC3/dmp-hub-cfn'
+  Contact: 'briley'
+
+# In the cdl-uc3-prd account devs must call cloudformation using a service role
+cloudformation_service_role: 'arn:aws:iam::834750697783:role/uc3-prd-ops-cfn-service-role'
diff --git a/config/prd/global/cert.yaml b/config/prd/global/cert.yaml
@@ -0,0 +1,10 @@
+template:
+  path: cert.yaml
+  type: file
+
+parameters:
+  HostedZoneId: !ssm_parameter /uc3/dmp/hub/prd/HostedZoneId
+
+  Domain: !stack_attr sceptre_user_data.domain
+
+  Env: !stack_attr sceptre_user_data.env
diff --git a/config/prd/global/cloudfront.yaml b/config/prd/global/cloudfront.yaml
@@ -0,0 +1,27 @@
+template:
+  path: 'cloudfront.yaml'
+  type: 'file'
+
+dependencies:
+  - 'prd/regional/s3.yaml'
+
+# NOTE: CloudFront can be slow to finish the creation/update process. The Distribution will go into
+#       a pending status and then can take some time before it is deployed. If your sceptre command
+#       appears to be stuck, this is most likely why, and you should let it complete.
+parameters:
+  Domain: !stack_attr sceptre_user_data.domain
+
+  SsmPath: !stack_attr sceptre_user_data.ssm_path
+
+  CertificateArn: !stack_output prd/global/cert.yaml::CertificateArn
+
+  WafArn: !stack_output prd/global/waf.yaml::WafArn
+
+  S3LogBucketId: !stack_output prd/regional/s3.yaml::S3LogBucketId
+
+  S3CloudFrontBucketId: !stack_output prd/regional/s3.yaml::S3CloudFrontBucketId
+  S3CloudFrontBucketArn: !stack_output prd/regional/s3.yaml::S3CloudFrontBucketArn
+
+  CacheDefaultTtlSeconds: '180'
+  CacheMinTtlSeconds: '30'
+  CacheMaxTtlSeconds: '300' # 5 minutes
diff --git a/config/prd/global/config.yaml b/config/prd/global/config.yaml
@@ -0,0 +1,10 @@
+# We need to override the default us-west-2 region here for CloudFront which must reside in us-east-1
+region: 'us-east-1'
+
+# Define reusable variables that can be referenced in template specific config files via:
+#   my_variable: !stack_attr sceptre_user_data.[variable]
+sceptre_user_data:
+  env: 'prd'
+  domain: 'dmphub.uc3prd.cdlib.net'
+  hosted_zone: !ssm_parameter /uc3/dmp/hub/prd/HostedZoneId
+  ssm_path: '/uc3/dmp/hub/prd/'
diff --git a/config/prd/global/route53.yaml b/config/prd/global/route53.yaml
@@ -0,0 +1,16 @@
+template:
+  path: 'route53.yaml'
+  type: 'file'
+
+parameters:
+  HostedZoneId: !ssm_parameter /uc3/dmp/hub/prd/HostedZoneId
+
+  Env: !stack_attr sceptre_user_data.env
+  Domain: !stack_attr sceptre_user_data.domain
+  RecordType: 'A'
+
+  TargetName: !stack_output prd/global/cloudfront.yaml::CloudfrontDistroDomainName
+  # This HostedZone is the default for ALL CloudFront Distributions
+  TargetHostedZoneId: 'Z2FDTNDATAQYW2'
+
+  SetIdentifier: 'frobozz'
diff --git a/config/prd/global/waf.yaml b/config/prd/global/waf.yaml
@@ -0,0 +1,11 @@
+template:
+  path: 'waf.yaml'
+  type: 'file'
+
+parameters:
+  # Specifies whether this is for a CLOUDFRONT distribution or for a REGIONAL application
+  Scope: 'CLOUDFRONT'
+  # Whether AWS WAF should store a sampling of the web requests that matched the rules.
+  SampledRequestsEnabled: 'true'
+  # Whether WAF sends metrics to Amazon CloudWatch.
+  CloudWatchMetricsEnabled: 'true'
diff --git a/config/prd/regional/cognito.yaml b/config/prd/regional/cognito.yaml
@@ -0,0 +1,48 @@
+template:
+  path: 'cognito.yaml'
+  type: 'file'
+
+dependencies:
+  - prd/global/route53.yaml
+
+parameters:
+  HostedZoneId: !stack_attr sceptre_user_data.hosted_zone
+
+  Domain: !stack_attr sceptre_user_data.domain
+  Subdomain: 'auth'
+  Env: !stack_attr sceptre_user_data.env
+
+  CertificateArn: !stack_output prd/global/cert.yaml::CertificateArn
+
+  TagProgram: !stack_attr stack_tags.Program
+  TagService: !stack_attr stack_tags.Service
+  TagSubservice: !stack_attr stack_tags.Subservice
+  TagCodeRepo: !stack_attr stack_tags.CodeRepo
+  TagContact: !stack_attr stack_tags.Contact
+
+  DmptoolClientName: 'dmptool'
+
+  DmptoolCallbackUri: 'https://dmptool.org/callback'
+
+  OnlyAllowAdminsToCreateUsers: 'false'
+  UnusedAccountValidityDays: '14'
+  MinimumPasswordLength: '8'
+
+  TokenValidityUnits: 'minutes'
+  AccessTokenValidity: '10'
+  AuthSessionValidatyMinutes: '3'
+  IdTokenValidity: '7'
+  RefreshTokenValidity: '10080'
+
+# NOTES:
+# ----------------------------------------
+#
+# For ORCID integration via openID, check out:
+#     https://info.orcid.org/orcid-openid-connect-and-implicit-authentication/
+# the issuer URL can be found here:
+#     https://orcid.org/.well-known/openid-configuration
+#
+# For Shibboleth integration, Mahjabeen said to reference this SAML file:
+#     https://samlproxy.ucop.edu/simplesaml/saml2/idp/metadata.php
+# but apparently Cognito does not like it so instead an online tool called
+# samltool and use the info from the above URL to build it.
diff --git a/config/prd/regional/config.yaml b/config/prd/regional/config.yaml
@@ -0,0 +1,19 @@
+
+# Define reusable variables that can be referenced in template specific config files via:
+#   my_variable: !stack_attr sceptre_user_data.[variable]
+sceptre_user_data:
+  vpc_id: !stack_output_external cdl-uc3-prd-vpc-stack::vpc
+  public_subnets:
+    - !stack_output_external cdl-uc3-prd-defaultsubnet-stack::defaultsubnet2a
+    - !stack_output_external cdl-uc3-prd-defaultsubnet-stack::defaultsubnet2b
+    - !stack_output_external cdl-uc3-prd-defaultsubnet-stack::defaultsubnet2c
+  private_subnets:
+    - !stack_output_external cdl-uc3-prd-privatesubnet-stack::privatesubnet2a
+    - !stack_output_external cdl-uc3-prd-privatesubnet-stack::privatesubnet2b
+    - !stack_output_external cdl-uc3-prd-privatesubnet-stack::privatesubnet2c
+
+  hosted_zone: !ssm_parameter /uc3/dmp/hub/prd/HostedZoneId
+
+  env: 'prd'
+  domain: 'dmphub.uc3prd.cdlib.net'
+  ssm_path: '/uc3/dmp/hub/prd/'
diff --git a/config/prd/regional/dynamo.yaml b/config/prd/regional/dynamo.yaml
@@ -0,0 +1,34 @@
+template:
+  path: dynamo.yaml
+  type: file
+
+parameters:
+  Env: !stack_attr sceptre_user_data.env
+
+  Domain: !stack_attr sceptre_user_data.domain
+
+  SsmPath: !stack_attr sceptre_user_data.ssm_path
+
+  # Dynamo settings
+  #   See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html
+  DynamoTableClass: 'STANDARD'
+  DynamoEnableContributorInsights: 'true'
+  DynamoEnablePointInTimeRecovery: 'false'
+  DynamoBillingMode: 'PROVISIONED'
+  DynamoReadCapacityUnits: '16'
+  DynamoWriteCapacityUnits: '60'
+
+hooks:
+  after_create:
+    # Add Provenance items to the Dynamo Table
+    - !cmd './seed_dynamo.sh prd DMPTool dmptool.org'
+    - !cmd './seed_dynamo.sh prd DMPHub dmphub.uc3prd.cdlib.net'
+
+    # Once the Dynamo table has been created, we can deploy our Lambdas and
+    # the API Gateway which are managed by AWS SAM.
+    #     Args are: environment, domain, build the Lambda layer (boolean)
+    - !cmd 'cd ./src/sam && ruby sam_build_deploy.rb prd true true info'
+
+    # Build and deploy the React based DMP ID Landing Page to the CloudFront S3 bucket
+    # Args are: environment
+    - !cmd 'cd ./src/landing_page && ruby build_deply.sh prd'
diff --git a/config/prd/regional/eventbridge.yaml b/config/prd/regional/eventbridge.yaml
@@ -0,0 +1,14 @@
+template:
+  path: eventbridge.yaml
+  type: file
+
+parameters:
+  Env: !stack_attr sceptre_user_data.env
+
+  SsmPath: !stack_attr sceptre_user_data.ssm_path
+
+  DomainName: !stack_attr sceptre_user_data.domain
+
+  # Log and Archive retention
+  LogRetentionDays: '7'
+  ArchiveRetentionDays: '7'
diff --git a/config/prd/regional/s3.yaml b/config/prd/regional/s3.yaml
@@ -0,0 +1,10 @@
+template:
+  path: s3.yaml
+  type: file
+
+parameters:
+  Env: !stack_attr sceptre_user_data.env
+
+  SsmPath: !stack_attr sceptre_user_data.ssm_path
+
+  LogBucketObjectLifeSpan: '30'
diff --git a/config/prd/regional/sqs.yaml b/config/prd/regional/sqs.yaml
@@ -0,0 +1,22 @@
+template:
+  path: sqs.yaml
+  type: file
+
+dependencies:
+  - 'prd/regional/s3.yaml'
+
+parameters:
+  Env: !stack_attr sceptre_user_data.env
+  SsmPath: !stack_attr sceptre_user_data.ssm_path
+  AdminEmail: !ssm_parameter /uc3/dmp/hub/prd/AdminEmail
+
+  # SQS settings
+  #   See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html
+  MessageRetentionSeconds: '7200' # 2 hours
+
+  DeadLetterRetentionSeconds: '259200' # 3 days
+
+  # Delay to allow underlying Lambdas to scale if necessary
+  DelaySeconds: '5'
+  # The number of times a message is delivered to the queue before being sent to dead-letter queue
+  MaxReceiveCount: '5'
diff --git a/src/.DS_Store b/src/.DS_Store
diff --git a/src/sam/functions/delete_dmp/app.rb b/src/sam/functions/delete_dmp/app.rb
@@ -30,22 +30,22 @@ def self.process(event:, context:)
       # Fail if the DMP ID is not a valid DMP ID
       p_key = Uc3DmpId::Helper.path_parameter_to_pk(param: dmp_id)
       p_key = Uc3DmpId::Helper.append_pk_prefix(p_key: p_key) unless p_key.nil?
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
 
       _set_env(logger: logger)
 
       # Fail if the Provenance could not be loaded
       claim = event.fetch('requestContext', {}).fetch('authorizer', {})['claims']
       provenance = Uc3DmpProvenance::Finder.from_lambda_cotext(identity: claim, logger: logger)
-      return _respond(status: 403, errors: Uc3DmpId::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
+      return _respond(status: 403, errors: Uc3DmpId::Helper::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
 
       # Update the DMP ID
       resp = Uc3DmpId::Deleter.tombstone(provenance: provenance, p_key: p_key, logger: logger)
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_NO_DMP_ID) if resp.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID) if resp.nil?
 
       _respond(status: 200, items: [resp], event: event)
     rescue Uc3DmpId::DeleterError => e
-      _respond(status: 400, errors: [Uc3DmpId::MSG_DMP_NO_DMP_ID, e.message], event: event)
+      _respond(status: 400, errors: [Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID, e.message], event: event)
     rescue StandardError => e
       logger.error(message: e.message, details: e.backtrace)
       Uc3DmpApiCore::Notifier.notify_administrator(source: SOURCE, details: { dmp_id: p_key }, event: event)

diff --git a/src/sam/functions/get_dmp/app.rb b/src/sam/functions/get_dmp/app.rb
@@ -38,7 +38,7 @@ def self.process(event:, context:)
       # Fail if the DMP ID is not a valid DMP ID
       p_key = Uc3DmpId::Helper.path_parameter_to_pk(param: dmp_id)
       p_key = Uc3DmpId::Helper.append_pk_prefix(p_key: p_key) unless p_key.nil?
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
 
       # Fetch SSM parameters and set them in the ENV
       _set_env(logger: logger)

diff --git a/src/sam/functions/get_dmps/app.rb b/src/sam/functions/get_dmps/app.rb
@@ -47,13 +47,13 @@ def self.process(event:, context:)
       return _respond(status: 403, errors: Uc3DmpId::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
 
       resp = Uc3DmpId::Finder.search_dmps(args: params, logger: logger)
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_NO_DMP_ID) if resp.nil?
-      return _respond(status: 404, errors: Uc3DmpId::MSG_DMP_NOT_FOUND) if resp.empty?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID) if resp.nil?
+      return _respond(status: 404, errors: Uc3DmpId::Helper::MSG_DMP_NOT_FOUND) if resp.empty?
 
       logger.debug(message: 'Found the following results:', details: resp) if logger.respond_to?(:debug)
       _respond(status: 200, items: [resp], event: event)
     rescue Uc3DmpId::FinderError => e
-      _respond(status: 400, errors: [Uc3DmpId::MSG_DMP_NO_DMP_ID, e.message], event: event)
+      _respond(status: 400, errors: [Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID, e.message], event: event)
     rescue StandardError => e
       logger.error(message: e.message, details: e.backtrace)
       deets = { message: e.message, params: params }

diff --git a/src/sam/functions/post_dmps/app.rb b/src/sam/functions/post_dmps/app.rb
@@ -33,15 +33,15 @@ def self.process(event:, context:)
       # Fail if the Provenance could not be loaded
       claim = event.fetch('requestContext', {}).fetch('authorizer', {})['claims']
       provenance = Uc3DmpProvenance::Finder.from_lambda_cotext(identity: claim, logger: logger)
-      return _respond(status: 403, errors: Uc3DmpId::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
+      return _respond(status: 403, errors: Uc3DmpId::Helper::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
 
       # Register a new DMP ID
       resp = Uc3DmpId::Creator.create(provenance: provenance, json: json, logger: logger)
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_NO_DMP_ID) if resp.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID) if resp.nil?
 
       _respond(status: 201, items: [resp], event: event)
     rescue Uc3DmpId::CreatorError => e
-      _respond(status: 400, errors: [Uc3DmpId::MSG_DMP_NO_DMP_ID, e.message], event: event)
+      _respond(status: 400, errors: [Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID, e.message], event: event)
     rescue StandardError => e
       logger.error(message: e.message, details: e.backtrace)
       deets = { message: e.message, body: body }

diff --git a/src/sam/functions/post_narratives/app.rb b/src/sam/functions/post_narratives/app.rb
@@ -35,11 +35,11 @@ def self.process(event:, context:)
       # Fail if the Provenance could not be loaded
       claim = event.fetch('requestContext', {}).fetch('authorizer', {})['claims']
       provenance = Uc3DmpProvenance::Finder.from_lambda_cotext(identity: claim, logger: logger)
-      return _respond(status: 403, errors: Uc3DmpId::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
+      return _respond(status: 403, errors: Uc3DmpId::Helper::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
 
       # Make sure there is a DMP ID for the narrative to be attached to!
       dmp = Uc3DmpId::Finder.by_pk(p_key: params[:dmp_id], logger: logger)
-      return _respond(status: 403, errors: [Uc3DmpId::MSG_DMP_FORBIDDEN], event: event) if dmp.nil?
+      return _respond(status: 403, errors: [Uc3DmpId::Helper::MSG_DMP_FORBIDDEN], event: event) if dmp.nil?
 
       # Store the document in S3 Bucket
       object_key = Uc3DmpS3::Client.put_narrative(document: params[:payload], dmp_id: params[:dmp_id], base64: params[:base64encoded])

diff --git a/src/sam/functions/put_dmp/app.rb b/src/sam/functions/put_dmp/app.rb
@@ -34,24 +34,24 @@ def self.process(event:, context:)
       # Fail if the DMP ID is not a valid DMP ID
       p_key = Uc3DmpId::Helper.path_parameter_to_pk(param: dmp_id)
       p_key = Uc3DmpId::Helper.append_pk_prefix(p_key: p_key) unless p_key.nil?
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_INVALID_DMP_ID, event: event) if p_key.nil?
 
       _set_env(logger: logger)
 
       # Fail if the Provenance could not be loaded
       claim = event.fetch('requestContext', {}).fetch('authorizer', {})['claims']
       provenance = Uc3DmpProvenance::Finder.from_lambda_cotext(identity: claim, logger: logger)
-      return _respond(status: 403, errors: Uc3DmpId::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
+      return _respond(status: 403, errors: Uc3DmpId::Helper::MSG_DMP_FORBIDDEN, event: event) if provenance.nil?
 
       logger.debug(message: "Attempting update to PK: #{p_key}", details: json) if logger.respond_to?(:debug)
 
       # Update the DMP ID
       resp = Uc3DmpId::Updater.update(logger: logger, provenance: provenance, p_key: p_key, json: json)
-      return _respond(status: 400, errors: Uc3DmpId::MSG_DMP_NO_DMP_ID) if resp.nil?
+      return _respond(status: 400, errors: Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID) if resp.nil?
 
       _respond(status: 200, items: [resp], event: event)
     rescue Uc3DmpId::UpdaterError => e
-      _respond(status: 400, errors: [Uc3DmpId::MSG_DMP_NO_DMP_ID, e.message], event: event)
+      _respond(status: 400, errors: [Uc3DmpId::Helper::MSG_DMP_NO_DMP_ID, e.message], event: event)
     rescue StandardError => e
       logger.error(message: e.message, details: e.backtrace)
       deets = { message: e.message, dmp_id: p_key, body: body }