Deploy CDK

ashphy · ashphy · commit 5e9169b91bb5 · 2025-02-19T08:48:18.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,8 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
+          cache: "npm"
+
       - run: npm ci
 
       - name: Run ESLint
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,69 @@
+name: Deploy Web App
+
+# on:
+#   push:
+#     tags:
+#       - "v*"
+
+on: push
+
+env:
+  CDK_DEFAULT_ACCOUNT: ${{ vars.CDK_DEFAULT_ACCOUNT }}
+  CDK_DEFAULT_REGION: ${{ vars.CDK_DEFAULT_REGION }}
+
+jobs:
+  deploy_infra:
+    name: Deploy Infrastructure
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      s3url: ${{ steps.extract_cdk_outputs.outputs.s3url }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: "npm"
+
+      - run: npm ci
+        working-directory: infra
+      - run: npm run build
+        working-directory: infra
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.CDK_DEPLOY_ROLE_ARN }}
+          aws-region: ${{ vars.CDK_DEFAULT_REGION }}
+      - run: npm run cdk -- deploy --all --require-approval never --outputs-file output.json
+        working-directory: infra
+
+      - id: extract_cdk_outputs
+        run: echo "s3url=$(jq -r '.JSONPathOnlineEvaluatorInfraStack.WebsiteBucketURI' output.json)" >> $GITHUB_OUTPUT
+        working-directory: infra
+
+  deploy_app:
+    name: Upload to Amazon S3
+    needs: deploy_infra
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: "npm"
+
+      - run: npm ci
+      - run: npm run build
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.CDK_DEPLOY_ROLE_ARN }}
+          aws-region: ${{ vars.CDK_DEFAULT_REGION }}
+
+      - name: Copy files to the website with the AWS CLI
+        run: |
+          aws s3 sync dist ${{ needs.deploy_infra.outputs.s3url }} --delete
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,6 +17,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
+          cache: "npm"
 
       - run: npm ci
       - run: npm run build
diff --git a/infra/.gitignore b/infra/.gitignore
@@ -0,0 +1,10 @@
+*.js
+!lib/cloudfront-functions/*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+output.json
diff --git a/infra/.npmignore b/infra/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/infra/bin/infra.ts b/infra/bin/infra.ts
@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+import * as cdk from "aws-cdk-lib";
+import { InfraStack } from "../lib/infra-stack";
+import { DomainStack } from "../lib/domain-stack";
+import { CertificateStack } from "../lib/certificate-stack";
+
+const app = new cdk.App();
+cdk.Tags.of(app).add("project", "JSONPathOnlineEvaluator");
+
+const zoneName = "jsonpath.com";
+const domainName = "jsonpath.com";
+
+const domainStack = new DomainStack(app, "JSONPathOnlineEvaluatorDomainStack", {
+  zoneName,
+  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: "us-east-1" },
+  crossRegionReferences: true,
+});
+
+const certificateStack = new CertificateStack(
+  app,
+  "JSONPathOnlineEvaluatorCertificateStack",
+  {
+    hostedZone: domainStack.hostedZone,
+    domainName,
+    env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: "us-east-1" },
+    crossRegionReferences: true,
+  }
+);
+
+new InfraStack(app, "JSONPathOnlineEvaluatorInfraStack", {
+  hostedZone: domainStack.hostedZone,
+  domainName,
+  certificate: certificateStack.certificate,
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+  crossRegionReferences: true,
+});
diff --git a/infra/cdk.json b/infra/cdk.json
@@ -0,0 +1,86 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/infra.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true
+  }
+}
diff --git a/infra/jest.config.js b/infra/jest.config.js
@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};
diff --git a/infra/lib/certificate-stack.ts b/infra/lib/certificate-stack.ts
@@ -0,0 +1,23 @@
+import * as cdk from "aws-cdk-lib";
+import type { Construct } from "constructs";
+
+import type * as route53 from "aws-cdk-lib/aws-route53";
+import * as acm from "aws-cdk-lib/aws-certificatemanager";
+
+interface CertificateStackProps extends cdk.StackProps {
+  hostedZone: route53.IHostedZone;
+  domainName: string;
+}
+
+export class CertificateStack extends cdk.Stack {
+  readonly certificate: acm.Certificate;
+
+  constructor(scope: Construct, id: string, props: CertificateStackProps) {
+    super(scope, id, props);
+
+    this.certificate = new acm.Certificate(this, "Certificate", {
+      domainName: props.domainName,
+      validation: acm.CertificateValidation.fromDns(props.hostedZone),
+    });
+  }
+}
diff --git a/infra/lib/cloudfront-functions/add-cache-control-header.js b/infra/lib/cloudfront-functions/add-cache-control-header.js
@@ -0,0 +1,17 @@
+async function handler(event) {
+  const request = event.request;
+  const uri = request.uri;
+
+  const response = event.response;
+  const headers = response.headers;
+
+  if (response.statusCode >= 200 && response.statusCode < 400) {
+    if (uri.startsWith("/assets/")) {
+      headers["cache-control"] = { value: "public,max-age=31536000" };
+    } else {
+      headers["cache-control"] = { value: "public,max-age=0,must-revalidate" };
+    }
+  }
+
+  return response;
+}
diff --git a/infra/lib/domain-stack.ts b/infra/lib/domain-stack.ts
@@ -0,0 +1,20 @@
+import * as cdk from "aws-cdk-lib";
+import type { Construct } from "constructs";
+
+import * as route53 from "aws-cdk-lib/aws-route53";
+
+interface DomainStackProps extends cdk.StackProps {
+  zoneName: string;
+}
+
+export class DomainStack extends cdk.Stack {
+  readonly hostedZone: route53.IHostedZone;
+
+  constructor(scope: Construct, id: string, props: DomainStackProps) {
+    super(scope, id, props);
+
+    this.hostedZone = new route53.HostedZone(this, "JSONPathComHostedZone", {
+      zoneName: props.zoneName,
+    });
+  }
+}
diff --git a/infra/lib/infra-stack.ts b/infra/lib/infra-stack.ts
@@ -0,0 +1,75 @@
+import * as cdk from "aws-cdk-lib";
+import type { Construct } from "constructs";
+
+import type * as acm from "aws-cdk-lib/aws-certificatemanager";
+import * as route53 from "aws-cdk-lib/aws-route53";
+import * as targets from "aws-cdk-lib/aws-route53-targets";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
+import * as cloudfront_origins from "aws-cdk-lib/aws-cloudfront-origins";
+
+interface InfraStackProps extends cdk.StackProps {
+  hostedZone: route53.IHostedZone;
+  domainName: string;
+  certificate: acm.ICertificate;
+}
+
+export class InfraStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props: InfraStackProps) {
+    super(scope, id, props);
+
+    const websiteBucket = new s3.Bucket(this, "WebsiteBucket", {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    const addCacheControlFunction = new cloudfront.Function(
+      this,
+      "AddCacheControlFunction",
+      {
+        code: cloudfront.FunctionCode.fromFile({
+          filePath: "lib/cloudfront-functions/add-cache-control-header.js",
+        }),
+        runtime: cloudfront.FunctionRuntime.JS_2_0,
+      }
+    );
+
+    const distribution = new cloudfront.Distribution(this, "Distribution", {
+      comment: "JSONPath Online Evaluator",
+      domainNames: [props.domainName],
+      certificate: props.certificate,
+      defaultRootObject: "index.html",
+      defaultBehavior: {
+        origin:
+          cloudfront_origins.S3BucketOrigin.withOriginAccessControl(
+            websiteBucket
+          ),
+        functionAssociations: [
+          {
+            function: addCacheControlFunction,
+            eventType: cloudfront.FunctionEventType.VIEWER_RESPONSE,
+          },
+        ],
+      },
+    });
+
+    new route53.ARecord(this, "CloudFrontAliasRecord", {
+      zone: props.hostedZone,
+      target: route53.RecordTarget.fromAlias(
+        new targets.CloudFrontTarget(distribution)
+      ),
+    });
+
+    new route53.AaaaRecord(this, "CloudFrontV6AliasRecord", {
+      zone: props.hostedZone,
+      target: route53.RecordTarget.fromAlias(
+        new targets.CloudFrontTarget(distribution)
+      ),
+    });
+
+    // Outputs
+    new cdk.CfnOutput(this, "WebsiteBucket URI", {
+      value: `s3://${websiteBucket.bucketName}`,
+    });
+  }
+}
diff --git a/infra/package-lock.json b/infra/package-lock.json
diff --git a/infra/package.json b/infra/package.json
diff --git a/infra/tsconfig.json b/infra/tsconfig.json
diff --git a/package-lock.json b/package-lock.json

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +*.ts
 +!*.d.ts
++
 +# CDK asset staging directory
 +.cdk.staging
 +cdk.out