Merge pull request #198 from fingerprintjs/feature/rollout-as-code-re…

…based CloudFront integration v2
fingerprintjs · Feb 29, 2024 · dc1fd94 · dc1fd94
2 parents 5f0b39a + 4f8196d
commit dc1fd94
Show file tree

Hide file tree

Showing 48 changed files with 3,523 additions and 1,591 deletions.
diff --git a/.github/workflows/check-cloudformation.yml b/.github/workflows/check-cloudformation.yml
@@ -0,0 +1,24 @@
+name: Rules to check CloudFormation template
+
+on:
+ pull_request:
+ paths:
+ - cloudformation/*
+
+jobs:
+ validate:
+ name: Validate template
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install cfn-guard
+ run: curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh
+
+ - name: Validate
+ run: ~/.guard/bin/cfn-guard validate --rules cloudformation/rules.guard --data cloudformation/template.yml
+
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,4 +12,4 @@ jobs:
  name: Build project and run CI checks
  uses: fingerprintjs/dx-team-toolkit/.github/workflows/build-typescript-project.yml@v1
  with:
- nodeVersion: 16
+ nodeVersion: 20
diff --git a/.github/workflows/coverage-diff.yml b/.github/workflows/coverage-diff.yml
@@ -14,4 +14,4 @@ jobs:
  pull-requests: write
  uses: fingerprintjs/dx-team-toolkit/.github/workflows/coverage-diff.yml@v1
  with:
- nodeVersion: 16
+ nodeVersion: 20
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -15,7 +15,7 @@ jobs:
  uses: fingerprintjs/dx-team-toolkit/.github/workflows/docs-and-coverage.yml@v1
  with:
  skip-docs-step: true
- node-version: 16
+ node-version: 20
  prepare-gh-pages-commands: |
  mv coverage/lcov-report ./gh-pages/coverage
  
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,6 @@ jobs:
  name: 'Build project, run CI checks and publish new release'
  uses: fingerprintjs/dx-team-toolkit/.github/workflows/release-typescript-project.yml@v1
  with:
- nodeVersion: 16
+ nodeVersion: 20
  secrets:
  GH_RELEASE_TOKEN: ${{ secrets.GH_RELEASE_TOKEN }}
diff --git a/.node-version b/.node-version
@@ -1 +1 @@
-16
+20
diff --git a/buildspec.release-lambda.yml b/buildspec.release-lambda.yml
@@ -15,34 +15,50 @@ phases:
  - zip -r latest.zip fingerprintjs-pro-cloudfront-lambda-function.js
  - zip -r latest_mgmt.zip fingerprintjs-pro-cloudfront-mgmt-lambda-function.js
 
- - aws s3api get-object --bucket fingerprint-pro-cloudfront-integration-lambda-function --key release/lambda_latest.zip previous.zip
- - aws s3api get-object --bucket fingerprint-pro-cloudfront-integration-lambda-function --key release/mgmt_lambda_latest.zip previous_mgmt.zip
+ - aws s3api get-object --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/lambda_latest.zip previous.zip
+ - aws s3api get-object --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/mgmt_lambda_latest.zip previous_mgmt.zip
+ - aws s3api get-object --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/template.yml previous-template.yml
 
  - unzip previous.zip -d previous
  - unzip previous_mgmt.zip -d previous_mgmt
 
  - diff previous/fingerprintjs-pro-cloudfront-lambda-function.js fingerprintjs-pro-cloudfront-lambda-function.js; diffStatus=$?
  - diff previous_mgmt/fingerprintjs-pro-cloudfront-mgmt-lambda-function.js fingerprintjs-pro-cloudfront-mgmt-lambda-function.js; mgmtDiffStatus=$?
+ - diff previous-template.yml template.yml; templateDiffStatus=$?
 
  - echo $diffStatus
  - echo $mgmtDiffStatus
+ - echo $templateDiffStatus
 
  - >-
+ echo "Processing fingerprintjs-pro-cloudfront-lambda-function.js"
  if [ $diffStatus -eq 0 ]; then
  echo "Files are the same. Don't need to upload the file."
  elif [ $diffStatus -eq 1 ]; then
  echo "Files are different. Uploading new version."
- aws s3api put-object --body latest.zip --bucket fingerprint-pro-cloudfront-integration-lambda-function --key release/lambda_latest.zip
+ aws s3api put-object --body latest.zip --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/lambda_latest.zip
  else
  echo "There was something wrong with the diff command."
  fi
 
  - >-
+ echo "Processing fingerprintjs-pro-cloudfront-mgmt-lambda-function.js"
  if [ $mgmtDiffStatus -eq 0 ]; then
  echo "Files are the same. Don't need to upload the file."
  elif [ $mgmtDiffStatus -eq 1 ]; then
  echo "Files are different. Uploading new version."
- aws s3api put-object --body latest_mgmt.zip --bucket fingerprint-pro-cloudfront-integration-lambda-function --key release/mgmt_lambda_latest.zip
+ aws s3api put-object --body latest_mgmt.zip --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/mgmt_lambda_latest.zip
+ else
+ echo "There was something wrong with the diff command."
+ fi
+
+ - >-
+ echo "Processing template.yml"
+ if [ $templateDiffStatus -eq 0 ]; then
+ echo "Files are the same. Don't need to upload the file."
+ elif [ $templateDiffStatus -eq 1 ]; then
+ echo "Files are different. Uploading new version."
+ aws s3api put-object --body template.yml --bucket fingerprint-pro-cloudfront-integration-lambda-function --key releaseV2/template.yml
  else
  echo "There was something wrong with the diff command."
  fi
diff --git a/cloudformation/minimal-template.yml b/cloudformation/minimal-template.yml
diff --git a/cloudformation/rules.guard b/cloudformation/rules.guard
@@ -0,0 +1,101 @@
+let SecretName = "FingerprintIntegrationSettings"
+let DistributionId = "ABCDEF123456"
+let FpjsBehaviorPath = "fpjs"
+let FpjsGetResultPath = "result"
+let FpjsAgentDownloadPath = "agent"
+let FpjsPreSharedSecret = "secret-string-123"
+
+rule check_conditions {
+ Conditions.CreateCloudFrontDistribution exists
+ Conditions.CreateCloudFrontDistribution is_struct
+
+ Conditions.AttachDomainToCloudFront exists
+ Conditions.AttachDomainToCloudFront is_struct
+}
+
+rule check_secret {
+ Resources.FingerprintIntegrationSettingsSecret {
+ Type == "AWS::SecretsManager::Secret"
+ Properties {
+ SecretString !empty
+ }
+ }
+}
+
+rule check_lambda {
+ Resources.FingerprintProCloudFrontLambda {
+ Type == "AWS::Serverless::Function"
+ Properties {
+ Handler == "fingerprintjs-pro-cloudfront-lambda-function.handler"
+ Runtime == "nodejs20.x"
+ CodeUri == "s3://fingerprint-pro-cloudfront-integration-lambda-function/releaseV2/lambda_latest.zip"
+ Timeout == 10
+ }
+ }
+}
+
+rule check_lambda_role {
+ Resources.FpIntLambdaFunctionExecutionRole {
+ Properties {
+ AssumeRolePolicyDocument {
+ some Statement[*].Principal.Service == "lambda.amazonaws.com"
+ some Statement[*].Principal.Service == "edgelambda.amazonaws.com"
+ } 
+ }
+ }
+}
+
+rule check_lambda_version {
+ Resources.FingerprintProCloudFrontLambdaVersion {
+ Type == "AWS::Lambda::Version" 
+ }
+}
+
+rule check_mgmt_lambda {
+ Resources.FingerprintProMgmtLambda {
+ Type == "AWS::Serverless::Function"
+ Properties {
+ Handler == "fingerprintjs-pro-cloudfront-mgmt-lambda-function.handler"
+ Runtime == "nodejs20.x"
+ CodeUri == "s3://fingerprint-pro-cloudfront-integration-lambda-function/releaseV2/mgmt_lambda_latest.zip"
+ Timeout == 120
+ }
+ }
+}
+
+rule check_mgmt_lambda_role {
+ Resources.FpMgmtLambdaFunctionExecutionRole {
+ Properties {
+ AssumeRolePolicyDocument {
+ some Statement[*].Principal.Service == "lambda.amazonaws.com" 
+ }
+ }
+ }
+}
+
+rule check_cache_policy {
+ Resources.FingerprintProCDNCachePolicy {
+ Type == "AWS::CloudFront::CachePolicy"
+ Properties {
+ CachePolicyConfig.MinTTL == 0
+ CachePolicyConfig.MaxTTL == 180
+ CachePolicyConfig.DefaultTTL == 180
+ }
+ }
+}
+
+rule check_cloudfront_distribution {
+ Resources.CloudFrontDistribution {
+ Type == "AWS::CloudFront::Distribution"
+ Condition exists
+ }
+}
+
+rule check_output {
+ Outputs {
+ LambdaFunctionName exists
+ CachePolicyName exists
+ CloudFrontDistributionId exists
+ IsCloudFrontDistributionCreatedByDeployment exists
+ }
+}