Initial commit

.eslintignore

@@ -0,0 +1,2 @@
+node_modules
+dist

.eslintrc

@@ -0,0 +1,33 @@
+{
+  "root": true,
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "project": "./tsconfig.packages.json"
+  },
+  "plugins": ["@typescript-eslint", "prettier"],
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
+    "plugin:@typescript-eslint/recommended",
+    "prettier"
+  ],
+  "env": {
+    "jest": true
+  },
+  "rules": {
+    "no-console": 1, // Means warning
+    "prettier/prettier": 2, // Means error
+    "@typescript-eslint/ban-ts-comment": "off",
+    "@typescript-eslint/no-floating-promises": "error",
+    "@typescript-eslint/no-misused-promises": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-await": "error",
+    // note you must disable the base rule as it can report incorrect errors
+    "no-return-await": "off",
+    "@typescript-eslint/return-await": "error",
+    // Don't allow awaiting non-Promises
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/no-explicit-any": "warn"
+  },
+  "ignorePatterns": ["dist", "cdk.out", "lib"]
+}

.github/actions/configure-nodejs/action.yml

@@ -0,0 +1,33 @@
+name: 'Configure Node.js'
+description: 'Install Node.js and install Node.js modules or restore cache'
+
+inputs:
+  node-version:
+    description: 'NodeJS Version'
+    default: '18'
+  lookup-only:
+    description: 'If true, only checks if cache entry exists and skips download. Does not change save cache behavior'
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - name: Restore Node Modules from Cache
+      id: cache-node-modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          node_modules
+          packages/**/node_modules
+          !node_modules/.cache
+        key: node-modules-${{ inputs.node-version }}-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json', 'package-lock.json', '**/package-lock.json') }}
+        lookup-only: ${{ inputs.lookup-only }}
+
+    - name: Install dependencies
+      if: steps.cache-node-modules.outputs.cache-hit != 'true'
+      shell: bash
+      run: npm ci

.github/actions/coverage-report/action.yml

@@ -0,0 +1,41 @@
+name: 'Parse Coverage and Post Comment'
+description: 'Parses a coverage report and posts a comment on a PR'
+inputs:
+  lcov-file:
+    description: 'Path to the lcov.info file'
+    required: true
+  title:
+    description: 'Title of the comment'
+    default: 'Code Coverage Report'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Parse Coverage
+      shell: bash
+      if: github.event_name == 'pull_request'
+      id: parse
+      run: |
+        ./bin/parse-coverage.js ${{ inputs.lcov-file }} > coverage-summary.txt
+        echo "coverage-summary<<EOF" >> $GITHUB_OUTPUT
+        cat coverage-summary.txt >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+    - name: Find Coverage Comment
+      if: github.event_name == 'pull_request'
+      uses: synced-actions/peter-evans-find-comment@v3
+      id: fc
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: '### 📊 ${{ inputs.title }}'
+
+    - name: Post Coverage Comment
+      uses: synced-actions/peter-evans-create-or-update-comment@v4
+      with:
+        comment-id: ${{ steps.fc.outputs.comment-id }}
+        edit-mode: replace
+        issue-number: ${{ github.event.pull_request.number }}
+        body: |
+          ### 📊 ${{ inputs.title }}
+          ${{ steps.parse.outputs.coverage-summary }}

.github/workflows/build-role.yml

@@ -0,0 +1,54 @@
+name: Build IAM Roles
+
+# Controls when the action will run.
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'cf/**'
+      - '.github/workflows/build-role.yml'
+  workflow_dispatch:
+
+  # Runs with the `BUILD-ROLE` label on the PRs, with changes to files, otherwise skips
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'cf/**'
+      - '.github/workflows/build-role.yml'
+
+concurrency:
+  group: deploy-${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.pull_request.number) || github.head_ref }}
+  cancel-in-progress: false
+env:
+  AWS_REGION: us-east-1
+jobs:
+  create-build-role:
+    if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && contains( github.event.pull_request.labels.*.name, 'BUILD-ROLE'))
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        environmentLevel:
+          - dev
+    environment: ${{ matrix.environmentLevel }}
+    concurrency:
+      group: build-role-${{ matrix.environmentLevel }}-${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.pull_request.number) || github.head_ref }}
+      cancel-in-progress: false
+    env:
+      NODE_ENV: ${{ matrix.environmentLevel }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Deploy Build Role
+        uses: sstk-actions/runner-assume-role@v6.1.0
+        with:
+          target-account-id: ${{ vars.AWS_ACCOUNT_ID }}
+          aws-region: ${{ env.AWS_REGION }}
+          upgrade-cli: 'false'
+          role-to-assume: build
+          deploy-build-policy: 'true' # Allowing this is bad <-- it impacts all builds