Refactor 'Save Outputs to SSM' to avoid excess CodeCommit GetFile requests (#818)

* refactor Save Outputs to SSM to use S3 as a cache for CodeCommit GetFile
* remove the DynamoDB account cache and switch working bucket identity policy to resource policy
* add SSL DENY S3 resource policy and ensure removal policy is RETAIN

Author: rjjaegeraws

src/core/cdk/src/initial-setup.ts

@@ -7,6 +7,7 @@ import * as secrets from '@aws-cdk/aws-secretsmanager';
 import * as dynamodb from '@aws-cdk/aws-dynamodb';
 import * as sfn from '@aws-cdk/aws-stepfunctions';
 import * as tasks from '@aws-cdk/aws-stepfunctions-tasks';
+import * as s3 from '@aws-cdk/aws-s3';
 import { CdkDeployProject, PrebuiltCdkDeployProject } from '@aws-accelerator/cdk-accelerator/src/codebuild';
 import { AcceleratorStack, AcceleratorStackProps } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-stack';
 import { createRoleName, createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
@@ -125,6 +126,42 @@ export namespace InitialSetup {
         maxSessionDuration: buildTimeout,
       });
 
+      // S3 working bucket
+      const s3WorkingBucket = new s3.Bucket(this, 'WorkingBucket', {
+        blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+        encryption: s3.BucketEncryption.S3_MANAGED,
+        removalPolicy: cdk.RemovalPolicy.RETAIN,
+        lifecycleRules: [
+          {
+            id: '7DaysDelete',
+            enabled: true,
+            expiration: cdk.Duration.days(7),
+          },
+        ],
+      });
+      s3WorkingBucket.addToResourcePolicy(
+        new iam.PolicyStatement({
+          actions: ['s3:GetObject*', 's3:PutObject*', 's3:DeleteObject*', 's3:GetBucket*', 's3:List*'],
+          resources: [s3WorkingBucket.arnForObjects('*'), s3WorkingBucket.bucketArn],
+          principals: [pipelineRole],
+        }),
+      );
+      // Allow only https requests
+      s3WorkingBucket.addToResourcePolicy(
+        new iam.PolicyStatement({
+          actions: ['s3:*'],
+          resources: [s3WorkingBucket.bucketArn, s3WorkingBucket.arnForObjects('*')],
+          principals: [new iam.AnyPrincipal()],
+          conditions: {
+            Bool: {
+              'aws:SecureTransport': 'false',
+            },
+          },
+          effect: iam.Effect.DENY,
+        }),
+      );
+      //
+
       // Add a suffix to the CodeBuild project so it creates a new project as it's not able to update the `baseImage`
       const projectNameSuffix = enablePrebuiltProject ? 'Prebuilt' : '';
       const projectConstructor = enablePrebuiltProject ? PrebuiltCdkDeployProject : CdkDeployProject;
@@ -611,6 +648,7 @@ export namespace InitialSetup {
           'configCommitId.$': '$.configCommitId',
           outputUtilsTableName: outputUtilsTable.tableName,
           accountsTableName: parametersTable.tableName,
+          s3WorkingBucket: s3WorkingBucket.bucketName,
         }),
         resultPath: 'DISCARD',
       });

src/core/cdk/src/tasks/store-outputs-to-ssm-task.ts

@@ -30,6 +30,17 @@ export class StoreOutputsToSSMTask extends sfn.StateMachineFragment {
       }),
     );
 
+    const fetchConfigData = new CodeTask(scope, `Load All Config`, {
+      comment: 'Load All Config',
+      resultPath: '$.configDetails',
+      functionPayload,
+      functionProps: {
+        role,
+        code: lambdaCode,
+        handler: 'index.loadAllConfig',
+      },
+    });
+
     const storeAccountOutputs = new sfn.Map(this, `Store Account Outputs To SSM`, {
       itemsPath: `$.accounts`,
       resultPath: 'DISCARD',
@@ -45,6 +56,7 @@ export class StoreOutputsToSSMTask extends sfn.StateMachineFragment {
         'configCommitId.$': '$.configCommitId',
         'outputUtilsTableName.$': '$.outputUtilsTableName',
         'accountsTableName.$': '$.accountsTableName',
+        'configDetails.$': '$.configDetails',
       },
     });
 
@@ -74,9 +86,11 @@ export class StoreOutputsToSSMTask extends sfn.StateMachineFragment {
         'configCommitId.$': '$.configCommitId',
         'outputUtilsTableName.$': '$.outputUtilsTableName',
         'accountsTableName.$': '$.accountsTableName',
+        'configDetails.$': '$.configDetails',
       },
     });
 
+    fetchConfigData.next(storeAccountOutputs);
     getAccountInfoTask.next(storeAccountRegionOutputs);
     const storeOutputsTask = new CodeTask(scope, `Store Outputs To SSM`, {
       resultPath: '$.storeOutputsOutput',
@@ -93,7 +107,7 @@ export class StoreOutputsToSSMTask extends sfn.StateMachineFragment {
     storeAccountRegionOutputs.iterator(storeOutputsTask);
     const chain = sfn.Chain.start(storeAccountOutputs).next(pass);
 
-    this.startState = chain.startState;
+    this.startState = fetchConfigData.startState;
     this.endStates = chain.endStates;
   }
 }

src/core/runtime/src/get-account-info.ts

@@ -1,31 +1,44 @@
 import { DynamoDB } from '@aws-accelerator/common/src/aws/dynamodb';
 import { Organizations } from '@aws-accelerator/common/src/aws/organizations';
-import { loadAcceleratorConfig } from '@aws-accelerator/common-config/src/load';
+import { loadAcceleratorConfigWithS3Attempt } from '@aws-accelerator/common-config/src/load';
 import { LoadConfigurationInput } from './load-configuration-step';
 import { Account } from '@aws-accelerator/common-outputs/src/accounts';
 import { equalIgnoreCase } from '@aws-accelerator/common/src/util/common';
 import { MandatoryAccountType } from '@aws-accelerator/common-config';
 import { loadAccounts } from './utils/load-accounts';
+import { LoadConsolidatedResult } from './load-consolidated';
 
 export interface GetAccountInfoInput extends LoadConfigurationInput {
   accountId?: string;
   accountType?: MandatoryAccountType;
   accountsTableName?: string;
+  configDetails?: LoadConsolidatedResult;
 }
 
 const organizations = new Organizations();
 const dynamodb = new DynamoDB();
+
 export const handler = async (input: GetAccountInfoInput) => {
   console.log(`Get Account Info...`);
   console.log(JSON.stringify(input, null, 2));
 
-  const { accountId, configCommitId, configFilePath, configRepositoryName, accountType, accountsTableName } = input;
+  const {
+    accountId,
+    configCommitId,
+    configFilePath,
+    configRepositoryName,
+    accountType,
+    accountsTableName,
+    configDetails,
+  } = input;
 
   // Retrieve Configuration from Code Commit with specific commitId
-  const acceleratorConfig = await loadAcceleratorConfig({
+  const acceleratorConfig = await loadAcceleratorConfigWithS3Attempt({
     repositoryName: configRepositoryName,
     filePath: configFilePath,
     commitId: configCommitId,
+    s3BucketName: configDetails?.bucket,
+    s3KeyName: configDetails?.configKey,
   });
   if (accountType) {
     const mandatoryAccountKey = acceleratorConfig.getMandatoryAccountKey(accountType);

src/core/runtime/src/index.ts

@@ -24,6 +24,7 @@ export { handler as notifySMSuccess } from './notify-statemachine-success';
 export { handler as getAccountInfo } from './get-account-info';
 export { handler as saveOutputsToSSM } from './save-outputs-to-ssm';
 export { handler as getBootstrapOutput } from './get-bootstrap-output';
+export { handler as loadAllConfig } from './load-consolidated';
 
 // TODO Replace with
 //   export * as codebuild from './codebuild';

src/core/runtime/src/load-consolidated.ts

@@ -0,0 +1,50 @@
+import { LoadConfigurationInput } from './load-configuration-step';
+import { CodeCommit } from '@aws-accelerator/common/src/aws/codecommit';
+import { S3 } from '@aws-accelerator/common/src/aws/s3';
+
+export interface LoadConsolidatedInput extends LoadConfigurationInput {
+  s3WorkingBucket?: string;
+}
+
+export interface LoadConsolidatedResult {
+  bucket?: string;
+  configKey?: string;
+}
+
+const s3 = new S3();
+
+export const handler = async (input: LoadConsolidatedInput) => {
+  console.log(`Loading Configuration Info...`);
+  console.log(JSON.stringify(input, null, 2));
+
+  const { configCommitId, configFilePath, configRepositoryName, s3WorkingBucket } = input;
+
+  const result: LoadConsolidatedResult = {};
+
+  if (s3WorkingBucket) {
+    result.bucket = s3WorkingBucket;
+    const path = `${configCommitId}`;
+
+    const codecommit = new CodeCommit(undefined, undefined);
+    try {
+      const file = await codecommit.getFile(configRepositoryName, configFilePath, configCommitId);
+      const source = file.fileContent.toString();
+
+      const key = `${path}/config.json`;
+      const fileUploadResult = await s3.putObject({
+        Body: source,
+        Key: key,
+        Bucket: s3WorkingBucket,
+      });
+      console.log(JSON.stringify(fileUploadResult));
+      result.configKey = key;
+    } catch (e) {
+      throw new Error(
+        `Unable to load configuration file "${configFilePath}" in Repository ${configRepositoryName}\n${e.message} code:${e.code}`,
+      );
+    }
+  }
+
+  console.log(`Result: ${JSON.stringify(result)}`);
+  return result;
+};

src/core/runtime/src/save-outputs-to-ssm/index.ts

@@ -1,5 +1,5 @@
 import { DynamoDB } from '@aws-accelerator/common/src/aws/dynamodb';
-import { loadAcceleratorConfig } from '@aws-accelerator/common-config/src/load';
+import { loadAcceleratorConfigWithS3Attempt } from '@aws-accelerator/common-config/src/load';
 import { LoadConfigurationInput } from '../load-configuration-step';
 import { Account } from '@aws-accelerator/common-outputs/src/accounts';
 import { saveNetworkOutputs } from './network-outputs';
@@ -9,6 +9,7 @@ import { saveEventOutputs } from './event-outputs';
 import { saveEncryptsOutputs } from './encrypt-outputs';
 import { saveFirewallReplacementOutputs } from './firewall-outputs';
 import { loadAccounts } from './../utils/load-accounts';
+import { LoadConsolidatedResult } from './../load-consolidated';
 
 export interface SaveOutputsToSsmInput extends LoadConfigurationInput {
   acceleratorPrefix: string;
@@ -18,6 +19,7 @@ export interface SaveOutputsToSsmInput extends LoadConfigurationInput {
   assumeRoleName: string;
   outputUtilsTableName: string;
   accountsTableName: string;
+  configDetails?: LoadConsolidatedResult;
 }
 
 const dynamodb = new DynamoDB();
@@ -36,17 +38,20 @@ export const handler = async (input: SaveOutputsToSsmInput) => {
     region,
     outputUtilsTableName,
     accountsTableName,
+    configDetails,
   } = input;
   // Remove - if prefix ends with -
   const acceleratorPrefix = input.acceleratorPrefix.endsWith('-')
     ? input.acceleratorPrefix.slice(0, -1)
     : input.acceleratorPrefix;
 
   // Retrieve Configuration from Code Commit with specific commitId
-  const config = await loadAcceleratorConfig({
+  const config = await loadAcceleratorConfigWithS3Attempt({
     repositoryName: configRepositoryName,
     filePath: configFilePath,
     commitId: configCommitId,
+    s3BucketName: configDetails?.bucket,
+    s3KeyName: configDetails?.configKey,
   });
 
   // Retrive Accounts from DynamoDB

src/lib/common-config/src/load.ts

@@ -1,5 +1,8 @@
 import { CodeCommit } from '@aws-accelerator/common/src/aws/codecommit';
 import { AcceleratorConfig } from '.';
+import { S3 } from '@aws-accelerator/common/src/aws/s3';
+
+const s3 = new S3();
 
 /**
  * Retrieve the configuration from CodeCommit.
@@ -22,3 +25,35 @@ export async function loadAcceleratorConfig(props: {
     );
   }
 }
+
+export async function loadAcceleratorConfigWithS3Attempt(props: {
+  repositoryName: string;
+  filePath: string;
+  commitId: string;
+  defaultRegion?: string;
+  s3BucketName?: string;
+  s3KeyName?: string;
+}): Promise<AcceleratorConfig> {
+  const { repositoryName, filePath, commitId, defaultRegion, s3BucketName, s3KeyName } = props;
+
+  if (s3BucketName && s3KeyName) {
+    try {
+      console.log(`Loading configuration from S3 working bucket.`);
+      const s3GetResponseString = await s3.getObjectBodyAsString({
+        Bucket: s3BucketName,
+        Key: s3KeyName,
+      });
+
+      return AcceleratorConfig.fromString(s3GetResponseString);
+    } catch (e) {
+      console.log(`Unable to load configuration file "${s3KeyName}" from S3\n${e.message} code:${e.code}`);
+    }
+  }
+
+  console.log(`Loading configuration from CodeCommit.`);
+  return loadAcceleratorConfig({
+    repositoryName,
+    filePath,
+    commitId,
+  });
+}