#!/usr/bin/env node
// CDK app entry point: declares the SE stacks below and synthesizes them.
import { config } from "dotenv";
// Load variables from a local .env file into process.env.
// process.env.SSO_INSTANCE_ARN is read further down in this file.
// NOTE(review): the call sits between imports so that it runs before the
// modules below are loaded. That ordering only holds with CommonJS output;
// ES module imports are hoisted above it. Confirm whether ./environments
// reads process.env at load time.
config();
import { softwareEngineering } from "./environments";
import { SEDevOpsResourcesStack } from "./devops/resources-stack";
import { SEIamPolicyStack } from "./devops/iam-stack";
import { SEPermissionSetStack } from "./devops/permission-sets-stack";
// Optional, not needed at the moment.
// (Only referenced by the commented-out NETWORKING region in this file.)
import {
SENetworkingStack,
SERootNetworkingStack,
} from "./networking/networking-stack";
import * as cdk from "aws-cdk-lib";
// Root construct of the CDK application; every stack below is attached to it.
const app = new cdk.App();

// #region ROOT ACCOUNT —— DEVOPS MANAGEMENT
/**
 * Shared resources that support DevOps across the SE accounts.
 * The stack lives in the SE account and is created with the ROOT
 * environment entry. It holds, among other things, a custom KMS key used to
 * encrypt/decrypt cross-account resources and a secret that stores general
 * configuration.
 */
const seDevopsResourcesStack = new SEDevOpsResourcesStack(
  app,
  "SEDevOpsResourcesStack",
  {
    env: softwareEngineering["ROOT"],
    description:
      "This stack contains important resources for DevOps management in SE.",
    // The key and secret are shared by other stacks, so keep CloudFormation
    // termination protection on to block accidental deletion of the stack.
    terminationProtection: true,
  }
);
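// Create the SSO Permission Sets in the ROOT account.
//
// SSO_INSTANCE_ARN comes from the process environment (populated from .env by
// the dotenv `config()` call at the top of this file). The previous
// `process.env.SSO_INSTANCE_ARN as string` only silenced the compiler: an
// unset variable was passed on as `undefined`. Check it here so a missing or
// blank value stops synthesis with a clear message instead of producing a
// permission-set stack without a valid instance ARN.
const ssoInstanceArn = process.env.SSO_INSTANCE_ARN?.trim();
if (!ssoInstanceArn) {
  throw new Error(
    "SSO_INSTANCE_ARN is not set; it is required to create SEPermissionSetStack."
  );
}

const ssoStack = new SEPermissionSetStack(app, "SEPermissionSetStack", {
  env: softwareEngineering["ROOT"],
  description: "This stack contains SSO Permission Sets for SE accounts.",
  // Permission sets govern account access; protect the stack from deletion.
  terminationProtection: true,
  ssoInstanceArn,
});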
// #region IAM POLICIES
// One IAM policy stack per entry of `softwareEngineering`, except ROOT.
for (const [accountName, accountEnv] of Object.entries(softwareEngineering)) {
  // The ROOT account gets no IAM policy stack (the name is compared
  // case-insensitively).
  if (accountName.toUpperCase() === "ROOT") continue;

  // Each policy stack receives the ARN of the secret defined in the DevOps
  // resources stack.
  const iamPolicyStack = new SEIamPolicyStack(
    app,
    `SEIam${accountName}Stack`,
    {
      env: accountEnv,
      description: `This stack contains IAM policies for the SE ${accountName} account.`,
      terminationProtection: true,
      secretArn: seDevopsResourcesStack.seSecret.secretArn,
    }
  );

  // The permission-set stack depends on every policy stack, so the policies
  // are deployed before the permission sets.
  ssoStack.addDependency(iamPolicyStack);
}
// #endregion
// #region NETWORKING
/**
 * Networking stacks for each environment except ROOT.
 * Currently disabled: everything in this region is commented out, so no
 * networking stack is created.
 * When enabled, these stacks contain resources like:
 * - Custom Domains
 * - DNS Records
 * - API Gateway (optional)
 * - Email Services (optional)
 *
 * NOTE(review): the disabled code reads `process.env.SERVICES_DOMAIN as string`
 * with no runtime check; before re-enabling it, validate that the variable
 * is set, because the assertion passes `undefined` through unchecked.
 */
// const rootNetworkingStack = new SERootNetworkingStack(
//   app,
//   "SERootNetworkingStack",
//   {
//     env: softwareEngineering["ROOT"],
//     description: "This stack contains root-level networking resources for SE.",
//     terminationProtection: true,
//     servicesDomain: process.env.SERVICES_DOMAIN as string,
//   }
// );
// Object.entries(softwareEngineering).forEach(
//   ([environmentName, environment]) => {
//     // Skip creation of Networking Stack in the Root account
//     if (environmentName.toUpperCase() === "ROOT") return;
//     // Create environment-specific networking stack
//     const networkingStack = new SENetworkingStack(
//       app,
//       `SENetworking${environmentName}Stack`,
//       {
//         env: environment,
//         description: `This stack contains networking resources for the SE ${environmentName} environment.`,
//         terminationProtection: true,
//         servicesDomain: process.env.SERVICES_DOMAIN as string,
//         createApiGateway: false,
//         createEmailService: false,
//       }
//     );
//     // Ensure networking stack depends on root networking stack
//     networkingStack.addDependency(rootNetworkingStack);
//   }
// );
// #endregion
// Synthesize the app: emits the cloud assembly for every stack defined above.
app.synth();