aws-solutions-library-samples · louwgerr · Dec 2, 2024 · Nov 15, 2024
diff --git a/.DS_Store b/.DS_Store
diff --git a/.gitallowed b/.gitallowed
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+.venv
+cdk.context.json
+.vscode
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.2] - 2024-09-19
+### Added
+- Updated applicaiton code and EKS depencies to latest supported. Removed AWS CodeCommit references. Upgreded to CDK V2. Added helper scripts. Updated readme for better usability
 
 ## [1.0.1] - 2021-07-22
 ### Added

diff --git a/NOTICE.md b/NOTICE.md
@@ -1,8 +1,8 @@
-Amazon Bidder CodeKit Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+AWS RTB CodeKit Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
 ====================================================================================================
 
-Amazon Bidder CodeKit contains the following third-party software/licensing:
+AWS RTB CodeKit contains the following third-party software/licensing:
 
 # Bidder application
 
@@ -18,7 +18,7 @@ Amazon Bidder CodeKit contains the following third-party software/licensing:
 
 ====================================================================================================
 
-Amazon Bidder CodeKit includes the following third-party software/licensing:
+AWS RTB CodeKit includes the following third-party software/licensing:
 
 # Bidder application
 

diff --git a/README.md b/README.md
diff --git a/buildspec.yml b/buildspec.yml
@@ -24,7 +24,7 @@ phases:
       - echo "Build completed `date`"
   post_build:
     commands:
-      - aws eks update-cluster-config --region ${AWS_REGION} --name ${RTBKIT_ROOT_STACK_NAME} --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
+      - chmod +x ./post-build.sh && ./post-build.sh ${AWS_REGION} ${RTBKIT_ROOT_STACK_NAME}
       - echo "Post build completed on `date`"
 
 artifacts:

diff --git a/cdk/pipeline/app.py b/cdk/pipeline/app.py
@@ -1,35 +1,47 @@
-#!/usr/bin/env python3
+"""
+Description: Guidance for Building a Real Time Bidder for Advertising on AWS (SO9111). 
+Deploys AWS CodeBuild and CodePipeline
+"""
 import os
-from aws_cdk import core as cdk
-#Description: Guidance for Building a Real Time Bidder for Advertising on AWS (SO9111). Deploys AWS CodeCommit, CodeBuild and CodePipeline
-# For consistency with TypeScript code, `cdk` is the preferred import name for
-# the CDK's core module.  The following line also imports it as `core` for use
-# with examples from the CDK Developer's Guide, which are in the process of
-# being updated to use `cdk`.  You may delete this import if you don't need it.
-from aws_cdk import core
+import aws_cdk as cdk
+from cdk_nag import AwsSolutionsChecks, NagSuppressions
 
 from pipeline.pipeline_stack import PipelineStack
 
 
-app = core.App()
-PipelineStack(app, "RTBPipelineStack",
-    # If you don't specify 'env', this stack will be environment-agnostic.
-    # Account/Region-dependent features and context lookups will not work,
-    # but a single synthesized template can be deployed anywhere.
-
-    # Uncomment the next line to specialize this stack for the AWS Account
-    # and Region that are implied by the current CLI configuration.
-
-    env=core.Environment(
-        account=os.environ["CDK_DEFAULT_ACCOUNT"],
-        region=os.environ["CDK_DEFAULT_REGION"])
-
-    # Uncomment the next line if you know exactly what Account and Region you
-    # want to deploy the stack to. */
-
-    #env=core.Environment(account='XXXXXXXXXXX', region='us-east-1'),
-
-    # For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html
-    )
-
+app = cdk.App()
+# pass stage as input as needed
+pipeline_stack = PipelineStack(app, 
+                               "RTBPipelineStack",
+                                env=cdk.Environment(
+                                    account=os.environ["CDK_DEFAULT_ACCOUNT"],
+                                    region=os.environ["CDK_DEFAULT_REGION"]),
+                                    description="Guidance for Building a Real Time Bidder for Advertising on AWS (SO9111). Deploys AWS CodeBuild and CodePipeline that in turn deploys the CFN templates with infra and bidder application on EKS"
+                                )
+
+nag_suppressions = [
+        {
+            "id": "AwsSolutions-IAM5",
+            "reason": "AWS managed policies are allowed which sometimes uses * in the resources like - AWSGlueServiceRole has aws-glue-* . AWS Managed IAM policies have been allowed to maintain secured access with the ease of operational maintenance - however for more granular control the custom IAM policies can be used instead of AWS managed policies",
+        },
+        {
+            "id": "AwsSolutions-IAM4",
+            "reason": "AWS Managed IAM policies have been allowed to maintain secured access with the ease of operational maintenance - however for more granular control the custom IAM policies can be used instead of AWS managed policies",
+        },
+        {
+            "id": "AwsSolutions-S1",
+            "reason": "S3 Access Logs are enabled for all data buckets. This stack creates a access log bucket which doesnt have its own access log enabled.",
+        },
+        {
+            'id': 'AwsSolutions-KMS5',
+            'reason': 'For sample code key rotation is disabled. Customers are encouraged to enable this in their environment',
+        },
+    ]
+
+NagSuppressions.add_stack_suppressions(
+    pipeline_stack,
+    nag_suppressions,
+    apply_to_nested_stacks=True
+)
+cdk.Aspects.of(app).add(AwsSolutionsChecks())
 app.synth()
diff --git a/cdk/pipeline/cdk.context.json.example b/cdk/pipeline/cdk.context.json.example
@@ -0,0 +1,12 @@
+{
+    "dev": {
+        "REPO_BRANCH":"main",
+        "GITHUB_TOKEN_SECRET_ID": "rtbkit-github-token"
+    },
+    "shared": {
+        "ROOT_STACK_NAME": "aws-rtbkit",
+        "STACK_VARIANT": "DynamoDB",
+        "REPO_OWNER":"",
+        "REPO_NAME":""
+    }
+}
diff --git a/cdk/pipeline/cdk.json b/cdk/pipeline/cdk.json
@@ -1,25 +1,44 @@
 {
   "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "pipeline/__pycache__",
+      "tests",
+      ".venv",
+      "pipeline.egg-info"
+    ]
+  },
   "context": {
-    "dev": {
-      "AWS_ACCOUNT_ID": "<Provide AWS Account ID>",
-      "RTBKIT_ROOT_STACK_NAME": "<Provide Unique Stack name>",
-      "RTBKIT_VARIANT": "<DynamoDB/Aerospike>"
-    },
-
-    "@aws-cdk/core:newStyleStackSynthesis": true,
-    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
-    "@aws-cdk/core:enableStackNameDuplicates": "true",
-    "aws-cdk:enableDiffNoFail": "true",
-    "@aws-cdk/core:stackRelativeExports": "true",
-    "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
-    "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
-    "@aws-cdk/aws-kms:defaultKeyPolicies": true,
-    "@aws-cdk/aws-s3:grantWriteWithoutAcl": true,
-    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
-    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
-    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true,
-    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
-    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
   }
 }