Add UI bucket and CDN

Makefile

@@ -34,19 +34,19 @@ dev: $(GRAPHQL_DEV) terraform-format terraform/environment/aws-dev/.apply terraf
 	@true
 
 terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terraform/module/iac-roles/*.tf
-	./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
+	AUTO_APPROVE=yes ./terraform/environment/aws-dev/deploy.sh $(ACCOUNT_ID) dev
 	touch $@
 
 terraform/environment/wildsea-dev/plan.tfplan: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf terraform/environment/wildsea-dev/.terraform $(GRAPHQL_JS)
 	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RO_ROLE) \
 		terraform plan -out=./plan.tfplan
 
 terraform/environment/wildsea-dev/.apply: terraform/environment/wildsea-dev/plan.tfplan $(GRAPHQL_JS)
-	cd terraform/environment/wildsea-dev ; ../../../scripts/run-as.sh $(RW_ROLE) \
-		terraform apply ./plan.tfplan ; \
-		status=$$? ; \
-		rm -f $< ; \
-		[ "$$status" -eq 0 ]
+	cd terraform/environment/wildsea-dev ; \
+	../../../scripts/run-as.sh $(RW_ROLE) \
+		terraform apply ./plan.tfplan || status=$$? ; \
+		rm -v ./plan.tfplan ; \
+		[ -z "$$status" ] || exit $$status
 	touch $@
 
 terraform/environment/wildsea-dev/.terraform: terraform/environment/wildsea-dev/*.tf terraform/module/wildsea/*.tf 

graphql/graphql.mk

@@ -24,17 +24,16 @@ graphql: $(GRAPHQL_JS) graphql-test
 .PHONY: graphql-test
 graphql-test: graphql/node_modules
 	if [ -z "$(IN_PIPELINE)" ] ; then \
-		docker run --rm -it --user $$(id -u):$$(id -g) -v $(PWD)/graphql:/app -w /app --entrypoint ./node_modules/jest/bin/jest.js node:20 \
+		docker run --rm -it --user $$(id -u):$$(id -g) -v $(PWD)/graphql:/app -w /app --entrypoint ./node_modules/jest/bin/jest.js node:20 ; \
 	else \
-		cd graphql && jest ; \
+		cd graphql && ./node_modules/jest/bin/jest.js ; \
 	fi
 
 # Won't auto-fix in pipeline
 .PHONY: graphql-eslint
 graphql-eslint: $(GRAPHQL_TS)
 	if [ -z "$(IN_PIPELINE)" ] ; then \
-		docker run --rm -it --user $$(id -u):$$(id -g) -v $(PWD)/graphql:/code pipelinecomponents/eslint eslint --fix
+		docker run --rm -it --user $$(id -u):$$(id -g) -v $(PWD)/graphql:/code pipelinecomponents/eslint eslint --fix ; \
 	else \
-		cd graphql && eslint ;:w
-		\
+		cd graphql && eslint ; \
 	fi

terraform/environment/aws/deploy.sh

@@ -42,6 +42,6 @@ terraform init \
     -backend-config="key=${ENVIRONMENT}/aws.tfstate" \
     -backend-config="region=${AWS_REGION}"
 
-terraform apply \
+terraform apply ${AUTO_APPROVE:+-auto-approve} \
     -var environment="${ENVIRONMENT}" \
     -var state_bucket="${STATE_BUCKET}"

terraform/environment/github/main.tf

@@ -88,6 +88,25 @@ resource "github_repository_ruleset" "ruleset" {
         #                github_repository_environment.ro.id
       ]
     }
+    required_status_checks {
+      strict_required_status_checks_policy = true
+      # The following are untested
+      #required_check {
+      #  context = "Codacy Static Code Analysis"
+      #}
+      required_check {
+        context = "CodeQL / Analyze (javascript-typescript) (dynamic)"
+      }
+      required_check {
+        context = "Environment Main - Plan / Environment Main - Plan (pull_request)"
+      }
+      required_check {
+        context = "Code scanning results / CodeQL"
+      }
+      required_check {
+        context = "SonarCloud Code Analysis"
+      }
+    }
   }
 
   conditions {

terraform/module/iac-roles/policy.tf

@@ -5,17 +5,20 @@ data "aws_iam_policy_document" "ro" {
       "s3:GetObject"
     ]
     resources = [
-      "${var.state_bucket_arn}/${var.environment}/terraform.tfstate"
+      "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
     ]
   }
 
   statement {
     sid = "ListState"
     actions = [
-      "s3:ListBucket"
+      "s3:ListBucket",
+      "s3:GetBucket*",
+      "s3:Get*Configuration",
     ]
     resources = [
-      var.state_bucket_arn
+      var.state_bucket_arn,
+      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-ui",
     ]
   }
 
@@ -43,12 +46,17 @@ data "aws_iam_policy_document" "ro" {
   }
 
   statement {
-    sid = "CognitoIdpGlobal"
+    sid = "Global"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
       "wafv2:GetWebACLForResource",
       "wafv2:GetWebAcl",
       "appsync:GetResolver",
+      "cloudfront:List*",
+      "cloudfront:Get*Policy",
+      "cloudfront:GetDistribution",
+      "cloudfront:GetOriginAccessControl",
+      "iam:SimulatePrincipalPolicy",
     ]
     resources = [
       "*"
@@ -157,9 +165,11 @@ data "aws_iam_policy_document" "rw" {
       "dynamodb:TagResource",
       "dynamodb:UntagResource",
       "dynamodb:Update*",
+      "s3:Put*Configuration",
     ]
     resources = [
-      "arn:${data.aws_partition.current.id}:dynamodb:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:table/${var.app_name}-${var.environment}"
+      "arn:${data.aws_partition.current.id}:dynamodb:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:table/${var.app_name}-${var.environment}",
+      "arn:${data.aws_partition.current.id}:s3:::${lower(local.prefix)}-*",
     ]
   }
 
@@ -188,7 +198,7 @@ data "aws_iam_policy_document" "rw" {
   }
 
   statement {
-    sid = "CognitoIdentityGlobal"
+    sid = "Global"
     actions = [
       "cognito-identity:CreateIdentityPool",
       "cognito-identity:SetIdentityPoolRoles",
@@ -198,6 +208,13 @@ data "aws_iam_policy_document" "rw" {
       "appsync:DeleteResolver",
       "appsync:UpdateResolver",
       "appsync:SetWebACL",
+      "s3:CreateBucket",
+      "cloudfront:CreateOriginAccessControl",
+      "cloudfront:DeleteOriginAccessControl",
+      "cloudfront:CreateDistribution*",
+      "cloudfront:UpdateDistribution",
+      "cloudfront:DeleteDistribution",
+      "cloudfront:TagResource",
     ]
     resources = [
       "*"
@@ -254,7 +271,7 @@ data "aws_iam_policy_document" "rw" {
       "appsync:UntagResource",
     ]
     resources = [
-      "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
+      "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*",
     ]
     condition {
       test     = "StringEquals"
@@ -270,9 +287,12 @@ data "aws_iam_policy_document" "rw" {
       "logs:TagResource",
       "logs:UntagResource",
       "logs:PutRetentionPolicy",
+      "s3:DeleteBucket",
+      "s3:PutBucket*",
     ]
     resources = [
-      "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
+      "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*",
+      "arn:${data.aws_partition.current.id}:s3:::${lower(local.prefix)}-*",
     ]
   }
 
@@ -335,18 +355,21 @@ data "aws_iam_policy_document" "rw_boundary" {
     ]
     resources = [
       "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
-      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-*/*"
+      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-*/*",
     ]
   }
 
   statement {
     sid = "ListState"
     actions = [
-      "s3:ListBucket"
+      "s3:ListBucket",
+      "s3:GetBucket*",
+      "s3:Get*Configuration",
+      "s3:Put*Configuration",
     ]
     resources = [
       "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
-      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-*/*"
+      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-*",
     ]
   }
 
@@ -397,6 +420,18 @@ data "aws_iam_policy_document" "rw_boundary" {
       "appsync:DeleteResolver",
       "appsync:UpdateResolver",
       "appsync:GetResolver",
+      "s3:CreateBucket",
+      "cloudfront:List*",
+      "cloudfront:Get*Policy",
+      "cloudfront:CreateOriginAccessControl",
+      "cloudfront:GetOriginAccessControl",
+      "cloudfront:DeleteOriginAccessControl",
+      "cloudfront:CreateDistribution*",
+      "cloudfront:UpdateDistribution",
+      "cloudfront:DeleteDistribution",
+      "cloudfront:TagResource",
+      "cloudfront:GetDistribution",
+      "iam:SimulatePrincipalPolicy",
     ]
     resources = [
       "*"
@@ -487,7 +522,7 @@ data "aws_iam_policy_document" "rw_boundary" {
       "appsync:GetGraphqlApi",
     ]
     resources = [
-      "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"
+      "arn:${data.aws_partition.current.id}:appsync:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*",
     ]
     condition {
       test     = "StringEquals"
@@ -505,9 +540,12 @@ data "aws_iam_policy_document" "rw_boundary" {
       "logs:PutRetentionPolicy",
       "logs:DescribeLogGroups",
       "logs:ListTagsForResource",
+      "s3:DeleteBucket",
+      "s3:PutBucket*",
     ]
     resources = [
-      "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
+      "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*",
+      "arn:${data.aws_partition.current.id}:s3:::${lower(local.prefix)}-*",
     ]
   }
 

terraform/module/iac-roles/sim.tf

@@ -0,0 +1,20 @@
+# Doesn't work yet - TODO
+# data "aws_iam_principal_policy_simulation" "state_read" {
+#   action_names = [
+#     "s3:GetObject"
+#   ]
+#   policy_source_arn = aws_iam_role.ro.arn
+#   resource_arns = [
+#     "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
+#   ]
+#   #resource_policy_json = data.aws_iam_policy_document.ro.json
+# 
+#   depends_on = [aws_iam_policy.ro]
+# 
+#   lifecycle {
+#     postcondition {
+#       condition     = self.all_allowed
+#       error_message = "state_read check failed: ${jsonencode(self.results)}"
+#     }
+#   }
+# }