import { Stack, StackProps } from 'aws-cdk-lib'; import { BuildEnvironment } from 'aws-cdk-lib/aws-codebuild'; import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; import * as pipelines from 'aws-cdk-lib/pipelines'; import { CodeBuildStep } from 'aws-cdk-lib/pipelines'; import { Construct } from 'constructs'; import { DatadogAlertType } from '../../../datadog'; import { INotification } from '../../../datadogv2'; export interface PipelineSchedulesProps { readonly mainPipeline?: string; readonly vulnerabilityPipeline?: string; } /** * @struct */ export interface PipelineStackProps extends StackProps { /** * The name of the service * - This has to be the same name as the repository as the s3 trigger file created by the bitbucket-integration uses this as a prefix * - The serviceName is available as an environment variable SERVICE_NAME in the CodeBuildStep * - The serviceName is available in the AppStackProps in the appStackFactory * - The serviceName is available as stackName property in the AppStackProps in the appStackFactory. I.e. the stack is named after the service * - The serviceName is handed over to all Datadog monitors * - RIO convention is that uploaded license-check-files are named after the service, i.e. serviceName.txt */ readonly serviceName: string; /** * Provider for appStack to be deployed. * * This acts as a wrapper for all resources you want to deploy via the pipeline. */ readonly appStackFactory: IAppStackFactory; /** * Defines which kind of pipeline is deployed. * * Use the features to combine different opinionated, RIO-specific pipeline features such as adding a branch pipeline or supporting Kafka. */ readonly features?: PipelineFeatures; /** * @deprecated Use the `features` property instead. For now, the pipeline types are mapped to the features. * Defines which kind of pipeline is deployed. */ readonly pipelineType?: PipelineType; /** * Defines how often the pipeline is triggered automatically. Is defined via a cron expression. * * See https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html * * Default values: * - main pipeline: cron(0 9 ? * 2#1 *) * - vulnerability pipeline: cron(0 5 ? * MON-FRI *) */ readonly pipelineSchedules?: PipelineSchedulesProps; /** * Path to secrets file containing encrypted secrets. * * The RioSecretsDeployStep is added prior to deployment of the AppStack if a path is provided. * * No secrets are deployed if no path is provided. */ readonly secretsDeployStepProps?: PipelineStackRioSecretsDeployStepProps; /** * CodeBuild options overriding the rio-specific defaults. */ readonly codeBuildOptions?: CodeBuildOptions; /** * If present, the capability monitoring deploy step is added to the pipeline. */ readonly monitoringDeployStepProps?: PipelineStackRioMonitoringDeployStepProps; /** * @deprecated Please use the `vulnerabilityNotification` property instead. * If `opsgenie` is specified, an Exception is thrown, as this is not supported anymore. */ readonly datadogAlertType?: DatadogAlertType; /** * Notification type for the auto-generated vulnerability pipeline monitor. Defaults to slack. */ readonly vulnerabilityNotification?: INotification; /** * CodePipeline PipelineType (V1 or V2). Defaults to V1. */ readonly codePipelineType?: codepipeline.PipelineType; } /** * Provider interface to create the AppStack within the specific scope * * Simply place the AppStack creation into the create-method: * @example * * // Use e.g. within ApplicationProps as JSONObject: * \{ create: (construct, props) =\> new Stack(construct, 'AppStack', props) \} * * // or simply as class interface within your stack implementation: * class PipelineStage extends Stage implements IAppStackFactory \{ * constructor(scope: Construct, id: string, props: StageProps) \{ * super(scope, id, props); * // your stage definition * \} * * create(scope: Construct, props: AppStackProps): void \{ * // app stack initiation goes in here * \} * \} */ export interface IAppStackFactory { /** * Factory method, being invoked with the specific scope during pipeline instantiation * * @param scope - The parent construct for the app stack * @param props - The app stacks properties */ create(scope: Construct, props: AppStackProps): void; } export interface AppStackProps extends StackProps { readonly serviceName: string; readonly version: string; } /** * Selected properties being handed over to RioSecretsDeployStep. * * @see rio.RioSecretsDeployStep * @see rio.RioSecretsDeployStepProps */ export interface PipelineStackRioSecretsDeployStepProps { readonly secretsFilePath: string; } export interface PipelineStackRioMonitoringDeployStepProps { /** * Map \{directory: filenames\} containing .jar or .zip files created in main build step to be uploaded to the monitoring-testsuite-runner bucket, e.g. * ``` * { * 'availability-monitoring/build/libs': ['foo-availability.jar'], * 'performance-monitoring/build/libs': ['api-check.zip', 'foo-performance.jar'], * } * ``` */ readonly monitoringArtifacts: { [directory: string]: string[]; }; } export interface PipelineFeatures { /** * Create a branch pipeline used by renovate. Defaults to `true`. */ readonly branchPipeline?: boolean; /** * Create a vulnerability pipeline to scan dependencies for vulnerabilities. Defaults to `true`. */ readonly vulnerabilityPipeline?: boolean; /** * Run a standard gradle build in the repository root. Defaults to `false`: * - build and test of the artifact via command "./gradlew clean build" * - license-check and upload of license-check-file via command "./gradlew checkLicenses" * - create a self-signed certificate to make TLS communication possible, e.g. with a loadbalancer * - build the container image via command "./gradlew jibBuildTar" */ readonly gradleBuild?: boolean; /** * Run a standard npm build in the repository root. Defaults to `false`: * - run linter via command "npm run lint" * - run tests via command "npm run test:ci" * - run a license check by calling the script "check-oss-licenses.sh" (from the RIO frontend template) * - build the artifact via command "npm run build" */ readonly npmBuild?: boolean; /** * Add required steps and permissions to support Kafka. Currently, this requires `gradleBuild` to be set to `true`. Defaults to `false`. */ readonly kafkaIntegration?: boolean; /** * S3 Bucket to deploy frontend to. Requires `npmBuild` to be set to `true`. If set, the output of the npm build is deployed to the provided bucket. */ readonly frontendBucketName?: string; /** * Additional build commands for main and branch pipeline. Will be added after all build & test commands, before the infrastructure build. Does not work with partialBuildspec. */ readonly additionalBuildCommands?: string[]; /** * If set to false, no Datadog monitors for main and vulnerability pipelines will be created. Defaults to true. */ readonly enablePipelineMonitors?: boolean; } export declare enum PipelineType { /** * Self-mutating codepipeline deploying the provided AppStack. Be aware: The provided service won't have access to Kafka. * * Comes with a pre-defined buildspec.yaml for a gradle project. This buildspec.yaml is used for both the main and * branch pipeline and includes the following steps * - build and test of the artifact via command "./gradlew clean build". *

This gradle command must be provided by the gradle project. * - license-check and upload of license-check-file via command "./gradlew checkLicenses". *

This gradle command must be provided by the gradle project. * - create a self-signed certificate to make TLS communication possible, e.g. with a loadbalancer. * - build the container image via command "./gradlew jibBuildTar". *

This gradle command must be provided by the gradle project. */ STANDARD_GRADLE = "STANDARD_GRADLE", /** * Self-mutating codepipeline deploying the provided AppStack with additional steps needed to access Kafka. * * Comes with a pre-defined buildspec.yaml for a gradle project. This buildspec.yaml is used for both the main and * branch pipeline and includes the following steps * - build and test of the artifact via command "./gradlew clean build". *

This gradle command must be provided by the gradle project. * - license-check and upload of license-check-file via command "./gradlew checkLicenses". *

This gradle command must be provided by the gradle project. * - create a self-signed certificate to make TLS communication possible, e.g. with a loadbalancer. * - request a certificate to authenticate against Kafka via mutual TLS * - build the container image via command "./gradlew jibBuildTar". *

This gradle command must be provided by the gradle project. */ STANDARD_GRADLE_KAFKA = "STANDARD_GRADLE_KAFKA", /** * Self-mutating codepipeline deploying the provided AppStack. * * Comes with a pre-defined buildspec.yaml to synthesize the AppStack. * No branch or vulnerability pipeline is created. */ STANDARD_INFRASTRUCTURE = "STANDARD_INFRASTRUCTURE" } /** * @param partialBuildSpecPath - Path to a custom build-spec file to use for the main and branch pipeline. * A pre-defined buildspec.yaml fitting the pipelineType is used if not provided. * @param vulnerabilityPartialBuildSpecPath - Path to a custom build-spec file to use for the vulnerability pipeline. * A pre-defined vulnerability buildspec.yaml fitting the pipelineType is used if not provided. * @param buildEnvironment - Custom CodeBuild build environment overriding the rio-specific defaults. The defaults are: * buildImage: AMAZON_LINUX_2_5 * computeType: LARGE */ export interface CodeBuildOptions { readonly partialBuildSpecPath?: string; readonly vulnerabilityPartialBuildSpecPath?: string; readonly buildEnvironment?: BuildEnvironment; } export declare class PipelineStack extends Stack { private readonly _features; private readonly _mainCodeBuildProject; private readonly _branchCodeBuildProject; private readonly _vulnerabilityCodeBuildProject; private readonly _bucket; private readonly _cacheBucket; private readonly _hostedZone; private readonly _inputMasterTriggerFile; private readonly _inputBranchTriggerFile; private readonly _ossLicensesBucketParameter; private readonly _ossLicensesBucket; private readonly _serviceKeystorePassword; private readonly _accountNameParameter; private readonly _teamIdentifierParameter; private readonly _nistDataMirrorUrl; private readonly _codePipelineType; constructor(scope: Construct, id: string, props: PipelineStackProps); get mainCodebuildProject(): pipelines.CodeBuildStep; get branchCodeBuildProject(): CodeBuildStep; get vulnerabilityCodeBuildProject(): CodeBuildStep; private parseFeatures; private createRioCodeBuildProject; private createMainCodeBuildProject; private createBranchCodeBuildProject; private createVulnerabilityBuildProject; private addMainPipeline; private addBranchPipeline; private addVulnerabilityPipeline; private createStripAssetsStep; private createCapabilityMonitoringDeployStep; private createSecretsDeployStep; private createDeployFrontendDeployStep; private grantPermissionsForKafkaIntegration; private loadBuildSpecFromFile; private tagCodeBuildProject; }