Dev -> Val

.env.tpl

@@ -40,5 +40,3 @@ COGNITO_USER_POOL_CLIENT_ID=op://mdct_devs/seds_secrets/COGNITO_USER_POOL_CLIENT
 COGNITO_USER_POOL_CLIENT_DOMAIN=placeholder
 COGNITO_REDIRECT_SIGNIN=http://localhost:3000/
 COGNITO_REDIRECT_SIGNOUT=http://localhost:3000/
-S3_LOCAL_ENDPOINT=http://localhost:4569
-S3_ATTACHMENTS_BUCKET_NAME=op://mdct_devs/seds_secrets/S3_ATTACHMENTS_BUCKET_NAME

.github/workflows/post-deploy-slack-notification.yml

@@ -8,7 +8,6 @@ on:
       - 'master'
       - 'val'
       - 'production'
-      - 'snyk-**'
 
 jobs:
   notify_on_failure:
@@ -24,20 +23,6 @@ jobs:
           MSG_MINIMAL: true
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
-  # Notify the integrations channel only when a Snyk auto merge fails
-  notify_failed_snyk_auto_merge:
-    runs-on: ubuntu-latest
-    #only check branch names that begin with snyk-
-    if: ${{ github.event.workflow_run.conclusion == 'failure' && startsWith(github.event.workflow_run.head_branch, 'snyk-') }}
-    steps:
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@v2
-        env:
-          SLACK_TITLE: ":boom: A Synk auto merge has failed in ${{ github.repository }}"
-          SLACK_MESSAGE: "${{ github.event.workflow_run.html_url }}"
-          MSG_MINIMAL: true
-          SLACK_WEBHOOK: ${{ secrets.INTEGRATIONS_SLACK_WEBHOOK }}
-
   # Sends a slack message to the mdct-prod-releases channel in CMS slack
   notify_on_prod_release:
     runs-on: ubuntu-latest

.github/workflows/pull-request.yml

@@ -42,19 +42,3 @@ jobs:
       - name: run eslint
         working-directory: services/ui-src
         run: npx eslint .
-
-  #Notify the integrations channel only when a Snyk auto merge fails pr checks
-  notify_on_pr_failure:
-    runs-on: ubuntu-latest
-    needs: 
-      - prettier
-      - eslint
-    #only check branch names that begin with snyk-
-    if: ${{ failure() && startsWith(github.head_ref, 'snyk-') }}
-    steps:
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@v2
-        env:
-          SLACK_TITLE: ":boom: A Synk auto merge has failed pull request checks in ${{ github.repository }}."
-          MSG_MINIMAL: true
-          SLACK_WEBHOOK: ${{ secrets.INTEGRATIONS_SLACK_WEBHOOK }}

.gitignore

@@ -7,7 +7,6 @@ testcafe_results
 .DS_Store
 build_dev
 tsconfig.tsbuildinfo
-services/uploads/local_buckets
 /.env
 tests_output
 *.log

README.md

@@ -75,7 +75,7 @@ See the Requirements section if the command asks for any prerequisites you don't
 
 Local dev is configured in typescript project in [src/](src/). The entrypoint is [src/run.ts](src/run.ts), it manages running the moving pieces locally: the API, the database, the file storage, and the frontend.
 
-Local dev is built around the Serverless plugin [`serverless-offline`](https://github.com/dherault/serverless-offline). This plugin runs an API gateway locally configured by `./services/app-api/serverless.yml` and hot reloads your lambdas on every file save. The plugins [`serverless-dynamodb-local`](https://github.com/99x/serverless-dynamodb-local) and [`serverless-s3-local`](https://github.com/ar90n/serverless-s3-local) stand up the local Database and S3 buckets in a similar fashion.
+Local dev is built around the Serverless plugin [`serverless-offline`](https://github.com/dherault/serverless-offline). This plugin runs an API gateway locally configured by `./services/app-api/serverless.yml` and hot reloads your lambdas on every file save. The plugin [`serverless-dynamodb-local`](https://github.com/99x/serverless-dynamodb-local) stands up the local Database in a similar fashion.
 
 Local authentication bypasses Cognito. The frontend mimics login in local storage with a mock user and sends an id in the `cognito-identity-id` header on every request. `serverless-offline` expects that and sets it as the cognitoId in the requestContext for your lambdas, just like Cognito would in AWS.
 

nightwatch/.gitignore

@@ -7,7 +7,6 @@ testcafe_results
 .DS_Store
 build_dev
 tsconfig.tsbuildinfo
-services/uploads/local_buckets
 /.env
 tests_output
 *.log

nightwatch/package.json

@@ -11,7 +11,6 @@
     "chromedriver": ">=88.0.0",
     "dotenv": "^8.2.0",
     "nightwatch": "^1.5.1",
-    "serverless-s3-bucket-helper": "github:Enterprise-CMCS/serverless-s3-bucket-helper",
     "yargs": "^16.1.1"
   }
 }

package.json

@@ -38,14 +38,13 @@
     "dotenv": "^8.2.0",
     "nightwatch": "3.1.2",
     "prettier": "2.2.1",
-    "serverless": "^3.38.0",
+    "serverless": "^3.39.0",
     "serverless-bundle": "^6.0.0",
     "serverless-dotenv-plugin": "^4.0.0",
     "serverless-iam-helper": "github:Enterprise-CMCS/serverless-iam-helper",
     "serverless-offline": "^13.5.0",
     "serverless-online": "Enterprise-CMCS/macpro-serverless-online",
     "serverless-plugin-scripts": "^1.0.2",
-    "serverless-s3-bucket-helper": "github:Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1",
     "serverless-stack-termination-protection": "^2.0.2",
     "typescript": "^4.0.5",
     "yargs": "^16.1.1"

serverless-compose.yml

@@ -2,8 +2,6 @@ services:
   # wave 1: no dependencies
   database:
     path: services/database
-  uploads:
-    path: services/uploads
   stream-functions:
     path: services/stream-functions
   ui-waflog-s3-bucket:
@@ -60,15 +58,14 @@ services:
       StateFormsTableStreamArn: ${database.StateFormsTableStreamArn}
       AuthUserRolesTableStreamArn: ${database.AuthUserRolesTableStreamArn}
 
-  # depends on app-api, ui, and uploads
+  # depends on app-api and ui
   ui-auth:
     path: services/ui-auth
     params:
-      AttachmentsBucketArn: ${uploads.AttachmentsBucketArn}
       ApiGatewayRestApiName: ${app-api.ApiGatewayRestApiName}
       ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}
 
-  # depends on app-api, ui, ui-auth, and uploads,
+  # depends on app-api, ui, and ui-auth
   ui-src:
     path: services/ui-src
     params:
@@ -79,8 +76,5 @@ services:
       UserPoolId: ${ui-auth.UserPoolId}
       UserPoolClientId: ${ui-auth.UserPoolClientId}
       UserPoolClientDomain: ${ui-auth.UserPoolClientDomain}
-      AttachmentsBucketRegion: ${uploads.Region}
-      AttachmentsBucketName: ${uploads.AttachmentsBucketName}
-      S3BucketName: ${ui.S3BucketName}
       CloudFrontDistributionId: ${ui.CloudFrontDistributionId}
       ApplicationEndpointUrl: ${ui.ApplicationEndpointUrl}

services/app-api/serverless.yml

@@ -6,7 +6,6 @@ package:
   individually: true
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-bundle
   - serverless-dotenv-plugin
   - serverless-offline

services/data-deployment/serverless.yml

@@ -3,7 +3,6 @@ service: data-deployment
 frameworkVersion: "3"
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-dynamodb-seed
   - serverless-stack-termination-protection
 

services/database/serverless.yml

@@ -3,7 +3,6 @@ service: database
 frameworkVersion: "3"
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-dynamodb
   - serverless-stack-termination-protection
 custom:

services/stream-functions/serverless.yml

@@ -6,7 +6,6 @@ package:
   individually: true
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-dotenv-plugin
   - serverless-stack-termination-protection
 

services/ui-auth/serverless.yml

@@ -3,11 +3,11 @@ service: ui-auth
 frameworkVersion: "3"
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-stack-termination-protection
   - serverless-plugin-scripts
   - serverless-bundle
   - serverless-iam-helper
+  - "@enterprise-cmcs/serverless-waf-plugin"
 
 provider:
   name: aws
@@ -31,6 +31,11 @@ custom:
   project: "seds"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
+  wafPlugin:
+    name: ${self:service}-${self:custom.stage}-webacl-waf
+  wafExcludeRules:
+    awsCommon:
+      - "SizeRestrictions_BODY"
   iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
   iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   serverlessTerminationProtection:
@@ -43,7 +48,6 @@ custom:
       - impl
       - val
       - prod
-  attachments_bucket_arn: ${param:AttachmentsBucketArn}
   api_gateway_rest_api_name: ${param:ApiGatewayRestApiName}
   application_endpoint_url: ${param:ApplicationEndpointUrl}
   bootstrapUsersEnabled: ${ssm:/configuration/${self:custom.stage}/cognito/bootstrapUsers/enabled, ssm:/configuration/default/cognito/bootstrapUsers/enabled, ""}
@@ -139,6 +143,18 @@ resources:
             AttributeDataType: String
             Mutable: true
             Required: false
+        UserPoolAddOns:
+          AdvancedSecurityMode: ENFORCED
+        UserPoolTags:
+          Name: ${self:custom.stage}-user-pool
+
+    # Associate the WAF Web ACL with the Cognito User Pool
+    CognitoUserPoolWAFAssociation:
+      Type: 'AWS::WAFv2::WebACLAssociation'
+      Properties:
+        ResourceArn: !GetAtt CognitoUserPool.Arn
+        WebACLArn: !GetAtt WafPluginAcl.Arn
+
     CognitoUserPoolClient:
       Type: AWS::Cognito::UserPoolClient
       Properties:
@@ -248,16 +264,6 @@ resources:
                   Action:
                     - "execute-api:Invoke"
                   Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${self:custom.api_gateway_rest_api_name}/*
-                - Effect: "Allow"
-                  Action:
-                    - "s3:*"
-                  Resource:
-                    # Must use Join here.  See: https://github.com/serverless/serverless/issues/3565
-                    - Fn::Join:
-                        - ""
-                        - - ${self:custom.attachments_bucket_arn}/private/
-                          - "$"
-                          - "{cognito-identity.amazonaws.com:sub}/*"
     CognitoUserPoolIdParameter:
       Type: AWS::SSM::Parameter
       Properties:

services/ui-src/.env

@@ -9,7 +9,4 @@ COGNITO_USER_POOL_CLIENT_ID=placeholder
 COGNITO_USER_POOL_CLIENT_DOMAIN=placeholder
 COGNITO_REDIRECT_SIGNIN=placeholder
 COGNITO_REDIRECT_SIGNOUT=placeholder
-S3_LOCAL_ENDPOINT=http://localhost:4569
-S3_ATTACHMENTS_BUCKET_REGION=us-east-1
-S3_ATTACHMENTS_BUCKET_NAME=local-uploads
 STAGE=placeholder

services/ui-src/index.html

@@ -5,11 +5,6 @@
   <meta charset="utf-8" />
   <link rel="icon" href="/favicon.ico" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <!--
-      manifest.json provides metadata used when your web app is installed on a
-      user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
-    -->
-  <link rel="manifest" href="/manifest.json" />
   <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
   <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32" />
   <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16" />