Additional CloudFormation listener to capture resources from the

tenant-onboarding-app.yaml stack that is run a variable number of times
based on what application services have been configured

Author: brtrvn

functions/onboarding-app-stack-listener/pom.xml

@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License").
+You may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.amazon.aws.partners.saasfactory.saasboost</groupId>
+        <artifactId>saasboost-functions</artifactId>
+        <version>1.0.0</version>
+    </parent>
+    <artifactId>OnboardingAppStackListener</artifactId>
+    <version>1.0.0</version>
+    <packaging>jar</packaging>
+    <licenses>
+        <license>
+            <name>Apache-2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0</url>
+        </license>
+    </licenses>
+
+    <properties>
+        <checkstyle.maxAllowedViolations>50</checkstyle.maxAllowedViolations>
+    </properties>
+
+    <build>
+        <finalName>${project.artifactId}</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <environmentVariables>
+                        <AWS_REGION>us-east-1</AWS_REGION>
+                        <SAAS_BOOST_ENV>test</SAAS_BOOST_ENV>
+                    </environmentVariables>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>pl.project13.maven</groupId>
+                <artifactId>git-commit-id-plugin</artifactId>
+                <version>4.0.0</version>
+                <executions>
+                    <execution>
+                        <id>get-the-git-infos</id>
+                        <goals>
+                            <goal>revision</goal>
+                        </goals>
+                        <phase>initialize</phase>
+                    </execution>
+                </executions>
+                <configuration>
+                    <generateGitPropertiesFile>true</generateGitPropertiesFile>
+                    <generateGitPropertiesFilename>${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
+                    <includeOnlyProperties>
+                        <includeOnlyProperty>^git.commit.id.describe</includeOnlyProperty>
+                        <includeOnlyProperty>^git.commit.id.describe-short</includeOnlyProperty>
+                        <includeOnlyProperty>^git.commit.time</includeOnlyProperty>
+                        <includeOnlyProperty>^git.closest.tag.name</includeOnlyProperty>
+                    </includeOnlyProperties>
+                    <commitIdGenerationMode>full</commitIdGenerationMode>
+                    <dotGitDirectory>../../.git</dotGitDirectory>
+                    <failOnNoGitDirectory>false</failOnNoGitDirectory>                    
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-nop</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.amazon.aws.partners.saasfactory.saasboost</groupId>
+            <artifactId>Utils</artifactId>
+            <version>1.0.0</version>
+            <!-- Don't bundle our layer so we get the shared one at runtime -->
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.amazon.aws.partners.saasfactory.saasboost</groupId>
+            <artifactId>CloudFormationUtils</artifactId>
+            <version>1.0.0</version>
+            <!-- Don't bundle our layer so we get the shared one at runtime -->
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>cloudformation</artifactId>
+            <version>${aws.java.sdk.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>netty-nio-client</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>apache-client</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>eventbridge</artifactId>
+            <version>${aws.java.sdk.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>netty-nio-client</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>software.amazon.awssdk</groupId>
+                    <artifactId>apache-client</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+    </dependencies>
+
+</project>

functions/onboarding-app-stack-listener/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/OnboardingAppStackListener.java

@@ -0,0 +1,172 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.amazon.aws.partners.saasfactory.saasboost;
+
+import com.amazonaws.services.lambda.runtime.Context;
+import com.amazonaws.services.lambda.runtime.RequestHandler;
+import com.amazonaws.services.lambda.runtime.events.SNSEvent;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.core.exception.SdkServiceException;
+import software.amazon.awssdk.services.cloudformation.CloudFormationClient;
+import software.amazon.awssdk.services.cloudformation.model.*;
+import software.amazon.awssdk.services.cloudformation.model.Stack;
+import software.amazon.awssdk.services.eventbridge.EventBridgeClient;
+
+import java.util.*;
+import java.util.regex.Pattern;
+
+public class OnboardingAppStackListener implements RequestHandler<SNSEvent, Object> {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(OnboardingAppStackListener.class);
+    private static final String AWS_REGION = System.getenv("AWS_REGION");
+    private static final String SAAS_BOOST_ENV = System.getenv("SAAS_BOOST_ENV");
+    private static final String SAAS_BOOST_EVENT_BUS = System.getenv("SAAS_BOOST_EVENT_BUS");
+    private static final String UPDATE_TENANT_RESOURCES = "Tenant Update Resources";
+    private static final String EVENT_SOURCE = "saas-boost";
+    private static final Pattern STACK_NAME_PATTERN = Pattern
+            .compile("^sb-" + SAAS_BOOST_ENV + "-tenant-[a-z0-9]{8}-app-.+-.+$");
+    private static final Collection<String> EVENTS_OF_INTEREST = Collections.unmodifiableCollection(
+            Arrays.asList("CREATE_COMPLETE", "UPDATE_COMPLETE"));
+    private final CloudFormationClient cfn;
+    private final EventBridgeClient eventBridge;
+
+    public OnboardingAppStackListener() {
+        final long startTimeMillis = System.currentTimeMillis();
+        if (Utils.isBlank(AWS_REGION)) {
+            throw new IllegalStateException("Missing required environment variable AWS_REGION");
+        }
+        if (Utils.isBlank(SAAS_BOOST_EVENT_BUS)) {
+            throw new IllegalStateException("Missing required environment variable SAAS_BOOST_EVENT_BUS");
+        }
+        this.cfn = Utils.sdkClient(CloudFormationClient.builder(), CloudFormationClient.SERVICE_NAME);
+        this.eventBridge = Utils.sdkClient(EventBridgeClient.builder(), EventBridgeClient.SERVICE_NAME);
+        LOGGER.info("Constructor init: {}", System.currentTimeMillis() - startTimeMillis);
+    }
+
+    @Override
+    public Object handleRequest(SNSEvent event, Context context) {
+        LOGGER.info(Utils.toJson(event));
+
+        List<SNSEvent.SNSRecord> records = event.getRecords();
+        SNSEvent.SNS sns = records.get(0).getSNS();
+        String message = sns.getMessage();
+
+        CloudFormationEvent cloudFormationEvent = CloudFormationEventDeserializer.deserialize(message);
+
+        // CloudFormation sends SNS notifications for every resource in a stack going through each status change.
+        // We want to process the resources of the tenant-onboarding-app.yaml CloudFormation stack only after the
+        // stack has finished being created or updated so we don't trigger anything downstream prematurely.
+        if (filter(cloudFormationEvent)) {
+            String stackName = cloudFormationEvent.getStackName();
+            String stackStatus = cloudFormationEvent.getResourceStatus();
+            LOGGER.info("Stack " + stackName + " is in status " + stackStatus);
+
+            // We need to get the tenant and the application service this stack was run for
+            String tenantId = null;
+            String serviceName = null;
+            try {
+                DescribeStacksResponse stacks = cfn.describeStacks(req -> req
+                        .stackName(cloudFormationEvent.getStackId())
+                );
+                Stack stack = stacks.stacks().get(0);
+                for (Parameter parameter : stack.parameters()) {
+                    if ("TenantId".equals(parameter.parameterKey())) {
+                        tenantId = parameter.parameterValue();
+                    }
+                    if ("ServiceName".equals(parameter.parameterKey())) {
+                        serviceName = parameter.parameterValue();
+                    }
+                }
+            } catch (SdkServiceException cfnError) {
+                LOGGER.error("cfn:DescribeStacks error", cfnError);
+                LOGGER.error(Utils.getFullStackTrace(cfnError));
+                throw cfnError;
+            }
+
+            // We use these to build the ARN of the resources we're interested in if we don't
+            // get the ARN straight from the CloudFormation physical resource id
+            final String[] lambdaArn = context.getInvokedFunctionArn().split(":");
+            final String partition = lambdaArn[1];
+            final String accountId = lambdaArn[4];
+
+            // We're looking for CodePipeline repository resources in a CREATE_COMPLETE state. There could be
+            // multiple pipelines provisioned depending on how the application services are configured.
+            try {
+                ListStackResourcesResponse resources = cfn.listStackResources(req -> req
+                        .stackName(cloudFormationEvent.getStackId())
+                );
+                for (StackResourceSummary resource : resources.stackResourceSummaries()) {
+//                    LOGGER.debug("Processing resource {} {} {} {}", resource.resourceType(),
+//                            resource.resourceStatusAsString(), resource.logicalResourceId(),
+//                            resource.physicalResourceId());
+                    if ("CREATE_COMPLETE".equals(resource.resourceStatusAsString())) {
+                        if ("AWS::CodePipeline::Pipeline".equals(resource.resourceType())) {
+                            String codePipeline = resource.physicalResourceId();
+                            // The resources collection on the tenant object is Map<String, Resource>
+                            // so we need a unique key per service code pipeline. We'll prefix the
+                            // key with SERVICE_ and suffix it with _CODE_PIPELINE so we can find
+                            // all of the tenant's code pipelines later on by looking for that pattern.
+                            String key = serviceNameResourceKey(serviceName, AwsResource.CODE_PIPELINE.name());
+                            LOGGER.info("Publishing update tenant resources event for tenant {} {} {}", tenantId,
+                                    key, codePipeline);
+
+                            Map<String, Object> tenantResource = new HashMap<>();
+                            tenantResource.put(key, Map.of(
+                                    "name", codePipeline,
+                                    "arn", AwsResource.CODE_PIPELINE.formatArn(partition, AWS_REGION, accountId,
+                                            codePipeline),
+                                    "consoleUrl", AwsResource.CODE_PIPELINE.formatUrl(AWS_REGION, codePipeline)
+                            ));
+
+                            // The update tenant resources API call is additive, so we don't need to pull the
+                            // current tenant object ourselves.
+                            Utils.publishEvent(eventBridge, SAAS_BOOST_EVENT_BUS, EVENT_SOURCE,
+                                    UPDATE_TENANT_RESOURCES,
+                                    Map.of("tenantId", tenantId, "resources", Utils.toJson(tenantResource))
+                            );
+                        }
+                    }
+                }
+            } catch (SdkServiceException cfnError) {
+                LOGGER.error("cfn:ListStackResources error", cfnError);
+                LOGGER.error(Utils.getFullStackTrace(cfnError));
+                throw cfnError;
+            }
+        }
+        return null;
+    }
+
+    protected static String serviceNameResourceKey(String serviceName, String resourceType) {
+        if (Utils.isBlank(serviceName)) {
+            throw new IllegalArgumentException("Service name must not be blank");
+        }
+        if (Utils.isBlank(resourceType)) {
+            throw new IllegalArgumentException("Resource type must not be blank");
+        }
+        return "SERVICE_"
+                + serviceName.toUpperCase().replaceAll("\\s+", "_")
+                + "_"
+                + resourceType;
+    }
+
+    protected static boolean filter(CloudFormationEvent cloudFormationEvent) {
+        return ("AWS::CloudFormation::Stack".equals(cloudFormationEvent.getResourceType())
+                && STACK_NAME_PATTERN.matcher(cloudFormationEvent.getStackName()).matches()
+                && EVENTS_OF_INTEREST.contains(cloudFormationEvent.getResourceStatus()));
+    }
+}

functions/onboarding-app-stack-listener/src/main/resources/lambda-assembly.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License").
+You may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.0.0 http://maven.apache.org/xsd/assembly-2.0.0.xsd">
+    <id>lambda</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <fileSets>
+        <fileSet>
+            <outputDirectory></outputDirectory>
+            <directory>${project.build.outputDirectory}</directory>
+            <includes>
+                <include>com/amazon/aws/partners/saasfactory/**</include>
+                <include>log4j2.xml</include>
+                <include>git.properties</include>
+            </includes>
+        </fileSet>
+    </fileSets>
+    <dependencySets>
+        <dependencySet>
+            <useProjectArtifact>false</useProjectArtifact>
+            <useTransitiveDependencies>true</useTransitiveDependencies>
+            <outputDirectory>lib</outputDirectory>
+        </dependencySet>
+    </dependencySets>
+</assembly>

functions/onboarding-app-stack-listener/src/main/resources/log4j2.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License").
+You may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<Configuration status="WARN">
+    <Appenders>
+        <Lambda name="Lambda">
+            <PatternLayout>
+                <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} %X{AWSRequestId} %-5p %C{1} - %m%n</pattern>
+            </PatternLayout>
+        </Lambda>
+    </Appenders>
+    <Loggers>
+        <Root level="INFO">
+            <AppenderRef ref="Lambda"/>
+        </Root>
+        <Logger name="software.amazon.awssdk" level="WARN"/>
+        <Logger name="software.amazon.awssdk.request" level="INFO"/>
+        <Logger name="com.amazon.aws.partners.saasfactory" level="DEBUG"/>
+    </Loggers>
+</Configuration>