New: [AEA-6254] - RestApiGateway construct #547
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-6254
Pull request overview
Adds a new AWS CDK construct (RestApiGateway) to standardize provisioning of an API Gateway REST API (custom domain, logging/subscriptions, optional mTLS), plus a small helper construct for wiring Lambda-backed resources.
Changes:
- Introduces RestApiGateway construct with access logging, Splunk/optional CSOC log forwarding, custom domain + Route53 record, and optional mTLS truststore deployment.
- Adds LambdaEndpoint construct and shared access log format helper.
- Adds Vitest-based CDK assertions tests for the new constructs and minor repo/tooling config updates.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| sonar-project.properties | Adds Sonar exclusions for specific vitest config files |
| packages/cdkConstructs/tests/constructs/RestApiGateway/LambdaEndpoint.test.ts | New tests for LambdaEndpoint construct |
| packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts | New tests for RestApiGateway behavior (mTLS / CSOC logs) |
| packages/cdkConstructs/src/index.ts | Exports the new constructs/helpers from the package entrypoint |
| packages/cdkConstructs/src/constructs/RestApiGateway/accessLogFormat.ts | Defines a custom API Gateway access log JSON format |
| packages/cdkConstructs/src/constructs/RestApiGateway/LambdaEndpoint.ts | Adds helper construct to attach Lambda integrations to API resources |
| packages/cdkConstructs/src/constructs/RestApiGateway.ts | Implements the new RestApiGateway construct |
| .trivyignore.yaml | Adds a new CVE ignore entry (time-bounded) |
| .gitignore | Ignores *.tgz artifacts |
| .devcontainer/Dockerfile | Installs git-secrets in the devcontainer |
| if (props.forwardCsocLogs) { | ||
| new CfnSubscriptionFilter(this, "ApiGatewayAccessLogsCSOCSubscriptionFilter", { | ||
| destinationArn: props.csocApiGatewayDestination, | ||
| filterPattern: "", | ||
| logGroupName: logGroup.logGroupName, | ||
| roleArn: splunkSubscriptionFilterRole.roleArn | ||
| }) | ||
| } |
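Review bot: the CSOC filter's roleArn reuses splunkSubscriptionFilterRole.roleArn, which ties the CSOC path to a role named for Splunk delivery; a later tightening of that role can silently break CSOC forwarding, and broadening it for CSOC also widens the Splunk path. Suggest a dedicated role scoped to props.csocApiGatewayDestination, or omitting roleArn if the destination is a cross-account CloudWatch Logs destination, where AWS does not require one.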
forwardCsocLogs can be set to true while csocApiGatewayDestination is an empty string (as in tests). That will synthesize a SubscriptionFilter with an invalid/empty DestinationArn and fail deployment. Consider making csocApiGatewayDestination optional unless forwardCsocLogs is true, and throw an explicit error when forwardCsocLogs is true but the destination ARN is missing/blank.
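One way to implement the check suggested in the comment above, shown as an added example that is not code from this PR. The function name resolveCsocDestination and the CsocLogProps interface are hypothetical; only the two property names come from the page, and the ARN in the usage comment is constructed.

```typescript
// Added example: hypothetical synth-time guard, not the project's own code.
// Property names follow the review comment; the interface shape is an assumption.
interface CsocLogProps {
  forwardCsocLogs: boolean
  // Optional: only required when forwardCsocLogs is true.
  csocApiGatewayDestination?: string
}

// Returns the destination ARN to pass to the subscription filter, or
// undefined when forwarding is disabled. Throws during synthesis rather
// than letting an empty DestinationArn reach CloudFormation and fail deploy.
function resolveCsocDestination(props: CsocLogProps): string | undefined {
  if (!props.forwardCsocLogs) {
    return undefined
  }
  const arn = (props.csocApiGatewayDestination ?? "").trim()
  if (arn === "") {
    throw new Error(
      "csocApiGatewayDestination must be set when forwardCsocLogs is true"
    )
  }
  // CDK string tokens appear as "${Token[...]}" placeholders at synth time,
  // so only literal values get a shape check here. Inside a real construct,
  // Token.isUnresolved(arn) from aws-cdk-lib is the proper test.
  const isToken = arn.includes("${Token[")
  if (!isToken && !arn.startsWith("arn:")) {
    throw new Error(`csocApiGatewayDestination is not an ARN: ${arn}`)
  }
  return arn
}

// Usage inside the construct (constructed ARN, for illustration only):
//   const dest = resolveCsocDestination(props)
//   if (dest !== undefined) { /* create the CSOC subscription filter */ }
//   e.g. "arn:aws:logs:eu-west-2:111111111111:destination:example-csoc"
```

With this guard the test case the comment mentions (forwardCsocLogs true with an empty destination) fails at synth with a clear message instead of at deployment.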
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary
Details
Add a new CDK construct for API Gateway