CMDCT-4247 - v4 serverless upgrade

.env.tpl

@@ -40,3 +40,5 @@ COGNITO_USER_POOL_CLIENT_ID=op://mdct_devs/seds_secrets/COGNITO_USER_POOL_CLIENT
 COGNITO_USER_POOL_CLIENT_DOMAIN=placeholder
 COGNITO_REDIRECT_SIGNIN=http://localhost:3000/
 COGNITO_REDIRECT_SIGNOUT=http://localhost:3000/
+
+SERVERLESS_LICENSE_KEY=op://mdct_devs/seds_secrets/SERVERLESS_LICENSE_KEY

.github/workflows/deploy.yml

@@ -13,6 +13,10 @@ permissions:
   id-token: write
   contents: read
   actions: read
+
+env:
+  SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
+
 jobs:
   deploy:
     runs-on: ubuntu-latest

package.json

@@ -38,14 +38,12 @@
     "dotenv": "^8.2.0",
     "nightwatch": "3.1.2",
     "prettier": "2.2.1",
-    "serverless": "^3.39.0",
-    "serverless-bundle": "^6.0.0",
+    "serverless": "^4.4.18",
     "serverless-dotenv-plugin": "^4.0.0",
     "serverless-iam-helper": "github:Enterprise-CMCS/serverless-iam-helper",
-    "serverless-offline": "^13.5.0",
+    "serverless-offline": "^14.4.0",
     "serverless-online": "Enterprise-CMCS/macpro-serverless-online",
     "serverless-plugin-scripts": "^1.0.2",
-    "serverless-s3-bucket-helper": "github:Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1",
     "serverless-stack-termination-protection": "^2.0.2",
     "typescript": "^4.0.5",
     "yargs": "^16.1.1"

run

@@ -32,9 +32,9 @@ if ! which yarn > /dev/null ; then
 fi
 
 # check serverless is installed globally.
-if ! which serverless > /dev/null ; then
-	echo "installing serverless globally"
-	yarn global add serverless@3.38.0
+if ! which serverless > /dev/null || [[ "$(serverless --version | cut -d'.' -f1)" != "4" ]]; then
+	echo "installing serverless v4 globally"
+	yarn global add serverless@4.4.18
 	export PATH="$PATH:$(yarn global bin)"
 fi
 
@@ -76,4 +76,4 @@ fi
 
 # build and run run.ts
 # tsc is configured to build what we expect in tsconfig.json
-./node_modules/.bin/tsc && node ./build_dev/run.js "${ARGS[@]-}"
+./node_modules/.bin/tsc && node ./build_dev/run.js "${ARGS[@]-}"

services/app-api/package.json

@@ -7,18 +7,15 @@
     "minimist": "^1.2.5"
   },
   "main": "handler.js",
-  "scripts": {
-    "test": "serverless-bundle test --unhandled-rejections=warn"
-  },
+  "scripts": {},
   "author": "",
   "license": "CC0-1.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/AnomalyInnovations/serverless-nodejs-starter.git"
   },
   "devDependencies": {
-    "serverless-associate-waf": "^1.2.1",
-    "serverless-offline-ssm": "^6.2.0"
+    "serverless-associate-waf": "^1.2.1"
   },
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.709.0",

services/app-api/serverless.yml

@@ -1,19 +1,20 @@
 service: app-api
 
-frameworkVersion: "3"
+frameworkVersion: "4"
 
 package:
   individually: true
 
+build:
+  esbuild:
+    packages: external
+
 plugins:
-  - serverless-s3-bucket-helper
-  - serverless-bundle
   - serverless-dotenv-plugin
   - serverless-offline
   - serverless-associate-waf
   - serverless-stack-termination-protection
   - serverless-iam-helper
-  - serverless-offline-ssm
   - "@enterprise-cmcs/serverless-waf-plugin"
 
 custom:
@@ -25,11 +26,6 @@ custom:
   wafExcludeRules:
     awsCommon:
       - "SizeRestrictions_BODY"
-  iamPath: ${env:IAM_PATH, ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
-  iamPermissionsBoundaryPolicy: ${env:IAM_PERMISSIONS_BOUNDARY, ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
-  serverless-offline-ssm:
-    stages:
-      - local
   dotenv:
     path: ../../.env
   serverlessTerminationProtection:
@@ -95,23 +91,18 @@ provider:
   name: aws
   runtime: nodejs20.x
   region: us-east-1
-  stackTags:  
+  stackTags:
     PROJECT: ${self:custom.project}
-    SERVICE: ${self:service}  
+    SERVICE: ${self:service}
   tracing:
     apiGateway: true
   logs:
     restApi: true
   iam:
     role:
-      # Even though we are creating our own IAM role that is used in each lambda function below
-      # These values are used by the serverless-iam-helper and need to be set
-      path: ${self:custom.iamPath}
-      permissionsBoundary:
-        Fn::If:
-          - CreatePermissionsBoundary
-          - !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
-          - !Ref AWS::NoValue
+      path: /delegatedadmin/developer/
+      permissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/cms-cloud-admin/developer-boundary-policy
+
   environment: # Service wide environment variables
     AgeRangesTableName: ${env:AGE_RANGES_TABLE_NAME, self:custom.AgeRangesTableName}
     AgeRangesTableArn: ${env:AGE_RANGES_TABLE_ARN, self:custom.AgeRangesTableArn}
@@ -502,15 +493,9 @@ functions:
 
 resources:
   Description: ${self:service} ${self:custom.stage}
-  Conditions:
-    CreatePermissionsBoundary:
-      Fn::Not:
-        - Fn::Equals:
-            - ""
-            - ${self:custom.iamPermissionsBoundaryPolicy}
   Resources:
     LambdaApiRole: # Why isn't this with the function as an iamRoleStatements?  https://github.com/serverless/serverless/issues/6485
-      Type: "AWS::IAM::Role"
+      Type: AWS::IAM::Role
       Properties:
         AssumeRolePolicyDocument:
           Version: "2012-10-17"
@@ -519,12 +504,6 @@ resources:
               Principal:
                 Service: "lambda.amazonaws.com"
               Action: "sts:AssumeRole"
-        Path: ${self:custom.iamPath}
-        PermissionsBoundary:
-          Fn::If:
-            - CreatePermissionsBoundary
-            - !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
-            - !Ref AWS::NoValue
         ManagedPolicyArns:
           - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
         Policies:

services/app-api/yarn.lock

@@ -1094,11 +1094,6 @@ serverless-associate-waf@^1.2.1:
   dependencies:
     chalk "^2.4.2"
 
-serverless-offline-ssm@^6.2.0:
-  version "6.2.0"
-  resolved "https://registry.yarnpkg.com/serverless-offline-ssm/-/serverless-offline-ssm-6.2.0.tgz#f2db290a72631629579ce5f940ed76f254f96653"
-  integrity sha512-Af7JeLbU4OHAx7ZgAs2OLP2DGKyp/g45rX7SWQ8KiBzn47jme+MqN+GOV6qd5oZ8V9khd3p62+RueHR3ezEZZQ==
-
 strnum@^1.0.5:
   version "1.0.5"
   resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.0.5.tgz#5c4e829fe15ad4ff0d20c3db5ac97b73c9b072db"

services/database/serverless.yml

@@ -1,9 +1,8 @@
 service: database
 
-frameworkVersion: "3"
+frameworkVersion: "4"
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-dynamodb
   - serverless-stack-termination-protection
   - serverless-plugin-scripts
@@ -13,8 +12,6 @@ custom:
   project: "seds"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
-  iamPath: ${env:IAM_PATH, ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
-  iamPermissionsBoundaryPolicy: ${env:IAM_PERMISSIONS_BOUNDARY, ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   serverlessTerminationProtection:
     stages: # This is a list of common names for important envs that should not be destroyed.  You can remove the stage names your project doesn't use; this list is meant to be inclusive.
       - master
@@ -48,18 +45,14 @@ provider:
   name: aws
   runtime: nodejs20.x
   region: us-east-1
-  stackTags:  
+  stackTags:
     PROJECT: ${self:custom.project}
-    SERVICE: ${self:service}  
+    SERVICE: ${self:service}
   versionFunctions: true
   iam:
     role:
-      path: ${self:custom.iamPath}
-      permissionsBoundary:
-        Fn::If:
-          - CreatePermissionsBoundary
-          - !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
-          - !Ref AWS::NoValue
+      path: /delegatedadmin/developer/
+      permissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/cms-cloud-admin/developer-boundary-policy
       statements:
         - Effect: "Allow"
           Action:
@@ -82,12 +75,6 @@ functions:
 
 resources:
   Description: ${self:service} ${self:custom.stage}
-  Conditions:
-    CreatePermissionsBoundary:
-      Fn::Not:
-        - Fn::Equals:
-            - ""
-            - ${self:custom.iamPermissionsBoundaryPolicy}
   Resources:
     AgeRangesTable:
       Type: AWS::DynamoDB::Table

services/output.sh

@@ -13,10 +13,12 @@ $example}
 
 service=${1}
 output=${2}
-stage=${3:-dev}
+stage=${3}
 
 if [ $output == "url" ]; then
   output="CloudFrontEndpointUrl"
 fi
 
-cd $service && serverless info --stage $stage --verbose | sed -e '1,/^Stack Outputs/d' -e '$d' | sed -n -e "s/^.*$output: //p" && cd ..
+cd $service
+serverless info --stage $stage --json | jq --raw-output --arg output $output '.outputs[] | select(.OutputKey == $output) | .OutputValue'
+cd ..

services/stream-functions/serverless.yml

@@ -1,29 +1,26 @@
 service: stream-functions
 
-frameworkVersion: "3"
+frameworkVersion: "4"
 
 package:
   individually: true
 
 plugins:
-  - serverless-s3-bucket-helper
   - serverless-dotenv-plugin
   - serverless-stack-termination-protection
 
 provider:
   name: aws
   runtime: nodejs20.x
   region: us-east-1
-  stackTags:  
+  stackTags:
     PROJECT: ${self:custom.project}
-    SERVICE: ${self:service}  
+    SERVICE: ${self:service}
 
 custom:
   project: "seds"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
-  iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path, ssm:/configuration/default/iam/path, "/"}
-  iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy, ssm:/configuration/default/iam/permissionsBoundaryPolicy, ""}
   serverlessTerminationProtection:
     stages: # This is a list of common names for important envs that should not be destroyed.  You can remove the stage names your project doesn't use; this list is meant to be inclusive.
       - master
@@ -34,3 +31,10 @@ custom:
       - impl
       - val
       - prod
+resources:
+  Resources:
+    Honk: # this is just because it won't deploy unless we have some resource being created
+      Type: AWS::SSM::Parameter
+      Properties:
+        Type: String
+        Value: "honk"

services/ui-auth/handlers/createUsers.js

@@ -1,8 +1,8 @@
-import * as cognitolib from "../libs/cognito-lib";
+import * as cognitolib from "../libs/cognito-lib.js";
 const userPoolId = process.env.userPoolId;
-const users = require("../libs/users.json");
+import users from "../libs/users.json" assert { type: "json" };
 
-async function myHandler(_event, _context, _callback) {
+export async function handler(_event, _context, _callback) {
   for (let user of users) {
     var poolData = {
       UserPoolId: userPoolId,
@@ -29,5 +29,3 @@ async function myHandler(_event, _context, _callback) {
     await cognitolib.updateUserAttributes(attributeData);
   }
 }
-
-exports.handler = myHandler;

services/ui-auth/libs/cognito-lib.js

@@ -1,6 +1,5 @@
-var {
-  CognitoIdentityProvider: CognitoIdentityServiceProvider,
-} = require("@aws-sdk/client-cognito-identity-provider");
+import { CognitoIdentityServiceProvider } from "@aws-sdk/client-cognito-identity-provider";
+
 const COGNITO_CLIENT = new CognitoIdentityServiceProvider({
   apiVersion: "2016-04-19",
   region: "us-east-1",

services/ui-auth/package.json

@@ -7,6 +7,7 @@
     "minimist": "^1.2.5"
   },
   "main": "index.js",
+  "type": "module",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },