Added CodeArtifact cdk and workflow

.github/workflows/codeartifact-build.yml

@@ -0,0 +1,50 @@
+name: CodeArtifact - Build
+run-name: Test IaC @ ${{ github.ref_name }}
+
+on:
+  push:
+    paths:
+      - .github/workflows/codeartifact-build.yml
+      - CodeArtifact/cdk/**
+  workflow_dispatch:
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  central-stack:
+    name: Test central resources IaC
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: CodeArtifact/cdk/central_resources
+    env:
+      ENV_STAGE: dev
+    steps:
+      - uses: actions/checkout@v4
+      - run: make lint-python
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+      - name: Set up aws-cdk
+        run: make install-cdk
+      - name: Print deployment environment
+        run: |
+          echo "INFO: cdk version: $(cdk --version)"
+          echo "INFO: node version: $(node --version)"
+          echo "INFO: npm version: $(npm --version)"
+          echo "INFO: python3 version: $(python3 --version)"
+
+      - name: Run cdk synth
+        run: make synth
+
+      - name: Run cdk-validator-cfnguard
+        env:
+          ENV: ${{ needs.common.outputs.environment }}
+        run: |
+          make test-with-cdk-validator-cfnguard

CHANGELOG.md

@@ -3,10 +3,17 @@
 All notable changes to this project will be documented in this file.
 
 
+## 2024-10-05
+
+### Added
+   * [CodeArtifact/cdk/central_resources/](CodeArtifact/cdk/central_resources/) cdk and workflow for deploying a central_resources for hosting CodeArtifact external connections and a shared CodeArtifact repository,
+   * Added `black` configurations in [pyproject.toml](./pyproject.toml).
+   * Added `flake8` configurations in [setup.cfg](./setup.cfg).
+
 ## 2024-10-03
 
 ### Added
-  * Added [DynamoDB/export_ddb_to_s3.py](DynamoDB/export_ddb_to_s3.py), which exports a DynamoDB table to S3 bucket, then downloads the exported data from S3, unzips the files, and merges the data into a single JSON file, then upload back to S3.
+   * Added [DynamoDB/export_ddb_to_s3.py](DynamoDB/export_ddb_to_s3.py), which exports a DynamoDB table to S3 bucket, then downloads the exported data from S3, unzips the files, and merges the data into a single JSON file, then upload back to S3.
 
 ## 2024-10-02
 

CodeArtifact/cdk/central_resources/Makefile

@@ -0,0 +1,39 @@
+export AWS_DEFAULT_REGION ?= ap-southeast-2
+export CDK_DEFAULT_REGION ?= ap-southeast-2
+export ENV_STAGE ?= dev
+
+APP_NAME=$(shell grep -m 1 AppName environment/$(ENV_STAGE).yml | cut -c 10-)
+
+install-cdk:
+	npm install -g aws-cdk
+	python3 -m pip install -U pip
+	pip3 install -r requirements-dev.txt
+
+synth:
+	cdk synth -c env=${ENV_STAGE} --all
+
+deploy:
+	pip3 install -r requirements.txt
+	cdk deploy $(APP_NAME) -c env=${ENV_STAGE} --require-approval never
+
+destroy:
+	cdk destroy $(APP_NAME) -f -c env=${ENV_STAGE}
+
+test-cdk:
+	python3 -m pytest tests/
+
+test-with-cdk-validator-cfnguard: synth
+
+pre-commit: format-python lint-python lint-yaml test
+
+format-python:
+	black **.py */**.py
+
+lint-python:
+	flake8 **.py */**.py
+
+lint-yaml:
+	yamllint -c .github/linters/.yaml-lint.yml -f parsable .
+
+clean:
+	rm -rf cdk.out **/__pycache__

CodeArtifact/cdk/central_resources/app.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+from os.path import (
+    dirname,
+    join,
+    realpath,
+)
+
+import yaml
+from aws_cdk import (
+    App,
+    CliCredentialsStackSynthesizer,
+    Environment,
+    Tags,
+)
+from cdklabs.cdk_validator_cfnguard import (
+    CfnGuardValidator,
+)
+from lib.central_resources import (
+    CodeArtifactCentralResources,
+)
+
+ENV_DIR = join(
+    dirname(realpath(__file__)),
+    "environment",
+)
+
+
+def main():
+    app = App(
+        policy_validation_beta1=[
+            CfnGuardValidator(
+                # By default the CfnGuardValidator plugin has the Control Tower proactive
+                # rules enabled. If you wish to disable them, set this to false.
+                control_tower_rules_enabled=True,
+                # You can also disable individual rules by passing in a list of rule names
+                # e.g. "ct-s3-pr-1" list is https://github.com/cdklabs/cdk-validator-cfnguard
+                disabled_rules=[],
+                # You can also pass in a list of local guard files or directory paths
+                # e.g. "./guards", "./guards/custom-guard-file.guard"
+                rules=[],
+            )
+        ]
+    )
+
+    ENV_NAME = app.node.try_get_context("env") or "dev"
+
+    with open(
+        join(
+            ENV_DIR,
+            f"{ENV_NAME}.yaml",
+        ),
+        "r",
+    ) as stream:
+        yaml_data = yaml.safe_load(stream)
+        config = yaml_data if yaml_data is not None else {}
+
+    stack = CodeArtifactCentralResources(
+        scope=app,
+        id="CodeArtifactCentralResources",
+        config=config,
+        env=Environment(
+            account=config["AWS_ACCOUNT"],
+            region=config["AWS_REGION"],
+        ),
+        synthesizer=CliCredentialsStackSynthesizer(),
+        termination_protection=(ENV_NAME == "prd"),
+    )
+
+    # Add common tags
+    for key, value in config["TAGS"].items():
+        Tags.of(stack).add(key, value)
+
+    Tags.of(stack).add(
+        "Description",
+        "CodeArtifact central resources",
+    )
+    Tags.of(stack).add(
+        "Environment",
+        ENV_NAME,
+    )
+    Tags.of(stack).add(
+        "Name",
+        stack.stack_name,
+    )
+
+    app.synth()
+
+
+if __name__ == "__main__":
+    main()

CodeArtifact/cdk/central_resources/cdk.json

@@ -0,0 +1,5 @@
+{
+    "app": "python3 app.py",
+    "context": {
+    }
+}

CodeArtifact/cdk/central_resources/environment/dev.yaml

@@ -0,0 +1,25 @@
+AppName: CodeArtifactCentralResources
+AWS_ACCOUNT: "111111111111"
+AWS_ORG_ID: o-12324567890
+AWS_REGION: ap-southeast-2
+DOMAIN_NAME: todo-dev
+EXTERNAL_CONNECTIONS:
+  - crates-io
+  - maven-central
+  - maven-clojars
+  - maven-commonsware
+  - maven-googleandroid
+  - maven-gradleplugins
+  - npmjs
+  - nuget-org
+  - pypi
+  - ruby-gems-org
+INTERNAL_SHARED_REPO: internal-shared-dev
+KEY_ADMIN_ARNS:
+  - arn:aws:iam::111111111111:role/key-admin
+  - arn:aws:iam::111111111111:role/deploy-role
+WRITE_ROLE_ARNS_LIKE:
+  - arn:aws:iam::222222222222:role/*/deploy-role
+TAGS:
+  CostCentre: TODO
+  Project: TODO