in cdk/lib/newswires.ts [48:280]
constructor(scope: App, id: string, props: NewswiresProps) {
super(scope, id, { ...props, app });
const { domainName, enableMonitoring } = props;
const vpc = GuVpc.fromIdParameter(this, 'VPC');
const privateSubnets = GuVpc.subnetsFromParameter(this, {
type: SubnetType.PRIVATE,
app,
});
const stageStackApp = `${this.stage}/${this.stack}/${app}`;
const databaseName = 'newswires';
const database = new GuDatabase(this, 'NewswiresDB', {
app,
instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.SMALL),
allowExternalConnection: true,
databaseName,
multiAz: false,
devxBackups: true,
vpcSubnets: {
subnets: privateSubnets,
},
engine: DatabaseInstanceEngine.postgres({
version: PostgresEngineVersion.of('16.4', '16'),
// version: PostgresEngineVersion.VER_16, // FIXME temporary, until VER_16 defaults to 16.4
}),
storageType: StorageType.GP3,
iops: 3000, // the default for gp3 - not required but nice to declare
storageThroughput: 125, // the default for gp3
autoMinorVersionUpgrade: true,
});
const feedsBucket = new GuS3Bucket(this, `feeds-bucket-${this.stage}`, {
app,
versioned: true,
});
const ingestionLambda = new GuLambdaFunction(
this,
`IngestionLambda-${this.stage}`,
{
app: 'ingestion-lambda',
runtime: LAMBDA_RUNTIME,
architecture: LAMBDA_ARCHITECTURE,
handler: 'handler.main',
// each execution can handle up to 10 messages, so this is up
// to 100 messages in flight; should be more than powerful enough
// in high news events
reservedConcurrentExecutions: 10,
fileName: 'ingestion-lambda.zip',
environment: {
FEEDS_BUCKET_NAME: feedsBucket.bucketName,
DATABASE_ENDPOINT_ADDRESS: database.dbInstanceEndpointAddress,
DATABASE_PORT: database.dbInstanceEndpointPort,
DATABASE_NAME: databaseName,
},
vpc,
vpcSubnets: {
subnets: privateSubnets,
},
loggingFormat: LoggingFormat.TEXT,
},
);
ingestionLambda.connections.allowTo(database, Port.tcp(5432));
const eventSourceProps = {
/**
* This is required to allow us to deal with failures of particular
* records handed to a lambda by an SQS queue. Without this, the
* lambda will retry the entire batch of records, which is not what
* we want.
*
* See https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html#services-sqs-batchfailurereporting
*
*/
reportBatchItemFailures: true,
};
ingestionLambda.addEventSource(
new SqsEventSource(props.sourceQueue, eventSourceProps),
);
ingestionLambda.addEventSource(
new SqsEventSource(props.fingerpostQueue, eventSourceProps),
);
feedsBucket.grantWrite(ingestionLambda);
database.grantConnect(ingestionLambda);
new MetricFilter(this, 'IngestionSourceFeeds', {
logGroup: LogGroup.fromLogGroupName(
this,
'IngestionLogGroup',
`/aws/lambda/${ingestionLambda.functionName}`,
),
metricNamespace: `${stageStackApp}-ingestion-lambda`,
metricName: 'IngestionSourceFeeds',
metricValue: '1',
filterPattern: aws_logs.FilterPattern.stringValue(
'$.eventType',
'=',
SUCCESSFUL_INGESTION_EVENT_TYPE,
),
dimensions: { supplier: '$.supplier' },
});
const scheduledCleanupLambda = new GuScheduledLambda(
this,
`ScheduledCleanupLambda-${this.stage}`,
{
app: 'cleanup-lambda',
runtime: LAMBDA_RUNTIME,
architecture: LAMBDA_ARCHITECTURE,
handler: 'handler.main',
fileName: 'cleanup-lambda.zip',
timeout: Duration.millis(45000),
environment: {
DATABASE_ENDPOINT_ADDRESS: database.dbInstanceEndpointAddress,
DATABASE_PORT: database.dbInstanceEndpointPort,
DATABASE_NAME: databaseName,
},
vpc,
vpcSubnets: {
subnets: privateSubnets,
},
rules: [
{
schedule: Schedule.cron({ hour: '5', minute: '00', weekDay: '*' }), // Every day at 5am
},
],
monitoringConfiguration: {
noMonitoring: true,
},
},
);
scheduledCleanupLambda.connections.allowTo(database, Port.tcp(5432));
database.grantConnect(scheduledCleanupLambda);
const panDomainSettingsBucket = new GuParameter(
this,
'PanDomainSettingsBucket',
{
description: 'Bucket name for pan-domain auth settings',
fromSSM: true,
default: `/${stageStackApp}/pan-domain-settings-bucket`,
type: 'String',
},
);
const permissionsBucketName = new GuParameter(this, 'PermissionsBucket', {
description: 'Bucket name for permissions data',
fromSSM: true,
default: `/${stageStackApp}/permissions-bucket`,
type: 'String',
});
const alarmSnsTopic = new Topic(this, `${app}-email-alarm-topic`);
const scaling = {
minimumInstances: 1,
maximumInstances: 2,
};
const monitoringConfiguration: Alarms | NoMonitoring = enableMonitoring
? {
snsTopicName: alarmSnsTopic.topicName,
unhealthyInstancesAlarm: true,
http5xxAlarm: {
tolerated5xxPercentage: 10,
numberOfMinutesAboveThresholdBeforeAlarm: 1,
},
}
: { noMonitoring: true };
Object.entries(POLLERS_CONFIG).map(
([pollerId, pollerConfig]) =>
new PollerLambda(this, {
pollerId: pollerId as PollerId,
pollerConfig,
ingestionLambdaQueue: props.sourceQueue,
alarmSnsTopicName: alarmSnsTopic.topicName,
}),
);
const newswiresApp = new GuPlayApp(this, {
app,
access: { scope: AccessScope.PUBLIC },
privateSubnets,
instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.SMALL),
certificateProps: {
domainName,
},
monitoringConfiguration,
userData: {
distributable: {
fileName: `${app}.deb`,
executionStatement: `dpkg -i /${app}/${app}.deb`,
},
},
scaling,
applicationLogging: { enabled: true, systemdUnitName: app },
imageRecipe: 'editorial-tools-jammy-java17',
roleConfiguration: {
additionalPolicies: [
new GuGetS3ObjectsPolicy(this, 'PandaAuthPolicy', {
bucketName: panDomainSettingsBucket.valueAsString,
}),
new GuGetS3ObjectsPolicy(this, 'PermissionsCachePolicy', {
bucketName: permissionsBucketName.valueAsString,
paths: [`${this.stage}/*`],
}),
],
},
});
// Add the domain name
new GuCname(this, 'DnsRecord', {
app: app,
domainName: domainName,
ttl: Duration.minutes(1),
resourceRecord: newswiresApp.loadBalancer.loadBalancerDnsName,
});
database.grantConnect(newswiresApp.autoScalingGroup);
newswiresApp.autoScalingGroup.connections.addSecurityGroup(
database.accessSecurityGroup,
);
}