Merge branch 'main' into feature/wfprev-469

Author: yzlucas

.github/workflows/client-build.yml

@@ -62,6 +62,7 @@ jobs:
         OPENMAPS_URL: ${{ vars.OPENMAPS_URL }}
         WEBADE_OAUTH2_CHECK_AUTHORIZE_URL: ${{ vars.WEBADE_OAUTH2_CHECK_AUTHORIZE_URL }}
         WFPREV_CHECK_TOKEN_URL: ${{ vars.WFPREV_CHECK_TOKEN_URL }}
+        TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }}
 
     - name: Set up Node.js
       uses: actions/setup-node@v4

.github/workflows/terragrunt-deploy.yml

@@ -134,7 +134,7 @@ jobs:
 
       - uses: peter-murray/terragrunt-github-action@v1.0.0
         with:
-          terragrunt_version: ${{ env.TG_VERSION }}  
+          terragrunt_version: ${{ env.TG_VERSION }}
 
       - name: Terragrunt Apply
         working-directory: ${{env.TG_SRC_PATH}}
@@ -179,6 +179,9 @@ jobs:
           # GDB Extractor Lambda Image
           WFPREV_GDB_EXTRACTOR_DIGEST: ${{ steps.getDigestGDB.outputs.GDB_EXTRACTOR_IMAGE }}
 
+          # AWS
+          AWS_ALERT_EMAIL_LIST: ${{ vars.AWS_ALERT_EMAIL_LIST }}
+
           #liquibase
           COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }}
           PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }}

client/wfprev-war/src/main/angular/src/app/components/shared-layout/app-header/app-header.component.spec.ts

@@ -21,7 +21,8 @@ describe('AppHeaderComponent', () => {
       enableLocalStorageToken: true,
       localStorageTokenKey: 'test-oauth',
       allowLocalExpiredToken: false,
-      baseUrl: 'http://test.com'
+      baseUrl: 'http://test.com',
+      environment: 'DEV'
     },
     webade: {
       oauth2Url: 'http://oauth.test',

client/wfprev-war/src/main/angular/src/app/components/shared-layout/app-header/app-header.component.ts

@@ -6,6 +6,7 @@ import { MatButtonModule } from '@angular/material/button';
 import { MatIconModule } from '@angular/material/icon';
 import { CommonModule } from '@angular/common';
 import { TokenService } from 'src/app/services/token.service';
+import { AppConfigService } from 'src/app/services/app-config.service';
 
 @Component({
   selector: 'wfprev-app-header',
@@ -19,17 +20,17 @@ import { TokenService } from 'src/app/services/token.service';
   templateUrl: './app-header.component.html',
   styleUrls: ['./app-header.component.scss']
 })
-export class AppHeaderComponent implements OnInit{
+export class AppHeaderComponent implements OnInit {
 
   constructor(
     protected router: Router,
-    private readonly tokenService: TokenService
+    private readonly tokenService: TokenService,
+    private readonly appConfigService: AppConfigService
   ) {
   }
 
-
-  environment:string = 'DEV'
-  title:string = 'PREVENTION'
+  environment: string = ''
+  title: string = 'PREVENTION'
   currentUser: string = 'User_1'
 
   ngOnInit(): void {
@@ -39,11 +40,16 @@ export class AppHeaderComponent implements OnInit{
         this.currentUser = name;
       }
     });
+
+    // Display no environment indicator in prod
+    // Case sensitive checking, set the variable as upper case 
+    const env = (this.appConfigService.getConfig()?.application?.environment || '').toUpperCase();
+    this.environment = env === 'PROD' ? '' : env;
   }
 
 
-  onBCLogoClick(){
-      this.router.navigate([ResourcesRoutes.LANDING]); // Navigate back to the home page
+  onBCLogoClick() {
+    this.router.navigate([ResourcesRoutes.LANDING]); // Navigate back to the home page
   }
 
   onSupportLinkClick() {

client/wfprev-war/src/main/angular/src/assets/data/appConfig.json

@@ -1,6 +1,7 @@
 {
     "application": {
-      "baseUrl": "#{WFPREV_BASE_URL}#"
+      "baseUrl": "#{WFPREV_BASE_URL}#",
+      "environment": "#{TARGET_ENV}"
     },
 
     "webade": {

client/wfprev-war/src/main/angular/src/assets/data/appConfig.local.json

@@ -1,6 +1,7 @@
 {
   "application": {
-    "baseUrl": "http://localhost:4200/"
+    "baseUrl": "http://localhost:4200/",
+    "environment": "local"
   },
 
   "webade": {

terraform/alarms.tf

@@ -0,0 +1,54 @@
+resource "aws_cloudwatch_metric_alarm" "high_latency" {
+  alarm_name          = "ALB-High-Latency"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "TargetResponseTime"
+  namespace           = "AWS/ApplicationELB"
+  period              = 60  # 1 min
+  statistic           = "Average"
+  threshold           = 1  # 1 second
+
+  dimensions = {
+    LoadBalancer = aws_lb.wfprev_main.arn_suffix
+  }
+
+  alarm_description = "ALB target response time is high"
+  alarm_actions     = [aws_sns_topic.alb_alerts.arn]
+}
+
+resource "aws_cloudwatch_metric_alarm" "unhealthy_targets" {
+  alarm_name          = "ALB-Unhealthy-Targets"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "UnHealthyHostCount"
+  namespace           = "AWS/ApplicationELB"
+  period              = 60
+  statistic           = "Average"
+  threshold           = 0
+
+  dimensions = {
+    TargetGroup  = aws_alb_target_group.wfprev_api.arn_suffix
+    LoadBalancer = aws_lb.wfprev_main.arn_suffix
+  }
+
+  alarm_description = "ALB has unhealthy targets"
+  alarm_actions     = [aws_sns_topic.alb_alerts.arn]
+}
+
+resource "aws_sns_topic" "alb_alerts" {
+  name = "wfprev-alb-alerts"
+}
+
+# List of emails
+locals {
+  alert_emails = split(",", var.AWS_ALERT_EMAIL_LIST)
+}
+
+# Create subscriptions for each email
+resource "aws_sns_topic_subscription" "alb_alerts_emails" {
+  for_each = toset(local.alert_emails)
+
+  topic_arn = aws_sns_topic.alb_alerts.arn
+  protocol  = "email"
+  endpoint  = trim(each.key, " ") 
+}

terraform/alb.tf

@@ -34,6 +34,12 @@ resource "aws_lb" "wfprev_main" {
     Environment = "${var.TARGET_ENV}"
   }
 
+  access_logs {
+    bucket  = aws_s3_bucket.alb_logs.bucket
+    prefix  = "wfprev-${var.TARGET_ENV}"
+    enabled = true
+  }
+
 }
 
 //////////////////////////
@@ -45,10 +51,27 @@ resource "aws_lb_listener" "wfprev_main" {
   protocol          = "HTTP"
 
   default_action {
-    type             = "fixed-response"
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301" # Any HTTP request gets a 301 redirect to HTTPS
+    }
+  }
+}
+
+resource "aws_lb_listener" "wfprev_main_https" {
+  load_balancer_arn = aws_lb.wfprev_main.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate_validation.domain_certificate_validation_ca.certificate_arn
+
+  default_action {
+    type = "fixed-response"
     fixed_response {
       content_type = "text/plain"
-      status_code = 404
+      status_code  = 404
     }
   }
 }
@@ -81,14 +104,22 @@ resource "aws_alb_target_group" "wfprev_api" {
   target_type          = "ip"
   deregistration_delay = 30
 
+  stickiness {
+    enabled         = true
+    type            = "lb_cookie"
+    cookie_duration = 3600  # 1 hour session persistence
+  }
+
   health_check {
     healthy_threshold   = "2"
-    interval            = "300"
+    interval            = "30"
     protocol            = "HTTP"
     matcher             = "200"
-    timeout             = "3"
+    timeout             = "5"
     path                = "/${aws_apigatewayv2_stage.wfprev_stage.name}/actuator/health"
     unhealthy_threshold = "2"
   }
 }
 
+
+

terraform/certificate_manager.tf

@@ -16,3 +16,20 @@ resource "aws_acm_certificate_validation" "domain_certificate_validation" {
 
   provider = aws.aws-us
 }
+
+//NOTE: CA certificate is needed for ALB listener
+resource "aws_acm_certificate" "wfprev_domain_certificate_ca" {
+  domain_name       = data.aws_route53_zone.wfprev_route53_zone.name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  provider = aws  # The default provider (ca-central-1)
+}
+
+resource "aws_acm_certificate_validation" "domain_certificate_validation_ca" {
+  certificate_arn         = aws_acm_certificate.wfprev_domain_certificate_ca.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation_record_ca : record.fqdn]
+}

terraform/cloudfront.tf

@@ -107,6 +107,12 @@ resource "aws_cloudfront_distribution" "wfprev_app_distribution" {
       restriction_type = "none"
     }
   }
+
+  logging_config {
+    bucket = data.aws_s3_bucket.cloudfront_logs.bucket_domain_name
+    include_cookies = false
+    prefix = "cloudfront-logs/"
+  }
 }
 
 resource "aws_cloudfront_function" "rewrite_uri" {
@@ -123,6 +129,10 @@ resource "aws_cloudfront_function" "rewrite_uri" {
 EOF
 }
 
+data "aws_s3_bucket" "cloudfront_logs" {
+  bucket = "wfprev-${var.TARGET_ENV}-cloudfront-logs"
+}
+
 output "cloudfront_distribution_id" {
   value = aws_cloudfront_distribution.wfprev_app_distribution.id
 }