Resolve conflicts

Author: wildjames

.github/dependabot.yml

@@ -12,8 +12,11 @@ updates:
       interval: "weekly"
       day: "thursday"
       time: "18:00" #UTC
+    open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3
 
   ###################################
   # Poetry  #########################
@@ -25,8 +28,11 @@ updates:
       day: "thursday"
       time: "20:00" #UTC
     versioning-strategy: increase
+    open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3
 
   ###################################
   # NPM workspace  ##################
@@ -41,3 +47,5 @@ updates:
     open-pull-requests-limit: 20
     commit-message:
       prefix: "Upgrade: [dependabot] - "
+    cooldown:
+      default-days: 3

package-lock.json

@@ -6,17 +6,26 @@ import {stateMachineRequestTemplate} from "./templates/stateMachineRequest.js"
 import {stateMachine200ResponseTemplate, stateMachineErrorResponseTemplate} from "./templates/stateMachineResponses.js"
 import {ExpressStateMachine} from "../StateMachine.js"
 
+/** Parameters used to create an API endpoint backed by a Step Functions Express workflow. */
 export interface StateMachineEndpointProps {
+  /** Parent API resource under which the state machine endpoint is added. */
   parentResource: IResource
+  /** Path segment used to create the child API resource. */
   readonly resourceName: string
+  /** HTTP verb bound to the Step Functions integration. */
   readonly method: HttpMethod
+  /** Invocation role used by API Gateway when starting workflow executions. */
   restApiGatewayRole: IRole
+  /** State machine wrapper construct providing the target workflow ARN and integration target. */
   stateMachine: ExpressStateMachine
 }
 
+/** Adds an API Gateway resource/method that starts an Express Step Functions execution. */
 export class StateMachineEndpoint extends Construct {
+  /** API resource created by this construct. */
   resource: IResource
 
+  /** Wires request and response mapping templates for JSON and FHIR payload flows. */
   public constructor(scope: Construct, id: string, props: StateMachineEndpointProps) {
     super(scope, id)
 
@@ -39,21 +48,25 @@ export class StateMachineEndpoint extends Construct {
         },
         {
           statusCode: "400",
-          selectionPattern: "^4\\d{2}.*",
+          selectionPattern: String.raw`^4\d{2}.*`,
           responseTemplates: {
             "application/json": stateMachineErrorResponseTemplate("400")
           }
         },
         {
           statusCode: "500",
-          selectionPattern: "^5\\d{2}.*",
+          selectionPattern: String.raw`^5\d{2}.*`,
           responseTemplates: {
             "application/json": stateMachineErrorResponseTemplate("500")
           }
         }
       ]
     }), {
-      methodResponses: []
+      methodResponses: [
+        {statusCode: "200"},
+        {statusCode: "400"},
+        {statusCode: "500"}
+      ]
     })
 
     this.resource = resource

packages/cdkConstructs/src/constructs/RestApiGateway/StateMachineEndpoint.ts

@@ -1,6 +1,9 @@
 /* eslint-disable max-len */
+/**
+ * @returns API Gateway request mapping template for StartExecution payloads.
+ */
 export const stateMachineRequestTemplate = (stateMachineArn: string) => {
-  return `## Velocity Template used for API Gateway request mapping template
+    return `## Velocity Template used for API Gateway request mapping template
 ## "@@" is used here as a placeholder for '"' to avoid using escape characters.
 
 #set($includeHeaders = true)

packages/cdkConstructs/src/constructs/RestApiGateway/templates/stateMachineRequest.ts

@@ -1,4 +1,5 @@
 /* eslint-disable max-len */
+/** VTL response template that unwraps successful workflow output and forwards status and headers. */
 export const stateMachine200ResponseTemplate = `#set($payload = $util.parseJson($input.path('$.output')))
 #set($context.responseOverride.status = $payload.Payload.statusCode)
 #set($allHeaders = $payload.Payload.headers)
@@ -41,7 +42,7 @@ const getOperationOutcome = (status: string) => {
       {
         code: errorMap[status].code,
         severity: errorMap[status].severity,
-        diagnostics: errorMap[status],
+        diagnostics: errorMap[status].diagnostics,
         details: {
           coding: [
             {
@@ -56,5 +57,8 @@ const getOperationOutcome = (status: string) => {
   })
 }
 
+/**
+ * @returns VTL response template that maps workflow failures to FHIR OperationOutcome payloads.
+ */
 export const stateMachineErrorResponseTemplate = (status: string) => `#set($context.responseOverride.header["Content-Type"] ="application/fhir+json")
 ${getOperationOutcome(status)}`

packages/cdkConstructs/src/constructs/RestApiGateway/templates/stateMachineResponses.ts

@@ -1,4 +1,4 @@
-import {Fn, RemovalPolicy} from "aws-cdk-lib"
+import {RemovalPolicy} from "aws-cdk-lib"
 import {
   IManagedPolicy,
   IRole,
@@ -20,12 +20,22 @@ import {
 } from "aws-cdk-lib/aws-stepfunctions"
 import {Construct} from "constructs"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
+import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
 
+/**
+ * Configuration for provisioning an Express Step Functions state machine
+ * with logging and optional Splunk forwarding.
+ */
 export interface StateMachineProps {
+  /** Stack name, used as prefix for resource naming and DNS records. */
   readonly stackName: string
+  /** Friendly state machine name used for both AWS resource and log naming. */
   readonly stateMachineName: string
+  /** Workflow definition chain rendered as the state machine definition body. */
   readonly definition: IChainable
+  /** Extra managed policies merged into the execution role when required. */
   readonly additionalPolicies?: Array<IManagedPolicy>
+  /** Retention period applied to the workflow CloudWatch log group. */
   readonly logRetentionInDays: number
   /**
    * Optional KMS key for encrypting CloudWatch Logs.
@@ -54,21 +64,40 @@ export interface StateMachineProps {
   readonly addSplunkSubscriptionFilter?: boolean
 }
 
+/** Creates an Express Step Functions workflow with CloudWatch logging and invoke permissions. */
 export class ExpressStateMachine extends Construct {
+  /** Managed policy that grants permission to start this workflow. */
   public readonly executionPolicy: ManagedPolicy
+
+  /** Created Step Functions state machine resource. */
   public readonly stateMachine: StateMachine
 
+  /**
+   * Provisions an Express Step Functions workflow with logging, tracing, and invoke permissions.
+   * @example
+   * ```ts
+   * const sm = new ExpressStateMachine(this, "MyWorkflow", {
+   *   stackName: "my-service",
+   *   stateMachineName: "my-service-workflow",
+   *   definition: new Pass(this, "Start"),
+   *   logRetentionInDays: 30,
+   *   additionalPolicies: [myLambdaInvokePolicy]
+   * })
+   * // Attach the generated execution policy to an API Gateway role
+   * apiGatewayRole.addManagedPolicy(sm.executionPolicy)
+   * ```
+   */
   public constructor(scope: Construct, id: string, props: StateMachineProps) {
     super(scope, id)
 
     const {
       cloudWatchLogsKmsKey = Key.fromKeyArn(
-        this, "CloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn")),
+        this, "CloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn),
       cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
-        this, "cloudwatchEncryptionKMSPolicy", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn")),
+        this, "cloudwatchEncryptionKMSPolicy", ACCOUNT_RESOURCES.CloudwatchEncryptionKMSPolicyArn),
       splunkDeliveryStream,
       splunkSubscriptionFilterRole = Role.fromRoleArn(
-        this, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole")),
+        this, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole),
       addSplunkSubscriptionFilter = true
     } = props
 
@@ -90,16 +119,16 @@ export class ExpressStateMachine extends Construct {
 
     if (addSplunkSubscriptionFilter) {
       if (splunkDeliveryStream) {
-        new CfnSubscriptionFilter(this, "LambdaLogsSplunkSubscriptionFilter", {
+        new CfnSubscriptionFilter(this, "StateMachineLogsSplunkSubscriptionFilter", {
           destinationArn: splunkDeliveryStream.attrArn,
           filterPattern: "",
           logGroupName: logGroup.logGroupName,
           roleArn: splunkSubscriptionFilterRole.roleArn
         })
       } else {
         const splunkDeliveryStreamImport = Stream.fromStreamArn(
-          this, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
-        new CfnSubscriptionFilter(this, "LambdaLogsSplunkSubscriptionFilter", {
+          this, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream)
+        new CfnSubscriptionFilter(this, "StateMachineLogsSplunkSubscriptionFilter", {
           destinationArn: splunkDeliveryStreamImport.streamArn,
           filterPattern: "",
           logGroupName: logGroup.logGroupName,
@@ -118,7 +147,7 @@ export class ExpressStateMachine extends Construct {
           ],
           resources: [
             logGroup.logGroupArn,
-            `${logGroup.logGroupArn}:log-stream`
+            `${logGroup.logGroupArn}:log-stream:*`
           ]
         }),
         new PolicyStatement({

packages/cdkConstructs/src/constructs/StateMachine.ts

@@ -1,7 +1,7 @@
 import {Pass} from "aws-cdk-lib/aws-stepfunctions"
 import {Construct} from "constructs"
 
-const severErrorOperationOutcome = `{% $string(
+const errorOperationOutcome = `{% $string(
   {
     "ResourceType": "OperationOutcome",
     "meta": {
@@ -26,9 +26,12 @@ const severErrorOperationOutcome = `{% $string(
   }
 ) %}`
 
+/** Produces a fixed 500 FHIR OperationOutcome payload for unhandled workflow failures. */
 export class CatchAllErrorPass extends Construct {
-  public readonly state
+  /** Pass state returned by this construct for chaining in state machine definitions. */
+  public readonly state: Pass
 
+  /** Creates a terminal-style error response payload without exposing internal exception detail. */
   public constructor(scope: Construct, id: string) {
     super(scope, id)
 
@@ -38,9 +41,9 @@ export class CatchAllErrorPass extends Construct {
           statusCode: 500,
           headers: {
             "Content-Type": "application/fhir+json",
-            "Cache-Control": "co-cache"
+            "Cache-Control": "no-cache"
           },
-          body: severErrorOperationOutcome
+          body: errorOperationOutcome
         }
       }
     })

packages/cdkConstructs/src/constructs/StateMachine/CatchAllErrorPass.ts

@@ -5,6 +5,7 @@ export * from "./constructs/TypescriptLambdaFunction.js"
 export * from "./constructs/RestApiGateway.js"
 export * from "./constructs/RestApiGateway/accessLogFormat.js"
 export * from "./constructs/RestApiGateway/LambdaEndpoint.js"
+export * from "./constructs/RestApiGateway/StateMachineEndpoint.js"
 export * from "./constructs/PythonLambdaFunction.js"
 export * from "./constructs/SsmParametersConstruct.js"
 export * from "./apps/createApp.js"

packages/cdkConstructs/src/index.ts

@@ -24,7 +24,7 @@ describe("RestApiGateway without mTLS", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })
@@ -181,7 +181,7 @@ describe("RestApiGateway with CSOC logs", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })
@@ -229,7 +229,7 @@ describe("RestApiGateway with mTLS", () => {
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
-          resources: ["*"]
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
         })
       ]
     })

packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts

@@ -72,8 +72,8 @@ describe("StateMachineEndpoint construct", () => {
         IntegrationHttpMethod: "POST",
         IntegrationResponses: Match.arrayWith([
           Match.objectLike({StatusCode: "200"}),
-          Match.objectLike({StatusCode: "400", SelectionPattern: "^4\\d{2}.*"}),
-          Match.objectLike({StatusCode: "500", SelectionPattern: "^5\\d{2}.*"})
+          Match.objectLike({StatusCode: "400", SelectionPattern: String.raw`^4\d{2}.*`}),
+          Match.objectLike({StatusCode: "500", SelectionPattern: String.raw`^5\d{2}.*`})
         ])
       })
     })