GitHub: Ikechi980/aws-devsecops-pipeline
An end-to-end DevSecOps pipeline on AWS that integrates security scanning tools to secure the software supply chain and keep compromised artifacts from being deployed to production.
# Sentrics — Ensure Event Sync Platform

An event-driven platform built on AWS that synchronizes senior-living community data between the Sentrics core system and the Ensure Cloud headend network. The platform is designed around a DevSecOps pipeline in which security is a gate, not an afterthought: no compromised artifact can reach AWS.

## Platform Overview

The system is split into two independently deployed stacks that communicate over SNS/SQS:
| Stack | Purpose |
|-------|---------|
| **sentrics-core** | Manages communities, locations and residents. Exposes a public REST API and an internal IAM-authenticated API. Syncs data from the Yardi EHR. |
| **ensure-cloud** | Serves headend devices over mTLS. Issues device certificates through a private CA. Forwards core change events to connected headend communities. |

## Architecture
```mermaid
graph TB
    subgraph Internet
        HD[Headend Devices]
        EMS[EMS Systems API]
    end

    subgraph AWS["AWS — us-east-1"]
        subgraph VPC["Ensure VPC"]
            subgraph EC["ensure-cloud ECS Cluster"]
                GW[headend-gateway\nWebSocket ECS]
                PKI[pki-api\nCertificate API ECS]
                SCA[stepca\nPrivate CA ECS]
            end
            subgraph SC["sentrics-core ECS Cluster"]
                YS[yardi-sync\nECS Service]
            end
            subgraph Lambdas["Lambda Functions"]
                HAPI[headend-api\nHTTP API Lambda]
                CCP[core-change-publisher\nEvent Lambda]
                RAPI[resources-api\nHTTP API Lambda]
                MIG[migrate\nDB Migration Lambda]
                RCL[resources-change-logger\nAudit Lambda]
            end
            subgraph Data["Data Layer"]
                RDS[(PostgreSQL RDS\nsentrics-core)]
                DDB[(DynamoDB\nChange Log)]
                EFS[(EFS\nstep-ca data)]
                SSM[SSM Parameter Store\nSecureString Secrets]
            end
            subgraph Messaging["Event Bus"]
                SNS1[SNS\nresources-change-events]
                SNS2[SNS\nheadend-messages]
                SQS1[SQS\nyardi-sync-queue]
                SQS2[SQS\nchange-logger-queue]
                SQS3[SQS\ncore-change-events]
            end
            subgraph Ingress["Ingress"]
                ALB[ALB\nmTLS]
                APIGW[API Gateway v2\nmTLS + JWT]
            end
        end
        ECR[(ECR\nContainer Registry)]
        S3[(S3\nArtifact Bucket)]
    end

    HD -->|mTLS| ALB --> GW
    HD -->|mTLS + JWT| APIGW --> HAPI
    EMS --> YS
    PKI --> SCA
    SCA --> EFS
    RAPI --> RDS
    RAPI --> SNS1
    MIG --> RDS
    YS --> RAPI
    SNS1 --> SQS1 --> YS
    SNS1 --> SQS2 --> RCL --> DDB
    SNS1 --> SQS3 --> CCP --> SNS2
    HAPI --> RAPI
    HAPI --> SSM
    ECR --> GW
    ECR --> PKI
    ECR --> SCA
    ECR --> YS
    S3 --> RAPI
    S3 --> HAPI
    S3 --> CCP
    S3 --> MIG
    S3 --> RCL
```
## DevSecOps Pipeline

Security is enforced at two levels: GitHub Actions gates code before it can be merged, and Jenkins gates artifacts before they can reach AWS.
```mermaid
flowchart TD
    DEV[Developer\nFeature Branch] --> PR[Pull Request\nto development]

    subgraph GHA["GitHub Actions — Merge Gates (per repo)"]
        direction TB
        SEC[security-scan\nSemgrep · Trivy fs · Gitleaks · Hadolint]
        LINT[lint\ncargo fmt · cargo clippy]
        TEST[integration-tests\nFull service stack]
        INFRA_SEC[infra security-scan\nTrivy config · Gitleaks]
    end

    PR --> SEC & LINT & TEST
    PR --> INFRA_SEC
    SEC & LINT & TEST & INFRA_SEC -->|all pass| MERGE[Merge to development]
    MERGE --> JENKINS

    subgraph JENKINS["Jenkins — Build Pipeline"]
        direction TB
        J1[Resolve AWS Context] --> J2[Verify Toolchain]
        J2 --> J3[Build Lambdas\nParallel]
        J2 --> J4[Build Docker Images\nParallel]
        J3 & J4 --> J5[Trivy Scan\nCVE counts · SBOM generation]
        J5 --> J6[Archive Artifacts]
        J6 --> J7{CVE Gate\nBLOCKED?}
        J7 -->|yes — exit 1| FAIL[Pipeline Fails\nNothing reaches AWS]
        J7 -->|no| J8[Publish\nS3 Lambda zips · ECR images · SBOMs]
        J8 --> J9[Approve Dev Deploy]
        J9 --> J10[Trigger Deploy Pipeline]
    end

    subgraph DEPLOY["Jenkins — Deploy Pipeline"]
        direction TB
        D1[Capture Rollback State] --> D2[Download Manifest]
        D2 --> D3[Deploy Lambdas\nParallel]
        D3 --> D4[Run DB Migration]
        D4 --> D5[Deploy ECS Services\nParallel]
        D5 --> D6[Wait for ECS Stability]
        D6 --> D7{All healthy?}
        D7 -->|no — post failure| D8[Automated Rollback\nre-deploy previous SHA]
        D7 -->|yes| D9[Done]
    end

    J10 --> DEPLOY
```
## Security Controls

| Control | Tool | Where |
|---------|------|-------|
| SAST | Semgrep (security-audit, OWASP Top 10, Rust) | GitHub Actions |
| Secret scanning | Gitleaks v8 | GitHub Actions + infra gate |
| Dockerfile linting | Hadolint | GitHub Actions |
| Dependency / filesystem scanning | Trivy | GitHub Actions + Jenkins |
| Container image scanning | Trivy | Jenkins |
| IaC misconfiguration scanning | Trivy config | GitHub Actions infra gate |
| CVE threshold enforcement | Trivy + Jenkins gate | Jenkins, blocks publish |
| SBOM generation | Trivy CycloneDX | Jenkins, stored to S3 on every build |
| Database credentials | AWS SSM SecureString | Never in environment variables or logs |
| Container runtime | Distroless + non-root UID 65532 | All Docker images |
| Network authentication | mTLS at the ALB and API Gateway v2 | AWS ingress |
| IAM | Least privilege per Lambda / ECS task | Terraform |
| Runtime security | AWS GuardDuty: ECS Fargate agent + Lambda network logs | AWS, High/Critical findings → SNS |
| Automated rollback | Re-deploys the previous artifact SHA on any deploy failure | Jenkins deploy pipeline |
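The CVE gate that sits between the Trivy scan and the publish step (J5 to J7 in the build pipeline flowchart), as an added example that is not the repository's own `scripts/ci/security.sh` or Jenkinsfile logic. It assumes a Trivy JSON report produced with `trivy image --format json` (the CycloneDX SBOM would come from a separate `--format cyclonedx` run), counts findings per severity, and returns exit code 1 when the threshold is exceeded, which is what makes Jenkins stop before anything is pushed to S3 or ECR. The embedded report is a constructed sample with placeholder CVE IDs and image name.

```python
"""
CVE gate for Trivy JSON reports.

Added example for this README, not the repository's own pipeline code.
It assumes the Trivy schema v2 JSON layout: Results[].Vulnerabilities[],
each with Severity and FixedVersion. Thresholds default to zero CRITICAL
and zero HIGH, matching a strict "nothing reaches AWS" policy.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample Trivy report (schema v2). CVE IDs, package versions and
# the image name are placeholders, not real findings against this project.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "EXAMPLE.dkr.ecr.us-east-1.amazonaws.com/headend-gateway:abc1234",
    "Results": [
        {
            "Target": "headend-gateway (debian 13)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                 "Severity": "HIGH", "FixedVersion": "2.41-2"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3",
                 "Severity": "CRITICAL", "FixedVersion": ""},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
                 "Severity": "MEDIUM", "FixedVersion": "1.3.1-1"},
            ],
        },
        # Trivy omits the "Vulnerabilities" key entirely for a clean target.
        {"Target": "Cargo.lock"},
    ],
})


def count_by_severity(report_json: str, ignore_unfixed: bool = False) -> Counter:
    """Count vulnerabilities per severity across every target in the report.

    ignore_unfixed mirrors Trivy's --ignore-unfixed: findings with no
    FixedVersion are skipped. Leaving it off (the default here) is the
    stricter policy, since an unfixable CRITICAL still ships in the image.
    """
    report = json.loads(report_json)
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def evaluate_gate(counts: Counter, max_critical: int = 0, max_high: int = 0) -> dict:
    """Apply the threshold; a limit of 0 means none of that severity is allowed."""
    reasons = []
    if counts["CRITICAL"] > max_critical:
        reasons.append(f"CRITICAL {counts['CRITICAL']} > {max_critical}")
    if counts["HIGH"] > max_high:
        reasons.append(f"HIGH {counts['HIGH']} > {max_high}")
    return {"blocked": bool(reasons), "reasons": reasons}


def main(argv: list) -> int:
    """Usage: cve_gate.py [report.json]; falls back to the constructed sample."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    counts = count_by_severity(report_json)
    verdict = evaluate_gate(counts)
    print(" ".join(f"{sev}={counts[sev]}" for sev in SEVERITIES))
    if verdict["blocked"]:
        # Non-zero exit is what fails the Jenkins stage before publish.
        print("BLOCKED: " + "; ".join(verdict["reasons"]))
        return 1
    print("PASSED: artifacts may be published")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `python cve_gate.py report.json` after the Trivy stage; the gate evaluates before the publish stage so that a blocked build leaves nothing in S3 or ECR, while the archived report and SBOM remain available for triage.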
## Repository Structure

```
.
├── Jenkinsfile                    # Main build pipeline
├── Jenkinsfile.dev-deploy         # Dev deployment pipeline
├── Jenkinsfile.infra              # Terraform plan/apply pipeline
│
├── sentrics-core/                 # Core platform services (separate repo)
│   ├── resources-api/             # REST API Lambda (Rust)
│   ├── resources-change-logger/   # Audit Lambda (Rust)
│   ├── yardi-sync/                # Yardi EHR sync ECS service (Rust)
│   ├── infra/                     # Local Docker Compose stack
│   └── scripts/                   # CI scripts and dev tooling
│
├── ensure-cloud/                  # Ensure Cloud services (separate repo)
│   ├── headend-api/               # Headend HTTP API Lambda (Rust)
│   ├── headend-gateway/           # WebSocket gateway ECS service (Rust)
│   ├── core-change-publisher/     # Event publisher Lambda (Rust)
│   ├── pki/                       # Certificate API + step-ca (Rust + Docker)
│   ├── infra/                     # Local Docker Compose stack
│   └── scripts/                   # CI scripts and dev tooling
│
├── infra/                         # Terraform IaC — both stacks, single state
│   └── iac/
│
└── scripts/                       # Infra repo CI scripts and Jenkins agent setup
    ├── check.sh
    ├── common.sh
    ├── ci/
    │   ├── prereqs.sh
    │   └── security.sh
    └── jenkins/
        └── setup-jenkins-agent.sh
```
## Technology Stack

| Layer | Technology |
|-------|------------|
| Language | Rust 1.93.0 (Lambda + ECS services) |
| Lambda runtime | AWS Lambda on ARM64 (`provided.al2023`) |
| Container runtime | Distroless `cc-debian13:nonroot` |
| Infrastructure | Terraform ≥ 1.7 / AWS provider ≥ 5.0 |
| Database | PostgreSQL 16 on RDS |
| Messaging | AWS SNS + SQS |
| Event store | DynamoDB |
| Container registry | Amazon ECR |
| CI/CD | Jenkins (build + deploy) + GitHub Actions (security gates) |
| Local AWS emulation | LocalStack 4.x |
| Certificate authority | step-ca 0.30 |

## Local Development

Each stack has a local environment driven by Docker Compose. See the individual READMEs for full setup instructions:
- [sentrics-core/README.md](sentrics-core/README.md)
- [ensure-cloud/README.md](ensure-cloud/README.md)
**Prerequisites:**
- Docker + Docker Compose
- Rust 1.93.0 (`rustup toolchain install 1.93.0`)
- cargo-lambda 1.9.1 (`cargo install cargo-lambda --locked --version 1.9.1`)
**Run the pre-merge gates locally (from each repository root):**

```bash
./scripts/check.sh all        # security + lint + integration tests
./scripts/check.sh security   # security scan only
./scripts/check.sh lint       # clippy + rustfmt only
./scripts/check.sh test       # integration tests only
```
## Infrastructure Deployment

For Terraform setup, backend configuration and how to run plan/apply through the Jenkins infrastructure pipeline, see [infra/README.md](infra/README.md).