automated using bump-everywhere + more quality checks (#8 )

- new workflows - linting commands & linted stuff - security checks & fixed audited vulnerabilities - updated documentation
using deployment operations from aws-static-site-with-cd
2020-05-24 19:25:43 +01:00 · 2020-05-23 22:59:29 +01:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00
39 changed files with 3413 additions and 2594 deletions
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -1,91 +0,0 @@
 name: Build & deploy
 on:
  push:
    branches:
    - master
 jobs:
  build-and-deploy:
    runs-on: ubuntu-18.04
    steps:
      -
        name: "Prepare: Checkout"
        uses: actions/checkout@v1
      -
        name: "Prepare: Create AWS user profile"
        run: >-
          bash "aws/scripts/configure/create-user-profile.sh" \
            --profile user \
            --access-key-id ${{secrets.AWS_DEPLOYMENT_USER_ACCESS_KEY_ID}} \
            --secret-access-key ${{secrets.AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY}} \
            --region us-east-1
      -
        name: "Infrastructure: Deploy IAM stack"
        run: >-
          bash "aws/scripts/deploy/deploy-stack.sh" \
            --template-file aws/iam-stack.yaml \
            --stack-name privacysexy-iam-stack \
            --capabilities CAPABILITY_IAM  \
            --region us-east-1 --role-arn ${{secrets.AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
      -
        name: "Infrastructure: Deploy certificate stack"
        run: >-
          bash "aws/scripts/deploy/deploy-stack.sh" \
            --template-file aws/certificate-stack.yaml \
            --stack-name privacysexy-certificate-stack \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
      -
        name: "Infrastructure: Deploy DNS stack"
        run: >-
          bash "aws/scripts/deploy/deploy-stack.sh" \
            --template-file aws/dns-stack.yaml \
            --stack-name privacysexy-dns-stack \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
      -
        name: "Infrastructure: Deploy web stack"
        run: >-
          bash "aws/scripts/deploy/deploy-stack.sh" \
            --template-file aws/web-stack.yaml \
            --stack-name privacysexy-web-stack \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
      -
        name: "App: Setup node"
        uses: actions/setup-node@v1
        with:
          node-version: '11.x'
      -
        name: "App: Install dependencies"
        run: npm install
      -
        name: "App: Run tests"
        run: npm run test:unit
      - 
        name: "App: Build"
        run: npm run build
      -
        name: "App: Deploy to S3"
        run: >-
          bash "aws/scripts/deploy/deploy-to-s3.sh" \
            --folder dist \
            --web-stack-name privacysexy-web-stack --web-stack-s3-name-output-name S3BucketName \
            --storage-class ONEZONE_IA \
            --role-arn ${{secrets.AWS_S3_SITE_DEPLOYMENT_ROLE_ARN}} \
            --region us-east-1 \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
      -
        name: "App: Invalidate CloudFront cache"
        run: >-
          bash "aws/scripts/deploy/invalidate-cloudfront-cache.sh" \
            --paths "/*" \
            --web-stack-name privacysexy-web-stack --web-stack-cloudfront-arn-output-name CloudFrontDistributionArn \
            --role-arn ${{secrets.AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN}} \
            --region us-east-1 \
            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
--- a/.github/workflows/bump-and-release.yaml
+++ b/.github/workflows/bump-and-release.yaml
@@ -0,0 +1,23 @@
 name: Bump & release
 on:
  pull_request:
    types: [closed]
    branches:
      - master
  push: # Ensure a new release is created for each new tag
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
 jobs:
  bump-version-and-release:
    if: > # Push => Ensure only changes from master. PR => to not trigger when closing PR without merging
      (github.event_name == 'push' && github.event.base_ref == 'refs/heads/master')
      || github.event.pull_request.merged == true 
    runs-on: ubuntu-latest
    steps:
      - 
        uses: undergroundwires/bump-everywhere@master
        with:
          user: undergroundwires-bot
          release-token: ${{secrets.BUMP_GITHUB_PAT}} # Does not trigger release pipeline if we use default token: https://github.community/t5/GitHub-Actions/Github-Action-trigger-on-release-not-working-if-releases-was/td-p/34559
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,117 @@
 name: Build & deploy
 on:
 release:
   types: [created] # will be triggered when a NON-draft release is created and published.
 jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      -
        name: "Infrastructure: Checkout"
        uses: actions/checkout@v2
        with:
          path: aws
          repository: undergroundwires/aws-static-site-with-cd
      -
        name: "Infrastructure: Create AWS user profile & session name"
        run: >-
          bash "scripts/configure/create-user-profile.sh" \
            --profile user \
            --access-key-id ${{secrets.AWS_DEPLOYMENT_USER_ACCESS_KEY_ID}} \
            --secret-access-key ${{secrets.AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY}} \
            --region us-east-1 \
          && \
            echo "::set-env name=SESSION_NAME::${{github.actor}}-${{github.event_name}}-$(echo ${{github.sha}} | cut -c1-8)"
        working-directory: aws
      -
        name: "Infrastructure: Deploy IAM stack"
        run: >-
          bash "scripts/deploy/deploy-stack.sh" \
            --template-file stacks/iam-stack.yaml \
            --stack-name privacysexy-iam-stack \
            --capabilities CAPABILITY_IAM \
            --parameter-overrides "WebStackName=privacysexy-web-stack DnsStackName=privacysexy-dns-stack \
                                   CertificateStackName=privacysexy-cert-stack RootDomainName=privacy.sexy" \
            --region us-east-1 --role-arn ${{secrets.AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{ env.SESSION_NAME }}
        working-directory: aws
      -
        name: "Infrastructure: Deploy DNS stack"
        run: >-
          bash "scripts/deploy/deploy-stack.sh" \
            --template-file stacks/dns-stack.yaml \
            --stack-name privacysexy-dns-stack \
            --parameter-overrides "RootDomainName=privacy.sexy" \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{ env.SESSION_NAME }}
        working-directory: aws
      -
        name: "Infrastructure: Deploy certificate stack"
        run: >-
          bash "scripts/deploy/deploy-stack.sh" \
            --template-file stacks/certificate-stack.yaml \
            --stack-name privacysexy-cert-stack \
            --capabilities CAPABILITY_IAM \
            --parameter-overrides "IamStackName=privacysexy-iam-stack RootDomainName=privacy.sexy DnsStackName=privacysexy-dns-stack" \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{ env.SESSION_NAME }}
        working-directory: aws
      -
        name: "Infrastructure: Deploy web stack"
        run: >-
          bash "scripts/deploy/deploy-stack.sh" \
            --template-file stacks/web-stack.yaml \
            --stack-name privacysexy-web-stack \
            --parameter-overrides "CertificateStackName=privacysexy-cert-stack DnsStackName=privacysexy-dns-stack \
                                   RootDomainName=privacy.sexy UseDeepLinks=true" \
            --capabilities CAPABILITY_IAM \
            --region us-east-1 \
            --role-arn ${{secrets.AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN}} \
            --profile user --session ${{ env.SESSION_NAME }}
        working-directory: aws
      -
        name: "App: Checkout"
        uses: actions/checkout@v2
        with:
          path: site
          ref: master # otherwise we don't get version bump commit
      -
        name: "App: Setup node"
        uses: actions/setup-node@v1
        with:
          node-version: '14.x'
      -
        name: "App: Install dependencies"
        run: npm install
        working-directory: site
      -
        name: "App: Run tests"
        run: npm run test:unit
        working-directory: site
      - 
        name: "App: Build"
        run: npm run build
        working-directory: site
      -
        name: "App: Deploy to S3"
        run: >-
          bash "aws/scripts/deploy/deploy-to-s3.sh" \
            --folder site/dist \
            --web-stack-name privacysexy-web-stack --web-stack-s3-name-output-name S3BucketName \
            --storage-class ONEZONE_IA \
            --role-arn ${{secrets.AWS_S3_SITE_DEPLOYMENT_ROLE_ARN}} \
            --region us-east-1 \
            --profile user --session ${{ env.SESSION_NAME }}
      -
        name: "App: Invalidate CloudFront cache"
        run: >-
          bash "aws/scripts/deploy/invalidate-cloudfront-cache.sh" \
            --paths "/*" \
            --web-stack-name privacysexy-web-stack --web-stack-cloudfront-arn-output-name CloudFrontDistributionArn \
            --role-arn ${{secrets.AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN}} \
            --region us-east-1 \
            --profile user --session ${{ env.SESSION_NAME }}
--- a/.github/workflows/quality-checks.yaml
+++ b/.github/workflows/quality-checks.yaml
@@ -0,0 +1,37 @@
 name: Quality checks
 on:
  pull_request:
    branches:
      - master
 jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: 14.x
      -
        name: Install dependencies
        run: npm ci
      -
        name: Lint vue
        run: npm run lint:vue
      -
        name: Lint yaml
        run: npm run lint:yaml
      -
        name: 'Validate md: Relative URLs'
        run: npm run lint:md:relative-urls
      -
        name: 'Validate md: Enforce standards'
        run: npm run lint:md
      -
        name: 'Validate md: Ensure consistency'
        run: npm run lint:md:consistency
--- a/.github/workflows/security-checks.yaml
+++ b/.github/workflows/security-checks.yaml
@@ -0,0 +1,24 @@
 name: Security checks
 on:
  pull_request:
    branches:
      - master
  schedule:
    - cron: '0 0 * * 0'
 jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Setup node
        uses: actions/setup-node@v1
        with:
          node-version: 14.x
      -
        name: NPM audit
        run: npm audit
--- a/.github/workflows/run-tests.yaml
+++ b/.github/workflows/run-tests.yaml
@@ -1,26 +1,25 @@
-name: Run tests
+name: Test
 on:
-  push:
+  pull_request:
    branches:
-      - '*'
+      - master
      - '!master'
 jobs:
-  build-and-deploy:
+  run-tests:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v2
      -
        name: Setup node
        uses: actions/setup-node@v1
        with:
-          node-version: '11.x'
+          node-version: '14.x'
      -
        name: Install dependencies
-        run: npm install
+        run: npm ci
      -
        name: Run tests
        run: npm run test:unit
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -0,0 +1,4 @@
 {
    "default": true,
    "MD013": false
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,47 +0,0 @@
 # Changelog
 - All notable changes to this project will be documented in this file.
 ## Unreleased
 ## [0.4.1] - 2020-01-11
 - Fixed & improved search
 - Hiding grouping while searching
 - Showing search queries when searching
 ## [0.4.0] - 2020-01-11
 - Added search
 - Some styling improvements
 - Better organization of scripts + more scripts
 ## [0.3.0] - 2020-01-09
 - Added support for grouping
 - Added some meta tags
 - Added "Disable NVIDIA telemetry" script
 - Added legacy browser compatibility for fonts & changed main font
 ## [0.2.0] - 2020-01-06
 - Fixed typo in generated code.
 - Better URL validation for documentation links in `application.yaml`.
 - Slightly faster parsing of `application.yaml`
 - Styled no JS error that's shown when JavaScript is disabled.
 - The default selection is now *None* & instruction text is shown in code box when nothing is selected.
 - Added hyphen lines when rendering of long function names
 - Changed subtitle: added version as footer instead.
 ## [0.1.0] - 2019-12-31
 - Initial release
 ## All releases
 - [Unreleased] : https://github.com/undergroundwires/privacy.sexy/compare/v0.4.1...HEAD
 - [v0.4.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.4.0...v0.4.1
 - [v0.4.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.3.0...v0.4.0
 - [v0.3.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.2.0...v0.3.0
 - [v0.2.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.1.0...v0.2.0
 - [v0.1.0] : https://github.com/undergroundwires/privacy.sexy/releases/tag/v0.1.0
--- a/README.md
+++ b/README.md
@@ -1,17 +1,20 @@
 # privacy.sexy
-![Build & deploy status](https://github.com/undergroundwires/privacy.sexy/workflows/Build%20&%20deploy/badge.svg)
+> Web tool to enforce privacy & security best-practices on Windows, because privacy is sexy 🍑🍆
-![Vulnerabilities](https://snyk.io/test/github/undergroundwires/privacy.sexy/badge.svg)
+
 [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/undergroundwires/privacy.sexy/issues)
 [![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/undergroundwires/privacy.sexy.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/undergroundwires/privacy.sexy/context:javascript)
 [![Maintainability](https://api.codeclimate.com/v1/badges/3a70b7ef602e2264342c/maintainability)](https://codeclimate.com/github/undergroundwires/privacy.sexy/maintainability)
-
+[![Tests status](https://github.com/undergroundwires/privacy.sexy/workflows/Test/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
-Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it.
+[![Quality checks status](https://github.com/undergroundwires/privacy.sexy/workflows/Quality%20checks/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
-> because privacy is sexy 🍑🍆
+[![Security checks status](https://github.com/undergroundwires/privacy.sexy/workflows/Security%20checks/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
 [![Bump & release status](https://github.com/undergroundwires/privacy.sexy/workflows/Bump%20&%20release/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
 [![Deploy status](https://github.com/undergroundwires/privacy.sexy/workflows/Build%20&%20deploy/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
 [![Auto-versioned by bump-everywhere](https://github.com/undergroundwires/bump-everywhere/blob/master/badge.svg?raw=true)](https://github.com/undergroundwires/bump-everywhere)
 [https://privacy.sexy](https://privacy.sexy)
-## Why privacy.sexy
+## Why
 - You don't need to run any compiled software on your system, just run the generated scripts.
 - It's open source, both application & infrastructure is 100% transparent
@@ -21,7 +24,7 @@ Web tool to generate scripts for enforcing privacy & security best-practices suc
 ## Extend scripts
-Fork it & add more scripts in `src/application/application.yml` and send a pull request 👌
+Fork it & add more scripts in [application.yaml](src/application/application.yaml) and send a pull request 👌
 ## Commands
@@ -50,77 +53,22 @@ Fork it & add more scripts in `src/application/application.yml` and send a pull
  - **Application Layer**
    - Keeps the application state
      - The [state](src/application/State/ApplicationState.ts) is a mutable singleton & event producer.
-    - The application is defined & controlled in a [single YAML file](`\application\application.yaml`) (see [Data-driven programming](https://en.wikipedia.org/wiki/Data-driven_programming))
+    - The application is defined & controlled in a [single YAML file](src/application/application.yaml) (see [Data-driven programming](https://en.wikipedia.org/wiki/Data-driven_programming))
 ![DDD + vue.js](docs/app-ddd.png)
 ### AWS Infrastructure
- The application runs in AWS 100% serverless and automatically provisioned using [CloudFormation files](/aws) and GitHub Actions.
+[![AWS solution](docs/aws-solution.png)](https://github.com/undergroundwires/aws-static-site-with-cd)
 - Maximum security & automation and minimum AWS costs were the highest priorities of the design.
-![AWS solution](docs/aws-solution.png)
+- It uses infrastructure from the following repository: [aws-static-site-with-cd](https://github.com/undergroundwires/aws-static-site-with-cd)
  - Runs on AWS 100% serverless and automatically provisioned using [GitHub Actions](.github/workflows/).
  - Maximum security & automation and minimum AWS costs are the highest priorities of the design.
 #### GitOps: CI/CD to AWS
 - CI/CD is fully automated for this repo using different GIT events & GitHub actions.
  - Versioning, tagging, creation of `CHANGELOG.md` and releasing is automated using [bump-everywhere](https://github.com/undergroundwires/bump-everywhere) action
 - Everything that's merged in the master goes directly to production.
  - Deploy infrastructure ► Deploy web application ► Invalidate CloudFront Cache
 - See more at [build-and-deploy.yaml](.GitHub/workflows/build-and-deploy.yaml)
-![CI/CD to AWS with GitHub Actions](docs/ci-cd.png)
+[![CI/CD to AWS with GitHub Actions](docs/gitops.png)](.github/workflows/)
 ##### CloudFormation
 ![CloudFormation design](docs/aws-cloudformation.png)
 - AWS infrastructure is defined as code with following files:
  - `iam-stack`: Creates & updates the deployment user.
    - Everything in IAM layer is fine-grained using least privileges principle.
    - Each deployment step has its own temporary credentials with own permissions.
  - `certificate-stack.yaml`
    - It'll generate SSL certification for the root domain and www subdomain.
    - ❗ It [must](https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-invalid-viewer-certificate/) be deployed in `us-east-1` to be able to be used by CloudFront by `web-stack`.
    - It uses CustomResource and a lambda instead of native `AWS::CertificateManager::Certificate` because:
      - Problem:
        - AWS variant waits until a certificate is validated.
        - There's no way to automate validation without workaround.
      - Solution:
        - Deploy a lambda that deploys the certificate (so we don't wait until certificate is validated)
        - Get DNS records to be used in validation & export it to be used later.
  - `web-stack.yaml`: It'll deploy S3 bucket and CloudFront in front of it.
  - `dns-stack.yaml`: It'll deploy Route53 hosted zone
    - Each time Route53 hosted zone is re-created it's required to update the DNS records in the domain registrar. See *Configure your domain registrar*.
 - I use cross stacks instead of single stack or nested stacks because:
  - Easier to test & maintain & smaller files and different lifecycles for different areas.
  - It allows to deploy web bucket in different region than others as other stacks are global (`us-east-1`) resources.
 ##### Initial deployment
 - ❗ Prerequisite: A registered domain name for website.
 1. **Configure build agent (GitHub actions)**
   - Deploy manually `iam-stack.yaml` with stack name `privacysexy-iam-stack` (to follow the convention)
     - It'll give you deploy user. Go to console &  generate secret id + key (Security credentials => Create access key) for the user [IAM users](https://console.aws.amazon.com/iam/home#/users).
       - 🚶 Deploy secrets:
         - Add secret id & key in GitHub Secrets.
           - `AWS_DEPLOYMENT_USER_ACCESS_KEY_ID`, `AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY`
         - Add more secrets given from Outputs section of the CloudFormation stack.
     - Run GitHub actions to deploy rest of the application.
       - It'll run `certificate-stack.yaml` and then `iam-stack.yaml`.
 2. **Configure your domain registrar**
   - ❗ **Web stack will fail** after DNS stack because you need to validate your domain.
   - 🚶 Go to your domain registrar and change name servers to NS values
     - `dns-stack.yaml` outputs those in CloudFormation stack.
     - You can alternatively find those in [Route53](https://console.aws.amazon.com/route53/home#hosted-zones)
   - When nameservers of your domain updated, the certification will get validated automatically, you can then delete the failed stack in CloudFormation & re-run the GitHub actions.
 ## Thank you for the awesome projects 🍺
 - [Vue.js](https://vuejs.org/) the only big JavaScript framework that's not backed by companies that make money off your data.
 - [liquor-tree](https://GitHub.com/amsik/liquor-tree) for the awesome & super extensible tree component.
 - [Ace](https://ace.c9.io/) for code box.
 - [FileSaver.js](https://GitHub.com/eligrey/FileSaver.js) for save file dialog.
 - [chai](https://GitHub.com/chaijs/chai) & [mocha](https://GitHub.com/mochajs/mocha) for making testing fun.
 - [js-yaml-loader](https://GitHub.com/wwilsman/js-yaml-loader) for ahead of time loading `application.yml`
 - [v-tooltip](https://GitHub.com/Akryum/v-tooltip) takes seconds to have a tooltip, exactly what I needed.
--- a/aws.drawio
+++ b/aws.drawio
@@ -1 +0,0 @@
 <mxfile host="www.draw.io" modified="2019-12-27T14:40:11.720Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="6t_Q0ZRAKXZ_lLm1WdcF" version="12.4.3" type="device" pages="1"><diagram id="pFg2tUHn5hOZkmQyf_J4" name="Page-1">7Vvtd6I4F/9r+lEOEMLLR23rzJzdme3qPLMvXzwUomaLxA2x1f3rnwSIEoIWFdqd3bXnKLmEJNz7u69Jb8DtavuBhuvlZxKj5MY24+0NuLux7SAA/FsQdgXBD8yCsKA4LkjWgTDFf6GSKLttcIwypSMjJGF4rRIjkqYoYgotpJS8qN3mJFFnXYcLpBGmUZjo1F9wzJblW0DzQP+I8GIpZ7bM8s4qlJ1LQrYMY/JSIYH7G3BLCWHF1Wp7ixLBO8mX4rnxkbv7hVGUsjYPfB19Hf0+Wf6+DcbR9Mtksvm2hANYjPIcJpvyhe/IKsQpp03QAmeMhrRcPttJnqwJThmi9898ZsFe6waM9m9n8kYcZksUl40lWyWyE6PkCd2ShFBOSUnKBxzNcZJI0o0NoCn+OD0JH1HyQDLMMEn5vQiJSfmNZ0QZ5hL6sdbhkTBGVpUOwwQvxA1G1pxKNizBKZ9dAkVMEpZd9oPz91iL11xtFwLPBpnPcYSMDNFn/psZVHJlVpL4M7okSuGIhaBthVRK5gMiK8Tojncp79qeXzxSqgmQ+H85gA66BWlZwRu0S6iXMF/sRz4ggV+UYDgDGJatIUPDASWbNN7L+WWJGZquQ8GSuxfOPFX2e0xYNZmXMFCxwYEQe8GjaXbDXslNyd1A564r9bTKXuCYffEXvM5fiUW8yo1UlZvNEH9VM3KdGoXR0yKXXYXb8/zDu+STDbN1RUdkY463QoKjcj13S8aEFR4KTtjjKE5tA3M7PMccFdSI+Iz2OA5ZyH8EPeO/4Sr8i6SD8CUbZAylEU4ENTea4y/8xrRQqtmUT4m55s0ist7NZsNfprPbhGxijkvfWKeLDjAxMA1gBpWP76kgcW0dJIGOEUm7BiJ/bp/idPL8FMApjNFk+8N6+/NA18CcBWNK+DvXsdJo3ea8Z0XG/G8s5h9x0xZjpNwLHHg3tiv37jDlAxX4SQkVHNBM9RCYI9iku3s0KZ7gQsOt2eiKHog3LIMGy5btkiuN2K3bd45Ehxv1jGxohD5FYj0j3iyu1F6R4P485343RslXrZJrAg1w0i1UASdpnQNON0lTTjJHm+gJdY841xwC4J2HONvzLMv91yAuA90gDToq0mDgGa7zvmDTI0+JM/OBJDjadQu45mDzCJ7Kzn87KB0JvHV4rQsOdgIexwlU8EDdTEHfkAMr0WkH0VMjeFwNPBOODsRJcnH/uca3NFRUcH8GOzJXAKjmyrGC97VVnh6JCXHw+DTMQfc5THlErCfKjcjrW+4NYgRGdFjvbFWsdmbrsPVgcHvKfHZhTmquCDiNrggYsCHUBj0J2NcEfJ/OCYc9z07cRMR7j1y67kJcffz69WGqiRrFCyS1S5gEsiBpmNwfqCM1Wz70+ZEIkeai+wMxtit1NtwwogqW85zufq02fhODGVA277bl4EVrV209IIo5rwRY7k4m1YW6n+BVmZawkC4Qe11pBGNO4oKiJGT4Wa23NUm4fPRBOMFKFO2qlRPoBgb0LMf2i29PHbB4vXKMarWsNqzt2IbFAed5rmfbZmB558xSMEebJcfm/tUvh6ulB08TFOdeKXsPZBZOTtZH7avg5baEl/028OKiNZQigQoDD14GL+Aq8PIDeHrcngEli0//smpUil4GOxTSgYhyko1YnyALfzSukAZm0GHdybUMT5U2MC3dATZUI72+wmlbz/xVbq4pfg6jnZGhrZ6XfWcGRkK7amFO7Y30bWGAr+ZXPN9SXIt7oQfbF7nLce2gBp++bYqjgSqf63vyUKdw8aqHclvip5SXaXCnUD5zLaQsqxdI2Y5v+JWBaoUB4LYC2JDScFfptt6j4piC1HZvHLuG12LE2tNyeDKfZ6gfhOtpA0/1GE43ZMPfx4zROiG6vbw+Edhi9qsM7vl1JQ3grUMWIBoyCejUgrbVAHCuBlhWYCuyHgTXKcQbgECPxT9gttw8fv8BlPlqAEUiJi8tUxj88SqkT4NFzoAuYya3VhFym6sGPQVNz2vPu/92v8tcb/fTty+TzAzmA0uT+08UL/KjE8MoQpmwAJ9i/s6YvUkt+9azgDX+59WyKUkOpScNMg3AOn7IwndUhwVB220Qx+kJRXri9TG8JEK6JCaqHtnh6o0jxVdUoGXmH9FrQ5/3hzgajXtnNaXjOnfCf0DLUVMrv5N4qn46B/r2ZQEUcLiP24dh/FsZ1gXtykjnBlB8veryPbdNACXPSfhNHO3UsTbKWk8fhkkizvMJcYbxu6QRHUK+IYa6APID0zDBlTGS3CSGgeF7PAfJt0UDUxW7C4Im5J6rAC6oQd6EhgUq9bVeFMDR9NdvowD9Y1zfx3wz69+XKQc6ro/j/xSubUv11t2kxrC2twi9GuTaIhlaavbrgnbllXOxq53daGe8Zf4kz3H2j2V9k3TyXmb6WLLbV6xyXBF62I/oagcCng5FeisWNns53RL+L0M6eN6ldtIleNq6/cLcdQ4fLZEOLoQPdKChhtqOC7jN5jmV5zqO67mB86YIatjDeAU95xxYF42HkPGENc0pttn2GPujz1l1QNFVCSw0a9Jr2DgKGmogltnBGeVmruvVr32U/kI5f/tU4b3a/la506UKnwTapQ7gEOFAt7YRuPfWV2q5452y7bB+jKa1zgNvf8xvd5jJdDzXCuR3K6V/yxjb1l3Lp+FnTuAOhmro/K8w17owF8Zxfiaw2TZ2Yu4CDW+O/p87jfW6vqq+tqdBphrQlkKtVtM6s3DmSQunVPOOV/C6Co1bm8YTHa+Ibq6SoYxtNYvwgfumtSZfDmDWlF80Ofma6s/9CEVRk4bWFXmF4zhPfpqiEtVltghM3jHWsM/XPHHaZv9vsIXZP/wvMbj/Pw==</diagram></mxfile>
--- a/aws/certificate-stack.yaml
+++ b/aws/certificate-stack.yaml
@@ -1,211 +0,0 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Creates certificate for the root + www subdomain. !! It must be deployed in us-east-1 to be able to be used by CloudFront.
 Parameters:
  RootDomainName:
    Type: String
    Default: privacy.sexy
    Description: The root DNS name of the website e.g. privacy.sexy
    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
    ConstraintDescription: Must be a valid root domain name
  IamStackName:
    Type: String
    Default: privacysexy-iam-stack
    Description: Name of the IAM stack.
 Resources:
  # The lambda workaround exists to be able to automate certificate deployment.
  # Problem:
  #   Normally AWS AWS::CertificateManager::Certificate waits until a certificate is validated
  #   And there's no way to get validation DNS records from it to validate it.
  # Solution:
  #   Deploy a lambda that deploys the certificate (so we don't wait until certificate is validated)
  #   Get DNS records to be used in validation & export it to be used later.
  AcmCertificateForHostedZone:
    Type: Custom::VerifiableCertificate #A Can use AWS::CloudFormation::CustomResource or Custom::String
    Properties:
      ServiceToken: !GetAtt ResolveCertificateLambda.Arn
      # Lambda gets the following data:
      RootDomainName: !Ref RootDomainName # Lambda will create both for root and www.root
      Tags:
        -
          Key: Name
          Value: !Ref RootDomainName
        -
          Key: Application
          Value: privacy.sexy
  ResolveCertificateLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: Deploys certificate for root domain name + www and returns immediately arn + verification records.
      Role:
        Fn::ImportValue: !Join [':', [!Ref IamStackName, ResolveCertificateLambdaRoleArn]]
      FunctionName: !Sub ${AWS::StackName}-cert-resolver-lambda # StackName- required for role to function
      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 30
      Tags: 
        -
          Key: Application
          Value: privacy.sexy
      Code:
        # Inline script is not the best way. Some variables are named shortly to not exceed the limit 4096 but it's the cheapest way (no s3 file)
        ZipFile: >
          'use strict';
          const aws = require('aws-sdk');
          const acm = new aws.ACM();
          const log = (t) => console.log(t);
          exports.handler = async (event, context) => {
            log(`Request recieved:\n${JSON.stringify(event)}`);
            const userData = event.ResourceProperties;
            const rootDomain = userData.RootDomainName;
            let data = null;
            try {
              switch(event.RequestType) {
                case 'Create':
                  data = await handleCreateAsync(rootDomain, userData.Tags);
                  break;
                case 'Update':
                  data = await handleUpdateAsync();
                  break;
                case 'Delete':
                  data = await handleDeleteAsync(rootDomain);
                  break;
              }
              await sendResponseAsync(event, context, 'SUCCESS', data);
            } catch(error) {
              await sendResponseAsync(event, context, 'ERROR', {
                title: `Failed to ${event.RequestType}, see error`,
                error: error
              });
            }
          }
          async function handleCreateAsync(rootDomain, tags) {
            const { CertificateArn } = await acm.requestCertificate({
              DomainName: rootDomain,
              SubjectAlternativeNames: [`www.${rootDomain}`],
              Tags: tags,
              ValidationMethod: 'DNS',
            }).promise();
            log(`Cert requested:${CertificateArn}`);
            const waitAsync = (ms) => new Promise(resolve => setTimeout(resolve, ms));
            const maxAttempts = 10;
            let options = undefined;
            for (let attempt = 0; attempt < maxAttempts && !options; attempt++) {
              await waitAsync(2000);
              const { Certificate } = await acm.describeCertificate({ CertificateArn }).promise();
              if(Certificate.DomainValidationOptions.filter((o) => o.ResourceRecord).length === 2) {
                options = Certificate.DomainValidationOptions;
              }
            }
            if(!options) {
              throw new Error(`No records after ${maxAttempts} attempts.`);
            }
            return getResponseData(options, CertificateArn, rootDomain);
          }
          async function handleDeleteAsync(rootDomain) {
            const certs = await acm.listCertificates({}).promise();
            const cert = certs.CertificateSummaryList.find((cert) => cert.DomainName === rootDomain);
            if (cert) {
              await acm.deleteCertificate({ CertificateArn: cert.CertificateArn }).promise();
              log(`Deleted ${cert.CertificateArn}`);
            } else {
              log('Cannot find'); // Do not fail, delete can be called when e.g. CF fails before creating cert
            }
            return null;
          }
          async function handleUpdateAsync() {
            throw new Error(`Not yet implemented update`);
          }
          function getResponseData(options, arn, rootDomain) {
            const findRecord = (url) => options.find(option => option.DomainName === url).ResourceRecord;
            const root = findRecord(rootDomain);
            const www = findRecord(`www.${rootDomain}`);
            const data = {
                CertificateArn: arn,
                RootVerificationRecordName: root.Name,
                RootVerificationRecordValue: root.Value,
                WwwVerificationRecordName: www.Name,
                WwwVerificationRecordValue: www.Value,
            };
            return data;
          }
          /* cfn-response can't async / await :( */
          async function sendResponseAsync(event, context, responseStatus, responseData, physicalResourceId) {
            return new Promise((s, f) => {
              var b = JSON.stringify({
                        Status: responseStatus,
                        Reason: `See the details in CloudWatch Log Stream: ${context.logStreamName}`,
                        PhysicalResourceId: physicalResourceId || context.logStreamName,
                        StackId: event.StackId,
                        RequestId: event.RequestId,
                        LogicalResourceId: event.LogicalResourceId,
                        Data: responseData
              });
              log(`Response body:\n${b}`);
              var u = require("url").parse(event.ResponseURL);
              var r = require("https").request(
                {
                  hostname: u.hostname,
                  port: 443,
                  path: u.path,
                  method: "PUT",
                  headers: {
                    "content-type": "",
                    "content-length": b.length
                  }
                }, (p) => {
                  log(`Status code: ${p.statusCode}`);
                  log(`Status message: ${p.statusMessage}`);
                  s(context.done());
                });
              r.on("error", (e) => {
                log(`request failed: ${e}`);
                f(context.done(e));
              });
              r.write(b);
              r.end();
            });
          }
 Outputs:
  CertificateArn:
    Description: The Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
    Value: !GetAtt AcmCertificateForHostedZone.CertificateArn
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', CertificateArn ]]
  RootVerificationRecordName:
    Description: Name for root domain CNAME verification record
    Value: !GetAtt AcmCertificateForHostedZone.RootVerificationRecordName
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', RootVerificationRecordName ]]
  RootVerificationRecordValue:
    Description: Value for root domain name CNAME verification record
    Value: !GetAtt AcmCertificateForHostedZone.RootVerificationRecordValue
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', RootVerificationRecordValue ]]
  WwwVerificationRecordName:
    Description: Name for www domain name CNAME verification record
    Value: !GetAtt AcmCertificateForHostedZone.WwwVerificationRecordName
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', WwwVerificationRecordName ]]
  WwwVerificationRecordValue:
    Description: Value for www domain name CNAME verification record
    Value: !GetAtt AcmCertificateForHostedZone.WwwVerificationRecordValue
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', WwwVerificationRecordValue ]]
--- a/aws/dns-stack.yaml
+++ b/aws/dns-stack.yaml
@@ -1,61 +0,0 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Creates hosted zone & sets up records for the CloudFront URL.
 Parameters:
  RootDomainName:
    Type: String
    Default: privacy.sexy
    Description: The root DNS name of the website e.g. privacy.sexy
    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
    ConstraintDescription: Must be a valid root domain name
  CertificateStackName:
    Type: String
    Default: privacysexy-certificate-stack
    Description: Name of the certificate stack.
 Resources:
  DNSHostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref RootDomainName
      HostedZoneConfig:
        Comment: !Join ['', ['Hosted zone for ', !Ref RootDomainName]]
      HostedZoneTags:
        -
          Key: Application
          Value: privacy.sexy
  CertificateValidationDNSRecords:
    Type: AWS::Route53::RecordSetGroup
    Properties: 
      HostedZoneId: !Ref DNSHostedZone
      RecordSets:
        -
          Name: 
            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, RootVerificationRecordName]]
          Type: 'CNAME'
          TTL: '60'
          ResourceRecords:
            - Fn::ImportValue: !Join [':', [!Ref CertificateStackName, RootVerificationRecordValue]]
        -
          Name: 
            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, WwwVerificationRecordName]]
          Type: 'CNAME'
          TTL: '60'
          ResourceRecords:
            - Fn::ImportValue: !Join [':', [!Ref CertificateStackName, WwwVerificationRecordValue]]
 Outputs:
  DNSHostedZoneNameServers:
    Description: Name servers to update in domain registrar.
    Value: !Join ['           ', !GetAtt DNSHostedZone.NameServers]
  DNSHostedZoneId:
    Description: The ID of the hosted zone that you want to create the record in.
    Value: !Ref DNSHostedZone
    Export:
      Name: !Join [':', [ !Ref 'AWS::StackName', DNSHostedZoneId ]]
--- a/aws/iam-stack.yaml
+++ b/aws/iam-stack.yaml
@@ -1,496 +0,0 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: |-
  > Deploys the identity management for the deployment
 # Granulatiy cheatsheet: https://iam.cloudonaut.io/
 Parameters:
    WebStackName:
      Type: String
      Default: privacysexy-web-stack
      Description: Name of the web stack.
    DnsStackName:
      Type: String
      Default: privacysexy-dns-stack
      Description: Name of the DNS stack.
    CertificateStackName:
      Type: String
      Default: privacysexy-certificate-stack
      Description: Name of the IAM stack.
 Resources:
  # -----------------------------
  # ------ User & Group ---------
  # -----------------------------
  DeploymentGroup:
    Type: AWS::IAM::Group
    Properties: 
      # GroupName: No hardcoded naming because of easier CloudFormation management
      ManagedPolicyArns:
        - !Ref AllowValidateTemplatePolicy
  DeploymentUser:
    Type: AWS::IAM::User
    Properties:
    #   # UserName: No hardcoded naming because of easier CloudFormation management
    #   # Policies: Assing policies on group level
      Tags:
        -
          Key: Application
          Value: privacy.sexy
  AddDeploymentUserToDeploymentGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref DeploymentGroup
      Users:
        - !Ref DeploymentUser
  # -----------------------------
  # ----------- Roles -----------
  # -----------------------------
  IamStackDeployRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Allows to deploy IAM stack
      AssumeRolePolicyDocument:
        Statement:
          -
            Effect: Allow
            Principal:
              AWS: !GetAtt DeploymentUser.Arn
            Action: sts:AssumeRole
      Tags:
        -
          Key: Application
          Value: privacy.sexy
      ManagedPolicyArns: 
        - !Ref CloudFormationDeployPolicy
        - !Ref PolicyDeployPolicy
        - !Ref IamStackDeployPolicy
  CertificateStackDeployRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Allows to deploy certificate stack
      AssumeRolePolicyDocument:
        Statement:
          -
            Effect: Allow
            Principal:
              AWS: !GetAtt DeploymentUser.Arn
            Action: sts:AssumeRole
      Tags:
        -
          Key: Application
          Value: privacy.sexy
      ManagedPolicyArns: 
        - !Ref CloudFormationDeployPolicy
        - !Ref LambdaBackedCustomResourceDeployPolicy
  DnsStackDeployRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Allows to deploy DNS stack
      AssumeRolePolicyDocument:
        Statement:
          -
            Effect: Allow
            Principal:
              AWS: !GetAtt DeploymentUser.Arn
            Action: sts:AssumeRole
      Tags:
        -
          Key: Application
          Value: privacy.sexy
      ManagedPolicyArns: 
        - !Ref CloudFormationDeployPolicy
        - !Ref DnsStackDeployPolicy
  WebStackDeployRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Allows to deploy web stack
      AssumeRolePolicyDocument:
        Statement:
          -
            Effect: Allow
            Principal:
              AWS: !GetAtt DeploymentUser.Arn
            Action: sts:AssumeRole
      Tags:
        -
          Key: Application
          Value: privacy.sexy
      ManagedPolicyArns: 
        - !Ref CloudFormationDeployPolicy
        - !Ref WebStackDeployPolicy
  S3SiteDeployRole:
      Type: 'AWS::IAM::Role'
      Properties:
        Description: "Allows to deploy website to S3"
        AssumeRolePolicyDocument:
          Statement:
            -
              Effect: Allow
              Principal:
                AWS: !GetAtt DeploymentUser.Arn
              Action: sts:AssumeRole
        Tags:
          -
            Key: Application
            Value: privacy.sexy
        ManagedPolicyArns:
          - !Ref S3SiteDeployPolicy
          - !Ref StackExportReaderPolicy
  CloudFrontSiteDeployRole:
      Type: 'AWS::IAM::Role'
      Properties:
        Description: "Allows to informs to CloudFront to renew its cache from S3"
        AssumeRolePolicyDocument:
          Statement:
            -
              Effect: Allow
              Principal:
                AWS: !GetAtt DeploymentUser.Arn
              Action: sts:AssumeRole
        Tags:
          -
            Key: Application
            Value: privacy.sexy
        ManagedPolicyArns:
          - !Ref CloudFrontInvalidationPolicy
          - !Ref StackExportReaderPolicy
  ResolveCertificateLambdaRole: # See certificate stack
    Type: AWS::IAM::Role
    Properties:
      Description: Allow deployment of certificates
      AssumeRolePolicyDocument:
        Statement:
          -
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - !Ref CertificateDeployPolicy
  # --------------------------------
  # ----------- Policies -----------
  # --------------------------------
  AllowValidateTemplatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "No read & writes to resources, reveals just basic CloudFormation API to be used for validating templates"
      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowCloudFormationTemplateValidation
            Effect: Allow
            Action:
              - cloudformation:ValidateTemplate
            Resource: '*'
  CloudFormationDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Allows deploying CloudFormation using CLI command 'aws cloudformation deploy' (with change sets)"
      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowCloudFormationStackOperations
            Effect: Allow
            Action:
              - cloudformation:GetTemplateSummary
              - cloudformation:DescribeStacks
              - cloudformation:CreateChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:DescribeChangeSet
            Resource:
              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${WebStackName}/*
              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${DnsStackName}/*
              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${AWS::StackName}/*
              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${CertificateStackName}/*
  IamStackDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deploying IAM CloudFormation stack.
      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowUserArnExport
            Effect: Allow
            Action:
              - iam:GetUser
            Resource:
              - !GetAtt DeploymentUser.Arn
          -
            Sid: AllowTagging
            Effect: Allow
            Action:
              - iam:TagResource
            Resource:
              - !Sub arn:aws:cloudformation::${AWS::AccountId}:stack/${AWS::StackName}/*
              - !GetAtt DeploymentUser.Arn
          -
            Sid: AllowRoleDeployment
            Effect: Allow
            Action:
              - iam:CreateRole
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-*
  LambdaBackedCustomResourceDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deploying a lambda-backed custom resource.
      # ManagedPolicyName: # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowLambdaDeployment
            Effect: Allow
            Action:
              - lambda:GetFunction
              - lambda:DeleteFunction
              - lambda:CreateFunction
              - lambda:GetFunctionConfiguration
              - lambda:InvokeFunction
            Resource:
              - !Sub arn:aws:lambda:*:${AWS::AccountId}:function:${CertificateStackName}*
          -
            Sid: AllowPassingLambdaRole
            Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              - !GetAtt ResolveCertificateLambdaRole.Arn
  CertificateDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deploying certifications stack.
      # ManagedPolicyName: # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowCertificateDeployment
            Effect: Allow
            Action:
              - acm:RequestCertificate
              - acm:DescribeCertificate
              - acm:DeleteCertificate
              - acm:AddTagsToCertificate
              - acm:ListCertificates
            Resource: '*' # Certificate Manager does not support resource level IAM
  PolicyDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deployment of policies
      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowPolicyUpdates
            Effect: Allow
            Action:
              - iam:ListPolicyVersions
              - iam:CreatePolicyVersion
              - iam:DeletePolicyVersion
              - iam:CreatePolicy 
              - iam:DeletePolicy 
              - iam:GetPolicy
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:policy/${AWS::StackName}-* # when ManagedPolicyName is not given policies get name like StackName-*
          -
            Sid: AllowPoliciesOnRoles
            Effect: Allow
            Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:GetRole
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-*
          - 
            Sid: AllowPolicyAssigmentToGroup
            Effect: Allow
            Action:
              - iam:AttachGroupPolicy
              - iam:DetachGroupPolicy
            Resource:
              - !GetAtt DeploymentGroup.Arn
          - 
            Sid: AllowGettingGroupInformation
            Effect: Allow
            Action:
              - iam:GetGroup
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/${DeploymentGroup}
  DnsStackDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deployment of DNS stack
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowHostedZoneDeployment
            Effect: Allow
            Action:
              - route53:CreateHostedZone
              - route53:ListQueryLoggingConfigs
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:ChangeTagsForResource
              - route53:GetHostedZone
              - route53:ChangeResourceRecordSets
            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-manage-access-intro-resource-policies
  WebStackDeployPolicy:
    # We need a role to run s3:PutBucketPolicy, IAM users cannot run it. See https://stackoverflow.com/a/48551383 
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows deployment of web stack
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowCloudFrontOAIDeployment
            Effect: Allow
            Action:
              - cloudfront:GetCloudFrontOriginAccessIdentity
              - cloudfront:CreateCloudFrontOriginAccessIdentity
              - cloudfront:GetCloudFrontOriginAccessIdentityConfig
              - cloudfront:DeleteCloudFrontOriginAccessIdentity
            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
          -
            Sid: AllowCloudFrontDistributionDeployment
            Effect: Allow
            Action:
              - cloudfront:CreateDistribution
              - cloudfront:DeleteDistribution
              - cloudfront:UpdateDistribution
              - cloudfront:GetDistribution
              - cloudfront:TagResource
              - cloudfront:UpdateCloudFrontOriginAccessIdentity
            Resource: !Sub arn:aws:cloudfront::${AWS::AccountId}:*
          -
            Sid: AllowS3BucketPolicyAccess
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:PutBucketWebsite
              - s3:DeleteBucketPolicy
              - s3:PutBucketPolicy
              - s3:GetBucketPolicy
            Resource: !Sub arn:aws:s3:::${WebStackName}*
          -
            Sid: AllowRecordDeploymentToRoute53
            Effect: Allow
            Action:
              - route53:GetHostedZone
              - route53:ChangeResourceRecordSets
              - route53:GetChange
              - route53:ListResourceRecordSets
            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-manage-access-intro-resource-policies
  S3SiteDeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows listing buckets to be able to list objects in a bucket
      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resources
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowListingObjects
            Effect: Allow
            Action:
              - s3:ListBucket # To allow ListObjectsV2
            Resource: !Sub arn:aws:s3:::${WebStackName}*
          -
            Sid: AllowUpdatingObjects
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub arn:aws:s3:::${WebStackName}*/*
  CloudFrontInvalidationPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows creating invalidations on CloudFront
      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowCloudFrontInvalidations
            Effect: Allow
            Action:
              - cloudfront:CreateInvalidation
            Resource: "*" # Does not support resource-level permissions https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
  StackExportReaderPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allows creating invalidations on CloudFront
      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Sid: AllowGettingBucketName
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
            Resource: !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${WebStackName}/*
 Outputs:
  ResolveCertificateLambdaRoleArn: 
    Description: The Amazon Resource Name (ARN) of the lambda for deploying certificates.
    Value: !GetAtt ResolveCertificateLambdaRole.Arn
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', ResolveCertificateLambdaRoleArn ] ]
  CertificateStackDeployRoleArn: 
    Description: "GitHub secret: AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt CertificateStackDeployRole.Arn
  DnsStackDeployRoleArn: 
    Description: "GitHub secret: AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt DnsStackDeployRole.Arn
  IamStackDeployRoleArn: 
    Description: "GitHub secret: AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt IamStackDeployRole.Arn
  WebStackDeployRoleArn: 
    Description: "GitHub secret: AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt WebStackDeployRole.Arn
  S3SiteDeployRoleArn: 
    Description: "GitHub secret: AWS_S3_SITE_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt S3SiteDeployRole.Arn
  CloudFrontSiteDeployRoleArn: 
    Description: "GitHub secret: AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN"
    Value: !GetAtt CloudFrontSiteDeployRole.Arn
--- a/aws/scripts/configure/create-role-profile.sh
+++ b/aws/scripts/configure/create-role-profile.sh
@@ -1,36 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --user-profile) USER_PROFILE="$2"; shift;;
  --role-profile) ROLE_PROFILE="$2"; shift;;
  --role-arn) ROLE_ARN="$2"; shift;;
  --session) SESSION="$2";shift;;
  --region) REGION="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$USER_PROFILE" ]; then echo "User profile name is not set."; exit 1; fi;
 if [ -z "$ROLE_PROFILE" ]; then echo "Role profile name is not set."; exit 1; fi;
 if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set"; exit 1; fi;
 if [ -z "$SESSION" ]; then echo "Session name is not set."; exit 1; fi;
 if [ -z "$REGION" ]; then echo "Region is not set."; exit 1; fi;
 creds=$(aws sts assume-role --role-arn $ROLE_ARN --role-session-name $SESSION --profile $USER_PROFILE)
 aws_access_key_id=$(echo $creds | jq -r '.Credentials.AccessKeyId')
 echo ::add-mask::$aws_access_key_id
 aws_secret_access_key=$(echo $creds | jq -r '.Credentials.SecretAccessKey')
 echo ::add-mask::$aws_secret_access_key
 aws_session_token=$(echo $creds | jq -r '.Credentials.SessionToken')
 echo ::add-mask::$aws_session_token
 aws configure --profile $ROLE_PROFILE set aws_access_key_id $aws_access_key_id
 aws configure --profile $ROLE_PROFILE set aws_secret_access_key $aws_secret_access_key
 aws configure --profile $ROLE_PROFILE set aws_session_token $aws_session_token
 aws configure --profile $ROLE_PROFILE set region $REGION
 echo Profile $ROLE_PROFILE is created
 bash "${BASH_SOURCE%/*}/mask-identity.sh" --profile $ROLE_PROFILE
--- a/aws/scripts/configure/create-user-profile.sh
+++ b/aws/scripts/configure/create-user-profile.sh
@@ -1,25 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --profile) PROFILE="$2"; shift;;
  --access-key-id) ACCESS_KEY_ID="$2"; shift;;
  --secret-access-key) SECRET_ACCESS_KEY="$2"; shift;;
  --region) REGION="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$PROFILE" ]; then echo "Profile name is not set."; exit 1; fi;
 echo $PROFILE
 if [ -z "$ACCESS_KEY_ID" ]; then echo "Access key ID is not set"; exit 1; fi;
 if [ -z "$SECRET_ACCESS_KEY" ]; then echo "Secret access key is not set."; exit 1; fi;
 if [ -z "$REGION" ]; then echo "Region is not set."; exit 1; fi;
 aws configure --profile $PROFILE set aws_access_key_id $ACCESS_KEY_ID
 aws configure --profile $PROFILE set aws_secret_access_key $SECRET_ACCESS_KEY
 aws configure --profile $PROFILE set region $REGION
 echo Profile $PROFILE is created
 bash "${BASH_SOURCE%/*}/mask-identity.sh" --profile $PROFILE
--- a/aws/scripts/configure/mask-identity.sh
+++ b/aws/scripts/configure/mask-identity.sh
@@ -1,17 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --profile) PROFILE="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$PROFILE" ]; then echo "Profile name is not set."; exit 1; fi;
 aws_identity=$(aws sts get-caller-identity --profile $PROFILE)
 echo ::add-mask::$(echo $aws_identity | jq -r '.Account')
 echo ::add-mask::$(echo $aws_identity | jq -r '.UserId')
 echo ::add-mask::$(echo $aws_identity | jq -r '.Arn')
 echo Credentials are masked
--- a/aws/scripts/deploy/deploy-stack.sh
+++ b/aws/scripts/deploy/deploy-stack.sh
@@ -1,43 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --template-file) TEMPLATE_FILE="$2"; shift;;
  --stack-name) STACK_NAME="$2"; shift;;
  --profile) PROFILE="$2"; shift;;
  --capabilities) CAPABILITY_IAM="$2"; shift;;
  --role-arn) ROLE_ARN="$2";shift;;
  --session) SESSION="$2";shift;;
  --region) REGION="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$TEMPLATE_FILE" ]; then echo "Template file is not set."; exit 1; fi;
 if [ -z "$STACK_NAME" ]; then echo "Template file is not set."; exit 1; fi;
 if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
 if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
 if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
 echo Validating stack "$STACK_NAME"
 aws cloudformation validate-template \
    --template-body file://$TEMPLATE_FILE \
    --profile $PROFILE
 ROLE_PROFILE=$STACK_NAME
 echo Assuming role
 bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
    --role-arn $ROLE_ARN \
    --session $SESSION \
    --region $REGION
 echo Deploying stack "$TEMPLATE_FILE"
 aws cloudformation deploy \
    --template-file $TEMPLATE_FILE \
    --stack-name $STACK_NAME \
    ${CAPABILITY_IAM:+ --capabilities $CAPABILITY_IAM} \
    --no-fail-on-empty-changeset \
    --profile $ROLE_PROFILE
--- a/aws/scripts/deploy/deploy-to-s3.sh
+++ b/aws/scripts/deploy/deploy-to-s3.sh
@@ -1,47 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --folder) FOLDER="$2"; shift;;
  --web-stack-name) WEB_STACK_NAME="$2"; shift;;
  --web-stack-s3-name-output-name) WEB_STACK_S3_NAME_OUTPUT_NAME="$2"; shift;;
  --storage-class) STORAGE_CLASS="$2"; shift;;
  --profile) PROFILE="$2"; shift;;
  --role-arn) ROLE_ARN="$2";shift;;
  --session) SESSION="$2";shift;;
  --region) REGION="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$FOLDER" ]; then echo "Folder is not set."; exit 1; fi;
 if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
 if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
 if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
 if [ -z "$WEB_STACK_NAME" ]; then echo "Web stack name is not set."; exit 1; fi;
 if [ -z "$WEB_STACK_S3_NAME_OUTPUT_NAME" ]; then echo "S3 name output name is not set."; exit 1; fi;
 if [ -z "$STORAGE_CLASS" ]; then echo "S3 object storage class is not set."; exit 1; fi;
 echo Assuming role
 ROLE_PROFILE=deploy-s3
 bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
    --role-arn $ROLE_ARN \
    --session $SESSION \
    --region $REGION
 echo Getting S3 bucket name from stack "$WEB_STACK_NAME" with output "$WEB_STACK_S3_NAME_OUTPUT_NAME"
 S3_BUCKET_NAME=$(aws cloudformation describe-stacks \
            --stack-name $WEB_STACK_NAME \
            --query "Stacks[0].Outputs[?OutputKey=='$WEB_STACK_S3_NAME_OUTPUT_NAME'].OutputValue" \
            --output text \
            --profile $ROLE_PROFILE)
 if [ -z "$S3_BUCKET_NAME" ]; then echo "Could not read S3 bucket name"; exit 1; fi;
 echo ::add-mask::$S3_BUCKET_NAME # Just being extra cautious
 echo Syncing folder to S3
 aws s3 sync $FOLDER s3://$S3_BUCKET_NAME \
    --storage-class $STORAGE_CLASS  \
    --no-progress --follow-symlinks --delete \
    --profile $ROLE_PROFILE
--- a/aws/scripts/deploy/invalidate-cloudfront-cache.sh
+++ b/aws/scripts/deploy/invalidate-cloudfront-cache.sh
@@ -1,45 +0,0 @@
 #!/bin/bash
 # Parse parameters
 while [[ "$#" -gt 0 ]]; do case $1 in
  --paths) PATHS="$2"; shift;;
  --web-stack-name) WEB_STACK_NAME="$2"; shift;;
  --web-stack-cloudfront-arn-output-name) WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME="$2"; shift;;
  --profile) PROFILE="$2"; shift;;
  --role-arn) ROLE_ARN="$2";shift;;
  --session) SESSION="$2";shift;;
  --region) REGION="$2";shift;;
  *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 # Verify parameters
 if [ -z "$PATHS" ]; then echo "Paths is not set."; exit 1; fi;
 if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
 if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
 if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
 if [ -z "$WEB_STACK_NAME" ]; then echo "Web stack name is not set."; exit 1; fi;
 if [ -z "$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME" ]; then echo "CloudFront ARN output name is not set."; exit 1; fi;
 echo Assuming role
 ROLE_PROFILE=invalidate-cloudfront
 bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
    --role-arn $ROLE_ARN \
    --session $SESSION \
    --region $REGION
 echo Getting CloudFront ARN from stack "$WEB_STACK_NAME" with output "$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME"
 CLOUDFRONT_ARN=$(aws cloudformation describe-stacks \
            --stack-name $WEB_STACK_NAME \
            --query "Stacks[0].Outputs[?OutputKey=='$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME'].OutputValue" \
            --output text \
            --profile $ROLE_PROFILE)
 if [ -z "$CLOUDFRONT_ARN" ]; then echo "Could not read CloudFront ARN"; exit 1; fi;
 echo :add-mask::$CLOUDFRONT_ARN
 echo Syncing folder to S3
 aws cloudfront create-invalidation \
    --paths $PATHS \
    --distribution-id $CLOUDFRONT_ARN \
    --profile $ROLE_PROFILE
--- a/aws/web-stack.yaml
+++ b/aws/web-stack.yaml
@@ -1,138 +0,0 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: |-
  > Creates an S3 bucket configured for hosting a static webpage.
  > Creates CloudFront distribution that has access to read the S3 bucket.
 Parameters:
  RootDomainName:
    Type: String
    Default: privacy.sexy
    Description: The root DNS name of the website e.g. privacy.sexy
    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
    ConstraintDescription: Must be a valid root domain name
  CertificateStackName:
    Type: String
    Default: privacysexy-certificate-stack
    Description: Name of the certificate stack.
  DnsStackName:
    Type: String
    Default: privacysexy-dns-stack
    Description: Name of the certificate stack.
  PriceClass:
    Type: String
    Description: The CloudFront distribution price class
    Default: 'PriceClass_100'
    AllowedValues:
      - 'PriceClass_100'
      - 'PriceClass_200'
      - 'PriceClass_All'
 Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::StackName}-${RootDomainName} # Must have stack name for IAM to allow
      WebsiteConfiguration:
        IndexDocument: index.html
      Tags:
        -
          Key: Application
          Value: privacy.sexy    
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument: # Only used for CloudFront as it's the only way, otherwise use IAM roles in IAM stack.
        Statement:
          -
            Sid: AllowCloudFrontRead
            Action: s3:GetObject
            Effect: Allow
            Principal:
                CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
            Resource: !Join ['', ['arn:aws:s3:::', !Ref S3Bucket, /*]]
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for ${S3Bucket}'
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: Cloudfront Distribution pointing to S3 bucket
        Origins:
          -
            DomainName: !GetAtt S3Bucket.DomainName
            Id: S3Origin
            S3OriginConfig:
                OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
        Enabled: true
        HttpVersion: 'http2'
        DefaultRootObject: index.html
        Aliases:
          - !Ref RootDomainName
          - !Sub 'www.${RootDomainName}'
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          TargetOriginId: S3Origin
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: !Ref PriceClass
        ViewerCertificate:
          AcmCertificateArn:
            # Certificate must be validated before it can be used here
            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, CertificateArn]]
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.1_2016
      Tags:
        -
          Key: Application
          Value: privacy.sexy
  CloudFrontDNSRecords:
    Type: AWS::Route53::RecordSetGroup
    Properties: 
      HostedZoneId:
        Fn::ImportValue: !Join [':', [!Ref DnsStackName, DNSHostedZoneId]]
      RecordSets:
        -
          Name: !Ref RootDomainName
          Type: A         
          AliasTarget: 
            DNSName: !GetAtt CloudFrontDistribution.DomainName
            EvaluateTargetHealth: false
            HostedZoneId: Z2FDTNDATAQYW2 # Static CloudFront distribution zone https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
        -
          Name: !Join ['', ['www.', !Ref RootDomainName]]
          Type: A
          AliasTarget: 
            DNSName: !GetAtt CloudFrontDistribution.DomainName
            EvaluateTargetHealth: false
            HostedZoneId: Z2FDTNDATAQYW2 # Static CloudFront distribution zone https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
 Outputs:
  CloudFrontDistributionArn:  # Used by deployment script to be able to deploy to right S3 bucket
    Description: Tthe Amazon Resource Name (ARN) of the CloudFront distribution.
    Value: !Ref CloudFrontDistribution
  S3BucketName: # Used by deployment script to be able to deploy to right S3 bucket
    Description: Name of the S3 bucket.
    Value: !Ref S3Bucket
--- a/docs/aws-cloudformation.drawio
+++ b/docs/aws-cloudformation.drawio
--- a/docs/aws-cloudformation.png
+++ b/docs/aws-cloudformation.png
--- a/docs/ci-cd.drawio
+++ b/docs/ci-cd.drawio
@@ -1 +0,0 @@
 <mxfile host="www.draw.io" modified="2019-12-30T13:07:22.931Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="vfXOAJJrIONaUEloGBPR" version="12.4.7" type="device"><diagram id="ymF_tBZ9P2_Wfw9L8arg" name="Page-1">5Vpbb9s2FP41AbYHC7zp9hjHdVqsGwpkQNu9FIxEy2xlUaWo2N6v36FEOZLlXNw6S7IpQUwd3j9+/M4hnTN6sdpcal4uf1epyM8ISjdndHZGSOQT+GsN29YwIRFqLZmWaWvDt4Yr+bdwxq5YLVNRDQoapXIjy6ExUUUhEjOwca3VelhsofJhryXPxMhwlfB8bP0oU7Ps5oVu7W+FzJZdzxi5nBXvCjtDteSpWvdM9M0ZvdBKmTa12lyI3ILX4dLWm9+RuxuYFoV5TAWx2swv/wy+49kff33Kok8f39/8NnHLc8Pz2k14JspcbStbsVhoXhldJ6bWwk3CbDtktKqLVNjG0RmdKm2WKlMFz98rVYIRg/GrMGbr1pTXRoFpaVa5y015tWzqdy8fuDFCF42FIGsdz9FNu1K1TsQ9E2OOK1xnwtxTDvttQZEOeOAgvBRqJYzeQgHH6AnyCGVBW8mRmro2tMi5kTdD5nBHwGzX1K71D0rCtHZN05B6FB4/ZiGNCQoHneAgxF7Mho22MLh2+mu/17QfIA8F8e0zbBrHyMOxH0IyojgkZNhLC+LDvezNWC0WlRjUgEQP01tTw9QjWEtHrJ3WMk+rRgdSoGqQw5pPrzWkMptqSQ3Za3FtR1iWuUxgrVTxH6V1eDSrEQuGhCPsNKxm2KMIIYZY5Ef0dJwOgsALaLij9HBPYqC71yN87B/J6adnMRux+FKat7Ul6HliuVmNyAk+pLRJuWrcVp92N0Ib4HR+nsvMcs1Yuu6s7/m1yD+oSjacp7NrZYxaQYHcZkx58i1riH+hcqWbvuiieaBI09l5Vbbu1e4K3r0s5MZSferGM1saY/3yucWKzJO0YJ4Ez7yQsKW0l0CPZJ5yw+HD2iv7qYou6WPiMiaVSiTPJ5k0y/p6gknklUUGHS1knndjLFRhMViowlw5iA44RWeyQIjNY/YCCXwvYOj2YUNikcA59PVtPAADbG3LfizQGQ9tlgGZjmWOP2LOuwJeJEArGhHkyfKFOezHKhE4IhoPEacnEqKYgl7c6QMp6IUfhjTwGWUhi+kPelofeywaNs380KMEiERiGuGXKEXBiFAXuarTuVZuTH0eqdrkshAXu4gbuV3YEw/4mdv+p5nmqRSDvJj5sznp5c2kFokTpsLycm+jQx3/nKKpD3aIR9U3cUimduxEj9G9w3LJ3VsCoxJ6yP5GZ9qtgclIdw6IYifWq01mz0YeX1fM06Jl0rvEjmcKr21qWCqx6C8a9J1E9+awG1zaww1abXA7gQAepDAdi154QPPCp5K8cMTQK3pyZgbonNLwOGaSMMQ4+N8ws6I2b+dJcNtae7C108tyXlUuDf5eJi59El5SL9p3xpH/vLyMRryciZvXH7eRB+O2QqwnW8H1xPImr128Og9ggeY90wTFvfDtTikb0fvUUZ0PJ5z+Q/d5FI95hA7wCD0Rj+IRj8q6qaXF91pUNgyQ1fhguxIQO6TNpVhz51RZ9J4j8IOV0dtProvm5bN98fzudbbpZ862D+nCg0dht/MePAqz4wJQOApTTIcyc6KjMEN0cLLA+xEo82gckBgHPmE4+tEINACZJHfGuYwhj4Uh8eMwBK8eBi8uGO2ufnt74fULKn1QUMVKfZUTbPnaqugXmGO5/VKtZC6295+BD8Qyu1GfQDztsexY9SQH1JM8lXpiPKLMmDPQjiwrC9d6KY24KnmjL2sIbvbiqWGEt1iIIEkORXhpGF8j9ATeiu0Dvne5hSPidRrVw5ziMeb0yTAff3cwjshfE+bB/ZhD/PnMgI+vvdmrBjxi9wJOGX1mwMc3tPg1A473g+ARw8eH/H8X8PHFZhfyViUvBsAH32v7zSkcMhvgzm14ll3/AkODX+ge9VK/2qT1hMhCOlm7udg6oS3XtdVF1e3ll9Ir9xVROwSYUjuKttCICT97+zCnjEVH3otNLzD1X+7tw8EY6afvxXYL82TXCqA9h/zriW4W7Al597V/GzXf/vMEffMP</diagram></mxfile>
--- a/docs/ci-cd.png
+++ b/docs/ci-cd.png
--- a/docs/gitops.drawio
+++ b/docs/gitops.drawio
--- a/docs/gitops.png
+++ b/docs/gitops.png
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,12 +1,16 @@
 {
  "name": "privacy.sexy",
-  "version": "0.1.0",
+  "version": "0.4.3",
  "private": true,
  "scripts": {
    "serve": "vue-cli-service serve",
    "build": "vue-cli-service build",
-    "lint": "vue-cli-service lint",
+    "lint:vue": "vue-cli-service lint --no-fix",
-    "test:unit": "vue-cli-service test:unit"
+    "lint:yaml": "yamllint **/*.yaml --ignore=node_modules/**/*.yaml",
    "test:unit": "vue-cli-service test:unit",
    "lint:md": "markdownlint **/*.md --ignore node_modules",
    "lint:md:relative-urls": "remark . --frail --use remark-validate-links",
    "lint:md:consistency": "remark . --frail --use remark-preset-lint-consistent"
  },
  "dependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.26",
@@ -24,19 +28,25 @@
    "vue-property-decorator": "^8.3.0"
  },
  "devDependencies": {
    "@types/chai": "^4.2.7",
    "@types/mocha": "^5.2.7",
    "@types/ace": "0.0.42",
    "@types/chai": "^4.2.7",
    "@types/file-saver": "^2.0.1",
-    "@vue/cli-plugin-typescript": "^4.1.1",
+    "@types/mocha": "^5.2.7",
    "@vue/cli-plugin-typescript": "^4.4.0",
    "@vue/cli-plugin-unit-mocha": "^4.1.1",
    "@vue/cli-service": "^4.1.1",
    "@vue/test-utils": "1.0.0-beta.30",
    "chai": "^4.2.0",
    "js-yaml-loader": "^1.2.2",
    "markdownlint-cli": "^0.23.1",
    "remark-cli": "^8.0.0",
    "remark-lint-no-dead-urls": "^1.0.2",
    "remark-preset-lint-consistent": "^3.0.0",
    "remark-validate-links": "^10.0.0",
    "sass": "^1.24.0",
    "sass-loader": "^8.0.0",
    "js-yaml-loader": "^1.2.2",
    "typescript": "^3.7.4",
-    "vue-template-compiler": "^2.6.11"
+    "vue-template-compiler": "^2.6.11",
    "yaml-lint": "^1.2.4"
  }
 }
--- a/src/application/Parser/ApplicationParser.ts
+++ b/src/application/Parser/ApplicationParser.ts
@@ -15,7 +15,7 @@ export function parseApplication(): Application {
    const app = new Application(
        applicationFile.name,
        applicationFile.repositoryUrl,
-        applicationFile.version,
+        process.env.VUE_APP_VERSION,
        categories);
    return app;
 }
--- a/src/application/State/ApplicationState.ts
+++ b/src/application/State/ApplicationState.ts
@@ -37,7 +37,7 @@ export class ApplicationState implements IApplicationState {
        /** Initially selected scripts */
        public readonly defaultScripts: Script[]) {
        this.selection = new UserSelection(app, defaultScripts);
-        this.code = new ApplicationCode(this.selection, app.version.toString());
+        this.code = new ApplicationCode(this.selection, app.version);
        this.filter = new UserFilter(app);
    }
 }
--- a/src/application/application.yaml
+++ b/src/application/application.yaml
@@ -1,5 +1,4 @@
 name: privacy.sexy
 version: 0.4.1
 repositoryUrl: https://github.com/undergroundwires/privacy.sexy
 actions:
    -
@@ -57,71 +56,71 @@ actions:
                                name: Clear regedit last key
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
-                                    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
+                                    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
                            -
                                name: Clear regedit favorites
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
-                                    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
+                                    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
                            -
                                name: Clear list of recent programs opened 
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
                            -
                                name: Clear Adobe Media Browser MRU
                                recommend: true
-                                code: reg delete "HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU" /va /f
+                                code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
                            -
                                name: Clear MSPaint MRU
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
-                                    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
+                                    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
                            -
                                name: Clear Wordpad MRU
                                recommend: true
-                                code: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
+                                code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
                            -
                                name: Clear Map Network Drive MRU MRU
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
-                                    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
+                                    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
                            -
                                name: Clear Windows Search Assistant history
                                recommend: true
-                                code: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru" /va /f
+                                code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
                            -
                                name: Clear list of Recent Files Opened, by Filetype
                                recommend: true
                                code: |-
-                                    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
+                                    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
-                                    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
+                                    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
-                                    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
+                                    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
                            -
                                name: Clear windows media player recent files and urls
                                recommend: true
                                code: |-
-                                   reg delete "HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
+                                   reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
-                                   reg delete "HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
+                                   reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
-                                   reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
+                                   reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
-                                   reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
+                                   reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
                            -
                                name: Clear Most Recent Application's Use of DirectX 
                                recommend: true
                                code: |-
-                                   reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
+                                   reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
-                                   reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
+                                   reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
                            -
                                name: Clear Windows Run MRU & typedpaths
                                recommend: true
                                code: |-
-                                   reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
+                                   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
-                                   reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
+                                   reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
            - 
                category: Clear browser history
                children:
@@ -130,8 +129,8 @@ actions:
                        recommend: true
                        code: |-
                            del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*"
-                            reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
+                            reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
-                            reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
+                            reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
                            rd /s /q "%localappdata%\Microsoft\Internet Explorer"
                            rd /s /q "%APPDATA%\Microsoft\Windows\Cookies"
                            rd /s /q "%USERPROFILE%\Cookies"
@@ -315,7 +314,7 @@ actions:
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f 
@@ -335,8 +334,8 @@ actions:
                name: Disable online device metadata collection
                recommend: true
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
            -
                name: Opt out from Windows privacy consent
                recommend: true
@@ -347,66 +346,66 @@ actions:
                name: Disable Windows feedback
                recommend: true
                code: |-
-                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f 
+                    reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f 
                    :: removing this value sets feedback frequency to never
-                    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
+                    reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f 
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f 
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
            -
                name: Disable text and handwriting collection
                recommend: true
                code: |-
-                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
+                    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
+                    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
+                    reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
+                    reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
                    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
            -
                category: Deny app access to personal information
                children:
                    -
                        name: Deny app access to location
-                        recommend: false
+                        recommend: true
-                        code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to motion data
-                        recommend: false
+                        recommend: true
-                        code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to phone
-                        recommend: false
+                        recommend: true
-                        code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to trusted devices
-                        recommend: false
+                        recommend: true
-                        code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app sync with devices
-                        recommend: false
+                        recommend: true
-                        code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to camera
                        recommend: false
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to microphone
-                        recommend: true
+                        recommend: false
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f
+                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
                    -
                        name: Deny app access to diagnostics info about your other apps
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to your file system
                        recommend: true
@@ -417,55 +416,55 @@ actions:
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to Notifications
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to Account Information
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to Calendar
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to call history
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f  
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f  
                    -
                        name: Deny app access to email
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to tasks
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to messaging
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to radios
                        recommend: true
                        code: |-
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
                    -
                        name: Deny app access to videos
                        recommend: true
@@ -491,9 +490,9 @@ actions:
                recommend: true
                code: |-
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d 1 /f
                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /t REG_SZ /f
                    reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f
            -
@@ -516,12 +515,12 @@ actions:
                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f 
                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f
                            reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 / 
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 / 
                    -
                        name: Disable web search in search bar
                        recommend: true
@@ -555,7 +554,7 @@ actions:
                        name: Disable targeted tips
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d 1 /f
                            reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
                            reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f
                    - 
@@ -589,12 +588,16 @@ actions:
                name: Disable Inventory Collector
                recommend: true
                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f 
            -
                name: Disable Website Access of Language List
                recommend: true
                code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f 
            -
                name: Disable Auto Downloading Maps
                recommend: true
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
            -
                name: Disable steps recorder
                recommend: true
@@ -636,7 +639,7 @@ actions:
                docs:
                    - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
                    - https://www.windows-security.org/f637a705712eb59f8cd410673c96472e/prohibit-access-of-the-windows-connect-now-wizards
-                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
+                code: reg add "HKCU\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
            -
                category: Disable cloud sync
                children:
@@ -653,51 +656,51 @@ actions:
                        name: Disable Application Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable App Sync Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable Credentials Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                            reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
                    -
                        name: Disable Desktop Theme Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable Personalization Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable Start Layout Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable Web Browser Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
                    -
                        name: Disable Windows Setting Sync
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    -
        category: Configure programs
        children: 
@@ -711,31 +714,31 @@ actions:
                                name: Disable SQM 64 bit OS key
                                recommend: true
                                code: |-
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
                            -
                                name: Disable SQM 32 bit OS key
                                recommend: true
                                code: |-
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSCommon\14.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSCommon\15.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSCommon\16.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM"  /v OptIn /t REG_DWORD /d 0 /f
                            -
                                name: Disable SQM group policy
                                recommend: true
-                                code: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\VisualStudio\SQM"  /v OptIn /t REG_DWORD /d 0 /f
+                                code: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM"  /v OptIn /t REG_DWORD /d 0 /f
                    -
                        name: Disable visual studio telemetry
                        recommend: true
-                        code: reg add "HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\Telemetry" /v TurnOffSwitch /t REG_DWORD /d 1 /f
+                        code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v TurnOffSwitch /t REG_DWORD /d 1 /f
                    -
                        name: Disable Visual Studio feedback
                        recommend: true
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableFeedbackDialog /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableFeedbackDialog /t REG_DWORD /d 1 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableEmailInput /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableEmailInput /t REG_DWORD /d 1 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableScreenshotCapture /t REG_DWORD /d 1 /f 
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableScreenshotCapture /t REG_DWORD /d 1 /f 
                    -
                        name: Stop and disable Visual Studio Standard Collector Service
                        recommend: true
@@ -750,10 +753,10 @@ actions:
                                name: Disable Microsoft SpyNet (Windows Defender cloud export for analysis)
                                recommend: true
                                code: |-
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                            - 
                                name: Disable sending infection information
                                recommend: true
@@ -815,54 +818,54 @@ actions:
                            -
                                name: Disable live tile data collection
                                recommend: true
-                                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f          
+                                code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f          
                            -
                                name: Disable MFU tracking
                                recommend: true
-                                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
+                                code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
                            -
                                name: Disable recent apps
                                recommend: true
-                                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
+                                code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
                            -
                                name: Turn off backtracking
                                recommend: true
-                                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
+                                code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
                            -
                                name: Disable Search Suggestions in Edge
                                recommend: true
-                                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
+                                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
                    -
                        category: Configure Internet Explorer
                        children: 
                            -
                                name: Disable Geolocation in Internet Explorer
                                recommend: true
-                                code: reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
+                                code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
                            -
                                name: Disable Internet Explorer InPrivate logging
                                recommend: true
                                code: |-
-                                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
+                                    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
                            -
                                name: Disable Internet Explorer CEIP
                                recommend: true
                                code: |-
-                                    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
+                                    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
                            -
                                name: Disable calling legacy WCM policies
                                recommend: true
-                                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
+                                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
                            -
                                name: Disable SSLv3 fallback
                                recommend: true
-                                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
+                                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
                            -
                                name: Disable ignoring cert errors
                                recommend: true
-                                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
+                                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
                    -
                        category: Configure Google Chrome
                        children: 
@@ -872,17 +875,17 @@ actions:
                                code: |-
                                    icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
                                    cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username%
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
                            -
                                name: Disable Chrome metrics reporting
                                recommend: true
                                code: |-
-                                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
-                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
+                                    reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
            -
                name: Disable Google update service
                recommend: true
@@ -931,10 +934,10 @@ actions:
                        name: Disable meta data retrieval
                        recommend: true
                        code: |-
-                            reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
+                            reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
-                            reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
+                            reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
-                            reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
+                            reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
-                            reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
+                            reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
                    -
                        name: Disable dows Media Player Network Sharing Service
                        recommend: true
@@ -950,14 +953,14 @@ actions:
                        name: Spectre variant 2 and meltdown (Intel)
                        recommend: false
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
-                            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
                    -
                        name: Spectre variant 2 and meltdown (AMD)
                        recommend: false
                        code: |-
-                            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
-                            reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
                    -
                        name: Spectre variant 2 and meltdown (HyperV)
                        recommend: false
@@ -970,8 +973,8 @@ actions:
                name: Force enable data execution prevention (DEP)
                recommend: false
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
+                    reg add "HKLM \ SOFTWARE \ Policies \ Microsoft \ Windows \ Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
-                    reg add "HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
+                    reg add "HKLM \ SOFTWARE \ Policies \ Microsoft \ Windows \ System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
            - 
                name: Disable AutoPlay and AutoRun
                recommend: false
@@ -1060,7 +1063,7 @@ actions:
            -
                name: Disable scheduled On Demand anti malware scanner (MRT)
                recommend: false
-                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
+                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
            -
                name: Disable automatic updates
                recommend: false
@@ -1075,22 +1078,22 @@ actions:
            -
                name: Disable lock screen app notifications
                recommend: true
-                code: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
+                code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
            -
                name: Disable online content in explorer
                recommend: true
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
            -
                name: Disable & auto-clear recent documents in explorer
                recommend: true
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
+                    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
-                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
+                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
            -
                name: Disable Live Tiles push notifications
                recommend: true
@@ -1107,8 +1110,8 @@ actions:
                    if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
                        reg add "HKU\DefaultUser\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t REG_DWORD /f
                    ) else (
-                        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
+                        reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
-                        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
+                        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
                    )
    -
        category: Disable OS services
@@ -1555,13 +1558,13 @@ actions:
                name: Change NTP (time) server to pool.ntp.org
                recommend: false
                code: |-
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "NtpServer" /t REG_SZ /d "pool.ntp.org, 0x8" /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "NtpServer" /t REG_SZ /d "pool.ntp.org, 0x8" /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "Type" /t REG_SZ /d "NTP" /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "Type" /t REG_SZ /d "NTP" /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "CrossSiteSyncFlags" /t REG_DWORD /d 2 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "CrossSiteSyncFlags" /t REG_DWORD /d 2 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "EventLogFlags" /t REG_DWORD /d 0 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "EventLogFlags" /t REG_DWORD /d 0 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMaxTimes" /t REG_DWORD /d 7 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMaxTimes" /t REG_DWORD /d 7 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMinutes" /t REG_DWORD /d 15 /f
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMinutes" /t REG_DWORD /d 15 /f
-                    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "SpecialPollInterval" /t REG_DWORD /d 1024 /f      
+                    reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "SpecialPollInterval" /t REG_DWORD /d 1024 /f      
            -
                name: Run script on start-up [EXPERIMENTAL]
                recommend: false
--- a/src/application/application.yaml.d.ts
+++ b/src/application/application.yaml.d.ts
@@ -19,7 +19,6 @@ declare module 'js-yaml-loader!*' {
    interface ApplicationYaml {
        name: string;
        version: number;
        repositoryUrl: string;
        actions: ReadonlyArray<YamlCategory>;
    }
--- a/src/domain/Application.ts
+++ b/src/domain/Application.ts
@@ -12,11 +12,11 @@ export class Application implements IApplication {
    constructor(
        public readonly name: string,
        public readonly repositoryUrl: string,
-        public readonly version: number,
+        public readonly version: string,
        public readonly categories: ReadonlyArray<ICategory>) {
        if (!name) { throw Error('Application has no name'); }
        if (!repositoryUrl) { throw Error('Application has no repository url'); }
-        if (!version) { throw Error('Version cannot be zero'); }
+        if (!version) { throw Error('Version cannot be empty'); }
        this.flattened = flatten(categories);
        if (this.flattened.allCategories.length === 0) {
            throw new Error('Application must consist of at least one category');
--- a/src/domain/IApplication.ts
+++ b/src/domain/IApplication.ts
@@ -4,7 +4,7 @@ import { ICategory } from '@/domain/ICategory';
 export interface IApplication {
    readonly name: string;
    readonly repositoryUrl: string;
-    readonly version: number;
+    readonly version: string;
    readonly categories: ReadonlyArray<ICategory>;
    readonly totalScripts: number;
    readonly totalCategories: number;
--- a/src/global.d.ts
+++ b/src/global.d.ts
@@ -37,7 +37,7 @@ declare module 'liquor-tree' {
        children: ReadonlyArray<ILiquorTreeNewNode> | undefined;
        data: ICustomLiquorTreeData;
    }
-    
+
    // https://amsik.github.io/liquor-tree/#Component-Options
    export interface ILiquorTreeOptions {
        multiple: boolean;
--- a/src/presentation/TheSearchBar.vue
+++ b/src/presentation/TheSearchBar.vue
@@ -1,13 +1,11 @@
 <template>
-    <div class="container">
+  <div class="search">
-        <div class="search">
+      <input type="search" class="searchTerm" placeholder="Search"
-            <input type="search" class="searchTerm" placeholder="Search"
+        @input="updateFilterAsync($event.target.value)" >
-              @input="updateFilterAsync($event.target.value)" >
+      <div class="iconWrapper">
-            <div class="iconWrapper">
+          <font-awesome-icon :icon="['fas', 'search']" />
-                <font-awesome-icon :icon="['fas', 'search']" />
+      </div>
-            </div>
+  </div>
        </div>
    </div>
 </template>
 <script lang="ts">
@@ -32,10 +30,6 @@ export default class TheSearchBar extends StatefulVue {
@import "@/presentation/styles/colors.scss";
@import "@/presentation/styles/fonts.scss";
 .container {
    font: $normal-font;
 }
 .search {
  width: 100%;
  position: relative;
@@ -53,6 +47,8 @@ export default class TheSearchBar extends StatefulVue {
  padding-right:10px;
  outline: none;
  color: $gray;
    font-family: $normal-font;
    font-size:1em;
 }
 .searchTerm:focus{
--- a/tests/unit/domain/Application.spec.ts
+++ b/tests/unit/domain/Application.spec.ts
@@ -11,7 +11,7 @@ describe('Application', () => {
            new ScriptStub('S3').withIsRecommended(true),
            new ScriptStub('S4').withIsRecommended(true),
        ];
-        const sut = new Application('name', 'repo', 2, [
+        const sut = new Application('name', 'repo', '0.1.0', [
            new CategoryStub(3).withScripts(expected[0], new ScriptStub('S1').withIsRecommended(false)),
            new CategoryStub(2).withScripts(expected[1], new ScriptStub('S2').withIsRecommended(false)),
        ]);
@@ -28,7 +28,7 @@ describe('Application', () => {
        const categories = [];
        // act
-        function construct() { return new Application('name', 'repo', 2, categories); }
+        function construct() { return new Application('name', 'repo', '0.1.0', categories); }
        // assert
        expect(construct).to.throw('Application must consist of at least one category');
@@ -41,7 +41,7 @@ describe('Application', () => {
        ];
        // act
-        function construct() { return new Application('name', 'repo',  2, categories); }
+        function construct() { return new Application('name', 'repo',  '0.1.0', categories); }
        // assert
        expect(construct).to.throw('Application must consist of at least one script');
@@ -54,7 +54,7 @@ describe('Application', () => {
        ];
        // act
-        function construct() { return new Application('name', 'repo', 2, categories); }
+        function construct() { return new Application('name', 'repo', '0.1.0', categories); }
        // assert
        expect(construct).to.throw('Application must consist of at least one recommended script');
--- a/tests/unit/stubs/ApplicationStub.ts
+++ b/tests/unit/stubs/ApplicationStub.ts
@@ -5,7 +5,7 @@ export class ApplicationStub implements IApplication {
    public readonly totalCategories = 0;
    public readonly name = 'StubApplication';
    public readonly repositoryUrl = 'https://privacy.sexy';
-    public readonly version = 1;
+    public readonly version = '0.1.0';
    public readonly categories = new Array<ICategory>();
    public withCategory(category: ICategory): IApplication {
--- a/vue.config.js
+++ b/vue.config.js
@@ -0,0 +1 @@
 process.env.VUE_APP_VERSION = require('./package.json').version;
Author	SHA1	Message	Date
undergroundwires	4a91e8ccd8	automated using bump-everywhere + more quality checks (#8 ) - new workflows - linting commands & linted stuff - security checks & fixed audited vulnerabilities - updated documentation	2020-05-24 19:25:43 +01:00
undergroundwires	997be7113f	using deployment operations from aws-static-site-with-cd	2020-05-23 22:59:29 +01:00
undergroundwires	3e3bc07576	automatically increases patch number #5	2020-04-26 15:47:20 +00:00
undergroundwires	691f989682	reading version from package.json instead of version file #5	2020-04-26 15:47:20 +00:00
undergroundwires	226074c534	simplified heading	2020-04-26 15:47:20 +00:00
undergroundwires	97b7e03233	fixed broke link	2020-04-26 15:47:20 +00:00
undergroundwires	749a140eb8	removed redundant documentation	2020-04-26 15:47:20 +00:00
undergroundwires	4739a4ac40	Merge pull request #4 from undergroundwires/dependabot/npm_and_yarn/acorn-6.4.1 Bump acorn from 6.4.0 to 6.4.1	2020-04-05 16:58:59 +00:00
dependabot[bot]	4800340b9b	Bump acorn from 6.4.0 to 6.4.1 Bumps [acorn](https://github.com/acornjs/acorn) from 6.4.0 to 6.4.1. - [Release notes](https://github.com/acornjs/acorn/releases) - [Commits](https://github.com/acornjs/acorn/compare/6.4.0...6.4.1) Signed-off-by: dependabot[bot] <support@github.com>	2020-04-05 16:20:27 +00:00
undergroundwires	074734242b	🚀 0.4.2 release	2020-02-29 18:51:55 +01:00
undergroundwires	802b36bdd8	shortened all HKEY paths	2020-01-12 10:10:37 +01:00
undergroundwires	0c39a06be5	set font on input	2020-01-11 10:55:43 +01:00
undergroundwires	e63ac4ae67	added missing semicolon for masking	2020-01-11 09:45:37 +01:00
		`@@ -1 +0,0 @@`
			<mxfile host="www.draw.io" modified="2019-12-27T14:40:11.720Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="6t_Q0ZRAKXZ_lLm1WdcF" version="12.4.3" type="device" pages="1"><diagram id="pFg2tUHn5hOZkmQyf_J4" name="Page-1">7Vvtd6I4F/9r+lEOEMLLR23rzJzdme3qPLMvXzwUomaLxA2x1f3rnwSIEoIWFdqd3bXnKLmEJNz7u69Jb8DtavuBhuvlZxKj5MY24+0NuLux7SAA/FsQdgXBD8yCsKA4LkjWgTDFf6GSKLttcIwypSMjJGF4rRIjkqYoYgotpJS8qN3mJFFnXYcLpBGmUZjo1F9wzJblW0DzQP+I8GIpZ7bM8s4qlJ1LQrYMY/JSIYH7G3BLCWHF1Wp7ixLBO8mX4rnxkbv7hVGUsjYPfB19Hf0+Wf6+DcbR9Mtksvm2hANYjPIcJpvyhe/IKsQpp03QAmeMhrRcPttJnqwJThmi9898ZsFe6waM9m9n8kYcZksUl40lWyWyE6PkCd2ShFBOSUnKBxzNcZJI0o0NoCn+OD0JH1HyQDLMMEn5vQiJSfmNZ0QZ5hL6sdbhkTBGVpUOwwQvxA1G1pxKNizBKZ9dAkVMEpZd9oPz91iL11xtFwLPBpnPcYSMDNFn/psZVHJlVpL4M7okSuGIhaBthVRK5gMiK8Tojncp79qeXzxSqgmQ+H85gA66BWlZwRu0S6iXMF/sRz4ggV+UYDgDGJatIUPDASWbNN7L+WWJGZquQ8GSuxfOPFX2e0xYNZmXMFCxwYEQe8GjaXbDXslNyd1A564r9bTKXuCYffEXvM5fiUW8yo1UlZvNEH9VM3KdGoXR0yKXXYXb8/zDu+STDbN1RUdkY463QoKjcj13S8aEFR4KTtjjKE5tA3M7PMccFdSI+Iz2OA5ZyH8EPeO/4Sr8i6SD8CUbZAylEU4ENTea4y/8xrRQqtmUT4m55s0ist7NZsNfprPbhGxijkvfWKeLDjAxMA1gBpWP76kgcW0dJIGOEUm7BiJ/bp/idPL8FMApjNFk+8N6+/NA18CcBWNK+DvXsdJo3ea8Z0XG/G8s5h9x0xZjpNwLHHg3tiv37jDlAxX4SQkVHNBM9RCYI9iku3s0KZ7gQsOt2eiKHog3LIMGy5btkiuN2K3bd45Ehxv1jGxohD5FYj0j3iyu1F6R4P485343RslXrZJrAg1w0i1UASdpnQNON0lTTjJHm+gJdY841xwC4J2HONvzLMv91yAuA90gDToq0mDgGa7zvmDTI0+JM/OBJDjadQu45mDzCJ7Kzn87KB0JvHV4rQsOdgIexwlU8EDdTEHfkAMr0WkH0VMjeFwNPBOODsRJcnH/uca3NFRUcH8GOzJXAKjmyrGC97VVnh6JCXHw+DTMQfc5THlErCfKjcjrW+4NYgRGdFjvbFWsdmbrsPVgcHvKfHZhTmquCDiNrggYsCHUBj0J2NcEfJ/OCYc9z07cRMR7j1y67kJcffz69WGqiRrFCyS1S5gEsiBpmNwfqCM1Wz70+ZEIkeai+wMxtit1NtwwogqW85zufq02fhODGVA277bl4EVrV209IIo5rwRY7k4m1YW6n+BVmZawkC4Qe11pBGNO4oKiJGT4Wa23NUm4fPRBOMFKFO2qlRPoBgb0LMf2i29PHbB4vXKMarWsNqzt2IbFAed5rmfbZmB558xSMEebJcfm/tUvh6ulB08TFOdeKXsPZBZOTtZH7avg5baEl/028OKiNZQigQoDD14GL+Aq8PIDeHrcngEli0//smpUil4GOxTSgYhyko1YnyALfzSukAZm0GHdybUMT5U2MC3dATZUI72+wmlbz/xVbq4pfg6jnZGhrZ6XfWcGRkK7amFO7Y30bWGAr+ZXPN9SXIt7oQfbF7nLce2gBp++bYqjgSqf63vyUKdw8aqHclvip5SXaXCnUD5zLaQsqxdI2Y5v+JWBaoUB4LYC2JDScFfptt6j4piC1HZvHLuG12LE2tNyeDKfZ6gfhOtpA0/1GE43ZMPfx4zROiG6vbw+Edhi9qsM7vl1JQ3grUMWIBoyCejUgrbVAHCuBlhWYCuyHgTXKcQbgECPxT9gttw8fv8BlPlqAEUiJi8tUxj88SqkT4NFzoAuYya3VhFym6sGPQVNz2vPu/92v8tcb/fTty+TzAzmA0uT+08UL/KjE8MoQpmwAJ9i/s6YvUkt+9azgDX+59WyKUkOpScNMg3AOn7IwndUhwVB220Qx+kJRXri9TG8JEK6JCaqHtnh6o0jxVdUoGXmH9FrQ5/3hzgajXtnNaXjOnfCf0DLUVMrv5N4qn46B/r2ZQEUcLiP24dh/FsZ1gXtykjnBlB8veryPbdNACXPSfhNHO3UsTbKWk8fhkkizvMJcYbxu6QRHUK+IYa6APID0zDBlTGS3CSGgeF7PAfJt0UDUxW7C4Im5J6rAC6oQd6EhgUq9bVeFMDR9NdvowD9Y1zfx3wz69+XKQc6ro/j/xSubUv11t2kxrC2twi9GuTaIhlaavbrgnbllXOxq53daGe8Zf4kz3H2j2V9k3TyXmb6WLLbV6xyXBF62I/oagcCng5FeisWNns53RL+L0M6eN6ldtIleNq6/cLcdQ4fLZEOLoQPdKChhtqOC7jN5jmV5zqO67mB86YIatjDeAU95xxYF42HkPGENc0pttn2GPujz1l1QNFVCSw0a9Jr2DgKGmogltnBGeVmruvVr32U/kI5f/tU4b3a/la506UKnwTapQ7gEOFAt7YRuPfWV2q5452y7bB+jKa1zgNvf8xvd5jJdDzXCuR3K6V/yxjb1l3Lp+FnTuAOhmro/K8w17owF8Zxfiaw2TZ2Yu4CDW+O/p87jfW6vqq+tqdBphrQlkKtVtM6s3DmSQunVPOOV/C6Co1bm8YTHa+Ibq6SoYxtNYvwgfumtSZfDmDWlF80Ofma6s/9CEVRk4bWFXmF4zhPfpqiEtVltghM3jHWsM/XPHHaZv9vsIXZP/wvMbj/Pw==</diagram></mxfile>
		`@@ -0,0 +1 @@`
							`process.env.VUE_APP_VERSION = require('./package.json').version;`