automated using bump-everywhere + more quality checks (#8 )

- new workflows - linting commands & linted stuff - security checks & fixed audited vulnerabilities - updated documentation
using deployment operations from aws-static-site-with-cd
2020-05-24 19:25:43 +01:00 · 2020-05-23 22:59:29 +01:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00 · 2020-04-26 15:47:20 +00:00
38 changed files with 3246 additions and 2435 deletions
--- a/.github/workflows/build-and-deploy.yaml
+++ b/.github/workflows/build-and-deploy.yaml
@@ -1,91 +0,0 @@
-name: Build & deploy
-
-on:
-  push:
-    branches:
-    - master
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-18.04
-    steps:
-      -
-        name: "Prepare: Checkout"
-        uses: actions/checkout@v1
-      -
-        name: "Prepare: Create AWS user profile"
-        run: >-
-          bash "aws/scripts/configure/create-user-profile.sh" \
-            --profile user \
-            --access-key-id ${{secrets.AWS_DEPLOYMENT_USER_ACCESS_KEY_ID}} \
-            --secret-access-key ${{secrets.AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY}} \
-            --region us-east-1
-      -
-        name: "Infrastructure: Deploy IAM stack"
-        run: >-
-          bash "aws/scripts/deploy/deploy-stack.sh" \
-            --template-file aws/iam-stack.yaml \
-            --stack-name privacysexy-iam-stack \
-            --capabilities CAPABILITY_IAM  \
-            --region us-east-1 --role-arn ${{secrets.AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN}} \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
-      -
-        name: "Infrastructure: Deploy certificate stack"
-        run: >-
-          bash "aws/scripts/deploy/deploy-stack.sh" \
-            --template-file aws/certificate-stack.yaml \
-            --stack-name privacysexy-certificate-stack \
-            --region us-east-1 \
-            --role-arn ${{secrets.AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN}} \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
-      -
-        name: "Infrastructure: Deploy DNS stack"
-        run: >-
-          bash "aws/scripts/deploy/deploy-stack.sh" \
-            --template-file aws/dns-stack.yaml \
-            --stack-name privacysexy-dns-stack \
-            --region us-east-1 \
-            --role-arn ${{secrets.AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN}} \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
-      -
-        name: "Infrastructure: Deploy web stack"
-        run: >-
-          bash "aws/scripts/deploy/deploy-stack.sh" \
-            --template-file aws/web-stack.yaml \
-            --stack-name privacysexy-web-stack \
-            --region us-east-1 \
-            --role-arn ${{secrets.AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN}} \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
-      -
-        name: "App: Setup node"
-        uses: actions/setup-node@v1
-        with:
-          node-version: '11.x'
-      -
-        name: "App: Install dependencies"
-        run: npm install
-      -
-        name: "App: Run tests"
-        run: npm run test:unit
-      - 
-        name: "App: Build"
-        run: npm run build
-      -
-        name: "App: Deploy to S3"
-        run: >-
-          bash "aws/scripts/deploy/deploy-to-s3.sh" \
-            --folder dist \
-            --web-stack-name privacysexy-web-stack --web-stack-s3-name-output-name S3BucketName \
-            --storage-class ONEZONE_IA \
-            --role-arn ${{secrets.AWS_S3_SITE_DEPLOYMENT_ROLE_ARN}} \
-            --region us-east-1 \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
-      -
-        name: "App: Invalidate CloudFront cache"
-        run: >-
-          bash "aws/scripts/deploy/invalidate-cloudfront-cache.sh" \
-            --paths "/*" \
-            --web-stack-name privacysexy-web-stack --web-stack-cloudfront-arn-output-name CloudFrontDistributionArn \
-            --role-arn ${{secrets.AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN}} \
-            --region us-east-1 \
-            --profile user --session ${{github.actor}}-${{github.event_name}}-${{github.sha}}
--- a/.github/workflows/bump-and-release.yaml
+++ b/.github/workflows/bump-and-release.yaml
@@ -0,0 +1,23 @@
+name: Bump & release
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - master
+  push: # Ensure a new release is created for each new tag
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  bump-version-and-release:
+    if: > # Push => Ensure only changes from master. PR => to not trigger when closing PR without merging
+      (github.event_name == 'push' && github.event.base_ref == 'refs/heads/master')
+      || github.event.pull_request.merged == true 
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        uses: undergroundwires/bump-everywhere@master
+        with:
+          user: undergroundwires-bot
+          release-token: ${{secrets.BUMP_GITHUB_PAT}} # Does not trigger release pipeline if we use default token: https://github.community/t5/GitHub-Actions/Github-Action-trigger-on-release-not-working-if-releases-was/td-p/34559
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,117 @@
+name: Build & deploy
+
+on:
+ release:
+   types: [created] # will be triggered when a NON-draft release is created and published.
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: "Infrastructure: Checkout"
+        uses: actions/checkout@v2
+        with:
+          path: aws
+          repository: undergroundwires/aws-static-site-with-cd
+      -
+        name: "Infrastructure: Create AWS user profile & session name"
+        run: >-
+          bash "scripts/configure/create-user-profile.sh" \
+            --profile user \
+            --access-key-id ${{secrets.AWS_DEPLOYMENT_USER_ACCESS_KEY_ID}} \
+            --secret-access-key ${{secrets.AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY}} \
+            --region us-east-1 \
+          && \
+            echo "::set-env name=SESSION_NAME::${{github.actor}}-${{github.event_name}}-$(echo ${{github.sha}} | cut -c1-8)"
+        working-directory: aws
+      -
+        name: "Infrastructure: Deploy IAM stack"
+        run: >-
+          bash "scripts/deploy/deploy-stack.sh" \
+            --template-file stacks/iam-stack.yaml \
+            --stack-name privacysexy-iam-stack \
+            --capabilities CAPABILITY_IAM \
+            --parameter-overrides "WebStackName=privacysexy-web-stack DnsStackName=privacysexy-dns-stack \
+                                   CertificateStackName=privacysexy-cert-stack RootDomainName=privacy.sexy" \
+            --region us-east-1 --role-arn ${{secrets.AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN}} \
+            --profile user --session ${{ env.SESSION_NAME }}
+        working-directory: aws
+      -
+        name: "Infrastructure: Deploy DNS stack"
+        run: >-
+          bash "scripts/deploy/deploy-stack.sh" \
+            --template-file stacks/dns-stack.yaml \
+            --stack-name privacysexy-dns-stack \
+            --parameter-overrides "RootDomainName=privacy.sexy" \
+            --region us-east-1 \
+            --role-arn ${{secrets.AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN}} \
+            --profile user --session ${{ env.SESSION_NAME }}
+        working-directory: aws
+      -
+        name: "Infrastructure: Deploy certificate stack"
+        run: >-
+          bash "scripts/deploy/deploy-stack.sh" \
+            --template-file stacks/certificate-stack.yaml \
+            --stack-name privacysexy-cert-stack \
+            --capabilities CAPABILITY_IAM \
+            --parameter-overrides "IamStackName=privacysexy-iam-stack RootDomainName=privacy.sexy DnsStackName=privacysexy-dns-stack" \
+            --region us-east-1 \
+            --role-arn ${{secrets.AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN}} \
+            --profile user --session ${{ env.SESSION_NAME }}
+        working-directory: aws
+      -
+        name: "Infrastructure: Deploy web stack"
+        run: >-
+          bash "scripts/deploy/deploy-stack.sh" \
+            --template-file stacks/web-stack.yaml \
+            --stack-name privacysexy-web-stack \
+            --parameter-overrides "CertificateStackName=privacysexy-cert-stack DnsStackName=privacysexy-dns-stack \
+                                   RootDomainName=privacy.sexy UseDeepLinks=true" \
+            --capabilities CAPABILITY_IAM \
+            --region us-east-1 \
+            --role-arn ${{secrets.AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN}} \
+            --profile user --session ${{ env.SESSION_NAME }}
+        working-directory: aws
+      -
+        name: "App: Checkout"
+        uses: actions/checkout@v2
+        with:
+          path: site
+          ref: master # otherwise we don't get version bump commit
+      -
+        name: "App: Setup node"
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14.x'
+      -
+        name: "App: Install dependencies"
+        run: npm install
+        working-directory: site
+      -
+        name: "App: Run tests"
+        run: npm run test:unit
+        working-directory: site
+      - 
+        name: "App: Build"
+        run: npm run build
+        working-directory: site
+      -
+        name: "App: Deploy to S3"
+        run: >-
+          bash "aws/scripts/deploy/deploy-to-s3.sh" \
+            --folder site/dist \
+            --web-stack-name privacysexy-web-stack --web-stack-s3-name-output-name S3BucketName \
+            --storage-class ONEZONE_IA \
+            --role-arn ${{secrets.AWS_S3_SITE_DEPLOYMENT_ROLE_ARN}} \
+            --region us-east-1 \
+            --profile user --session ${{ env.SESSION_NAME }}
+      -
+        name: "App: Invalidate CloudFront cache"
+        run: >-
+          bash "aws/scripts/deploy/invalidate-cloudfront-cache.sh" \
+            --paths "/*" \
+            --web-stack-name privacysexy-web-stack --web-stack-cloudfront-arn-output-name CloudFrontDistributionArn \
+            --role-arn ${{secrets.AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN}} \
+            --region us-east-1 \
+            --profile user --session ${{ env.SESSION_NAME }}
--- a/.github/workflows/quality-checks.yaml
+++ b/.github/workflows/quality-checks.yaml
@@ -0,0 +1,37 @@
+name: Quality checks
+
+on:
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Setup node
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.x
+      -
+        name: Install dependencies
+        run: npm ci
+      -
+        name: Lint vue
+        run: npm run lint:vue
+      -
+        name: Lint yaml
+        run: npm run lint:yaml
+      -
+        name: 'Validate md: Relative URLs'
+        run: npm run lint:md:relative-urls
+      -
+        name: 'Validate md: Enforce standards'
+        run: npm run lint:md
+      -
+        name: 'Validate md: Ensure consistency'
+        run: npm run lint:md:consistency
--- a/.github/workflows/security-checks.yaml
+++ b/.github/workflows/security-checks.yaml
@@ -0,0 +1,24 @@
+name: Security checks
+
+on:
+  pull_request:
+    branches:
+      - master
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  npm-audit:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Setup node
+        uses: actions/setup-node@v1
+        with:
+          node-version: 14.x
+      -
+        name: NPM audit
+        run: npm audit
--- a/.github/workflows/run-tests.yaml
+++ b/.github/workflows/run-tests.yaml
@@ -1,26 +1,25 @@
-name: Run tests
+name: Test

 on:
-  push:
+  pull_request:
    branches:
-      - '*'
-      - '!master'
+      - master

 jobs:
-  build-and-deploy:
+  run-tests:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v2
      -
        name: Setup node
        uses: actions/setup-node@v1
        with:
-          node-version: '11.x'
+          node-version: '14.x'
      -
        name: Install dependencies
-        run: npm install
+        run: npm ci
      -
        name: Run tests
        run: npm run test:unit
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+    "default": true,
+    "MD013": false
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,55 +0,0 @@
-# Changelog
-
- All notable changes to this project will be documented in this file.
-
-## Unreleased
-
-
-
-## [0.4.2] - 2020-02-29
-
- Fixed search text font being defaulted to Arial.
- Shortened `HKEY` paths in scripts
-
-## [0.4.1] - 2020-01-11
-
- Fixed & improved search
- Hiding grouping while searching
- Showing search queries when searching
-
-## [0.4.0] - 2020-01-11
-
- Added search
- Some styling improvements
- Better organization of scripts + more scripts
-
-## [0.3.0] - 2020-01-09
-
- Added support for grouping
- Added some meta tags
- Added "Disable NVIDIA telemetry" script
- Added legacy browser compatibility for fonts & changed main font
-
-## [0.2.0] - 2020-01-06
-
- Fixed typo in generated code.
- Better URL validation for documentation links in `application.yaml`.
- Slightly faster parsing of `application.yaml`
- Styled no JS error that's shown when JavaScript is disabled.
- The default selection is now *None* & instruction text is shown in code box when nothing is selected.
- Added hyphen lines when rendering of long function names
- Changed subtitle: added version as footer instead.
-
-## [0.1.0] - 2019-12-31
-
- Initial release
-
-## All releases
-
- [Unreleased] : https://github.com/undergroundwires/privacy.sexy/compare/v0.4.2...HEAD
- [v0.4.2] : https://github.com/undergroundwires/privacy.sexy/compare/v0.4.1...v0.4.2
- [v0.4.1] : https://github.com/undergroundwires/privacy.sexy/compare/v0.4.0...v0.4.1
- [v0.4.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.3.0...v0.4.0
- [v0.3.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.2.0...v0.3.0
- [v0.2.0] : https://github.com/undergroundwires/privacy.sexy/compare/v0.1.0...v0.2.0
- [v0.1.0] : https://github.com/undergroundwires/privacy.sexy/releases/tag/v0.1.0
--- a/README.md
+++ b/README.md
@@ -1,17 +1,20 @@
 # privacy.sexy

-![Build & deploy status](https://github.com/undergroundwires/privacy.sexy/workflows/Build%20&%20deploy/badge.svg)
-![Vulnerabilities](https://snyk.io/test/github/undergroundwires/privacy.sexy/badge.svg)
+> Web tool to enforce privacy & security best-practices on Windows, because privacy is sexy 🍑🍆
+
 [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/undergroundwires/privacy.sexy/issues)
 [![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/undergroundwires/privacy.sexy.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/undergroundwires/privacy.sexy/context:javascript)
 [![Maintainability](https://api.codeclimate.com/v1/badges/3a70b7ef602e2264342c/maintainability)](https://codeclimate.com/github/undergroundwires/privacy.sexy/maintainability)
-
-Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it.
-> because privacy is sexy 🍑🍆
+[![Tests status](https://github.com/undergroundwires/privacy.sexy/workflows/Test/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
+[![Quality checks status](https://github.com/undergroundwires/privacy.sexy/workflows/Quality%20checks/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
+[![Security checks status](https://github.com/undergroundwires/privacy.sexy/workflows/Security%20checks/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
+[![Bump & release status](https://github.com/undergroundwires/privacy.sexy/workflows/Bump%20&%20release/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
+[![Deploy status](https://github.com/undergroundwires/privacy.sexy/workflows/Build%20&%20deploy/badge.svg)](https://github.com/undergroundwires/privacy.sexy/actions)
+[![Auto-versioned by bump-everywhere](https://github.com/undergroundwires/bump-everywhere/blob/master/badge.svg?raw=true)](https://github.com/undergroundwires/bump-everywhere)

 [https://privacy.sexy](https://privacy.sexy)

-## Why privacy.sexy
+## Why

 - You don't need to run any compiled software on your system, just run the generated scripts.
 - It's open source, both application & infrastructure is 100% transparent
@@ -21,7 +24,7 @@ Web tool to generate scripts for enforcing privacy & security best-practices suc

 ## Extend scripts

-Fork it & add more scripts in `src/application/application.yml` and send a pull request 👌
+Fork it & add more scripts in [application.yaml](src/application/application.yaml) and send a pull request 👌

 ## Commands

@@ -50,77 +53,22 @@ Fork it & add more scripts in `src/application/application.yml` and send a pull
  - **Application Layer**
    - Keeps the application state
      - The [state](src/application/State/ApplicationState.ts) is a mutable singleton & event producer.
-    - The application is defined & controlled in a [single YAML file](`\application\application.yaml`) (see [Data-driven programming](https://en.wikipedia.org/wiki/Data-driven_programming))
+    - The application is defined & controlled in a [single YAML file](src/application/application.yaml) (see [Data-driven programming](https://en.wikipedia.org/wiki/Data-driven_programming))

 ![DDD + vue.js](docs/app-ddd.png)

 ### AWS Infrastructure

- The application runs in AWS 100% serverless and automatically provisioned using [CloudFormation files](/aws) and GitHub Actions.
- Maximum security & automation and minimum AWS costs were the highest priorities of the design.
+[![AWS solution](docs/aws-solution.png)](https://github.com/undergroundwires/aws-static-site-with-cd)

-![AWS solution](docs/aws-solution.png)
+- It uses infrastructure from the following repository: [aws-static-site-with-cd](https://github.com/undergroundwires/aws-static-site-with-cd)
+  - Runs on AWS 100% serverless and automatically provisioned using [GitHub Actions](.github/workflows/).
+  - Maximum security & automation and minimum AWS costs are the highest priorities of the design.

 #### GitOps: CI/CD to AWS

+- CI/CD is fully automated for this repo using different GIT events & GitHub actions.
+  - Versioning, tagging, creation of `CHANGELOG.md` and releasing is automated using [bump-everywhere](https://github.com/undergroundwires/bump-everywhere) action
 - Everything that's merged in the master goes directly to production.
-  - Deploy infrastructure ► Deploy web application ► Invalidate CloudFront Cache
- See more at [build-and-deploy.yaml](.GitHub/workflows/build-and-deploy.yaml)

-![CI/CD to AWS with GitHub Actions](docs/ci-cd.png)
-
-##### CloudFormation
-
-![CloudFormation design](docs/aws-cloudformation.png)
-
- AWS infrastructure is defined as code with following files:
-  - `iam-stack`: Creates & updates the deployment user.
-    - Everything in IAM layer is fine-grained using least privileges principle.
-    - Each deployment step has its own temporary credentials with own permissions.
-  - `certificate-stack.yaml`
-    - It'll generate SSL certification for the root domain and www subdomain.
-    - ❗ It [must](https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-invalid-viewer-certificate/) be deployed in `us-east-1` to be able to be used by CloudFront by `web-stack`.
-    - It uses CustomResource and a lambda instead of native `AWS::CertificateManager::Certificate` because:
-      - Problem:
-        - AWS variant waits until a certificate is validated.
-        - There's no way to automate validation without workaround.
-      - Solution:
-        - Deploy a lambda that deploys the certificate (so we don't wait until certificate is validated)
-        - Get DNS records to be used in validation & export it to be used later.
-  - `web-stack.yaml`: It'll deploy S3 bucket and CloudFront in front of it.
-  - `dns-stack.yaml`: It'll deploy Route53 hosted zone
-    - Each time Route53 hosted zone is re-created it's required to update the DNS records in the domain registrar. See *Configure your domain registrar*.
- I use cross stacks instead of single stack or nested stacks because:
-  - Easier to test & maintain & smaller files and different lifecycles for different areas.
-  - It allows to deploy web bucket in different region than others as other stacks are global (`us-east-1`) resources.
-
-##### Initial deployment
-
- ❗ Prerequisite: A registered domain name for website.
-
-1. **Configure build agent (GitHub actions)**
-   - Deploy manually `iam-stack.yaml` with stack name `privacysexy-iam-stack` (to follow the convention)
-     - It'll give you deploy user. Go to console &  generate secret id + key (Security credentials => Create access key) for the user [IAM users](https://console.aws.amazon.com/iam/home#/users).
-       - 🚶 Deploy secrets:
-         - Add secret id & key in GitHub Secrets.
-           - `AWS_DEPLOYMENT_USER_ACCESS_KEY_ID`, `AWS_DEPLOYMENT_USER_SECRET_ACCESS_KEY`
-         - Add more secrets given from Outputs section of the CloudFormation stack.
-     - Run GitHub actions to deploy rest of the application.
-       - It'll run `certificate-stack.yaml` and then `iam-stack.yaml`.
-
-2. **Configure your domain registrar**
-   - ❗ **Web stack will fail** after DNS stack because you need to validate your domain.
-   - 🚶 Go to your domain registrar and change name servers to NS values
-     - `dns-stack.yaml` outputs those in CloudFormation stack.
-     - You can alternatively find those in [Route53](https://console.aws.amazon.com/route53/home#hosted-zones)
-   - When nameservers of your domain updated, the certification will get validated automatically, you can then delete the failed stack in CloudFormation & re-run the GitHub actions.
-
-## Thank you for the awesome projects 🍺
-
- [Vue.js](https://vuejs.org/) the only big JavaScript framework that's not backed by companies that make money off your data.
- [liquor-tree](https://GitHub.com/amsik/liquor-tree) for the awesome & super extensible tree component.
- [Ace](https://ace.c9.io/) for code box.
- [FileSaver.js](https://GitHub.com/eligrey/FileSaver.js) for save file dialog.
- [chai](https://GitHub.com/chaijs/chai) & [mocha](https://GitHub.com/mochajs/mocha) for making testing fun.
- [js-yaml-loader](https://GitHub.com/wwilsman/js-yaml-loader) for ahead of time loading `application.yml`
- [v-tooltip](https://GitHub.com/Akryum/v-tooltip) takes seconds to have a tooltip, exactly what I needed.
+[![CI/CD to AWS with GitHub Actions](docs/gitops.png)](.github/workflows/)
--- a/aws.drawio
+++ b/aws.drawio
@@ -1 +0,0 @@
-<mxfile host="www.draw.io" modified="2019-12-27T14:40:11.720Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="6t_Q0ZRAKXZ_lLm1WdcF" version="12.4.3" type="device" pages="1"><diagram id="pFg2tUHn5hOZkmQyf_J4" name="Page-1">7Vvtd6I4F/9r+lEOEMLLR23rzJzdme3qPLMvXzwUomaLxA2x1f3rnwSIEoIWFdqd3bXnKLmEJNz7u69Jb8DtavuBhuvlZxKj5MY24+0NuLux7SAA/FsQdgXBD8yCsKA4LkjWgTDFf6GSKLttcIwypSMjJGF4rRIjkqYoYgotpJS8qN3mJFFnXYcLpBGmUZjo1F9wzJblW0DzQP+I8GIpZ7bM8s4qlJ1LQrYMY/JSIYH7G3BLCWHF1Wp7ixLBO8mX4rnxkbv7hVGUsjYPfB19Hf0+Wf6+DcbR9Mtksvm2hANYjPIcJpvyhe/IKsQpp03QAmeMhrRcPttJnqwJThmi9898ZsFe6waM9m9n8kYcZksUl40lWyWyE6PkCd2ShFBOSUnKBxzNcZJI0o0NoCn+OD0JH1HyQDLMMEn5vQiJSfmNZ0QZ5hL6sdbhkTBGVpUOwwQvxA1G1pxKNizBKZ9dAkVMEpZd9oPz91iL11xtFwLPBpnPcYSMDNFn/psZVHJlVpL4M7okSuGIhaBthVRK5gMiK8Tojncp79qeXzxSqgmQ+H85gA66BWlZwRu0S6iXMF/sRz4ggV+UYDgDGJatIUPDASWbNN7L+WWJGZquQ8GSuxfOPFX2e0xYNZmXMFCxwYEQe8GjaXbDXslNyd1A564r9bTKXuCYffEXvM5fiUW8yo1UlZvNEH9VM3KdGoXR0yKXXYXb8/zDu+STDbN1RUdkY463QoKjcj13S8aEFR4KTtjjKE5tA3M7PMccFdSI+Iz2OA5ZyH8EPeO/4Sr8i6SD8CUbZAylEU4ENTea4y/8xrRQqtmUT4m55s0ist7NZsNfprPbhGxijkvfWKeLDjAxMA1gBpWP76kgcW0dJIGOEUm7BiJ/bp/idPL8FMApjNFk+8N6+/NA18CcBWNK+DvXsdJo3ea8Z0XG/G8s5h9x0xZjpNwLHHg3tiv37jDlAxX4SQkVHNBM9RCYI9iku3s0KZ7gQsOt2eiKHog3LIMGy5btkiuN2K3bd45Ehxv1jGxohD5FYj0j3iyu1F6R4P485343RslXrZJrAg1w0i1UASdpnQNON0lTTjJHm+gJdY841xwC4J2HONvzLMv91yAuA90gDToq0mDgGa7zvmDTI0+JM/OBJDjadQu45mDzCJ7Kzn87KB0JvHV4rQsOdgIexwlU8EDdTEHfkAMr0WkH0VMjeFwNPBOODsRJcnH/uca3NFRUcH8GOzJXAKjmyrGC97VVnh6JCXHw+DTMQfc5THlErCfKjcjrW+4NYgRGdFjvbFWsdmbrsPVgcHvKfHZhTmquCDiNrggYsCHUBj0J2NcEfJ/OCYc9z07cRMR7j1y67kJcffz69WGqiRrFCyS1S5gEsiBpmNwfqCM1Wz70+ZEIkeai+wMxtit1NtwwogqW85zufq02fhODGVA277bl4EVrV209IIo5rwRY7k4m1YW6n+BVmZawkC4Qe11pBGNO4oKiJGT4Wa23NUm4fPRBOMFKFO2qlRPoBgb0LMf2i29PHbB4vXKMarWsNqzt2IbFAed5rmfbZmB558xSMEebJcfm/tUvh6ulB08TFOdeKXsPZBZOTtZH7avg5baEl/028OKiNZQigQoDD14GL+Aq8PIDeHrcngEli0//smpUil4GOxTSgYhyko1YnyALfzSukAZm0GHdybUMT5U2MC3dATZUI72+wmlbz/xVbq4pfg6jnZGhrZ6XfWcGRkK7amFO7Y30bWGAr+ZXPN9SXIt7oQfbF7nLce2gBp++bYqjgSqf63vyUKdw8aqHclvip5SXaXCnUD5zLaQsqxdI2Y5v+JWBaoUB4LYC2JDScFfptt6j4piC1HZvHLuG12LE2tNyeDKfZ6gfhOtpA0/1GE43ZMPfx4zROiG6vbw+Edhi9qsM7vl1JQ3grUMWIBoyCejUgrbVAHCuBlhWYCuyHgTXKcQbgECPxT9gttw8fv8BlPlqAEUiJi8tUxj88SqkT4NFzoAuYya3VhFym6sGPQVNz2vPu/92v8tcb/fTty+TzAzmA0uT+08UL/KjE8MoQpmwAJ9i/s6YvUkt+9azgDX+59WyKUkOpScNMg3AOn7IwndUhwVB220Qx+kJRXri9TG8JEK6JCaqHtnh6o0jxVdUoGXmH9FrQ5/3hzgajXtnNaXjOnfCf0DLUVMrv5N4qn46B/r2ZQEUcLiP24dh/FsZ1gXtykjnBlB8veryPbdNACXPSfhNHO3UsTbKWk8fhkkizvMJcYbxu6QRHUK+IYa6APID0zDBlTGS3CSGgeF7PAfJt0UDUxW7C4Im5J6rAC6oQd6EhgUq9bVeFMDR9NdvowD9Y1zfx3wz69+XKQc6ro/j/xSubUv11t2kxrC2twi9GuTaIhlaavbrgnbllXOxq53daGe8Zf4kz3H2j2V9k3TyXmb6WLLbV6xyXBF62I/oagcCng5FeisWNns53RL+L0M6eN6ldtIleNq6/cLcdQ4fLZEOLoQPdKChhtqOC7jN5jmV5zqO67mB86YIatjDeAU95xxYF42HkPGENc0pttn2GPujz1l1QNFVCSw0a9Jr2DgKGmogltnBGeVmruvVr32U/kI5f/tU4b3a/la506UKnwTapQ7gEOFAt7YRuPfWV2q5452y7bB+jKa1zgNvf8xvd5jJdDzXCuR3K6V/yxjb1l3Lp+FnTuAOhmro/K8w17owF8Zxfiaw2TZ2Yu4CDW+O/p87jfW6vqq+tqdBphrQlkKtVtM6s3DmSQunVPOOV/C6Co1bm8YTHa+Ibq6SoYxtNYvwgfumtSZfDmDWlF80Ofma6s/9CEVRk4bWFXmF4zhPfpqiEtVltghM3jHWsM/XPHHaZv9vsIXZP/wvMbj/Pw==</diagram></mxfile>
--- a/aws/certificate-stack.yaml
+++ b/aws/certificate-stack.yaml
@@ -1,211 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: Creates certificate for the root + www subdomain. !! It must be deployed in us-east-1 to be able to be used by CloudFront.
-
-Parameters:
-  
-  RootDomainName:
-    Type: String
-    Default: privacy.sexy
-    Description: The root DNS name of the website e.g. privacy.sexy
-    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
-    ConstraintDescription: Must be a valid root domain name
-  
-  IamStackName:
-    Type: String
-    Default: privacysexy-iam-stack
-    Description: Name of the IAM stack.
-  
-Resources:
-
-  # The lambda workaround exists to be able to automate certificate deployment.
-  # Problem:
-  #   Normally AWS AWS::CertificateManager::Certificate waits until a certificate is validated
-  #   And there's no way to get validation DNS records from it to validate it.
-  # Solution:
-  #   Deploy a lambda that deploys the certificate (so we don't wait until certificate is validated)
-  #   Get DNS records to be used in validation & export it to be used later.
-  
-  AcmCertificateForHostedZone:
-    Type: Custom::VerifiableCertificate #A Can use AWS::CloudFormation::CustomResource or Custom::String
-    Properties:
-      ServiceToken: !GetAtt ResolveCertificateLambda.Arn
-      # Lambda gets the following data:
-      RootDomainName: !Ref RootDomainName # Lambda will create both for root and www.root
-      Tags:
-        -
-          Key: Name
-          Value: !Ref RootDomainName
-        -
-          Key: Application
-          Value: privacy.sexy
-
-  ResolveCertificateLambda:
-    Type: AWS::Lambda::Function
-    Properties:
-      Description: Deploys certificate for root domain name + www and returns immediately arn + verification records.
-      Role:
-        Fn::ImportValue: !Join [':', [!Ref IamStackName, ResolveCertificateLambdaRoleArn]]
-      FunctionName: !Sub ${AWS::StackName}-cert-resolver-lambda # StackName- required for role to function
-      Handler: index.handler
-      Runtime: nodejs12.x
-      Timeout: 30
-      Tags: 
-        -
-          Key: Application
-          Value: privacy.sexy
-      Code:
-        # Inline script is not the best way. Some variables are named shortly to not exceed the limit 4096 but it's the cheapest way (no s3 file)
-        ZipFile: >
-          'use strict';
-          const aws = require('aws-sdk');
-          const acm = new aws.ACM();
-          const log = (t) => console.log(t);
-
-          exports.handler = async (event, context) => {
-            log(`Request recieved:\n${JSON.stringify(event)}`);
-            const userData = event.ResourceProperties;
-            const rootDomain = userData.RootDomainName;
-            let data = null;
-            try {
-              switch(event.RequestType) {
-                case 'Create':
-                  data = await handleCreateAsync(rootDomain, userData.Tags);
-                  break;
-                case 'Update':
-                  data = await handleUpdateAsync();
-                  break;
-                case 'Delete':
-                  data = await handleDeleteAsync(rootDomain);
-                  break;
-              }
-              await sendResponseAsync(event, context, 'SUCCESS', data);
-            } catch(error) {
-              await sendResponseAsync(event, context, 'ERROR', {
-                title: `Failed to ${event.RequestType}, see error`,
-                error: error
-              });
-            }
-          }
-
-          async function handleCreateAsync(rootDomain, tags) {
-            const { CertificateArn } = await acm.requestCertificate({
-              DomainName: rootDomain,
-              SubjectAlternativeNames: [`www.${rootDomain}`],
-              Tags: tags,
-              ValidationMethod: 'DNS',
-            }).promise();
-            log(`Cert requested:${CertificateArn}`);
-            const waitAsync = (ms) => new Promise(resolve => setTimeout(resolve, ms));
-            const maxAttempts = 10;
-            let options = undefined;
-            for (let attempt = 0; attempt < maxAttempts && !options; attempt++) {
-              await waitAsync(2000);
-              const { Certificate } = await acm.describeCertificate({ CertificateArn }).promise();
-              if(Certificate.DomainValidationOptions.filter((o) => o.ResourceRecord).length === 2) {
-                options = Certificate.DomainValidationOptions;
-              }
-            }
-            if(!options) {
-              throw new Error(`No records after ${maxAttempts} attempts.`);
-            }
-            return getResponseData(options, CertificateArn, rootDomain);
-          }
-
-          async function handleDeleteAsync(rootDomain) {
-            const certs = await acm.listCertificates({}).promise();
-            const cert = certs.CertificateSummaryList.find((cert) => cert.DomainName === rootDomain);
-            if (cert) {
-              await acm.deleteCertificate({ CertificateArn: cert.CertificateArn }).promise();
-              log(`Deleted ${cert.CertificateArn}`);
-            } else {
-              log('Cannot find'); // Do not fail, delete can be called when e.g. CF fails before creating cert
-            }
-            return null;
-          }
-
-          async function handleUpdateAsync() {
-            throw new Error(`Not yet implemented update`);
-          }
-
-          function getResponseData(options, arn, rootDomain) {
-            const findRecord = (url) => options.find(option => option.DomainName === url).ResourceRecord;
-            const root = findRecord(rootDomain);
-            const www = findRecord(`www.${rootDomain}`);
-            const data = {
-                CertificateArn: arn,
-                RootVerificationRecordName: root.Name,
-                RootVerificationRecordValue: root.Value,
-                WwwVerificationRecordName: www.Name,
-                WwwVerificationRecordValue: www.Value,
-            };
-            return data;
-          }
-
-          /* cfn-response can't async / await :( */
-          async function sendResponseAsync(event, context, responseStatus, responseData, physicalResourceId) {
-            return new Promise((s, f) => {
-              var b = JSON.stringify({
-                        Status: responseStatus,
-                        Reason: `See the details in CloudWatch Log Stream: ${context.logStreamName}`,
-                        PhysicalResourceId: physicalResourceId || context.logStreamName,
-                        StackId: event.StackId,
-                        RequestId: event.RequestId,
-                        LogicalResourceId: event.LogicalResourceId,
-                        Data: responseData
-              });
-              log(`Response body:\n${b}`);
-              var u = require("url").parse(event.ResponseURL);
-              var r = require("https").request(
-                {
-                  hostname: u.hostname,
-                  port: 443,
-                  path: u.path,
-                  method: "PUT",
-                  headers: {
-                    "content-type": "",
-                    "content-length": b.length
-                  }
-                }, (p) => {
-                  log(`Status code: ${p.statusCode}`);
-                  log(`Status message: ${p.statusMessage}`);
-                  s(context.done());
-                });
-              r.on("error", (e) => {
-                log(`request failed: ${e}`);
-                f(context.done(e));
-              });
-              r.write(b);
-              r.end();
-            });
-          }
-
-Outputs:
-  CertificateArn:
-    Description: The Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
-    Value: !GetAtt AcmCertificateForHostedZone.CertificateArn
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', CertificateArn ]]
-
-  RootVerificationRecordName:
-    Description: Name for root domain CNAME verification record
-    Value: !GetAtt AcmCertificateForHostedZone.RootVerificationRecordName
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', RootVerificationRecordName ]]
-
-  RootVerificationRecordValue:
-    Description: Value for root domain name CNAME verification record
-    Value: !GetAtt AcmCertificateForHostedZone.RootVerificationRecordValue
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', RootVerificationRecordValue ]]
-
-  WwwVerificationRecordName:
-    Description: Name for www domain name CNAME verification record
-    Value: !GetAtt AcmCertificateForHostedZone.WwwVerificationRecordName
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', WwwVerificationRecordName ]]
-
-  WwwVerificationRecordValue:
-    Description: Value for www domain name CNAME verification record
-    Value: !GetAtt AcmCertificateForHostedZone.WwwVerificationRecordValue
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', WwwVerificationRecordValue ]]
--- a/aws/dns-stack.yaml
+++ b/aws/dns-stack.yaml
@@ -1,61 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: Creates hosted zone & sets up records for the CloudFront URL.
-
-Parameters:
-
-  RootDomainName:
-    Type: String
-    Default: privacy.sexy
-    Description: The root DNS name of the website e.g. privacy.sexy
-    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
-    ConstraintDescription: Must be a valid root domain name
-  
-  CertificateStackName:
-    Type: String
-    Default: privacysexy-certificate-stack
-    Description: Name of the certificate stack.
-
-Resources:
-
-  DNSHostedZone:
-    Type: AWS::Route53::HostedZone
-    Properties:
-      Name: !Ref RootDomainName
-      HostedZoneConfig:
-        Comment: !Join ['', ['Hosted zone for ', !Ref RootDomainName]]
-      HostedZoneTags:
-        -
-          Key: Application
-          Value: privacy.sexy
-
-  CertificateValidationDNSRecords:
-    Type: AWS::Route53::RecordSetGroup
-    Properties: 
-      HostedZoneId: !Ref DNSHostedZone
-      RecordSets:
-        -
-          Name: 
-            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, RootVerificationRecordName]]
-          Type: 'CNAME'
-          TTL: '60'
-          ResourceRecords:
-            - Fn::ImportValue: !Join [':', [!Ref CertificateStackName, RootVerificationRecordValue]]
-        -
-          Name: 
-            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, WwwVerificationRecordName]]
-          Type: 'CNAME'
-          TTL: '60'
-          ResourceRecords:
-            - Fn::ImportValue: !Join [':', [!Ref CertificateStackName, WwwVerificationRecordValue]]
-
-Outputs:
-  
-  DNSHostedZoneNameServers:
-    Description: Name servers to update in domain registrar.
-    Value: !Join ['           ', !GetAtt DNSHostedZone.NameServers]
- 
-  DNSHostedZoneId:
-    Description: The ID of the hosted zone that you want to create the record in.
-    Value: !Ref DNSHostedZone
-    Export:
-      Name: !Join [':', [ !Ref 'AWS::StackName', DNSHostedZoneId ]]
--- a/aws/iam-stack.yaml
+++ b/aws/iam-stack.yaml
@@ -1,496 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: |-
-  > Deploys the identity management for the deployment
-
-# Granulatiy cheatsheet: https://iam.cloudonaut.io/
-
-Parameters:
-    WebStackName:
-      Type: String
-      Default: privacysexy-web-stack
-      Description: Name of the web stack.
-    DnsStackName:
-      Type: String
-      Default: privacysexy-dns-stack
-      Description: Name of the DNS stack.
-    CertificateStackName:
-      Type: String
-      Default: privacysexy-certificate-stack
-      Description: Name of the IAM stack.
-
-Resources:
-
-  # -----------------------------
-  # ------ User & Group ---------
-  # -----------------------------
-  DeploymentGroup:
-    Type: AWS::IAM::Group
-    Properties: 
-      # GroupName: No hardcoded naming because of easier CloudFormation management
-      ManagedPolicyArns:
-        - !Ref AllowValidateTemplatePolicy
-  
-  DeploymentUser:
-    Type: AWS::IAM::User
-    Properties:
-    #   # UserName: No hardcoded naming because of easier CloudFormation management
-    #   # Policies: Assing policies on group level
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-
-  AddDeploymentUserToDeploymentGroup:
-    Type: AWS::IAM::UserToGroupAddition
-    Properties:
-      GroupName: !Ref DeploymentGroup
-      Users:
-        - !Ref DeploymentUser
-
-  # -----------------------------
-  # ----------- Roles -----------
-  # -----------------------------
-  IamStackDeployRole:
-    Type: AWS::IAM::Role
-    Properties:
-      Description: Allows to deploy IAM stack
-      AssumeRolePolicyDocument:
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              AWS: !GetAtt DeploymentUser.Arn
-            Action: sts:AssumeRole
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-      ManagedPolicyArns: 
-        - !Ref CloudFormationDeployPolicy
-        - !Ref PolicyDeployPolicy
-        - !Ref IamStackDeployPolicy
-
-  CertificateStackDeployRole:
-    Type: AWS::IAM::Role
-    Properties:
-      Description: Allows to deploy certificate stack
-      AssumeRolePolicyDocument:
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              AWS: !GetAtt DeploymentUser.Arn
-            Action: sts:AssumeRole
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-      ManagedPolicyArns: 
-        - !Ref CloudFormationDeployPolicy
-        - !Ref LambdaBackedCustomResourceDeployPolicy
-
-  DnsStackDeployRole:
-    Type: AWS::IAM::Role
-    Properties:
-      Description: Allows to deploy DNS stack
-      AssumeRolePolicyDocument:
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              AWS: !GetAtt DeploymentUser.Arn
-            Action: sts:AssumeRole
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-      ManagedPolicyArns: 
-        - !Ref CloudFormationDeployPolicy
-        - !Ref DnsStackDeployPolicy
-
-  WebStackDeployRole:
-    Type: AWS::IAM::Role
-    Properties:
-      Description: Allows to deploy web stack
-      AssumeRolePolicyDocument:
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              AWS: !GetAtt DeploymentUser.Arn
-            Action: sts:AssumeRole
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-      ManagedPolicyArns: 
-        - !Ref CloudFormationDeployPolicy
-        - !Ref WebStackDeployPolicy
-
-  S3SiteDeployRole:
-      Type: 'AWS::IAM::Role'
-      Properties:
-        Description: "Allows to deploy website to S3"
-        AssumeRolePolicyDocument:
-          Statement:
-            -
-              Effect: Allow
-              Principal:
-                AWS: !GetAtt DeploymentUser.Arn
-              Action: sts:AssumeRole
-        Tags:
-          -
-            Key: Application
-            Value: privacy.sexy
-        ManagedPolicyArns:
-          - !Ref S3SiteDeployPolicy
-          - !Ref StackExportReaderPolicy
-
-  CloudFrontSiteDeployRole:
-      Type: 'AWS::IAM::Role'
-      Properties:
-        Description: "Allows to informs to CloudFront to renew its cache from S3"
-        AssumeRolePolicyDocument:
-          Statement:
-            -
-              Effect: Allow
-              Principal:
-                AWS: !GetAtt DeploymentUser.Arn
-              Action: sts:AssumeRole
-        Tags:
-          -
-            Key: Application
-            Value: privacy.sexy
-        ManagedPolicyArns:
-          - !Ref CloudFrontInvalidationPolicy
-          - !Ref StackExportReaderPolicy
-
-  ResolveCertificateLambdaRole: # See certificate stack
-    Type: AWS::IAM::Role
-    Properties:
-      Description: Allow deployment of certificates
-      AssumeRolePolicyDocument:
-        Statement:
-          -
-            Effect: Allow
-            Principal:
-              Service: lambda.amazonaws.com
-            Action: sts:AssumeRole
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-        - !Ref CertificateDeployPolicy
-
-  # --------------------------------
-  # ----------- Policies -----------
-  # --------------------------------
-
-  AllowValidateTemplatePolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: "No read & writes to resources, reveals just basic CloudFormation API to be used for validating templates"
-      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowCloudFormationTemplateValidation
-            Effect: Allow
-            Action:
-              - cloudformation:ValidateTemplate
-            Resource: '*'
-
-  CloudFormationDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: "Allows deploying CloudFormation using CLI command 'aws cloudformation deploy' (with change sets)"
-      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowCloudFormationStackOperations
-            Effect: Allow
-            Action:
-              - cloudformation:GetTemplateSummary
-              - cloudformation:DescribeStacks
-              - cloudformation:CreateChangeSet
-              - cloudformation:ExecuteChangeSet
-              - cloudformation:DescribeChangeSet
-            Resource:
-              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${WebStackName}/*
-              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${DnsStackName}/*
-              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${AWS::StackName}/*
-              - !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${CertificateStackName}/*
-
-  IamStackDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deploying IAM CloudFormation stack.
-      # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowUserArnExport
-            Effect: Allow
-            Action:
-              - iam:GetUser
-            Resource:
-              - !GetAtt DeploymentUser.Arn
-          -
-            Sid: AllowTagging
-            Effect: Allow
-            Action:
-              - iam:TagResource
-            Resource:
-              - !Sub arn:aws:cloudformation::${AWS::AccountId}:stack/${AWS::StackName}/*
-              - !GetAtt DeploymentUser.Arn
-          -
-            Sid: AllowRoleDeployment
-            Effect: Allow
-            Action:
-              - iam:CreateRole
-            Resource:
-              - !Sub arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-*
-
-  LambdaBackedCustomResourceDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deploying a lambda-backed custom resource.
-      # ManagedPolicyName: # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowLambdaDeployment
-            Effect: Allow
-            Action:
-              - lambda:GetFunction
-              - lambda:DeleteFunction
-              - lambda:CreateFunction
-              - lambda:GetFunctionConfiguration
-              - lambda:InvokeFunction
-            Resource:
-              - !Sub arn:aws:lambda:*:${AWS::AccountId}:function:${CertificateStackName}*
-          -
-            Sid: AllowPassingLambdaRole
-            Effect: Allow
-            Action:
-              - iam:PassRole
-            Resource:
-              - !GetAtt ResolveCertificateLambdaRole.Arn
-
-  CertificateDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deploying certifications stack.
-      # ManagedPolicyName: # ManagedPolicyName: No hardcoded naming because of easier CloudFormation management
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowCertificateDeployment
-            Effect: Allow
-            Action:
-              - acm:RequestCertificate
-              - acm:DescribeCertificate
-              - acm:DeleteCertificate
-              - acm:AddTagsToCertificate
-              - acm:ListCertificates
-            Resource: '*' # Certificate Manager does not support resource level IAM
-
-  PolicyDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deployment of policies
-      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowPolicyUpdates
-            Effect: Allow
-            Action:
-              - iam:ListPolicyVersions
-              - iam:CreatePolicyVersion
-              - iam:DeletePolicyVersion
-              - iam:CreatePolicy 
-              - iam:DeletePolicy 
-              - iam:GetPolicy
-            Resource:
-              - !Sub arn:aws:iam::${AWS::AccountId}:policy/${AWS::StackName}-* # when ManagedPolicyName is not given policies get name like StackName-*
-          -
-            Sid: AllowPoliciesOnRoles
-            Effect: Allow
-            Action:
-              - iam:AttachRolePolicy
-              - iam:DetachRolePolicy
-              - iam:GetRole
-            Resource:
-              - !Sub arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-*
-          - 
-            Sid: AllowPolicyAssigmentToGroup
-            Effect: Allow
-            Action:
-              - iam:AttachGroupPolicy
-              - iam:DetachGroupPolicy
-            Resource:
-              - !GetAtt DeploymentGroup.Arn
-          - 
-            Sid: AllowGettingGroupInformation
-            Effect: Allow
-            Action:
-              - iam:GetGroup
-            Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/${DeploymentGroup}
-
-  DnsStackDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deployment of DNS stack
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowHostedZoneDeployment
-            Effect: Allow
-            Action:
-              - route53:CreateHostedZone
-              - route53:ListQueryLoggingConfigs
-              - route53:DeleteHostedZone
-              - route53:GetChange
-              - route53:ChangeTagsForResource
-              - route53:GetHostedZone
-              - route53:ChangeResourceRecordSets
-            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-manage-access-intro-resource-policies
-          
-  WebStackDeployPolicy:
-    # We need a role to run s3:PutBucketPolicy, IAM users cannot run it. See https://stackoverflow.com/a/48551383 
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows deployment of web stack
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowCloudFrontOAIDeployment
-            Effect: Allow
-            Action:
-              - cloudfront:GetCloudFrontOriginAccessIdentity
-              - cloudfront:CreateCloudFrontOriginAccessIdentity
-              - cloudfront:GetCloudFrontOriginAccessIdentityConfig
-              - cloudfront:DeleteCloudFrontOriginAccessIdentity
-            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
-          -
-            Sid: AllowCloudFrontDistributionDeployment
-            Effect: Allow
-            Action:
-              - cloudfront:CreateDistribution
-              - cloudfront:DeleteDistribution
-              - cloudfront:UpdateDistribution
-              - cloudfront:GetDistribution
-              - cloudfront:TagResource
-              - cloudfront:UpdateCloudFrontOriginAccessIdentity
-            Resource: !Sub arn:aws:cloudfront::${AWS::AccountId}:*
-          -
-            Sid: AllowS3BucketPolicyAccess
-            Effect: Allow
-            Action:
-              - s3:CreateBucket
-              - s3:DeleteBucket
-              - s3:PutBucketWebsite
-              - s3:DeleteBucketPolicy
-              - s3:PutBucketPolicy
-              - s3:GetBucketPolicy
-            Resource: !Sub arn:aws:s3:::${WebStackName}*
-          -
-            Sid: AllowRecordDeploymentToRoute53
-            Effect: Allow
-            Action:
-              - route53:GetHostedZone
-              - route53:ChangeResourceRecordSets
-              - route53:GetChange
-              - route53:ListResourceRecordSets
-            Resource: '*' # Does not support resource-level permissions https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html#access-control-manage-access-intro-resource-policies
-
-  S3SiteDeployPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows listing buckets to be able to list objects in a bucket
-      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resources
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowListingObjects
-            Effect: Allow
-            Action:
-              - s3:ListBucket # To allow ListObjectsV2
-            Resource: !Sub arn:aws:s3:::${WebStackName}*
-          -
-            Sid: AllowUpdatingObjects
-            Effect: Allow
-            Action:
-              - s3:PutObject
-              - s3:DeleteObject
-            Resource: !Sub arn:aws:s3:::${WebStackName}*/*
-
-  CloudFrontInvalidationPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows creating invalidations on CloudFront
-      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowCloudFrontInvalidations
-            Effect: Allow
-            Action:
-              - cloudfront:CreateInvalidation
-            Resource: "*" # Does not support resource-level permissions https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cf-api-permissions-ref.html
-
-  StackExportReaderPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      Description: Allows creating invalidations on CloudFront
-      # ManagedPolicyName: Commented out because CloudFormation requires to rename when replacing custom-named resource
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          -
-            Sid: AllowGettingBucketName
-            Effect: Allow
-            Action:
-              - cloudformation:DescribeStacks
-            Resource: !Sub arn:aws:cloudformation:*:${AWS::AccountId}:stack/${WebStackName}/*
-    
-Outputs:
-  ResolveCertificateLambdaRoleArn: 
-    Description: The Amazon Resource Name (ARN) of the lambda for deploying certificates.
-    Value: !GetAtt ResolveCertificateLambdaRole.Arn
-    Export:
-      Name: !Join [ ':', [ !Ref 'AWS::StackName', ResolveCertificateLambdaRoleArn ] ]
-
-  CertificateStackDeployRoleArn: 
-    Description: "GitHub secret: AWS_CERTIFICATE_STACK_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt CertificateStackDeployRole.Arn
-
-  DnsStackDeployRoleArn: 
-    Description: "GitHub secret: AWS_DNS_STACK_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt DnsStackDeployRole.Arn
-
-  IamStackDeployRoleArn: 
-    Description: "GitHub secret: AWS_IAM_STACK_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt IamStackDeployRole.Arn
-
-  WebStackDeployRoleArn: 
-    Description: "GitHub secret: AWS_WEB_STACK_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt WebStackDeployRole.Arn
-
-  S3SiteDeployRoleArn: 
-    Description: "GitHub secret: AWS_S3_SITE_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt S3SiteDeployRole.Arn
-
-  CloudFrontSiteDeployRoleArn: 
-    Description: "GitHub secret: AWS_CLOUDFRONT_SITE_DEPLOYMENT_ROLE_ARN"
-    Value: !GetAtt CloudFrontSiteDeployRole.Arn
--- a/aws/scripts/configure/create-role-profile.sh
+++ b/aws/scripts/configure/create-role-profile.sh
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --user-profile) USER_PROFILE="$2"; shift;;
-  --role-profile) ROLE_PROFILE="$2"; shift;;
-  --role-arn) ROLE_ARN="$2"; shift;;
-  --session) SESSION="$2";shift;;
-  --region) REGION="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$USER_PROFILE" ]; then echo "User profile name is not set."; exit 1; fi;
-if [ -z "$ROLE_PROFILE" ]; then echo "Role profile name is not set."; exit 1; fi;
-if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set"; exit 1; fi;
-if [ -z "$SESSION" ]; then echo "Session name is not set."; exit 1; fi;
-if [ -z "$REGION" ]; then echo "Region is not set."; exit 1; fi;
-
-creds=$(aws sts assume-role --role-arn $ROLE_ARN --role-session-name $SESSION --profile $USER_PROFILE)
-
-aws_access_key_id=$(echo $creds | jq -r '.Credentials.AccessKeyId')
-echo ::add-mask::$aws_access_key_id
-aws_secret_access_key=$(echo $creds | jq -r '.Credentials.SecretAccessKey')
-echo ::add-mask::$aws_secret_access_key
-aws_session_token=$(echo $creds | jq -r '.Credentials.SessionToken')
-echo ::add-mask::$aws_session_token
-
-aws configure --profile $ROLE_PROFILE set aws_access_key_id $aws_access_key_id
-aws configure --profile $ROLE_PROFILE set aws_secret_access_key $aws_secret_access_key
-aws configure --profile $ROLE_PROFILE set aws_session_token $aws_session_token
-aws configure --profile $ROLE_PROFILE set region $REGION
-
-echo Profile $ROLE_PROFILE is created
-
-bash "${BASH_SOURCE%/*}/mask-identity.sh" --profile $ROLE_PROFILE
--- a/aws/scripts/configure/create-user-profile.sh
+++ b/aws/scripts/configure/create-user-profile.sh
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --profile) PROFILE="$2"; shift;;
-  --access-key-id) ACCESS_KEY_ID="$2"; shift;;
-  --secret-access-key) SECRET_ACCESS_KEY="$2"; shift;;
-  --region) REGION="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$PROFILE" ]; then echo "Profile name is not set."; exit 1; fi;
-echo $PROFILE
-if [ -z "$ACCESS_KEY_ID" ]; then echo "Access key ID is not set"; exit 1; fi;
-if [ -z "$SECRET_ACCESS_KEY" ]; then echo "Secret access key is not set."; exit 1; fi;
-if [ -z "$REGION" ]; then echo "Region is not set."; exit 1; fi;
-
-aws configure --profile $PROFILE set aws_access_key_id $ACCESS_KEY_ID
-aws configure --profile $PROFILE set aws_secret_access_key $SECRET_ACCESS_KEY
-aws configure --profile $PROFILE set region $REGION
-
-echo Profile $PROFILE is created
-
-bash "${BASH_SOURCE%/*}/mask-identity.sh" --profile $PROFILE
--- a/aws/scripts/configure/mask-identity.sh
+++ b/aws/scripts/configure/mask-identity.sh
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --profile) PROFILE="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$PROFILE" ]; then echo "Profile name is not set."; exit 1; fi;
-
-aws_identity=$(aws sts get-caller-identity --profile $PROFILE)
-echo ::add-mask::$(echo $aws_identity | jq -r '.Account')
-echo ::add-mask::$(echo $aws_identity | jq -r '.UserId')
-echo ::add-mask::$(echo $aws_identity | jq -r '.Arn')
-
-echo Credentials are masked
--- a/aws/scripts/deploy/deploy-stack.sh
+++ b/aws/scripts/deploy/deploy-stack.sh
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --template-file) TEMPLATE_FILE="$2"; shift;;
-  --stack-name) STACK_NAME="$2"; shift;;
-  --profile) PROFILE="$2"; shift;;
-  --capabilities) CAPABILITY_IAM="$2"; shift;;
-  --role-arn) ROLE_ARN="$2";shift;;
-  --session) SESSION="$2";shift;;
-  --region) REGION="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$TEMPLATE_FILE" ]; then echo "Template file is not set."; exit 1; fi;
-if [ -z "$STACK_NAME" ]; then echo "Template file is not set."; exit 1; fi;
-if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
-if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
-if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
-
-
-echo Validating stack "$STACK_NAME"
-aws cloudformation validate-template \
-    --template-body file://$TEMPLATE_FILE \
-    --profile $PROFILE
-
-ROLE_PROFILE=$STACK_NAME
-
-echo Assuming role
-bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
-    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
-    --role-arn $ROLE_ARN \
-    --session $SESSION \
-    --region $REGION
-
-echo Deploying stack "$TEMPLATE_FILE"
-aws cloudformation deploy \
-    --template-file $TEMPLATE_FILE \
-    --stack-name $STACK_NAME \
-    ${CAPABILITY_IAM:+ --capabilities $CAPABILITY_IAM} \
-    --no-fail-on-empty-changeset \
-    --profile $ROLE_PROFILE
--- a/aws/scripts/deploy/deploy-to-s3.sh
+++ b/aws/scripts/deploy/deploy-to-s3.sh
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --folder) FOLDER="$2"; shift;;
-  --web-stack-name) WEB_STACK_NAME="$2"; shift;;
-  --web-stack-s3-name-output-name) WEB_STACK_S3_NAME_OUTPUT_NAME="$2"; shift;;
-  --storage-class) STORAGE_CLASS="$2"; shift;;
-  --profile) PROFILE="$2"; shift;;
-  --role-arn) ROLE_ARN="$2";shift;;
-  --session) SESSION="$2";shift;;
-  --region) REGION="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$FOLDER" ]; then echo "Folder is not set."; exit 1; fi;
-if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
-if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
-if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
-if [ -z "$WEB_STACK_NAME" ]; then echo "Web stack name is not set."; exit 1; fi;
-if [ -z "$WEB_STACK_S3_NAME_OUTPUT_NAME" ]; then echo "S3 name output name is not set."; exit 1; fi;
-if [ -z "$STORAGE_CLASS" ]; then echo "S3 object storage class is not set."; exit 1; fi;
-
-echo Assuming role
-ROLE_PROFILE=deploy-s3
-bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
-    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
-    --role-arn $ROLE_ARN \
-    --session $SESSION \
-    --region $REGION
-
-echo Getting S3 bucket name from stack "$WEB_STACK_NAME" with output "$WEB_STACK_S3_NAME_OUTPUT_NAME"
-S3_BUCKET_NAME=$(aws cloudformation describe-stacks \
-            --stack-name $WEB_STACK_NAME \
-            --query "Stacks[0].Outputs[?OutputKey=='$WEB_STACK_S3_NAME_OUTPUT_NAME'].OutputValue" \
-            --output text \
-            --profile $ROLE_PROFILE)
-if [ -z "$S3_BUCKET_NAME" ]; then echo "Could not read S3 bucket name"; exit 1; fi;
-echo ::add-mask::$S3_BUCKET_NAME # Just being extra cautious
-
-echo Syncing folder to S3
-
-aws s3 sync $FOLDER s3://$S3_BUCKET_NAME \
-    --storage-class $STORAGE_CLASS  \
-    --no-progress --follow-symlinks --delete \
-    --profile $ROLE_PROFILE
--- a/aws/scripts/deploy/invalidate-cloudfront-cache.sh
+++ b/aws/scripts/deploy/invalidate-cloudfront-cache.sh
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Parse parameters
-while [[ "$#" -gt 0 ]]; do case $1 in
-  --paths) PATHS="$2"; shift;;
-  --web-stack-name) WEB_STACK_NAME="$2"; shift;;
-  --web-stack-cloudfront-arn-output-name) WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME="$2"; shift;;
-  --profile) PROFILE="$2"; shift;;
-  --role-arn) ROLE_ARN="$2";shift;;
-  --session) SESSION="$2";shift;;
-  --region) REGION="$2";shift;;
-  *) echo "Unknown parameter passed: $1"; exit 1;;
-esac; shift; done
-
-# Verify parameters
-if [ -z "$PATHS" ]; then echo "Paths is not set."; exit 1; fi;
-if [ -z "$PROFILE" ]; then echo "Profile is not set."; exit 1; fi;
-if [ -z "$ROLE_ARN" ]; then echo "Role ARN is not set."; exit 1; fi;
-if [ -z "$SESSION" ]; then echo "Role session is not set."; exit 1; fi;
-if [ -z "$WEB_STACK_NAME" ]; then echo "Web stack name is not set."; exit 1; fi;
-if [ -z "$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME" ]; then echo "CloudFront ARN output name is not set."; exit 1; fi;
-
-
-echo Assuming role
-ROLE_PROFILE=invalidate-cloudfront
-bash "${BASH_SOURCE%/*}/../configure/create-role-profile.sh" \
-    --role-profile $ROLE_PROFILE --user-profile $PROFILE \
-    --role-arn $ROLE_ARN \
-    --session $SESSION \
-    --region $REGION
-
-echo Getting CloudFront ARN from stack "$WEB_STACK_NAME" with output "$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME"
-CLOUDFRONT_ARN=$(aws cloudformation describe-stacks \
-            --stack-name $WEB_STACK_NAME \
-            --query "Stacks[0].Outputs[?OutputKey=='$WEB_STACK_CLOUDFRONT_ARN_OUTPUT_NAME'].OutputValue" \
-            --output text \
-            --profile $ROLE_PROFILE)
-if [ -z "$CLOUDFRONT_ARN" ]; then echo "Could not read CloudFront ARN"; exit 1; fi;
-echo ::add-mask::$CLOUDFRONT_ARN
-
-echo Syncing folder to S3
-aws cloudfront create-invalidation \
-    --paths $PATHS \
-    --distribution-id $CLOUDFRONT_ARN \
-    --profile $ROLE_PROFILE
--- a/aws/web-stack.yaml
+++ b/aws/web-stack.yaml
@@ -1,138 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-
-Description: |-
-  > Creates an S3 bucket configured for hosting a static webpage.
-  > Creates CloudFront distribution that has access to read the S3 bucket.
-
-Parameters:
-
-  RootDomainName:
-    Type: String
-    Default: privacy.sexy
-    Description: The root DNS name of the website e.g. privacy.sexy
-    AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
-    ConstraintDescription: Must be a valid root domain name
-
-  CertificateStackName:
-    Type: String
-    Default: privacysexy-certificate-stack
-    Description: Name of the certificate stack.
-
-  DnsStackName:
-    Type: String
-    Default: privacysexy-dns-stack
-    Description: Name of the certificate stack.
-
-  PriceClass:
-    Type: String
-    Description: The CloudFront distribution price class
-    Default: 'PriceClass_100'
-    AllowedValues:
-      - 'PriceClass_100'
-      - 'PriceClass_200'
-      - 'PriceClass_All'
-
-Resources:
-
-  S3Bucket:
-    Type: AWS::S3::Bucket
-    Properties:
-      BucketName: !Sub ${AWS::StackName}-${RootDomainName} # Must have stack name for IAM to allow
-      WebsiteConfiguration:
-        IndexDocument: index.html
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy    
- 
-  S3BucketPolicy:
-    Type: AWS::S3::BucketPolicy
-    Properties:
-      Bucket: !Ref S3Bucket
-      PolicyDocument: # Only used for CloudFront as it's the only way, otherwise use IAM roles in IAM stack.
-        Statement:
-          -
-            Sid: AllowCloudFrontRead
-            Action: s3:GetObject
-            Effect: Allow
-            Principal:
-                CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
-            Resource: !Join ['', ['arn:aws:s3:::', !Ref S3Bucket, /*]]
-    
-  CloudFrontOriginAccessIdentity:
-    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
-    Properties:
-      CloudFrontOriginAccessIdentityConfig:
-        Comment: !Sub 'CloudFront OAI for ${S3Bucket}'
-    
-  CloudFrontDistribution:
-    Type: AWS::CloudFront::Distribution
-    Properties:
-      DistributionConfig:
-        Comment: Cloudfront Distribution pointing to S3 bucket
-        Origins:
-          -
-            DomainName: !GetAtt S3Bucket.DomainName
-            Id: S3Origin
-            S3OriginConfig:
-                OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
-        Enabled: true
-        HttpVersion: 'http2'
-        DefaultRootObject: index.html
-        Aliases:
-          - !Ref RootDomainName
-          - !Sub 'www.${RootDomainName}'
-        DefaultCacheBehavior:
-          AllowedMethods:
-            - GET
-            - HEAD
-          Compress: true
-          TargetOriginId: S3Origin
-          ForwardedValues:
-            QueryString: true
-            Cookies:
-              Forward: none
-          ViewerProtocolPolicy: redirect-to-https
-        PriceClass: !Ref PriceClass
-        ViewerCertificate:
-          AcmCertificateArn:
-            # Certificate must be validated before it can be used here
-            Fn::ImportValue: !Join [':', [!Ref CertificateStackName, CertificateArn]]
-          SslSupportMethod: sni-only
-          MinimumProtocolVersion: TLSv1.1_2016
-      Tags:
-        -
-          Key: Application
-          Value: privacy.sexy
-
-  CloudFrontDNSRecords:
-    Type: AWS::Route53::RecordSetGroup
-    Properties: 
-      HostedZoneId:
-        Fn::ImportValue: !Join [':', [!Ref DnsStackName, DNSHostedZoneId]]
-      RecordSets:
-        -
-          Name: !Ref RootDomainName
-          Type: A         
-          AliasTarget: 
-            DNSName: !GetAtt CloudFrontDistribution.DomainName
-            EvaluateTargetHealth: false
-            HostedZoneId: Z2FDTNDATAQYW2 # Static CloudFront distribution zone https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
-        -
-          Name: !Join ['', ['www.', !Ref RootDomainName]]
-          Type: A
-          AliasTarget: 
-            DNSName: !GetAtt CloudFrontDistribution.DomainName
-            EvaluateTargetHealth: false
-            HostedZoneId: Z2FDTNDATAQYW2 # Static CloudFront distribution zone https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
-Outputs:
-
-  CloudFrontDistributionArn:  # Used by deployment script to be able to deploy to right S3 bucket
-    Description: Tthe Amazon Resource Name (ARN) of the CloudFront distribution.
-    Value: !Ref CloudFrontDistribution
-
-  S3BucketName: # Used by deployment script to be able to deploy to right S3 bucket
-    Description: Name of the S3 bucket.
-    Value: !Ref S3Bucket
-
-
--- a/docs/aws-cloudformation.drawio
+++ b/docs/aws-cloudformation.drawio
--- a/docs/aws-cloudformation.png
+++ b/docs/aws-cloudformation.png
--- a/docs/ci-cd.drawio
+++ b/docs/ci-cd.drawio
@@ -1 +0,0 @@
-<mxfile host="www.draw.io" modified="2019-12-30T13:07:22.931Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="vfXOAJJrIONaUEloGBPR" version="12.4.7" type="device"><diagram id="ymF_tBZ9P2_Wfw9L8arg" name="Page-1">5Vpbb9s2FP41AbYHC7zp9hjHdVqsGwpkQNu9FIxEy2xlUaWo2N6v36FEOZLlXNw6S7IpQUwd3j9+/M4hnTN6sdpcal4uf1epyM8ISjdndHZGSOQT+GsN29YwIRFqLZmWaWvDt4Yr+bdwxq5YLVNRDQoapXIjy6ExUUUhEjOwca3VelhsofJhryXPxMhwlfB8bP0oU7Ps5oVu7W+FzJZdzxi5nBXvCjtDteSpWvdM9M0ZvdBKmTa12lyI3ILX4dLWm9+RuxuYFoV5TAWx2swv/wy+49kff33Kok8f39/8NnHLc8Pz2k14JspcbStbsVhoXhldJ6bWwk3CbDtktKqLVNjG0RmdKm2WKlMFz98rVYIRg/GrMGbr1pTXRoFpaVa5y015tWzqdy8fuDFCF42FIGsdz9FNu1K1TsQ9E2OOK1xnwtxTDvttQZEOeOAgvBRqJYzeQgHH6AnyCGVBW8mRmro2tMi5kTdD5nBHwGzX1K71D0rCtHZN05B6FB4/ZiGNCQoHneAgxF7Mho22MLh2+mu/17QfIA8F8e0zbBrHyMOxH0IyojgkZNhLC+LDvezNWC0WlRjUgEQP01tTw9QjWEtHrJ3WMk+rRgdSoGqQw5pPrzWkMptqSQ3Za3FtR1iWuUxgrVTxH6V1eDSrEQuGhCPsNKxm2KMIIYZY5Ef0dJwOgsALaLij9HBPYqC71yN87B/J6adnMRux+FKat7Ul6HliuVmNyAk+pLRJuWrcVp92N0Ib4HR+nsvMcs1Yuu6s7/m1yD+oSjacp7NrZYxaQYHcZkx58i1riH+hcqWbvuiieaBI09l5Vbbu1e4K3r0s5MZSferGM1saY/3yucWKzJO0YJ4Ez7yQsKW0l0CPZJ5yw+HD2iv7qYou6WPiMiaVSiTPJ5k0y/p6gknklUUGHS1knndjLFRhMViowlw5iA44RWeyQIjNY/YCCXwvYOj2YUNikcA59PVtPAADbG3LfizQGQ9tlgGZjmWOP2LOuwJeJEArGhHkyfKFOezHKhE4IhoPEacnEqKYgl7c6QMp6IUfhjTwGWUhi+kPelofeywaNs380KMEiERiGuGXKEXBiFAXuarTuVZuTH0eqdrkshAXu4gbuV3YEw/4mdv+p5nmqRSDvJj5sznp5c2kFokTpsLycm+jQx3/nKKpD3aIR9U3cUimduxEj9G9w3LJ3VsCoxJ6yP5GZ9qtgclIdw6IYifWq01mz0YeX1fM06Jl0rvEjmcKr21qWCqx6C8a9J1E9+awG1zaww1abXA7gQAepDAdi154QPPCp5K8cMTQK3pyZgbonNLwOGaSMMQ4+N8ws6I2b+dJcNtae7C108tyXlUuDf5eJi59El5SL9p3xpH/vLyMRryciZvXH7eRB+O2QqwnW8H1xPImr128Og9ggeY90wTFvfDtTikb0fvUUZ0PJ5z+Q/d5FI95hA7wCD0Rj+IRj8q6qaXF91pUNgyQ1fhguxIQO6TNpVhz51RZ9J4j8IOV0dtProvm5bN98fzudbbpZ862D+nCg0dht/MePAqz4wJQOApTTIcyc6KjMEN0cLLA+xEo82gckBgHPmE4+tEINACZJHfGuYwhj4Uh8eMwBK8eBi8uGO2ufnt74fULKn1QUMVKfZUTbPnaqugXmGO5/VKtZC6295+BD8Qyu1GfQDztsexY9SQH1JM8lXpiPKLMmDPQjiwrC9d6KY24KnmjL2sIbvbiqWGEt1iIIEkORXhpGF8j9ATeiu0Dvne5hSPidRrVw5ziMeb0yTAff3cwjshfE+bB/ZhD/PnMgI+vvdmrBjxi9wJOGX1mwMc3tPg1A473g+ARw8eH/H8X8PHFZhfyViUvBsAH32v7zSkcMhvgzm14ll3/AkODX+ge9VK/2qT1hMhCOlm7udg6oS3XtdVF1e3ll9Ir9xVROwSYUjuKttCICT97+zCnjEVH3otNLzD1X+7tw8EY6afvxXYL82TXCqA9h/zriW4W7Al597V/GzXf/vMEffMP</diagram></mxfile>
--- a/docs/ci-cd.png
+++ b/docs/ci-cd.png
--- a/docs/gitops.drawio
+++ b/docs/gitops.drawio
--- a/docs/gitops.png
+++ b/docs/gitops.png
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,12 +1,16 @@
 {
  "name": "privacy.sexy",
-  "version": "0.1.0",
+  "version": "0.4.3",
  "private": true,
  "scripts": {
    "serve": "vue-cli-service serve",
    "build": "vue-cli-service build",
-    "lint": "vue-cli-service lint",
-    "test:unit": "vue-cli-service test:unit"
+    "lint:vue": "vue-cli-service lint --no-fix",
+    "lint:yaml": "yamllint **/*.yaml --ignore=node_modules/**/*.yaml",
+    "test:unit": "vue-cli-service test:unit",
+    "lint:md": "markdownlint **/*.md --ignore node_modules",
+    "lint:md:relative-urls": "remark . --frail --use remark-validate-links",
+    "lint:md:consistency": "remark . --frail --use remark-preset-lint-consistent"
  },
  "dependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.26",
@@ -24,19 +28,25 @@
    "vue-property-decorator": "^8.3.0"
  },
  "devDependencies": {
-    "@types/chai": "^4.2.7",
-    "@types/mocha": "^5.2.7",
    "@types/ace": "0.0.42",
+    "@types/chai": "^4.2.7",
    "@types/file-saver": "^2.0.1",
-    "@vue/cli-plugin-typescript": "^4.1.1",
+    "@types/mocha": "^5.2.7",
+    "@vue/cli-plugin-typescript": "^4.4.0",
    "@vue/cli-plugin-unit-mocha": "^4.1.1",
    "@vue/cli-service": "^4.1.1",
    "@vue/test-utils": "1.0.0-beta.30",
    "chai": "^4.2.0",
+    "js-yaml-loader": "^1.2.2",
+    "markdownlint-cli": "^0.23.1",
+    "remark-cli": "^8.0.0",
+    "remark-lint-no-dead-urls": "^1.0.2",
+    "remark-preset-lint-consistent": "^3.0.0",
+    "remark-validate-links": "^10.0.0",
    "sass": "^1.24.0",
    "sass-loader": "^8.0.0",
-    "js-yaml-loader": "^1.2.2",
    "typescript": "^3.7.4",
-    "vue-template-compiler": "^2.6.11"
+    "vue-template-compiler": "^2.6.11",
+    "yaml-lint": "^1.2.4"
  }
 }
--- a/src/application/Parser/ApplicationParser.ts
+++ b/src/application/Parser/ApplicationParser.ts
@@ -15,7 +15,7 @@ export function parseApplication(): Application {
    const app = new Application(
        applicationFile.name,
        applicationFile.repositoryUrl,
-        applicationFile.version,
+        process.env.VUE_APP_VERSION,
        categories);
    return app;
 }
--- a/src/application/State/ApplicationState.ts
+++ b/src/application/State/ApplicationState.ts
@@ -37,7 +37,7 @@ export class ApplicationState implements IApplicationState {
        /** Initially selected scripts */
        public readonly defaultScripts: Script[]) {
        this.selection = new UserSelection(app, defaultScripts);
-        this.code = new ApplicationCode(this.selection, app.version.toString());
+        this.code = new ApplicationCode(this.selection, app.version);
        this.filter = new UserFilter(app);
    }
 }
--- a/src/application/application.yaml
+++ b/src/application/application.yaml
@@ -1,5 +1,4 @@
 name: privacy.sexy
-version: 0.4.2
 repositoryUrl: https://github.com/undergroundwires/privacy.sexy
 actions:
    -
--- a/src/application/application.yaml.d.ts
+++ b/src/application/application.yaml.d.ts
@@ -19,7 +19,6 @@ declare module 'js-yaml-loader!*' {

    interface ApplicationYaml {
        name: string;
-        version: number;
        repositoryUrl: string;
        actions: ReadonlyArray<YamlCategory>;
    }
--- a/src/domain/Application.ts
+++ b/src/domain/Application.ts
@@ -12,11 +12,11 @@ export class Application implements IApplication {
    constructor(
        public readonly name: string,
        public readonly repositoryUrl: string,
-        public readonly version: number,
+        public readonly version: string,
        public readonly categories: ReadonlyArray<ICategory>) {
        if (!name) { throw Error('Application has no name'); }
        if (!repositoryUrl) { throw Error('Application has no repository url'); }
-        if (!version) { throw Error('Version cannot be zero'); }
+        if (!version) { throw Error('Version cannot be empty'); }
        this.flattened = flatten(categories);
        if (this.flattened.allCategories.length === 0) {
            throw new Error('Application must consist of at least one category');
--- a/src/domain/IApplication.ts
+++ b/src/domain/IApplication.ts
@@ -4,7 +4,7 @@ import { ICategory } from '@/domain/ICategory';
 export interface IApplication {
    readonly name: string;
    readonly repositoryUrl: string;
-    readonly version: number;
+    readonly version: string;
    readonly categories: ReadonlyArray<ICategory>;
    readonly totalScripts: number;
    readonly totalCategories: number;
--- a/tests/unit/domain/Application.spec.ts
+++ b/tests/unit/domain/Application.spec.ts
@@ -11,7 +11,7 @@ describe('Application', () => {
            new ScriptStub('S3').withIsRecommended(true),
            new ScriptStub('S4').withIsRecommended(true),
        ];
-        const sut = new Application('name', 'repo', 2, [
+        const sut = new Application('name', 'repo', '0.1.0', [
            new CategoryStub(3).withScripts(expected[0], new ScriptStub('S1').withIsRecommended(false)),
            new CategoryStub(2).withScripts(expected[1], new ScriptStub('S2').withIsRecommended(false)),
        ]);
@@ -28,7 +28,7 @@ describe('Application', () => {
        const categories = [];

        // act
-        function construct() { return new Application('name', 'repo', 2, categories); }
+        function construct() { return new Application('name', 'repo', '0.1.0', categories); }

        // assert
        expect(construct).to.throw('Application must consist of at least one category');
@@ -41,7 +41,7 @@ describe('Application', () => {
        ];

        // act
-        function construct() { return new Application('name', 'repo',  2, categories); }
+        function construct() { return new Application('name', 'repo',  '0.1.0', categories); }

        // assert
        expect(construct).to.throw('Application must consist of at least one script');
@@ -54,7 +54,7 @@ describe('Application', () => {
        ];

        // act
-        function construct() { return new Application('name', 'repo', 2, categories); }
+        function construct() { return new Application('name', 'repo', '0.1.0', categories); }

        // assert
        expect(construct).to.throw('Application must consist of at least one recommended script');
--- a/tests/unit/stubs/ApplicationStub.ts
+++ b/tests/unit/stubs/ApplicationStub.ts
@@ -5,7 +5,7 @@ export class ApplicationStub implements IApplication {
    public readonly totalCategories = 0;
    public readonly name = 'StubApplication';
    public readonly repositoryUrl = 'https://privacy.sexy';
-    public readonly version = 1;
+    public readonly version = '0.1.0';
    public readonly categories = new Array<ICategory>();

    public withCategory(category: ICategory): IApplication {
--- a/vue.config.js
+++ b/vue.config.js
@@ -0,0 +1 @@
+process.env.VUE_APP_VERSION = require('./package.json').version;
Author	SHA1	Message	Date
undergroundwires	4a91e8ccd8	automated using bump-everywhere + more quality checks (#8 ) - new workflows - linting commands & linted stuff - security checks & fixed audited vulnerabilities - updated documentation	2020-05-24 19:25:43 +01:00
undergroundwires	997be7113f	using deployment operations from aws-static-site-with-cd	2020-05-23 22:59:29 +01:00
undergroundwires	3e3bc07576	automatically increases patch number #5	2020-04-26 15:47:20 +00:00
undergroundwires	691f989682	reading version from package.json instead of version file #5	2020-04-26 15:47:20 +00:00
undergroundwires	226074c534	simplified heading	2020-04-26 15:47:20 +00:00
undergroundwires	97b7e03233	fixed broke link	2020-04-26 15:47:20 +00:00
undergroundwires	749a140eb8	removed redundant documentation	2020-04-26 15:47:20 +00:00
undergroundwires	4739a4ac40	Merge pull request #4 from undergroundwires/dependabot/npm_and_yarn/acorn-6.4.1 Bump acorn from 6.4.0 to 6.4.1	2020-04-05 16:58:59 +00:00
dependabot[bot]	4800340b9b	Bump acorn from 6.4.0 to 6.4.1 Bumps [acorn](https://github.com/acornjs/acorn) from 6.4.0 to 6.4.1. - [Release notes](https://github.com/acornjs/acorn/releases) - [Commits](https://github.com/acornjs/acorn/compare/6.4.0...6.4.1) Signed-off-by: dependabot[bot] <support@github.com>	2020-04-05 16:20:27 +00:00
				`@@ -1 +0,0 @@`
				<mxfile host="www.draw.io" modified="2019-12-27T14:40:11.720Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" etag="6t_Q0ZRAKXZ_lLm1WdcF" version="12.4.3" type="device" pages="1"><diagram id="pFg2tUHn5hOZkmQyf_J4" name="Page-1">7Vvtd6I4F/9r+lEOEMLLR23rzJzdme3qPLMvXzwUomaLxA2x1f3rnwSIEoIWFdqd3bXnKLmEJNz7u69Jb8DtavuBhuvlZxKj5MY24+0NuLux7SAA/FsQdgXBD8yCsKA4LkjWgTDFf6GSKLttcIwypSMjJGF4rRIjkqYoYgotpJS8qN3mJFFnXYcLpBGmUZjo1F9wzJblW0DzQP+I8GIpZ7bM8s4qlJ1LQrYMY/JSIYH7G3BLCWHF1Wp7ixLBO8mX4rnxkbv7hVGUsjYPfB19Hf0+Wf6+DcbR9Mtksvm2hANYjPIcJpvyhe/IKsQpp03QAmeMhrRcPttJnqwJThmi9898ZsFe6waM9m9n8kYcZksUl40lWyWyE6PkCd2ShFBOSUnKBxzNcZJI0o0NoCn+OD0JH1HyQDLMMEn5vQiJSfmNZ0QZ5hL6sdbhkTBGVpUOwwQvxA1G1pxKNizBKZ9dAkVMEpZd9oPz91iL11xtFwLPBpnPcYSMDNFn/psZVHJlVpL4M7okSuGIhaBthVRK5gMiK8Tojncp79qeXzxSqgmQ+H85gA66BWlZwRu0S6iXMF/sRz4ggV+UYDgDGJatIUPDASWbNN7L+WWJGZquQ8GSuxfOPFX2e0xYNZmXMFCxwYEQe8GjaXbDXslNyd1A564r9bTKXuCYffEXvM5fiUW8yo1UlZvNEH9VM3KdGoXR0yKXXYXb8/zDu+STDbN1RUdkY463QoKjcj13S8aEFR4KTtjjKE5tA3M7PMccFdSI+Iz2OA5ZyH8EPeO/4Sr8i6SD8CUbZAylEU4ENTea4y/8xrRQqtmUT4m55s0ist7NZsNfprPbhGxijkvfWKeLDjAxMA1gBpWP76kgcW0dJIGOEUm7BiJ/bp/idPL8FMApjNFk+8N6+/NA18CcBWNK+DvXsdJo3ea8Z0XG/G8s5h9x0xZjpNwLHHg3tiv37jDlAxX4SQkVHNBM9RCYI9iku3s0KZ7gQsOt2eiKHog3LIMGy5btkiuN2K3bd45Ehxv1jGxohD5FYj0j3iyu1F6R4P485343RslXrZJrAg1w0i1UASdpnQNON0lTTjJHm+gJdY841xwC4J2HONvzLMv91yAuA90gDToq0mDgGa7zvmDTI0+JM/OBJDjadQu45mDzCJ7Kzn87KB0JvHV4rQsOdgIexwlU8EDdTEHfkAMr0WkH0VMjeFwNPBOODsRJcnH/uca3NFRUcH8GOzJXAKjmyrGC97VVnh6JCXHw+DTMQfc5THlErCfKjcjrW+4NYgRGdFjvbFWsdmbrsPVgcHvKfHZhTmquCDiNrggYsCHUBj0J2NcEfJ/OCYc9z07cRMR7j1y67kJcffz69WGqiRrFCyS1S5gEsiBpmNwfqCM1Wz70+ZEIkeai+wMxtit1NtwwogqW85zufq02fhODGVA277bl4EVrV209IIo5rwRY7k4m1YW6n+BVmZawkC4Qe11pBGNO4oKiJGT4Wa23NUm4fPRBOMFKFO2qlRPoBgb0LMf2i29PHbB4vXKMarWsNqzt2IbFAed5rmfbZmB558xSMEebJcfm/tUvh6ulB08TFOdeKXsPZBZOTtZH7avg5baEl/028OKiNZQigQoDD14GL+Aq8PIDeHrcngEli0//smpUil4GOxTSgYhyko1YnyALfzSukAZm0GHdybUMT5U2MC3dATZUI72+wmlbz/xVbq4pfg6jnZGhrZ6XfWcGRkK7amFO7Y30bWGAr+ZXPN9SXIt7oQfbF7nLce2gBp++bYqjgSqf63vyUKdw8aqHclvip5SXaXCnUD5zLaQsqxdI2Y5v+JWBaoUB4LYC2JDScFfptt6j4piC1HZvHLuG12LE2tNyeDKfZ6gfhOtpA0/1GE43ZMPfx4zROiG6vbw+Edhi9qsM7vl1JQ3grUMWIBoyCejUgrbVAHCuBlhWYCuyHgTXKcQbgECPxT9gttw8fv8BlPlqAEUiJi8tUxj88SqkT4NFzoAuYya3VhFym6sGPQVNz2vPu/92v8tcb/fTty+TzAzmA0uT+08UL/KjE8MoQpmwAJ9i/s6YvUkt+9azgDX+59WyKUkOpScNMg3AOn7IwndUhwVB220Qx+kJRXri9TG8JEK6JCaqHtnh6o0jxVdUoGXmH9FrQ5/3hzgajXtnNaXjOnfCf0DLUVMrv5N4qn46B/r2ZQEUcLiP24dh/FsZ1gXtykjnBlB8veryPbdNACXPSfhNHO3UsTbKWk8fhkkizvMJcYbxu6QRHUK+IYa6APID0zDBlTGS3CSGgeF7PAfJt0UDUxW7C4Im5J6rAC6oQd6EhgUq9bVeFMDR9NdvowD9Y1zfx3wz69+XKQc6ro/j/xSubUv11t2kxrC2twi9GuTaIhlaavbrgnbllXOxq53daGe8Zf4kz3H2j2V9k3TyXmb6WLLbV6xyXBF62I/oagcCng5FeisWNns53RL+L0M6eN6ldtIleNq6/cLcdQ4fLZEOLoQPdKChhtqOC7jN5jmV5zqO67mB86YIatjDeAU95xxYF42HkPGENc0pttn2GPujz1l1QNFVCSw0a9Jr2DgKGmogltnBGeVmruvVr32U/kI5f/tU4b3a/la506UKnwTapQ7gEOFAt7YRuPfWV2q5452y7bB+jKa1zgNvf8xvd5jJdDzXCuR3K6V/yxjb1l3Lp+FnTuAOhmro/K8w17owF8Zxfiaw2TZ2Yu4CDW+O/p87jfW6vqq+tqdBphrQlkKtVtM6s3DmSQunVPOOV/C6Co1bm8YTHa+Ibq6SoYxtNYvwgfumtSZfDmDWlF80Ofma6s/9CEVRk4bWFXmF4zhPfpqiEtVltghM3jHWsM/XPHHaZv9vsIXZP/wvMbj/Pw==</diagram></mxfile>
				`@@ -0,0 +1 @@`
				`process.env.VUE_APP_VERSION = require('./package.json').version;`