@agilecustoms/envctl 0.38.3 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -24,35 +24,38 @@ npm view @agilecustoms/envctl version # show latest version available (without i
24
24
 
25
25
  1. Login in npmjs.com
26
26
  2. Create organization "agilecustoms" this will create scope `@agilecustoms` (one org => exactly one scope, also scope can be created w/o org)
27
- 3. Go to your user > Access Tokens > Generate New Token > Granular Access Token
28
- 1. Token name: `agilecustoms-ci`
29
- 2. Packages and scopes
30
- 1. Permissions: Read and write
31
- 2. Only select packages and scopes: `@agilecustoms`
32
- 3. Organizations (keep as is)
33
- 4. Save token in repo Settings > Environments > release > Environment secrets > Add environment secret
34
- 1. Name `NPMJS_TOKEN`
35
- 2. Repository access: `envctl` only
27
+ 3. How to add a package first time?
28
+ 4. Configure [Trusted publishing for npm packages](https://docs.npmjs.com/trusted-publishers)
29
+ 1. Navigate to package [settings](https://www.npmjs.com/package/@agilecustoms/envctl/access)
30
+ 2. Pick GitHub Actions
31
+ 1. Organization or user: `agilecustoms`
32
+ 2. Repository: `envctl`
33
+ 3. Workflow filename: `build.yml`
34
+ 4. Environment name: `release`
35
+ 5. "Set up connection"
36
+ 5. In GH workflow job use `permissions: id-token: write` and release action with input `npm-publish: true`
36
37
 
37
38
  ## History/motivation
38
39
 
39
40
  `env-api` is a microservice hosted in 'maintenance' account and working as garbage collector: every environment first
40
41
  created in `env-api` and then 'managed' by `env-api`: it deletes env when it is not in use anymore OR can extend lifetime.
41
- Creation API yields unique ID, so you can safely manage env (delete, extend lifetime) via this ID. But creation API
42
- needs to be secured. There are two main use cases:
42
+ Creation API yields unique ID, so you can safely extend lifetime via this ID
43
+
44
+ ### Authorization
45
+
46
+ There are two main use cases:
43
47
  1. create an environment from CI (mainly ephemeral envs)
44
48
  2. create env from a dev machine
45
49
 
46
- I (Alex C) have chosen IAM authorization as a common denominator:
47
- 1. on CI use OIDC to assume a role `/ci/deployer`
48
- 2. on dev machine — use SSO and profile chaining to assume role `/ci/deployer`
50
+ Originally I (Alex C) have chosen IAM authorization (`/ci/deployer` on pipeline via OIDC, `/developer` on dev machine via SSO)
51
+ Then (Feb 2026) I reworked it to use API keys
49
52
 
50
- Then as `/ci/deployer` --call--> `env-api` HTTP API (exposed with API Gateway with IAM authorizer)
53
+ ### Distribution
51
54
 
52
- Now the problem is: any request needs to be signed with AWS signature v4. Originally I planned to use bash scripts, but it
53
- quickly became bulky and hard to maintain. Then I thought about Node.js - it is available on dev machines and
54
- in GitHub actions (namely in Ubuntu runners). How to distribute it? First I thought about using `ncc` to bundle in one
55
- big .js file (as I do for `publish-s3` and `gha-healthcheck`) but it will be hard to use on dev machine...
55
+ Originally I planned to use bash scripts, but it quickly became bulky and hard to maintain.
56
+ Then I thought about Node.js - it is available on dev machines and in GitHub actions (namely in Ubuntu runners).
57
+ How to distribute it? First I thought about using `ncc` to bundle in one big .js file
58
+ (as I do for `publish-s3` and `gha-healthcheck`) but it will be hard to use on dev machine...
56
59
 
57
60
  So I ended up publishing this client as an npm package in npmjs
58
61
  - CI environments can install it via GH action `agilecustoms/envctl`
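Review bot: `+ 3. How to add a package first time?` is left as a bare question with no answer, and item 4 then starts the trusted-publishing procedure, so the numbered list reads as though step 3 is missing; either turn it into the lead-in for steps 4 and 5 (for example `3. Adding a package for the first time: configure trusted publishing as follows`) or drop it. Two follow-ups on the same hunk: the removed steps (`Generate New Token > Granular Access Token`, secret `NPMJS_TOKEN` in the `release` environment) should be paired with a step to revoke the `agilecustoms-ci` token and delete the `NPMJS_TOKEN` environment secret, otherwise the long-lived write token remains a second publishing path next to OIDC; and `permissions: id-token: write` belongs on the publishing job only, not at workflow level, because every job granted it can mint an OIDC token carrying this repository/workflow/environment claim set. Lastly, `Then (Feb 2026) I reworked it to use API keys` replaces the IAM/SigV4 description but says nothing about how keys are issued, stored on CI versus a dev machine, or rotated; the new Authorization section should state that, since the two use cases listed right above it are the whole reason the section exists.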
@@ -6,6 +6,7 @@ const RETRYABLE_ERRORS = [
6
6
  'ConcurrentModificationException',
7
7
  'public policies are blocked by the BlockPublicPolicy block public access setting',
8
8
  'operation error Lambda: AddPermission, https response error StatusCode: 404',
9
+ `because public policies are prevented by the BlockPublicPolicy setting in S3 Block Public Access`
9
10
  ];
10
11
  export class TerraformAdapter {
11
12
  processRunner;
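Review bot: the new entry duplicates the intent of the existing line `'public policies are blocked by the BlockPublicPolicy block public access setting'` with a second wording, and switches from single quotes to a template literal (`` `because public policies are prevented by the BlockPublicPolicy setting in S3 Block Public Access` ``) for no visible reason; keep the quoting consistent with the other three entries and consider whether one shorter substring such as `BlockPublicPolicy` would cover both messages (that depends on how `RETRYABLE_ERRORS` is matched, which is not in this hunk). A comment next to the entry would also help: retrying this error only pays off while a bucket-level Block Public Access change is still propagating; if the block comes from the account-level setting the policy put will never succeed and the retry loop only delays the failure, so the retry cap and the final error message matter here.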
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@agilecustoms/envctl",
3
3
  "description": "node.js CLI client for manage environments",
4
- "version": "0.38.3",
4
+ "version": "1.1.0",
5
5
  "author": "Alex Chekulaev",
6
6
  "type": "module",
7
7
  "engines": {
@@ -12,7 +12,6 @@
12
12
  },
13
13
  "files": [
14
14
  "dist/",
15
- "scripts/",
16
15
  "package.json"
17
16
  ],
18
17
  "repository": {