@appliance.sh/api-server 1.13.0 → 1.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/api-server",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "description": "",
   "author": "Eliot Lim",
   "repository": "https://github.com/appliance-sh/appliance.sh",

package/src/pulumi/ApplianceStack.ts

@@ -1,13 +1,18 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as aws from '@pulumi/aws';
+import * as awsNative from '@pulumi/aws-native';
+import { ApplianceBaseConfig } from '@appliance.sh/sdk';
 
 export interface ApplianceStackArgs {
   tags?: Record<string, string>;
+  config: ApplianceBaseConfig;
 }
 
 export interface ApplianceStackOpts extends pulumi.ComponentResourceOptions {
   globalProvider: aws.Provider;
   provider: aws.Provider;
+  nativeProvider: awsNative.Provider;
+  nativeGlobalProvider: awsNative.Provider;
 }
 
 export class ApplianceStack extends pulumi.ComponentResource {
@@ -15,11 +20,13 @@ export class ApplianceStack extends pulumi.ComponentResource {
   lambdaRolePolicy: aws.iam.Policy;
   lambda: aws.lambda.Function;
   lambdaUrl: aws.lambda.FunctionUrl;
+  dnsRecord: pulumi.Output<string>;
 
   constructor(name: string, args: ApplianceStackArgs, opts: ApplianceStackOpts) {
     super('appliance:aws:ApplianceStack', name, args, opts);
 
     const defaultOpts = { parent: this, provider: opts.provider };
+    const defaultNativeOpts = { parent: this, provider: opts.nativeProvider };
     const defaultTags = { stack: name, managed: 'appliance', ...args.tags };
 
     this.lambdaRole = new aws.iam.Role(`${name}-role`, {
@@ -58,25 +65,96 @@ export class ApplianceStack extends pulumi.ComponentResource {
       `${name}-url`,
       {
         functionName: this.lambda.name,
-        authorizationType: 'NONE',
+        authorizationType: args.config.aws.cloudfrontDistributionId ? 'AWS_IAM' : 'NONE',
       },
       defaultOpts
     );
 
-    new aws.lambda.Permission(`${name}-url-invoke-url-permission`, {
-      function: this.lambda.name,
-      action: 'lambda:InvokeFunctionUrl',
-      principal: '*',
-      functionUrlAuthType: 'NONE',
-      statementId: 'FunctionURLAllowPublicAccess',
-    });
+    this.dnsRecord = pulumi.interpolate`${name}.${args.config.domainName ?? ''}`;
 
-    new aws.lambda.Permission(`${name}-url-invoke-lambda-permission`, {
-      function: this.lambda.name,
-      action: 'lambda:InvokeFunction',
-      principal: '*',
-      statementId: 'FunctionURLAllowInvokeAction',
-    });
+    if (args.config.aws.cloudfrontDistributionId) {
+      new aws.lambda.Permission(`${name}-url-invoke-url-permission`, {
+        function: this.lambda.name,
+        action: 'lambda:InvokeFunctionUrl',
+        principal: 'cloudfront.amazonaws.com',
+        functionUrlAuthType: 'AWS_IAM',
+        sourceArn: pulumi.interpolate`arn:aws:cloudfront::${
+          aws.getCallerIdentityOutput({}, { provider: opts.provider }).accountId
+        }:distribution/${args.config.aws.cloudfrontDistributionId}`,
+        statementId: 'FunctionURLAllowCloudFrontAccess',
+      });
+
+      // Grant the edge router role permission to invoke the Lambda Function URL
+      // The edge router role is the execution role of the Lambda@Edge function that signs requests
+      if (args.config.aws.edgeRouterRoleArn) {
+        new aws.lambda.Permission(`${name}-invoke-url-edge-router-permission`, {
+          function: this.lambda.name,
+          action: 'lambda:InvokeFunctionUrl',
+          principal: args.config.aws.edgeRouterRoleArn,
+          functionUrlAuthType: 'AWS_IAM',
+          statementId: 'FunctionURLAllowEdgeRouterRoleAccess',
+        });
+
+        new awsNative.lambda.Permission(
+          `${name}-invoke-edge-router-permission`,
+          {
+            action: 'lambda:InvokeFunction',
+            principal: args.config.aws.edgeRouterRoleArn,
+            functionName: this.lambda.name,
+            invokedViaFunctionUrl: true,
+          },
+          defaultNativeOpts
+        );
+      }
+    } else {
+      new aws.lambda.Permission(`${name}-url-invoke-url-permission`, {
+        function: this.lambda.name,
+        action: 'lambda:InvokeFunctionUrl',
+        principal: '*',
+        functionUrlAuthType: 'NONE',
+        statementId: 'FunctionURLAllowPublicAccess',
+      });
+    }
+
+    if (args.config.aws.cloudfrontDistributionId && args.config.aws.cloudfrontDistributionDomainName) {
+      new awsNative.lambda.Permission(
+        `${name}-url-invoke-lambda-native-permission`,
+        {
+          action: 'lambda:InvokeFunction',
+          principal: 'cloudfront.amazonaws.com',
+          sourceArn: pulumi.interpolate`arn:aws:cloudfront::${
+            aws.getCallerIdentityOutput({}, { provider: opts.provider }).accountId
+          }:distribution/${args.config.aws.cloudfrontDistributionId}`,
+          functionName: this.lambda.name,
+          invokedViaFunctionUrl: true,
+        },
+        defaultNativeOpts
+      );
+
+      new aws.route53.Record(
+        `${name}-cname-record`,
+        {
+          zoneId: args.config.aws.zoneId,
+          name: pulumi.interpolate`${name}.${args.config.domainName ?? ''}`,
+          type: 'CNAME',
+          ttl: 60,
+          records: [args.config.aws.cloudfrontDistributionDomainName],
+        },
+        { parent: this, provider: opts.globalProvider }
+      );
+
+      new aws.route53.Record(
+        `${name}-txt-record`,
+        {
+          zoneId: args.config.aws.zoneId,
+          name: pulumi.interpolate`origin.${name}.${args.config.domainName ?? ''}`,
+          type: 'TXT',
+          ttl: 60,
+          records: [this.lambdaUrl.functionUrl],
+        },
+        { parent: this, provider: opts.globalProvider }
+      );
+    }
 
     this.registerOutputs({
       lambda: this.lambda,

package/src/pulumi/pulumi.service.ts

@@ -1,6 +1,7 @@
 import { Injectable, Logger } from '@nestjs/common';
 import * as auto from '@pulumi/pulumi/automation';
 import * as aws from '@pulumi/aws';
+import * as awsNative from '@pulumi/aws-native';
 import { ApplianceStack } from './ApplianceStack';
 import { applianceBaseConfig } from '@appliance.sh/sdk';
 
@@ -17,31 +18,46 @@ export interface PulumiResult {
 @Injectable()
 export class PulumiService {
   private readonly logger = new Logger(PulumiService.name);
-  private readonly region = process.env.AWS_REGION || 'us-east-1';
   private readonly projectName = 'appliance-api-managed-proj';
 
   private readonly baseConfig = process.env.APPLIANCE_BASE_CONFIG
     ? applianceBaseConfig.parse(JSON.parse(process.env.APPLIANCE_BASE_CONFIG))
     : undefined;
+  private readonly region = this.baseConfig?.aws.region || 'us-east-1';
 
   private inlineProgram() {
     return async () => {
       const name = 'appliance';
+
+      if (!this.baseConfig) {
+        throw new Error('Missing base config');
+      }
+
       const regionalProvider = new aws.Provider(`${name}-regional`, {
-        region: this.baseConfig?.region ?? 'ap-southeast-1',
+        region: (this.baseConfig?.aws.region as aws.Region) ?? 'ap-southeast-1',
       });
       const globalProvider = new aws.Provider(`${name}-global`, {
         region: 'us-east-1',
       });
+      const nativeRegionalProvider = new awsNative.Provider(`${name}-native-regional`, {
+        region: (this.baseConfig?.aws.region as awsNative.Region) ?? 'ap-southeast-1',
+      });
+
+      const nativeGlobalProvider = new awsNative.Provider(`${name}-native-global`, {
+        region: 'us-east-1',
+      });
 
       const applianceStack = new ApplianceStack(
         `${name}-stack`,
         {
           tags: { project: name },
+          config: this.baseConfig,
         },
         {
           globalProvider,
           provider: regionalProvider,
+          nativeProvider: nativeRegionalProvider,
+          nativeGlobalProvider: nativeGlobalProvider,
         }
       );
 
@@ -67,7 +83,7 @@ export class PulumiService {
       { projectName: this.projectName, stackName, program },
       { envVars }
     );
-    await stack.setConfig('aws:region', { value: this.region });
+    await stack.setConfig('aws:region', { value: this.baseConfig.aws.region });
     return stack;
   }