@appliance.sh/api-server 1.6.0 → 1.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/api-server",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "description": "",
   "author": "Eliot Lim",
   "repository": "https://github.com/appliance-sh/appliance.sh",
@@ -23,9 +23,8 @@
     "@nestjs/common": "^11.0.1",
     "@nestjs/core": "^11.0.1",
     "@nestjs/platform-express": "^11.0.1",
-    "@aws-sdk/client-cloudformation": "^3.679.0",
-    "aws-cdk-lib": "^2.230.0",
-    "constructs": "^10.4.3",
+    "@pulumi/aws": "^7.15.0",
+    "@pulumi/pulumi": "^3.213.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1"
   },

package/src/app.module.ts

@@ -1,10 +1,10 @@
 import { Module } from '@nestjs/common';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
-import { ApplianceStackModule } from './cdk/appliance-stack.module';
+import { PulumiModule } from './pulumi/pulumi.module';
 
 @Module({
-  imports: [ApplianceStackModule],
+  imports: [PulumiModule],
   controllers: [AppController],
   providers: [AppService],
 })

package/src/pulumi/ApplianceStack.ts

@@ -0,0 +1,86 @@
+import * as pulumi from '@pulumi/pulumi';
+import * as aws from '@pulumi/aws';
+
+export interface ApplianceStackArgs {
+  tags?: Record<string, string>;
+}
+
+export interface ApplianceStackOpts extends pulumi.ComponentResourceOptions {
+  globalProvider: aws.Provider;
+  provider: aws.Provider;
+}
+
+export class ApplianceStack extends pulumi.ComponentResource {
+  lambdaRole: aws.iam.Role;
+  lambdaRolePolicy: aws.iam.Policy;
+  lambda: aws.lambda.Function;
+  lambdaUrl: aws.lambda.FunctionUrl;
+
+  constructor(name: string, args: ApplianceStackArgs, opts: ApplianceStackOpts) {
+    super('appliance:aws:ApplianceStack', name, args, opts);
+
+    const defaultOpts = { parent: this, provider: opts.provider };
+    const defaultTags = { stack: name, managed: 'appliance', ...args.tags };
+
+    this.lambdaRole = new aws.iam.Role(`${name}-role`, {
+      path: `/appliance/${name}/`,
+      assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: 'lambda.amazonaws.com' }),
+      tags: defaultTags,
+    });
+
+    this.lambdaRolePolicy = new aws.iam.Policy(`${name}-policy`, {
+      path: `/appliance/${name}/`,
+      policy: {
+        Version: '2012-10-17',
+        Statement: [{ Effect: 'Allow', Action: 'logs:CreateLogGroup', Resource: '*' }],
+      },
+    });
+
+    new aws.iam.RolePolicyAttachment(`${name}-role-policy-attachment`, {
+      role: this.lambdaRole.name,
+      policyArn: this.lambdaRolePolicy.arn,
+    });
+
+    this.lambda = new aws.lambda.CallbackFunction(
+      `${name}-handler`,
+      {
+        runtime: 'nodejs22.x',
+        callback: async () => {
+          return { statusCode: 200, body: JSON.stringify({ message: 'Hello world!' }) };
+        },
+        tags: defaultTags,
+      },
+      defaultOpts
+    );
+
+    // lambda url
+    this.lambdaUrl = new aws.lambda.FunctionUrl(
+      `${name}-url`,
+      {
+        functionName: this.lambda.name,
+        authorizationType: 'NONE',
+      },
+      defaultOpts
+    );
+
+    new aws.lambda.Permission(`${name}-url-invoke-url-permission`, {
+      function: this.lambda.name,
+      action: 'lambda:InvokeFunctionUrl',
+      principal: '*',
+      functionUrlAuthType: 'NONE',
+      statementId: 'FunctionURLAllowPublicAccess',
+    });
+
+    new aws.lambda.Permission(`${name}-url-invoke-lambda-permission`, {
+      function: this.lambda.name,
+      action: 'lambda:InvokeFunction',
+      principal: '*',
+      statementId: 'FunctionURLAllowInvokeAction',
+    });
+
+    this.registerOutputs({
+      lambda: this.lambda,
+      lambdaUrl: this.lambdaUrl,
+    });
+  }
+}

package/src/pulumi/pulumi.controller.ts

@@ -0,0 +1,19 @@
+import { Controller, HttpCode, Post } from '@nestjs/common';
+import { PulumiService } from './pulumi.service';
+
+@Controller('infra')
+export class PulumiController {
+  constructor(private readonly pulumi: PulumiService) {}
+
+  @Post('deploy')
+  @HttpCode(200)
+  async deploy() {
+    return await this.pulumi.deploy();
+  }
+
+  @Post('destroy')
+  @HttpCode(200)
+  async destroy() {
+    return await this.pulumi.destroy();
+  }
+}

package/src/pulumi/pulumi.module.ts

@@ -0,0 +1,9 @@
+import { Module } from '@nestjs/common';
+import { PulumiService } from './pulumi.service';
+import { PulumiController } from './pulumi.controller';
+
+@Module({
+  providers: [PulumiService],
+  controllers: [PulumiController],
+})
+export class PulumiModule {}

package/src/pulumi/pulumi.service.ts

@@ -0,0 +1,127 @@
+import { Injectable, Logger } from '@nestjs/common';
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import * as auto from '@pulumi/pulumi/automation';
+import * as aws from '@pulumi/aws';
+import { ApplianceStack } from './ApplianceStack';
+
+export type PulumiAction = 'deploy' | 'destroy';
+
+export interface PulumiResult {
+  action: PulumiAction;
+  ok: boolean;
+  idempotentNoop: boolean;
+  message: string;
+  stackName: string;
+}
+
+@Injectable()
+export class PulumiService {
+  private readonly logger = new Logger(PulumiService.name);
+  private readonly region = process.env.AWS_REGION || 'us-east-1';
+  private readonly backendDir = this.ensureDir(path.resolve(__dirname, '../../.pulumi-state'));
+  private readonly projectName = 'appliance-api-managed-proj';
+
+  private ensureDir(dir: string): string {
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    return dir;
+  }
+
+  private inlineProgram() {
+    return async () => {
+      const name = 'appliance';
+      const regionalProvider = new aws.Provider(`${name}-regional`, {
+        region: 'ap-southeast-1',
+      });
+      const globalProvider = new aws.Provider(`${name}-global`, {
+        region: 'us-east-1',
+      });
+
+      const applianceStack = new ApplianceStack(
+        `${name}-stack`,
+        {
+          tags: { project: name },
+        },
+        {
+          globalProvider,
+          provider: regionalProvider,
+        }
+      );
+
+      const bucket = new aws.s3.Bucket('dummy-bucket', {
+        forceDestroy: true,
+        versioning: { enabled: true },
+        tags: { app: 'appliance-api' },
+      });
+      return {
+        applianceStack,
+        bucketName: bucket.bucket,
+      };
+    };
+  }
+
+  private async getOrCreateStack(stackName: string): Promise<auto.Stack> {
+    const program = this.inlineProgram();
+    const envVars: Record<string, string> = {
+      PULUMI_BACKEND_URL: 'file://' + this.backendDir,
+      AWS_REGION: this.region,
+    };
+    const stack = await auto.LocalWorkspace.createOrSelectStack(
+      { projectName: this.projectName, stackName, program },
+      { envVars }
+    );
+    await stack.setConfig('aws:region', { value: this.region });
+    return stack;
+  }
+
+  private async selectExistingStack(stackName: string): Promise<auto.Stack> {
+    const envVars: Record<string, string> = {
+      PULUMI_BACKEND_URL: 'file://' + this.backendDir,
+      AWS_REGION: this.region,
+    };
+    const ws = await auto.LocalWorkspace.create({
+      projectSettings: { name: this.projectName, runtime: 'nodejs' },
+      envVars,
+    });
+
+    return auto.Stack.createOrSelect(stackName, ws);
+  }
+
+  async deploy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
+    const stack = await this.getOrCreateStack(stackName);
+    const result = await stack.up({ onOutput: (m) => this.logger.log(m) });
+    const changes = result.summary.resourceChanges || {};
+    const totalChanges = Object.entries(changes)
+      .filter(([k]) => k !== 'same')
+      .reduce((acc, [, v]) => acc + (v || 0), 0);
+    const idempotentNoop = totalChanges === 0;
+    return {
+      action: 'deploy',
+      ok: true,
+      idempotentNoop,
+      message: idempotentNoop ? 'No changes (idempotent)' : 'Stack updated',
+      stackName,
+    };
+  }
+
+  async destroy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
+    try {
+      const stack = await this.selectExistingStack(stackName);
+      await stack.destroy({ onOutput: (m) => this.logger.log(m) });
+      return { action: 'destroy', ok: true, idempotentNoop: false, message: 'Stack resources deleted', stackName };
+    } catch (e) {
+      if (!(e instanceof Error)) throw e;
+      const msg = String(e?.message || e);
+      if (msg.includes('no stack named') || msg.includes('not found')) {
+        return {
+          action: 'destroy',
+          ok: true,
+          idempotentNoop: true,
+          message: 'Stack not found (idempotent)',
+          stackName,
+        };
+      }
+      throw e;
+    }
+  }
+}

package/src/cdk/appliance-stack-aws-cdk.service.ts

@@ -1,131 +0,0 @@
-import { Injectable, Logger } from '@nestjs/common';
-import * as cdk from 'aws-cdk-lib';
-import { ApplianceStack } from './appliance-stack';
-import { mkdtempSync, readFileSync, rmSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import * as path from 'node:path';
-import {
-  CloudFormationClient,
-  CreateStackCommand,
-  DeleteStackCommand,
-  DescribeStacksCommand,
-  UpdateStackCommand,
-} from '@aws-sdk/client-cloudformation';
-import {
-  waitUntilStackCreateComplete,
-  waitUntilStackUpdateComplete,
-  waitUntilStackDeleteComplete,
-} from '@aws-sdk/client-cloudformation';
-
-export type CdkAction = 'deploy' | 'destroy';
-
-export interface CdkResult {
-  action: CdkAction;
-  ok: boolean;
-  idempotentNoop: boolean;
-  message: string;
-  stackName: string;
-}
-
-@Injectable()
-export class ApplianceStackAwsCdkService {
-  private readonly logger = new Logger(ApplianceStackAwsCdkService.name);
-  private readonly region = process.env.AWS_REGION || 'us-east-1';
-
-  private client(): CloudFormationClient {
-    return new CloudFormationClient({ region: this.region });
-  }
-
-  private synthTemplate(stackName: string): { templateBody: string; outdir: string } {
-    const outdir = mkdtempSync(path.join(tmpdir(), 'appliance-cdk-'));
-    const app = new cdk.App({ outdir });
-    new ApplianceStack(app, stackName, {});
-    const assembly = app.synth();
-    const artifact = assembly.getStackByName(stackName);
-    const templatePath = path.join(assembly.directory, artifact.templateFile);
-    const templateBody = readFileSync(templatePath, 'utf-8');
-    return { templateBody, outdir: assembly.directory };
-  }
-
-  async deploy(stackName = 'appliance-api-managed'): Promise<CdkResult> {
-    const { templateBody, outdir } = this.synthTemplate(stackName);
-    try {
-      // Does stack exist?
-      const cf = this.client();
-      const exists = await this.stackExists(cf, stackName);
-      if (!exists) {
-        await cf.send(
-          new CreateStackCommand({
-            StackName: stackName,
-            TemplateBody: templateBody,
-            Capabilities: ['CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
-          })
-        );
-        await waitUntilStackCreateComplete(
-          { client: cf, maxWaitTime: 30 * 60, minDelay: 5, maxDelay: 20 },
-          { StackName: stackName }
-        );
-        return { action: 'deploy', ok: true, idempotentNoop: false, message: 'Stack created', stackName };
-      }
-
-      try {
-        await cf.send(
-          new UpdateStackCommand({
-            StackName: stackName,
-            TemplateBody: templateBody,
-            Capabilities: ['CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
-          })
-        );
-        await waitUntilStackUpdateComplete(
-          { client: cf, maxWaitTime: 30 * 60, minDelay: 5, maxDelay: 20 },
-          { StackName: stackName }
-        );
-        return { action: 'deploy', ok: true, idempotentNoop: false, message: 'Stack updated', stackName };
-      } catch (e) {
-        if (
-          e instanceof Error &&
-          typeof e?.message === 'string' &&
-          e.message.includes('No updates are to be performed')
-        ) {
-          return { action: 'deploy', ok: true, idempotentNoop: true, message: 'No changes (idempotent)', stackName };
-        }
-        throw e;
-      }
-    } finally {
-      // cleanup synth output
-      try {
-        rmSync(outdir, { recursive: true, force: true });
-      } catch {
-        // ignore
-      }
-    }
-  }
-
-  async destroy(stackName = 'appliance-api-managed'): Promise<CdkResult> {
-    const cf = this.client();
-    const exists = await this.stackExists(cf, stackName);
-    if (!exists) {
-      return { action: 'destroy', ok: true, idempotentNoop: true, message: 'Stack not found (idempotent)', stackName };
-    }
-    await cf.send(new DeleteStackCommand({ StackName: stackName }));
-    await waitUntilStackDeleteComplete(
-      { client: cf, maxWaitTime: 30 * 60, minDelay: 5, maxDelay: 20 },
-      { StackName: stackName }
-    );
-    return { action: 'destroy', ok: true, idempotentNoop: false, message: 'Stack deleted', stackName };
-  }
-
-  private async stackExists(cf: CloudFormationClient, stackName: string): Promise<boolean> {
-    try {
-      const res = await cf.send(new DescribeStacksCommand({ StackName: stackName }));
-      return !!res.Stacks && res.Stacks.length > 0;
-    } catch (e) {
-      if (!(e instanceof Error)) throw e;
-      const code = e?.name;
-      const message = e?.message || '';
-      if (code === 'ValidationError' && message.includes('does not exist')) return false;
-      if (message.includes('does not exist')) return false;
-      throw e;
-    }
-  }
-}

package/src/cdk/appliance-stack.controller.ts

@@ -1,19 +0,0 @@
-import { Controller, HttpCode, Post } from '@nestjs/common';
-import { ApplianceStackAwsCdkService } from './appliance-stack-aws-cdk.service';
-
-@Controller('infra')
-export class ApplianceStackController {
-  constructor(private readonly cdk: ApplianceStackAwsCdkService) {}
-
-  @Post('deploy')
-  @HttpCode(200)
-  async deploy() {
-    return await this.cdk.deploy();
-  }
-
-  @Post('destroy')
-  @HttpCode(200)
-  async destroy() {
-    return await this.cdk.destroy();
-  }
-}

package/src/cdk/appliance-stack.module.ts

@@ -1,9 +0,0 @@
-import { Module } from '@nestjs/common';
-import { ApplianceStackAwsCdkService } from './appliance-stack-aws-cdk.service';
-import { ApplianceStackController } from './appliance-stack.controller';
-
-@Module({
-  providers: [ApplianceStackAwsCdkService],
-  controllers: [ApplianceStackController],
-})
-export class ApplianceStackModule {}

package/src/cdk/appliance-stack.ts

@@ -1,35 +0,0 @@
-import * as cdk from 'aws-cdk-lib';
-import { Construct } from 'constructs';
-
-export class ApplianceStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
-    super(scope, id, props);
-
-    // Simple dummy resource: S3 bucket with a stable logical ID
-    const bucket = new cdk.aws_s3.Bucket(this, 'DummyBucket', {
-      versioned: true,
-      removalPolicy: cdk.RemovalPolicy.DESTROY,
-      // autoDeleteObjects: true,
-    });
-
-    const lambdaUrl = new cdk.aws_lambda.Function(this, 'DummyLambda', {
-      runtime: cdk.aws_lambda.Runtime.NODEJS_24_X,
-      handler: 'index.handler',
-      code: cdk.aws_lambda.Code.fromInline('exports.handler = async () => "Hello World!";'),
-    });
-
-    const fnUrl = lambdaUrl.addFunctionUrl({
-      authType: cdk.aws_lambda.FunctionUrlAuthType.AWS_IAM,
-    });
-
-    const fnDistribution = new cdk.aws_cloudfront.Distribution(this, 'DummyDistribution', {
-      defaultBehavior: {
-        origin: cdk.aws_cloudfront_origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl),
-      },
-    });
-
-    new cdk.CfnOutput(this, 'BucketName', { value: bucket.bucketName });
-    new cdk.CfnOutput(this, 'FunctionUrl', { value: fnUrl.url });
-    new cdk.CfnOutput(this, 'Distribution', { value: fnDistribution.distributionDomainName });
-  }
-}