@appliance.sh/infra 1.13.0 → 1.14.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/infra",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "description": "Deploy the Appliance Infrastructure",
   "repository": "https://github.com/appliance-sh/appliance.sh",
   "license": "MIT",

package/src/lib/aws/ApplianceBaseAwsPublic.ts

@@ -1,6 +1,5 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as aws from '@pulumi/aws';
-import * as awsNative from '@pulumi/aws-native';
 
 import { ApplianceBaseConfigInput, ApplianceBaseType } from '@appliance.sh/sdk';
 
@@ -170,6 +169,193 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
       { parent: this, provider: opts?.globalProvider }
     );
 
+    const edgeRouterRole = new aws.iam.Role(
+      `${name}-edge-router-role`,
+      {
+        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
+          Service: ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'],
+        }),
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
+    new aws.iam.RolePolicyAttachment(
+      `${name}-edge-router-role-logging`,
+      {
+        role: edgeRouterRole.name,
+        policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
+    const edgeFunction = new aws.lambda.CallbackFunction(
+      `${name.replaceAll('.', '-')}-edge-router`,
+      {
+        role: edgeRouterRole,
+        runtime: 'nodejs22.x',
+        timeout: 5,
+        publish: true,
+        loggingConfig: {
+          logGroup: `/appliance/base/${name}/edge-router-logs`,
+          logFormat: 'Text',
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        callback: async (event: any) => {
+          const request = event.Records[0].cf.request;
+          const headers = request.headers;
+          const host = headers.host[0].value;
+
+          // eslint-disable-next-line @typescript-eslint/no-require-imports
+          const dns = require('dns').promises;
+          // eslint-disable-next-line @typescript-eslint/no-require-imports
+          const crypto = require('crypto');
+
+          let originUrl: URL;
+          let signatureRequired = false;
+          try {
+            const txtRecords = await dns.resolveTxt(`origin.${host}`);
+            const functionUrl = txtRecords[0][0];
+            originUrl = new URL(functionUrl);
+            signatureRequired = true;
+          } catch (e) {
+            console.error(`Failed to resolve TXT record for origin.${host}`, e);
+            originUrl = new URL(lambdaOriginFunctionUrl.functionUrl.get());
+          }
+
+          if (signatureRequired) {
+            // Extract the region from the Lambda Function URL hostname
+            // Format: <function-id>.lambda-url.<region>.on.aws
+            const hostnameParts = originUrl.hostname.split('.');
+            const regionIndex = hostnameParts.indexOf('lambda-url');
+            const targetRegion =
+              regionIndex >= 0 && hostnameParts[regionIndex + 1] ? hostnameParts[regionIndex + 1] : 'us-east-1';
+
+            // Helper functions for SigV4 signing
+            const sha256 = (data: string | Buffer) => crypto.createHash('sha256').update(data).digest();
+            const hmacSha256 = (key: Buffer | string, data: string) =>
+              crypto.createHmac('sha256', key).update(data).digest();
+            const toHex = (buffer: Buffer) => buffer.toString('hex');
+
+            const getSignatureKey = (secretKey: string, dateStamp: string, regionName: string, serviceName: string) => {
+              const kDate = hmacSha256(`AWS4${secretKey}`, dateStamp);
+              const kRegion = hmacSha256(kDate, regionName);
+              const kService = hmacSha256(kRegion, serviceName);
+              const kSigning = hmacSha256(kService, 'aws4_request');
+              return kSigning;
+            };
+
+            // Sign the request using SigV4
+            // Get credentials from environment (Lambda@Edge has access to execution role credentials)
+            const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+            const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
+            const sessionToken = process.env.AWS_SESSION_TOKEN;
+
+            if (accessKeyId && secretAccessKey) {
+              const method = request.method;
+              const service = 'lambda';
+              const canonicalUri = request.uri || '/';
+              const canonicalQuerystring = request.querystring || '';
+
+              const now = new Date();
+              const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, '');
+              const dateStamp = amzDate.substring(0, 8);
+
+              // Create canonical headers
+              const payloadHash = toHex(
+                sha256(request.body?.data ? Buffer.from(request.body.data, request.body.encoding || 'base64') : '')
+              );
+
+              const canonicalHeaders =
+                `host:${originUrl.hostname}\n` +
+                `x-amz-content-sha256:${payloadHash}\n` +
+                `x-amz-date:${amzDate}\n` +
+                (sessionToken ? `x-amz-security-token:${sessionToken}\n` : '');
+
+              const signedHeaders = sessionToken
+                ? 'host;x-amz-content-sha256;x-amz-date;x-amz-security-token'
+                : 'host;x-amz-content-sha256;x-amz-date';
+
+              const canonicalRequest = [
+                method,
+                canonicalUri,
+                canonicalQuerystring,
+                canonicalHeaders,
+                signedHeaders,
+                payloadHash,
+              ].join('\n');
+
+              const algorithm = 'AWS4-HMAC-SHA256';
+              const credentialScope = `${dateStamp}/${targetRegion}/${service}/aws4_request`;
+              const stringToSign = [algorithm, amzDate, credentialScope, toHex(sha256(canonicalRequest))].join('\n');
+
+              const signingKey = getSignatureKey(secretAccessKey, dateStamp, targetRegion, service);
+              const signature = toHex(hmacSha256(signingKey, stringToSign));
+
+              const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+
+              // Add SigV4 headers to the request
+              request.headers['authorization'] = [{ key: 'Authorization', value: authorizationHeader }];
+              request.headers['x-amz-date'] = [{ key: 'X-Amz-Date', value: amzDate }];
+              request.headers['x-amz-content-sha256'] = [{ key: 'X-Amz-Content-Sha256', value: payloadHash }];
+              if (sessionToken) {
+                request.headers['x-amz-security-token'] = [{ key: 'X-Amz-Security-Token', value: sessionToken }];
+              }
+            }
+          }
+
+          request.origin = {
+            custom: {
+              domainName: originUrl.hostname,
+              port: 443,
+              protocol: 'https',
+              path: request.path,
+              sslProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
+              readTimeout: 30,
+              keepaliveTimeout: 5,
+              customHeaders: {},
+            },
+          };
+          request.headers['host'] = [{ key: 'host', value: originUrl.hostname }];
+          request.headers['X-Forwarded-Host'] = [{ key: 'X-Forwarded-Host', value: host }];
+
+          return request;
+        },
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
+    new aws.lambda.Permission(
+      `${name}-edge-router-invoke-url-permission`,
+      {
+        function: edgeFunction.name,
+        action: 'lambda:InvokeFunction',
+        principal: 'edgelambda.amazonaws.com',
+        statementId: 'AllowExecutionFromCloudFront',
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
+    const distributionLogs = new aws.cloudwatch.LogGroup(
+      `${name}-distribution-logs`,
+      {
+        name: pulumi.interpolate`/appliance/base/${name}/distribution-logs`,
+        retentionInDays: 7,
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
+    const distributionDeliveryDestination = new aws.cloudwatch.LogDeliveryDestination(
+      `${name.replace('.', '-')}-distribution-delivery-destination`,
+      {
+        outputFormat: 'json',
+        deliveryDestinationType: 'CWL',
+        deliveryDestinationConfiguration: {
+          destinationResourceArn: distributionLogs.arn,
+        },
+      },
+      { parent: this, provider: opts?.globalProvider }
+    );
+
     this.cloudfrontDistribution = new aws.cloudfront.Distribution(
       `${name}-distribution`,
       {
@@ -185,17 +371,24 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
             .apply((res) => res.id ?? ''),
           originRequestPolicyId: aws.cloudfront
             .getOriginRequestPolicyOutput(
-              { name: 'Managed-AllViewerExceptHostHeader' },
+              { name: 'Managed-AllViewer' },
               {
                 parent: this,
                 provider: opts?.globalProvider,
               }
             )
             .apply((res) => res.id ?? ''),
-          allowedMethods: ['HEAD', 'GET'],
-          cachedMethods: ['HEAD', 'GET'],
+          allowedMethods: ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT'],
+          cachedMethods: ['GET', 'HEAD'],
           targetOriginId: 'LambdaOrigin',
           viewerProtocolPolicy: 'redirect-to-https',
+          lambdaFunctionAssociations: [
+            {
+              eventType: 'origin-request',
+              lambdaArn: edgeFunction.qualifiedArn,
+              includeBody: true,
+            },
+          ],
         },
         origins: [
           {
@@ -222,28 +415,24 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
       { parent: this, provider: opts?.globalProvider }
     );
 
-    new aws.lambda.Permission(
-      `${name.replaceAll('.', '-')}-origin-invoke-function-url-permission`,
+    const distributionDeliverySource = new aws.cloudwatch.LogDeliverySource(
+      `${name.replace('.', '-')}-distribution-delivery-source`,
       {
-        action: 'lambda:InvokeFunctionUrl',
-        principal: 'cloudfront.amazonaws.com',
-        function: lambdaOrigin.name,
-        functionUrlAuthType: 'AWS_IAM',
-        sourceArn: this.cloudfrontDistribution.arn,
+        region: 'us-east-1',
+        logType: 'ACCESS_LOGS',
+        resourceArn: this.cloudfrontDistribution.arn,
       },
-      { parent: this, provider: opts?.provider }
+      { parent: this, provider: opts?.globalProvider }
     );
 
-    new awsNative.lambda.Permission(
-      `${name.replaceAll('.', '-')}-origin-invoke-function-permission`,
+    new aws.cloudwatch.LogDelivery(
+      `${name.replace('.', '-')}-distribution-logging`,
       {
-        action: 'lambda:InvokeFunction',
-        principal: 'cloudfront.amazonaws.com',
-        sourceArn: this.cloudfrontDistribution.arn,
-        functionName: lambdaOrigin.name,
-        invokedViaFunctionUrl: true,
+        region: 'us-east-1',
+        deliverySourceName: distributionDeliverySource.name,
+        deliveryDestinationArn: distributionDeliveryDestination.arn,
       },
-      { parent: this, provider: opts?.nativeProvider }
+      { parent: this, provider: opts?.globalProvider }
     );
 
     new aws.route53.Record(
@@ -260,9 +449,16 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
 
     this.config = {
       name: name,
-      region: args.config.region,
       stateBackendUrl: pulumi.interpolate`s3://${state.bucket}`,
       domainName: args.config.dns.domainName,
+      type: ApplianceBaseType.ApplianceAwsPublic,
+      aws: {
+        region: args.config.region,
+        zoneId: this.zoneId,
+        cloudfrontDistributionId: this.cloudfrontDistribution.id,
+        cloudfrontDistributionDomainName: this.cloudfrontDistribution.domainName,
+        edgeRouterRoleArn: edgeRouterRole.arn,
+      },
     };
 
     new aws.ssm.Parameter(