@appliance.sh/infra 1.17.0 → 1.18.0

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@appliance.sh/infra",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "Deploy the Appliance Infrastructure",
   "repository": "https://github.com/appliance-sh/appliance.sh",
   "license": "MIT",
   "author": "Eliot Lim",
-  "main": "dist/lib/index.js",
+  "main": "src/index.ts",
   "types": "dist/lib/index.d.ts",
   "exports": {
     ".": {
@@ -17,12 +17,13 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "build": "tsc",
+    "clean": "rm -rf ./dist/",
     "deploy:entrypoint": "ts-node src/index.ts",
-    "deploy": "pulumi up",
+    "deploy": "npm run clean && pulumi up && npm run build",
     "dev:setup": "npm link"
   },
   "dependencies": {
-    "@appliance.sh/sdk": "1.17.0",
+    "@appliance.sh/sdk": "1.18.0",
     "@pulumi/aws": "^7.16.0",
     "@pulumi/aws-native": "^1.48.0",
     "@pulumi/awsx": "^3.1.0",

package/src/lib/ApplianceDeploymentService.ts

@@ -1,7 +1,7 @@
 import * as auto from '@pulumi/pulumi/automation';
 import * as aws from '@pulumi/aws';
 import * as awsNative from '@pulumi/aws-native';
-import { ApplianceStack } from './aws/ApplianceStack';
+import { ApplianceStack, toResourceId } from './aws/ApplianceStack';
 import { applianceBaseConfig, ApplianceBaseConfig } from '@appliance.sh/sdk';
 
 export type PulumiAction = 'deploy' | 'destroy';
@@ -32,32 +32,31 @@ export class ApplianceDeploymentService {
     this.region = this.baseConfig?.aws.region || 'us-east-1';
   }
 
-  private inlineProgram() {
+  private inlineProgram(stackName: string) {
     return async () => {
-      const name = 'appliance';
-
       if (!this.baseConfig) {
         throw new Error('Missing base config');
       }
 
-      const regionalProvider = new aws.Provider(`${name}-regional`, {
+      const rid = toResourceId(stackName);
+      const regionalProvider = new aws.Provider(`${rid}-regional`, {
         region: (this.baseConfig?.aws.region as aws.Region) ?? 'ap-southeast-1',
       });
-      const globalProvider = new aws.Provider(`${name}-global`, {
+      const globalProvider = new aws.Provider(`${rid}-global`, {
         region: 'us-east-1',
       });
-      const nativeRegionalProvider = new awsNative.Provider(`${name}-native-regional`, {
+      const nativeRegionalProvider = new awsNative.Provider(`${rid}-native-regional`, {
         region: (this.baseConfig?.aws.region as awsNative.Region) ?? 'ap-southeast-1',
       });
 
-      const nativeGlobalProvider = new awsNative.Provider(`${name}-native-global`, {
+      const nativeGlobalProvider = new awsNative.Provider(`${rid}-native-global`, {
         region: 'us-east-1',
       });
 
       const applianceStack = new ApplianceStack(
-        `${name}-stack`,
+        stackName,
         {
-          tags: { project: name },
+          tags: { project: stackName },
           config: this.baseConfig,
         },
         {
@@ -75,7 +74,7 @@ export class ApplianceDeploymentService {
   }
 
   private async getOrCreateStack(stackName: string): Promise<auto.Stack> {
-    const program = this.inlineProgram();
+    const program = this.inlineProgram(stackName);
     const envVars: Record<string, string> = {
       AWS_REGION: this.region,
     };

package/src/lib/aws/ApplianceBaseAwsPublic.ts

@@ -20,6 +20,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
   public readonly certificateArn?: pulumi.Output<string>;
   public readonly cloudfrontDistribution?: aws.cloudfront.Distribution;
 
+  public readonly dataBucket: aws.s3.Bucket;
   public readonly config;
 
   constructor(name: string, args: ApplianceBaseAwsPublicArgs, opts?: ApplianceBaseAwsPublicOpts) {
@@ -123,6 +124,33 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
       { parent: this, provider: opts?.provider }
     );
 
+    this.dataBucket = new aws.s3.Bucket(
+      `${name}-data`,
+      {
+        acl: 'private',
+        forceDestroy: true,
+      },
+      { parent: this, provider: opts?.provider }
+    );
+
+    new aws.s3.BucketVersioning(
+      `${name}-data-versioning`,
+      {
+        bucket: this.dataBucket.bucket,
+        versioningConfiguration: { status: 'Enabled' },
+      },
+      { parent: this, provider: opts?.provider }
+    );
+
+    new aws.s3.BucketServerSideEncryptionConfiguration(
+      `${name}-data-sse`,
+      {
+        bucket: this.dataBucket.bucket,
+        rules: [{ applyServerSideEncryptionByDefault: { sseAlgorithm: 'AES256' } }],
+      },
+      { parent: this, provider: opts?.provider }
+    );
+
     const lambdaOrigin = new aws.lambda.CallbackFunction(
       `${name}-origin`,
       {
@@ -458,6 +486,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
         cloudfrontDistributionId: this.cloudfrontDistribution.id,
         cloudfrontDistributionDomainName: this.cloudfrontDistribution.domainName,
         edgeRouterRoleArn: edgeRouterRole.arn,
+        dataBucketName: this.dataBucket.bucket,
       },
     };
 

package/src/lib/aws/ApplianceStack.ts

@@ -1,7 +1,39 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as aws from '@pulumi/aws';
 import * as awsNative from '@pulumi/aws-native';
-import { ApplianceBaseConfig } from '@appliance.sh/sdk';
+import type { ApplianceBaseConfig } from '@appliance.sh/sdk';
+import { createHash } from 'crypto';
+
+// AWS resource name limits (IAM roles, Lambda functions) are 64 chars.
+// Pulumi appends an 8-char suffix (-xxxxxxx). The longest resource
+// suffix we add is "-handler" (8 chars). Budget: 64 - 8 - 8 = 48.
+const MAX_RESOURCE_ID_LENGTH = 48;
+
+// DNS labels (each segment between dots) are limited to 63 chars.
+const MAX_DNS_LABEL_LENGTH = 63;
+
+function truncateWithHash(name: string, maxLength: number): string {
+  if (name.length <= maxLength) return name;
+  const hash = createHash('sha256').update(name).digest('hex').slice(0, 7);
+  return `${name.slice(0, maxLength - 8)}-${hash}`;
+}
+
+/**
+ * Derive a short, deterministic resource ID from a stack name.
+ * If the name fits within the limit it is returned as-is.
+ * Otherwise it is truncated and a 7-char hash suffix is appended
+ * to preserve uniqueness.
+ */
+export function toResourceId(name: string): string {
+  return truncateWithHash(name, MAX_RESOURCE_ID_LENGTH);
+}
+
+/**
+ * Derive a DNS-safe label from a stack name (max 63 chars).
+ */
+export function toDnsLabel(name: string): string {
+  return truncateWithHash(name, MAX_DNS_LABEL_LENGTH);
+}
 
 export interface ApplianceStackArgs {
   tags?: Record<string, string>;
@@ -25,17 +57,22 @@ export class ApplianceStack extends pulumi.ComponentResource {
   constructor(name: string, args: ApplianceStackArgs, opts: ApplianceStackOpts) {
     super('appliance:aws:ApplianceStack', name, args, opts);
 
+    // Short ID for AWS resource names (subject to 64-char limits)
+    const rid = toResourceId(name);
+    // DNS-safe label (max 63 chars per label)
+    const dnsLabel = toDnsLabel(name);
+
     const defaultOpts = { parent: this, provider: opts.provider };
     const defaultNativeOpts = { parent: this, provider: opts.nativeProvider };
     const defaultTags = { stack: name, managed: 'appliance', ...args.tags };
 
-    this.lambdaRole = new aws.iam.Role(`${name}-role`, {
+    this.lambdaRole = new aws.iam.Role(`${rid}-role`, {
       path: `/appliance/${name}/`,
       assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: 'lambda.amazonaws.com' }),
       tags: defaultTags,
     });
 
-    this.lambdaRolePolicy = new aws.iam.Policy(`${name}-policy`, {
+    this.lambdaRolePolicy = new aws.iam.Policy(`${rid}-policy`, {
       path: `/appliance/${name}/`,
       policy: {
         Version: '2012-10-17',
@@ -43,13 +80,13 @@ export class ApplianceStack extends pulumi.ComponentResource {
       },
     });
 
-    new aws.iam.RolePolicyAttachment(`${name}-role-policy-attachment`, {
+    new aws.iam.RolePolicyAttachment(`${rid}-role-policy-attachment`, {
       role: this.lambdaRole.name,
       policyArn: this.lambdaRolePolicy.arn,
     });
 
     this.lambda = new aws.lambda.CallbackFunction(
-      `${name}-handler`,
+      `${rid}-handler`,
       {
         runtime: 'nodejs22.x',
         callback: async () => {
@@ -62,7 +99,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
 
     // lambda url
     this.lambdaUrl = new aws.lambda.FunctionUrl(
-      `${name}-url`,
+      `${rid}-url`,
       {
         functionName: this.lambda.name,
         authorizationType: args.config.aws.cloudfrontDistributionId ? 'AWS_IAM' : 'NONE',
@@ -70,11 +107,12 @@ export class ApplianceStack extends pulumi.ComponentResource {
       defaultOpts
     );
 
-    this.dnsRecord = pulumi.interpolate`${name}.${args.config.domainName ?? ''}`;
+    // DNS uses the full stack name, not the truncated resource ID
+    this.dnsRecord = pulumi.interpolate`${dnsLabel}.${args.config.domainName ?? ''}`;
 
     if (args.config.aws.cloudfrontDistributionId) {
       new aws.lambda.Permission(
-        `${name}-url-invoke-url-permission`,
+        `${rid}-cf-invoke-url`,
         {
           function: this.lambda.name,
           action: 'lambda:InvokeFunctionUrl',
@@ -92,7 +130,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
       // The edge router role is the execution role of the Lambda@Edge function that signs requests
       if (args.config.aws.edgeRouterRoleArn) {
         new aws.lambda.Permission(
-          `${name}-invoke-url-edge-router-permission`,
+          `${rid}-edge-invoke-url`,
           {
             function: this.lambda.name,
             action: 'lambda:InvokeFunctionUrl',
@@ -104,7 +142,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
         );
 
         new awsNative.lambda.Permission(
-          `${name}-invoke-edge-router-permission`,
+          `${rid}-edge-invoke`,
           {
             action: 'lambda:InvokeFunction',
             principal: args.config.aws.edgeRouterRoleArn,
@@ -116,7 +154,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
       }
     } else {
       new aws.lambda.Permission(
-        `${name}-url-invoke-url-permission`,
+        `${rid}-public-invoke-url`,
         {
           function: this.lambda.name,
           action: 'lambda:InvokeFunctionUrl',
@@ -130,7 +168,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
 
     if (args.config.aws.cloudfrontDistributionId && args.config.aws.cloudfrontDistributionDomainName) {
       new awsNative.lambda.Permission(
-        `${name}-url-invoke-lambda-native-permission`,
+        `${rid}-cf-invoke`,
         {
           action: 'lambda:InvokeFunction',
           principal: 'cloudfront.amazonaws.com',
@@ -144,10 +182,10 @@ export class ApplianceStack extends pulumi.ComponentResource {
       );
 
       new aws.route53.Record(
-        `${name}-cname-record`,
+        `${rid}-cname`,
         {
           zoneId: args.config.aws.zoneId,
-          name: pulumi.interpolate`${name}.${args.config.domainName ?? ''}`,
+          name: pulumi.interpolate`${dnsLabel}.${args.config.domainName ?? ''}`,
           type: 'CNAME',
           ttl: 60,
           records: [args.config.aws.cloudfrontDistributionDomainName],
@@ -156,10 +194,10 @@ export class ApplianceStack extends pulumi.ComponentResource {
       );
 
       new aws.route53.Record(
-        `${name}-txt-record`,
+        `${rid}-txt`,
         {
           zoneId: args.config.aws.zoneId,
-          name: pulumi.interpolate`origin.${name}.${args.config.domainName ?? ''}`,
+          name: pulumi.interpolate`origin.${dnsLabel}.${args.config.domainName ?? ''}`,
           type: 'TXT',
           ttl: 60,
           records: [this.lambdaUrl.functionUrl],