npm - @appliance.sh/infra - Versions diffs - 1.17.0 → 1.19.0 - Mend

@appliance.sh/infra 1.17.0 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +5 -4
package/src/lib/ApplianceDeploymentService.ts +14 -15
package/src/lib/aws/ApplianceBaseAwsPublic.ts +29 -0
package/src/lib/aws/ApplianceStack.ts +75 -18

package/package.json CHANGED Viewed

@@ -1,11 +1,11 @@
 {
   "name": "@appliance.sh/infra",
-  "version": "1.17.0",
+  "version": "1.19.0",
   "description": "Deploy the Appliance Infrastructure",
   "repository": "https://github.com/appliance-sh/appliance.sh",
   "license": "MIT",
   "author": "Eliot Lim",
-  "main": "dist/lib/index.js",
+  "main": "src/index.ts",
   "types": "dist/lib/index.d.ts",
   "exports": {
     ".": {
@@ -17,12 +17,13 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "build": "tsc",
+    "clean": "rm -rf ./dist/",
     "deploy:entrypoint": "ts-node src/index.ts",
-    "deploy": "pulumi up",
+    "deploy": "npm run clean && pulumi up && npm run build",
     "dev:setup": "npm link"
   },
   "dependencies": {
-    "@appliance.sh/sdk": "1.17.0",
+    "@appliance.sh/sdk": "1.19.0",
     "@pulumi/aws": "^7.16.0",
     "@pulumi/aws-native": "^1.48.0",
     "@pulumi/awsx": "^3.1.0",

package/src/lib/ApplianceDeploymentService.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as auto from '@pulumi/pulumi/automation';
 import * as aws from '@pulumi/aws';
 import * as awsNative from '@pulumi/aws-native';
-import { ApplianceStack } from './aws/ApplianceStack';
+import { ApplianceStack, ApplianceStackMetadata, toResourceId } from './aws/ApplianceStack';
 import { applianceBaseConfig, ApplianceBaseConfig } from '@appliance.sh/sdk';
 export type PulumiAction = 'deploy' | 'destroy';
@@ -32,32 +32,31 @@ export class ApplianceDeploymentService {
     this.region = this.baseConfig?.aws.region || 'us-east-1';
   }
-  private inlineProgram() {
+  private inlineProgram(stackName: string, metadata?: ApplianceStackMetadata) {
     return async () => {
-      const name = 'appliance';
       if (!this.baseConfig) {
         throw new Error('Missing base config');
       }
-      const regionalProvider = new aws.Provider(`${name}-regional`, {
+      const rid = toResourceId(stackName);
+      const regionalProvider = new aws.Provider(`${rid}-regional`, {
         region: (this.baseConfig?.aws.region as aws.Region) ?? 'ap-southeast-1',
       });
-      const globalProvider = new aws.Provider(`${name}-global`, {
+      const globalProvider = new aws.Provider(`${rid}-global`, {
         region: 'us-east-1',
       });
-      const nativeRegionalProvider = new awsNative.Provider(`${name}-native-regional`, {
+      const nativeRegionalProvider = new awsNative.Provider(`${rid}-native-regional`, {
         region: (this.baseConfig?.aws.region as awsNative.Region) ?? 'ap-southeast-1',
       });
-      const nativeGlobalProvider = new awsNative.Provider(`${name}-native-global`, {
+      const nativeGlobalProvider = new awsNative.Provider(`${rid}-native-global`, {
         region: 'us-east-1',
       });
       const applianceStack = new ApplianceStack(
-        `${name}-stack`,
+        stackName,
         {
-          tags: { project: name },
+          metadata,
           config: this.baseConfig,
         },
         {
@@ -74,8 +73,8 @@ export class ApplianceDeploymentService {
     };
   }
-  private async getOrCreateStack(stackName: string): Promise<auto.Stack> {
-    const program = this.inlineProgram();
+  private async getOrCreateStack(stackName: string, metadata?: ApplianceStackMetadata): Promise<auto.Stack> {
+    const program = this.inlineProgram(stackName, metadata);
     const envVars: Record<string, string> = {
       AWS_REGION: this.region,
     };
@@ -113,8 +112,8 @@ export class ApplianceDeploymentService {
     return auto.Stack.createOrSelect(stackName, ws);
   }
-  async deploy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
-    const stack = await this.getOrCreateStack(stackName);
+  async deploy(stackName: string, metadata?: ApplianceStackMetadata): Promise<PulumiResult> {
+    const stack = await this.getOrCreateStack(stackName, metadata);
     const result = await stack.up({ onOutput: (m) => console.log(m) });
     const changes = result.summary.resourceChanges || {};
     const totalChanges = Object.entries(changes)
@@ -130,7 +129,7 @@ export class ApplianceDeploymentService {
     };
   }
-  async destroy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
+  async destroy(stackName: string): Promise<PulumiResult> {
     try {
       const stack = await this.selectExistingStack(stackName);
       await stack.destroy({ onOutput: (m) => console.log(m) });

package/src/lib/aws/ApplianceBaseAwsPublic.ts CHANGED Viewed

@@ -20,6 +20,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
   public readonly certificateArn?: pulumi.Output<string>;
   public readonly cloudfrontDistribution?: aws.cloudfront.Distribution;
+  public readonly dataBucket: aws.s3.Bucket;
   public readonly config;
   constructor(name: string, args: ApplianceBaseAwsPublicArgs, opts?: ApplianceBaseAwsPublicOpts) {
@@ -123,6 +124,33 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
       { parent: this, provider: opts?.provider }
     );
+    this.dataBucket = new aws.s3.Bucket(
+      `${name}-data`,
+      {
+        acl: 'private',
+        forceDestroy: true,
+      },
+      { parent: this, provider: opts?.provider }
+    );
+    new aws.s3.BucketVersioning(
+      `${name}-data-versioning`,
+      {
+        bucket: this.dataBucket.bucket,
+        versioningConfiguration: { status: 'Enabled' },
+      },
+      { parent: this, provider: opts?.provider }
+    );
+    new aws.s3.BucketServerSideEncryptionConfiguration(
+      `${name}-data-sse`,
+      {
+        bucket: this.dataBucket.bucket,
+        rules: [{ applyServerSideEncryptionByDefault: { sseAlgorithm: 'AES256' } }],
+      },
+      { parent: this, provider: opts?.provider }
+    );
     const lambdaOrigin = new aws.lambda.CallbackFunction(
       `${name}-origin`,
       {
@@ -458,6 +486,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
         cloudfrontDistributionId: this.cloudfrontDistribution.id,
         cloudfrontDistributionDomainName: this.cloudfrontDistribution.domainName,
         edgeRouterRoleArn: edgeRouterRole.arn,
+        dataBucketName: this.dataBucket.bucket,
       },
     };

package/src/lib/aws/ApplianceStack.ts CHANGED Viewed

@@ -1,10 +1,51 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as aws from '@pulumi/aws';
 import * as awsNative from '@pulumi/aws-native';
-import { ApplianceBaseConfig } from '@appliance.sh/sdk';
+import type { ApplianceBaseConfig } from '@appliance.sh/sdk';
+import { createHash } from 'crypto';
+// AWS resource name limits (IAM roles, Lambda functions) are 64 chars.
+// Pulumi appends an 8-char suffix (-xxxxxxx). The longest resource
+// suffix we add is "-handler" (8 chars). Budget: 64 - 8 - 8 = 48.
+const MAX_RESOURCE_ID_LENGTH = 48;
+// DNS labels (each segment between dots) are limited to 63 chars.
+const MAX_DNS_LABEL_LENGTH = 63;
+function truncateWithHash(name: string, maxLength: number): string {
+  if (name.length <= maxLength) return name;
+  const hash = createHash('sha256').update(name).digest('hex').slice(0, 7);
+  return `${name.slice(0, maxLength - 8)}-${hash}`;
+}
+/**
+ * Derive a short, deterministic resource ID from a stack name.
+ * If the name fits within the limit it is returned as-is.
+ * Otherwise it is truncated and a 7-char hash suffix is appended
+ * to preserve uniqueness.
+ */
+export function toResourceId(name: string): string {
+  return truncateWithHash(name, MAX_RESOURCE_ID_LENGTH);
+}
+/**
+ * Derive a DNS-safe label from a stack name (max 63 chars).
+ */
+export function toDnsLabel(name: string): string {
+  return truncateWithHash(name, MAX_DNS_LABEL_LENGTH);
+}
+export interface ApplianceStackMetadata {
+  projectId: string;
+  projectName: string;
+  environmentId: string;
+  environmentName: string;
+  deploymentId: string;
+  stackName: string;
+}
 export interface ApplianceStackArgs {
-  tags?: Record<string, string>;
+  metadata?: ApplianceStackMetadata;
   config: ApplianceBaseConfig;
 }
@@ -25,17 +66,32 @@ export class ApplianceStack extends pulumi.ComponentResource {
   constructor(name: string, args: ApplianceStackArgs, opts: ApplianceStackOpts) {
     super('appliance:aws:ApplianceStack', name, args, opts);
+    // Short ID for AWS resource names (subject to 64-char limits)
+    const rid = toResourceId(name);
+    // DNS-safe label (max 63 chars per label)
+    const dnsLabel = toDnsLabel(name);
     const defaultOpts = { parent: this, provider: opts.provider };
     const defaultNativeOpts = { parent: this, provider: opts.nativeProvider };
-    const defaultTags = { stack: name, managed: 'appliance', ...args.tags };
+    const defaultTags: Record<string, string> = {
+      'appliance:managed': 'true',
+      'appliance:stack-name': name,
+    };
+    if (args.metadata) {
+      defaultTags['appliance:project-id'] = args.metadata.projectId;
+      defaultTags['appliance:project-name'] = args.metadata.projectName;
+      defaultTags['appliance:environment-id'] = args.metadata.environmentId;
+      defaultTags['appliance:environment-name'] = args.metadata.environmentName;
+      defaultTags['appliance:deployment-id'] = args.metadata.deploymentId;
+    }
-    this.lambdaRole = new aws.iam.Role(`${name}-role`, {
+    this.lambdaRole = new aws.iam.Role(`${rid}-role`, {
       path: `/appliance/${name}/`,
       assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: 'lambda.amazonaws.com' }),
       tags: defaultTags,
     });
-    this.lambdaRolePolicy = new aws.iam.Policy(`${name}-policy`, {
+    this.lambdaRolePolicy = new aws.iam.Policy(`${rid}-policy`, {
       path: `/appliance/${name}/`,
       policy: {
         Version: '2012-10-17',
@@ -43,13 +99,13 @@ export class ApplianceStack extends pulumi.ComponentResource {
       },
     });
-    new aws.iam.RolePolicyAttachment(`${name}-role-policy-attachment`, {
+    new aws.iam.RolePolicyAttachment(`${rid}-role-policy-attachment`, {
       role: this.lambdaRole.name,
       policyArn: this.lambdaRolePolicy.arn,
     });
     this.lambda = new aws.lambda.CallbackFunction(
-      `${name}-handler`,
+      `${rid}-handler`,
       {
         runtime: 'nodejs22.x',
         callback: async () => {
@@ -62,7 +118,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
     // lambda url
     this.lambdaUrl = new aws.lambda.FunctionUrl(
-      `${name}-url`,
+      `${rid}-url`,
       {
         functionName: this.lambda.name,
         authorizationType: args.config.aws.cloudfrontDistributionId ? 'AWS_IAM' : 'NONE',
@@ -70,11 +126,12 @@ export class ApplianceStack extends pulumi.ComponentResource {
       defaultOpts
     );
-    this.dnsRecord = pulumi.interpolate`${name}.${args.config.domainName ?? ''}`;
+    // DNS uses the full stack name, not the truncated resource ID
+    this.dnsRecord = pulumi.interpolate`${dnsLabel}.${args.config.domainName ?? ''}`;
     if (args.config.aws.cloudfrontDistributionId) {
       new aws.lambda.Permission(
-        `${name}-url-invoke-url-permission`,
+        `${rid}-cf-invoke-url`,
         {
           function: this.lambda.name,
           action: 'lambda:InvokeFunctionUrl',
@@ -92,7 +149,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
       // The edge router role is the execution role of the Lambda@Edge function that signs requests
       if (args.config.aws.edgeRouterRoleArn) {
         new aws.lambda.Permission(
-          `${name}-invoke-url-edge-router-permission`,
+          `${rid}-edge-invoke-url`,
           {
             function: this.lambda.name,
             action: 'lambda:InvokeFunctionUrl',
@@ -104,7 +161,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
         );
         new awsNative.lambda.Permission(
-          `${name}-invoke-edge-router-permission`,
+          `${rid}-edge-invoke`,
           {
             action: 'lambda:InvokeFunction',
             principal: args.config.aws.edgeRouterRoleArn,
@@ -116,7 +173,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
       }
     } else {
       new aws.lambda.Permission(
-        `${name}-url-invoke-url-permission`,
+        `${rid}-public-invoke-url`,
         {
           function: this.lambda.name,
           action: 'lambda:InvokeFunctionUrl',
@@ -130,7 +187,7 @@ export class ApplianceStack extends pulumi.ComponentResource {
     if (args.config.aws.cloudfrontDistributionId && args.config.aws.cloudfrontDistributionDomainName) {
       new awsNative.lambda.Permission(
-        `${name}-url-invoke-lambda-native-permission`,
+        `${rid}-cf-invoke`,
         {
           action: 'lambda:InvokeFunction',
           principal: 'cloudfront.amazonaws.com',
@@ -144,10 +201,10 @@ export class ApplianceStack extends pulumi.ComponentResource {
       );
       new aws.route53.Record(
-        `${name}-cname-record`,
+        `${rid}-cname`,
         {
           zoneId: args.config.aws.zoneId,
-          name: pulumi.interpolate`${name}.${args.config.domainName ?? ''}`,
+          name: pulumi.interpolate`${dnsLabel}.${args.config.domainName ?? ''}`,
           type: 'CNAME',
           ttl: 60,
           records: [args.config.aws.cloudfrontDistributionDomainName],
@@ -156,10 +213,10 @@ export class ApplianceStack extends pulumi.ComponentResource {
       );
       new aws.route53.Record(
-        `${name}-txt-record`,
+        `${rid}-txt`,
         {
           zoneId: args.config.aws.zoneId,
-          name: pulumi.interpolate`origin.${name}.${args.config.domainName ?? ''}`,
+          name: pulumi.interpolate`origin.${dnsLabel}.${args.config.domainName ?? ''}`,
           type: 'TXT',
           ttl: 60,
           records: [this.lambdaUrl.functionUrl],