@appliance.sh/infra 1.19.0 → 1.20.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/infra",
-  "version": "1.19.0",
+  "version": "1.20.0",
   "description": "Deploy the Appliance Infrastructure",
   "repository": "https://github.com/appliance-sh/appliance.sh",
   "license": "MIT",
@@ -23,7 +23,7 @@
     "dev:setup": "npm link"
   },
   "dependencies": {
-    "@appliance.sh/sdk": "1.19.0",
+    "@appliance.sh/sdk": "1.20.0",
     "@pulumi/aws": "^7.16.0",
     "@pulumi/aws-native": "^1.48.0",
     "@pulumi/awsx": "^3.1.0",

package/src/lib/ApplianceDeploymentService.ts

@@ -32,7 +32,11 @@ export class ApplianceDeploymentService {
     this.region = this.baseConfig?.aws.region || 'us-east-1';
   }
 
-  private inlineProgram(stackName: string, metadata?: ApplianceStackMetadata) {
+  private inlineProgram(
+    stackName: string,
+    metadata?: ApplianceStackMetadata,
+    build?: { imageUri?: string; codeS3Key?: string }
+  ) {
     return async () => {
       if (!this.baseConfig) {
         throw new Error('Missing base config');
@@ -58,6 +62,8 @@ export class ApplianceDeploymentService {
         {
           metadata,
           config: this.baseConfig,
+          imageUri: build?.imageUri,
+          codeS3Key: build?.codeS3Key,
         },
         {
           globalProvider,
@@ -73,8 +79,12 @@ export class ApplianceDeploymentService {
     };
   }
 
-  private async getOrCreateStack(stackName: string, metadata?: ApplianceStackMetadata): Promise<auto.Stack> {
-    const program = this.inlineProgram(stackName, metadata);
+  private async getOrCreateStack(
+    stackName: string,
+    metadata?: ApplianceStackMetadata,
+    build?: { imageUri?: string; codeS3Key?: string }
+  ): Promise<auto.Stack> {
+    const program = this.inlineProgram(stackName, metadata, build);
     const envVars: Record<string, string> = {
       AWS_REGION: this.region,
     };
@@ -112,8 +122,12 @@ export class ApplianceDeploymentService {
     return auto.Stack.createOrSelect(stackName, ws);
   }
 
-  async deploy(stackName: string, metadata?: ApplianceStackMetadata): Promise<PulumiResult> {
-    const stack = await this.getOrCreateStack(stackName, metadata);
+  async deploy(
+    stackName: string,
+    metadata?: ApplianceStackMetadata,
+    build?: { imageUri?: string; codeS3Key?: string }
+  ): Promise<PulumiResult> {
+    const stack = await this.getOrCreateStack(stackName, metadata, build);
     const result = await stack.up({ onOutput: (m) => console.log(m) });
     const changes = result.summary.resourceChanges || {};
     const totalChanges = Object.entries(changes)

package/src/lib/aws/ApplianceBaseAwsPublic.ts

@@ -21,6 +21,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
   public readonly cloudfrontDistribution?: aws.cloudfront.Distribution;
 
   public readonly dataBucket: aws.s3.Bucket;
+  public readonly ecrRepository: aws.ecr.Repository;
   public readonly config;
 
   constructor(name: string, args: ApplianceBaseAwsPublicArgs, opts?: ApplianceBaseAwsPublicOpts) {
@@ -151,6 +152,35 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
       { parent: this, provider: opts?.provider }
     );
 
+    this.ecrRepository = new aws.ecr.Repository(
+      `${name}-ecr`,
+      {
+        name: name.replaceAll('.', '-'),
+        imageScanningConfiguration: { scanOnPush: true },
+        imageTagMutability: 'MUTABLE',
+        forceDelete: true,
+      },
+      { parent: this, provider: opts?.provider }
+    );
+
+    new aws.ecr.LifecyclePolicy(
+      `${name}-ecr-lifecycle`,
+      {
+        repository: this.ecrRepository.name,
+        policy: JSON.stringify({
+          rules: [
+            {
+              rulePriority: 1,
+              description: 'Keep last 50 images',
+              selection: { tagStatus: 'any', countType: 'imageCountMoreThan', countNumber: 50 },
+              action: { type: 'expire' },
+            },
+          ],
+        }),
+      },
+      { parent: this, provider: opts?.provider }
+    );
+
     const lambdaOrigin = new aws.lambda.CallbackFunction(
       `${name}-origin`,
       {
@@ -487,6 +517,7 @@ export class ApplianceBaseAwsPublic extends pulumi.ComponentResource {
         cloudfrontDistributionDomainName: this.cloudfrontDistribution.domainName,
         edgeRouterRoleArn: edgeRouterRole.arn,
         dataBucketName: this.dataBucket.bucket,
+        ecrRepositoryUrl: this.ecrRepository.repositoryUrl,
       },
     };
 

package/src/lib/aws/ApplianceStack.ts

@@ -47,6 +47,8 @@ export interface ApplianceStackMetadata {
 export interface ApplianceStackArgs {
   metadata?: ApplianceStackMetadata;
   config: ApplianceBaseConfig;
+  imageUri?: string;
+  codeS3Key?: string;
 }
 
 export interface ApplianceStackOpts extends pulumi.ComponentResourceOptions {
@@ -91,11 +93,50 @@ export class ApplianceStack extends pulumi.ComponentResource {
       tags: defaultTags,
     });
 
+    const policyStatements = [
+      { Effect: 'Allow' as const, Action: 'logs:CreateLogGroup', Resource: '*' },
+      { Effect: 'Allow' as const, Action: 'logs:CreateLogStream', Resource: '*' },
+      { Effect: 'Allow' as const, Action: 'logs:PutLogEvents', Resource: '*' },
+    ];
+
+    if (args.imageUri) {
+      policyStatements.push(
+        {
+          Effect: 'Allow' as const,
+          Action: 'ecr:GetDownloadUrlForLayer',
+          Resource: '*',
+        },
+        {
+          Effect: 'Allow' as const,
+          Action: 'ecr:BatchGetImage',
+          Resource: '*',
+        },
+        {
+          Effect: 'Allow' as const,
+          Action: 'ecr:BatchCheckLayerAvailability',
+          Resource: '*',
+        },
+        {
+          Effect: 'Allow' as const,
+          Action: 'ecr:GetAuthorizationToken',
+          Resource: '*',
+        }
+      );
+    }
+
+    if (args.codeS3Key && args.config.aws.dataBucketName) {
+      policyStatements.push({
+        Effect: 'Allow' as const,
+        Action: 's3:GetObject',
+        Resource: `arn:aws:s3:::${args.config.aws.dataBucketName}/${args.codeS3Key}`,
+      });
+    }
+
     this.lambdaRolePolicy = new aws.iam.Policy(`${rid}-policy`, {
       path: `/appliance/${name}/`,
       policy: {
         Version: '2012-10-17',
-        Statement: [{ Effect: 'Allow', Action: 'logs:CreateLogGroup', Resource: '*' }],
+        Statement: policyStatements,
       },
     });
 
@@ -104,17 +145,48 @@ export class ApplianceStack extends pulumi.ComponentResource {
       policyArn: this.lambdaRolePolicy.arn,
     });
 
-    this.lambda = new aws.lambda.CallbackFunction(
-      `${rid}-handler`,
-      {
-        runtime: 'nodejs22.x',
-        callback: async () => {
-          return { statusCode: 200, body: JSON.stringify({ message: 'Hello world!' }) };
+    if (args.imageUri) {
+      this.lambda = new aws.lambda.Function(
+        `${rid}-handler`,
+        {
+          packageType: 'Image',
+          imageUri: args.imageUri,
+          role: this.lambdaRole.arn,
+          timeout: 30,
+          memorySize: 512,
+          tags: defaultTags,
         },
-        tags: defaultTags,
-      },
-      defaultOpts
-    );
+        defaultOpts
+      );
+    } else if (args.codeS3Key && args.config.aws.dataBucketName) {
+      this.lambda = new aws.lambda.Function(
+        `${rid}-handler`,
+        {
+          packageType: 'Zip',
+          runtime: 'nodejs22.x',
+          handler: 'index.handler',
+          s3Bucket: args.config.aws.dataBucketName,
+          s3Key: args.codeS3Key,
+          role: this.lambdaRole.arn,
+          timeout: 30,
+          memorySize: 512,
+          tags: defaultTags,
+        },
+        defaultOpts
+      );
+    } else {
+      this.lambda = new aws.lambda.CallbackFunction(
+        `${rid}-handler`,
+        {
+          runtime: 'nodejs22.x',
+          callback: async () => {
+            return { statusCode: 200, body: JSON.stringify({ message: 'Hello world!' }) };
+          },
+          tags: defaultTags,
+        },
+        defaultOpts
+      );
+    }
 
     // lambda url
     this.lambdaUrl = new aws.lambda.FunctionUrl(