@crowi/plugin-aws 0.1.0-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Sotaro KARASAWA <sotaro.k@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,53 @@
+# @crowi/plugin-aws
+
+Shared AWS credentials base plugin. Holds `region` / `accessKeyId` /
+`secretAccessKey` once, so any number of AWS-using plugins
+(`@crowi/plugin-storage-aws-s3`, future `@crowi/plugin-mail-aws-ses`, etc)
+can read the same configuration without operators duplicating it.
+
+This plugin **does not register any driver** on its own — it's a
+config-holder. It auto-loads when any AWS plugin lists it under
+`requires`, so operators do not need to add it to
+`crowi.config.json:plugins` themselves.
+
+## Configure
+
+Open `/admin/plugins`, select `@crowi/plugin-aws`, and fill in:
+
+| Field | Required? | Notes |
+|---|---|---|
+| `region` | Recommended | e.g. `ap-northeast-1`, `us-east-1`. Validated against the `<area>-<sub>-<num>` shape. Empty string falls back to the SDK default region resolution. |
+| `accessKeyId` | Optional | Long-lived IAM access key. Leave blank to use the SDK's default credential chain (see below). |
+| `secretAccessKey` | Optional | Pairs with `accessKeyId`. Encrypted at rest with `CROWI_ENCRYPTION_KEY`. |
+
+### When to leave the keys blank
+
+Both `accessKeyId` and `secretAccessKey` empty → the AWS SDK falls back
+to its [default credential provider chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain),
+in this order:
+
+1. Environment variables (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` /
+   `AWS_SESSION_TOKEN`)
+2. Shared credentials file (`~/.aws/credentials`)
+3. EC2 / ECS / EKS instance / task / pod identity
+4. Other SDK-managed sources (SSO, web identity, etc.)
+
+For production on AWS, **leave the keys blank and use an IAM role**.
+You get short-lived credentials rotated by AWS without operators ever
+holding a long-lived secret.
+
+## What this plugin does NOT do
+
+- **Does not register a storage / search / auth / notifier driver.** Its
+  only job is to publish a typed config to dependent plugins via
+  `ctx.dependencyConfig<AwsConfig>('@crowi/plugin-aws')`.
+- **Does not pre-validate credentials.** A bad key shows up at the first
+  AWS API call from the dependent plugin (e.g. an S3 `PutObject`),
+  not at boot.
+- **Does not configure per-service knobs** (S3 bucket, SES verified
+  identity, etc). Those live in the consuming plugin's own config.
+
+## See also
+
+- [`@crowi/plugin-storage-aws-s3`](../plugin-storage-aws-s3) — S3 storage
+  driver. Required IAM permissions are documented there.

package/dist/index.d.mts

@@ -0,0 +1,32 @@
+import { z } from 'zod/v3';
+import { CrowiPlugin } from '@crowi/plugin-api';
+
+/**
+ * Shared AWS configuration. Storage / mail / etc. plugins list this in
+ * `requires` and read it via `ctx.dependencyConfig('@crowi/plugin-aws')`,
+ * so operators don't have to add it to `crowi.config.json:plugins`
+ * themselves and the admin form section is rendered once regardless of
+ * how many AWS-using plugins are installed.
+ */
+declare const AwsConfigSchema: z.ZodObject<{
+    region: z.ZodDefault<z.ZodEffects<z.ZodString, string, string>>;
+    /**
+     * Leave both accessKeyId and secretAccessKey empty to fall back to
+     * the Node SDK's default credential chain (IAM role / env vars /
+     * shared credentials file).
+     */
+    accessKeyId: z.ZodDefault<z.ZodEffects<z.ZodString, string, string>>;
+    secretAccessKey: z.ZodDefault<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    region: string;
+    accessKeyId: string;
+    secretAccessKey: string;
+}, {
+    region?: string | undefined;
+    accessKeyId?: string | undefined;
+    secretAccessKey?: string | undefined;
+}>;
+type AwsConfig = z.infer<typeof AwsConfigSchema>;
+declare const plugin: CrowiPlugin;
+
+export { type AwsConfig, AwsConfigSchema, plugin as default };

package/dist/index.d.ts

@@ -0,0 +1,32 @@
+import { z } from 'zod/v3';
+import { CrowiPlugin } from '@crowi/plugin-api';
+
+/**
+ * Shared AWS configuration. Storage / mail / etc. plugins list this in
+ * `requires` and read it via `ctx.dependencyConfig('@crowi/plugin-aws')`,
+ * so operators don't have to add it to `crowi.config.json:plugins`
+ * themselves and the admin form section is rendered once regardless of
+ * how many AWS-using plugins are installed.
+ */
+declare const AwsConfigSchema: z.ZodObject<{
+    region: z.ZodDefault<z.ZodEffects<z.ZodString, string, string>>;
+    /**
+     * Leave both accessKeyId and secretAccessKey empty to fall back to
+     * the Node SDK's default credential chain (IAM role / env vars /
+     * shared credentials file).
+     */
+    accessKeyId: z.ZodDefault<z.ZodEffects<z.ZodString, string, string>>;
+    secretAccessKey: z.ZodDefault<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    region: string;
+    accessKeyId: string;
+    secretAccessKey: string;
+}, {
+    region?: string | undefined;
+    accessKeyId?: string | undefined;
+    secretAccessKey?: string | undefined;
+}>;
+type AwsConfig = z.infer<typeof AwsConfigSchema>;
+declare const plugin: CrowiPlugin;
+
+export { type AwsConfig, AwsConfigSchema, plugin as default };

package/dist/index.js

@@ -0,0 +1,57 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AwsConfigSchema: () => AwsConfigSchema,
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+var import_v3 = require("zod/v3");
+var AwsConfigSchema = import_v3.z.object({
+  region: import_v3.z.string().trim().refine((v) => v === "" || /^[a-z]+(-[a-z]+)?-[a-z]+-\d+$/.test(v), {
+    message: "Must be a valid AWS region name (e.g. ap-northeast-1)"
+  }).default(""),
+  /**
+   * Leave both accessKeyId and secretAccessKey empty to fall back to
+   * the Node SDK's default credential chain (IAM role / env vars /
+   * shared credentials file).
+   */
+  accessKeyId: import_v3.z.string().trim().refine((v) => v === "" || /^[\dA-Za-z]+$/.test(v), {
+    message: "Access Key ID must be alphanumeric"
+  }).default(""),
+  secretAccessKey: import_v3.z.string().describe("@sensitive AWS secret access key").default("")
+}).strict();
+var plugin = {
+  name: "@crowi/plugin-aws",
+  version: "0.1.0-dev",
+  configSchema: AwsConfigSchema,
+  adminPlacement: {
+    section: "shared",
+    label: "AWS",
+    icon: "cloud"
+  }
+};
+var index_default = plugin;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AwsConfigSchema
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { z } from 'zod/v3';\nimport type { CrowiPlugin } from '@crowi/plugin-api';\n\n/**\n * Shared AWS configuration. Storage / mail / etc. plugins list this in\n * `requires` and read it via `ctx.dependencyConfig('@crowi/plugin-aws')`,\n * so operators don't have to add it to `crowi.config.json:plugins`\n * themselves and the admin form section is rendered once regardless of\n * how many AWS-using plugins are installed.\n */\nexport const AwsConfigSchema = z\n  .object({\n    region: z\n      .string()\n      .trim()\n      .refine((v) => v === '' || /^[a-z]+(-[a-z]+)?-[a-z]+-\\d+$/.test(v), {\n        message: 'Must be a valid AWS region name (e.g. ap-northeast-1)',\n      })\n      .default(''),\n    /**\n     * Leave both accessKeyId and secretAccessKey empty to fall back to\n     * the Node SDK's default credential chain (IAM role / env vars /\n     * shared credentials file).\n     */\n    accessKeyId: z\n      .string()\n      .trim()\n      .refine((v) => v === '' || /^[\\dA-Za-z]+$/.test(v), {\n        message: 'Access Key ID must be alphanumeric',\n      })\n      .default(''),\n    secretAccessKey: z.string().describe('@sensitive AWS secret access key').default(''),\n  })\n  .strict();\n\nexport type AwsConfig = z.infer<typeof AwsConfigSchema>;\n\nconst plugin: CrowiPlugin = {\n  name: '@crowi/plugin-aws',\n  version: '0.1.0-dev',\n  configSchema: AwsConfigSchema,\n  adminPlacement: {\n    section: 'shared',\n    label: 'AWS',\n    icon: 'cloud',\n  },\n};\n\nexport default plugin;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAkB;AAUX,IAAM,kBAAkB,YAC5B,OAAO;AAAA,EACN,QAAQ,YACL,OAAO,EACP,KAAK,EACL,OAAO,CAAC,MAAM,MAAM,MAAM,gCAAgC,KAAK,CAAC,GAAG;AAAA,IAClE,SAAS;AAAA,EACX,CAAC,EACA,QAAQ,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMb,aAAa,YACV,OAAO,EACP,KAAK,EACL,OAAO,CAAC,MAAM,MAAM,MAAM,gBAAgB,KAAK,CAAC,GAAG;AAAA,IAClD,SAAS;AAAA,EACX,CAAC,EACA,QAAQ,EAAE;AAAA,EACb,iBAAiB,YAAE,OAAO,EAAE,SAAS,kCAAkC,EAAE,QAAQ,EAAE;AACrF,CAAC,EACA,OAAO;AAIV,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,cAAc;AAAA,EACd,gBAAgB;AAAA,IACd,SAAS;AAAA,IACT,OAAO;AAAA,IACP,MAAM;AAAA,EACR;AACF;AAEA,IAAO,gBAAQ;","names":[]}

package/dist/index.mjs

@@ -0,0 +1,32 @@
+// src/index.ts
+import { z } from "zod/v3";
+var AwsConfigSchema = z.object({
+  region: z.string().trim().refine((v) => v === "" || /^[a-z]+(-[a-z]+)?-[a-z]+-\d+$/.test(v), {
+    message: "Must be a valid AWS region name (e.g. ap-northeast-1)"
+  }).default(""),
+  /**
+   * Leave both accessKeyId and secretAccessKey empty to fall back to
+   * the Node SDK's default credential chain (IAM role / env vars /
+   * shared credentials file).
+   */
+  accessKeyId: z.string().trim().refine((v) => v === "" || /^[\dA-Za-z]+$/.test(v), {
+    message: "Access Key ID must be alphanumeric"
+  }).default(""),
+  secretAccessKey: z.string().describe("@sensitive AWS secret access key").default("")
+}).strict();
+var plugin = {
+  name: "@crowi/plugin-aws",
+  version: "0.1.0-dev",
+  configSchema: AwsConfigSchema,
+  adminPlacement: {
+    section: "shared",
+    label: "AWS",
+    icon: "cloud"
+  }
+};
+var index_default = plugin;
+export {
+  AwsConfigSchema,
+  index_default as default
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { z } from 'zod/v3';\nimport type { CrowiPlugin } from '@crowi/plugin-api';\n\n/**\n * Shared AWS configuration. Storage / mail / etc. plugins list this in\n * `requires` and read it via `ctx.dependencyConfig('@crowi/plugin-aws')`,\n * so operators don't have to add it to `crowi.config.json:plugins`\n * themselves and the admin form section is rendered once regardless of\n * how many AWS-using plugins are installed.\n */\nexport const AwsConfigSchema = z\n  .object({\n    region: z\n      .string()\n      .trim()\n      .refine((v) => v === '' || /^[a-z]+(-[a-z]+)?-[a-z]+-\\d+$/.test(v), {\n        message: 'Must be a valid AWS region name (e.g. ap-northeast-1)',\n      })\n      .default(''),\n    /**\n     * Leave both accessKeyId and secretAccessKey empty to fall back to\n     * the Node SDK's default credential chain (IAM role / env vars /\n     * shared credentials file).\n     */\n    accessKeyId: z\n      .string()\n      .trim()\n      .refine((v) => v === '' || /^[\\dA-Za-z]+$/.test(v), {\n        message: 'Access Key ID must be alphanumeric',\n      })\n      .default(''),\n    secretAccessKey: z.string().describe('@sensitive AWS secret access key').default(''),\n  })\n  .strict();\n\nexport type AwsConfig = z.infer<typeof AwsConfigSchema>;\n\nconst plugin: CrowiPlugin = {\n  name: '@crowi/plugin-aws',\n  version: '0.1.0-dev',\n  configSchema: AwsConfigSchema,\n  adminPlacement: {\n    section: 'shared',\n    label: 'AWS',\n    icon: 'cloud',\n  },\n};\n\nexport default plugin;\n"],"mappings":";AAAA,SAAS,SAAS;AAUX,IAAM,kBAAkB,EAC5B,OAAO;AAAA,EACN,QAAQ,EACL,OAAO,EACP,KAAK,EACL,OAAO,CAAC,MAAM,MAAM,MAAM,gCAAgC,KAAK,CAAC,GAAG;AAAA,IAClE,SAAS;AAAA,EACX,CAAC,EACA,QAAQ,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMb,aAAa,EACV,OAAO,EACP,KAAK,EACL,OAAO,CAAC,MAAM,MAAM,MAAM,gBAAgB,KAAK,CAAC,GAAG;AAAA,IAClD,SAAS;AAAA,EACX,CAAC,EACA,QAAQ,EAAE;AAAA,EACb,iBAAiB,EAAE,OAAO,EAAE,SAAS,kCAAkC,EAAE,QAAQ,EAAE;AACrF,CAAC,EACA,OAAO;AAIV,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,cAAc;AAAA,EACd,gBAAgB;AAAA,IACd,SAAS;AAAA,IACT,OAAO;AAAA,IACP,MAAM;AAAA,EACR;AACF;AAEA,IAAO,gBAAQ;","names":[]}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@crowi/plugin-aws",
+  "version": "0.1.0-alpha.0",
+  "description": "AWS base configuration for Crowi 2.0 — shared region / accessKeyId / secretAccessKey for downstream AWS service plugins (S3, SES, ...).",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "tsup": "^8.3.5",
+    "typescript": "^5.8.3",
+    "zod": "^4.4.3",
+    "@crowi/tsconfig": "0.1.0-alpha.0",
+    "@crowi/plugin-api": "0.1.0-alpha.0"
+  },
+  "dependencies": {
+    "@crowi/plugin-api": "^0.1.0-alpha.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch --no-clean",
+    "type-check": "tsc --noEmit"
+  }
+}