@devramps/cli 0.1.11 → 0.1.13

package/dist/index.js

@@ -933,6 +933,11 @@ async function authenticateViaBrowser(options = {}) {
   const state = generateState();
   verbose("Generated PKCE code_challenge and state");
   const { server, port, callbackPromise } = await startCallbackServer(state);
+  const sigintHandler = () => {
+    server.close();
+    process.exit(130);
+  };
+  process.on("SIGINT", sigintHandler);
   try {
     const redirectUri = `http://localhost:${port}`;
     const authParams = new URLSearchParams({
@@ -1005,6 +1010,7 @@ async function authenticateViaBrowser(options = {}) {
       cicdRegion: awsConfig.defaultRegion
     };
   } finally {
+    process.removeListener("SIGINT", sigintHandler);
     await closeServer(server);
   }
 }
@@ -1296,8 +1302,11 @@ async function parseAdditionalPolicies(pipelineDir) {
     if (!policy || typeof policy !== "object") {
       throw new Error(`Policy at index ${i} is not an object`);
     }
-    if (!("Statement" in policy) || !Array.isArray(policy.Statement)) {
-      throw new Error(`Policy at index ${i} is missing Statement array`);
+    if (!("Statement" in policy) || !policy.Statement || typeof policy.Statement !== "object") {
+      throw new Error(`Policy at index ${i} is missing Statement`);
+    }
+    if (!Array.isArray(policy.Statement)) {
+      policy.Statement = [policy.Statement];
     }
     validatedPolicies.push(policy);
   }
@@ -1501,7 +1510,8 @@ function createBaseTemplate(description) {
 function sanitizeResourceId(name) {
   return name.replace(/[^a-zA-Z0-9]/g, "").substring(0, 64);
 }
-function addOidcProviderResource(template, conditional = true) {
+function addOidcProviderResource(template, conditional = true, oidcProviderUrl) {
+  const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
   if (conditional) {
     template.Parameters.OIDCProviderExists = {
       Type: "String",
@@ -1517,27 +1527,28 @@ function addOidcProviderResource(template, conditional = true) {
     Type: "AWS::IAM::OIDCProvider",
     ...conditional ? { Condition: "CreateOIDCProvider" } : {},
     Properties: {
-      Url: `https://${OIDC_PROVIDER_URL}`,
-      ClientIdList: [OIDC_PROVIDER_URL],
+      Url: `https://${providerUrl}`,
+      ClientIdList: [providerUrl],
       ThumbprintList: [getOidcThumbprint()],
       Tags: STANDARD_TAGS
     }
   };
 }
-function buildOidcTrustPolicy(accountId, subject) {
+function buildOidcTrustPolicy(accountId, subject, oidcProviderUrl) {
+  const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
   return {
     Version: "2012-10-17",
     Statement: [
       {
         Effect: "Allow",
         Principal: {
-          Federated: `arn:aws:iam::${accountId}:oidc-provider/${OIDC_PROVIDER_URL}`
+          Federated: `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`
         },
         Action: "sts:AssumeRoleWithWebIdentity",
         Condition: {
           StringEquals: {
-            [`${OIDC_PROVIDER_URL}:sub`]: subject,
-            [`${OIDC_PROVIDER_URL}:aud`]: OIDC_PROVIDER_URL
+            [`${providerUrl}:sub`]: subject,
+            [`${providerUrl}:aud`]: providerUrl
           }
         }
       }
@@ -1899,7 +1910,7 @@ function createTerraformStateBucketPolicy(bucketName, cicdAccountId, allowedAcco
 
 // src/templates/org-stack.ts
 function generateOrgStackTemplate(options) {
-  const { orgSlug, cicdAccountId, targetAccountIds } = options;
+  const { orgSlug, cicdAccountId, targetAccountIds, oidcProviderUrl } = options;
   const template = createBaseTemplate(`DevRamps Org Stack for ${orgSlug}`);
   const kmsKeyPolicy = buildKmsKeyPolicy(cicdAccountId, targetAccountIds);
   template.Resources.DevRampsKMSKey = createKmsKeyResource(
@@ -1929,7 +1940,7 @@ function generateOrgStackTemplate(options) {
       PolicyDocument: bucketPolicy
     }
   };
-  const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}`);
+  const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}/cicd`, oidcProviderUrl);
   const orgRolePolicies = buildOrgRolePolicies(orgSlug);
   template.Resources.DevRampsCICDDeploymentRole = createIamRoleResource(
     getOrgRoleName(),
@@ -2137,11 +2148,11 @@ function generatePipelineStackTemplate(options) {
 }
 
 // src/templates/account-stack.ts
-function generateAccountStackTemplate() {
+function generateAccountStackTemplate(options) {
   const template = createBaseTemplate(
     "DevRamps Account Bootstrap Stack - Creates OIDC provider for the account"
   );
-  addOidcProviderResource(template, false);
+  addOidcProviderResource(template, false, options?.oidcProviderUrl);
   template.Outputs = {
     OIDCProviderArn: {
       Description: "ARN of the OIDC provider",
@@ -2333,13 +2344,14 @@ function generateStageStackTemplate(options) {
     steps,
     additionalPolicies,
     dockerArtifacts,
-    bundleArtifacts
+    bundleArtifacts,
+    oidcProviderUrl
   } = options;
   const template = createBaseTemplate(
     `DevRamps Stage Stack for ${pipelineSlug}/${stageName}`
   );
   const roleName = generateStageRoleName(pipelineSlug, stageName);
-  const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, stageName);
+  const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl);
   const policies = buildStagePolicies(steps, additionalPolicies);
   template.Resources.StageDeploymentRole = createIamRoleResource(
     roleName,
@@ -2383,7 +2395,8 @@ function generateStageStackTemplate(options) {
     );
     s3Outputs[artifact.name] = { resourceId };
   }
-  const oidcProviderArn = `arn:aws:iam::${accountId}:oidc-provider/${OIDC_PROVIDER_URL}`;
+  const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
+  const oidcProviderArn = `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`;
   template.Outputs = {
     StageRoleArn: {
       Description: "ARN of the stage deployment role",
@@ -2423,9 +2436,9 @@ function generateStageStackTemplate(options) {
   }
   return template;
 }
-function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, stageName) {
-  const subject = `org:${orgSlug}/pipeline:${pipelineSlug}/stage:${stageName}`;
-  return buildOidcTrustPolicy(accountId, subject);
+function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl) {
+  const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
+  return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl);
 }
 function buildStagePolicies(steps, additionalPolicies) {
   const policies = [];
@@ -2531,6 +2544,15 @@ async function confirmDeployment(plan) {
 }
 
 // src/commands/bootstrap.ts
+function getOidcProviderUrlFromEndpoint(endpointOverride) {
+  if (!endpointOverride) return void 0;
+  try {
+    const url = new URL(endpointOverride);
+    return url.hostname;
+  } catch {
+    return void 0;
+  }
+}
 async function bootstrapCommand(options) {
   try {
     if (options.verbose) {
@@ -2580,7 +2602,8 @@ async function bootstrapCommand(options) {
       info("Deployment cancelled by user.");
       return;
     }
-    await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options);
+    const oidcProviderUrl = getOidcProviderUrlFromEndpoint(options.endpointOverride);
+    await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options, oidcProviderUrl);
   } catch (error2) {
     if (error2 instanceof DevRampsError) {
       error(error2.message);
@@ -2771,7 +2794,9 @@ async function showDryRunPlan(plan) {
   }
   const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
   newline();
-  info(`Total stacks to deploy (in parallel): ${totalStacks}`);
+  info(`Total stacks to deploy: ${totalStacks}`);
+  info(`  Phase 1: ${plan.accountStacks.length} Account stack(s) (deployed first)`);
+  info(`  Phase 2: ${1 + plan.pipelineStacks.length + plan.stageStacks.length} Org/Pipeline/Stage stack(s) (deployed in parallel after Phase 1)`);
 }
 async function confirmDeploymentPlan(plan) {
   const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
@@ -2791,30 +2816,68 @@ async function confirmDeploymentPlan(plan) {
     ]
   });
 }
-async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options) {
+async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options, oidcProviderUrl) {
   const results = { success: 0, failed: 0 };
   const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
+  const remainingStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length;
   newline();
-  header("Deploying All Stacks");
-  info(`Deploying ${totalStacks} stack(s) in parallel...`);
+  header("Phase 1: Deploying Account Bootstrap Stacks");
+  info(`Deploying ${plan.accountStacks.length} account stack(s) in parallel...`);
   newline();
-  const progress = getMultiStackProgress();
-  progress.addStack(plan.orgStack.stackName, "org", plan.orgStack.accountId, plan.orgStack.region, 5);
+  const accountProgress = getMultiStackProgress();
+  for (const stack of plan.accountStacks) {
+    accountProgress.addStack(stack.stackName, "account", stack.accountId, stack.region, 1);
+  }
+  accountProgress.start();
+  const accountResults = await Promise.all(
+    plan.accountStacks.map(async (stack) => {
+      try {
+        await deployAccountStack(stack, currentAccountId, options, oidcProviderUrl);
+        return { stack: `${stack.stackName} (${stack.accountId})`, success: true };
+      } catch (error2) {
+        return {
+          stack: `${stack.stackName} (${stack.accountId})`,
+          success: false,
+          error: error2 instanceof Error ? error2.message : String(error2)
+        };
+      }
+    })
+  );
+  clearMultiStackProgress();
+  newline();
+  for (const result of accountResults) {
+    if (result.success) {
+      success(`${result.stack} deployed`);
+      results.success++;
+    } else {
+      error(`${result.stack} failed: ${result.error}`);
+      results.failed++;
+    }
+  }
+  if (results.failed > 0) {
+    newline();
+    header("Deployment Summary");
+    error(`${results.failed} account stack(s) failed. Skipping remaining ${remainingStacks} stack(s).`);
+    process.exit(1);
+  }
+  newline();
+  header("Phase 2: Deploying Org, Pipeline, and Stage Stacks");
+  info(`Deploying ${remainingStacks} stack(s) in parallel...`);
+  newline();
+  const mainProgress = getMultiStackProgress();
+  mainProgress.addStack(plan.orgStack.stackName, "org", plan.orgStack.accountId, plan.orgStack.region, 5);
   for (const stack of plan.pipelineStacks) {
     const resourceCount = stack.dockerArtifacts.length + stack.bundleArtifacts.length;
-    progress.addStack(stack.stackName, "pipeline", stack.accountId, stack.region, Math.max(resourceCount, 1));
-  }
-  for (const stack of plan.accountStacks) {
-    progress.addStack(stack.stackName, "account", stack.accountId, stack.region, 1);
+    mainProgress.addStack(stack.stackName, "pipeline", stack.accountId, stack.region, Math.max(resourceCount, 1));
   }
   for (const stack of plan.stageStacks) {
     const resourceCount = stack.dockerArtifacts.length + stack.bundleArtifacts.length + 2;
-    progress.addStack(stack.stackName, "stage", stack.accountId, stack.region, resourceCount);
+    mainProgress.addStack(stack.stackName, "stage", stack.accountId, stack.region, resourceCount);
   }
-  progress.start();
+  mainProgress.start();
   const orgPromise = (async () => {
     try {
-      await deployOrgStack(plan, pipelines, authData, currentAccountId, options);
+      await deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl);
       return { stack: plan.orgStack.stackName, success: true };
     } catch (error2) {
       return {
@@ -2836,21 +2899,9 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
       };
     }
   });
-  const accountPromises = plan.accountStacks.map(async (stack) => {
-    try {
-      await deployAccountStack(stack, currentAccountId, options);
-      return { stack: stack.stackName, success: true };
-    } catch (error2) {
-      return {
-        stack: stack.stackName,
-        success: false,
-        error: error2 instanceof Error ? error2.message : String(error2)
-      };
-    }
-  });
   const stagePromises = plan.stageStacks.map(async (stack) => {
     try {
-      await deployStageStack(stack, authData, currentAccountId, options);
+      await deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl);
       return { stack: stack.stackName, success: true };
     } catch (error2) {
       return {
@@ -2860,15 +2911,14 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
       };
     }
   });
-  const allResults = await Promise.all([
+  const mainResults = await Promise.all([
     orgPromise,
     ...pipelinePromises,
-    ...accountPromises,
     ...stagePromises
   ]);
   clearMultiStackProgress();
   newline();
-  for (const result of allResults) {
+  for (const result of mainResults) {
     if (result.success) {
       success(`${result.stack} deployed`);
       results.success++;
@@ -2887,7 +2937,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
     process.exit(1);
   }
 }
-async function deployOrgStack(plan, pipelines, authData, currentAccountId, options) {
+async function deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl) {
   const { orgSlug, cicdAccountId, cicdRegion } = authData;
   const credentials = cicdAccountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: cicdAccountId,
@@ -2917,7 +2967,8 @@ async function deployOrgStack(plan, pipelines, authData, currentAccountId, optio
   const template = generateOrgStackTemplate({
     orgSlug,
     cicdAccountId,
-    targetAccountIds
+    targetAccountIds,
+    oidcProviderUrl
   });
   const deployOptions = {
     stackName: plan.orgStack.stackName,
@@ -2952,13 +3003,13 @@ async function deployPipelineStack(stack, authData, currentAccountId, options) {
   await previewStackChanges(deployOptions);
   await deployStack(deployOptions);
 }
-async function deployAccountStack(stack, currentAccountId, options) {
+async function deployAccountStack(stack, currentAccountId, options, oidcProviderUrl) {
   const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: stack.accountId,
     currentAccountId,
     targetRoleName: options.targetAccountRoleName
   }))?.credentials : void 0;
-  const template = generateAccountStackTemplate();
+  const template = generateAccountStackTemplate({ oidcProviderUrl });
   const deployOptions = {
     stackName: stack.stackName,
     template,
@@ -2969,7 +3020,7 @@ async function deployAccountStack(stack, currentAccountId, options) {
   await previewStackChanges(deployOptions);
   await deployStack(deployOptions);
 }
-async function deployStageStack(stack, authData, currentAccountId, options) {
+async function deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl) {
   const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: stack.accountId,
     currentAccountId,
@@ -2983,7 +3034,8 @@ async function deployStageStack(stack, authData, currentAccountId, options) {
     steps: stack.steps,
     additionalPolicies: stack.additionalPolicies,
     dockerArtifacts: stack.dockerArtifacts,
-    bundleArtifacts: stack.bundleArtifacts
+    bundleArtifacts: stack.bundleArtifacts,
+    oidcProviderUrl
   });
   const deployOptions = {
     stackName: stack.stackName,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devramps/cli",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "description": "DevRamps CLI - Bootstrap AWS infrastructure for CI/CD pipelines",
   "main": "dist/index.js",
   "bin": {