@devramps/cli 0.1.20 → 0.1.22

package/dist/index.js

@@ -237,6 +237,8 @@ var MultiStackProgress = class {
         return "ACCT";
       case "stage":
         return "STAGE";
+      case "import":
+        return "IMPORT";
     }
   }
   /**
@@ -268,7 +270,7 @@ var MultiStackProgress = class {
     const filled = Math.round(this.barWidth * percentage);
     const empty = this.barWidth - filled;
     const bar = "\u2588".repeat(filled) + "\u2591".repeat(empty);
-    const typeLabel = this.getTypeLabel(stackType).padEnd(5);
+    const typeLabel = this.getTypeLabel(stackType).padEnd(6);
     const accountLabel = `${accountId} ${region.padEnd(12)}`;
     const countLabel = `${completed}/${total}`;
     const displayName = stackName.padEnd(this.maxStackNameLen);
@@ -1481,6 +1483,26 @@ function getArtifactId(artifact) {
   }
   return artifact.name.toLowerCase().replace(/[^a-z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
 }
+function extractImportSourceAccounts(artifacts) {
+  const accountIds = /* @__PURE__ */ new Set();
+  for (const artifact of artifacts.docker) {
+    if (artifact.type !== "DEVRAMPS:DOCKER:IMPORT") continue;
+    const url = artifact.params?.source_image_url;
+    if (!url) continue;
+    const match = url.match(/^(\d+)\.dkr\.ecr\./);
+    if (match) {
+      accountIds.add(match[1]);
+    }
+  }
+  for (const artifact of artifacts.bundle) {
+    if (artifact.type !== "DEVRAMPS:BUNDLE:IMPORT") continue;
+    const account = artifact.params?.source_account;
+    if (account && typeof account === "string") {
+      accountIds.add(account);
+    }
+  }
+  return Array.from(accountIds).map((accountId) => ({ accountId }));
+}
 
 // src/aws/oidc-provider.ts
 import {
@@ -1697,6 +1719,12 @@ function getStageStackName(pipelineSlug, stageName) {
 function getAccountStackName() {
   return "DevRamps-Account-Bootstrap";
 }
+function getImportStackName(pipelineSlug) {
+  return truncateName(`DevRamps-${pipelineSlug}-Import`, CF_STACK_MAX_LENGTH);
+}
+function generateImportRoleName(pipelineSlug) {
+  return truncateName(`DevRamps-${pipelineSlug}-ImportRole`, IAM_ROLE_MAX_LENGTH);
+}
 function getKmsKeyAlias(orgSlug) {
   return `alias/devramps-${normalizeName(orgSlug)}`;
 }
@@ -2314,6 +2342,38 @@ var DOCKER_IMPORT_PERMISSIONS = {
   resources: ["*"]
 };
 
+// src/permissions/lambda-deploy.ts
+var LAMBDA_DEPLOY_PERMISSIONS = {
+  actions: [
+    // Update function code (S3 bundle or container image)
+    "lambda:UpdateFunctionCode",
+    // Poll for update completion
+    "lambda:GetFunctionConfiguration",
+    "lambda:GetFunction"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/lambda-invoke.ts
+var LAMBDA_INVOKE_PERMISSIONS = {
+  actions: [
+    // Invoke the Lambda function
+    "lambda:InvokeFunction"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/cloudfront-invalidate.ts
+var CLOUDFRONT_INVALIDATE_PERMISSIONS = {
+  actions: [
+    // Create invalidation
+    "cloudfront:CreateInvalidation",
+    // Poll for invalidation completion
+    "cloudfront:GetInvalidation"
+  ],
+  resources: ["*"]
+};
+
 // src/permissions/custom.ts
 function getCustomPermissions(stepType) {
   verbose(
@@ -2331,6 +2391,9 @@ var PERMISSIONS_REGISTRY = {
   "DEVRAMPS:EKS:DEPLOY": EKS_DEPLOY_PERMISSIONS,
   "DEVRAMPS:EKS:HELM": EKS_HELM_PERMISSIONS,
   "DEVRAMPS:ECS:DEPLOY": ECS_DEPLOY_PERMISSIONS,
+  "DEVRAMPS:LAMBDA:DEPLOY": LAMBDA_DEPLOY_PERMISSIONS,
+  "DEVRAMPS:LAMBDA:INVOKE": LAMBDA_INVOKE_PERMISSIONS,
+  "DEVRAMPS:CLOUDFRONT:INVALIDATE": CLOUDFRONT_INVALIDATE_PERMISSIONS,
   // Artifact mirroring steps (CI/CD account -> deployment account)
   "DEVRAMPS:MIRROR:ECR": MIRROR_ECR_PERMISSIONS,
   "DEVRAMPS:MIRROR:S3": MIRROR_S3_PERMISSIONS,
@@ -2530,6 +2593,74 @@ function buildStagePolicies(steps, additionalPolicies) {
   return policies;
 }
 
+// src/templates/import-stack.ts
+function generateImportStackTemplate(options) {
+  const { pipelineSlug, orgSlug, accountId, oidcProviderUrl } = options;
+  const template = createBaseTemplate(
+    `DevRamps Import Stack for ${pipelineSlug} - grants read access for artifact imports`
+  );
+  const roleName = generateImportRoleName(pipelineSlug);
+  const trustPolicy = buildOidcTrustPolicy(accountId, `org:${orgSlug}/cicd`, oidcProviderUrl);
+  const policies = buildImportRolePolicies();
+  template.Resources.ImportRole = createIamRoleResource(
+    roleName,
+    trustPolicy,
+    policies,
+    [
+      { Key: "Pipeline", Value: pipelineSlug },
+      { Key: "Organization", Value: orgSlug }
+    ]
+  );
+  template.Outputs = {
+    ImportRoleArn: {
+      Description: "ARN of the import role",
+      Value: { "Fn::GetAtt": ["ImportRole", "Arn"] }
+    },
+    ImportRoleName: {
+      Description: "Name of the import role",
+      Value: { Ref: "ImportRole" }
+    },
+    PipelineSlug: {
+      Description: "Pipeline slug",
+      Value: pipelineSlug
+    }
+  };
+  return template;
+}
+function buildImportRolePolicies() {
+  return [
+    {
+      PolicyName: "DevRampsImportPolicy",
+      PolicyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: "AllowECRRead",
+            Effect: "Allow",
+            Action: [
+              "ecr:GetAuthorizationToken",
+              "ecr:DescribeImages",
+              "ecr:BatchGetImage",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:BatchCheckLayerAvailability"
+            ],
+            Resource: "*"
+          },
+          {
+            Sid: "AllowS3Read",
+            Effect: "Allow",
+            Action: [
+              "s3:GetObject",
+              "s3:HeadObject"
+            ],
+            Resource: "*"
+          }
+        ]
+      }
+    }
+  ];
+}
+
 // src/merge/index.ts
 var MERGE_STRATEGIES = /* @__PURE__ */ new Map();
 var bucketPolicyStrategy = new BucketPolicyMergeStrategy();
@@ -2718,33 +2849,50 @@ async function buildDeploymentPlan(pipelines, pipelineArtifacts, authData, curre
     region: cicdRegion,
     action: await determineStackAction(accountStackName, cicdCredentials, cicdRegion)
   });
+  const importSourceAccountsByPipeline = /* @__PURE__ */ new Map();
   for (const pipeline of pipelines) {
-    for (const stage of pipeline.stages) {
-      if (accountsWithStacks.has(stage.account_id)) {
-        continue;
-      }
-      accountsWithStacks.add(stage.account_id);
-      let accountCredentials;
-      try {
-        if (stage.account_id !== currentAccountId) {
-          const assumed = await assumeRoleForAccount({
-            targetAccountId: stage.account_id,
-            currentAccountId,
-            targetRoleName
-          });
-          accountCredentials = assumed?.credentials;
-        }
-      } catch {
-        verbose(`Could not assume role in ${stage.account_id} for status check`);
+    const artifacts = pipelineArtifacts.get(pipeline.slug);
+    const importSources = extractImportSourceAccounts(artifacts);
+    if (importSources.length > 0) {
+      importSourceAccountsByPipeline.set(
+        pipeline.slug,
+        importSources.map((s) => s.accountId)
+      );
+    }
+  }
+  const addAccountStackIfNew = async (accountId) => {
+    if (accountsWithStacks.has(accountId)) return;
+    accountsWithStacks.add(accountId);
+    let accountCredentials;
+    try {
+      if (accountId !== currentAccountId) {
+        const assumed = await assumeRoleForAccount({
+          targetAccountId: accountId,
+          currentAccountId,
+          targetRoleName
+        });
+        accountCredentials = assumed?.credentials;
       }
-      accountStacks.push({
-        stackType: "Account" /* ACCOUNT */,
-        stackName: accountStackName,
-        accountId: stage.account_id,
-        region: cicdRegion,
-        // Deploy in CI/CD region for consistency
-        action: await determineStackAction(accountStackName, accountCredentials, cicdRegion)
-      });
+    } catch {
+      verbose(`Could not assume role in ${accountId} for status check`);
+    }
+    accountStacks.push({
+      stackType: "Account" /* ACCOUNT */,
+      stackName: accountStackName,
+      accountId,
+      region: cicdRegion,
+      // Deploy in CI/CD region for consistency
+      action: await determineStackAction(accountStackName, accountCredentials, cicdRegion)
+    });
+  };
+  for (const pipeline of pipelines) {
+    for (const stage of pipeline.stages) {
+      await addAccountStackIfNew(stage.account_id);
+    }
+  }
+  for (const [, sourceAccountIds] of importSourceAccountsByPipeline) {
+    for (const accountId of sourceAccountIds) {
+      await addAccountStackIfNew(accountId);
     }
   }
   const stageStacks = [];
@@ -2781,6 +2929,35 @@ async function buildDeploymentPlan(pipelines, pipelineArtifacts, authData, curre
       });
     }
   }
+  const importStacks = [];
+  for (const [pipelineSlug, sourceAccountIds] of importSourceAccountsByPipeline) {
+    const importStackName = getImportStackName(pipelineSlug);
+    for (const sourceAccountId of sourceAccountIds) {
+      let importCredentials;
+      try {
+        if (sourceAccountId !== currentAccountId) {
+          const assumed = await assumeRoleForAccount({
+            targetAccountId: sourceAccountId,
+            currentAccountId,
+            targetRoleName
+          });
+          importCredentials = assumed?.credentials;
+        }
+      } catch {
+        verbose(`Could not assume role in ${sourceAccountId} for status check`);
+      }
+      importStacks.push({
+        stackType: "Import" /* IMPORT */,
+        stackName: importStackName,
+        accountId: sourceAccountId,
+        region: cicdRegion,
+        // Deploy in CI/CD region (IAM is global)
+        action: await determineStackAction(importStackName, importCredentials, cicdRegion),
+        pipelineSlug,
+        orgSlug
+      });
+    }
+  }
   return {
     orgSlug,
     cicdAccountId,
@@ -2788,7 +2965,8 @@ async function buildDeploymentPlan(pipelines, pipelineArtifacts, authData, curre
     orgStack,
     pipelineStacks,
     accountStacks,
-    stageStacks
+    stageStacks,
+    importStacks
   };
 }
 async function determineStackAction(stackName, credentials, region) {
@@ -2836,34 +3014,46 @@ async function showDryRunPlan(plan) {
       info(`    ECR repos: ${stack.dockerArtifacts.length}, S3 buckets: ${stack.bundleArtifacts.length}`);
     }
   }
-  const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
+  if (plan.importStacks.length > 0) {
+    newline();
+    info("Import Stacks:");
+    for (const stack of plan.importStacks) {
+      info(`  ${stack.action}: ${stack.stackName}`);
+      info(`    Account: ${stack.accountId}, Region: ${stack.region} (import role)`);
+    }
+  }
+  const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length + plan.importStacks.length;
+  const phase2Stacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length + plan.importStacks.length;
   newline();
   info(`Total stacks to deploy: ${totalStacks}`);
   info(`  Phase 1: ${plan.accountStacks.length} Account stack(s) (deployed first)`);
-  info(`  Phase 2: ${1 + plan.pipelineStacks.length + plan.stageStacks.length} Org/Pipeline/Stage stack(s) (deployed in parallel after Phase 1)`);
+  info(`  Phase 2: ${phase2Stacks} Org/Pipeline/Stage/Import stack(s) (deployed in parallel after Phase 1)`);
 }
 async function confirmDeploymentPlan(plan) {
-  const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
+  const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length + plan.importStacks.length;
   newline();
   info(`About to deploy ${totalStacks} stack(s):`);
   info(`  - 1 Org stack (${plan.orgStack.action})`);
   info(`  - ${plan.pipelineStacks.length} Pipeline stack(s)`);
   info(`  - ${plan.accountStacks.length} Account stack(s) (OIDC provider)`);
   info(`  - ${plan.stageStacks.length} Stage stack(s)`);
+  if (plan.importStacks.length > 0) {
+    info(`  - ${plan.importStacks.length} Import stack(s)`);
+  }
   return confirmDeployment({
     orgSlug: plan.orgSlug,
     stacks: [
       { ...plan.orgStack, pipelineSlug: "org", steps: [], additionalPoliciesCount: 0 },
       ...plan.pipelineStacks.map((s) => ({ ...s, steps: [], additionalPoliciesCount: 0 })),
       ...plan.accountStacks.map((s) => ({ ...s, pipelineSlug: "account", steps: [], additionalPoliciesCount: 0 })),
-      ...plan.stageStacks.map((s) => ({ ...s, steps: s.steps.map((st) => st.name), additionalPoliciesCount: s.additionalPolicies.length }))
+      ...plan.stageStacks.map((s) => ({ ...s, steps: s.steps.map((st) => st.name), additionalPoliciesCount: s.additionalPolicies.length })),
+      ...plan.importStacks.map((s) => ({ ...s, steps: [], additionalPoliciesCount: 0 }))
     ]
   });
 }
 async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options, oidcProviderUrl) {
   const results = { success: 0, failed: 0 };
-  const totalStacks = 1 + plan.pipelineStacks.length + plan.accountStacks.length + plan.stageStacks.length;
-  const remainingStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length;
+  const remainingStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length + plan.importStacks.length;
   newline();
   header("Phase 1: Deploying Account Bootstrap Stacks");
   info(`Deploying ${plan.accountStacks.length} account stack(s) in parallel...`);
@@ -2905,7 +3095,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
     process.exit(1);
   }
   newline();
-  header("Phase 2: Deploying Org, Pipeline, and Stage Stacks");
+  header("Phase 2: Deploying Org, Pipeline, Stage, and Import Stacks");
   info(`Deploying ${remainingStacks} stack(s) in parallel...`);
   newline();
   const mainProgress = getMultiStackProgress();
@@ -2918,6 +3108,9 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
     const resourceCount = stack.dockerArtifacts.length + stack.bundleArtifacts.length + 2;
     mainProgress.addStack(stack.stackName, "stage", stack.accountId, stack.region, resourceCount);
   }
+  for (const stack of plan.importStacks) {
+    mainProgress.addStack(stack.stackName, "import", stack.accountId, stack.region, 1);
+  }
   mainProgress.start();
   const orgPromise = (async () => {
     try {
@@ -2955,10 +3148,23 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
       };
     }
   });
+  const importPromises = plan.importStacks.map(async (stack) => {
+    try {
+      await deployImportStack(stack, currentAccountId, options, oidcProviderUrl);
+      return { stack: `${stack.stackName} (${stack.accountId})`, success: true };
+    } catch (error2) {
+      return {
+        stack: `${stack.stackName} (${stack.accountId})`,
+        success: false,
+        error: error2 instanceof Error ? error2.message : String(error2)
+      };
+    }
+  });
   const mainResults = await Promise.all([
     orgPromise,
     ...pipelinePromises,
-    ...stagePromises
+    ...stagePromises,
+    ...importPromises
   ]);
   clearMultiStackProgress();
   newline();
@@ -3091,6 +3297,28 @@ async function deployStageStack(stack, authData, currentAccountId, options, oidc
   await previewStackChanges(deployOptions);
   await deployStack(deployOptions);
 }
+async function deployImportStack(stack, currentAccountId, options, oidcProviderUrl) {
+  const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
+    targetAccountId: stack.accountId,
+    currentAccountId,
+    targetRoleName: options.targetAccountRoleName
+  }))?.credentials : void 0;
+  const template = generateImportStackTemplate({
+    pipelineSlug: stack.pipelineSlug,
+    orgSlug: stack.orgSlug,
+    accountId: stack.accountId,
+    oidcProviderUrl
+  });
+  const deployOptions = {
+    stackName: stack.stackName,
+    template,
+    accountId: stack.accountId,
+    region: stack.region,
+    credentials
+  };
+  await previewStackChanges(deployOptions);
+  await deployStack(deployOptions);
+}
 
 // src/index.ts
 program.name("devramps").description("DevRamps CLI - Bootstrap AWS infrastructure for CI/CD pipelines").version("0.1.0");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@devramps/cli",
-  "version": "0.1.20",
+  "version": "0.1.22",
   "description": "DevRamps CLI - Bootstrap AWS infrastructure for CI/CD pipelines",
   "main": "dist/index.js",
   "bin": {