npm - @devramps/cli - Versions diffs - 0.1.21 → 0.1.23 - Mend

@devramps/cli 0.1.21 → 0.1.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +89 -36
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -270,7 +270,7 @@ var MultiStackProgress = class {
     const filled = Math.round(this.barWidth * percentage);
     const empty = this.barWidth - filled;
     const bar = "\u2588".repeat(filled) + "\u2591".repeat(empty);
-    const typeLabel = this.getTypeLabel(stackType).padEnd(5);
+    const typeLabel = this.getTypeLabel(stackType).padEnd(6);
     const accountLabel = `${accountId} ${region.padEnd(12)}`;
     const countLabel = `${completed}/${total}`;
     const displayName = stackName.padEnd(this.maxStackNameLen);
@@ -1556,25 +1556,35 @@ function addOidcProviderResource(template, conditional = true, oidcProviderUrl)
     }
   };
 }
-function buildOidcTrustPolicy(accountId, subject, oidcProviderUrl) {
+function buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts) {
   const providerUrl = oidcProviderUrl || OIDC_PROVIDER_URL;
-  return {
-    Version: "2012-10-17",
-    Statement: [
-      {
-        Effect: "Allow",
-        Principal: {
-          Federated: `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`
-        },
-        Action: "sts:AssumeRoleWithWebIdentity",
-        Condition: {
-          StringEquals: {
-            [`${providerUrl}:sub`]: subject,
-            [`${providerUrl}:aud`]: "sts.amazonaws.com"
-          }
+  const statements = [
+    {
+      Effect: "Allow",
+      Principal: {
+        Federated: `arn:aws:iam::${accountId}:oidc-provider/${providerUrl}`
+      },
+      Action: "sts:AssumeRoleWithWebIdentity",
+      Condition: {
+        StringEquals: {
+          [`${providerUrl}:sub`]: subject,
+          [`${providerUrl}:aud`]: "sts.amazonaws.com"
         }
       }
-    ]
+    }
+  ];
+  if (additionalTrustedAccounts && additionalTrustedAccounts.length > 0) {
+    statements.push({
+      Effect: "Allow",
+      Principal: {
+        AWS: additionalTrustedAccounts.map((id) => `arn:aws:iam::${id}:root`)
+      },
+      Action: "sts:AssumeRole"
+    });
+  }
+  return {
+    Version: "2012-10-17",
+    Statement: statements
   };
 }
 function createIamRoleResource(roleName, trustPolicy, policies, additionalTags = []) {
@@ -1938,7 +1948,7 @@ function createTerraformStateBucketPolicy(bucketName, cicdAccountId, allowedAcco
 // src/templates/org-stack.ts
 function generateOrgStackTemplate(options) {
-  const { orgSlug, cicdAccountId, targetAccountIds, oidcProviderUrl } = options;
+  const { orgSlug, cicdAccountId, targetAccountIds, oidcProviderUrl, additionalTrustedAccounts } = options;
   const template = createBaseTemplate(`DevRamps Org Stack for ${orgSlug}`);
   const kmsKeyPolicy = buildKmsKeyPolicy(cicdAccountId, targetAccountIds);
   template.Resources.DevRampsKMSKey = createKmsKeyResource(
@@ -1968,7 +1978,7 @@ function generateOrgStackTemplate(options) {
       PolicyDocument: bucketPolicy
     }
   };
-  const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}/cicd`, oidcProviderUrl);
+  const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}/cicd`, oidcProviderUrl, additionalTrustedAccounts);
   const orgRolePolicies = buildOrgRolePolicies(orgSlug);
   template.Resources.DevRampsCICDDeploymentRole = createIamRoleResource(
     getOrgRoleName(),
@@ -2342,6 +2352,38 @@ var DOCKER_IMPORT_PERMISSIONS = {
   resources: ["*"]
 };
+// src/permissions/lambda-deploy.ts
+var LAMBDA_DEPLOY_PERMISSIONS = {
+  actions: [
+    // Update function code (S3 bundle or container image)
+    "lambda:UpdateFunctionCode",
+    // Poll for update completion
+    "lambda:GetFunctionConfiguration",
+    "lambda:GetFunction"
+  ],
+  resources: ["*"]
+};
+// src/permissions/lambda-invoke.ts
+var LAMBDA_INVOKE_PERMISSIONS = {
+  actions: [
+    // Invoke the Lambda function
+    "lambda:InvokeFunction"
+  ],
+  resources: ["*"]
+};
+// src/permissions/cloudfront-invalidate.ts
+var CLOUDFRONT_INVALIDATE_PERMISSIONS = {
+  actions: [
+    // Create invalidation
+    "cloudfront:CreateInvalidation",
+    // Poll for invalidation completion
+    "cloudfront:GetInvalidation"
+  ],
+  resources: ["*"]
+};
 // src/permissions/custom.ts
 function getCustomPermissions(stepType) {
   verbose(
@@ -2359,6 +2401,9 @@ var PERMISSIONS_REGISTRY = {
   "DEVRAMPS:EKS:DEPLOY": EKS_DEPLOY_PERMISSIONS,
   "DEVRAMPS:EKS:HELM": EKS_HELM_PERMISSIONS,
   "DEVRAMPS:ECS:DEPLOY": ECS_DEPLOY_PERMISSIONS,
+  "DEVRAMPS:LAMBDA:DEPLOY": LAMBDA_DEPLOY_PERMISSIONS,
+  "DEVRAMPS:LAMBDA:INVOKE": LAMBDA_INVOKE_PERMISSIONS,
+  "DEVRAMPS:CLOUDFRONT:INVALIDATE": CLOUDFRONT_INVALIDATE_PERMISSIONS,
   // Artifact mirroring steps (CI/CD account -> deployment account)
   "DEVRAMPS:MIRROR:ECR": MIRROR_ECR_PERMISSIONS,
   "DEVRAMPS:MIRROR:S3": MIRROR_S3_PERMISSIONS,
@@ -2398,13 +2443,14 @@ function generateStageStackTemplate(options) {
     additionalPolicies,
     dockerArtifacts,
     bundleArtifacts,
-    oidcProviderUrl
+    oidcProviderUrl,
+    additionalTrustedAccounts
   } = options;
   const template = createBaseTemplate(
     `DevRamps Stage Stack for ${pipelineSlug}/${stageName}`
   );
   const roleName = generateStageRoleName(pipelineSlug, stageName);
-  const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl);
+  const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts);
   const policies = buildStagePolicies(steps, additionalPolicies);
   template.Resources.StageDeploymentRole = createIamRoleResource(
     roleName,
@@ -2489,9 +2535,9 @@ function generateStageStackTemplate(options) {
   }
   return template;
 }
-function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl) {
+function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts) {
   const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
-  return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl);
+  return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts);
 }
 function buildStagePolicies(steps, additionalPolicies) {
   const policies = [];
@@ -2560,12 +2606,12 @@ function buildStagePolicies(steps, additionalPolicies) {
 // src/templates/import-stack.ts
 function generateImportStackTemplate(options) {
-  const { pipelineSlug, orgSlug, accountId, oidcProviderUrl } = options;
+  const { pipelineSlug, orgSlug, accountId, oidcProviderUrl, additionalTrustedAccounts } = options;
   const template = createBaseTemplate(
     `DevRamps Import Stack for ${pipelineSlug} - grants read access for artifact imports`
   );
   const roleName = generateImportRoleName(pipelineSlug);
-  const trustPolicy = buildOidcTrustPolicy(accountId, `org:${orgSlug}/cicd`, oidcProviderUrl);
+  const trustPolicy = buildOidcTrustPolicy(accountId, `org:${orgSlug}/cicd`, oidcProviderUrl, additionalTrustedAccounts);
   const policies = buildImportRolePolicies();
   template.Resources.ImportRole = createIamRoleResource(
     roleName,
@@ -2743,7 +2789,8 @@ async function bootstrapCommand(options) {
       process.exit(0);
     }
     const oidcProviderUrl = getOidcProviderUrlFromEndpoint(options.endpointOverride);
-    await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options, oidcProviderUrl);
+    const additionalTrustedAccounts = options.additionalTrustedAccounts ? options.additionalTrustedAccounts.split(",").map((s) => s.trim()) : void 0;
+    await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options, oidcProviderUrl, additionalTrustedAccounts);
   } catch (error2) {
     if (error2 instanceof DevRampsError) {
       error(error2.message);
@@ -3016,7 +3063,7 @@ async function confirmDeploymentPlan(plan) {
     ]
   });
 }
-async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options, oidcProviderUrl) {
+async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts) {
   const results = { success: 0, failed: 0 };
   const remainingStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length + plan.importStacks.length;
   newline();
@@ -3079,7 +3126,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
   mainProgress.start();
   const orgPromise = (async () => {
     try {
-      await deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl);
+      await deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts);
       return { stack: plan.orgStack.stackName, success: true };
     } catch (error2) {
       return {
@@ -3103,7 +3150,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
   });
   const stagePromises = plan.stageStacks.map(async (stack) => {
     try {
-      await deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl);
+      await deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts);
       return { stack: stack.stackName, success: true };
     } catch (error2) {
       return {
@@ -3115,7 +3162,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
   });
   const importPromises = plan.importStacks.map(async (stack) => {
     try {
-      await deployImportStack(stack, currentAccountId, options, oidcProviderUrl);
+      await deployImportStack(stack, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts);
       return { stack: `${stack.stackName} (${stack.accountId})`, success: true };
     } catch (error2) {
       return {
@@ -3152,7 +3199,7 @@ async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, c
     process.exit(1);
   }
 }
-async function deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl) {
+async function deployOrgStack(plan, pipelines, authData, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts) {
   const { orgSlug, cicdAccountId, cicdRegion } = authData;
   const credentials = cicdAccountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: cicdAccountId,
@@ -3183,7 +3230,8 @@ async function deployOrgStack(plan, pipelines, authData, currentAccountId, optio
     orgSlug,
     cicdAccountId,
     targetAccountIds,
-    oidcProviderUrl
+    oidcProviderUrl,
+    additionalTrustedAccounts
   });
   const deployOptions = {
     stackName: plan.orgStack.stackName,
@@ -3235,7 +3283,7 @@ async function deployAccountStack(stack, currentAccountId, options, oidcProvider
   await previewStackChanges(deployOptions);
   await deployStack(deployOptions);
 }
-async function deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl) {
+async function deployStageStack(stack, authData, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts) {
   const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: stack.accountId,
     currentAccountId,
@@ -3250,7 +3298,8 @@ async function deployStageStack(stack, authData, currentAccountId, options, oidc
     additionalPolicies: stack.additionalPolicies,
     dockerArtifacts: stack.dockerArtifacts,
     bundleArtifacts: stack.bundleArtifacts,
-    oidcProviderUrl
+    oidcProviderUrl,
+    additionalTrustedAccounts
   });
   const deployOptions = {
     stackName: stack.stackName,
@@ -3262,7 +3311,7 @@ async function deployStageStack(stack, authData, currentAccountId, options, oidc
   await previewStackChanges(deployOptions);
   await deployStack(deployOptions);
 }
-async function deployImportStack(stack, currentAccountId, options, oidcProviderUrl) {
+async function deployImportStack(stack, currentAccountId, options, oidcProviderUrl, additionalTrustedAccounts) {
   const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
     targetAccountId: stack.accountId,
     currentAccountId,
@@ -3272,7 +3321,8 @@ async function deployImportStack(stack, currentAccountId, options, oidcProviderU
     pipelineSlug: stack.pipelineSlug,
     orgSlug: stack.orgSlug,
     accountId: stack.accountId,
-    oidcProviderUrl
+    oidcProviderUrl,
+    additionalTrustedAccounts
   });
   const deployOptions = {
     stackName: stack.stackName,
@@ -3302,5 +3352,8 @@ program.command("bootstrap").description("Bootstrap IAM roles in target AWS acco
 ).option(
   "--endpoint-override <url>",
   "Override the DevRamps API endpoint (for testing, e.g., http://localhost:3000)"
+).option(
+  "--additional-trusted-accounts <accounts>",
+  "Comma-separated AWS account IDs to add to role trust policies (for local dev testing)"
 ).action(bootstrapCommand);
 program.parse();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@devramps/cli",
-  "version": "0.1.21",
+  "version": "0.1.23",
   "description": "DevRamps CLI - Bootstrap AWS infrastructure for CI/CD pipelines",
   "main": "dist/index.js",
   "bin": {