@factiii/stack 0.1.2 → 0.1.8

package/dist/plugins/pipelines/aws/scanfix/ec2.js

@@ -0,0 +1,279 @@
+"use strict";
+/**
+ * AWS EC2 Fixes
+ *
+ * Provisions EC2 key pair, instance, and Elastic IP.
+ * Uses Ubuntu 22.04 AMI, t2.micro (free tier), public subnet.
+ * Key pair private key is stored in Ansible Vault.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ec2Fixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Find VPC by factiii:project tag
+ */
+function findVpc(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-vpcs --filters "Name=tag:factiii:project,Values=' + projectName + '" --query "Vpcs[0].VpcId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find subnet by tag and type
+ */
+function findSubnet(projectName, region, type) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-subnets --filters "Name=tag:factiii:project,Values=' + projectName + '" "Name=tag:factiii:subnet-type,Values=' + type + '" --query "Subnets[0].SubnetId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find security group by name and VPC
+ */
+function findSecurityGroup(groupName, vpcId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-security-groups --filters "Name=group-name,Values=' + groupName + '" "Name=vpc-id,Values=' + vpcId + '" --query "SecurityGroups[0].GroupId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find EC2 key pair by name
+ */
+function findKeyPair(keyName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-key-pairs --key-names ' + keyName + ' --query "KeyPairs[0].KeyPairId" --output text', region);
+    return !!result && result !== 'None' && result !== 'null';
+}
+/**
+ * Find running EC2 instance by tag
+ */
+function findInstance(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-instances --filters "Name=tag:factiii:project,Values=' + projectName + '" "Name=instance-state-name,Values=running,stopped" --query "Reservations[0].Instances[0].InstanceId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find Elastic IP associated with an instance
+ */
+function findElasticIp(instanceId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-addresses --filters "Name=instance-id,Values=' + instanceId + '" --query "Addresses[0].PublicIp" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Get latest Ubuntu 22.04 AMI for the region
+ */
+function getUbuntuAmi(region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*" "Name=state,Values=available" --query "sort_by(Images, &CreationDate)[-1].ImageId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.ec2Fixes = [
+    {
+        id: 'aws-keypair-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'EC2 key pair not created for SSH access',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            return !findKeyPair('factiii-' + projectName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const keyName = 'factiii-' + projectName;
+            try {
+                // Create key pair — AWS returns the private key material
+                const result = (0, aws_helpers_js_1.awsExec)('aws ec2 create-key-pair --key-name ' + keyName + ' --key-type ed25519 --query "KeyMaterial" --output text', region);
+                // Save private key to ~/.ssh/prod_deploy_key
+                const os = await Promise.resolve().then(() => __importStar(require('os')));
+                const fs = await Promise.resolve().then(() => __importStar(require('fs')));
+                const path = await Promise.resolve().then(() => __importStar(require('path')));
+                const sshDir = path.join(os.homedir(), '.ssh');
+                if (!fs.existsSync(sshDir)) {
+                    fs.mkdirSync(sshDir, { mode: 0o700 });
+                }
+                const keyPath = path.join(sshDir, 'prod_deploy_key');
+                fs.writeFileSync(keyPath, result + '\n', { mode: 0o600 });
+                console.log('   Created key pair: ' + keyName);
+                console.log('   Private key saved to: ' + keyPath);
+                // Store in Ansible Vault if configured
+                if (config.ansible?.vault_path) {
+                    console.log('   TIP: Add this key to Ansible Vault with: npx factiii secrets edit');
+                }
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create key pair: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create key pair: aws ec2 create-key-pair --key-name factiii-{name} --key-type ed25519',
+    },
+    {
+        id: 'aws-ec2-instance-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'EC2 instance not created (Ubuntu 22.04, t2.micro)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            return !findInstance(projectName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId) {
+                console.log('   VPC must be created first');
+                return false;
+            }
+            const publicSubnet = findSubnet(projectName, region, 'public');
+            if (!publicSubnet) {
+                console.log('   Public subnet must be created first');
+                return false;
+            }
+            const ec2SgId = findSecurityGroup('factiii-' + projectName + '-ec2', vpcId, region);
+            if (!ec2SgId) {
+                console.log('   EC2 security group must be created first');
+                return false;
+            }
+            const keyName = 'factiii-' + projectName;
+            if (!findKeyPair(keyName, region)) {
+                console.log('   Key pair must be created first');
+                return false;
+            }
+            try {
+                // Get latest Ubuntu 22.04 AMI
+                const amiId = getUbuntuAmi(region);
+                if (!amiId) {
+                    console.log('   Failed to find Ubuntu 22.04 AMI for region ' + region);
+                    return false;
+                }
+                console.log('   Using AMI: ' + amiId);
+                // Launch instance
+                const instanceResult = (0, aws_helpers_js_1.awsExec)('aws ec2 run-instances' +
+                    ' --image-id ' + amiId +
+                    ' --instance-type t2.micro' +
+                    ' --key-name ' + keyName +
+                    ' --security-group-ids ' + ec2SgId +
+                    ' --subnet-id ' + publicSubnet +
+                    ' --count 1' +
+                    ' ' + (0, aws_helpers_js_1.tagSpec)('instance', projectName), region);
+                const instanceId = JSON.parse(instanceResult).Instances[0].InstanceId;
+                console.log('   Launched EC2 instance: ' + instanceId);
+                console.log('   Instance type: t2.micro (free tier eligible)');
+                console.log('   Waiting for instance to be running...');
+                // Wait for instance to be running
+                (0, aws_helpers_js_1.awsExec)('aws ec2 wait instance-running --instance-ids ' + instanceId, region);
+                // Get public IP
+                const ipResult = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-instances --instance-ids ' + instanceId + ' --query "Reservations[0].Instances[0].PublicIpAddress" --output text', region);
+                if (ipResult && ipResult !== 'None') {
+                    console.log('   Public IP: ' + ipResult.replace(/"/g, ''));
+                    console.log('   NOTE: This IP will change on restart. Run fix again for Elastic IP.');
+                }
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to launch EC2 instance: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Launch EC2: aws ec2 run-instances --image-id <ubuntu-ami> --instance-type t2.micro --key-name factiii-{name}',
+    },
+    {
+        id: 'aws-ec2-elastic-ip',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'Elastic IP not assigned to EC2 instance (IP changes on restart)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const instanceId = findInstance(projectName, region);
+            if (!instanceId)
+                return false; // Instance must exist first
+            return !findElasticIp(instanceId, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const instanceId = findInstance(projectName, region);
+            if (!instanceId) {
+                console.log('   EC2 instance must be created first');
+                return false;
+            }
+            try {
+                // Allocate Elastic IP
+                const eipResult = (0, aws_helpers_js_1.awsExec)('aws ec2 allocate-address --domain vpc ' + (0, aws_helpers_js_1.tagSpec)('elastic-ip', projectName), region);
+                const parsed = JSON.parse(eipResult);
+                const allocationId = parsed.AllocationId;
+                const publicIp = parsed.PublicIp;
+                console.log('   Allocated Elastic IP: ' + publicIp);
+                // Associate with instance
+                (0, aws_helpers_js_1.awsExec)('aws ec2 associate-address --allocation-id ' + allocationId + ' --instance-id ' + instanceId, region);
+                console.log('   Associated with instance: ' + instanceId);
+                console.log('   Update factiii.yml prod.domain to: ' + publicIp);
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to allocate Elastic IP: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Allocate Elastic IP and associate with EC2 instance',
+    },
+];
+//# sourceMappingURL=ec2.js.map

package/dist/plugins/pipelines/aws/scanfix/ec2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ec2.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ec2.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGH,4DAAsG;AAEtG;;GAEG;AACH,SAAS,OAAO,CAAC,WAAmB,EAAE,MAAc;IAClD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,mEAAmE,GAAG,WAAW,GAAG,yCAAyC,EAC7H,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,WAAmB,EAAE,MAAc,EAAE,IAAY;IACnE,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,sEAAsE,GAAG,WAAW,GAAG,yCAAyC,GAAG,IAAI,GAAG,+CAA+C,EACzL,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAa,EAAE,MAAc;IACzE,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qEAAqE,GAAG,SAAS,GAAG,wBAAwB,GAAG,KAAK,GAAG,qDAAqD,EAC5K,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,OAAe,EAAE,MAAc;IAClD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,yCAAyC,GAAG,OAAO,GAAG,gDAAgD,EACtG,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,WAAmB,EAAE,MAAc;IACvD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,wEAAwE,GAAG,WAAW,GAAG,qHAAqH,EAC9M,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,UAAkB,EAAE,MAAc;IACvD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,gEAAgE,GAAG,UAAU,GAAG,iDAAiD,EACjI,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,MAAc;IAClC,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qOAAqO,EACrO,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,qBAAqB;QACzB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yCAAyC;QACtD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,WAAW,CAAC,UAAU,GAAG,WAAW,EAAE,MAAM,CAAC,CAAC;QACxD,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;YAEzC,IAAI,CAAC;gBACH,yDAAyD;gBACzD,MAAM,MAAM,GAAG,IAAA,wBAAO,EACpB,qCAAqC,GAAG,OAAO,GAAG,yDAAyD,EAC3G,MAAM,CACP,CAAC;gBAEF,6CAA6C;gBAC7C,MAAM,EAAE,GAAG,wDAAa,IAAI,GAAC,CAAC;gBAC9B,MAAM,EAAE,GAAG,wDAAa,IAAI,GAAC,CAAC;gBAC9B,MAAM,IAAI,GAAG,wDAAa,MAAM,GAAC,CAAC;gBAClC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;gBAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC3B,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;gBACxC,CAAC;gBACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;gBACrD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,OAAO,CAAC,CAAC;gBAC/C,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,OAAO,CAAC,CAAC;gBAEnD,uCAAuC;gBACvC,IAAI,MAAM,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC;oBAC/B,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;gBACtF,CAAC;gBAED,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,gCAAgC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC7F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,uFAAuF;KACnG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mDAAmD;QAChE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC5C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,YAAY,GAAG,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC/D,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;gBACtD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;YACzC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;gBACjD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,8BAA8B;gBAC9B,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;gBACnC,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC,GAAG,CAAC,gDAAgD,GAAG,MAAM,CAAC,CAAC;oBACvE,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,KAAK,CAAC,CAAC;gBAEtC,kBAAkB;gBAClB,MAAM,cAAc,GAAG,IAAA,wBAAO,EAC5B,uBAAuB;oBACvB,cAAc,GAAG,KAAK;oBACtB,2BAA2B;oBAC3B,cAAc,GAAG,OAAO;oBACxB,wBAAwB,GAAG,OAAO;oBAClC,eAAe,GAAG,YAAY;oBAC9B,YAAY;oBACZ,GAAG,GAAG,IAAA,wBAAO,EAAC,UAAU,EAAE,WAAW,CAAC,EACtC,MAAM,CACP,CAAC;gBACF,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;gBACtE,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,UAAU,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBAExD,kCAAkC;gBAClC,IAAA,wBAAO,EACL,+CAA+C,GAAG,UAAU,EAC5D,MAAM,CACP,CAAC;gBAEF,gBAAgB;gBAChB,MAAM,QAAQ,GAAG,IAAA,4BAAW,EAC1B,4CAA4C,GAAG,UAAU,GAAG,uEAAuE,EACnI,MAAM,CACP,CAAC;gBACF,IAAI,QAAQ,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;oBACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;oBAC3D,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;gBACxF,CAAC;gBAED,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,8GAA8G;KAC1H;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,iEAAiE;QAC9E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,UAAU;gBAAE,OAAO,KAAK,CAAC,CAAC,4BAA4B;YAC3D,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAC5C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,sBAAsB;gBACtB,MAAM,SAAS,GAAG,IAAA,wBAAO,EACvB,wCAAwC,GAAG,IAAA,wBAAO,EAAC,YAAY,EAAE,WAAW,CAAC,EAC7E,MAAM,CACP,CAAC;gBACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBACrC,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,QAAQ,CAAC,CAAC;gBAEpD,0BAA0B;gBAC1B,IAAA,wBAAO,EACL,4CAA4C,GAAG,YAAY,GAAG,iBAAiB,GAAG,UAAU,EAC5F,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,+BAA+B,GAAG,UAAU,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,wCAAwC,GAAG,QAAQ,CAAC,CAAC;gBAEjE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,qDAAqD;KACjE;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/ecr.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AWS ECR Fixes
+ *
+ * Provisions ECR (Elastic Container Registry) repository
+ * with lifecycle policy to keep costs down.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const ecrFixes: Fix[];
+//# sourceMappingURL=ecr.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/ecr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecr.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ecr.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AA2BrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EAgFzB,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/ecr.js

@@ -0,0 +1,100 @@
+"use strict";
+/**
+ * AWS ECR Fixes
+ *
+ * Provisions ECR (Elastic Container Registry) repository
+ * with lifecycle policy to keep costs down.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ecrFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Check if ECR repository exists
+ */
+function findEcrRepo(repoName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ecr describe-repositories --repository-names ' + repoName, region);
+    return !!result && !result.includes('RepositoryNotFoundException');
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.ecrFixes = [
+    {
+        id: 'aws-ecr-repo-missing',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'ECR repository not created for container images',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            return !findEcrRepo(projectName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            try {
+                // Create ECR repository
+                const result = (0, aws_helpers_js_1.awsExec)('aws ecr create-repository --repository-name ' + projectName +
+                    ' --image-scanning-configuration scanOnPush=true', region);
+                const parsed = JSON.parse(result);
+                const repoUri = parsed.repository?.repositoryUri;
+                console.log('   Created ECR repository: ' + projectName);
+                if (repoUri) {
+                    console.log('   Repository URI: ' + repoUri);
+                }
+                // Set lifecycle policy to keep only 10 images (control costs)
+                const lifecyclePolicy = JSON.stringify({
+                    rules: [{
+                            rulePriority: 1,
+                            description: 'Keep only 10 images',
+                            selection: {
+                                tagStatus: 'any',
+                                countType: 'imageCountMoreThan',
+                                countNumber: 10,
+                            },
+                            action: { type: 'expire' },
+                        }],
+                });
+                (0, aws_helpers_js_1.awsExec)('aws ecr put-lifecycle-policy --repository-name ' + projectName +
+                    " --lifecycle-policy-text '" + lifecyclePolicy + "'", region);
+                console.log('   Set lifecycle policy: keep 10 most recent images');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create ECR repository: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create ECR repository: aws ecr create-repository --repository-name <app-name>',
+    },
+    {
+        id: 'aws-ecr-login-test',
+        stage: 'dev',
+        severity: 'info',
+        description: 'ECR Docker login not working from dev machine',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            if (!findEcrRepo(projectName, region))
+                return false;
+            // Test ECR login
+            const result = (0, aws_helpers_js_1.awsExecSafe)('aws ecr get-login-password', region);
+            return !result;
+        },
+        fix: null,
+        manualFix: 'Test ECR login: aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com',
+    },
+];
+//# sourceMappingURL=ecr.js.map

package/dist/plugins/pipelines/aws/scanfix/ecr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecr.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ecr.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB,EAAE,MAAc;IACnD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,mDAAmD,GAAG,QAAQ,EAC9D,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,iDAAiD;QAC9D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAE3C,IAAI,CAAC;gBACH,wBAAwB;gBACxB,MAAM,MAAM,GAAG,IAAA,wBAAO,EACpB,8CAA8C,GAAG,WAAW;oBAC5D,iDAAiD,EACjD,MAAM,CACP,CAAC;gBACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,WAAW,CAAC,CAAC;gBACzD,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,8DAA8D;gBAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;oBACrC,KAAK,EAAE,CAAC;4BACN,YAAY,EAAE,CAAC;4BACf,WAAW,EAAE,qBAAqB;4BAClC,SAAS,EAAE;gCACT,SAAS,EAAE,KAAK;gCAChB,SAAS,EAAE,oBAAoB;gCAC/B,WAAW,EAAE,EAAE;6BAChB;4BACD,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;yBAC3B,CAAC;iBACH,CAAC,CAAC;gBAEH,IAAA,wBAAO,EACL,iDAAiD,GAAG,WAAW;oBAC/D,4BAA4B,GAAG,eAAe,GAAG,GAAG,EACpD,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBAEnE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,sCAAsC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACnG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,+EAA+E;KAC3F;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAEpD,iBAAiB;YACjB,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,4BAA4B,EAC5B,MAAM,CACP,CAAC;YACF,OAAO,CAAC,MAAM,CAAC;QACjB,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,yJAAyJ;KACrK;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/iam.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS IAM Fixes
+ *
+ * Creates IAM users with scoped policies:
+ * - Dev user: read-only access for development
+ * - Prod user: full access for deployment
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const iamFixes: Fix[];
+//# sourceMappingURL=iam.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/iam.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iam.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/iam.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AA0JrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EA6HzB,CAAC"}