@factiii/stack 0.1.2 → 0.1.8

package/dist/plugins/pipelines/aws/scanfix/iam.js

@@ -0,0 +1,255 @@
+"use strict";
+/**
+ * AWS IAM Fixes
+ *
+ * Creates IAM users with scoped policies:
+ * - Dev user: read-only access for development
+ * - Prod user: full access for deployment
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.iamFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Check if IAM user exists
+ */
+function findIamUser(userName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws iam get-user --user-name ' + userName, region);
+    return !!result && !result.includes('NoSuchEntity');
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+/**
+ * Generate dev IAM policy (read-only)
+ */
+function getDevPolicy(projectName, region, accountId) {
+    return JSON.stringify({
+        Version: '2012-10-17',
+        Statement: [
+            {
+                Sid: 'ECRReadOnly',
+                Effect: 'Allow',
+                Action: [
+                    'ecr:GetAuthorizationToken',
+                    'ecr:BatchGetImage',
+                    'ecr:GetDownloadUrlForLayer',
+                    'ecr:DescribeRepositories',
+                    'ecr:ListImages',
+                ],
+                Resource: 'arn:aws:ecr:' + region + ':' + accountId + ':repository/' + projectName,
+            },
+            {
+                Sid: 'ECRAuth',
+                Effect: 'Allow',
+                Action: 'ecr:GetAuthorizationToken',
+                Resource: '*',
+            },
+            {
+                Sid: 'S3ReadOnly',
+                Effect: 'Allow',
+                Action: [
+                    's3:GetObject',
+                    's3:ListBucket',
+                ],
+                Resource: [
+                    'arn:aws:s3:::factiii-' + projectName,
+                    'arn:aws:s3:::factiii-' + projectName + '/*',
+                ],
+            },
+            {
+                Sid: 'EC2Describe',
+                Effect: 'Allow',
+                Action: [
+                    'ec2:DescribeInstances',
+                    'ec2:DescribeVpcs',
+                    'ec2:DescribeSubnets',
+                    'ec2:DescribeSecurityGroups',
+                ],
+                Resource: '*',
+            },
+            {
+                Sid: 'RDSDescribe',
+                Effect: 'Allow',
+                Action: [
+                    'rds:DescribeDBInstances',
+                    'rds:DescribeDBSubnetGroups',
+                ],
+                Resource: '*',
+            },
+        ],
+    });
+}
+/**
+ * Generate prod IAM policy (full access for deployment)
+ */
+function getProdPolicy(projectName, region, accountId) {
+    return JSON.stringify({
+        Version: '2012-10-17',
+        Statement: [
+            {
+                Sid: 'ECRFullAccess',
+                Effect: 'Allow',
+                Action: 'ecr:*',
+                Resource: 'arn:aws:ecr:' + region + ':' + accountId + ':repository/' + projectName,
+            },
+            {
+                Sid: 'ECRAuth',
+                Effect: 'Allow',
+                Action: 'ecr:GetAuthorizationToken',
+                Resource: '*',
+            },
+            {
+                Sid: 'S3FullAccess',
+                Effect: 'Allow',
+                Action: 's3:*',
+                Resource: [
+                    'arn:aws:s3:::factiii-' + projectName,
+                    'arn:aws:s3:::factiii-' + projectName + '/*',
+                ],
+            },
+            {
+                Sid: 'EC2Management',
+                Effect: 'Allow',
+                Action: [
+                    'ec2:DescribeInstances',
+                    'ec2:StartInstances',
+                    'ec2:StopInstances',
+                    'ec2:RebootInstances',
+                    'ec2:DescribeVpcs',
+                    'ec2:DescribeSubnets',
+                    'ec2:DescribeSecurityGroups',
+                    'ec2:DescribeAddresses',
+                ],
+                Resource: '*',
+            },
+            {
+                Sid: 'RDSManagement',
+                Effect: 'Allow',
+                Action: [
+                    'rds:DescribeDBInstances',
+                    'rds:StartDBInstance',
+                    'rds:StopDBInstance',
+                    'rds:RebootDBInstance',
+                    'rds:CreateDBSnapshot',
+                    'rds:DescribeDBSnapshots',
+                ],
+                Resource: '*',
+            },
+            {
+                Sid: 'SESFullAccess',
+                Effect: 'Allow',
+                Action: 'ses:*',
+                Resource: '*',
+            },
+        ],
+    });
+}
+exports.iamFixes = [
+    {
+        id: 'aws-iam-dev-user-missing',
+        stage: 'secrets',
+        severity: 'warning',
+        description: 'IAM dev user not created (read-only access)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            return !findIamUser('factiii-' + projectName + '-dev', region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const userName = 'factiii-' + projectName + '-dev';
+            try {
+                // Get account ID for ARNs
+                const accountResult = (0, aws_helpers_js_1.awsExec)('aws sts get-caller-identity --query Account --output text', region);
+                const accountId = accountResult.replace(/"/g, '').trim();
+                // Create IAM user
+                (0, aws_helpers_js_1.awsExec)('aws iam create-user --user-name ' + userName, region);
+                console.log('   Created IAM user: ' + userName);
+                // Create and attach inline policy
+                const policy = getDevPolicy(projectName, region, accountId);
+                (0, aws_helpers_js_1.awsExec)('aws iam put-user-policy --user-name ' + userName +
+                    ' --policy-name factiii-' + projectName + '-dev-policy' +
+                    " --policy-document '" + policy + "'", region);
+                console.log('   Attached dev policy (read-only ECR, S3, EC2, RDS)');
+                // Create access key
+                const keyResult = (0, aws_helpers_js_1.awsExec)('aws iam create-access-key --user-name ' + userName, region);
+                const parsed = JSON.parse(keyResult);
+                const accessKeyId = parsed.AccessKey?.AccessKeyId;
+                const secretKey = parsed.AccessKey?.SecretAccessKey;
+                console.log('');
+                console.log('   Dev credentials (save these!):');
+                console.log('   Access Key ID: ' + accessKeyId);
+                console.log('   Secret Access Key: ' + secretKey);
+                console.log('');
+                console.log('   TIP: Store in Ansible Vault: npx factiii secrets edit');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create dev IAM user: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create IAM dev user with read-only policy for ECR, S3, EC2, RDS',
+    },
+    {
+        id: 'aws-iam-prod-user-missing',
+        stage: 'secrets',
+        severity: 'warning',
+        description: 'IAM prod user not created (deployment access)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            return !findIamUser('factiii-' + projectName + '-prod', region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const userName = 'factiii-' + projectName + '-prod';
+            try {
+                // Get account ID for ARNs
+                const accountResult = (0, aws_helpers_js_1.awsExec)('aws sts get-caller-identity --query Account --output text', region);
+                const accountId = accountResult.replace(/"/g, '').trim();
+                // Create IAM user
+                (0, aws_helpers_js_1.awsExec)('aws iam create-user --user-name ' + userName, region);
+                console.log('   Created IAM user: ' + userName);
+                // Create and attach inline policy
+                const policy = getProdPolicy(projectName, region, accountId);
+                (0, aws_helpers_js_1.awsExec)('aws iam put-user-policy --user-name ' + userName +
+                    ' --policy-name factiii-' + projectName + '-prod-policy' +
+                    " --policy-document '" + policy + "'", region);
+                console.log('   Attached prod policy (full ECR, S3, EC2, RDS, SES)');
+                // Create access key
+                const keyResult = (0, aws_helpers_js_1.awsExec)('aws iam create-access-key --user-name ' + userName, region);
+                const parsed = JSON.parse(keyResult);
+                const accessKeyId = parsed.AccessKey?.AccessKeyId;
+                const secretKey = parsed.AccessKey?.SecretAccessKey;
+                console.log('');
+                console.log('   Prod credentials (save these!):');
+                console.log('   Access Key ID: ' + accessKeyId);
+                console.log('   Secret Access Key: ' + secretKey);
+                console.log('');
+                console.log('   TIP: Store in Ansible Vault: npx factiii secrets edit');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create prod IAM user: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create IAM prod user with deployment policy for ECR, S3, EC2, RDS, SES',
+    },
+];
+//# sourceMappingURL=iam.js.map

package/dist/plugins/pipelines/aws/scanfix/iam.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iam.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/iam.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB,EAAE,MAAc;IACnD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,+BAA+B,GAAG,QAAQ,EAC1C,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,WAAmB,EAAE,MAAc,EAAE,SAAiB;IAC1E,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,GAAG,EAAE,aAAa;gBAClB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,2BAA2B;oBAC3B,mBAAmB;oBACnB,4BAA4B;oBAC5B,0BAA0B;oBAC1B,gBAAgB;iBACjB;gBACD,QAAQ,EAAE,cAAc,GAAG,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,cAAc,GAAG,WAAW;aACnF;YACD;gBACE,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,2BAA2B;gBACnC,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,YAAY;gBACjB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,cAAc;oBACd,eAAe;iBAChB;gBACD,QAAQ,EAAE;oBACR,uBAAuB,GAAG,WAAW;oBACrC,uBAAuB,GAAG,WAAW,GAAG,IAAI;iBAC7C;aACF;YACD;gBACE,GAAG,EAAE,aAAa;gBAClB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,uBAAuB;oBACvB,kBAAkB;oBAClB,qBAAqB;oBACrB,4BAA4B;iBAC7B;gBACD,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,aAAa;gBAClB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,yBAAyB;oBACzB,4BAA4B;iBAC7B;gBACD,QAAQ,EAAE,GAAG;aACd;SACF;KACF,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,WAAmB,EAAE,MAAc,EAAE,SAAiB;IAC3E,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,GAAG,EAAE,eAAe;gBACpB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,cAAc,GAAG,MAAM,GAAG,GAAG,GAAG,SAAS,GAAG,cAAc,GAAG,WAAW;aACnF;YACD;gBACE,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,2BAA2B;gBACnC,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,cAAc;gBACnB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE;oBACR,uBAAuB,GAAG,WAAW;oBACrC,uBAAuB,GAAG,WAAW,GAAG,IAAI;iBAC7C;aACF;YACD;gBACE,GAAG,EAAE,eAAe;gBACpB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,uBAAuB;oBACvB,oBAAoB;oBACpB,mBAAmB;oBACnB,qBAAqB;oBACrB,kBAAkB;oBAClB,qBAAqB;oBACrB,4BAA4B;oBAC5B,uBAAuB;iBACxB;gBACD,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,eAAe;gBACpB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE;oBACN,yBAAyB;oBACzB,qBAAqB;oBACrB,oBAAoB;oBACpB,sBAAsB;oBACtB,sBAAsB;oBACtB,yBAAyB;iBAC1B;gBACD,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,eAAe;gBACpB,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,GAAG;aACd;SACF;KACF,CAAC,CAAC;AACL,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,6CAA6C;QAC1D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,WAAW,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,MAAM,CAAC,CAAC;QACjE,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;YAEnD,IAAI,CAAC;gBACH,0BAA0B;gBAC1B,MAAM,aAAa,GAAG,IAAA,wBAAO,EAC3B,2DAA2D,EAC3D,MAAM,CACP,CAAC;gBACF,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEzD,kBAAkB;gBAClB,IAAA,wBAAO,EAAC,kCAAkC,GAAG,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,QAAQ,CAAC,CAAC;gBAEhD,kCAAkC;gBAClC,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;gBAC5D,IAAA,wBAAO,EACL,sCAAsC,GAAG,QAAQ;oBACjD,yBAAyB,GAAG,WAAW,GAAG,aAAa;oBACvD,sBAAsB,GAAG,MAAM,GAAG,GAAG,EACrC,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;gBAEpE,oBAAoB;gBACpB,MAAM,SAAS,GAAG,IAAA,wBAAO,EACvB,wCAAwC,GAAG,QAAQ,EACnD,MAAM,CACP,CAAC;gBACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBACrC,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;gBAClD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,EAAE,eAAe,CAAC;gBAEpD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,WAAW,CAAC,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,SAAS,CAAC,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;gBAExE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,iEAAiE;KAC7E;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,CAAC,WAAW,CAAC,UAAU,GAAG,WAAW,GAAG,OAAO,EAAE,MAAM,CAAC,CAAC;QAClE,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,UAAU,GAAG,WAAW,GAAG,OAAO,CAAC;YAEpD,IAAI,CAAC;gBACH,0BAA0B;gBAC1B,MAAM,aAAa,GAAG,IAAA,wBAAO,EAC3B,2DAA2D,EAC3D,MAAM,CACP,CAAC;gBACF,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEzD,kBAAkB;gBAClB,IAAA,wBAAO,EAAC,kCAAkC,GAAG,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,QAAQ,CAAC,CAAC;gBAEhD,kCAAkC;gBAClC,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;gBAC7D,IAAA,wBAAO,EACL,sCAAsC,GAAG,QAAQ;oBACjD,yBAAyB,GAAG,WAAW,GAAG,cAAc;oBACxD,sBAAsB,GAAG,MAAM,GAAG,GAAG,EACrC,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;gBAErE,oBAAoB;gBACpB,MAAM,SAAS,GAAG,IAAA,wBAAO,EACvB,wCAAwC,GAAG,QAAQ,EACnD,MAAM,CACP,CAAC;gBACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBACrC,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC;gBAClD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,EAAE,eAAe,CAAC;gBAEpD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,WAAW,CAAC,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,SAAS,CAAC,CAAC;gBAClD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;gBAExE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,qCAAqC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,wEAAwE;KACpF;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/rds.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS RDS Fixes
+ *
+ * Provisions RDS PostgreSQL 15 instance (db.t2.micro free tier).
+ * Creates DB subnet group from private subnets, launches instance with RDS SG.
+ * Stores DATABASE_URL in Ansible Vault.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const rdsFixes: Fix[];
+//# sourceMappingURL=rds.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/rds.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rds.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/rds.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAmGrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EA6KzB,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/rds.js

@@ -0,0 +1,261 @@
+"use strict";
+/**
+ * AWS RDS Fixes
+ *
+ * Provisions RDS PostgreSQL 15 instance (db.t2.micro free tier).
+ * Creates DB subnet group from private subnets, launches instance with RDS SG.
+ * Stores DATABASE_URL in Ansible Vault.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rdsFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Find VPC by factiii:project tag
+ */
+function findVpc(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-vpcs --filters "Name=tag:factiii:project,Values=' + projectName + '" --query "Vpcs[0].VpcId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find all private subnets
+ */
+function findPrivateSubnets(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-subnets --filters "Name=tag:factiii:project,Values=' + projectName + '" "Name=tag:factiii:subnet-type,Values=private" --query "Subnets[*].SubnetId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return [];
+    return result.split(/\s+/).filter(Boolean);
+}
+/**
+ * Find security group by name and VPC
+ */
+function findSecurityGroup(groupName, vpcId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-security-groups --filters "Name=group-name,Values=' + groupName + '" "Name=vpc-id,Values=' + vpcId + '" --query "SecurityGroups[0].GroupId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Check if DB subnet group exists
+ */
+function findDbSubnetGroup(groupName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws rds describe-db-subnet-groups --db-subnet-group-name ' + groupName + ' --query "DBSubnetGroups[0].DBSubnetGroupName" --output text', region);
+    return !!result && result !== 'None' && result !== 'null';
+}
+/**
+ * Find RDS instance by identifier
+ */
+function findRdsInstance(dbInstanceId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws rds describe-db-instances --db-instance-identifier ' + dbInstanceId, region);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result);
+        const instance = parsed.DBInstances?.[0];
+        if (!instance)
+            return null;
+        return {
+            status: instance.DBInstanceStatus,
+            endpoint: instance.Endpoint?.Address ?? null,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+/**
+ * Generate a random password for RDS
+ */
+function generateRdsPassword() {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    let password = '';
+    const crypto = require('crypto');
+    const bytes = crypto.randomBytes(24);
+    for (let i = 0; i < 24; i++) {
+        password += chars[(bytes[i] ?? 0) % chars.length];
+    }
+    return password;
+}
+exports.rdsFixes = [
+    {
+        id: 'aws-rds-subnet-group-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'RDS DB subnet group not created (needs 2 AZs)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const privateSubnets = findPrivateSubnets(projectName, region);
+            if (privateSubnets.length < 2)
+                return false; // Private subnets must exist first
+            return !findDbSubnetGroup('factiii-' + projectName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const privateSubnets = findPrivateSubnets(projectName, region);
+            if (privateSubnets.length < 2) {
+                console.log('   Need at least 2 private subnets first');
+                return false;
+            }
+            try {
+                const groupName = 'factiii-' + projectName;
+                (0, aws_helpers_js_1.awsExec)('aws rds create-db-subnet-group' +
+                    ' --db-subnet-group-name ' + groupName +
+                    ' --db-subnet-group-description "Factiii DB subnet group for ' + projectName + '"' +
+                    ' --subnet-ids ' + privateSubnets.join(' '), region);
+                console.log('   Created DB subnet group: ' + groupName);
+                console.log('   Using subnets: ' + privateSubnets.join(', '));
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create DB subnet group: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create DB subnet group with 2+ private subnets in different AZs',
+    },
+    {
+        id: 'aws-rds-instance-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'RDS PostgreSQL 15 instance not created (db.t2.micro)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            return !findRdsInstance(dbId, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId) {
+                console.log('   VPC must be created first');
+                return false;
+            }
+            const subnetGroupName = 'factiii-' + projectName;
+            if (!findDbSubnetGroup(subnetGroupName, region)) {
+                console.log('   DB subnet group must be created first');
+                return false;
+            }
+            const rdsSgId = findSecurityGroup('factiii-' + projectName + '-rds', vpcId, region);
+            if (!rdsSgId) {
+                console.log('   RDS security group must be created first');
+                return false;
+            }
+            try {
+                const dbId = 'factiii-' + projectName + '-db';
+                const dbName = projectName.replace(/[^a-zA-Z0-9]/g, '');
+                const masterUser = 'factiii';
+                const masterPassword = generateRdsPassword();
+                (0, aws_helpers_js_1.awsExec)('aws rds create-db-instance' +
+                    ' --db-instance-identifier ' + dbId +
+                    ' --db-instance-class db.t2.micro' +
+                    ' --engine postgres' +
+                    ' --engine-version 15' +
+                    ' --allocated-storage 20' +
+                    ' --master-username ' + masterUser +
+                    ' --master-user-password ' + masterPassword +
+                    ' --db-name ' + dbName +
+                    ' --db-subnet-group-name ' + subnetGroupName +
+                    ' --vpc-security-group-ids ' + rdsSgId +
+                    ' --no-publicly-accessible' +
+                    ' --storage-type gp2' +
+                    ' --backup-retention-period 7', region);
+                console.log('   Creating RDS instance: ' + dbId);
+                console.log('   Engine: PostgreSQL 15');
+                console.log('   Instance class: db.t2.micro (free tier eligible)');
+                console.log('   Storage: 20 GB gp2');
+                console.log('   Database name: ' + dbName);
+                console.log('   Master user: ' + masterUser);
+                console.log('');
+                console.log('   IMPORTANT: Save these credentials!');
+                console.log('   Master password: ' + masterPassword);
+                console.log('   DATABASE_URL: postgresql://' + masterUser + ':' + masterPassword + '@<endpoint>:5432/' + dbName);
+                console.log('');
+                console.log('   RDS instance takes ~5-10 minutes to become available.');
+                console.log('   Run "npx factiii scan --prod" to check status.');
+                console.log('');
+                console.log('   TIP: Store credentials in Ansible Vault: npx factiii secrets edit');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create RDS instance: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create RDS instance: aws rds create-db-instance --db-instance-class db.t2.micro --engine postgres --engine-version 15',
+    },
+    {
+        id: 'aws-rds-not-available',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'RDS instance is not yet available (takes ~5-10 min)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            const instance = findRdsInstance(dbId, region);
+            if (!instance)
+                return false; // No instance yet
+            return instance.status !== 'available';
+        },
+        fix: null,
+        manualFix: 'RDS instance is provisioning. Wait ~5-10 minutes and run scan again.\nCheck status: aws rds describe-db-instances --db-instance-identifier factiii-{name}-db --query "DBInstances[0].DBInstanceStatus"',
+    },
+    {
+        id: 'aws-rds-connection-test',
+        stage: 'prod',
+        severity: 'info',
+        description: 'Cannot verify RDS connectivity from EC2 (pg_isready not found)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            const instance = findRdsInstance(dbId, region);
+            if (!instance || instance.status !== 'available' || !instance.endpoint)
+                return false;
+            // Check if pg_isready is available on EC2 via SSH
+            // This scan runs on the dev machine, so we check via SSH
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const prodEnv = environments.prod ?? environments.production;
+            if (!prodEnv?.domain)
+                return false;
+            try {
+                // eslint-disable-next-line @typescript-eslint/no-require-imports
+                const { sshExec } = require('../../../../utils/ssh-helper.js');
+                const result = await sshExec(prodEnv, 'which pg_isready 2>/dev/null && pg_isready -h ' + instance.endpoint + ' -p 5432 2>&1 || echo "pg_isready not found"');
+                return result.includes('pg_isready not found') || result.includes('no response');
+            }
+            catch {
+                return false; // Can't SSH — skip this check
+            }
+        },
+        fix: null,
+        manualFix: 'Install PostgreSQL client on EC2: sudo apt-get install -y postgresql-client-15\nTest connection: pg_isready -h <rds-endpoint> -p 5432',
+    },
+];
+//# sourceMappingURL=rds.js.map

package/dist/plugins/pipelines/aws/scanfix/rds.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rds.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/rds.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,OAAO,CAAC,WAAmB,EAAE,MAAc;IAClD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,mEAAmE,GAAG,WAAW,GAAG,yCAAyC,EAC7H,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,WAAmB,EAAE,MAAc;IAC7D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,sEAAsE,GAAG,WAAW,GAAG,6FAA6F,EACpL,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,EAAE,CAAC;IACjE,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAa,EAAE,MAAc;IACzE,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qEAAqE,GAAG,SAAS,GAAG,wBAAwB,GAAG,KAAK,GAAG,qDAAqD,EAC5K,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,MAAc;IAC1D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,2DAA2D,GAAG,SAAS,GAAG,8DAA8D,EACxI,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,YAAoB,EAAE,MAAc;IAC3D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,yDAAyD,GAAG,YAAY,EACxE,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,QAAQ,CAAC,gBAAgB;YACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,OAAO,IAAI,IAAI;SAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,KAAK,GAAG,gEAAgE,CAAC;IAC/E,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAA4B,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,QAAQ,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,8BAA8B;QAClC,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,mCAAmC;YAChF,OAAO,CAAC,iBAAiB,CAAC,UAAU,GAAG,WAAW,EAAE,MAAM,CAAC,CAAC;QAC9D,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;gBAC3C,IAAA,wBAAO,EACL,gCAAgC;oBAChC,0BAA0B,GAAG,SAAS;oBACtC,8DAA8D,GAAG,WAAW,GAAG,GAAG;oBAClF,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAC3C,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,8BAA8B,GAAG,SAAS,CAAC,CAAC;gBACxD,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC9D,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,iEAAiE;KAC7E;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,GAAG,WAAW,CAAC;YACjD,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;gBAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;gBACxD,MAAM,UAAU,GAAG,SAAS,CAAC;gBAC7B,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;gBAE7C,IAAA,wBAAO,EACL,4BAA4B;oBAC5B,4BAA4B,GAAG,IAAI;oBACnC,kCAAkC;oBAClC,oBAAoB;oBACpB,sBAAsB;oBACtB,yBAAyB;oBACzB,qBAAqB,GAAG,UAAU;oBAClC,0BAA0B,GAAG,cAAc;oBAC3C,aAAa,GAAG,MAAM;oBACtB,0BAA0B,GAAG,eAAe;oBAC5C,4BAA4B,GAAG,OAAO;oBACtC,2BAA2B;oBAC3B,qBAAqB;oBACrB,8BAA8B,EAC9B,MAAM,CACP,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,IAAI,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBACrC,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,UAAU,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,cAAc,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,gCAAgC,GAAG,UAAU,GAAG,GAAG,GAAG,cAAc,GAAG,mBAAmB,GAAG,MAAM,CAAC,CAAC;gBACjH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;gBACxE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;gBAEpF,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,uHAAuH;KACnI;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,qDAAqD;QAClE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC,CAAC,kBAAkB;YAC/C,OAAO,QAAQ,CAAC,MAAM,KAAK,WAAW,CAAC;QACzC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,wMAAwM;KACpN;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gEAAgE;QAC7E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAErF,kDAAkD;YAClD,yDAAyD;YACzD,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC;YAC7D,IAAI,CAAC,OAAO,EAAE,MAAM;gBAAE,OAAO,KAAK,CAAC;YAEnC,IAAI,CAAC;gBACH,iEAAiE;gBACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,gDAAgD,GAAG,QAAQ,CAAC,QAAQ,GAAG,8CAA8C,CAAC,CAAC;gBAC7J,OAAO,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACnF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC,CAAC,8BAA8B;YAC9C,CAAC;QACH,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,uIAAuI;KACnJ;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/s3.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AWS S3 Fixes
+ *
+ * Provisions S3 bucket with encryption and blocked public access.
+ * Configures CORS for the production domain.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const s3Fixes: Fix[];
+//# sourceMappingURL=s3.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/s3.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/s3.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAuCrE,eAAO,MAAM,OAAO,EAAE,GAAG,EAiHxB,CAAC"}