@factiii/stack 0.1.34 → 0.1.36
- package/README.md +1 -1
- package/bin/stack +46 -0
- package/dist/cli/fix.js +10 -10
- package/dist/cli/fix.js.map +1 -1
- package/dist/cli/init.d.ts.map +1 -1
- package/dist/cli/init.js +20 -7
- package/dist/cli/init.js.map +1 -1
- package/dist/cli/scan.d.ts.map +1 -1
- package/dist/cli/scan.js +14 -22
- package/dist/cli/scan.js.map +1 -1
- package/dist/generators/generate-stack-yml.d.ts +1 -1
- package/dist/generators/generate-stack-yml.d.ts.map +1 -1
- package/dist/generators/generate-stack-yml.js +60 -33
- package/dist/generators/generate-stack-yml.js.map +1 -1
- package/dist/plugins/addons/openclaw/index.d.ts +45 -0
- package/dist/plugins/addons/openclaw/index.d.ts.map +1 -0
- package/dist/plugins/addons/openclaw/index.js +107 -0
- package/dist/plugins/addons/openclaw/index.js.map +1 -0
- package/dist/plugins/addons/openclaw/scanfix/setup.d.ts +19 -0
- package/dist/plugins/addons/openclaw/scanfix/setup.d.ts.map +1 -0
- package/dist/plugins/addons/openclaw/scanfix/setup.js +475 -0
- package/dist/plugins/addons/openclaw/scanfix/setup.js.map +1 -0
- package/dist/plugins/index.d.ts.map +1 -1
- package/dist/plugins/index.js +8 -0
- package/dist/plugins/index.js.map +1 -1
- package/dist/plugins/pipelines/aws/index.js +3 -3
- package/dist/plugins/pipelines/aws/prod.js +2 -2
- package/dist/plugins/pipelines/aws/scanfix/aws-cli.d.ts +3 -1
- package/dist/plugins/pipelines/aws/scanfix/aws-cli.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/aws-cli.js +17 -7
- package/dist/plugins/pipelines/aws/scanfix/aws-cli.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/credentials.d.ts +1 -1
- package/dist/plugins/pipelines/aws/scanfix/credentials.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/credentials.js +27 -73
- package/dist/plugins/pipelines/aws/scanfix/credentials.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/db-replication.d.ts +1 -4
- package/dist/plugins/pipelines/aws/scanfix/db-replication.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/db-replication.js +9 -39
- package/dist/plugins/pipelines/aws/scanfix/db-replication.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ec2.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/ec2.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ec2.js +61 -110
- package/dist/plugins/pipelines/aws/scanfix/ec2.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ecr.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/ecr.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ecr.js +25 -34
- package/dist/plugins/pipelines/aws/scanfix/ecr.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/iam.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/iam.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/iam.js +35 -44
- package/dist/plugins/pipelines/aws/scanfix/iam.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/rds.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/rds.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/rds.js +39 -104
- package/dist/plugins/pipelines/aws/scanfix/rds.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/s3.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/s3.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/s3.js +44 -53
- package/dist/plugins/pipelines/aws/scanfix/s3.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/security-groups.js +80 -79
- package/dist/plugins/pipelines/aws/scanfix/security-groups.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ses.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/ses.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ses.js +28 -50
- package/dist/plugins/pipelines/aws/scanfix/ses.js.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/ssh-bridge.d.ts +17 -0
- package/dist/plugins/pipelines/aws/scanfix/ssh-bridge.d.ts.map +1 -0
- package/dist/plugins/pipelines/aws/scanfix/ssh-bridge.js +180 -0
- package/dist/plugins/pipelines/aws/scanfix/ssh-bridge.js.map +1 -0
- package/dist/plugins/pipelines/aws/scanfix/vpc.d.ts +1 -0
- package/dist/plugins/pipelines/aws/scanfix/vpc.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/scanfix/vpc.js +93 -94
- package/dist/plugins/pipelines/aws/scanfix/vpc.js.map +1 -1
- package/dist/plugins/pipelines/aws/utils/aws-helpers.d.ts +101 -28
- package/dist/plugins/pipelines/aws/utils/aws-helpers.d.ts.map +1 -1
- package/dist/plugins/pipelines/aws/utils/aws-helpers.js +428 -76
- package/dist/plugins/pipelines/aws/utils/aws-helpers.js.map +1 -1
- package/dist/plugins/pipelines/factiii/index.d.ts +11 -1
- package/dist/plugins/pipelines/factiii/index.d.ts.map +1 -1
- package/dist/plugins/pipelines/factiii/index.js +183 -33
- package/dist/plugins/pipelines/factiii/index.js.map +1 -1
- package/dist/plugins/pipelines/factiii/scanfix/config.d.ts +1 -1
- package/dist/plugins/pipelines/factiii/scanfix/config.js +4 -4
- package/dist/plugins/pipelines/factiii/scanfix/secrets.d.ts.map +1 -1
- package/dist/plugins/pipelines/factiii/scanfix/secrets.js +68 -8
- package/dist/plugins/pipelines/factiii/scanfix/secrets.js.map +1 -1
- package/dist/plugins/servers/mac/index.js +1 -1
- package/dist/plugins/servers/mac/staging.js +2 -2
- package/dist/scanfix/fixes/certbot.js +1 -1
- package/dist/scripts/validate-example-values.d.ts +1 -1
- package/dist/scripts/validate-example-values.js +6 -6
- package/dist/utils/config-helpers.d.ts +3 -0
- package/dist/utils/config-helpers.d.ts.map +1 -1
- package/dist/utils/config-helpers.js.map +1 -1
- package/dist/utils/secret-prompts.d.ts +5 -2
- package/dist/utils/secret-prompts.d.ts.map +1 -1
- package/dist/utils/secret-prompts.js +27 -4
- package/dist/utils/secret-prompts.js.map +1 -1
- package/dist/utils/template-generator.js +14 -14
- package/package.json +95 -88
|
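--- a/package/dist/plugins/pipelines/aws/scanfix/aws-cli.js
+++ b/package/dist/plugins/pipelines/aws/scanfix/aws-cli.js
@@ -1,12 +1,13 @@
 "use strict";
 /**
 * AWS CLI fixes for AWS plugin
-*
+*
+* AWS CLI is still needed for ECR Docker login (aws ecr get-login-password).
+* All other AWS operations now use the AWS SDK.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.awsCliFixes = void 0;
 const child_process_1 = require("child_process");
-const aws_helpers_js_1 = require("../utils/aws-helpers.js");
 /**
 * Check if any environment uses AWS pipeline
 */
@@ -19,6 +20,18 @@ function hasAwsPipeline(config) {
 return Object.values(environments).some((e) => e.pipeline === 'aws' ||
 e.access_key_id);
 }
+/**
+* Check if AWS CLI is installed
+*/
+function isAwsCliInstalled() {
+try {
+(0, child_process_1.execSync)('aws --version', { stdio: 'pipe' });
+return true;
+}
+catch {
+return false;
+}
+}
 /**
 * Auto-install AWS CLI based on platform
 */
@@ -31,7 +44,6 @@ function installAwsCli() {
 return true;
 }
 if (platform === 'linux') {
-// Try apt first (Ubuntu/Debian)
 try {
 (0, child_process_1.execSync)('which apt-get', { stdio: 'pipe' });
 console.log(' Installing AWS CLI via apt...');
@@ -41,7 +53,6 @@ function installAwsCli() {
 catch {
 // Not apt-based, use AWS installer
 }
-// Fallback: AWS official installer
 console.log(' Installing AWS CLI via official installer...');
 (0, child_process_1.execSync)('curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip"' +
 ' && unzip -o /tmp/awscliv2.zip -d /tmp/aws-install' +
@@ -67,12 +78,11 @@ exports.awsCliFixes = [
 id: 'aws-cli-not-installed-dev',
 stage: 'dev',
 severity: 'warning',
-description: '🔧 AWS CLI not installed (needed for ECR)',
+description: '🔧 AWS CLI not installed (needed for ECR Docker login)',
 scan: async (config, _rootDir) => {
-// Only check if AWS is configured
 if (!hasAwsPipeline(config))
 return false;
-return !
+return !isAwsCliInstalled();
 },
 fix: async (_config, _rootDir) => {
 return installAwsCli();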
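Review bot: The new header comment states `All other AWS operations now use the AWS SDK`, but credentials.js in this same release still shells out to `aws configure` and `aws configure set` during the account bootstrap, so the CLI remains a dependency of a fix marked 'critical' while this scan reports its absence only as 'warning'. Suggest `* AWS CLI is still needed for ECR Docker login (aws ecr get-login-password) and for the interactive aws configure bootstrap in credentials.js.` so the two files agree. The new `isAwsCliInstalled` treats any failure of `aws --version` as "not installed", which then sends `installAwsCli` over an existing but broken install; a one-line comment saying that is intended would help the next reader. The removed `// Try apt first (Ubuntu/Debian)` and `// Fallback: AWS official installer` comments in installAwsCli were the only explanation of its two-step flow and are worth keeping.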
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws-cli.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/aws-cli.ts"],"names":[],"mappings":";AAAA;;;
|
|
1
|
+
{"version":3,"file":"aws-cli.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/aws-cli.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAEH,iDAAyC;AAGzC;;GAEG;AACH,SAAS,cAAc,CAAC,MAAqB;IAC3C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAAmD,CAAC,QAAQ,KAAK,KAAK;QACpF,CAAgC,CAAC,aAAa,CAClD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,eAAe,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,CAAC;QACH,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,IAAA,wBAAQ,EAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,IAAA,wBAAQ,EAAC,eAAe,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;gBAChD,IAAA,wBAAQ,EAAC,uDAAuD,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBACxF,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;YACrC,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;YAC/D,IAAA,wBAAQ,EACN,wFAAwF;gBACxF,oDAAoD;gBACpD,uCAAuC;gBACvC,+CAA+C,EAC/C,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;YACnD,IAAA,wBAAQ,EAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,QAAQ,CAAC,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,gCAAgC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7F,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAEY,QAAA,WAAW,GAAU;IAChC;QACE,EAAE,EAAE,2BAA2B;QAC/B,KAAK,E
AAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,wDAAwD;QACrE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC1C,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,QAAgB,EAAoB,EAAE;YACxE,OAAO,aAAa,EAAE,CAAC;QACzB,CAAC;QACD,SAAS,EAAE;YACT,kBAAkB;YAClB,gCAAgC;YAChC,sEAAsE;YACtE,yCAAyC;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC;KACb;CACF,CAAC"}
|
|
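--- a/package/dist/plugins/pipelines/aws/scanfix/credentials.d.ts
+++ b/package/dist/plugins/pipelines/aws/scanfix/credentials.d.ts
@@ -5,7 +5,7 @@
 * and region configuration checks.
 *
 * The aws-account-not-setup fix auto-bootstraps:
-* 1. Checks if AWS
+* 1. Checks if AWS SDK can get caller identity (valid credentials)
 * 2. If not, prompts user to login via `aws configure` (root or admin)
 * 3. Confirms with user before creating IAM admin user
 * 4. Creates IAM user, attaches bootstrap policy, creates access key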
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;
|
|
1
|
+
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAyJrE,eAAO,MAAM,gBAAgB,EAAE,GAAG,EAyIjC,CAAC"}
|
|
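--- a/package/dist/plugins/pipelines/aws/scanfix/credentials.js
+++ b/package/dist/plugins/pipelines/aws/scanfix/credentials.js
@@ -6,7 +6,7 @@
 * and region configuration checks.
 *
 * The aws-account-not-setup fix auto-bootstraps:
-* 1. Checks if AWS
+* 1. Checks if AWS SDK can get caller identity (valid credentials)
 * 2. If not, prompts user to login via `aws configure` (root or admin)
 * 3. Confirms with user before creating IAM admin user
 * 4. Creates IAM user, attaches bootstrap policy, creates access key
@@ -51,18 +51,10 @@ const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const aws_helpers_js_1 = require("../utils/aws-helpers.js");
-/**
-* Check if IAM user exists
-*/
-function findIamUser(userName, region) {
-const result = (0, aws_helpers_js_1.awsExecSafe)('aws iam get-user --user-name ' + userName, region);
-return !!result && !result.includes('NoSuchEntity');
-}
 /**
 * Read the bootstrap policy JSON from the policies directory
 */
 function getBootstrapPolicy() {
-// Try dist path first (published package), then src path (development)
 const distPath = path.resolve(__dirname, '..', 'policies', 'bootstrap-policy.json');
 const srcPath = path.resolve(__dirname, '..', '..', '..', '..', '..', 'src', 'plugins', 'pipelines', 'aws', 'policies', 'bootstrap-policy.json');
 if (fs.existsSync(distPath)) {
@@ -74,29 +66,21 @@ function getBootstrapPolicy() {
 throw new Error('bootstrap-policy.json not found');
 }
 /**
-* Auto-bootstrap AWS account
-* Phase A: Check existing credentials
-* Phase B: Interactive root/admin login
-* Phase C: Confirm and create IAM admin user
-* Phase D: Auto-configure with new IAM credentials
+* Auto-bootstrap AWS account using SDK + CLI for credential setup
 */
 async function bootstrapAwsAccount(config) {
 const awsConfig = (0, aws_helpers_js_1.getAwsConfig)(config);
 const region = awsConfig.region || 'us-east-1';
-//
-
-// ============================================================
-let accountId = (0, aws_helpers_js_1.getAwsAccountId)(region);
+// Phase A: Check if credentials already work
+let accountId = await (0, aws_helpers_js_1.getAwsAccountId)(region);
 if (accountId) {
 console.log(' AWS credentials already configured (account: ' + accountId + ')');
 return true;
 }
-//
-// Phase B: Prompt root/admin user to login via aws configure
-// ============================================================
+// Phase B: Prompt user to login via aws configure (still needs CLI for interactive setup)
 console.log('');
 console.log(' ============================================================');
-console.log(' AWS
+console.log(' AWS credentials not configured.');
 console.log(' Login with your AWS root account or an IAM admin user.');
 console.log(' ============================================================');
 console.log('');
@@ -110,20 +94,16 @@ async function bootstrapAwsAccount(config) {
 console.log(' aws configure failed: ' + (e instanceof Error ? e.message : String(e)));
 return false;
 }
-
-accountId = (0, aws_helpers_js_1.getAwsAccountId)(region);
+accountId = await (0, aws_helpers_js_1.getAwsAccountId)(region);
 if (!accountId) {
 console.log(' AWS credentials still invalid after configuration.');
 console.log(' Please verify your Access Key ID and Secret Access Key.');
 return false;
 }
 console.log(' [OK] AWS login successful (account: ' + accountId + ')');
-//
-// Phase C: Confirm and create IAM admin user
-// ============================================================
+// Phase C: Create IAM admin user
 const userName = 'factiii-admin';
-
-if (findIamUser(userName, region)) {
+if (await (0, aws_helpers_js_1.findIamUser)(userName, region)) {
 console.log(' [OK] IAM user ' + userName + ' already exists');
 return true;
 }
@@ -137,42 +117,41 @@ async function bootstrapAwsAccount(config) {
 console.log(' This replaces root credentials with a scoped IAM user.');
 console.log(' ============================================================');
 console.log('');
-// Import confirm from secret-prompts
 const { confirm } = await Promise.resolve().then(() => __importStar(require('../../../../utils/secret-prompts.js')));
 const proceed = await confirm(' Create IAM user "' + userName + '"?', true);
 if (!proceed) {
 console.log(' [--] Skipped IAM user creation');
 console.log(' You can create it manually later or re-run: npx stack fix');
-return true;
+return true;
 }
 try {
+const iam = (0, aws_helpers_js_1.getIAMClient)(region);
 // Create IAM user
-(
+await iam.send(new aws_helpers_js_1.CreateUserCommand({ UserName: userName }));
 console.log(' [OK] Created IAM user: ' + userName);
 // Read and attach bootstrap policy
 const policy = getBootstrapPolicy();
-(
-
-
+await iam.send(new aws_helpers_js_1.PutUserPolicyCommand({
+UserName: userName,
+PolicyName: 'factiii-bootstrap',
+PolicyDocument: policy,
+}));
 console.log(' [OK] Attached bootstrap policy (EC2, RDS, S3, ECR, SES, IAM, STS)');
 // Create access key
-const keyResult = (
-const
-const
-const newSecretKey = parsed.AccessKey?.SecretAccessKey;
+const keyResult = await iam.send(new aws_helpers_js_1.CreateAccessKeyCommand({ UserName: userName }));
+const newAccessKeyId = keyResult.AccessKey?.AccessKeyId;
+const newSecretKey = keyResult.AccessKey?.SecretAccessKey;
 if (!newAccessKeyId || !newSecretKey) {
 console.log(' [!] Failed to parse access key from AWS response');
 return false;
 }
 console.log(' [OK] Created access key for ' + userName);
-// ============================================================
 // Phase D: Auto-configure AWS CLI with new IAM credentials
-// ============================================================
 (0, child_process_1.execSync)('aws configure set aws_access_key_id ' + newAccessKeyId, { stdio: 'pipe' });
 (0, child_process_1.execSync)('aws configure set aws_secret_access_key ' + newSecretKey, { stdio: 'pipe' });
 (0, child_process_1.execSync)('aws configure set region ' + region, { stdio: 'pipe' });
 // Verify new credentials work
-const verifyId = (0, aws_helpers_js_1.getAwsAccountId)(region);
+const verifyId = await (0, aws_helpers_js_1.getAwsAccountId)(region);
 if (!verifyId) {
 console.log(' [!] New IAM credentials failed verification');
 return false;
@@ -193,30 +172,21 @@ async function bootstrapAwsAccount(config) {
 }
 }
 exports.credentialsFixes = [
-// ============================================================
-// DEV STAGE - AWS CLI and account setup
-// ============================================================
 {
 id: 'aws-account-not-setup',
 stage: 'dev',
 severity: 'critical',
-description: '☁️ AWS
+description: '☁️ AWS credentials not configured',
 scan: async (config, _rootDir) => {
-// Only check if AWS pipeline is configured
 const awsConfig = (0, aws_helpers_js_1.getAwsConfig)(config);
 if (!awsConfig.accessKeyId && !config.aws) {
-// Also check per-environment pipeline: aws
 const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
 const environments = extractEnvironments(config);
 const hasAwsEnv = Object.values(environments).some((e) => e.pipeline === 'aws');
 if (!hasAwsEnv)
 return false;
 }
-
-if (!(0, aws_helpers_js_1.isAwsCliInstalled)())
-return true;
-// Check if credentials are configured (can call STS)
-const accountId = (0, aws_helpers_js_1.getAwsAccountId)(awsConfig.region);
+const accountId = await (0, aws_helpers_js_1.getAwsAccountId)(awsConfig.region);
 return !accountId;
 },
 fix: async (config, _rootDir) => {
@@ -246,39 +216,31 @@ exports.credentialsFixes = [
 severity: 'warning',
 description: '🌍 AWS region not configured in stack.yml',
 scan: async (config, _rootDir) => {
-// Only check if AWS pipeline is configured
 const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
 const environments = extractEnvironments(config);
 const hasAwsEnv = Object.values(environments).some((e) => e.pipeline === 'aws');
 if (!hasAwsEnv && !config.aws)
 return false;
 const awsConfig = (0, aws_helpers_js_1.getAwsConfig)(config);
-// Check if region is explicitly set (not just default)
 return !awsConfig.region || awsConfig.region === 'us-east-1' && !config.aws?.region;
 },
 fix: null,
 manualFix: 'Set aws.region in stack.yml under the prod environment or top-level aws block',
 },
-// ============================================================
-// SECRETS STAGE - Credential validation
-// ============================================================
 {
 id: 'aws-credentials-missing',
 stage: 'secrets',
 severity: 'critical',
 description: '🔑 AWS credentials not available (env vars or Ansible Vault)',
 scan: async (config, _rootDir) => {
-// Only check if AWS pipeline is configured
 const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
 const environments = extractEnvironments(config);
 const hasAwsEnv = Object.values(environments).some((e) => e.pipeline === 'aws');
 if (!hasAwsEnv && !config.aws)
 return false;
-// Check env vars
 if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) {
 return false;
 }
-// Check if Ansible Vault has AWS credentials
 if (config.ansible?.vault_path) {
 try {
 const { AnsibleVaultSecrets } = await Promise.resolve().then(() => __importStar(require('../../../../utils/ansible-vault-secrets.js')));
@@ -319,25 +281,17 @@ exports.credentialsFixes = [
 severity: 'warning',
 description: '🔑 AWS credentials are invalid or expired',
 scan: async (config, _rootDir) => {
-// Only check if AWS CLI is installed and credentials exist
-if (!(0, aws_helpers_js_1.isAwsCliInstalled)())
-return false;
-if (!process.env.AWS_ACCESS_KEY_ID && !process.env.AWS_SECRET_ACCESS_KEY) {
-// No env vars - might be using aws configure or vault
-// Try to validate anyway
-}
 const awsConfig = (0, aws_helpers_js_1.getAwsConfig)(config);
-const accountId = (0, aws_helpers_js_1.getAwsAccountId)(awsConfig.region);
-// If we can't get account ID, credentials are invalid
-// But only flag if we actually have credentials configured
+const accountId = await (0, aws_helpers_js_1.getAwsAccountId)(awsConfig.region);
 if (!accountId) {
-//
+// Only flag if we have credentials configured (env vars or aws configure)
+if (process.env.AWS_ACCESS_KEY_ID)
+return true;
 try {
 const result = (0, child_process_1.execSync)('aws configure get aws_access_key_id 2>nul || echo ""', {
 encoding: 'utf8',
 stdio: ['pipe', 'pipe', 'pipe'],
 }).trim();
-// Only flag as invalid if credentials exist but don't work
 return result.length > 0;
 }
 catch {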
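Review bot: The secret produced by the new `const keyResult = await iam.send(new aws_helpers_js_1.CreateAccessKeyCommand({ UserName: userName }))` in the `@@ -137,42 +117,41 @@` hunk is still handed to the unchanged `execSync('aws configure set aws_secret_access_key ' + newSecretKey, { stdio: 'pipe' })` line below it, so a long-lived IAM secret passes through a shell command string and sits in argv where a process listing can read it for the duration of the call. The smallest change is `(0, child_process_1.execFileSync)('aws', ['configure', 'set', 'aws_secret_access_key', newSecretKey], { stdio: 'pipe' })` for the three `configure set` calls (the module is already required as `child_process_1`), which removes shell interpretation; writing the profile with the already-imported `fs`/`path` would additionally keep the secret out of argv. On the `if (!verifyId)` path that follows, the function returns false while the key it just created stays active in IAM; revoking it there with the SDK client already in scope (`DeleteAccessKeyCommand`, if aws-helpers re-exports it alongside the other commands) would avoid leaving an unused credential behind. bootstrapAwsAccount begins and ends outside this hunk.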
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,iDAAyC;AACzC,uCAAyB;AACzB,2CAA6B;AAE7B,
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,iDAAyC;AACzC,uCAAyB;AACzB,2CAA6B;AAE7B,4DAQiC;AAEjC;;GAEG;AACH,SAAS,kBAAkB;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,uBAAuB,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,uBAAuB,CAAC,CAAC;IAEjJ,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,mBAAmB,CAAC,MAAqB;IACtD,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,WAAW,CAAC;IAE/C,6CAA6C;IAC7C,IAAI,SAAS,GAAG,MAAM,IAAA,gCAAe,EAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,kDAAkD,GAAG,SAAS,GAAG,GAAG,CAAC,CAAC;QAClF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0FAA0F;IAC1F,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,eAAe,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS,GAAG,MAAM,IAAA,gCAAe,EAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,C
AAC;QACrE,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,yCAAyC,GAAG,SAAS,GAAG,GAAG,CAAC,CAAC;IAEzE,iCAAiC;IACjC,MAAM,QAAQ,GAAG,eAAe,CAAC;IAEjC,IAAI,MAAM,IAAA,4BAAW,EAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,GAAG,iBAAiB,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,2BAA2B,GAAG,QAAQ,GAAG,yBAAyB,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,MAAM,EAAE,OAAO,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;IACxE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,sBAAsB,GAAG,QAAQ,GAAG,IAAI,EAAE,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;QAEjC,kBAAkB;QAClB,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,kCAAiB,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,QAAQ,CAAC,CAAC;QAErD,mCAAmC;QACnC,MAAM,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACpC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,qCAAoB,CAAC;YACtC,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,mBAAmB;YAC/B,cAAc,EAAE,MAAM;SACvB,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QAEpF,oBAAoB;QACpB,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,uCAAsB,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,cAAc,GAAG,SAAS,CAAC,SAAS,EAAE,WAAW,CAAC;QACxD,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,EAAE,eAAe,CAAC;QAE1D,IAAI,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,QAAQ,CAAC,CAAC;QAE1D,2DAA2D;QAC3D,IAAA,wBAAQ,EAAC,sCAAsC,GAAG,cAAc,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;
QACrF,IAAA,wBAAQ,EAAC,0CAA0C,GAAG,YAAY,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACvF,IAAA,wBAAQ,EAAC,2BAA2B,GAAG,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAElE,8BAA8B;QAC9B,MAAM,QAAQ,GAAG,MAAM,IAAA,gCAAe,EAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;YAC9D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,2CAA2C,GAAG,QAAQ,GAAG,8BAA8B,CAAC,CAAC;QACrG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,cAAc,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,QAAQ,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,MAAM,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,4FAA4F,CAAC,CAAC;QAE1G,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;QACnF,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAEY,QAAA,gBAAgB,GAAU;IACrC;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mCAAmC;QAChD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACvC,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAC1C,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;gBACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;gBACjD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAChD,CAAC,CAAwB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CACnD,CAAC;gBACF,IAAI,CAAC,SAAS;oBAAE,OAAO,KAAK,CAAC;YAC/B,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,IAAA,gCAAe,EAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC1D,OAAO,CAAC,SAAS,CAAC;QACpB,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACvE,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,SAAS,EAAE;YACT,8DAA8D;YAC9D,WAAW;YACX,8DAA8D;YAC9D,EAAE;YACF,iFAAiF;YACjF,wEAAwE;YACxE,uEAAuE;YACvE,EAAE;YACF,gBAAgB;YAChB,6EAA6E;YAC7E,yDAAyD;YACzD,gFAAgF;YAChF,wCAAwC;YACxC,EAAE;YACF,8DAA8D;SAC/D,CAAC,IAAI,CAAC,IAAI,CAAC;KACb;IACD;QACE,EAAE,EAAE,uBAAuB;QAC
3B,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,2CAA2C;QACxD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAChD,CAAC,CAAwB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CACnD,CAAC;YACF,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,GAAG;gBAAE,OAAO,KAAK,CAAC;YAE5C,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACvC,OAAO,CAAC,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;QACtF,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,+EAA+E;KAC3F;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8DAA8D;QAC3E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAChD,CAAC,CAAwB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CACnD,CAAC;YACF,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,GAAG;gBAAE,OAAO,KAAK,CAAC;YAE5C,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,MAAM,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC;gBAC/B,IAAI,CAAC;oBACH,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,4CAA4C,GAAC,CAAC;oBAC3F,MAAM,KAAK,GAAG,IAAI,mBAAmB,CAAC;wBACpC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;wBACrC,mBAAmB,EAAE,MAAM,CAAC,OAAO,CAAC,mBAAmB;qBACxD,CAAC,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAC,CAAC;oBACxF,IAAI,MAAM,CAAC,MAAM,EAAE,iBAAiB,IAAI,MAAM,CAAC,MAAM,EAAE,qBAAqB,EAAE,CAAC;wBAC7E,OAAO,KAAK,CAAC;oBACf,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE;YACT,uCAAuC;YACvC,EAAE;YACF,mCAAmC;YACnC,sCAAsC;YACtC,sCAAsC;YACtC,EAAE;YACF,mCAAmC;YACnC,mBAAmB;YACnB,EAAE;YACF,yCAAyC;YACzC,wEAAwE;YACxE,4BAA4B;SAC7B,CAAC,IAAI,CAAC,IAAI,CAAC;KACb;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,SAAS
;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,2CAA2C;QACxD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACvC,MAAM,SAAS,GAAG,MAAM,IAAA,gCAAe,EAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,0EAA0E;gBAC1E,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB;oBAAE,OAAO,IAAI,CAAC;gBAC/C,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,sDAAsD,EAAE;wBAC9E,QAAQ,EAAE,MAAM;wBAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;qBAChC,CAAC,CAAC,IAAI,EAAE,CAAC;oBACV,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,+HAA+H;KAC3I;CACF,CAAC"}
|
|
@@ -3,10 +3,7 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Prereq checks for DB replication between staging (Mac Mini) and prod (RDS).
|
|
5
5
|
* Ensures PostgreSQL client is available on EC2 and RDS is reachable.
|
|
6
|
-
*
|
|
7
|
-
* Actual sync commands are in the AWS pipeline index.ts as plugin commands:
|
|
8
|
-
* - `db sync-to-prod`: pg_dump Mac Mini → SCP to EC2 → pg_restore into RDS
|
|
9
|
-
* - `db sync-to-staging`: pg_dump RDS via EC2 → SCP to Mac Mini → pg_restore
|
|
6
|
+
* Uses AWS SDK v3.
|
|
10
7
|
*/
|
|
11
8
|
import type { Fix } from '../../../../types/index.js';
|
|
12
9
|
export declare const dbReplicationFixes: Fix[];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db-replication.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/db-replication.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"db-replication.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/db-replication.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAkBrE,eAAO,MAAM,kBAAkB,EAAE,GAAG,EAoFnC,CAAC"}
|
|
@@ -4,38 +4,11 @@
|
|
|
4
4
|
*
|
|
5
5
|
* Prereq checks for DB replication between staging (Mac Mini) and prod (RDS).
|
|
6
6
|
* Ensures PostgreSQL client is available on EC2 and RDS is reachable.
|
|
7
|
-
*
|
|
8
|
-
* Actual sync commands are in the AWS pipeline index.ts as plugin commands:
|
|
9
|
-
* - `db sync-to-prod`: pg_dump Mac Mini → SCP to EC2 → pg_restore into RDS
|
|
10
|
-
* - `db sync-to-staging`: pg_dump RDS via EC2 → SCP to Mac Mini → pg_restore
|
|
7
|
+
* Uses AWS SDK v3.
|
|
11
8
|
*/
|
|
12
9
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
10
|
exports.dbReplicationFixes = void 0;
|
|
14
11
|
const aws_helpers_js_1 = require("../utils/aws-helpers.js");
|
|
15
|
-
/**
|
|
16
|
-
* Find RDS instance endpoint
|
|
17
|
-
*/
|
|
18
|
-
function findRdsEndpoint(projectName, region) {
|
|
19
|
-
const dbId = 'factiii-' + projectName + '-db';
|
|
20
|
-
const result = (0, aws_helpers_js_1.awsExecSafe)('aws rds describe-db-instances --db-instance-identifier ' + dbId +
|
|
21
|
-
' --query "DBInstances[0].Endpoint.Address" --output text', region);
|
|
22
|
-
if (!result || result === 'None' || result === 'null')
|
|
23
|
-
return null;
|
|
24
|
-
return result.replace(/"/g, '');
|
|
25
|
-
}
|
|
26
|
-
/**
|
|
27
|
-
* Check if AWS is configured for this project
|
|
28
|
-
*/
|
|
29
|
-
function isAwsConfigured(config) {
|
|
30
|
-
if ((0, aws_helpers_js_1.isOnServer)())
|
|
31
|
-
return false;
|
|
32
|
-
if (config.aws)
|
|
33
|
-
return true;
|
|
34
|
-
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
|
35
|
-
const { extractEnvironments } = require('../../../../utils/config-helpers.js');
|
|
36
|
-
const environments = extractEnvironments(config);
|
|
37
|
-
return Object.values(environments).some((e) => e.pipeline === 'aws');
|
|
38
|
-
}
|
|
39
12
|
/**
|
|
40
13
|
* Get prod environment config
|
|
41
14
|
*/
|
|
@@ -52,17 +25,15 @@ exports.dbReplicationFixes = [
|
|
|
52
25
|
severity: 'warning',
|
|
53
26
|
description: '🔄 PostgreSQL client not installed on EC2 (needed for DB sync)',
|
|
54
27
|
scan: async (config) => {
|
|
55
|
-
if (!isAwsConfigured(config))
|
|
28
|
+
if (!(0, aws_helpers_js_1.isAwsConfigured)(config))
|
|
56
29
|
return false;
|
|
57
30
|
const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
|
|
58
31
|
const projectName = (0, aws_helpers_js_1.getProjectName)(config);
|
|
59
|
-
|
|
60
|
-
const endpoint = findRdsEndpoint(projectName, region);
|
|
32
|
+
const endpoint = await (0, aws_helpers_js_1.findRdsEndpoint)(projectName, region);
|
|
61
33
|
if (!endpoint)
|
|
62
34
|
return false;
|
|
63
|
-
// Check if pg_dump is available on EC2 via SSH
|
|
64
35
|
const prodEnv = getProdEnv(config);
|
|
65
|
-
if (!prodEnv?.domain || prodEnv.domain.startsWith('
|
|
36
|
+
if (!prodEnv?.domain || prodEnv.domain.startsWith('EXAMPLE_'))
|
|
66
37
|
return false;
|
|
67
38
|
try {
|
|
68
39
|
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
|
@@ -71,7 +42,7 @@ exports.dbReplicationFixes = [
|
|
|
71
42
|
return result.trim() === 'not_found';
|
|
72
43
|
}
|
|
73
44
|
catch {
|
|
74
|
-
return false;
|
|
45
|
+
return false;
|
|
75
46
|
}
|
|
76
47
|
},
|
|
77
48
|
fix: async (config) => {
|
|
@@ -101,23 +72,22 @@ exports.dbReplicationFixes = [
|
|
|
101
72
|
severity: 'critical',
|
|
102
73
|
description: '🔄 EC2 cannot connect to RDS (check security groups)',
|
|
103
74
|
scan: async (config) => {
|
|
104
|
-
if (!isAwsConfigured(config))
|
|
75
|
+
if (!(0, aws_helpers_js_1.isAwsConfigured)(config))
|
|
105
76
|
return false;
|
|
106
77
|
const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
|
|
107
78
|
const projectName = (0, aws_helpers_js_1.getProjectName)(config);
|
|
108
|
-
const endpoint = findRdsEndpoint(projectName, region);
|
|
79
|
+
const endpoint = await (0, aws_helpers_js_1.findRdsEndpoint)(projectName, region);
|
|
109
80
|
if (!endpoint)
|
|
110
81
|
return false;
|
|
111
82
|
const prodEnv = getProdEnv(config);
|
|
112
|
-
if (!prodEnv?.domain || prodEnv.domain.startsWith('
|
|
83
|
+
if (!prodEnv?.domain || prodEnv.domain.startsWith('EXAMPLE_'))
|
|
113
84
|
return false;
|
|
114
85
|
try {
|
|
115
86
|
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
|
116
87
|
const { sshExec } = require('../../../../utils/ssh-helper.js');
|
|
117
|
-
// Check if pg_isready is available first
|
|
118
88
|
const hasPg = await sshExec(prodEnv, 'which pg_isready 2>/dev/null || echo "not_found"');
|
|
119
89
|
if (hasPg.trim() === 'not_found')
|
|
120
|
-
return false;
|
|
90
|
+
return false;
|
|
121
91
|
const result = await sshExec(prodEnv, 'pg_isready -h ' + endpoint + ' -p 5432 2>&1');
|
|
122
92
|
return !result.includes('accepting connections');
|
|
123
93
|
}
|
|
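Review bot: In both scans the new `const endpoint = await (0, aws_helpers_js_1.findRdsEndpoint)(projectName, region);` sits outside the `try`, so a rejection from the SDK-backed helper (not visible in this diff; the removed CLI version went through `awsExecSafe` and mapped `None`/`null` to null) would propagate out of `scan` instead of yielding `false` as before. If that helper can throw for a missing instance or missing credentials, either have it resolve to null or move the await inside the `try`. The `endpoint` value is also concatenated unquoted into the remote `'pg_isready -h ' + endpoint + ' -p 5432 2>&1'` command; it presumably comes straight from the AWS API response, but a simple hostname shape check before it reaches the SSH shell would make that assumption explicit. Finally, the unchanged `catch { return false; }` on this `critical` connectivity check makes an SSH or transport failure read as healthy; logging the error or returning a distinct result would keep "could not verify" separate from "reachable".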
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"db-replication.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/db-replication.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"db-replication.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/db-replication.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,4DAKiC;AAEjC;;GAEG;AACH,SAAS,UAAU,CAAC,MAAqB;IACvC,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,IAAI,IAAI,CAAC;AAC9D,CAAC;AAEY,QAAA,kBAAkB,GAAU;IACvC;QACE,EAAE,EAAE,+BAA+B;QACnC,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,gEAAgE;QAC7E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,IAAA,gCAAe,EAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAE3C,MAAM,QAAQ,GAAG,MAAM,IAAA,gCAAe,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC5D,IAAI,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAE5B,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE5E,IAAI,CAAC;gBACH,iEAAiE;gBACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,+CAA+C,CAAC,CAAC;gBACvF,OAAO,MAAM,CAAC,IAAI,EAAE,KAAK,WAAW,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;gBACnD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,iEAAiE;gBACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC5D,MAAM,OAAO,CAAC,OAAO,EAAE,yEAAyE,CAAC,CAAC;gBAClG,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;gBAC9C,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,kCAAkC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC/F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,kEAAkE;KAC9E;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,
KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,IAAA,gCAAe,EAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAE3C,MAAM,QAAQ,GAAG,MAAM,IAAA,gCAAe,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC5D,IAAI,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAE5B,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE5E,IAAI,CAAC;gBACH,iEAAiE;gBACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,kDAAkD,CAAC,CAAC;gBACzF,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,WAAW;oBAAE,OAAO,KAAK,CAAC;gBAE/C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,gBAAgB,GAAG,QAAQ,GAAG,eAAe,CAAC,CAAC;gBACrF,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAAC;YACnD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE;YACT,8BAA8B;YAC9B,gEAAgE;YAChE,kCAAkC;YAClC,uCAAuC;YACvC,gEAAgE;SACjE,CAAC,IAAI,CAAC,IAAI,CAAC;KACb;CACF,CAAC"}
|
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
* Provisions EC2 key pair, instance, and Elastic IP.
|
|
5
5
|
* Uses Ubuntu 22.04 AMI, t3.micro (free tier), public subnet.
|
|
6
6
|
* Key pair private key is stored in Ansible Vault.
|
|
7
|
+
* Uses AWS SDK v3.
|
|
7
8
|
*/
|
|
8
9
|
import type { Fix } from '../../../../types/index.js';
|
|
9
10
|
export declare const ec2Fixes: Fix[];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ec2.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ec2.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"ec2.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ec2.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAsBrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EA8MzB,CAAC"}
|