@factiii/stack 0.1.6 → 0.1.8

package/dist/plugins/pipelines/aws/scanfix/rds.js

@@ -0,0 +1,261 @@
+"use strict";
+/**
+ * AWS RDS Fixes
+ *
+ * Provisions RDS PostgreSQL 15 instance (db.t2.micro free tier).
+ * Creates DB subnet group from private subnets, launches instance with RDS SG.
+ * Stores DATABASE_URL in Ansible Vault.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rdsFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Find VPC by factiii:project tag
+ */
+function findVpc(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-vpcs --filters "Name=tag:factiii:project,Values=' + projectName + '" --query "Vpcs[0].VpcId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find all private subnets
+ */
+function findPrivateSubnets(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-subnets --filters "Name=tag:factiii:project,Values=' + projectName + '" "Name=tag:factiii:subnet-type,Values=private" --query "Subnets[*].SubnetId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return [];
+    return result.split(/\s+/).filter(Boolean);
+}
+/**
+ * Find security group by name and VPC
+ */
+function findSecurityGroup(groupName, vpcId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-security-groups --filters "Name=group-name,Values=' + groupName + '" "Name=vpc-id,Values=' + vpcId + '" --query "SecurityGroups[0].GroupId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Check if DB subnet group exists
+ */
+function findDbSubnetGroup(groupName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws rds describe-db-subnet-groups --db-subnet-group-name ' + groupName + ' --query "DBSubnetGroups[0].DBSubnetGroupName" --output text', region);
+    return !!result && result !== 'None' && result !== 'null';
+}
+/**
+ * Find RDS instance by identifier
+ */
+function findRdsInstance(dbInstanceId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws rds describe-db-instances --db-instance-identifier ' + dbInstanceId, region);
+    if (!result)
+        return null;
+    try {
+        const parsed = JSON.parse(result);
+        const instance = parsed.DBInstances?.[0];
+        if (!instance)
+            return null;
+        return {
+            status: instance.DBInstanceStatus,
+            endpoint: instance.Endpoint?.Address ?? null,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+/**
+ * Generate a random password for RDS
+ */
+function generateRdsPassword() {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    let password = '';
+    const crypto = require('crypto');
+    const bytes = crypto.randomBytes(24);
+    for (let i = 0; i < 24; i++) {
+        password += chars[(bytes[i] ?? 0) % chars.length];
+    }
+    return password;
+}
+exports.rdsFixes = [
+    {
+        id: 'aws-rds-subnet-group-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'RDS DB subnet group not created (needs 2 AZs)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const privateSubnets = findPrivateSubnets(projectName, region);
+            if (privateSubnets.length < 2)
+                return false; // Private subnets must exist first
+            return !findDbSubnetGroup('factiii-' + projectName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const privateSubnets = findPrivateSubnets(projectName, region);
+            if (privateSubnets.length < 2) {
+                console.log('   Need at least 2 private subnets first');
+                return false;
+            }
+            try {
+                const groupName = 'factiii-' + projectName;
+                (0, aws_helpers_js_1.awsExec)('aws rds create-db-subnet-group' +
+                    ' --db-subnet-group-name ' + groupName +
+                    ' --db-subnet-group-description "Factiii DB subnet group for ' + projectName + '"' +
+                    ' --subnet-ids ' + privateSubnets.join(' '), region);
+                console.log('   Created DB subnet group: ' + groupName);
+                console.log('   Using subnets: ' + privateSubnets.join(', '));
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create DB subnet group: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create DB subnet group with 2+ private subnets in different AZs',
+    },
+    {
+        id: 'aws-rds-instance-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'RDS PostgreSQL 15 instance not created (db.t2.micro)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            return !findRdsInstance(dbId, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId) {
+                console.log('   VPC must be created first');
+                return false;
+            }
+            const subnetGroupName = 'factiii-' + projectName;
+            if (!findDbSubnetGroup(subnetGroupName, region)) {
+                console.log('   DB subnet group must be created first');
+                return false;
+            }
+            const rdsSgId = findSecurityGroup('factiii-' + projectName + '-rds', vpcId, region);
+            if (!rdsSgId) {
+                console.log('   RDS security group must be created first');
+                return false;
+            }
+            try {
+                const dbId = 'factiii-' + projectName + '-db';
+                const dbName = projectName.replace(/[^a-zA-Z0-9]/g, '');
+                const masterUser = 'factiii';
+                const masterPassword = generateRdsPassword();
+                (0, aws_helpers_js_1.awsExec)('aws rds create-db-instance' +
+                    ' --db-instance-identifier ' + dbId +
+                    ' --db-instance-class db.t2.micro' +
+                    ' --engine postgres' +
+                    ' --engine-version 15' +
+                    ' --allocated-storage 20' +
+                    ' --master-username ' + masterUser +
+                    ' --master-user-password ' + masterPassword +
+                    ' --db-name ' + dbName +
+                    ' --db-subnet-group-name ' + subnetGroupName +
+                    ' --vpc-security-group-ids ' + rdsSgId +
+                    ' --no-publicly-accessible' +
+                    ' --storage-type gp2' +
+                    ' --backup-retention-period 7', region);
+                console.log('   Creating RDS instance: ' + dbId);
+                console.log('   Engine: PostgreSQL 15');
+                console.log('   Instance class: db.t2.micro (free tier eligible)');
+                console.log('   Storage: 20 GB gp2');
+                console.log('   Database name: ' + dbName);
+                console.log('   Master user: ' + masterUser);
+                console.log('');
+                console.log('   IMPORTANT: Save these credentials!');
+                console.log('   Master password: ' + masterPassword);
+                console.log('   DATABASE_URL: postgresql://' + masterUser + ':' + masterPassword + '@<endpoint>:5432/' + dbName);
+                console.log('');
+                console.log('   RDS instance takes ~5-10 minutes to become available.');
+                console.log('   Run "npx factiii scan --prod" to check status.');
+                console.log('');
+                console.log('   TIP: Store credentials in Ansible Vault: npx factiii secrets edit');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create RDS instance: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create RDS instance: aws rds create-db-instance --db-instance-class db.t2.micro --engine postgres --engine-version 15',
+    },
+    {
+        id: 'aws-rds-not-available',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'RDS instance is not yet available (takes ~5-10 min)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            const instance = findRdsInstance(dbId, region);
+            if (!instance)
+                return false; // No instance yet
+            return instance.status !== 'available';
+        },
+        fix: null,
+        manualFix: 'RDS instance is provisioning. Wait ~5-10 minutes and run scan again.\nCheck status: aws rds describe-db-instances --db-instance-identifier factiii-{name}-db --query "DBInstances[0].DBInstanceStatus"',
+    },
+    {
+        id: 'aws-rds-connection-test',
+        stage: 'prod',
+        severity: 'info',
+        description: 'Cannot verify RDS connectivity from EC2 (pg_isready not found)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const dbId = 'factiii-' + projectName + '-db';
+            const instance = findRdsInstance(dbId, region);
+            if (!instance || instance.status !== 'available' || !instance.endpoint)
+                return false;
+            // Check if pg_isready is available on EC2 via SSH
+            // This scan runs on the dev machine, so we check via SSH
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const prodEnv = environments.prod ?? environments.production;
+            if (!prodEnv?.domain)
+                return false;
+            try {
+                // eslint-disable-next-line @typescript-eslint/no-require-imports
+                const { sshExec } = require('../../../../utils/ssh-helper.js');
+                const result = await sshExec(prodEnv, 'which pg_isready 2>/dev/null && pg_isready -h ' + instance.endpoint + ' -p 5432 2>&1 || echo "pg_isready not found"');
+                return result.includes('pg_isready not found') || result.includes('no response');
+            }
+            catch {
+                return false; // Can't SSH — skip this check
+            }
+        },
+        fix: null,
+        manualFix: 'Install PostgreSQL client on EC2: sudo apt-get install -y postgresql-client-15\nTest connection: pg_isready -h <rds-endpoint> -p 5432',
+    },
+];
+//# sourceMappingURL=rds.js.map

package/dist/plugins/pipelines/aws/scanfix/rds.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rds.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/rds.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,OAAO,CAAC,WAAmB,EAAE,MAAc;IAClD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,mEAAmE,GAAG,WAAW,GAAG,yCAAyC,EAC7H,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,WAAmB,EAAE,MAAc;IAC7D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,sEAAsE,GAAG,WAAW,GAAG,6FAA6F,EACpL,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,EAAE,CAAC;IACjE,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAa,EAAE,MAAc;IACzE,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qEAAqE,GAAG,SAAS,GAAG,wBAAwB,GAAG,KAAK,GAAG,qDAAqD,EAC5K,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,MAAc;IAC1D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,2DAA2D,GAAG,SAAS,GAAG,8DAA8D,EACxI,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,YAAoB,EAAE,MAAc;IAC3D,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,yDAAyD,GAAG,YAAY,EACxE,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,QAAQ,CAAC,gBAAgB;YACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,OAAO,IAAI,IAAI;SAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB;IAC1B,MAAM,KAAK,GAAG,gEAAgE,CAAC;IAC/E,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAA4B,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,QAAQ,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,8BAA8B;QAClC,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,mCAAmC;YAChF,OAAO,CAAC,iBAAiB,CAAC,UAAU,GAAG,WAAW,EAAE,MAAM,CAAC,CAAC;QAC9D,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;gBAC3C,IAAA,wBAAO,EACL,gCAAgC;oBAChC,0BAA0B,GAAG,SAAS;oBACtC,8DAA8D,GAAG,WAAW,GAAG,GAAG;oBAClF,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAC3C,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,8BAA8B,GAAG,SAAS,CAAC,CAAC;gBACxD,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC9D,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,iEAAiE;KAC7E;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,GAAG,WAAW,CAAC;YACjD,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;gBAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;gBACxD,MAAM,UAAU,GAAG,SAAS,CAAC;gBAC7B,MAAM,cAAc,GAAG,mBAAmB,EAAE,CAAC;gBAE7C,IAAA,wBAAO,EACL,4BAA4B;oBAC5B,4BAA4B,GAAG,IAAI;oBACnC,kCAAkC;oBAClC,oBAAoB;oBACpB,sBAAsB;oBACtB,yBAAyB;oBACzB,qBAAqB,GAAG,UAAU;oBAClC,0BAA0B,GAAG,cAAc;oBAC3C,aAAa,GAAG,MAAM;oBACtB,0BAA0B,GAAG,eAAe;oBAC5C,4BAA4B,GAAG,OAAO;oBACtC,2BAA2B;oBAC3B,qBAAqB;oBACrB,8BAA8B,EAC9B,MAAM,CACP,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,4BAA4B,GAAG,IAAI,CAAC,CAAC;gBACjD,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBACrC,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,UAAU,CAAC,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,cAAc,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,gCAAgC,GAAG,UAAU,GAAG,GAAG,GAAG,cAAc,GAAG,mBAAmB,GAAG,MAAM,CAAC,CAAC;gBACjH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;gBACxE,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;gBACjE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;gBAEpF,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,uHAAuH;KACnI;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,qDAAqD;QAClE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC,CAAC,kBAAkB;YAC/C,OAAO,QAAQ,CAAC,MAAM,KAAK,WAAW,CAAC;QACzC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,wMAAwM;KACpN;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gEAAgE;QAC7E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;YAC9C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAErF,kDAAkD;YAClD,yDAAyD;YACzD,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC;YAC7D,IAAI,CAAC,OAAO,EAAE,MAAM;gBAAE,OAAO,KAAK,CAAC;YAEnC,IAAI,CAAC;gBACH,iEAAiE;gBACjE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,gDAAgD,GAAG,QAAQ,CAAC,QAAQ,GAAG,8CAA8C,CAAC,CAAC;gBAC7J,OAAO,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACnF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC,CAAC,8BAA8B;YAC9C,CAAC;QACH,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,uIAAuI;KACnJ;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/s3.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AWS S3 Fixes
+ *
+ * Provisions S3 bucket with encryption and blocked public access.
+ * Configures CORS for the production domain.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const s3Fixes: Fix[];
+//# sourceMappingURL=s3.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/s3.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/s3.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAuCrE,eAAO,MAAM,OAAO,EAAE,GAAG,EAiHxB,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/s3.js

@@ -0,0 +1,134 @@
+"use strict";
+/**
+ * AWS S3 Fixes
+ *
+ * Provisions S3 bucket with encryption and blocked public access.
+ * Configures CORS for the production domain.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.s3Fixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Check if S3 bucket exists
+ */
+function findBucket(bucketName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws s3api head-bucket --bucket ' + bucketName, region);
+    // head-bucket returns empty on success, throws on failure
+    return result !== null;
+}
+/**
+ * Check if CORS is configured on bucket
+ */
+function hasCors(bucketName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws s3api get-bucket-cors --bucket ' + bucketName, region);
+    return !!result && result !== 'null';
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.s3Fixes = [
+    {
+        id: 'aws-s3-bucket-missing',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'S3 bucket not created for file storage',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            return !findBucket(bucketName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            try {
+                // Create bucket (us-east-1 doesn't need LocationConstraint)
+                if (region === 'us-east-1') {
+                    (0, aws_helpers_js_1.awsExec)('aws s3api create-bucket --bucket ' + bucketName, region);
+                }
+                else {
+                    (0, aws_helpers_js_1.awsExec)('aws s3api create-bucket --bucket ' + bucketName +
+                        ' --create-bucket-configuration LocationConstraint=' + region, region);
+                }
+                console.log('   Created S3 bucket: ' + bucketName);
+                // Block all public access
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-public-access-block --bucket ' + bucketName +
+                    ' --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true', region);
+                console.log('   Blocked all public access');
+                // Enable server-side encryption (AES-256)
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-bucket-encryption --bucket ' + bucketName +
+                    ' --server-side-encryption-configuration ' +
+                    '"{\\\"Rules\\\":[{\\\"ApplyServerSideEncryptionByDefault\\\":{\\\"SSEAlgorithm\\\":\\\"AES256\\\"}}]}"', region);
+                console.log('   Enabled AES-256 encryption');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create S3 bucket: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create S3 bucket with encryption and blocked public access',
+    },
+    {
+        id: 'aws-s3-cors-missing',
+        stage: 'prod',
+        severity: 'info',
+        description: 'S3 bucket CORS not configured for production domain',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            if (!findBucket(bucketName, region))
+                return false;
+            return !hasCors(bucketName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            // Get production domain for CORS
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const prodEnv = environments.prod ?? environments.production;
+            const domain = prodEnv?.domain;
+            if (!domain || domain.startsWith('EXAMPLE-')) {
+                console.log('   Set production domain in factiii.yml first');
+                return false;
+            }
+            try {
+                const corsConfig = JSON.stringify({
+                    CORSRules: [{
+                            AllowedHeaders: ['*'],
+                            AllowedMethods: ['GET', 'PUT', 'POST', 'DELETE'],
+                            AllowedOrigins: ['https://' + domain],
+                            MaxAgeSeconds: 3600,
+                        }],
+                });
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-bucket-cors --bucket ' + bucketName +
+                    " --cors-configuration '" + corsConfig + "'", region);
+                console.log('   Configured CORS for https://' + domain);
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to configure CORS: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Configure S3 CORS to allow requests from your production domain',
+    },
+];
+//# sourceMappingURL=s3.js.map

package/dist/plugins/pipelines/aws/scanfix/s3.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/s3.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,UAAU,CAAC,UAAkB,EAAE,MAAc;IACpD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,iCAAiC,GAAG,UAAU,EAC9C,MAAM,CACP,CAAC;IACF,0DAA0D;IAC1D,OAAO,MAAM,KAAK,IAAI,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,UAAkB,EAAE,MAAc;IACjD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qCAAqC,GAAG,UAAU,EAClD,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,OAAO,GAAU;IAC5B;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,wCAAwC;QACrD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAC5C,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAE5C,IAAI,CAAC;gBACH,4DAA4D;gBAC5D,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;oBAC3B,IAAA,wBAAO,EACL,mCAAmC,GAAG,UAAU,EAChD,MAAM,CACP,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAA,wBAAO,EACL,mCAAmC,GAAG,UAAU;wBAChD,oDAAoD,GAAG,MAAM,EAC7D,MAAM,CACP,CAAC;gBACJ,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,UAAU,CAAC,CAAC;gBAEnD,0BAA0B;gBAC1B,IAAA,wBAAO,EACL,6CAA6C,GAAG,UAAU;oBAC1D,mIAAmI,EACnI,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAE5C,0CAA0C;gBAC1C,IAAA,wBAAO,EACL,2CAA2C,GAAG,UAAU;oBACxD,0CAA0C;oBAC1C,wGAAwG,EACxG,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;gBAE7C,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,4DAA4D;KACxE;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAC5C,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAE5C,iCAAiC;YACjC,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC;YAC7D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,CAAC;YAE/B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;oBAChC,SAAS,EAAE,CAAC;4BACV,cAAc,EAAE,CAAC,GAAG,CAAC;4BACrB,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC;4BAChD,cAAc,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC;4BACrC,aAAa,EAAE,IAAI;yBACpB,CAAC;iBACH,CAAC,CAAC;gBAEH,IAAA,wBAAO,EACL,qCAAqC,GAAG,UAAU;oBAClD,yBAAyB,GAAG,UAAU,GAAG,GAAG,EAC5C,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,MAAM,CAAC,CAAC;gBACxD,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,+BAA+B,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,iEAAiE;KAC7E;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS Security Group Fixes
+ *
+ * Provisions security groups for EC2 and RDS.
+ * EC2 SG: SSH(22), HTTP(80), HTTPS(443)
+ * RDS SG: PostgreSQL(5432) from EC2 SG only
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const securityGroupFixes: Fix[];
+//# sourceMappingURL=security-groups.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-groups.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/security-groups.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAwCrE,eAAO,MAAM,kBAAkB,EAAE,GAAG,EAqNnC,CAAC"}