@geek-fun/serverlessinsight 0.6.15 → 0.7.0

package/dist/src/stack/volcengineStack/vefaasPlanner.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateFunctionPlan = void 0;
+const common_1 = require("../../common");
+const stateManager_1 = require("../../common/stateManager");
+const volcengineClient_1 = require("../../common/volcengineClient");
+const vefaasTypes_1 = require("./vefaasTypes");
+const planFunctionDeletion = (logicalId, definition) => ({
+    logicalId,
+    action: 'delete',
+    resourceType: 'VOLCENGINE_VEFAAS',
+    changes: { before: definition },
+});
+const generateFunctionPlan = async (context, state, functions) => {
+    if (!functions || functions.length === 0) {
+        const allStates = (0, stateManager_1.getAllResources)(state);
+        const items = Object.entries(allStates)
+            .filter(([logicalId]) => logicalId.startsWith('functions.'))
+            .map(([logicalId, resourceState]) => planFunctionDeletion(logicalId, resourceState.definition));
+        return { items };
+    }
+    const desiredLogicalIds = new Set(functions.map((fn) => `functions.${fn.key}`));
+    const functionItems = await Promise.all(functions.map(async (fn) => {
+        const logicalId = `functions.${fn.key}`;
+        const currentState = (0, common_1.getResource)(state, logicalId);
+        const config = (0, vefaasTypes_1.functionToVefaasConfig)(fn);
+        const codePath = fn.code.path;
+        const desiredCodeHash = (0, common_1.computeFileHash)(codePath);
+        const desiredDefinition = (0, vefaasTypes_1.extractVefaasDefinition)(config, desiredCodeHash);
+        if (!currentState || currentState.status === 'tainted') {
+            return {
+                logicalId,
+                action: 'create',
+                resourceType: 'VOLCENGINE_VEFAAS',
+                changes: { after: desiredDefinition },
+            };
+        }
+        try {
+            const client = (0, volcengineClient_1.createVolcengineClient)(context);
+            const remoteFunction = await client.vefaas.getFunction(fn.name);
+            if (!remoteFunction) {
+                return {
+                    logicalId,
+                    action: 'create',
+                    resourceType: 'VOLCENGINE_VEFAAS',
+                    changes: {
+                        before: currentState.definition,
+                        after: desiredDefinition,
+                    },
+                    drifted: true,
+                };
+            }
+            const currentDefinition = currentState.definition || {};
+            const definitionChanged = !(0, common_1.attributesEqual)(currentDefinition, desiredDefinition);
+            if (definitionChanged) {
+                return {
+                    logicalId,
+                    action: 'update',
+                    resourceType: 'VOLCENGINE_VEFAAS',
+                    changes: { before: currentDefinition, after: desiredDefinition },
+                    drifted: true,
+                };
+            }
+            return { logicalId, action: 'noop', resourceType: 'VOLCENGINE_VEFAAS' };
+        }
+        catch {
+            return {
+                logicalId,
+                action: 'create',
+                resourceType: 'VOLCENGINE_VEFAAS',
+                changes: {
+                    before: currentState.definition,
+                    after: desiredDefinition,
+                },
+            };
+        }
+    }));
+    const allStates = (0, stateManager_1.getAllResources)(state);
+    const deletionItems = Object.entries(allStates)
+        .filter(([logicalId]) => logicalId.startsWith('functions.') && !desiredLogicalIds.has(logicalId))
+        .map(([logicalId, resourceState]) => planFunctionDeletion(logicalId, resourceState.definition));
+    return { items: [...functionItems, ...deletionItems] };
+};
+exports.generateFunctionPlan = generateFunctionPlan;

package/dist/src/stack/volcengineStack/vefaasResource.js

@@ -0,0 +1,513 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteResource = exports.updateResource = exports.readResource = exports.createResource = void 0;
+const volcengineClient_1 = require("../../common/volcengineClient");
+const common_1 = require("../../common");
+const types_1 = require("../../types");
+const vefaasTypes_1 = require("./vefaasTypes");
+const logger_1 = require("../../common/logger");
+const lang_1 = require("../../lang");
+const RECOVERY_GET_FUNCTION_DELAY_MS = 1500;
+const IAM_ROLE_PROPAGATION_DELAY_MS = 3000;
+const delay = async (ms) => {
+    await new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+};
+const isRecoverableCreateError = (error) => {
+    const code = error && typeof error === 'object' && 'code' in error && typeof error.code === 'string'
+        ? error.code.toLowerCase()
+        : '';
+    const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+    return (code === 'readtimeout' ||
+        code === 'timeout' ||
+        code === 'requesttimeout' ||
+        code === 'econnreset' ||
+        code === 'etimedout' ||
+        message.includes('readtimeout') ||
+        message.includes('timeout') ||
+        message.includes('socket hang up') ||
+        message.includes('econnreset') ||
+        message.includes('etimedout'));
+};
+const buildVefaasInstanceFromProvider = (info, sid) => {
+    return {
+        type: 'VOLCENGINE_VEFAAS_FUNCTION',
+        sid,
+        id: info.functionName ?? '',
+        functionName: info.functionName ?? null,
+        functionId: info.functionId ?? null,
+        runtime: info.runtime ?? null,
+        handler: info.handler ?? null,
+        memorySize: info.memoryMb ?? null,
+        timeout: info.requestTimeout ?? null,
+        environment: info.environmentVariables ?? {},
+        description: info.description ?? null,
+        status: info.status ?? null,
+        createdTime: info.createdTime ?? null,
+        lastUpdateTime: info.lastModifiedTime ?? null,
+        role: info.role ?? null,
+        vpcConfig: info.vpcConfig
+            ? {
+                vpcId: info.vpcConfig.vpcId ?? null,
+                subnetIds: info.vpcConfig.subnetIds ?? [],
+                securityGroupIds: info.vpcConfig.securityGroupIds ?? [],
+            }
+            : {},
+        logConfig: info.logConfig
+            ? {
+                project: info.logConfig.project ?? null,
+                topic: info.logConfig.topic ?? null,
+            }
+            : null,
+    };
+};
+const createDependentResources = async (context, fn, serviceName, existingInstances = []) => {
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    const instances = [];
+    let logConfig;
+    const hasTlsProject = existingInstances.some((i) => i.type === 'VOLCENGINE_TLS_PROJECT');
+    const hasIamRole = existingInstances.some((i) => i.type === 'VOLCENGINE_IAM_ROLE');
+    if (fn.log) {
+        if (hasTlsProject) {
+            const tlsProjectInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_TLS_PROJECT');
+            const tlsTopicInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_TLS_TOPIC');
+            if (tlsProjectInstance && tlsTopicInstance) {
+                const [projectName, topicName] = tlsTopicInstance.id.split('/');
+                logConfig = { project: projectName, topic: topicName };
+                instances.push(...existingInstances.filter((i) => i.type.startsWith('VOLCENGINE_TLS_')));
+            }
+        }
+        else {
+            const projectName = `${serviceName}-${context.stage}-tls`;
+            const topicName = `${serviceName}-${context.stage}-logs`;
+            logger_1.logger.info(lang_1.lang.__('CREATING_TLS_PROJECT', { projectName }));
+            const project = await client.tls.createProject({
+                projectName,
+                description: `veFaaS logs for ${serviceName}`,
+                region: context.region,
+            });
+            instances.push({
+                type: 'VOLCENGINE_TLS_PROJECT',
+                id: projectName,
+                attributes: { ...project },
+            });
+            logger_1.logger.info(lang_1.lang.__('CREATING_TLS_TOPIC', { topicName }));
+            const topic = await client.tls.createTopic({
+                projectName,
+                topicName,
+                description: `Function logs for ${serviceName}`,
+                ttl: 30,
+            });
+            instances.push({
+                type: 'VOLCENGINE_TLS_TOPIC',
+                id: `${projectName}/${topicName}`,
+                attributes: { ...topic },
+            });
+            logger_1.logger.info(lang_1.lang.__('CREATING_TLS_INDEX', { topicName }));
+            await client.tls.createIndex({
+                projectName,
+                topicName,
+                fullTextIndex: {
+                    delimiter: ' ,.?;!\n\t',
+                    caseSensitive: false,
+                },
+            });
+            instances.push({
+                type: 'VOLCENGINE_TLS_INDEX',
+                id: `${projectName}/${topicName}/index`,
+                attributes: {},
+            });
+            logger_1.logger.info(lang_1.lang.__('WAITING_FOR_TLS_RESOURCES', { projectName, topicName }));
+            await client.tls.waitForProject(projectName);
+            await client.tls.waitForTopic(projectName, topicName);
+            logConfig = { project: projectName, topic: topicName };
+        }
+    }
+    const roleName = `${serviceName}-${context.stage}-role`;
+    const trustedServices = (0, vefaasTypes_1.getTrustedServicesForFunction)(fn, context);
+    if (hasIamRole) {
+        const iamRoleInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_IAM_ROLE');
+        if (iamRoleInstance) {
+            instances.push(iamRoleInstance);
+            await client.iam.updateRoleTrustPolicy(iamRoleInstance.id, (0, vefaasTypes_1.buildDefaultTrustPolicy)(trustedServices));
+        }
+    }
+    else {
+        logger_1.logger.info(lang_1.lang.__('CREATING_IAM_ROLE', { roleName }));
+        const iamRole = await client.iam.createRole({
+            roleName,
+            displayName: roleName,
+            description: `veFaaS execution role for ${serviceName}`,
+            trustPolicy: (0, vefaasTypes_1.buildDefaultTrustPolicy)(trustedServices),
+        });
+        instances.push({
+            type: 'VOLCENGINE_IAM_ROLE',
+            id: roleName,
+            trn: iamRole.trn,
+            attributes: { ...iamRole },
+        });
+        await delay(IAM_ROLE_PROPAGATION_DELAY_MS);
+    }
+    const iamRoleInstance = instances.find((i) => i.type === 'VOLCENGINE_IAM_ROLE');
+    if (!iamRoleInstance) {
+        throw new Error(lang_1.lang.__('IAM_ROLE_INSTANCE_NOT_FOUND', { roleName }));
+    }
+    const trn = iamRoleInstance.trn ??
+        (context.accountId ? `trn:iam::${context.accountId}:role/${iamRoleInstance.id}` : undefined);
+    if (!trn) {
+        throw new Error(lang_1.lang.__('IAM_ROLE_TRN_MISSING', { roleName }));
+    }
+    const role = {
+        roleName,
+        trn,
+    };
+    return {
+        logConfig,
+        role,
+        instances,
+    };
+};
+const deleteDependentResources = async (context, instances) => {
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    for (const instance of [...instances].reverse()) {
+        try {
+            switch (instance.type) {
+                case 'VOLCENGINE_TLS_INDEX': {
+                    const [projectName, topicName] = instance.id.split('/');
+                    logger_1.logger.info(lang_1.lang.__('DELETING_TLS_INDEX', { id: instance.id }));
+                    await client.tls.deleteIndex(projectName, topicName);
+                    break;
+                }
+                case 'VOLCENGINE_TLS_TOPIC': {
+                    const [projectName, topicName] = instance.id.split('/');
+                    logger_1.logger.info(lang_1.lang.__('DELETING_TLS_TOPIC', { id: instance.id }));
+                    await client.tls.deleteTopic(projectName, topicName);
+                    break;
+                }
+                case 'VOLCENGINE_TLS_PROJECT':
+                    logger_1.logger.info(lang_1.lang.__('DELETING_TLS_PROJECT', { id: instance.id }));
+                    await client.tls.deleteProject(instance.id);
+                    break;
+                case 'VOLCENGINE_IAM_ROLE':
+                    logger_1.logger.info(lang_1.lang.__('DELETING_IAM_ROLE', { id: instance.id }));
+                    await client.iam.deleteRole(instance.id);
+                    break;
+                default:
+                    logger_1.logger.warn(lang_1.lang.__('UNKNOWN_RESOURCE_TYPE', { type: instance.type }));
+            }
+        }
+        catch (err) {
+            logger_1.logger.error(lang_1.lang.__('FAILED_TO_DELETE_RESOURCE', {
+                type: instance.type,
+                id: instance.id,
+                error: String(err),
+            }));
+        }
+    }
+};
+const createResource = async (context, fn, state) => {
+    const logicalId = `functions.${fn.key}`;
+    const serviceName = `${context.app}-${context.service}`;
+    const existingResourceState = (0, common_1.getResource)(state, logicalId);
+    const existingDependentInstances = (existingResourceState?.instances ?? []).filter((i) => i.type !== 'VOLCENGINE_VEFAAS_FUNCTION');
+    const dependentResources = await createDependentResources(context, fn, serviceName, existingDependentInstances);
+    const config = (0, vefaasTypes_1.functionToVefaasConfig)(fn, {
+        role: dependentResources.role?.trn,
+        logConfig: dependentResources.logConfig,
+        vpcConfig: fn.network
+            ? {
+                vpcId: fn.network.vpc_id,
+                subnetIds: fn.network.subnet_ids,
+                securityGroupIds: fn.network.security_group?.name ? [fn.network.security_group.name] : [],
+            }
+            : undefined,
+        tosMountConfig: fn.storage?.nas?.[0]
+            ? {
+                bucketName: fn.storage.nas[0]?.bucket_name || '',
+                mountPath: fn.storage.nas[0].mount_path,
+            }
+            : undefined,
+    });
+    const codePath = fn.code.path;
+    const codeHash = (0, common_1.computeFileHash)(codePath);
+    const definition = (0, vefaasTypes_1.extractVefaasDefinition)(config, codeHash);
+    const sid = (0, common_1.buildSid)('volcengine', context.service, context.stage, fn.name);
+    const dependentInstances = dependentResources.instances.map((dep) => ({
+        sid: dep.sid ??
+            (0, common_1.buildSid)('volcengine', dep.type.replace('VOLCENGINE_', '').toLowerCase(), context.stage, dep.id),
+        id: dep.id,
+        type: dep.type,
+        ...(dep.trn ? { trn: dep.trn } : {}),
+        ...dep.attributes,
+    }));
+    const taintedResourceState = {
+        mode: 'managed',
+        region: context.region,
+        definition,
+        instances: [
+            {
+                type: 'VOLCENGINE_VEFAAS_FUNCTION',
+                sid,
+                id: fn.name,
+                functionName: fn.name,
+                attributes: {},
+            },
+            ...dependentInstances,
+        ],
+        status: 'tainted',
+        lastUpdated: new Date().toISOString(),
+    };
+    const stateAfterDependents = (0, common_1.setResource)(state, logicalId, taintedResourceState);
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    const isTainted = existingResourceState?.status === 'tainted';
+    const existingFunctionOnRetry = isTainted ? await client.vefaas.getFunction(fn.name) : null;
+    if (existingFunctionOnRetry) {
+        logger_1.logger.info(lang_1.lang.__('VEFAAS_FUNCTION_EXISTS_RECOVERY', { functionName: fn.name }));
+    }
+    try {
+        if (!existingFunctionOnRetry) {
+            const codeContent = await Promise.resolve().then(() => __importStar(require('node:fs'))).then((fs) => fs.readFileSync(codePath));
+            const codeBase64 = codeContent.toString('base64');
+            await client.vefaas.createFunction(config, codeBase64);
+        }
+    }
+    catch (error) {
+        if (isRecoverableCreateError(error)) {
+            await delay(RECOVERY_GET_FUNCTION_DELAY_MS);
+            const functionAfterError = await client.vefaas.getFunction(fn.name);
+            if (!functionAfterError) {
+                throw new types_1.PartialResourceError(stateAfterDependents, error);
+            }
+        }
+        else {
+            throw new types_1.PartialResourceError(stateAfterDependents, error);
+        }
+    }
+    const functionInfo = await client.vefaas.getFunction(fn.name);
+    if (!functionInfo) {
+        throw new Error(lang_1.lang.__('RESOURCE_NOT_FOUND_PROVIDER', { resourceType: 'Function', name: fn.name }));
+    }
+    const vefaasInstance = buildVefaasInstanceFromProvider(functionInfo, sid);
+    const resourceState = {
+        mode: 'managed',
+        region: context.region,
+        definition,
+        instances: [vefaasInstance, ...dependentInstances],
+        status: 'ready',
+        lastUpdated: new Date().toISOString(),
+    };
+    return (0, common_1.setResource)(stateAfterDependents, logicalId, resourceState);
+};
+exports.createResource = createResource;
+const readResource = async (context, functionName) => {
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    return await client.vefaas.getFunction(functionName);
+};
+exports.readResource = readResource;
+const updateResource = async (context, fn, state) => {
+    const serviceName = `${context.app}-${context.service}`;
+    const logicalId = `functions.${fn.key}`;
+    const currentState = (0, common_1.getResource)(state, logicalId);
+    if (!currentState) {
+        throw new Error(lang_1.lang.__('RESOURCE_STATE_NOT_FOUND', { logicalId }));
+    }
+    const currentInstance = currentState.instances.find((i) => i.type === 'VOLCENGINE_VEFAAS_FUNCTION');
+    if (!currentInstance) {
+        throw new Error(lang_1.lang.__('RESOURCE_INSTANCE_NOT_FOUND', { logicalId }));
+    }
+    const existingInstances = (currentState.instances ?? []);
+    const isTainted = currentState.status === 'tainted';
+    const hasTlsResources = existingInstances.some((i) => i.type === 'VOLCENGINE_TLS_PROJECT');
+    const hasIamRole = existingInstances.some((i) => i.type === 'VOLCENGINE_IAM_ROLE');
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    const newDependentInstances = [];
+    let logConfig;
+    let role;
+    if (fn.log && !hasTlsResources && !isTainted) {
+        const deps = await createDependentResources(context, { ...fn, network: undefined, storage: { disk: undefined, nas: undefined } }, serviceName);
+        logConfig = deps.logConfig;
+        newDependentInstances.push(...deps.instances.filter((i) => i.type.startsWith('VOLCENGINE_TLS_')));
+    }
+    else if (hasTlsResources) {
+        const tlsProjectInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_TLS_PROJECT');
+        const tlsTopicInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_TLS_TOPIC');
+        if (tlsProjectInstance && tlsTopicInstance) {
+            const [projectName, topicName] = tlsTopicInstance.id.split('/');
+            logConfig = { project: projectName, topic: topicName };
+        }
+    }
+    if (!hasIamRole && !isTainted) {
+        const deps = await createDependentResources(context, { ...fn, log: false, network: undefined, storage: { disk: undefined, nas: undefined } }, serviceName);
+        role = deps.role;
+        newDependentInstances.push(...deps.instances.filter((i) => i.type === 'VOLCENGINE_IAM_ROLE'));
+    }
+    else {
+        const iamRoleInstance = existingInstances.find((i) => i.type === 'VOLCENGINE_IAM_ROLE');
+        if (iamRoleInstance) {
+            const trn = iamRoleInstance.trn ??
+                (context.accountId
+                    ? `trn:iam::${context.accountId}:role/${iamRoleInstance.id}`
+                    : undefined);
+            if (!trn) {
+                throw new Error(lang_1.lang.__('IAM_ROLE_TRN_MISSING', { roleName: iamRoleInstance.id }));
+            }
+            role = {
+                roleName: iamRoleInstance.id,
+                trn,
+            };
+            const trustedServices = (0, vefaasTypes_1.getTrustedServicesForFunction)(fn, context);
+            await client.iam.updateRoleTrustPolicy(iamRoleInstance.id, (0, vefaasTypes_1.buildDefaultTrustPolicy)(trustedServices));
+        }
+    }
+    const config = (0, vefaasTypes_1.functionToVefaasConfig)(fn, {
+        role: role?.trn,
+        logConfig,
+        vpcConfig: fn.network
+            ? {
+                vpcId: fn.network.vpc_id,
+                subnetIds: fn.network.subnet_ids,
+                securityGroupIds: fn.network.security_group?.name ? [fn.network.security_group.name] : [],
+            }
+            : undefined,
+        tosMountConfig: fn.storage?.nas?.[0]
+            ? {
+                bucketName: fn.storage.nas[0]?.bucket_name || '',
+                mountPath: fn.storage.nas[0].mount_path,
+            }
+            : undefined,
+    });
+    const codePath = fn.code.path;
+    const desiredCodeHash = (0, common_1.computeFileHash)(codePath);
+    const desiredDefinition = (0, vefaasTypes_1.extractVefaasDefinition)(config, desiredCodeHash);
+    const currentDefinition = currentState.definition || {};
+    const currentCodeHash = currentDefinition.codeHash;
+    const codeChanged = currentCodeHash !== desiredCodeHash;
+    const existingConfigOnly = {
+        runtime: currentDefinition.runtime,
+        handler: currentDefinition.handler,
+        memorySize: currentDefinition.memorySize,
+        timeout: currentDefinition.timeout,
+        environment: currentDefinition.environment,
+        description: currentDefinition.description,
+        role: currentDefinition.role,
+        vpcConfig: currentDefinition.vpcConfig,
+        tosMountConfig: currentDefinition.tosMountConfig,
+        logConfig: currentDefinition.logConfig,
+    };
+    const desiredConfigOnly = {
+        runtime: desiredDefinition.runtime,
+        handler: desiredDefinition.handler,
+        memorySize: desiredDefinition.memorySize,
+        timeout: desiredDefinition.timeout,
+        environment: desiredDefinition.environment,
+        description: desiredDefinition.description,
+        role: desiredDefinition.role,
+        vpcConfig: desiredDefinition.vpcConfig,
+        tosMountConfig: desiredDefinition.tosMountConfig,
+        logConfig: desiredDefinition.logConfig,
+    };
+    const configChanged = !(0, common_1.attributesEqual)(existingConfigOnly, desiredConfigOnly);
+    if (configChanged) {
+        await client.vefaas.updateFunctionConfiguration(config);
+    }
+    if (codeChanged) {
+        const codeContent = await Promise.resolve().then(() => __importStar(require('node:fs'))).then((fs) => fs.readFileSync(codePath));
+        const codeBase64 = codeContent.toString('base64');
+        await client.vefaas.updateFunctionCode(fn.name, codeBase64);
+    }
+    const functionInfo = await client.vefaas.getFunction(fn.name);
+    if (!functionInfo) {
+        throw new Error(lang_1.lang.__('RESOURCE_NOT_FOUND_PROVIDER', { resourceType: 'Function', name: fn.name }));
+    }
+    const sid = currentInstance.sid ?? (0, common_1.buildSid)('volcengine', context.service, context.stage, fn.name);
+    const vefaasInstance = buildVefaasInstanceFromProvider(functionInfo, sid);
+    const existingDependentInstances = existingInstances
+        .filter((i) => i.type !== 'VOLCENGINE_VEFAAS_FUNCTION')
+        .map((i) => {
+        const { sid: existingSid, id: existingId, ...rest } = i;
+        return {
+            sid: existingSid ??
+                (0, common_1.buildSid)('volcengine', i.type?.toString().replace('VOLCENGINE_', '').toLowerCase() ?? '', context.stage, existingId?.toString() ?? ''),
+            id: existingId?.toString() ?? '',
+            ...rest,
+        };
+    });
+    const newDependentInstancesMapped = newDependentInstances.map((dep) => ({
+        sid: dep.sid ??
+            (0, common_1.buildSid)('volcengine', dep.type.replace('VOLCENGINE_', '').toLowerCase(), context.stage, dep.id),
+        id: dep.id,
+        type: dep.type,
+        ...(dep.trn ? { trn: dep.trn } : {}),
+        ...dep.attributes,
+    }));
+    const resourceState = {
+        mode: 'managed',
+        region: context.region,
+        definition: desiredDefinition,
+        instances: [vefaasInstance, ...existingDependentInstances, ...newDependentInstancesMapped],
+        status: 'ready',
+        lastUpdated: new Date().toISOString(),
+    };
+    return (0, common_1.setResource)(state, logicalId, resourceState);
+};
+exports.updateResource = updateResource;
+const deleteResource = async (context, functionName, logicalId, state) => {
+    const existingState = (0, common_1.getResource)(state, logicalId);
+    const existingInstances = (existingState?.instances ?? []);
+    const hasVefaasFunction = existingInstances.some((i) => i.type === 'VOLCENGINE_VEFAAS_FUNCTION');
+    const client = (0, volcengineClient_1.createVolcengineClient)(context);
+    if (hasVefaasFunction) {
+        try {
+            await client.vefaas.deleteFunction(functionName);
+        }
+        catch (err) {
+            const errorCode = err?.code;
+            if (errorCode === 'FunctionNotFound' || errorCode === 'ResourceNotFound') {
+                logger_1.logger.warn(lang_1.lang.__('RESOURCE_NOT_FOUND_PROVIDER', { resourceType: 'Function', name: functionName }));
+            }
+            else {
+                throw err;
+            }
+        }
+    }
+    const dependentInstances = existingInstances.filter((i) => i.type !== 'VOLCENGINE_VEFAAS_FUNCTION' && !i.type.includes('undefined'));
+    if (dependentInstances.length > 0) {
+        await deleteDependentResources(context, dependentInstances);
+    }
+    return (0, common_1.removeResource)(state, logicalId);
+};
+exports.deleteResource = deleteResource;

package/dist/src/stack/volcengineStack/vefaasTypes.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTrustedServicesForFunction = exports.buildDefaultTrustPolicy = exports.extractVefaasDefinition = exports.functionToVefaasConfig = void 0;
+/**
+ * Determines which Volcengine services should be trusted to assume the function's IAM role.
+ *
+ * IMPORTANT: `trigger.backend` is expected to be an *unresolved* YAML reference string in the
+ * form `${functions.<functionKey>}` (e.g. `${functions.my_fn}`). This function compares against
+ * that raw string — NOT against a resolved function name or ARN. If the backend value has already
+ * been resolved to a function name, this check will silently return false and `apigateway` will
+ * NOT be added to the trust policy, breaking API Gateway invocation.
+ */
+const getTrustedServicesForFunction = (fn, context) => {
+    const expectedBackendRef = `\${functions.${fn.key}}`;
+    const hasApiGateway = context.iac?.events?.some((event) => event.triggers?.some((trigger) => String(trigger.backend) === expectedBackendRef));
+    return hasApiGateway
+        ? ['vefaas.volcengine.com', 'apigateway.volcengine.com']
+        : ['vefaas.volcengine.com'];
+};
+exports.getTrustedServicesForFunction = getTrustedServicesForFunction;
+const functionToVefaasConfig = (fn, options) => {
+    const config = {
+        functionName: fn.name,
+        runtime: fn.code.runtime,
+        handler: fn.code.handler,
+        memoryMb: fn.memory ?? 512,
+        requestTimeout: fn.timeout ?? 60,
+        environmentVariables: fn.environment,
+    };
+    if (options?.role) {
+        config.role = options.role;
+    }
+    if (options?.vpcConfig) {
+        config.vpcConfig = options.vpcConfig;
+    }
+    if (options?.tosMountConfig) {
+        config.tosMountConfig = options.tosMountConfig;
+    }
+    if (options?.logConfig) {
+        config.logConfig = options.logConfig;
+    }
+    return config;
+};
+exports.functionToVefaasConfig = functionToVefaasConfig;
+const extractVefaasDefinition = (config, codeHash) => {
+    return {
+        functionName: config.functionName,
+        runtime: config.runtime,
+        handler: config.handler,
+        memorySize: config.memoryMb,
+        timeout: config.requestTimeout,
+        environment: config.environmentVariables || {},
+        codeHash,
+        description: config.description,
+        role: config.role,
+        vpcConfig: config.vpcConfig,
+        tosMountConfig: config.tosMountConfig,
+        logConfig: config.logConfig,
+    };
+};
+exports.extractVefaasDefinition = extractVefaasDefinition;
+const buildDefaultTrustPolicy = (trustedServices) => {
+    return {
+        Statement: [
+            {
+                Effect: 'Allow',
+                Action: ['sts:AssumeRole'],
+                Principal: {
+                    Service: trustedServices,
+                },
+            },
+        ],
+    };
+};
+exports.buildDefaultTrustPolicy = buildDefaultTrustPolicy;

package/dist/src/types/domains/state.js

@@ -28,6 +28,9 @@ var ResourceTypeEnum;
     ResourceTypeEnum["ALIYUN_NAS_ACCESS_GROUP"] = "ALIYUN_NAS_ACCESS_GROUP";
     ResourceTypeEnum["ALIYUN_NAS_FILE_SYSTEM"] = "ALIYUN_NAS_FILE_SYSTEM";
     ResourceTypeEnum["ALIYUN_NAS_MOUNT_TARGET"] = "ALIYUN_NAS_MOUNT_TARGET";
+    // Volcengine - Primary Resources
+    ResourceTypeEnum["VOLCENGINE_VEFAAS_FUNCTION"] = "VOLCENGINE_VEFAAS_FUNCTION";
+    ResourceTypeEnum["VOLCENGINE_TOS_BUCKET"] = "VOLCENGINE_TOS_BUCKET";
 })(ResourceTypeEnum || (exports.ResourceTypeEnum = ResourceTypeEnum = {}));
 exports.CURRENT_STATE_VERSION = '3.0';
 class PartialResourceError extends Error {