@govuk-pay/cli 0.0.17 → 0.0.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.17",
+  "version": "0.0.19",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",
@@ -11,6 +11,10 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
+    "@aws-sdk/client-ec2": "^3.641.0",
+    "@aws-sdk/client-ecs": "^3.637.0",
+    "@aws-sdk/client-rds": "^3.637.0",
+    "@aws-sdk/client-ssm": "^3.651.1",
     "openurl": "^1.1.1",
     "ts-standard": "^12.0.2"
   },

package/resources/usageDetails.txt

@@ -8,4 +8,5 @@ Commands:
   pay schema                   # Generates web based database diagrams and me...
   pay secrets                  # Manage secrets in and between environments
   pay ssm                      # Start an SSM session to boxes in environments
+  pay tunnel                   # Open tunnel to application database
   pay tf                       # Runs Terraform

package/src/commands/tunnel.js

@@ -0,0 +1,392 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logTunnelCommands = void 0;
+const standardContent_js_1 = require("../core/standardContent.js");
+const client_ec2_1 = require("@aws-sdk/client-ec2");
+const client_ecs_1 = require("@aws-sdk/client-ecs");
+const client_rds_1 = require("@aws-sdk/client-rds");
+const client_ssm_1 = require("@aws-sdk/client-ssm");
+const readline_1 = __importDefault(require("readline"));
+const child_process_1 = require("child_process");
+const constants_js_1 = require("../core/constants.js");
+let ec2;
+let ecs;
+let ssm;
+const FORMAT = {
+    red: '\x1b[31m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    reset: '\x1b[0m',
+    ul: '\x1b[4m',
+    ulstop: '\x1b[24m'
+};
+function logTunnelCommands() {
+    console.log(`Commands:
+    pay tunnel <ENVIRONMENT> <APP-NAME> # Open tunnel to application <APP-NAME> database in specified environment <ENVIRONMENT>
+    pay tunnel help                     # Describe tunnel command`);
+}
+exports.logTunnelCommands = logTunnelCommands;
+async function tunnelHandler(options) {
+    await (0, standardContent_js_1.showHeader)();
+    const { environment, application } = parseArguments(options);
+    console.log(`Opening a database tunnel to ${environment} ${application}`);
+    ec2 = new client_ec2_1.EC2Client();
+    ecs = new client_ecs_1.ECSClient();
+    ssm = new client_ssm_1.SSMClient();
+    let bastionTask = null;
+    try {
+        printWarningToUser();
+        const database = await getDatabaseDetails(environment, application);
+        bastionTask = await startBastion(environment);
+        openTunnel(bastionTask, database, environment);
+        printHowToTunnelText(application, environment, database.EngineVersion);
+        await waitForExit();
+        await shutdown(environment, bastionTask);
+    }
+    catch (error) {
+        if (typeof error === 'string') {
+            printError(error);
+        }
+        else if (error instanceof Error) {
+            printError(error.message);
+        }
+        await shutdown(environment, bastionTask);
+        process.exit(2);
+    }
+}
+exports.default = tunnelHandler;
+function parseArguments(options) {
+    if (options.arguments.length !== 2 || options.arguments[0] === 'help') {
+        logTunnelCommands();
+        process.exit(0);
+    }
+    const environment = options.arguments[0];
+    const application = options.arguments[1];
+    if (!constants_js_1.APPLICATIONS.includes(application)) {
+        printError(`Invalid application: "${application}". Must be one of ${constants_js_1.APPLICATIONS.join(', ')}`);
+        process.exit(2);
+    }
+    if (!constants_js_1.ENVIRONMENTS.includes(environment)) {
+        printError(`Invalid environment: "${environment}". Must be one of ${constants_js_1.ENVIRONMENTS.join(', ')}`);
+        process.exit(2);
+    }
+    return {
+        environment, application
+    };
+}
+async function waitForExit() {
+    const prompt = "\nTo shutdown bastion task and close tunnel type 'exit' or 'Ctrl-C'\n";
+    const rl = readline_1.default.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    printGreen(prompt);
+    return await new Promise(resolve => {
+        rl.on('line', input => {
+            if (input === 'exit') {
+                rl.close();
+                resolve();
+            }
+            else {
+                console.log(`Unknown command ${input}`);
+                printGreen(prompt);
+            }
+        });
+        rl.on('SIGINT', () => {
+            console.log('Received: Ctrl-C');
+            rl.close();
+            resolve();
+        });
+    });
+}
+async function startBastion(environment) {
+    const subnetIds = await getBastionSubNets(environment);
+    const securityGroupIds = await getBastionSecurityGroups(environment);
+    let bastionTask = await launchBastionTask(environment, subnetIds, securityGroupIds);
+    bastionTask = await waitForBastionToBeReady(bastionTask, environment);
+    return bastionTask;
+}
+async function getBastionSubNets(environment) {
+    const subnetCommand = new client_ec2_1.DescribeSubnetsCommand({
+        Filters: [{
+                Name: 'tag:Name',
+                Values: [`${environment}-bastion`]
+            }]
+    });
+    const subnetCommandResponse = await ec2.send(subnetCommand);
+    const subnets = subnetCommandResponse.Subnets;
+    if (subnets == null || subnets.length < 1) {
+        throw new Error(`Failed to find subnets for the bastion in ${environment}`);
+    }
+    return subnets
+        .filter(s => s.SubnetId !== undefined)
+        .map((subnet) => subnet.SubnetId);
+}
+async function getBastionSecurityGroups(environment) {
+    const securityGroupCommand = new client_ec2_1.DescribeSecurityGroupsCommand({
+        Filters: [{
+                Name: 'group-name',
+                Values: [`${environment}-bastion`]
+            }]
+    });
+    const securityGroupCommandResponse = await ec2.send(securityGroupCommand);
+    const securityGroups = securityGroupCommandResponse.SecurityGroups;
+    if (securityGroups == null || securityGroups.length < 1) {
+        throw new Error(`Failed to find security groups for the bastion in ${environment}`);
+    }
+    return securityGroups
+        .filter(s => s.GroupId !== undefined)
+        .map((securityGroup) => securityGroup.GroupId);
+}
+async function launchBastionTask(environment, subnetIds, securityGroupIds) {
+    const runTaskCommand = new client_ecs_1.RunTaskCommand({
+        cluster: `${environment}-fargate`,
+        taskDefinition: `${environment}-bastion`,
+        launchType: 'FARGATE',
+        enableExecuteCommand: true,
+        networkConfiguration: {
+            awsvpcConfiguration: {
+                subnets: subnetIds,
+                securityGroups: securityGroupIds,
+                assignPublicIp: 'DISABLED'
+            }
+        },
+        // TODO: Add the developer's name as a Tag or suffix to startedBy.
+        startedBy: 'PAY-CLI'
+    });
+    const runTaskCommandResponse = await ecs.send(runTaskCommand);
+    if ((runTaskCommandResponse.failures != null) && runTaskCommandResponse.failures.length > 0) {
+        const failureReasons = runTaskCommandResponse.failures
+            .map((failure) => failure.reason)
+            .join(', ');
+        throw new Error(`Failed to run bastion task: ${failureReasons}`);
+    }
+    else if (runTaskCommandResponse.tasks?.length !== 1) {
+        throw new Error(`Expected 1 bastion task but got: ${String(runTaskCommandResponse.tasks?.length)}`);
+    }
+    else {
+        return runTaskCommandResponse.tasks[0];
+    }
+}
+async function refreshTask(taskArn, environment) {
+    const describeTaskCommand = new client_ecs_1.DescribeTasksCommand({
+        cluster: `${environment}-fargate`,
+        tasks: [taskArn]
+    });
+    const describeTaskCommandResponse = await ecs.send(describeTaskCommand);
+    if ((describeTaskCommandResponse.failures != null) && describeTaskCommandResponse.failures.length > 0) {
+        const failureReasons = describeTaskCommandResponse.failures
+            .map((failure) => failure.reason)
+            .join(', ');
+        throw new Error(`Failed to get task: ${failureReasons}`);
+    }
+    else if (describeTaskCommandResponse.tasks?.length !== 1) {
+        throw new Error(`Expected 1 bastion task but got: ${String(describeTaskCommandResponse.tasks?.length)}`);
+    }
+    else {
+        return describeTaskCommandResponse.tasks[0];
+    }
+}
+async function sleep(ms) {
+    return await new Promise(resolve => setTimeout(resolve, ms));
+}
+async function waitForBastionToBeReady(task, environment) {
+    console.log('Waiting for the bastion task to start');
+    let previousStatus;
+    while (!isRunningAndConnected(task)) {
+        if (task.lastStatus !== previousStatus) {
+            previousStatus = task.lastStatus;
+            process.stdout.write(`\n\tCurrent status: ${task.lastStatus} `);
+            if (task.lastStatus === 'RUNNING') {
+                process.stdout.write('\n\tWaiting for the bastion to connect to the network ');
+            }
+        }
+        else {
+            process.stdout.write('.');
+        }
+        await sleep(1000);
+        task = await refreshTask(task.taskArn, environment);
+        if (task.desiredStatus !== 'RUNNING') {
+            console.error(`\tBastion desired state is unexpectedly: ${task.desiredStatus}`);
+            throw Error('Bastion task failed to start');
+        }
+    }
+    console.log('\n\tBastion started successfully');
+    return task;
+}
+function isRunningAndConnected(task) {
+    // RUNNING doesn't mean that the task is ready to accept network connections.
+    // The 'ExecuteCommandAgent' must be running within the container before ssm
+    // can connect. Note: task.connectivity === 'CONNECTED' is not sufficient.
+    const connectionStatus = task.attachments
+        ?.filter(a => a.type === 'ElasticNetworkInterface')
+        .map(a => a.status)[0];
+    const agentStatus = task.containers
+        ?.flatMap(c => c.managedAgents)
+        .filter(agent => agent?.name === 'ExecuteCommandAgent')
+        .map(agent => agent?.lastStatus)[0];
+    return task.lastStatus === 'RUNNING' && connectionStatus === 'ATTACHED' && agentStatus === 'RUNNING';
+}
+async function stopBastion(task, environment) {
+    const stopTaskCommand = new client_ecs_1.StopTaskCommand({
+        task: task.taskArn,
+        cluster: `${environment}-fargate`,
+        reason: 'Stopping bastion'
+    });
+    const stopTaskCommandResponse = await ecs.send(stopTaskCommand);
+    if (stopTaskCommandResponse.task == null) {
+        throw new Error(`Failed to stop bastion task: ${task.taskArn}`);
+    }
+    console.log('Stopping Bastion');
+}
+async function getDatabaseDetails(environment, application) {
+    const describeDbCommand = new client_rds_1.DescribeDBInstancesCommand({});
+    const rds = new client_rds_1.RDSClient();
+    const describeDbCommandResponse = await rds.send(describeDbCommand);
+    if (describeDbCommandResponse.DBInstances == null || describeDbCommandResponse.DBInstances.length < 1) {
+        throw new Error(`Failed to find the database for ${application} in ${environment}`);
+    }
+    const appDatabases = describeDbCommandResponse.DBInstances
+        .filter(s => s.DBInstanceIdentifier?.startsWith(`${environment}-${application}`));
+    if (appDatabases.length === 0) {
+        throw new Error(`Failed to find the database for ${application} in ${environment}`);
+    }
+    else if (appDatabases.length > 1) {
+        // TODO: Allow an argument to specify the exact database name. Print out how
+        // to re-run the describeDbCommand specifying the required database.
+        const databaseNames = appDatabases.map(d => d.DBInstanceIdentifier).join(':');
+        throw new Error(`There are multiple matching databases: ${databaseNames}`);
+    }
+    else {
+        return appDatabases[0];
+    }
+}
+function openTunnel(task, db, environment) {
+    const cluster = `${environment}-fargate`;
+    const ecsTaskId = task.taskArn?.split('/').at(-1);
+    const ecsContainerRunTimeId = task.containers?.map(c => c.runtimeId)[0];
+    const rdsEndpoint = db.Endpoint?.Address;
+    const target = `ecs:${cluster}_${ecsTaskId}_${ecsContainerRunTimeId}`;
+    const parameters = `{"host":["${rdsEndpoint}"],"portNumber":["5432"],"localPortNumber":["65432"]}`;
+    const commandArgs = [
+        'ssm',
+        'start-session',
+        '--target', target,
+        '--document-name', 'AWS-StartPortForwardingSessionToRemoteHost',
+        '--parameters', parameters
+    ];
+    const tunnelProc = (0, child_process_1.spawn)('aws', commandArgs, { detached: true });
+    // TODO: useful for testing when the spawned process exits itself. Consider
+    // removing before final launch of the command.
+    // const tunnelProc = spawn('sleep', ['5'], { detached: true })
+    tunnelProc.stdout.on('data', (data) => {
+        console.log(`tunnel command: ${data}`);
+    });
+    tunnelProc.stderr.on('data', (data) => {
+        console.error(`tunnel command error: ${data}`);
+    });
+    tunnelProc.on('close', (code, _signal) => {
+        if (code !== null && code !== 0) {
+            console.error(`\nTunnel unexpectedly closed with exit code: ${code}`);
+            console.group();
+            console.error('Type `exit` or `Ctrl-C` to shutdown the bastion task then try again.');
+            const tunnelCommandForConsole = commandArgs
+                .join(' ')
+                .replaceAll('--', '\\\n--')
+                .replace('{', "'{")
+                .replace('}', "}'");
+            console.error(`The command to manually create the tunnel is: \naws ${tunnelCommandForConsole}`);
+            console.groupEnd();
+        }
+        else {
+            console.log('Tunnel closed');
+        }
+    });
+    return tunnelProc;
+}
+async function shutdown(environment, bastionTask) {
+    console.log('Shutting down');
+    if (bastionTask != null) {
+        await terminateSession(bastionTask, environment);
+    }
+    if (bastionTask !== null) {
+        bastionTask = await refreshTask(bastionTask.taskArn, environment);
+        if (bastionTask.desiredStatus !== 'STOPPED') {
+            await stopBastion(bastionTask, environment);
+        }
+    }
+    printGreen('Shutdown complete.');
+}
+async function terminateSession(task, environment) {
+    const cluster = `${environment}-fargate`;
+    const ecsTaskId = task.taskArn?.split('/').at(-1);
+    const ecsContainerRunTimeId = task.containers?.map(c => c.runtimeId)[0];
+    const target = `ecs:${cluster}_${ecsTaskId}_${ecsContainerRunTimeId}`;
+    const describeSessionsCommand = new client_ssm_1.DescribeSessionsCommand({
+        State: 'Active',
+        Filters: [
+            {
+                key: 'Target',
+                value: target
+            }
+        ]
+    });
+    const describeSessionsOutput = await ssm.send(describeSessionsCommand);
+    const sessions = describeSessionsOutput.Sessions;
+    if (sessions != null) {
+        for (const session of sessions) {
+            const terminateSessionCommand = new client_ssm_1.TerminateSessionCommand({
+                SessionId: session.SessionId
+            });
+            await ssm.send(terminateSessionCommand);
+        }
+    }
+}
+function printHowToTunnelText(application, environment, dbEngineVersion) {
+    const dbUser = getDbUser(application);
+    const payLowPassDbSecretName = getPayLowPassDbSecretname(environment, dbUser);
+    const paySecretsPasswordName = getPaySecretsPasswordName();
+    printGreen(`\nConnected tunnel to ${application} RDS database in ${environment} on port 65432\n`);
+    printGreen('Copy DB credentials to clipboard (in another window) using pay-low-pass:');
+    printGreen(`  pay-low-pass ${payLowPassDbSecretName} | pbcopy`);
+    printGreen('Alternatively, fetch credentials from pay secrets:');
+    printGreen(`  pay secrets fetch ${environment} ${application} ${paySecretsPasswordName} | pbcopy`);
+    printGreen('Open psql with:');
+    printGreen(`  psql -h localhost -p 65432 -U ${dbUser} -d ${application}`);
+    printGreen('Alternatively connect using docker instead of needing psql installed locally and set the password automatically using pay-low-pass:');
+    printGreen(`   docker run --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}`);
+    printGreen('Or even more conveniently connect using a docker container and set the password automatically using pay-low-pass:');
+    printGreen(`   docker run -e "PGPASSWORD=$(pay-low-pass ${payLowPassDbSecretName})" --rm -ti postgres:${dbEngineVersion}-alpine psql --host docker.for.mac.localhost --port 65432 --user ${dbUser} --dbname ${application}\n`);
+}
+// TODO: add a write flag. Default to readonly.
+function getDbUser(application) {
+    return `${application}_support_readonly`;
+}
+function getPayLowPassDbSecretname(environment, user) {
+    return `aws/rds/support_readonly_users/${environment.split('-')[0]}/${user}`;
+}
+function getPaySecretsPasswordName() {
+    return 'DB_SUPPORT_PASSWORD_READONLY';
+}
+function printWarningToUser() {
+    console.log(FORMAT.yellow, '⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).', FORMAT.reset);
+    console.log(FORMAT.yellow, `Avoid sending or accessing ${FORMAT.ul}anything${FORMAT.ulstop} that could cause a security breach, such as:`, FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+    console.log(FORMAT.yellow, '• Secret API Keys or Tokens', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Credentials or Passwords', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Cardholder Data or Personally-Identifiable Information (PII)', FORMAT.reset);
+    console.log(FORMAT.yellow, '• Anything else that may be protected by GDPR or PCI-DSS', FORMAT.reset);
+    console.log(FORMAT.yellow, "• Anything classified as GSC 'Secret' or above", FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+    console.log(FORMAT.yellow, `If you have a problem with this or aren't sure, use Ctrl-C ${FORMAT.ul}right now${FORMAT.ulstop} and discontinue your SSM session.`, FORMAT.reset);
+    console.log(FORMAT.yellow, FORMAT.reset);
+}
+function printError(error) {
+    console.error(`${FORMAT.red}${error}${FORMAT.reset}`);
+}
+function printGreen(message) {
+    console.error(`${FORMAT.green}${message}${FORMAT.reset}`);
+}

package/src/core/commandRouter.js

@@ -8,10 +8,14 @@ const browse_js_1 = __importDefault(require("../commands/browse.js"));
 const demo_js_1 = __importDefault(require("../commands/demo.js"));
 const legacy_1 = __importDefault(require("../commands/legacy"));
 const help_1 = __importDefault(require("../commands/help"));
+const tunnel_js_1 = __importDefault(require("../commands/tunnel.js"));
 const handlers = new Map();
 handlers.set('browse', {
     handler: browse_js_1.default
 });
+handlers.set('tunnel', {
+    handler: tunnel_js_1.default
+});
 handlers.set('legacy', {
     handler: legacy_1.default
 });

package/src/core/constants.js

@@ -23,11 +23,29 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
+exports.APPLICATIONS = exports.ENVIRONMENTS = exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
 const path = __importStar(require("path"));
 exports.rootDir = path.resolve(__dirname, '..', '..');
 exports.rootDirForBuildTasks = exports.rootDir.endsWith('dist') ? path.resolve(exports.rootDir, '..') : exports.rootDir;
 exports.distDirForBuildTasks = path.join(exports.rootDirForBuildTasks, 'dist');
+exports.ENVIRONMENTS = ['test-12', 'test-perf-1', 'staging-2', 'deploy-tooling', 'production-2'];
+exports.APPLICATIONS = [
+    'adminusers',
+    'cardid',
+    'connector',
+    'egress',
+    'frontend',
+    'ledger',
+    'notifications',
+    'pact-broker',
+    'products',
+    'products',
+    'publicapi',
+    'publicauth',
+    'selfservice',
+    'toolbox',
+    'webhooks'
+];
 exports.default = {
     rootDir: exports.rootDir,
     distDirForBuildTasks: exports.distDirForBuildTasks,