@hasna/uptime 0.1.13 → 0.1.14

package/CHANGELOG.md

@@ -6,6 +6,15 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.14] - 2026-06-28
+
+### Added
+
+- Added explicit Terraform NAT task egress support. Infra owners can set
+  `enable_nat_task_egress = true` to allow web and non-public worker task
+  security groups to reach AWS public APIs through a private subnet NAT route on
+  TCP/443 when private VPC endpoints are not the approved egress model.
+
 ## [0.1.13] - 2026-06-28
 
 ### Added

package/dist/cli/index.js

@@ -6932,7 +6932,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.13");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.13");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/index.js

@@ -4338,7 +4338,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.13");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/infra/aws/README.md

@@ -64,6 +64,13 @@ Endpoint policies are scoped to the Open Uptime repository, log groups,
 configured secret refs, KMS key, evidence bucket, and the regional ECR layer
 bucket.
 
+If private endpoints are not approved yet, infra owners can instead set
+`enable_nat_task_egress = true` to allow web and non-public worker task security
+groups to reach AWS public APIs through the private subnet NAT route on TCP/443.
+Keep this disabled when private endpoints are the approved egress path. Runtime
+scale-up still requires ECS task evidence for image pull, secret injection, log
+delivery, S3 access, and EFS mount behavior.
+
 Interface endpoint private DNS is VPC-wide. In shared VPCs, either keep endpoint
 creation in the approved networking root, or pass
 `additional_vpc_endpoint_source_security_group_ids` for every workload that must

package/infra/aws/main.tf

@@ -399,6 +399,32 @@ resource "aws_security_group_rule" "worker_egress" {
   cidr_blocks       = each.key == "public-probe" ? ["0.0.0.0/0"] : [data.aws_vpc.target.cidr_block]
 }
 
+resource "aws_security_group_rule" "web_nat_https_egress" {
+  count = var.enable_nat_task_egress ? 1 : 0
+
+  type              = "egress"
+  description       = "HTTPS egress through approved NAT path"
+  security_group_id = aws_security_group.web.id
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = var.nat_task_egress_cidr_blocks
+}
+
+resource "aws_security_group_rule" "worker_nat_https_egress" {
+  for_each = var.enable_nat_task_egress ? {
+    for key, value in aws_security_group.worker : key => value if key != "public-probe"
+  } : {}
+
+  type              = "egress"
+  description       = "HTTPS egress through approved NAT path"
+  security_group_id = each.value.id
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = var.nat_task_egress_cidr_blocks
+}
+
 resource "aws_security_group_rule" "web_s3_gateway_egress" {
   count = local.s3_gateway_endpoint_enabled ? 1 : 0
 

package/infra/aws/terraform.tfvars.example

@@ -16,7 +16,7 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.13"
+runtime_package_version  = "0.1.14"
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"
@@ -26,6 +26,7 @@ reporting_secret_arn     = "arn:aws:secretsmanager:us-east-1:123456789012:secret
 kms_key_arn              = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
 alarm_actions            = []
 monthly_budget_limit_usd = 0
+enable_nat_task_egress = false
 enable_private_vpc_endpoints = false
 additional_vpc_endpoint_source_security_group_ids = []
 

package/infra/aws/variables.tf

@@ -116,7 +116,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.13"
+  default     = "0.1.14"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -238,6 +238,23 @@ variable "budget_alert_email_addresses" {
   default     = []
 }
 
+variable "enable_nat_task_egress" {
+  description = "Allow web and non-public worker tasks to reach AWS public APIs through NAT on TCP/443. Keep false when private VPC endpoints are the approved egress path."
+  type        = bool
+  default     = false
+}
+
+variable "nat_task_egress_cidr_blocks" {
+  description = "CIDR blocks allowed for NAT-backed HTTPS egress when enable_nat_task_egress is true."
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+
+  validation {
+    condition     = length(var.nat_task_egress_cidr_blocks) > 0
+    error_message = "nat_task_egress_cidr_blocks must not be empty when NAT task egress is enabled."
+  }
+}
+
 variable "enable_private_vpc_endpoints" {
   description = "Create private VPC endpoints for ECS access to AWS APIs. Requires private subnet ids; S3 gateway endpoint also requires private_route_table_ids."
   type        = bool

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.13",
+  "version": "0.1.14",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",