@hasna/uptime 0.1.23 → 0.1.25

package/infra/aws/main.tf

@@ -17,16 +17,21 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
 locals {
-  prefix                = "${var.service_name}-${var.stage}"
-  container_port        = 3899
-  evidence_bucket       = "hasna-${var.stage}-${var.service_name}-evidence"
-  efs_uid               = 10001
-  efs_gid               = 10001
-  hosted_sqlite_db_path = "/data/uptime/uptime.db"
-  efs_enabled_services  = toset(["web"])
-  use_alb_https         = var.protected_access_mode == "alb_https_cert"
-  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
-  use_origin_verify     = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
+  prefix                             = "${var.service_name}-${var.stage}"
+  container_port                     = 3899
+  evidence_bucket                    = "hasna-${var.stage}-${var.service_name}-evidence"
+  efs_uid                            = 10001
+  efs_gid                            = 10001
+  hosted_sqlite_db_path              = "/data/uptime/uptime.db"
+  efs_enabled_services               = toset(["web"])
+  expected_runtime_package_integrity = coalesce(var.runtime_package_integrity, "")
+  use_alb_https                      = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront                     = var.protected_access_mode == "cloudfront_default_domain"
+  cloudfront_https_origin = (
+    local.use_cloudfront && var.cloudfront_origin_protocol_policy == "https-only"
+  )
+  alb_https_listener_enabled = local.use_alb_https || local.cloudfront_https_origin
+  use_origin_verify          = local.use_cloudfront && var.enable_cloudfront_origin_verify_header
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -236,9 +241,18 @@ resource "aws_codebuild_project" "image_builder" {
             - aws ecr get-login-password --region ${var.region} | docker login --username AWS --password-stdin ${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com
         build:
           commands:
-            - npm pack @hasna/uptime@${var.runtime_package_version}
+            - EXPECTED_RUNTIME_PACKAGE_INTEGRITY='${local.expected_runtime_package_integrity}'
+            - PACKAGE_TARBALL=$(npm pack @hasna/uptime@${var.runtime_package_version} --silent)
+            - PACKAGE_INTEGRITY=$(npm view @hasna/uptime@${var.runtime_package_version} dist.integrity --json | tr -d '"')
+            - test -n "$PACKAGE_INTEGRITY"
+            - |
+              if [ -n "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ] && [ "$PACKAGE_INTEGRITY" != "$EXPECTED_RUNTIME_PACKAGE_INTEGRITY" ]; then
+                echo "runtime package integrity mismatch" >&2
+                exit 1
+              fi
+            - printf 'runtime package integrity %s\n' "$PACKAGE_INTEGRITY"
             - mkdir package
-            - tar -xzf hasna-uptime-*.tgz -C package --strip-components=1
+            - tar -xzf "$PACKAGE_TARBALL" -C package --strip-components=1
             - cd package
             - docker build -f Dockerfile.package -t ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version} .
             - docker push ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version}
@@ -366,8 +380,19 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_https_from_cloudfront" {
+  count             = local.cloudfront_https_origin ? 1 : 0
+  type              = "ingress"
+  description       = "HTTPS from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_http_from_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   type              = "ingress"
   description       = "HTTP from CloudFront origin-facing ranges"
   security_group_id = aws_security_group.alb.id
@@ -881,21 +906,37 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
-  count             = local.use_alb_https ? 1 : 0
+  count             = local.alb_https_listener_enabled ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
   tags              = local.tags
 
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.web.arn
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [] : [1]
+    content {
+      type             = "forward"
+      target_group_arn = aws_lb_target_group.web.arn
+    }
+  }
+
+  dynamic "default_action" {
+    for_each = local.cloudfront_https_origin && local.use_origin_verify ? [1] : []
+    content {
+      type = "fixed-response"
+
+      fixed_response {
+        content_type = "text/plain"
+        message_body = "forbidden"
+        status_code  = "403"
+      }
+    }
   }
 }
 
 resource "aws_lb_listener" "http_cloudfront" {
-  count             = local.use_cloudfront ? 1 : 0
+  count             = local.use_cloudfront && !local.cloudfront_https_origin ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 80
   protocol          = "HTTP"
@@ -924,7 +965,7 @@ resource "aws_lb_listener" "http_cloudfront" {
 }
 
 resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
-  count        = local.use_origin_verify ? 1 : 0
+  count        = local.use_origin_verify && !local.cloudfront_https_origin ? 1 : 0
   listener_arn = aws_lb_listener.http_cloudfront[0].arn
   priority     = var.cloudfront_origin_verify_listener_rule_priority
   tags         = local.tags
@@ -942,6 +983,25 @@ resource "aws_lb_listener_rule" "http_cloudfront_origin_verify" {
   }
 }
 
+resource "aws_lb_listener_rule" "https_cloudfront_origin_verify" {
+  count        = local.use_origin_verify && local.cloudfront_https_origin ? 1 : 0
+  listener_arn = aws_lb_listener.https[0].arn
+  priority     = var.cloudfront_origin_verify_listener_rule_priority
+  tags         = local.tags
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+
+  condition {
+    http_header {
+      http_header_name = var.cloudfront_origin_verify_header_name
+      values           = [var.cloudfront_origin_verify_header_value]
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "open_uptime" {
   count           = local.use_cloudfront ? 1 : 0
   enabled         = true
@@ -951,7 +1011,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
   tags            = local.tags
 
   origin {
-    domain_name = aws_lb.open_uptime.dns_name
+    domain_name = local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name
     origin_id   = "${local.prefix}-alb"
 
     dynamic "custom_header" {
@@ -965,7 +1025,7 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     custom_origin_config {
       http_port              = 80
       https_port             = 443
-      origin_protocol_policy = "http-only"
+      origin_protocol_policy = var.cloudfront_origin_protocol_policy
       origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
@@ -1000,7 +1060,12 @@ resource "aws_cloudfront_distribution" "open_uptime" {
     cloudfront_default_certificate = true
   }
 
-  depends_on = [aws_lb_listener.http_cloudfront, aws_lb_listener_rule.http_cloudfront_origin_verify]
+  depends_on = [
+    aws_lb_listener.http_cloudfront,
+    aws_lb_listener.https,
+    aws_lb_listener_rule.http_cloudfront_origin_verify,
+    aws_lb_listener_rule.https_cloudfront_origin_verify,
+  ]
 }
 
 resource "aws_route53_record" "open_uptime" {
@@ -1016,6 +1081,19 @@ resource "aws_route53_record" "open_uptime" {
   }
 }
 
+resource "aws_route53_record" "cloudfront_origin" {
+  count   = local.cloudfront_https_origin && var.hosted_zone_id != null ? 1 : 0
+  zone_id = var.hosted_zone_id
+  name    = var.cloudfront_origin_domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.open_uptime.dns_name
+    zone_id                = aws_lb.open_uptime.zone_id
+    evaluate_target_health = true
+  }
+}
+
 data "aws_iam_policy_document" "ecs_assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -1194,12 +1272,14 @@ resource "aws_ecs_task_definition" "service" {
 }
 
 resource "aws_ecs_service" "web" {
-  name            = "${local.prefix}-web"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service["web"].arn
-  desired_count   = local.services.web.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-web"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service["web"].arn
+  desired_count           = local.services.web.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true
@@ -1226,12 +1306,14 @@ resource "aws_ecs_service" "worker" {
     for key, value in local.services : key => value if key != "web" && key != "migration"
   }
 
-  name            = "${local.prefix}-${each.key}"
-  cluster         = aws_ecs_cluster.open_uptime.id
-  task_definition = aws_ecs_task_definition.service[each.key].arn
-  desired_count   = each.value.desired_count
-  launch_type     = "FARGATE"
-  tags            = local.tags
+  name                    = "${local.prefix}-${each.key}"
+  cluster                 = aws_ecs_cluster.open_uptime.id
+  task_definition         = aws_ecs_task_definition.service[each.key].arn
+  desired_count           = each.value.desired_count
+  launch_type             = "FARGATE"
+  enable_ecs_managed_tags = true
+  propagate_tags          = "SERVICE"
+  tags                    = local.tags
 
   deployment_circuit_breaker {
     enable   = true

package/infra/aws/outputs.tf

@@ -18,6 +18,14 @@ output "cloudfront_domain_name" {
   value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
 }
 
+output "cloudfront_origin_protocol_policy" {
+  value = local.use_cloudfront ? var.cloudfront_origin_protocol_policy : null
+}
+
+output "cloudfront_origin_domain_name" {
+  value = local.use_cloudfront ? (local.cloudfront_https_origin ? var.cloudfront_origin_domain_name : aws_lb.open_uptime.dns_name) : null
+}
+
 output "protected_access_url" {
   value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
 }

package/infra/aws/terraform.tfvars.example

@@ -11,6 +11,8 @@ workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
 protected_access_mode    = "cloudfront_default_domain"
+cloudfront_origin_protocol_policy = "http-only"
+cloudfront_origin_domain_name     = null
 enable_cloudfront_origin_verify_header = false
 cloudfront_origin_verify_header_name   = "X-Open-Uptime-Origin-Verify"
 cloudfront_origin_verify_header_value  = null
@@ -19,7 +21,8 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.23"
+runtime_package_version   = "0.1.25"
+runtime_package_integrity = null
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"

package/infra/aws/variables.tf

@@ -77,7 +77,7 @@ variable "ecr_repository_name" {
 }
 
 variable "protected_access_mode" {
-  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts ALB HTTP to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
+  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts the ALB origin to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
   type        = string
   default     = "cloudfront_default_domain"
 
@@ -87,6 +87,40 @@ variable "protected_access_mode" {
   }
 }
 
+variable "cloudfront_origin_protocol_policy" {
+  description = "CloudFront-to-ALB origin protocol policy. Keep http-only until an origin hostname and matching ACM certificate are approved; set https-only with cloudfront_origin_domain_name and certificate_arn before token-bearing live traffic."
+  type        = string
+  default     = "http-only"
+
+  validation {
+    condition     = contains(["http-only", "https-only"], var.cloudfront_origin_protocol_policy)
+    error_message = "cloudfront_origin_protocol_policy must be http-only or https-only."
+  }
+}
+
+variable "cloudfront_origin_domain_name" {
+  description = "DNS hostname CloudFront uses for the ALB custom origin when cloudfront_origin_protocol_policy is https-only. The hostname must resolve to the ALB and match certificate_arn. Leave null for the default HTTP-origin bridge."
+  type        = string
+  default     = null
+  nullable    = true
+
+  validation {
+    condition = (
+      var.cloudfront_origin_domain_name == null
+      || can(regex("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$", var.cloudfront_origin_domain_name))
+    )
+    error_message = "cloudfront_origin_domain_name must be null or a valid DNS hostname."
+  }
+
+  validation {
+    condition = (
+      !(var.protected_access_mode == "cloudfront_default_domain" && var.cloudfront_origin_protocol_policy == "https-only")
+      || var.cloudfront_origin_domain_name != null
+    )
+    error_message = "cloudfront_origin_domain_name is required when CloudFront HTTPS origin is enabled."
+  }
+}
+
 variable "enable_cloudfront_origin_verify_header" {
   description = "When true in cloudfront_default_domain mode, CloudFront sends a private origin header and the ALB listener rejects requests missing the matching value."
   type        = bool
@@ -201,7 +235,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.23"
+  default     = "0.1.25"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -209,8 +243,20 @@ variable "runtime_package_version" {
   }
 }
 
+variable "runtime_package_integrity" {
+  description = "Optional expected npm dist.integrity value for @hasna/uptime@runtime_package_version. When set, CodeBuild verifies the registry tarball integrity before building the image."
+  type        = string
+  default     = null
+  nullable    = true
+
+  validation {
+    condition     = var.runtime_package_integrity == null || can(regex("^sha512-[A-Za-z0-9+/=]+$", var.runtime_package_integrity))
+    error_message = "runtime_package_integrity must be null or an npm sha512 integrity string."
+  }
+}
+
 variable "certificate_arn" {
-  description = "ACM certificate ARN for ALB HTTPS mode. Leave null when protected_access_mode is cloudfront_default_domain."
+  description = "ACM certificate ARN for ALB HTTPS mode or CloudFront HTTPS-origin mode. Leave null only when the ALB is not serving HTTPS."
   type        = string
   default     = null
 
@@ -220,8 +266,11 @@ variable "certificate_arn" {
   }
 
   validation {
-    condition     = var.protected_access_mode != "alb_https_cert" || var.certificate_arn != null
-    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert."
+    condition = (
+      !(var.protected_access_mode == "alb_https_cert" || (var.protected_access_mode == "cloudfront_default_domain" && var.cloudfront_origin_protocol_policy == "https-only"))
+      || var.certificate_arn != null
+    )
+    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert or CloudFront HTTPS origin is enabled."
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",
@@ -26,6 +26,7 @@
     "Dockerfile",
     "Dockerfile.package",
     ".dockerignore",
+    "bun.lock",
     "infra/aws/README.md",
     "infra/aws/.terraform.lock.hcl",
     "infra/aws/*.tf",