@hot-updater/aws 0.20.13 → 0.20.14

package/dist/iac/index.cjs

@@ -70,6 +70,8 @@ let crypto = require("crypto");
 crypto = __toESM(crypto);
 let __aws_sdk_client_iam = require("@aws-sdk/client-iam");
 __aws_sdk_client_iam = __toESM(__aws_sdk_client_iam);
+let __aws_sdk_client_sts = require("@aws-sdk/client-sts");
+__aws_sdk_client_sts = __toESM(__aws_sdk_client_sts);
 let __aws_sdk_client_lambda = require("@aws-sdk/client-lambda");
 __aws_sdk_client_lambda = __toESM(__aws_sdk_client_lambda);
 let fs_promises = require("fs/promises");
@@ -8050,6 +8052,11 @@ var IAMManager = class {
 			region: this.region,
 			credentials: this.credentials
 		});
+		const accountId = (await new __aws_sdk_client_sts.STS({
+			region: this.region,
+			credentials: this.credentials
+		}).getCallerIdentity({})).Account;
+		if (!accountId) throw new Error("Failed to get AWS account ID");
 		const assumeRolePolicyDocument = JSON.stringify({
 			Version: "2012-10-17",
 			Statement: [{
@@ -8059,9 +8066,27 @@ var IAMManager = class {
 			}]
 		});
 		const roleName = "hot-updater-edge-role";
+		const ssmPolicyDocument = JSON.stringify({
+			Version: "2012-10-17",
+			Statement: [{
+				Effect: "Allow",
+				Action: ["ssm:GetParameter"],
+				Resource: `arn:aws:ssm:*:${accountId}:parameter/hot-updater/*`
+			}]
+		});
 		try {
 			const { Role: existingRole } = await iamClient.getRole({ RoleName: roleName });
 			if (existingRole?.Arn) {
+				try {
+					await iamClient.putRolePolicy({
+						RoleName: roleName,
+						PolicyName: "HotUpdaterSSMAccess",
+						PolicyDocument: ssmPolicyDocument
+					});
+					f.info("Updated SSM access policy for existing IAM role");
+				} catch {
+					f.warn("Failed to update SSM policy, continuing anyway");
+				}
 				f.info(`Using existing IAM role: ${roleName} (${existingRole.Arn})`);
 				return existingRole.Arn;
 			}
@@ -8070,7 +8095,7 @@ var IAMManager = class {
 				const lambdaRoleArn = (await iamClient.createRole({
 					RoleName: roleName,
 					AssumeRolePolicyDocument: assumeRolePolicyDocument,
-					Description: "Role for Lambda@Edge to access S3"
+					Description: "Role for Lambda@Edge to access S3 and SSM"
 				})).Role?.Arn;
 				f.info(`Created IAM role: ${roleName} (${lambdaRoleArn})`);
 				await iamClient.attachRolePolicy({
@@ -8081,7 +8106,13 @@ var IAMManager = class {
 					RoleName: roleName,
 					PolicyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 				});
-				f.info(`Attached required policies to ${roleName}`);
+				f.info(`Attached managed policies to ${roleName}`);
+				await iamClient.putRolePolicy({
+					RoleName: roleName,
+					PolicyName: "HotUpdaterSSMAccess",
+					PolicyDocument: ssmPolicyDocument
+				});
+				f.info(`Added SSM access inline policy to ${roleName}`);
 				return lambdaRoleArn;
 			} catch (createError) {
 				if (createError instanceof Error) f.error(`Error setting up IAM role: ${createError.message}`);
@@ -8099,7 +8130,7 @@ var LambdaEdgeDeployer = class {
 	constructor(credentials) {
 		this.credentials = credentials;
 	}
-	async deploy(lambdaRoleArn, keyPair) {
+	async deploy(lambdaRoleArn, config) {
 		const cwd = (0, __hot_updater_plugin_core.getCwd)();
 		const lambdaName = await he({
 			message: "Enter the name of the Lambda@Edge function",
@@ -8111,8 +8142,9 @@ var LambdaEdgeDeployer = class {
 		const { tmpDir, removeTmpDir } = await (0, __hot_updater_plugin_core.copyDirToTmp)(path.default.dirname(lambdaPath));
 		const indexPath = path.default.join(tmpDir, "index.cjs");
 		const code = (0, __hot_updater_plugin_core.transformEnv)(indexPath, {
-			CLOUDFRONT_KEY_PAIR_ID: keyPair.publicKey,
-			CLOUDFRONT_PRIVATE_KEY_BASE64: Buffer.from(keyPair.privateKey).toString("base64")
+			CLOUDFRONT_KEY_PAIR_ID: config.publicKeyId,
+			SSM_PARAMETER_NAME: config.ssmParameterName,
+			SSM_REGION: config.ssmRegion
 		});
 		await fs_promises.default.writeFile(indexPath, code);
 		const lambdaClient = new __aws_sdk_client_lambda.Lambda({
@@ -8873,9 +8905,12 @@ const runInit = async ({ build }) => {
 	const keyPair = await new SSMKeyPairManager(bucketRegion, credentials).getOrCreateKeyPair(`/hot-updater/${bucketName}/keypair`);
 	const cloudFrontManager = new CloudFrontManager(bucketRegion, credentials);
 	const { publicKeyId, keyGroupId } = await cloudFrontManager.getOrCreateKeyGroup(keyPair.publicKey);
-	const { functionArn } = await new LambdaEdgeDeployer(credentials).deploy(lambdaRoleArn, {
-		publicKey: publicKeyId,
-		privateKey: keyPair.privateKey
+	const lambdaEdgeDeployer = new LambdaEdgeDeployer(credentials);
+	const ssmParameterName = `/hot-updater/${bucketName}/keypair`;
+	const { functionArn } = await lambdaEdgeDeployer.deploy(lambdaRoleArn, {
+		publicKeyId,
+		ssmParameterName,
+		ssmRegion: bucketRegion
 	});
 	const { distributionDomain, distributionId } = await cloudFrontManager.createOrUpdateDistribution({
 		keyGroupId,

package/dist/iac/index.js

@@ -23,6 +23,7 @@ import { Buffer as Buffer$1 } from "node:buffer";
 import { CloudFront } from "@aws-sdk/client-cloudfront";
 import crypto from "crypto";
 import { IAM } from "@aws-sdk/client-iam";
+import { STS } from "@aws-sdk/client-sts";
 import { Lambda } from "@aws-sdk/client-lambda";
 import fs$1 from "fs/promises";
 import { CopyObjectCommand, DeleteObjectCommand, GetObjectCommand, ListObjectsV2Command, S3 } from "@aws-sdk/client-s3";
@@ -8025,6 +8026,11 @@ var IAMManager = class {
 			region: this.region,
 			credentials: this.credentials
 		});
+		const accountId = (await new STS({
+			region: this.region,
+			credentials: this.credentials
+		}).getCallerIdentity({})).Account;
+		if (!accountId) throw new Error("Failed to get AWS account ID");
 		const assumeRolePolicyDocument = JSON.stringify({
 			Version: "2012-10-17",
 			Statement: [{
@@ -8034,9 +8040,27 @@ var IAMManager = class {
 			}]
 		});
 		const roleName = "hot-updater-edge-role";
+		const ssmPolicyDocument = JSON.stringify({
+			Version: "2012-10-17",
+			Statement: [{
+				Effect: "Allow",
+				Action: ["ssm:GetParameter"],
+				Resource: `arn:aws:ssm:*:${accountId}:parameter/hot-updater/*`
+			}]
+		});
 		try {
 			const { Role: existingRole } = await iamClient.getRole({ RoleName: roleName });
 			if (existingRole?.Arn) {
+				try {
+					await iamClient.putRolePolicy({
+						RoleName: roleName,
+						PolicyName: "HotUpdaterSSMAccess",
+						PolicyDocument: ssmPolicyDocument
+					});
+					f.info("Updated SSM access policy for existing IAM role");
+				} catch {
+					f.warn("Failed to update SSM policy, continuing anyway");
+				}
 				f.info(`Using existing IAM role: ${roleName} (${existingRole.Arn})`);
 				return existingRole.Arn;
 			}
@@ -8045,7 +8069,7 @@ var IAMManager = class {
 				const lambdaRoleArn = (await iamClient.createRole({
 					RoleName: roleName,
 					AssumeRolePolicyDocument: assumeRolePolicyDocument,
-					Description: "Role for Lambda@Edge to access S3"
+					Description: "Role for Lambda@Edge to access S3 and SSM"
 				})).Role?.Arn;
 				f.info(`Created IAM role: ${roleName} (${lambdaRoleArn})`);
 				await iamClient.attachRolePolicy({
@@ -8056,7 +8080,13 @@ var IAMManager = class {
 					RoleName: roleName,
 					PolicyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 				});
-				f.info(`Attached required policies to ${roleName}`);
+				f.info(`Attached managed policies to ${roleName}`);
+				await iamClient.putRolePolicy({
+					RoleName: roleName,
+					PolicyName: "HotUpdaterSSMAccess",
+					PolicyDocument: ssmPolicyDocument
+				});
+				f.info(`Added SSM access inline policy to ${roleName}`);
 				return lambdaRoleArn;
 			} catch (createError) {
 				if (createError instanceof Error) f.error(`Error setting up IAM role: ${createError.message}`);
@@ -8074,7 +8104,7 @@ var LambdaEdgeDeployer = class {
 	constructor(credentials) {
 		this.credentials = credentials;
 	}
-	async deploy(lambdaRoleArn, keyPair) {
+	async deploy(lambdaRoleArn, config) {
 		const cwd = getCwd();
 		const lambdaName = await he({
 			message: "Enter the name of the Lambda@Edge function",
@@ -8086,8 +8116,9 @@ var LambdaEdgeDeployer = class {
 		const { tmpDir, removeTmpDir } = await copyDirToTmp(path$1.dirname(lambdaPath));
 		const indexPath = path$1.join(tmpDir, "index.cjs");
 		const code = transformEnv(indexPath, {
-			CLOUDFRONT_KEY_PAIR_ID: keyPair.publicKey,
-			CLOUDFRONT_PRIVATE_KEY_BASE64: Buffer.from(keyPair.privateKey).toString("base64")
+			CLOUDFRONT_KEY_PAIR_ID: config.publicKeyId,
+			SSM_PARAMETER_NAME: config.ssmParameterName,
+			SSM_REGION: config.ssmRegion
 		});
 		await fs$1.writeFile(indexPath, code);
 		const lambdaClient = new Lambda({
@@ -8848,9 +8879,12 @@ const runInit = async ({ build }) => {
 	const keyPair = await new SSMKeyPairManager(bucketRegion, credentials).getOrCreateKeyPair(`/hot-updater/${bucketName}/keypair`);
 	const cloudFrontManager = new CloudFrontManager(bucketRegion, credentials);
 	const { publicKeyId, keyGroupId } = await cloudFrontManager.getOrCreateKeyGroup(keyPair.publicKey);
-	const { functionArn } = await new LambdaEdgeDeployer(credentials).deploy(lambdaRoleArn, {
-		publicKey: publicKeyId,
-		privateKey: keyPair.privateKey
+	const lambdaEdgeDeployer = new LambdaEdgeDeployer(credentials);
+	const ssmParameterName = `/hot-updater/${bucketName}/keypair`;
+	const { functionArn } = await lambdaEdgeDeployer.deploy(lambdaRoleArn, {
+		publicKeyId,
+		ssmParameterName,
+		ssmRegion: bucketRegion
 	});
 	const { distributionDomain, distributionId } = await cloudFrontManager.createOrUpdateDistribution({
 		keyGroupId,

package/dist/lambda/index.cjs

@@ -24,6 +24,8 @@ var __toESM$1 = (mod, isNodeMode, target) => (target = mod != null ? __create$1(
 }) : target, mod));
 
 //#endregion
+let __aws_sdk_client_ssm = require("@aws-sdk/client-ssm");
+__aws_sdk_client_ssm = __toESM$1(__aws_sdk_client_ssm);
 let node_crypto = require("node:crypto");
 node_crypto = __toESM$1(node_crypto);
 
@@ -3122,7 +3124,32 @@ const withSignedUrl = async ({ data, reqUrl, keyPairId, privateKey, expiresSecon
 //#endregion
 //#region lambda/index.ts
 const CLOUDFRONT_KEY_PAIR_ID = HotUpdater.CLOUDFRONT_KEY_PAIR_ID;
-const CLOUDFRONT_PRIVATE_KEY = Buffer.from(HotUpdater.CLOUDFRONT_PRIVATE_KEY_BASE64, "base64").toString("utf-8");
+const SSM_PARAMETER_NAME = HotUpdater.SSM_PARAMETER_NAME;
+const SSM_REGION = HotUpdater.SSM_REGION;
+let cachedPrivateKey = null;
+/**
+* Retrieves CloudFront private key from SSM Parameter Store
+* Uses global cache to avoid repeated SSM calls on warm Lambda invocations
+*/
+async function getPrivateKey() {
+	if (cachedPrivateKey !== null) return cachedPrivateKey;
+	if (!SSM_REGION) throw new Error(`Invalid AWS region format: ${SSM_REGION}. Expected format like 'us-east-1' or 'ap-southeast-1'`);
+	const response = await new __aws_sdk_client_ssm.SSM({ region: SSM_REGION }).getParameter({
+		Name: SSM_PARAMETER_NAME,
+		WithDecryption: true
+	});
+	if (!response.Parameter?.Value) throw new Error(`Failed to retrieve private key from SSM parameter: ${SSM_PARAMETER_NAME}`);
+	let keyPair;
+	try {
+		keyPair = JSON.parse(response.Parameter.Value);
+	} catch (error) {
+		throw new Error(`Invalid JSON format in SSM parameter: ${SSM_PARAMETER_NAME}. ${error instanceof Error ? error.message : String(error)}`);
+	}
+	const privateKey = keyPair.privateKey;
+	if (!privateKey || typeof privateKey !== "string") throw new Error(`Invalid private key format in SSM parameter: ${SSM_PARAMETER_NAME}`);
+	cachedPrivateKey = privateKey;
+	return privateKey;
+}
 const app = new Hono();
 const validatePlatform = (platform) => {
 	return ["ios", "android"].includes(platform);
@@ -3139,6 +3166,7 @@ const processDefaultValues = (channel, minBundleId) => ({
 const handleUpdateRequest = async (c, params, strategy, expiresSeconds) => {
 	try {
 		if (!c.req.header("host")) return c.json({ error: "Missing host header." }, 500);
+		const privateKey = await getPrivateKey();
 		const updateConfig = {
 			platform: params.platform,
 			bundleId: params.bundleId,
@@ -3155,14 +3183,14 @@ const handleUpdateRequest = async (c, params, strategy, expiresSeconds) => {
 		const updateInfo = await getUpdateInfo({
 			baseUrl: c.req.url,
 			keyPairId: CLOUDFRONT_KEY_PAIR_ID,
-			privateKey: CLOUDFRONT_PRIVATE_KEY
+			privateKey
 		}, updateConfig);
 		if (!updateInfo) return c.json(null);
 		const appUpdateInfo = await withSignedUrl({
 			data: updateInfo,
 			reqUrl: c.req.url,
 			keyPairId: CLOUDFRONT_KEY_PAIR_ID,
-			privateKey: CLOUDFRONT_PRIVATE_KEY,
+			privateKey,
 			expiresSeconds
 		});
 		return c.json(appUpdateInfo);

package/dist/lambda/index.d.cts

@@ -4,7 +4,8 @@ import { CloudFrontRequestHandler } from "aws-lambda";
 declare global {
   var HotUpdater: {
     CLOUDFRONT_KEY_PAIR_ID: string;
-    CLOUDFRONT_PRIVATE_KEY_BASE64: string;
+    SSM_PARAMETER_NAME: string;
+    SSM_REGION: string;
   };
 }
 declare const handler: CloudFrontRequestHandler;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@hot-updater/aws",
   "type": "module",
-  "version": "0.20.13",
+  "version": "0.20.14",
   "description": "React Native OTA solution for self-hosted",
   "main": "dist/index.cjs",
   "module": "dist/index.js",
@@ -45,8 +45,8 @@
     "mime": "^4.0.4",
     "picocolors": "1.1.1",
     "@clack/prompts": "0.10.0",
-    "@hot-updater/js": "0.20.13",
-    "@hot-updater/core": "0.20.13"
+    "@hot-updater/core": "0.20.14",
+    "@hot-updater/js": "0.20.14"
   },
   "dependencies": {
     "@aws-sdk/client-cloudfront": "3.772.0",
@@ -54,10 +54,11 @@
     "@aws-sdk/client-lambda": "3.772.0",
     "@aws-sdk/client-s3": "3.772.0",
     "@aws-sdk/client-ssm": "3.772.0",
+    "@aws-sdk/client-sts": "3.772.0",
     "@aws-sdk/credential-providers": "3.772.0",
     "@aws-sdk/lib-storage": "3.772.0",
     "aws-lambda": "1.0.7",
-    "@hot-updater/plugin-core": "0.20.13"
+    "@hot-updater/plugin-core": "0.20.14"
   },
   "scripts": {
     "build": "tsdown",