@hot-updater/aws 0.25.13 → 0.26.0

package/dist/iac/index.js

@@ -6431,6 +6431,221 @@ function omit(obj, keys) {
 	return result;
 }
 
+//#endregion
+//#region iac/cloudfrontDistributionConfig.ts
+const HOT_UPDATER_LEGACY_CHECK_UPDATE_HEADERS = [
+	"x-bundle-id",
+	"x-app-version",
+	"x-app-platform",
+	"x-min-bundle-id",
+	"x-channel",
+	"x-fingerprint-hash"
+];
+const HOT_UPDATER_LEGACY_CHECK_UPDATE_CACHE_POLICY_CONFIG = {
+	Name: "HotUpdaterLegacyCheckUpdateNoCache",
+	Comment: "Forward legacy check-update headers to origin-request Lambda with effectively no cache",
+	DefaultTTL: 0,
+	MaxTTL: 1,
+	MinTTL: 0,
+	ParametersInCacheKeyAndForwardedToOrigin: {
+		EnableAcceptEncodingBrotli: false,
+		EnableAcceptEncodingGzip: false,
+		HeadersConfig: {
+			HeaderBehavior: "whitelist",
+			Headers: {
+				Quantity: HOT_UPDATER_LEGACY_CHECK_UPDATE_HEADERS.length,
+				Items: [...HOT_UPDATER_LEGACY_CHECK_UPDATE_HEADERS]
+			}
+		},
+		CookiesConfig: { CookieBehavior: "none" },
+		QueryStringsConfig: { QueryStringBehavior: "none" }
+	}
+};
+const HOT_UPDATER_SHARED_CACHE_POLICY_CONFIG = {
+	Name: "HotUpdaterOriginCacheControl",
+	Comment: "Honor origin Cache-Control without forwarding viewer Host/cookies/query strings",
+	DefaultTTL: 0,
+	MaxTTL: 31536e3,
+	MinTTL: 0,
+	ParametersInCacheKeyAndForwardedToOrigin: {
+		EnableAcceptEncodingBrotli: true,
+		EnableAcceptEncodingGzip: true,
+		HeadersConfig: { HeaderBehavior: "none" },
+		CookiesConfig: { CookieBehavior: "none" },
+		QueryStringsConfig: { QueryStringBehavior: "none" }
+	}
+};
+const READ_ONLY_METHODS = {
+	Quantity: 2,
+	Items: ["HEAD", "GET"],
+	CachedMethods: {
+		Quantity: 2,
+		Items: ["HEAD", "GET"]
+	}
+};
+const EMPTY_FUNCTION_ASSOCIATIONS = { Quantity: 0 };
+const EMPTY_LAMBDA_FUNCTION_ASSOCIATIONS = { Quantity: 0 };
+const HOT_UPDATER_BEHAVIOR_BASE = {
+	ViewerProtocolPolicy: "redirect-to-https",
+	SmoothStreaming: false,
+	Compress: true,
+	FunctionAssociations: EMPTY_FUNCTION_ASSOCIATIONS,
+	FieldLevelEncryptionId: "",
+	AllowedMethods: READ_ONLY_METHODS
+};
+const HOT_UPDATER_CACHE_BEHAVIOR_TEMPLATES = [{
+	pathPattern: "/api/check-update",
+	cachePolicy: "legacy"
+}, {
+	pathPattern: "/api/check-update/*",
+	cachePolicy: "shared"
+}];
+const omitLegacyCacheFields = (value) => {
+	const { ForwardedValues: _forwardedValues, MinTTL: _minTTL, DefaultTTL: _defaultTTL, MaxTTL: _maxTTL, OriginRequestPolicyId: _originRequestPolicyId,...rest } = value;
+	return rest;
+};
+const sanitizeDefaultBehavior = (behavior) => ({
+	...omitLegacyCacheFields(behavior),
+	LambdaFunctionAssociations: behavior.LambdaFunctionAssociations ?? EMPTY_LAMBDA_FUNCTION_ASSOCIATIONS,
+	FunctionAssociations: behavior.FunctionAssociations ?? EMPTY_FUNCTION_ASSOCIATIONS
+});
+const sanitizeCacheBehavior = (behavior) => ({
+	...omitLegacyCacheFields(behavior),
+	LambdaFunctionAssociations: behavior.LambdaFunctionAssociations ?? EMPTY_LAMBDA_FUNCTION_ASSOCIATIONS,
+	FunctionAssociations: behavior.FunctionAssociations ?? EMPTY_FUNCTION_ASSOCIATIONS
+});
+const sanitizeDistributionConfig = (distributionConfig) => ({
+	...distributionConfig,
+	DefaultCacheBehavior: distributionConfig.DefaultCacheBehavior ? sanitizeDefaultBehavior(distributionConfig.DefaultCacheBehavior) : distributionConfig.DefaultCacheBehavior,
+	CacheBehaviors: distributionConfig.CacheBehaviors ? {
+		Quantity: distributionConfig.CacheBehaviors.Quantity,
+		Items: (distributionConfig.CacheBehaviors.Items ?? []).map((behavior) => sanitizeCacheBehavior(behavior))
+	} : distributionConfig.CacheBehaviors
+});
+const buildOriginRequestLambdaAssociations = (functionArn) => ({
+	Quantity: 1,
+	Items: [{
+		EventType: "origin-request",
+		LambdaFunctionARN: functionArn
+	}]
+});
+const buildS3Origin = (options) => ({
+	Id: options.bucketName,
+	DomainName: options.bucketDomain,
+	OriginAccessControlId: options.oacId,
+	S3OriginConfig: { OriginAccessIdentity: "" },
+	CustomHeaders: { Quantity: 0 }
+});
+const buildSharedBehavior = (targetOriginId) => ({
+	TargetOriginId: targetOriginId,
+	...HOT_UPDATER_BEHAVIOR_BASE
+});
+const buildDefaultCacheBehavior = (options) => ({
+	...buildSharedBehavior(options.bucketName),
+	TrustedKeyGroups: {
+		Enabled: true,
+		Quantity: 1,
+		Items: [options.keyGroupId]
+	},
+	CachePolicyId: options.sharedCachePolicyId,
+	LambdaFunctionAssociations: EMPTY_LAMBDA_FUNCTION_ASSOCIATIONS
+});
+const resolveCachePolicyId = (cachePolicy, { legacyCachePolicyId, sharedCachePolicyId }) => {
+	if (cachePolicy === "legacy") return legacyCachePolicyId;
+	if (cachePolicy === "shared") return sharedCachePolicyId;
+};
+const buildCacheBehavior = (template, options) => ({
+	...buildSharedBehavior(options.bucketName),
+	PathPattern: template.pathPattern,
+	CachePolicyId: resolveCachePolicyId(template.cachePolicy, {
+		legacyCachePolicyId: options.legacyCachePolicyId,
+		sharedCachePolicyId: options.sharedCachePolicyId
+	}),
+	LambdaFunctionAssociations: buildOriginRequestLambdaAssociations(options.functionArn)
+});
+const mergeOriginWithExisting = (existingOrigin, overrideOrigin) => ({
+	...existingOrigin,
+	...overrideOrigin,
+	CustomHeaders: existingOrigin?.CustomHeaders ?? { Quantity: 0 }
+});
+const mergeBehaviorWithExisting = (existingBehavior, overrideBehavior) => ({
+	...omitLegacyCacheFields(existingBehavior ?? {}),
+	...overrideBehavior,
+	LambdaFunctionAssociations: overrideBehavior.LambdaFunctionAssociations ?? existingBehavior?.LambdaFunctionAssociations ?? EMPTY_LAMBDA_FUNCTION_ASSOCIATIONS,
+	FunctionAssociations: overrideBehavior.FunctionAssociations ?? existingBehavior?.FunctionAssociations ?? EMPTY_FUNCTION_ASSOCIATIONS
+});
+const buildDistributionConfigOverrides = (options) => ({
+	Origins: {
+		Quantity: 1,
+		Items: [buildS3Origin({
+			bucketName: options.bucketName,
+			bucketDomain: options.bucketDomain,
+			oacId: options.oacId
+		})]
+	},
+	DefaultCacheBehavior: buildDefaultCacheBehavior({
+		bucketName: options.bucketName,
+		keyGroupId: options.keyGroupId,
+		sharedCachePolicyId: options.sharedCachePolicyId
+	}),
+	CacheBehaviors: {
+		Quantity: HOT_UPDATER_CACHE_BEHAVIOR_TEMPLATES.length,
+		Items: HOT_UPDATER_CACHE_BEHAVIOR_TEMPLATES.map((template) => buildCacheBehavior(template, {
+			bucketName: options.bucketName,
+			functionArn: options.functionArn,
+			legacyCachePolicyId: options.legacyCachePolicyId,
+			sharedCachePolicyId: options.sharedCachePolicyId
+		}))
+	}
+});
+const applyDistributionConfigOverrides = (distributionConfig, overrides) => {
+	return sanitizeDistributionConfig({
+		...distributionConfig,
+		Origins: {
+			Quantity: overrides.Origins.Quantity,
+			Items: (overrides.Origins.Items ?? []).map((overrideOrigin) => {
+				return mergeOriginWithExisting((distributionConfig.Origins?.Items ?? []).find((origin) => origin.Id === overrideOrigin.Id || origin.DomainName === overrideOrigin.DomainName), overrideOrigin);
+			})
+		},
+		DefaultCacheBehavior: mergeBehaviorWithExisting(distributionConfig.DefaultCacheBehavior, overrides.DefaultCacheBehavior),
+		CacheBehaviors: {
+			Quantity: overrides.CacheBehaviors.Quantity,
+			Items: (overrides.CacheBehaviors.Items ?? []).map((overrideBehavior) => {
+				return mergeBehaviorWithExisting((distributionConfig.CacheBehaviors?.Items ?? []).find((behavior) => behavior.PathPattern === overrideBehavior.PathPattern), overrideBehavior);
+			})
+		}
+	});
+};
+const buildDistributionConfig = (options) => sanitizeDistributionConfig({
+	CallerReference: (/* @__PURE__ */ new Date()).toISOString(),
+	Comment: "Hot Updater CloudFront distribution",
+	Enabled: true,
+	...buildDistributionConfigOverrides(options),
+	DefaultRootObject: "index.html",
+	ViewerCertificate: { CloudFrontDefaultCertificate: true },
+	Restrictions: { GeoRestriction: {
+		RestrictionType: "none",
+		Quantity: 0
+	} },
+	PriceClass: "PriceClass_All",
+	Aliases: {
+		Quantity: 0,
+		Items: []
+	}
+});
+
+//#endregion
+//#region iac/cloudfrontPagination.ts
+const findInPaginatedCloudFrontList = async ({ listPage, matches }) => {
+	let marker;
+	do {
+		const { items, nextMarker } = await listPage(marker);
+		const matchedItem = items.find(matches);
+		if (matchedItem) return matchedItem;
+		marker = nextMarker;
+	} while (marker);
+};
+
 //#endregion
 //#region iac/cloudfront.ts
 var CloudFrontManager = class {
@@ -6440,6 +6655,44 @@ var CloudFrontManager = class {
 		this.region = region;
 		this.credentials = credentials;
 	}
+	async getOrCreateSharedCachePolicy(cloudfrontClient) {
+		const existingPolicyId = (await findInPaginatedCloudFrontList({
+			listPage: async (marker) => {
+				const listPoliciesResponse = await cloudfrontClient.listCachePolicies({
+					Type: "custom",
+					...marker ? { Marker: marker } : {}
+				});
+				return {
+					items: listPoliciesResponse.CachePolicyList?.Items ?? [],
+					nextMarker: listPoliciesResponse.CachePolicyList?.NextMarker
+				};
+			},
+			matches: (policy) => policy.CachePolicy?.CachePolicyConfig?.Name === HOT_UPDATER_SHARED_CACHE_POLICY_CONFIG.Name
+		}))?.CachePolicy?.Id;
+		if (existingPolicyId) return existingPolicyId;
+		const cachePolicyId = (await cloudfrontClient.createCachePolicy({ CachePolicyConfig: HOT_UPDATER_SHARED_CACHE_POLICY_CONFIG })).CachePolicy?.Id;
+		if (!cachePolicyId) throw new Error("Failed to create shared cache policy");
+		return cachePolicyId;
+	}
+	async getOrCreateLegacyCheckUpdateCachePolicy(cloudfrontClient) {
+		const existingPolicyId = (await findInPaginatedCloudFrontList({
+			listPage: async (marker) => {
+				const listPoliciesResponse = await cloudfrontClient.listCachePolicies({
+					Type: "custom",
+					...marker ? { Marker: marker } : {}
+				});
+				return {
+					items: listPoliciesResponse.CachePolicyList?.Items ?? [],
+					nextMarker: listPoliciesResponse.CachePolicyList?.NextMarker
+				};
+			},
+			matches: (policy) => policy.CachePolicy?.CachePolicyConfig?.Name === HOT_UPDATER_LEGACY_CHECK_UPDATE_CACHE_POLICY_CONFIG.Name
+		}))?.CachePolicy?.Id;
+		if (existingPolicyId) return existingPolicyId;
+		const cachePolicyId = (await cloudfrontClient.createCachePolicy({ CachePolicyConfig: HOT_UPDATER_LEGACY_CHECK_UPDATE_CACHE_POLICY_CONFIG })).CachePolicy?.Id;
+		if (!cachePolicyId) throw new Error("Failed to create legacy check-update cache policy");
+		return cachePolicyId;
+	}
 	async getOrCreateKeyGroup(publicKey) {
 		const publicKeyHash = crypto.createHash("sha256").update(publicKey).digest("hex").slice(0, 16);
 		const cloudfrontClient = new CloudFront({
@@ -6502,6 +6755,18 @@ var CloudFrontManager = class {
 		}
 		if (!oacId) throw new Error("Failed to get Origin Access Control ID");
 		const bucketDomain = `${options.bucketName}.s3.${this.region}.amazonaws.com`;
+		let legacyCachePolicyId;
+		let sharedCachePolicyId;
+		try {
+			legacyCachePolicyId = await this.getOrCreateLegacyCheckUpdateCachePolicy(cloudfrontClient);
+		} catch (error) {
+			throw new Error(`Failed to get or create legacy check-update cache policy: ${error instanceof Error ? error.message : String(error)}`);
+		}
+		try {
+			sharedCachePolicyId = await this.getOrCreateSharedCachePolicy(cloudfrontClient);
+		} catch (error) {
+			throw new Error(`Failed to get or create shared cache policy: ${error instanceof Error ? error.message : String(error)}`);
+		}
 		const matchingDistributions = [];
 		try {
 			const items = (await cloudfrontClient.listDistributions({})).DistributionList?.Items || [];
@@ -6525,136 +6790,21 @@ var CloudFrontManager = class {
 			if (p.isCancel(selectedDistributionStr)) process.exit(0);
 			selectedDistribution = JSON.parse(selectedDistributionStr);
 		}
-		const newOverrides = {
-			Origins: {
-				Quantity: 1,
-				Items: [{
-					Id: options.bucketName,
-					DomainName: bucketDomain,
-					OriginAccessControlId: oacId,
-					S3OriginConfig: { OriginAccessIdentity: "" }
-				}]
-			},
-			DefaultCacheBehavior: {
-				TargetOriginId: options.bucketName,
-				ViewerProtocolPolicy: "redirect-to-https",
-				TrustedKeyGroups: {
-					Enabled: true,
-					Quantity: 1,
-					Items: [options.keyGroupId]
-				},
-				ForwardedValues: {
-					QueryString: true,
-					Cookies: { Forward: "none" },
-					QueryStringCacheKeys: {
-						Quantity: 0,
-						Items: []
-					}
-				},
-				MinTTL: 0,
-				SmoothStreaming: false,
-				Compress: true,
-				FieldLevelEncryptionId: "",
-				AllowedMethods: {
-					Quantity: 2,
-					Items: ["HEAD", "GET"],
-					CachedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"]
-					}
-				}
-			},
-			CacheBehaviors: {
-				Quantity: 2,
-				Items: [{
-					PathPattern: "/api/check-update",
-					TargetOriginId: options.bucketName,
-					ViewerProtocolPolicy: "redirect-to-https",
-					LambdaFunctionAssociations: {
-						Quantity: 1,
-						Items: [{
-							EventType: "origin-request",
-							LambdaFunctionARN: options.functionArn
-						}]
-					},
-					MinTTL: 0,
-					DefaultTTL: 0,
-					MaxTTL: 0,
-					SmoothStreaming: false,
-					Compress: true,
-					FieldLevelEncryptionId: "",
-					AllowedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"],
-						CachedMethods: {
-							Quantity: 2,
-							Items: ["HEAD", "GET"]
-						}
-					},
-					ForwardedValues: {
-						QueryString: false,
-						Cookies: { Forward: "none" },
-						Headers: {
-							Quantity: 6,
-							Items: [
-								"x-bundle-id",
-								"x-app-version",
-								"x-app-platform",
-								"x-min-bundle-id",
-								"x-channel",
-								"x-fingerprint-hash"
-							]
-						},
-						QueryStringCacheKeys: {
-							Quantity: 0,
-							Items: []
-						}
-					}
-				}, {
-					PathPattern: "/api/check-update/*",
-					TargetOriginId: options.bucketName,
-					ViewerProtocolPolicy: "redirect-to-https",
-					LambdaFunctionAssociations: {
-						Quantity: 1,
-						Items: [{
-							EventType: "origin-request",
-							LambdaFunctionARN: options.functionArn
-						}]
-					},
-					MinTTL: 0,
-					DefaultTTL: 31536e3,
-					MaxTTL: 31536e3,
-					SmoothStreaming: false,
-					Compress: true,
-					FieldLevelEncryptionId: "",
-					AllowedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"],
-						CachedMethods: {
-							Quantity: 2,
-							Items: ["HEAD", "GET"]
-						}
-					},
-					ForwardedValues: {
-						QueryString: false,
-						Cookies: { Forward: "none" },
-						Headers: {
-							Quantity: 0,
-							Items: []
-						},
-						QueryStringCacheKeys: {
-							Quantity: 0,
-							Items: []
-						}
-					}
-				}]
-			}
-		};
+		const newOverrides = buildDistributionConfigOverrides({
+			bucketName: options.bucketName,
+			bucketDomain,
+			functionArn: options.functionArn,
+			keyGroupId: options.keyGroupId,
+			oacId,
+			legacyCachePolicyId,
+			sharedCachePolicyId
+		});
 		if (selectedDistribution) {
 			p.log.success(`Existing CloudFront distribution selected. Distribution ID: ${selectedDistribution.Id}.`);
 			try {
 				const { DistributionConfig, ETag } = await cloudfrontClient.getDistributionConfig({ Id: selectedDistribution.Id });
-				const finalConfig = merge(DistributionConfig ?? {}, newOverrides);
+				if (!DistributionConfig) throw new Error("CloudFront distribution config was not returned");
+				const finalConfig = applyDistributionConfigOverrides(DistributionConfig, newOverrides);
 				await cloudfrontClient.updateDistribution({
 					Id: selectedDistribution.Id,
 					IfMatch: ETag,
@@ -6681,145 +6831,15 @@ var CloudFrontManager = class {
 				throw err;
 			}
 		}
-		const finalDistributionConfig = {
-			CallerReference: (/* @__PURE__ */ new Date()).toISOString(),
-			Comment: "Hot Updater CloudFront distribution",
-			Enabled: true,
-			Origins: {
-				Quantity: 1,
-				Items: [{
-					Id: options.bucketName,
-					DomainName: bucketDomain,
-					OriginAccessControlId: oacId,
-					S3OriginConfig: { OriginAccessIdentity: "" }
-				}]
-			},
-			DefaultCacheBehavior: {
-				TargetOriginId: options.bucketName,
-				ViewerProtocolPolicy: "redirect-to-https",
-				TrustedKeyGroups: {
-					Enabled: true,
-					Quantity: 1,
-					Items: [options.keyGroupId]
-				},
-				ForwardedValues: {
-					QueryString: true,
-					Cookies: { Forward: "none" },
-					QueryStringCacheKeys: {
-						Quantity: 0,
-						Items: []
-					}
-				},
-				MinTTL: 0,
-				SmoothStreaming: false,
-				Compress: true,
-				FieldLevelEncryptionId: "",
-				AllowedMethods: {
-					Quantity: 2,
-					Items: ["HEAD", "GET"],
-					CachedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"]
-					}
-				}
-			},
-			CacheBehaviors: {
-				Quantity: 2,
-				Items: [{
-					PathPattern: "/api/check-update",
-					TargetOriginId: options.bucketName,
-					ViewerProtocolPolicy: "redirect-to-https",
-					LambdaFunctionAssociations: {
-						Quantity: 1,
-						Items: [{
-							EventType: "origin-request",
-							LambdaFunctionARN: options.functionArn
-						}]
-					},
-					MinTTL: 0,
-					DefaultTTL: 0,
-					MaxTTL: 0,
-					SmoothStreaming: false,
-					Compress: true,
-					FieldLevelEncryptionId: "",
-					AllowedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"],
-						CachedMethods: {
-							Quantity: 2,
-							Items: ["HEAD", "GET"]
-						}
-					},
-					ForwardedValues: {
-						QueryString: false,
-						Cookies: { Forward: "none" },
-						Headers: {
-							Quantity: 6,
-							Items: [
-								"x-bundle-id",
-								"x-app-version",
-								"x-app-platform",
-								"x-min-bundle-id",
-								"x-channel",
-								"x-fingerprint-hash"
-							]
-						},
-						QueryStringCacheKeys: {
-							Quantity: 0,
-							Items: []
-						}
-					}
-				}, {
-					PathPattern: "/api/check-update/*",
-					TargetOriginId: options.bucketName,
-					ViewerProtocolPolicy: "redirect-to-https",
-					LambdaFunctionAssociations: {
-						Quantity: 1,
-						Items: [{
-							EventType: "origin-request",
-							LambdaFunctionARN: options.functionArn
-						}]
-					},
-					MinTTL: 0,
-					DefaultTTL: 31536e3,
-					MaxTTL: 31536e3,
-					SmoothStreaming: false,
-					Compress: true,
-					FieldLevelEncryptionId: "",
-					AllowedMethods: {
-						Quantity: 2,
-						Items: ["HEAD", "GET"],
-						CachedMethods: {
-							Quantity: 2,
-							Items: ["HEAD", "GET"]
-						}
-					},
-					ForwardedValues: {
-						QueryString: false,
-						Cookies: { Forward: "none" },
-						Headers: {
-							Quantity: 0,
-							Items: []
-						},
-						QueryStringCacheKeys: {
-							Quantity: 0,
-							Items: []
-						}
-					}
-				}]
-			},
-			DefaultRootObject: "index.html",
-			ViewerCertificate: { CloudFrontDefaultCertificate: true },
-			Restrictions: { GeoRestriction: {
-				RestrictionType: "none",
-				Quantity: 0
-			} },
-			PriceClass: "PriceClass_All",
-			Aliases: {
-				Quantity: 0,
-				Items: []
-			}
-		};
+		const finalDistributionConfig = buildDistributionConfig({
+			bucketName: options.bucketName,
+			bucketDomain,
+			functionArn: options.functionArn,
+			keyGroupId: options.keyGroupId,
+			oacId,
+			legacyCachePolicyId,
+			sharedCachePolicyId
+		});
 		try {
 			const distResp = await cloudfrontClient.createDistribution({ DistributionConfig: finalDistributionConfig });
 			if (!distResp.Distribution?.Id || !distResp.Distribution?.DomainName) throw new Error("Failed to create CloudFront distribution: No ID or DomainName returned");
@@ -6861,6 +6881,14 @@ var IAMManager = class {
 		this.region = region;
 		this.credentials = credentials;
 	}
+	async ensureManagedPolicies(iamClient, roleName) {
+		const attachedPolicies = await iamClient.listAttachedRolePolicies({ RoleName: roleName });
+		const attachedPolicyArns = new Set((attachedPolicies.AttachedPolicies ?? []).map((policy) => policy.PolicyArn));
+		for (const policyArn of ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]) if (!attachedPolicyArns.has(policyArn)) await iamClient.attachRolePolicy({
+			RoleName: roleName,
+			PolicyArn: policyArn
+		});
+	}
 	async createOrSelectRole() {
 		const iamClient = new IAM({
 			region: this.region,
@@ -6891,6 +6919,7 @@ var IAMManager = class {
 		try {
 			const { Role: existingRole } = await iamClient.getRole({ RoleName: roleName });
 			if (existingRole?.Arn) {
+				await this.ensureManagedPolicies(iamClient, roleName);
 				try {
 					await iamClient.putRolePolicy({
 						RoleName: roleName,
@@ -6914,14 +6943,7 @@ var IAMManager = class {
 				if (!createRoleResp.Role?.Arn) throw new Error("Failed to create IAM role: No ARN returned");
 				const lambdaRoleArn = createRoleResp.Role.Arn;
 				p.log.info(`Created IAM role: ${roleName} (${lambdaRoleArn})`);
-				await iamClient.attachRolePolicy({
-					RoleName: roleName,
-					PolicyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-				});
-				await iamClient.attachRolePolicy({
-					RoleName: roleName,
-					PolicyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
-				});
+				await this.ensureManagedPolicies(iamClient, roleName);
 				p.log.info(`Attached managed policies to ${roleName}`);
 				await iamClient.putRolePolicy({
 					RoleName: roleName,
@@ -6960,7 +6982,8 @@ var LambdaEdgeDeployer = class {
 		const code = transformEnv(indexPath, {
 			CLOUDFRONT_KEY_PAIR_ID: config.publicKeyId,
 			SSM_PARAMETER_NAME: config.ssmParameterName,
-			SSM_REGION: config.ssmRegion
+			SSM_REGION: config.ssmRegion,
+			S3_BUCKET_NAME: config.bucketName
 		});
 		await fs$1.writeFile(indexPath, code);
 		const lambdaClient = new Lambda({
@@ -7728,6 +7751,7 @@ const runInit = async ({ build }) => {
 	const lambdaEdgeDeployer = new LambdaEdgeDeployer(credentials);
 	const ssmParameterName = `/hot-updater/${bucketName}/keypair`;
 	const { functionArn } = await lambdaEdgeDeployer.deploy(lambdaRoleArn, {
+		bucketName,
 		publicKeyId,
 		ssmParameterName,
 		ssmRegion: bucketRegion