@iacmp/cli 1.1.0

package/dist/commands/audit-ha.js

@@ -0,0 +1,375 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/commands/audit-ha.ts
+var audit_ha_exports = {};
+__export(audit_ha_exports, {
+  default: () => AuditHA
+});
+module.exports = __toCommonJS(audit_ha_exports);
+var import_core = require("@oclif/core");
+var import_chalk = __toESM(require("chalk"));
+
+// src/audit.ts
+var fs2 = __toESM(require("fs"));
+var path = __toESM(require("path"));
+
+// src/utils.ts
+var fs = __toESM(require("fs"));
+function readJsonFile(filePath) {
+  let content;
+  try {
+    content = fs.readFileSync(filePath, "utf-8");
+  } catch (e) {
+    throw new Error(`Falha ao ler '${filePath}': ${errMessage(e)}`);
+  }
+  try {
+    return JSON.parse(content);
+  } catch (e) {
+    throw new Error(`JSON inv\xE1lido em '${filePath}': ${errMessage(e)}`);
+  }
+}
+function errMessage(e) {
+  if (e instanceof Error) return e.message;
+  if (typeof e === "string") return e;
+  try {
+    return JSON.stringify(e);
+  } catch {
+    return String(e);
+  }
+}
+
+// src/audit.ts
+function readConfig(cwd) {
+  const configPath = path.join(cwd, "iacmp.json");
+  if (!fs2.existsSync(configPath)) throw new Error("iacmp.json n\xE3o encontrado. Rode: iacmp init");
+  const config = readJsonFile(configPath);
+  return {
+    name: config.name ?? path.basename(cwd),
+    provider: config.provider ?? "aws"
+  };
+}
+function resolveTsNode(projectDir) {
+  const dirs = [];
+  let dir = projectDir;
+  for (let i = 0; i < 5; i++) {
+    dirs.push(dir);
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  for (const d of dirs) {
+    const tsNodePath = path.join(d, "node_modules", "ts-node");
+    if (fs2.existsSync(tsNodePath)) return tsNodePath;
+  }
+  return null;
+}
+function findStackFiles(dir) {
+  const entries = fs2.readdirSync(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...findStackFiles(full));
+    } else if (entry.name.endsWith(".ts") || entry.name.endsWith(".js")) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+function loadStacks(cwd) {
+  const stacksDir = path.join(cwd, "stacks");
+  if (!fs2.existsSync(stacksDir)) throw new Error("Diret\xF3rio stacks/ n\xE3o encontrado.");
+  const stackFiles = findStackFiles(stacksDir);
+  if (stackFiles.length === 0) throw new Error("Nenhuma stack encontrada em stacks/");
+  const tsNodePath = resolveTsNode(cwd);
+  if (tsNodePath) {
+    require(tsNodePath).register({
+      transpileOnly: true,
+      skipProject: true,
+      compilerOptions: {
+        target: "ES2022",
+        module: "commonjs",
+        moduleResolution: "node",
+        esModuleInterop: true,
+        strict: false,
+        skipLibCheck: true
+      }
+    });
+  }
+  const result = [];
+  for (const stackPath of stackFiles) {
+    const stackName = path.basename(stackPath).replace(/\.(ts|js)$/, "");
+    try {
+      const mod = require(stackPath);
+      const raw = mod.default ?? mod.stack ?? mod;
+      if (!raw || typeof raw !== "object" || !("constructs" in raw)) {
+        console.warn(`[audit] ${path.basename(stackPath)} n\xE3o exporta uma Stack v\xE1lida \u2014 ignorado.`);
+        continue;
+      }
+      result.push({ name: stackName, stack: raw });
+    } catch (err) {
+      console.warn(`[audit] falha ao carregar ${path.basename(stackPath)}: ${errMessage(err)}`);
+    }
+  }
+  return result;
+}
+function saveReport(cwd, commandName, content) {
+  const auditDir = path.join(cwd, "audit");
+  if (!fs2.existsSync(auditDir)) fs2.mkdirSync(auditDir, { recursive: true });
+  const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  const fileName = `${commandName}-${date}.md`;
+  const filePath = path.join(auditDir, fileName);
+  fs2.writeFileSync(filePath, content, "utf-8");
+  return path.join("audit", fileName);
+}
+function today() {
+  return (/* @__PURE__ */ new Date()).toLocaleDateString("pt-BR");
+}
+
+// src/commands/audit-ha.ts
+function shouldFail(failOn, critical, warnings) {
+  if (failOn === "critical") return critical > 0;
+  if (failOn === "warning") return critical > 0 || warnings > 0;
+  return false;
+}
+function analyzeStack(stackName, stack) {
+  const findings = [];
+  const constructs = stack.constructs;
+  for (const c of constructs) {
+    const p = c.props;
+    if (c.type === "Database.SQL") {
+      if (p.multiAz !== true) {
+        findings.push({
+          status: "no-ha",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Database.SQL '${c.id}' \u2014 Single-AZ`,
+          detail: "multiAz is not enabled. A failure in the AZ will make the database unavailable.",
+          recommendation: "Set `multiAz: true`."
+        });
+      } else {
+        findings.push({
+          status: "ha-ok",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Database.SQL '${c.id}' \u2014 Multi-AZ enabled`,
+          detail: "Database is configured with Multi-AZ.",
+          recommendation: ""
+        });
+      }
+    }
+    if (c.type === "Network.VPC") {
+      const maxAzs = p.maxAzs;
+      if (maxAzs === void 0 || maxAzs === null || maxAzs < 2) {
+        findings.push({
+          status: "no-ha",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Network.VPC '${c.id}' \u2014 single AZ`,
+          detail: `maxAzs is ${maxAzs ?? "not defined"} (< 2). The network is restricted to a single availability zone.`,
+          recommendation: "Set `maxAzs: 2` or more."
+        });
+      } else {
+        findings.push({
+          status: "ha-ok",
+          stackName,
+          constructId: c.id,
+          constructType: c.type,
+          title: `Network.VPC '${c.id}' \u2014 ${maxAzs} AZs`,
+          detail: `Network is configured with ${maxAzs} availability zones.`,
+          recommendation: ""
+        });
+      }
+    }
+    if (c.type === "Function.Lambda") {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: c.id,
+        constructType: c.type,
+        title: `Function.Lambda '${c.id}' \u2014 native HA`,
+        detail: "Lambda functions are distributed across multiple AZs by the provider by default.",
+        recommendation: ""
+      });
+    }
+    if (c.type === "Storage.Bucket") {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: c.id,
+        constructType: c.type,
+        title: `Storage.Bucket '${c.id}' \u2014 native HA`,
+        detail: "Object storage buckets are automatically replicated by the provider.",
+        recommendation: ""
+      });
+    }
+  }
+  const vpcs = constructs.filter((c) => c.type === "Network.VPC");
+  if (vpcs.length === 0) {
+    findings.push({
+      status: "info",
+      stackName,
+      constructId: "stack",
+      constructType: "Stack",
+      title: `Stack '${stackName}' \u2014 no VPC`,
+      detail: "No Network.VPC found in the stack. No network isolation is defined.",
+      recommendation: "Consider adding a VPC to isolate network resources."
+    });
+  }
+  const instances = constructs.filter((c) => c.type === "Compute.Instance");
+  if (instances.length === 1) {
+    findings.push({
+      status: "info",
+      stackName,
+      constructId: instances[0].id,
+      constructType: "Compute.Instance",
+      title: `Compute.Instance '${instances[0].id}' \u2014 no redundancy`,
+      detail: "Only 1 compute instance found. If it fails, there is no backup instance.",
+      recommendation: "Add more instances or configure auto-scaling."
+    });
+  } else if (instances.length > 1) {
+    for (const inst of instances) {
+      findings.push({
+        status: "ha-ok",
+        stackName,
+        constructId: inst.id,
+        constructType: "Compute.Instance",
+        title: `Compute.Instance '${inst.id}' \u2014 redundancy detected`,
+        detail: `${instances.length} compute instances in the stack.`,
+        recommendation: ""
+      });
+    }
+  }
+  return findings;
+}
+var AuditHA = class _AuditHA extends import_core.Command {
+  static description = "Audit stacks for high availability (HA) issues";
+  static examples = [
+    "$ iacmp audit-ha",
+    "$ iacmp audit-ha --fail-on=critical"
+  ];
+  static flags = {
+    "fail-on": import_core.Flags.string({
+      description: "Sai com exit 1 quando h\xE1 achados no n\xEDvel indicado",
+      options: ["critical", "warning", "none"],
+      default: "none"
+    })
+  };
+  async run() {
+    const { flags } = await this.parse(_AuditHA);
+    const failOn = flags["fail-on"];
+    const cwd = process.cwd();
+    let config;
+    try {
+      config = readConfig(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    let stacks;
+    try {
+      stacks = loadStacks(cwd);
+    } catch (err) {
+      this.error(err.message);
+    }
+    const allFindings = [];
+    for (const { name, stack } of stacks) {
+      allFindings.push(...analyzeStack(name, stack));
+    }
+    const noHA = allFindings.filter((f) => f.status === "no-ha");
+    const partial = allFindings.filter((f) => f.status === "ha-partial");
+    const haOk = allFindings.filter((f) => f.status === "ha-ok");
+    const infos = allFindings.filter((f) => f.status === "info");
+    this.log(import_chalk.default.bold("\nHigh Availability (HA) Audit"));
+    this.log("\u2500".repeat(40));
+    this.log(`No HA:    ${noHA.length > 0 ? import_chalk.default.red(noHA.length) : import_chalk.default.green(0)}`);
+    this.log(`Partial:  ${partial.length > 0 ? import_chalk.default.yellow(partial.length) : import_chalk.default.green(0)}`);
+    this.log(`HA OK:    ${import_chalk.default.green(haOk.length)}`);
+    this.log("");
+    for (const f of noHA) {
+      this.log(`${import_chalk.default.red("\u2717 [NO HA]")} ${f.title}`);
+    }
+    for (const f of partial) {
+      this.log(`${import_chalk.default.yellow("\u26A0 [PARTIAL HA]")} ${f.title}`);
+    }
+    for (const f of infos) {
+      this.log(`${import_chalk.default.yellow("\u26A0 [WARNING]")} ${f.title}`);
+    }
+    for (const f of haOk) {
+      this.log(`${import_chalk.default.green("\u2713 [HA OK]")} ${f.title}`);
+    }
+    let md = `# High Availability (HA) Audit Report \u2014 ${config.name}
+`;
+    md += `Date: ${today()}
+
+`;
+    md += `## Summary
+`;
+    md += `- No HA: ${noHA.length} resources
+`;
+    md += `- Partial HA: ${partial.length} resources
+`;
+    md += `- HA OK: ${haOk.length} resources
+
+`;
+    md += `## Findings
+
+`;
+    for (const f of [...noHA, ...partial, ...infos]) {
+      const label = f.status === "no-ha" ? "NO HA" : f.status === "ha-partial" ? "PARTIAL HA" : "WARNING";
+      md += `### [${label}] ${f.title}
+`;
+      md += `Stack: ${f.stackName}
+`;
+      md += `${f.detail}
+`;
+      if (f.recommendation) md += `Recommendation: ${f.recommendation}
+`;
+      md += "\n";
+    }
+    if (haOk.length > 0) {
+      md += `## Resources with HA
+`;
+      for (const f of haOk) {
+        md += `- ${f.constructType} '${f.constructId}' \u2014 HA OK
+`;
+      }
+      md += "\n";
+    }
+    const relPath = saveReport(cwd, "ha", md);
+    this.log(`
+Report saved to ${relPath}`);
+    if (shouldFail(failOn, noHA.length, partial.length + infos.length)) {
+      this.exit(1);
+    }
+  }
+};