@infoxchange/make-it-so-sst-v2 3.0.1

package/dist/lib/utils/objects.d.ts

@@ -0,0 +1,4 @@
+export declare function remapKeys<SourceObject extends object, MapObject extends Record<keyof SourceObject, string>>(object: SourceObject, keyMap: Readonly<MapObject>): {
+    [k in keyof SourceObject as k extends keyof MapObject ? MapObject[k] : k]: SourceObject[k];
+};
+//# sourceMappingURL=objects.d.ts.map

package/dist/lib/utils/objects.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"objects.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/objects.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CACvB,YAAY,SAAS,MAAM,EAC3B,SAAS,SAAS,MAAM,CAAC,MAAM,YAAY,EAAE,MAAM,CAAC,EAEpD,MAAM,EAAE,YAAY,EACpB,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,GAC1B;KACA,CAAC,IAAI,MAAM,YAAY,IAAI,CAAC,SAAS,MAAM,SAAS,GACjD,SAAS,CAAC,CAAC,CAAC,GACZ,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC;CACxB,CAQA"}

package/dist/lib/utils/objects.js

@@ -0,0 +1,7 @@
+export function remapKeys(object, keyMap) {
+    return Object.fromEntries(Object.entries(object).map(([key, value]) => {
+        // @ts-expect-error the typing for map() reduces keys to general string
+        const newKey = keyMap[key] ?? key;
+        return [newKey, value];
+    }));
+}

package/eslint.config.js

@@ -0,0 +1,11 @@
+import globals from "globals";
+import pluginJs from "@eslint/js";
+import tseslint from "typescript-eslint";
+import eslintConfigPrettier from "eslint-config-prettier";
+
+export default [
+  { languageOptions: { globals: globals.node } },
+  pluginJs.configs.recommended,
+  ...tseslint.configs.recommended,
+  eslintConfigPrettier,
+];

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@infoxchange/make-it-so-sst-v2",
+  "version": "3.0.1",
+  "description": "Makes deploying services to IX infra easy",
+  "repository": "github:infoxchange/make-it-so",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest",
+    "lint": "eslint . --fix && prettier . --write && tsc --noEmit",
+    "lint:check": "eslint . && prettier . --check && tsc --noEmit",
+    "prepare": "husky",
+    "commit": "lint-staged && commit"
+  },
+  "author": "Infoxchange Vic Dev Team <vicdevs@infoxchange.org>",
+  "license": "MIT",
+  "exports": {
+    "./cdk-constructs": "./dist/cdk-constructs/index.js",
+    "./deployConfig": "./dist/deployConfig.js",
+    "./auth": "./dist/lib/auth/index.js",
+    "./proxy": "./dist/lib/proxy/index.js"
+  },
+  "lint-staged": {
+    "**/*": [
+      "eslint --fix --no-warn-ignored",
+      "prettier --write --ignore-unknown"
+    ]
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^19.3.0",
+    "@commitlint/config-conventional": "^19.2.2",
+    "@commitlint/prompt-cli": "^19.3.1",
+    "@eslint/js": "^9.3.0",
+    "@tsconfig/node21": "^21.0.3",
+    "@types/aws-cloudfront-function": "^1.0.6",
+    "@types/global-agent": "^3.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "aws-cdk-lib": "2.142.1",
+    "constructs": "^10.3.0",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "globals": "^15.3.0",
+    "husky": "^9.0.11",
+    "lint-staged": "^15.2.5",
+    "prettier": "3.2.5",
+    "semantic-release": "^23.1.1",
+    "sst": "2.42.0",
+    "typescript": "^5.4.5",
+    "typescript-eslint": "^7.11.0",
+    "vitest": "^1.6.0"
+  },
+  "peerDependencies": {
+    "aws-cdk-lib": "^2.0.0",
+    "constructs": "^10.0.0",
+    "sst": "^2.0.0"
+  },
+  "dependencies": {
+    "global-agent": "^3.0.0",
+    "jsonwebtoken": "^9.0.2",
+    "undici": "^7.16.0",
+    "zod": "^3.24.2"
+  }
+}

package/src/cdk-constructs/IxApi.ts

@@ -0,0 +1,81 @@
+import { Api } from "sst/constructs";
+import { IxCertificate } from "./IxCertificate.js";
+import { IxDnsRecord } from "./IxDnsRecord.js";
+import ixDeployConfig from "../deployConfig.js";
+import { convertToBase62Hash } from "../lib/utils/hash.js";
+
+type ConstructScope = ConstructorParameters<typeof Api>[0];
+type ConstructId = ConstructorParameters<typeof Api>[1];
+type ConstructProps = Exclude<ConstructorParameters<typeof Api>[2], undefined>;
+
+export class IxApi extends Api {
+  constructor(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps = {},
+  ) {
+    if (ixDeployConfig.isIxDeploy) {
+      IxApi.setupCustomDomain(scope, id, props);
+    }
+
+    super(scope, id, props);
+
+    if (ixDeployConfig.isIxDeploy) {
+      this.createDnsRecords(scope);
+    }
+  }
+
+  // This must be static because we need to call it in the constructor before super
+  private static setupCustomDomain(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps,
+  ): void {
+    // Default to using domains names passed in by the pipeline as the custom domain
+    if (ixDeployConfig.isIxDeploy && !("customDomain" in props)) {
+      props.customDomain = {
+        domainName: ixDeployConfig.siteDomains[0],
+      };
+    }
+
+    this.setupCertificate(scope, id, props);
+  }
+
+  // This must be static because we need to call it in the constructor before super
+  private static setupCertificate(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps,
+  ): void {
+    if (!props?.customDomain) return;
+
+    if (typeof props.customDomain === "string") {
+      props.customDomain = { domainName: props.customDomain };
+    }
+
+    const domainName = props.customDomain.domainName;
+    if (domainName) {
+      const domainCert = new IxCertificate(scope, id + "-IxCertificate", {
+        domainName,
+        region: "ap-southeast-2", // API Gateway wants southeast-2.
+      });
+      props.customDomain.isExternalDomain = true;
+      props.customDomain.cdk = props.customDomain.cdk ?? {};
+      props.customDomain.cdk.certificate = domainCert.acmCertificate;
+    }
+  }
+
+  private createDnsRecords(scope: ConstructScope) {
+    if (this.cdk.domainName?.name && this.cdk.domainName?.regionalDomainName) {
+      const domainNameLogicalId = convertToBase62Hash(this.cdk.domainName.name);
+
+      // API Gateway has a separate domain for using with a CNAME (regionalDomainName)
+      new IxDnsRecord(scope, `DnsRecord-${domainNameLogicalId}`, {
+        type: "CNAME",
+        name: this.cdk.domainName.name,
+        value: this.cdk.domainName?.regionalDomainName,
+        ttl: 900,
+      });
+    }
+  }
+}

package/src/cdk-constructs/IxBucket.ts

@@ -0,0 +1,35 @@
+import { Bucket } from "sst/constructs";
+import { BucketEncryption } from "aws-cdk-lib/aws-s3";
+import ixDeployConfig from "../deployConfig.js";
+
+type ConstructScope = ConstructorParameters<typeof Bucket>[0];
+type ConstructId = ConstructorParameters<typeof Bucket>[1];
+type ConstructProps = Exclude<
+  ConstructorParameters<typeof Bucket>[2],
+  undefined
+>;
+
+export class IxBucket extends Bucket {
+  constructor(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps = {},
+  ) {
+    const bucketProps: ConstructProps = {
+      blockPublicACLs: true,
+      ...props,
+      cdk: {
+        ...props.cdk,
+        bucket: {
+          enforceSSL: true,
+          ...(ixDeployConfig.isIxDeploy
+            ? { encryption: BucketEncryption.S3_MANAGED }
+            : {}),
+          ...props.cdk?.bucket,
+        },
+      },
+    };
+
+    super(scope, id, bucketProps);
+  }
+}

package/src/cdk-constructs/IxCertificate.ts

@@ -0,0 +1,54 @@
+import { Construct } from "constructs";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { Certificate, ICertificate } from "aws-cdk-lib/aws-certificatemanager";
+import { CustomResource } from "aws-cdk-lib";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+type Props = {
+  domainName: string;
+  subjectAlternativeNames?: string[];
+  region?: string;
+};
+
+export class IxCertificate extends Construct {
+  public acmCertificate: ICertificate;
+
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    this.acmCertificate = this.createCertificate(scope, id, props);
+  }
+
+  private createCertificate(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: Props,
+  ): ICertificate {
+    const certificateCreationLambdaArn =
+      StringParameter.valueForStringParameter(
+        scope,
+        "/shared-services/acm/lambdaArn-v2",
+      );
+    const certificateCustomResource = new CustomResource(
+      scope,
+      "DomainCert-" + id,
+      {
+        resourceType: "Custom::CertIssuingLambda",
+        serviceToken: certificateCreationLambdaArn,
+        properties: {
+          DomainName: props.domainName,
+          ...(props.subjectAlternativeNames && {
+            SubjectAlternativeNames: props.subjectAlternativeNames,
+          }),
+          ...(props.region && { CertificateIssuingRegion: props.region }),
+        },
+      },
+    );
+    return Certificate.fromCertificateArn(
+      scope,
+      id + "-AwsCertificate",
+      certificateCustomResource.ref,
+    );
+  }
+}

package/src/cdk-constructs/IxDnsRecord.ts

@@ -0,0 +1,79 @@
+import { Construct } from "constructs";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { CustomResource } from "aws-cdk-lib";
+import { remapKeys } from "../lib/utils/objects.js";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+type Props = {
+  name: string;
+  value: string;
+  ttl?: number;
+  hostedZoneId?: string;
+} & (
+  | {
+      type: "A" | "CNAME" | "NS" | "SOA" | "TXT";
+    }
+  | {
+      type: "ALIAS";
+      aliasZoneId: string;
+    }
+  | {
+      type: "MX";
+      priority: number;
+    }
+);
+
+export class IxDnsRecord extends Construct {
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    this.createDnsRecord(scope, id, props);
+  }
+
+  private createDnsRecord(
+    scope: ConstructScope,
+    id: ConstructId,
+    constructProps: Props,
+  ): void {
+    const dnsRecordUpdaterLambdaArn = StringParameter.valueForStringParameter(
+      scope,
+      "/shared-services/route53/lambdaArn",
+    );
+    const keysMap = {
+      name: "RecordFQDN",
+      value: "RecordValue",
+      ttl: "RecordTTL",
+      hostedZoneId: "HostedZoneId",
+      type: "RecordType",
+      aliasZoneId: "AliasZoneId",
+    };
+    let lambdaProps;
+    if (constructProps.type === "TXT") {
+      lambdaProps = remapKeys(
+        {
+          ...constructProps,
+          value: `"${constructProps.value}"`,
+        },
+        keysMap,
+      );
+    } else if (constructProps.type === "MX") {
+      const { priority, ...rest } = constructProps;
+      lambdaProps = remapKeys(
+        {
+          ...rest,
+          value: `${priority} ${rest.value}`,
+        },
+        keysMap,
+      );
+    } else {
+      lambdaProps = remapKeys(constructProps, keysMap);
+    }
+
+    new CustomResource(scope, id + "-CertificateCustomResource", {
+      resourceType: "Custom::DNSRecordUpdaterLambda",
+      serviceToken: dnsRecordUpdaterLambdaArn,
+      properties: lambdaProps,
+    });
+  }
+}

package/src/cdk-constructs/IxElasticache.ts

@@ -0,0 +1,106 @@
+import { Construct } from "constructs";
+import { CfnCacheCluster, CfnSubnetGroup } from "aws-cdk-lib/aws-elasticache";
+import { IVpc, SecurityGroup, Peer, Port } from "aws-cdk-lib/aws-ec2";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { Stack } from "aws-cdk-lib";
+import { IxVpcDetails } from "./IxVpcDetails.js";
+import deployConfig from "../deployConfig.js";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+type CacheClusterProps = ConstructorParameters<typeof CfnCacheCluster>[2];
+
+type Props = CacheClusterProps & {
+  vpc?: IVpc;
+  vpcSubnetIds?: string[];
+};
+
+export class IxElasticache extends Construct {
+  cluster: CfnCacheCluster;
+
+  connectionString: string;
+
+  constructor(
+    scope: ConstructScope,
+    id: ConstructId,
+    { vpc, vpcSubnetIds, ...elasticacheProps }: Props,
+  ) {
+    super(scope, id);
+
+    // Setup cluster name
+    if (!elasticacheProps.clusterName && deployConfig.isIxDeploy) {
+      elasticacheProps.clusterName = `${Stack.of(this).stackName}`;
+    }
+
+    if (!elasticacheProps.cacheSubnetGroupName) {
+      // Setup VPC
+      if (!vpc && deployConfig.isIxDeploy) {
+        const vpcDetails = new IxVpcDetails(scope, id + "-IxVpcDetails");
+        vpc = vpcDetails.vpc;
+      }
+
+      // Setup VPC subnets
+      if (vpc && !vpcSubnetIds) {
+        if (deployConfig.isIxDeploy) {
+          vpcSubnetIds = IxVpcDetails.getVpcSubnetIds(scope);
+        } else {
+          vpcSubnetIds = vpc.privateSubnets.map((subnet) => subnet.subnetId);
+
+          if (!vpcSubnetIds.length) {
+            throw Error(`The vpc ${vpc.vpcId} has no private subnets.`);
+          }
+        }
+      }
+    }
+
+    // Setup cluster security group
+    if (vpc && vpcSubnetIds) {
+      const subnetGroup = new CfnSubnetGroup(scope, "ElasticacheSubnetGroup", {
+        subnetIds: vpcSubnetIds,
+        description: "Subnet group for redis",
+      });
+
+      elasticacheProps.cacheSubnetGroupName = subnetGroup.ref;
+
+      const namePrefix = elasticacheProps.clusterName
+        ? elasticacheProps.clusterName
+        : `${Stack.of(this).stackName}`;
+
+      const securityGroup = new SecurityGroup(
+        scope,
+        "ElasticacheSecurityGroup",
+        {
+          vpc,
+          allowAllOutbound: true,
+          description: "Security group for Elasticache Cluster",
+          securityGroupName: `${namePrefix}-elasticache`,
+        },
+      );
+
+      for (const subnetIndex of [1, 2, 3]) {
+        const cidr = StringParameter.valueForStringParameter(
+          scope,
+          `/vpc/subnet/private-${deployConfig.workloadGroup}/${subnetIndex}/cidr`,
+        );
+        securityGroup.addIngressRule(
+          Peer.ipv4(cidr),
+          Port.tcp(6379),
+          `Allow access to Elasticache cluster from private ${deployConfig.workloadGroup} subnet`,
+        );
+      }
+
+      elasticacheProps.vpcSecurityGroupIds = [securityGroup.securityGroupId];
+    }
+
+    // Create Redis Cluster
+    this.cluster = new CfnCacheCluster(scope, "RedisCluster", elasticacheProps);
+
+    if (elasticacheProps.engine === "redis") {
+      this.connectionString = `redis://${this.cluster.attrRedisEndpointAddress}:${this.cluster.attrRedisEndpointPort}`;
+    } else if (elasticacheProps.engine === "memcached") {
+      this.connectionString = `${this.cluster.attrConfigurationEndpointAddress}:${this.cluster.attrConfigurationEndpointPort}`;
+    } else {
+      throw Error(`Unsupported engine: ${elasticacheProps.engine}`);
+    }
+  }
+}

package/src/cdk-constructs/IxNextjsSite.ts

@@ -0,0 +1,72 @@
+import { NextjsSite } from "sst/constructs";
+import ixDeployConfig from "../deployConfig.js";
+import {
+  type ExtendedNextjsSiteProps,
+  getAliasDomain,
+  getAlternativeDomains,
+  getCustomDomains,
+  getPrimaryCustomDomain,
+  getPrimaryDomain,
+  getPrimaryOrigin,
+  setupCertificate,
+  setupCustomDomain,
+  setupDnsRecords,
+  setupDomainAliasRedirect,
+  setupVpcDetails,
+  setupDefaultEnvVars,
+  applyConditionalEnvironmentVariables,
+  parentCompatibleSsrProps,
+  processAuthProps,
+} from "../lib/site/support.js";
+
+type ConstructScope = ConstructorParameters<typeof NextjsSite>[0];
+type ConstructId = ConstructorParameters<typeof NextjsSite>[1];
+type ConstructProps = ExtendedNextjsSiteProps;
+
+export class IxNextjsSite extends NextjsSite {
+  constructor(
+    scope: ConstructScope,
+    id: ConstructId,
+    props: ConstructProps = {},
+  ) {
+    if (ixDeployConfig.isIxDeploy) {
+      props = setupVpcDetails(scope, id, props);
+      props = setupCustomDomain(scope, id, props);
+      props = setupCertificate(scope, id, props);
+      props = setupDomainAliasRedirect(scope, id, props);
+    }
+    props = processAuthProps(scope, id, "SsrSite", props);
+    props = setupDefaultEnvVars(scope, id, props);
+    props = applyConditionalEnvironmentVariables(scope, id, props);
+
+    super(scope, id, parentCompatibleSsrProps(props));
+
+    if (ixDeployConfig.isIxDeploy) {
+      setupDnsRecords(this, scope, id, props);
+    }
+  }
+
+  public get customDomains(): string[] {
+    return getCustomDomains(this.props);
+  }
+
+  public get primaryCustomDomain(): string | null {
+    return getPrimaryCustomDomain(this.props);
+  }
+
+  public get aliasDomain(): string | null {
+    return getAliasDomain(this.props);
+  }
+
+  public get alternativeDomains(): string[] {
+    return getAlternativeDomains(this.props);
+  }
+
+  public get primaryDomain(): string | null {
+    return getPrimaryDomain(this, this.props);
+  }
+
+  public get primaryOrigin(): string | null {
+    return getPrimaryOrigin(this, this.props);
+  }
+}

package/src/cdk-constructs/IxQuicksightWorkspace.ts

@@ -0,0 +1,54 @@
+import { Construct } from "constructs";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { CustomResource } from "aws-cdk-lib";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+type Props = {
+  appName: string;
+  dataBuckets: string[];
+};
+
+export class IxQuicksightWorkspace extends Construct {
+  workspaceBucketName: string;
+  athenaWorkgroupName: string;
+  serviceRoleArn: string;
+  glueDatabaseName: string;
+  quickSightDataSourceId: string;
+
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    const qsWorkspaceSetupLambdaArn = StringParameter.valueForStringParameter(
+      scope,
+      "/shared-services/quicksight-workspace/lambdaArn",
+    );
+
+    const quicksightWorkspaceLambda = new CustomResource(
+      scope,
+      id + "-CustomResource",
+      {
+        resourceType: "Custom::QuicksightWorkspace",
+        serviceToken: qsWorkspaceSetupLambdaArn,
+        properties: {
+          app_name: props.appName,
+          data_buckets: props.dataBuckets,
+        },
+      },
+    );
+
+    this.workspaceBucketName = quicksightWorkspaceLambda.getAttString(
+      "WorkspaceBucketName",
+    );
+    this.athenaWorkgroupName = quicksightWorkspaceLambda.getAttString(
+      "AthenaWorkgroupName",
+    );
+    this.serviceRoleArn =
+      quicksightWorkspaceLambda.getAttString("ServiceRoleArn");
+    this.glueDatabaseName =
+      quicksightWorkspaceLambda.getAttString("GlueDatabaseName");
+    this.quickSightDataSourceId = quicksightWorkspaceLambda.getAttString(
+      "QuickSightDataSourceId",
+    );
+  }
+}

package/src/cdk-constructs/IxSESIdentity.ts

@@ -0,0 +1,70 @@
+import { Construct } from "constructs";
+import { IxDnsRecord } from "./IxDnsRecord.js";
+import * as ses from "aws-cdk-lib/aws-ses";
+import * as cdk from "aws-cdk-lib";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+type Props = {
+  domain: string;
+  mailFromSubdomain?: string;
+};
+
+export class IxSESIdentity extends Construct {
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    const domain = props.domain.includes("@")
+      ? props.domain.split("@")[1]
+      : props.domain;
+    const mailFromDomain = `${props.mailFromSubdomain ?? "mail"}.${domain}`;
+
+    super(scope, id);
+
+    const identity = new ses.EmailIdentity(scope, `${id}EmailIdentity`, {
+      identity: ses.Identity.domain(domain),
+      mailFromDomain,
+    });
+
+    // Based on https://github.com/aws/aws-cdk/blob/e2ef65a26c833ecb4a29c22e070c3c5f01c31995/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts#L247
+    for (const i of [1, 2, 3]) {
+      new IxDnsRecord(scope, `${id}DkimDnsToken${i}`, {
+        type: "CNAME",
+        name: identity[
+          `dkimDnsTokenName${i}` as
+            | "dkimDnsTokenName1"
+            | "dkimDnsTokenName2"
+            | "dkimDnsTokenName3"
+        ],
+        value:
+          identity[
+            `dkimDnsTokenValue${i}` as
+              | "dkimDnsTokenValue1"
+              | "dkimDnsTokenValue2"
+              | "dkimDnsTokenValue3"
+          ],
+        ttl: 1800,
+      });
+    }
+
+    // Based on
+    // https://github.com/aws/aws-cdk/blob/e2ef65a26c833ecb4a29c22e070c3c5f01c31995/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts#L512
+    new IxDnsRecord(scope, `${id}MailFromMxRecord`, {
+      type: "MX",
+      name: mailFromDomain,
+      value: `feedback-smtp.${cdk.Stack.of(scope).region}.amazonses.com`,
+      priority: 10,
+    });
+    new IxDnsRecord(scope, `${id}MailFromTxtRecord`, {
+      type: "TXT",
+      name: mailFromDomain,
+      value: "v=spf1 include:amazonses.com ~all",
+    });
+
+    // Set up DMARC record
+    new IxDnsRecord(scope, `${id}DMARC`, {
+      type: "TXT",
+      name: `_dmarc.${domain}`,
+      value: "v=DMARC1; p=none;",
+    });
+  }
+}