@intentius/chant-lexicon-aws 0.1.13 → 0.1.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/integrity.json +4 -4
- package/dist/manifest.json +1 -1
- package/dist/meta.json +1086 -92
- package/dist/types/index.d.ts +1419 -79
- package/package.json +1 -1
- package/src/codegen/versions.ts +12 -8
- package/src/composites/fargate-alb.ts +77 -16
- package/src/generated/index.d.ts +1419 -79
- package/src/generated/index.ts +116 -12
- package/src/generated/lexicon-aws.json +1086 -92
- package/src/import/live-export-io.test.ts +61 -0
- package/src/import/live-export.test.ts +78 -0
- package/src/import/live-export.ts +38 -0
- package/src/lifecycle-integration.test.ts +105 -0
- package/src/plugin.ts +41 -1
- package/src/serializer-ownership.test.ts +37 -0
- package/src/serializer.ts +16 -5
package/package.json
CHANGED
package/src/codegen/versions.ts
CHANGED
|
@@ -2,6 +2,8 @@
|
|
|
2
2
|
* Pinned dependency versions for reproducible generation.
|
|
3
3
|
*/
|
|
4
4
|
|
|
5
|
+
import { fetchWithRetry } from "@intentius/chant/codegen/fetch";
|
|
6
|
+
|
|
5
7
|
export const PINNED_VERSIONS = {
|
|
6
8
|
cfnLint: "v1.32.4",
|
|
7
9
|
} as const;
|
|
@@ -22,15 +24,17 @@ export async function checkForUpdates(): Promise<{ cfnLint: { current: string; l
|
|
|
22
24
|
let latest: string = current;
|
|
23
25
|
|
|
24
26
|
try {
|
|
25
|
-
const resp = await
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
}
|
|
27
|
+
const resp = await fetchWithRetry(
|
|
28
|
+
"https://api.github.com/repos/aws-cloudformation/cfn-lint/releases/latest",
|
|
29
|
+
undefined,
|
|
30
|
+
undefined,
|
|
31
|
+
{ headers: { Accept: "application/vnd.github.v3+json" } },
|
|
32
|
+
);
|
|
33
|
+
const data = await resp.json() as { tag_name: string };
|
|
34
|
+
latest = data.tag_name;
|
|
32
35
|
} catch {
|
|
33
|
-
//
|
|
36
|
+
// Transient failures are retried inside fetchWithRetry; a permanent
|
|
37
|
+
// failure (or exhausted retries) lands here — return current as latest.
|
|
34
38
|
}
|
|
35
39
|
|
|
36
40
|
return { cfnLint: { current, latest } };
|
|
@@ -14,6 +14,8 @@ import {
|
|
|
14
14
|
TargetGroup,
|
|
15
15
|
Listener,
|
|
16
16
|
Listener_Action,
|
|
17
|
+
Listener_Certificate,
|
|
18
|
+
Listener_RedirectConfig,
|
|
17
19
|
SecurityGroup,
|
|
18
20
|
SecurityGroup_Ingress,
|
|
19
21
|
LogGroup,
|
|
@@ -27,6 +29,20 @@ import { ecsTrustPolicy } from "./ecs-trust-policy";
|
|
|
27
29
|
|
|
28
30
|
export interface FargateAlbProps {
|
|
29
31
|
image: string;
|
|
32
|
+
/**
|
|
33
|
+
* Secrets Manager ARN holding private-registry pull credentials
|
|
34
|
+
* (`{"username","password"}`). Sets the container's `RepositoryCredentials`
|
|
35
|
+
* and grants the execution role `secretsmanager:GetSecretValue` on it — needed
|
|
36
|
+
* to pull from a private registry such as GHCR. Omit for public images / ECR.
|
|
37
|
+
*/
|
|
38
|
+
repositoryCredentials?: string;
|
|
39
|
+
/**
|
|
40
|
+
* ACM certificate ARN. When set, the ALB serves HTTPS on 443 with this cert
|
|
41
|
+
* and the port-80 listener redirects to HTTPS (301). When omitted, the ALB
|
|
42
|
+
* serves plain HTTP on `listenerPort` (default 80). The cert + any DNS records
|
|
43
|
+
* are managed outside this composite (region must match the ALB).
|
|
44
|
+
*/
|
|
45
|
+
certificateArn?: string;
|
|
30
46
|
containerPort?: number;
|
|
31
47
|
cpu?: string;
|
|
32
48
|
memory?: string;
|
|
@@ -79,6 +95,14 @@ export const FargateAlb = Composite<FargateAlbProps>((props) => {
|
|
|
79
95
|
Action: LogsActions.Write,
|
|
80
96
|
Resource: "*",
|
|
81
97
|
},
|
|
98
|
+
// Allow pulling private-registry credentials when configured.
|
|
99
|
+
...(props.repositoryCredentials
|
|
100
|
+
? [{
|
|
101
|
+
Effect: "Allow",
|
|
102
|
+
Action: ["secretsmanager:GetSecretValue"],
|
|
103
|
+
Resource: props.repositoryCredentials,
|
|
104
|
+
}]
|
|
105
|
+
: []),
|
|
82
106
|
],
|
|
83
107
|
};
|
|
84
108
|
|
|
@@ -136,6 +160,9 @@ export const FargateAlb = Composite<FargateAlbProps>((props) => {
|
|
|
136
160
|
LogConfiguration: logConfiguration,
|
|
137
161
|
Environment: environmentVars.length > 0 ? environmentVars : undefined,
|
|
138
162
|
Command: props.command,
|
|
163
|
+
RepositoryCredentials: props.repositoryCredentials
|
|
164
|
+
? { CredentialsParameter: props.repositoryCredentials }
|
|
165
|
+
: undefined,
|
|
139
166
|
});
|
|
140
167
|
|
|
141
168
|
// Task definition
|
|
@@ -149,18 +176,22 @@ export const FargateAlb = Composite<FargateAlbProps>((props) => {
|
|
|
149
176
|
ContainerDefinitions: [container],
|
|
150
177
|
}, defs?.taskDef));
|
|
151
178
|
|
|
152
|
-
// ALB security group — ingress on
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
179
|
+
// ALB security group — ingress on the served port(s) from anywhere. With a
|
|
180
|
+
// cert that's 443 (HTTPS) + 80 (redirect); otherwise the plain listener port.
|
|
181
|
+
const ingressPorts = props.certificateArn ? [443, 80] : [listenerPort];
|
|
182
|
+
const albIngress = ingressPorts.map((port) =>
|
|
183
|
+
new SecurityGroup_Ingress({
|
|
184
|
+
IpProtocol: "tcp",
|
|
185
|
+
FromPort: port,
|
|
186
|
+
ToPort: port,
|
|
187
|
+
CidrIp: "0.0.0.0/0",
|
|
188
|
+
}),
|
|
189
|
+
);
|
|
159
190
|
|
|
160
191
|
const albSg = new SecurityGroup({
|
|
161
192
|
GroupDescription: "ALB security group",
|
|
162
193
|
VpcId: props.vpcId,
|
|
163
|
-
SecurityGroupIngress:
|
|
194
|
+
SecurityGroupIngress: albIngress,
|
|
164
195
|
});
|
|
165
196
|
|
|
166
197
|
// Task security group — ingress on container port from ALB SG
|
|
@@ -194,18 +225,47 @@ export const FargateAlb = Composite<FargateAlbProps>((props) => {
|
|
|
194
225
|
HealthCheckPath: healthCheckPath,
|
|
195
226
|
}, defs?.targetGroup));
|
|
196
227
|
|
|
197
|
-
// Listener
|
|
198
|
-
|
|
228
|
+
// Listener(s). With a cert: HTTPS:443 forwards to the target group and HTTP:80
|
|
229
|
+
// redirects to HTTPS. Without: a single HTTP listener on `listenerPort`.
|
|
230
|
+
const forwardAction = new Listener_Action({
|
|
199
231
|
Type: "forward",
|
|
200
232
|
TargetGroupArn: targetGroup.TargetGroupArn,
|
|
201
233
|
});
|
|
202
234
|
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
235
|
+
let listener: InstanceType<typeof Listener>;
|
|
236
|
+
let redirectListener: InstanceType<typeof Listener> | undefined;
|
|
237
|
+
|
|
238
|
+
if (props.certificateArn) {
|
|
239
|
+
listener = new Listener({
|
|
240
|
+
LoadBalancerArn: alb.LoadBalancerArn,
|
|
241
|
+
Port: 443,
|
|
242
|
+
Protocol: "HTTPS",
|
|
243
|
+
Certificates: [new Listener_Certificate({ CertificateArn: props.certificateArn })],
|
|
244
|
+
DefaultActions: [forwardAction],
|
|
245
|
+
});
|
|
246
|
+
redirectListener = new Listener({
|
|
247
|
+
LoadBalancerArn: alb.LoadBalancerArn,
|
|
248
|
+
Port: 80,
|
|
249
|
+
Protocol: "HTTP",
|
|
250
|
+
DefaultActions: [
|
|
251
|
+
new Listener_Action({
|
|
252
|
+
Type: "redirect",
|
|
253
|
+
RedirectConfig: new Listener_RedirectConfig({
|
|
254
|
+
Protocol: "HTTPS",
|
|
255
|
+
Port: "443",
|
|
256
|
+
StatusCode: "HTTP_301",
|
|
257
|
+
}),
|
|
258
|
+
}),
|
|
259
|
+
],
|
|
260
|
+
});
|
|
261
|
+
} else {
|
|
262
|
+
listener = new Listener({
|
|
263
|
+
LoadBalancerArn: alb.LoadBalancerArn,
|
|
264
|
+
Port: listenerPort,
|
|
265
|
+
Protocol: "HTTP",
|
|
266
|
+
DefaultActions: [forwardAction],
|
|
267
|
+
});
|
|
268
|
+
}
|
|
209
269
|
|
|
210
270
|
// ECS Service
|
|
211
271
|
const serviceLoadBalancer = new EcsService_LoadBalancer({
|
|
@@ -248,6 +308,7 @@ export const FargateAlb = Composite<FargateAlbProps>((props) => {
|
|
|
248
308
|
alb,
|
|
249
309
|
targetGroup,
|
|
250
310
|
listener,
|
|
311
|
+
...(redirectListener ? { redirectListener } : {}),
|
|
251
312
|
service,
|
|
252
313
|
};
|
|
253
314
|
}, "FargateAlb");
|