@jumpgroup/laravel-tools 3.3.0

package/src/aws/bucket.js

@@ -0,0 +1,287 @@
+import {
+  S3Client,
+  CreateBucketCommand,
+  HeadBucketCommand,
+  PutPublicAccessBlockCommand,
+  PutObjectCommand,
+  PutBucketTaggingCommand,
+  ListBucketsCommand,
+  GetBucketTaggingCommand,
+  PutBucketPolicyCommand,
+  PutBucketOwnershipControlsCommand,
+  GetBucketPolicyCommand,
+} from '@aws-sdk/client-s3';
+import select from '@inquirer/select';
+
+import { getAwsCredentials, getAwsRegion } from './config.js';
+import { getAppName } from '../utilities/command.js';
+
+const createS3Client = () =>
+  new S3Client({
+    region: getAwsRegion(),
+    credentials: getAwsCredentials(),
+  });
+
+const getBucketName = (projectName) => `${projectName}-media`;
+
+const bucketExists = async (s3Client, bucketName) => {
+  try {
+    await s3Client.send(new HeadBucketCommand({ Bucket: bucketName }));
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+export const doesBucketExist = async (bucketName) => {
+  const s3Client = createS3Client();
+  return await bucketExists(s3Client, bucketName);
+};
+
+export const createBucket = async (projectName, options = {}) => {
+  const s3Client = createS3Client();
+  const region = getAwsRegion();
+  const bucketName = getBucketName(projectName);
+  const dryRun = Boolean(options.dryRun);
+
+  const runMutation = async (message, fn) => {
+    if (dryRun) {
+      console.log(`🧪 [dry-run] ${message}`);
+      return;
+    }
+    await fn();
+  };
+
+  const ensurePrivateBucketConfig = async () => {
+    await runMutation(`Imposto PublicAccessBlock privato su ${bucketName}`, async () => {
+      await s3Client.send(
+        new PutPublicAccessBlockCommand({
+          Bucket: bucketName,
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            IgnorePublicAcls: true,
+            BlockPublicPolicy: true,
+            RestrictPublicBuckets: true,
+          },
+        })
+      );
+    });
+
+    await runMutation(`Imposto OwnershipControls BucketOwnerEnforced su ${bucketName}`, async () => {
+      await s3Client.send(
+        new PutBucketOwnershipControlsCommand({
+          Bucket: bucketName,
+          OwnershipControls: {
+            Rules: [{ ObjectOwnership: 'BucketOwnerEnforced' }],
+          },
+        })
+      );
+    });
+  };
+
+  const ensureSiteTag = async () => {
+    let existingTags = [];
+    try {
+      const current = await s3Client.send(new GetBucketTaggingCommand({ Bucket: bucketName }));
+      existingTags = current.TagSet || [];
+    } catch {
+      existingTags = [];
+    }
+
+    const merged = existingTags.filter((tag) => tag.Key !== 'site');
+    merged.push({ Key: 'site', Value: projectName });
+
+    await runMutation(`Aggiorno tag bucket site=${projectName} su ${bucketName}`, async () => {
+      await s3Client.send(
+        new PutBucketTaggingCommand({
+          Bucket: bucketName,
+          Tagging: { TagSet: merged },
+        })
+      );
+    });
+  };
+
+  if (await bucketExists(s3Client, bucketName)) {
+    await ensurePrivateBucketConfig();
+    await ensureSiteTag();
+    console.log(`ℹ️  Bucket già esistente: ${bucketName}`);
+    return { name: bucketName, created: false };
+  }
+
+  const createParams = {
+    Bucket: bucketName,
+    ObjectOwnership: 'BucketOwnerEnforced',
+    ...(region !== 'us-east-1'
+      ? { CreateBucketConfiguration: { LocationConstraint: region } }
+      : {}),
+  };
+
+  await runMutation(`Creo bucket ${bucketName}`, async () => {
+    await s3Client.send(new CreateBucketCommand(createParams));
+  });
+  await ensurePrivateBucketConfig();
+
+  await runMutation(`Creo prefisso iniziale ${projectName}/ su ${bucketName}`, async () => {
+    await s3Client.send(
+      new PutObjectCommand({
+        Bucket: bucketName,
+        Key: `${projectName}/`,
+        Body: Buffer.alloc(0),
+      })
+    );
+  });
+  await ensureSiteTag();
+
+  if (dryRun) {
+    console.log(`🧪 [dry-run] Bucket da creare/configurare: ${bucketName}`);
+    return { name: bucketName, created: true, dryRun: true };
+  }
+
+  console.log(`✅ Bucket creato: ${bucketName}`);
+  return { name: bucketName, created: true };
+};
+
+export const applyCloudFrontReadPolicy = async ({ bucketName, distributionId, accountId, dryRun = false }) => {
+  if (!bucketName || !distributionId || !accountId) {
+    throw new Error('bucketName, distributionId e accountId sono obbligatori per la bucket policy.');
+  }
+
+  if (dryRun) {
+    console.log(
+      `🧪 [dry-run] Upsert bucket policy CloudFront-read su ${bucketName} per distribution ${distributionId}`
+    );
+    return;
+  }
+
+  const s3Client = createS3Client();
+  const distributionArn = `arn:aws:cloudfront::${accountId}:distribution/${distributionId}`;
+  const sid = `AllowCloudFrontRead_${distributionId}`;
+  const desiredStatement = {
+    Sid: sid,
+    Effect: 'Allow',
+    Principal: { Service: 'cloudfront.amazonaws.com' },
+    Action: 's3:GetObject',
+    Resource: `arn:aws:s3:::${bucketName}/*`,
+    Condition: {
+      StringEquals: {
+        'AWS:SourceArn': distributionArn,
+      },
+    },
+  };
+
+  let existingPolicy = {
+    Version: '2012-10-17',
+    Statement: [],
+  };
+
+  try {
+    const current = await s3Client.send(new GetBucketPolicyCommand({ Bucket: bucketName }));
+    const parsed = JSON.parse(current.Policy);
+    existingPolicy = {
+      Version: parsed.Version || '2012-10-17',
+      Statement: Array.isArray(parsed.Statement) ? parsed.Statement : [],
+    };
+  } catch (error) {
+    if (error.name !== 'NoSuchBucketPolicy') {
+      throw error;
+    }
+  }
+
+  // Remove only statements that refer to this exact distribution ARN
+  // or have the same deterministic Sid, preserving all unrelated statements.
+  const sourceArnKey = 'AWS:SourceArn';
+  const statements = existingPolicy.Statement.filter((statement) => {
+    if (!statement || typeof statement !== 'object') {
+      return true;
+    }
+
+    if (statement.Sid === sid) {
+      return false;
+    }
+
+    const sourceArn = statement.Condition?.StringEquals?.[sourceArnKey];
+    if (sourceArn === distributionArn) {
+      return false;
+    }
+
+    return true;
+  });
+
+  statements.push(desiredStatement);
+
+  const policy = {
+    Version: existingPolicy.Version || '2012-10-17',
+    Statement: statements,
+  };
+
+  await s3Client.send(
+    new PutBucketPolicyCommand({
+      Bucket: bucketName,
+      Policy: JSON.stringify(policy),
+    })
+  );
+};
+
+export const getAllBuckets = async (show = true) => {
+  const s3Client = createS3Client();
+  const data = await s3Client.send(new ListBucketsCommand({}));
+
+  const bucketDetails = await Promise.all(
+    (data.Buckets || []).map(async (bucket) => {
+      const bucketName = bucket.Name;
+      let tags = [];
+
+      try {
+        const tagData = await s3Client.send(
+          new GetBucketTaggingCommand({ Bucket: bucketName })
+        );
+        tags = tagData.TagSet || [];
+      } catch {
+        tags = [];
+      }
+
+      return { Name: bucketName, Tags: tags };
+    })
+  );
+
+  if (show) {
+    if (bucketDetails.length === 0) {
+      console.log('Nessun bucket trovato.');
+    } else {
+      console.table(
+        bucketDetails.map((bucket) => ({
+          name: bucket.Name,
+          siteTag: bucket.Tags.find((tag) => tag.Key === 'site')?.Value || '-',
+        }))
+      );
+    }
+  }
+
+  return bucketDetails;
+};
+
+export const getBucketFromTag = async (tag) => {
+  const projectTag = tag || getAppName();
+  const buckets = await getAllBuckets(false);
+  const taggedBuckets = buckets.filter((bucket) =>
+    (bucket.Tags || []).some((tagItem) => tagItem.Key === 'site' && tagItem.Value === projectTag)
+  );
+
+  if (taggedBuckets.length === 0) {
+    console.log(`ℹ️  Nessun bucket con tag site=${projectTag}`);
+    return null;
+  }
+
+  if (taggedBuckets.length === 1) {
+    console.log(`✅ Bucket trovato: ${taggedBuckets[0].Name}`);
+    return taggedBuckets[0];
+  }
+
+  const selectedBucket = await select({
+    message: 'Seleziona il bucket:',
+    choices: taggedBuckets.map((bucket) => ({ name: bucket.Name, value: bucket })),
+  });
+
+  console.log(`✅ Bucket selezionato: ${selectedBucket.Name}`);
+  return selectedBucket;
+};

package/src/aws/cloudfront.js

@@ -0,0 +1,433 @@
+import {
+  CloudFrontClient,
+  CreateDistributionWithTagsCommand,
+  CreateOriginAccessControlCommand,
+  GetDistributionConfigCommand,
+  ListDistributionsCommand,
+  ListOriginAccessControlsCommand,
+  ListTagsForResourceCommand,
+  UpdateDistributionCommand,
+} from '@aws-sdk/client-cloudfront';
+
+import { getAwsAccountId, getAwsCredentials, getAwsRegion, getCloudFrontRegion } from './config.js';
+import { getAppName } from '../utilities/command.js';
+import { applyCloudFrontReadPolicy, doesBucketExist } from './bucket.js';
+
+const createCloudFrontClient = () =>
+  new CloudFrontClient({
+    region: getCloudFrontRegion(),
+    credentials: getAwsCredentials(),
+  });
+
+const CACHING_OPTIMIZED_POLICY_ID = '658327ea-f89d-4fab-a63d-7e88639e58f6';
+
+const getBucketOriginDomainName = (bucketName) => {
+  const region = getAwsRegion();
+  return region === 'us-east-1'
+    ? `${bucketName}.s3.amazonaws.com`
+    : `${bucketName}.s3.${region}.amazonaws.com`;
+};
+
+const getBucketOriginDomainCandidates = (bucketName) => {
+  const regionSpecific = getBucketOriginDomainName(bucketName);
+  const global = `${bucketName}.s3.amazonaws.com`;
+  return new Set([regionSpecific, global]);
+};
+
+const distributionToRow = async (client, distribution) => {
+  let siteTag = '-';
+  let tagLookupFailed = false;
+  try {
+    const tagsResponse = await client.send(
+      new ListTagsForResourceCommand({ Resource: distribution.ARN })
+    );
+    const tags = tagsResponse.Tags?.Items || [];
+    siteTag = tags.find((tag) => tag.Key === 'site')?.Value || '-';
+  } catch {
+    siteTag = '-';
+    tagLookupFailed = true;
+  }
+
+  return {
+    id: distribution.Id,
+    arn: distribution.ARN,
+    domainName: distribution.DomainName,
+    status: distribution.Status,
+    comment: distribution.Comment || '',
+    siteTag,
+    tagLookupFailed,
+    originDomainNames: (distribution.Origins?.Items || []).map((origin) => origin.DomainName).filter(Boolean),
+  };
+};
+
+export const getAllDistributions = async (show = true) => {
+  const client = createCloudFrontClient();
+
+  let marker;
+  let all = [];
+  do {
+    const data = await client.send(
+      new ListDistributionsCommand({
+        Marker: marker,
+        MaxItems: '100',
+      })
+    );
+
+    const items = data.DistributionList?.Items || [];
+    all = all.concat(items);
+    marker = data.DistributionList?.NextMarker;
+  } while (marker);
+
+  const rows = await Promise.all(all.map((distribution) => distributionToRow(client, distribution)));
+
+  if (show) {
+    if (rows.length === 0) {
+      console.log('Nessuna distribuzione CloudFront trovata.');
+    } else {
+      console.table(rows);
+    }
+  }
+
+  return rows;
+};
+
+export const getDistributionsByProjectTag = async (projectTag) => {
+  const tag = projectTag || getAppName();
+  const distributions = await getAllDistributions(false);
+  const exactTagMatches = distributions.filter((distribution) => distribution.siteTag === tag);
+  if (exactTagMatches.length > 0) {
+    return exactTagMatches;
+  }
+
+  // Fallback for accounts where tag listing may be temporarily unavailable:
+  // use deterministic comment pattern set by this tool.
+  const commentMatches = distributions.filter(
+    (distribution) => distribution.comment === `CDN for ${tag}`
+  );
+  if (commentMatches.length > 0) {
+    console.log(
+      `⚠️  Tag lookup unavailable/incomplete for some distributions. Using comment fallback for site=${tag}.`
+    );
+    return commentMatches;
+  }
+
+  const hasTagLookupFailures = distributions.some((distribution) => distribution.tagLookupFailed);
+  if (hasTagLookupFailures) {
+    throw new Error(
+      `Impossibile verificare in modo affidabile le distribuzioni CloudFront per site=${tag} (tag lookup fallito). ` +
+        "Per sicurezza blocco la creazione automatica per evitare duplicati. " +
+        "Verifica i permessi cloudfront:ListTagsForResource e rilancia."
+    );
+  }
+
+  return [];
+};
+
+export const getDistributionByProjectTagStrict = async (projectTag) => {
+  const tag = projectTag || getAppName();
+  const matches = await getDistributionsByProjectTag(tag);
+
+  if (matches.length === 0) {
+    return null;
+  }
+
+  if (matches.length > 1) {
+    console.table(matches);
+    throw new Error(
+      `Trovate ${matches.length} distribuzioni CloudFront con tag site=${tag}. Risolvi il conflitto manualmente.`
+    );
+  }
+
+  return matches[0];
+};
+
+const getDistributionForProjectStrict = async ({ projectName, bucketName }) => {
+  const expectedComment = `CDN for ${projectName}`;
+  const expectedOrigins = getBucketOriginDomainCandidates(bucketName);
+  const distributions = await getAllDistributions(false);
+
+  const matches = distributions.filter((distribution) => {
+    const commentMatch = distribution.comment === expectedComment;
+    const tagMatch = distribution.siteTag === projectName;
+    const originMatch = (distribution.originDomainNames || []).some((domain) =>
+      expectedOrigins.has(domain)
+    );
+
+    // Prefer deterministic linkage to the project bucket and metadata.
+    return originMatch && (commentMatch || tagMatch);
+  });
+
+  if (matches.length === 0) {
+    return null;
+  }
+
+  if (matches.length > 1) {
+    console.table(matches);
+    throw new Error(
+      `Trovate ${matches.length} distribuzioni CloudFront candidate per ${projectName}. ` +
+        'Risolvi il conflitto manualmente prima di rilanciare.'
+    );
+  }
+
+  return matches[0];
+};
+
+const getOriginAccessControlByName = async (client, name) => {
+  let marker;
+  const allItems = [];
+
+  do {
+    const data = await client.send(
+      new ListOriginAccessControlsCommand({
+        Marker: marker,
+        MaxItems: '100',
+      })
+    );
+    const items = data.OriginAccessControlList?.Items || [];
+    allItems.push(...items);
+    marker = data.OriginAccessControlList?.NextMarker;
+  } while (marker);
+
+  const summary = allItems.find((item) => item?.Name === name);
+  if (!summary) {
+    return null;
+  }
+
+  // Normalize list summary shape to the object shape used by create response.
+  return {
+    Id: summary.Id,
+    Name: summary.Name,
+    Description: summary.Description,
+    SigningProtocol: summary.SigningProtocol,
+    SigningBehavior: summary.SigningBehavior,
+    OriginAccessControlOriginType: summary.OriginAccessControlOriginType,
+  };
+};
+
+const ensureOriginAccessControl = async (client, projectName, options = {}) => {
+  const dryRun = Boolean(options.dryRun);
+  const name = `${projectName}-media-oac`;
+  const existing = await getOriginAccessControlByName(client, name);
+  if (existing) {
+    return existing;
+  }
+
+  if (dryRun) {
+    console.log(`🧪 [dry-run] Creo Origin Access Control ${name}`);
+    return { Id: `dryrun-oac-${projectName}`, Name: name };
+  }
+
+  const created = await client.send(
+    new CreateOriginAccessControlCommand({
+      OriginAccessControlConfig: {
+        Name: name,
+        Description: `OAC for ${projectName} media`,
+        OriginAccessControlOriginType: 's3',
+        SigningBehavior: 'always',
+        SigningProtocol: 'sigv4',
+      },
+    })
+  );
+
+  return created.OriginAccessControl;
+};
+
+export const ensureDistributionUsesOAC = async ({ distributionId, projectName, bucketName, dryRun = false }) => {
+  const client = createCloudFrontClient();
+  const bucketOriginDomainName = getBucketOriginDomainName(bucketName);
+  const oac = await ensureOriginAccessControl(client, projectName, { dryRun });
+
+  const configResponse = await client.send(
+    new GetDistributionConfigCommand({
+      Id: distributionId,
+    })
+  );
+
+  const config = configResponse.DistributionConfig;
+  const etag = configResponse.ETag;
+  const origins = config.Origins?.Items || [];
+  const targetOrigin = origins.find((origin) => origin.DomainName === bucketOriginDomainName);
+
+  if (!targetOrigin) {
+    throw new Error(
+      `La distribuzione ${distributionId} non punta al bucket previsto (${bucketOriginDomainName}).`
+    );
+  }
+
+  const alreadyConfigured =
+    targetOrigin.OriginAccessControlId === oac.Id &&
+    (targetOrigin.S3OriginConfig?.OriginAccessIdentity || '') === '';
+
+  if (alreadyConfigured) {
+    return;
+  }
+
+  targetOrigin.OriginAccessControlId = oac.Id;
+  targetOrigin.S3OriginConfig = { OriginAccessIdentity: '' };
+
+  if (dryRun) {
+    console.log(`🧪 [dry-run] Aggiorno distribuzione ${distributionId} per usare OAC ${oac.Id}`);
+    return;
+  }
+
+  await client.send(
+    new UpdateDistributionCommand({
+      Id: distributionId,
+      IfMatch: etag,
+      DistributionConfig: config,
+    })
+  );
+};
+
+const createDistributionInternal = async ({ projectName, bucketName, dryRun = false }) => {
+  const client = createCloudFrontClient();
+  const originDomainName = getBucketOriginDomainName(bucketName);
+  const oac = await ensureOriginAccessControl(client, projectName, { dryRun });
+
+  const input = {
+    DistributionConfigWithTags: {
+      DistributionConfig: {
+        CallerReference: `${Date.now()}`,
+        Comment: `CDN for ${projectName}`,
+        Enabled: true,
+        HttpVersion: 'http2and3',
+        IsIPV6Enabled: true,
+        PriceClass: 'PriceClass_100',
+        Origins: {
+          Quantity: 1,
+          Items: [
+            {
+              Id: originDomainName,
+              DomainName: originDomainName,
+              OriginPath: '',
+              OriginAccessControlId: oac.Id,
+              S3OriginConfig: { OriginAccessIdentity: '' },
+            },
+          ],
+        },
+        DefaultCacheBehavior: {
+          TargetOriginId: originDomainName,
+          ViewerProtocolPolicy: 'redirect-to-https',
+          AllowedMethods: {
+            Quantity: 2,
+            Items: ['GET', 'HEAD'],
+            CachedMethods: { Quantity: 2, Items: ['GET', 'HEAD'] },
+          },
+          CachePolicyId: CACHING_OPTIMIZED_POLICY_ID,
+          Compress: true,
+          TrustedSigners: { Enabled: false, Quantity: 0 },
+          TrustedKeyGroups: { Enabled: false, Quantity: 0 },
+        },
+        Restrictions: {
+          GeoRestriction: {
+            RestrictionType: 'none',
+            Quantity: 0,
+          },
+        },
+        ViewerCertificate: {
+          CloudFrontDefaultCertificate: true,
+          MinimumProtocolVersion: 'TLSv1.2_2021',
+        },
+      },
+      Tags: {
+        Items: [{ Key: 'site', Value: projectName }],
+      },
+    },
+  };
+
+  if (dryRun) {
+    console.log(`🧪 [dry-run] Creo distribuzione CloudFront tagged site=${projectName}`);
+    return {
+      id: `DRYRUN-${projectName}`,
+      arn: `arn:aws:cloudfront::dryrun:distribution/DRYRUN-${projectName}`,
+      domainName: `${projectName}.dry-run.cloudfront.net`,
+      status: 'DRY_RUN',
+      comment: `CDN for ${projectName}`,
+      siteTag: projectName,
+    };
+  }
+
+  const response = await client.send(new CreateDistributionWithTagsCommand(input));
+  const distribution = response.Distribution;
+  return {
+    id: distribution.Id,
+    arn: distribution.ARN,
+    domainName: distribution.DomainName,
+    status: distribution.Status,
+    comment: distribution.Comment || '',
+    siteTag: projectName,
+  };
+};
+
+export const resolveOrCreateDistributionForProject = async ({ projectName, bucketName, dryRun = false }) => {
+  if (dryRun) {
+    return await createDistributionInternal({ projectName, bucketName, dryRun: true });
+  }
+
+  const existing = await getDistributionForProjectStrict({ projectName, bucketName });
+  if (existing) {
+    await ensureDistributionUsesOAC({
+      distributionId: existing.id,
+      projectName,
+      bucketName,
+      dryRun,
+    });
+    return existing;
+  }
+
+  return await createDistributionInternal({ projectName, bucketName, dryRun });
+};
+
+export const createDistribution = async (projectName, bucketName, options = {}) => {
+  const resolvedProjectName = projectName || getAppName();
+  const resolvedBucketName = bucketName || `${resolvedProjectName}-media`;
+  const dryRun = Boolean(options.dryRun);
+  const bucketExists = await doesBucketExist(resolvedBucketName);
+  if (!bucketExists) {
+    if (dryRun) {
+      console.log(
+        `🧪 [dry-run] Bucket ${resolvedBucketName} non trovato: in run reale \`media cloudfront setup\` fallirebbe.`
+      );
+      return {
+        id: `DRYRUN-${resolvedProjectName}`,
+        arn: `arn:aws:cloudfront::dryrun:distribution/DRYRUN-${resolvedProjectName}`,
+        domainName: `${resolvedProjectName}.dry-run.cloudfront.net`,
+        status: 'DRY_RUN_DEPENDENCY_MISSING',
+        comment: `CDN for ${resolvedProjectName}`,
+        siteTag: resolvedProjectName,
+      };
+    }
+    throw new Error(
+      `Bucket ${resolvedBucketName} non trovato. Crea prima il bucket con \`media setup-general\` o \`media s3\`.`
+    );
+  }
+
+  const result = await resolveOrCreateDistributionForProject({
+    projectName: resolvedProjectName,
+    bucketName: resolvedBucketName,
+    dryRun,
+  });
+
+  const accountId = await getAwsAccountId();
+  await applyCloudFrontReadPolicy({
+    bucketName: resolvedBucketName,
+    distributionId: result.id,
+    accountId,
+    dryRun,
+  });
+
+  console.table([result]);
+  return result;
+};
+
+// Compat layer for existing CLI entrypoint.
+export const getDistributionByTagOrName = async (tagOrName) => {
+  const tag = tagOrName || getAppName();
+  const result = await getDistributionByProjectTagStrict(tag);
+  if (!result) {
+    console.log(`ℹ️  Nessuna distribuzione trovata con tag site=${tag}`);
+    return null;
+  }
+  console.table([result]);
+  return result;
+};