@lsts_tech/infra 1.0.0

package/examples/next-only/infra.config.ts

@@ -0,0 +1,60 @@
+import { resolveDomain, createNextSite, createPipeline } from "@lsts_tech/infra";
+
+const secrets = {
+  DatabaseUrl: new sst.Secret("DatabaseUrl"),
+  AuthSecret: new sst.Secret("AuthSecret"),
+};
+
+export function createInfrastructure() {
+  const stage = $app.stage;
+  const rootDomain = process.env.INFRA_ROOT_DOMAIN ?? "example.com";
+
+  const { domain, domainName } = resolveDomain({
+    rootDomain,
+    stage,
+  });
+
+  const { url } = createNextSite({
+    appPath: "../../apps/web",
+    id: `web-${stage}`,
+    domain,
+    environment: {
+      NEXT_PUBLIC_APP_URL: `https://${domainName}`,
+      DATABASE_URL: secrets.DatabaseUrl.value,
+      AUTH_SECRET: secrets.AuthSecret.value,
+    },
+  });
+
+  const outputs: Record<string, unknown> = {
+    siteUrl: url,
+    domain: domainName,
+  };
+
+  if (stage === "production") {
+    const repo = process.env.INFRA_PIPELINE_REPO ?? "myorg/myrepo";
+    const prefix = process.env.INFRA_PIPELINE_PREFIX ?? "myapp";
+
+    const prod = createPipeline({
+      name: `${prefix}-prod`,
+      repo,
+      branch: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "main",
+      stage: "production",
+      projectTag: process.env.INFRA_PROJECT_TAG ?? prefix,
+    });
+
+    const dev = createPipeline({
+      name: `${prefix}-dev`,
+      repo,
+      branch: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "develop",
+      stage: "dev",
+      projectTag: process.env.INFRA_PROJECT_TAG ?? prefix,
+    });
+
+    outputs.pipelines = {
+      production: prod.pipelineName,
+      dev: dev.pipelineName,
+    };
+  }
+
+  return outputs;
+}

package/package.json

@@ -0,0 +1,102 @@
+{
+  "name": "@lsts_tech/infra",
+  "version": "1.0.0",
+  "description": "Reusable SST v3 infrastructure constructs for deploying Next.js and Expo web apps from monorepos.",
+  "type": "module",
+  "license": "MIT",
+  "author": "LSTS Solutions",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lstechnologysolutions/infra.git"
+  },
+  "homepage": "https://github.com/lstechnologysolutions/infra#readme",
+  "bugs": {
+    "url": "https://github.com/lstechnologysolutions/infra/issues"
+  },
+  "keywords": [
+    "sst",
+    "infrastructure",
+    "aws",
+    "nextjs",
+    "codepipeline",
+    "monorepo",
+    "turborepo",
+    "iac",
+    "cloudfront",
+    "route53",
+    "lambda",
+    "opennext",
+    "expo",
+    "expo-web",
+    "static-site",
+    "white-label"
+  ],
+  "main": "./dist/stacks/index.js",
+  "types": "./dist/stacks/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/stacks/index.d.ts",
+      "import": "./dist/stacks/index.js"
+    },
+    "./stacks/Dns": {
+      "types": "./dist/stacks/Dns.d.ts",
+      "import": "./dist/stacks/Dns.js"
+    },
+    "./stacks/NextSite": {
+      "types": "./dist/stacks/NextSite.d.ts",
+      "import": "./dist/stacks/NextSite.js"
+    },
+    "./stacks/ExpoSite": {
+      "types": "./dist/stacks/ExpoSite.d.ts",
+      "import": "./dist/stacks/ExpoSite.js"
+    },
+    "./stacks/Pipeline": {
+      "types": "./dist/stacks/Pipeline.d.ts",
+      "import": "./dist/stacks/Pipeline.js"
+    }
+  },
+  "bin": {
+    "lsts-infra": "dist/bin/init.js"
+  },
+  "files": [
+    "dist/",
+    "scripts/",
+    "schemas/",
+    "templates/",
+    "docs/",
+    "examples/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "rm -rf dist && tsc",
+    "prepublishOnly": "npm run build",
+    "dev": "sst dev",
+    "deploy": "sst deploy",
+    "deploy:dev": "sst deploy --stage dev",
+    "deploy:prod": "sst deploy --stage production",
+    "remove": "sst remove",
+    "console": "sst console",
+    "secrets": "sst secrets",
+    "ensure-secrets": "./scripts/ensure-secrets.sh",
+    "lint": "echo 'no lint configured'",
+    "check-types": "tsc --noEmit",
+    "clean": "rm -rf .sst dist node_modules"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "dependencies": {
+    "sst": "^3.7.0",
+    "@pulumi/aws": "^6.66.0",
+    "@pulumi/pulumi": "^3.145.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.9",
+    "typescript": "^5"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

package/schemas/pipeline.schema.json

@@ -0,0 +1,25 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Pipeline Schema",
+  "description": "Defines a minimal pipeline configuration model that the infra package expects for creating CodePipeline/CodeBuild resources.",
+  "type": "object",
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Logical name for the pipeline (eg. web-cicd)"
+    },
+    "branch": {
+      "type": "string",
+      "description": "Git branch the pipeline will build and deploy"
+    },
+    "stage": {
+      "type": "string",
+      "description": "SST stage to deploy (eg. dev, production)"
+    },
+    "buildSpecPath": {
+      "type": "string",
+      "description": "Path (in repo) to a buildspec file used by CodeBuild"
+    }
+  },
+  "required": ["name", "branch", "stage"]
+}

package/scripts/cleanup-orphan-lambdas.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# cleanup-orphan-lambdas.sh
+# Finds Lambda functions that match a given prefix but are not owned by any
+# CloudFormation stack (orphans). Checks recent usage and optionally deletes
+# them when invoked with --delete.
+#
+# Required environment variables:
+#   PREFIX — Lambda function name prefix to search for (e.g., "myapp")
+
+AWS_REGION=${AWS_REGION:-us-east-1}
+THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}
+
+if [ -z "${PREFIX:-}" ]; then
+  echo "ERROR: PREFIX environment variable is required (e.g., PREFIX=myapp)"
+  echo "This is the Lambda function name prefix to search for orphans."
+  exit 1
+fi
+
+usage() {
+  echo "Usage: PREFIX=myapp $0 [--delete] [--region REGION]"
+  echo "  --delete    Actually delete identified orphan functions"
+  exit 1
+}
+
+DO_DELETE=0
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --delete) DO_DELETE=1; shift ;;
+    --region) AWS_REGION="$2"; shift 2 ;;
+    -h|--help) usage ;;
+    *) echo "Unknown arg: $1"; usage ;;
+  esac
+done
+
+echo "Region: $AWS_REGION  Prefix: $PREFIX  Threshold: $THRESHOLD_DAYS days"
+
+echo "Listing CloudFormation stacks for project..."
+stacks=$(aws cloudformation list-stacks --region "$AWS_REGION" \
+  --query "StackSummaries[?contains(StackName,'$PREFIX') && StackStatus!='DELETE_COMPLETE'].StackName" --output text)
+
+echo "Found stacks: $stacks"
+
+owned_arns_file=$(mktemp)
+trap 'rm -f "$owned_arns_file"' EXIT
+
+if [ -n "$stacks" ]; then
+  for s in $stacks; do
+    echo "Collecting functions from stack: $s"
+    aws cloudformation list-stack-resources --stack-name "$s" --region "$AWS_REGION" \
+      --query "StackResourceSummaries[?ResourceType=='AWS::Lambda::Function'].PhysicalResourceId" --output text >> "$owned_arns_file" || true
+  done
+fi
+
+echo "Listing all Lambda functions with prefix '$PREFIX'..."
+all_funcs_json=$(aws lambda list-functions --region "$AWS_REGION" --query "Functions[?starts_with(FunctionName, '$PREFIX')].[FunctionName,FunctionArn,LastModified]" --output json)
+
+ORPHAN_FILE="/tmp/${PREFIX}-orphan-lambdas.txt"
+
+echo "$all_funcs_json" | jq -r '.[] | @base64' | while read -r item; do
+  _jq() { echo "$item" | base64 --decode | jq -r "$1"; }
+  name=$(_jq '.[0]')
+  arn=$(_jq '.[1]')
+  last_modified=$(_jq '.[2]')
+
+  # check ownership
+  if grep -qF "$arn" "$owned_arns_file"; then
+    echo "SKIP (owned) $name"
+    continue
+  fi
+
+  # check last invocation metric over threshold window
+  end_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+  start_time=$(date -u -d "$THRESHOLD_DAYS days ago" +%Y-%m-%dT%H:%M:%SZ)
+
+  invocations=$(aws cloudwatch get-metric-statistics --region "$AWS_REGION" \
+    --namespace AWS/Lambda --metric-name Invocations --statistics Sum \
+    --dimensions Name=FunctionName,Value="$name" --start-time "$start_time" --end-time "$end_time" --period 86400 \
+    --query "Datapoints[].Sum" --output text || echo "")
+
+  if [ -z "$invocations" ] || [ "$invocations" = "None" ] || [ "$invocations" = "" ]; then
+    inv_sum=0
+  else
+    inv_sum=$(echo "$invocations" | awk '{sum += $1} END {print sum+0}')
+  fi
+
+  if [ "$inv_sum" -eq 0 ]; then
+    echo "ORPHAN CANDIDATE: $name (lastModified: $last_modified) — no invocations in last $THRESHOLD_DAYS days"
+    if [ "$DO_DELETE" -eq 1 ]; then
+      echo "Deleting $name..."
+      aws lambda delete-function --function-name "$name" --region "$AWS_REGION"
+      echo "Deleted $name"
+    else
+      echo "$name" >> "$ORPHAN_FILE"
+    fi
+  else
+    echo "IN USE: $name (invocations last $THRESHOLD_DAYS days: $inv_sum)"
+  fi
+done
+
+echo "Completed. Dry-run list at $ORPHAN_FILE (if any). Rerun with --delete to remove." 

package/scripts/delete-amplify-app.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# delete-amplify-app.sh
+# Delete an AWS Amplify app by app id or by matching a domain/branch.
+# Usage:
+#   ./delete-amplify-app.sh --app-id <appId>
+#   ./delete-amplify-app.sh --domain example.com
+# This is non-reversible; ensure you have backups before running.
+
+if ! command -v aws >/dev/null 2>&1; then
+  echo "aws CLI required"
+  exit 1
+fi
+
+APP_ID=""
+DOMAIN=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --app-id) APP_ID="$2"; shift 2 ;;
+    --domain) DOMAIN="$2"; shift 2 ;;
+    -h|--help) echo "Usage: $0 [--app-id <appId>] [--domain <domain>]"; exit 0 ;;
+    *) echo "Unknown arg: $1"; exit 1 ;;
+  esac
+done
+
+if [[ -z "$APP_ID" && -z "$DOMAIN" ]]; then
+  echo "Either --app-id or --domain is required"
+  exit 1
+fi
+
+if [[ -n "$DOMAIN" ]]; then
+  echo "Searching Amplify apps for domain: $DOMAIN"
+  # List apps and find ones with domain associations
+  apps=$(aws amplify list-apps --query "apps[].{id:appId,name:name,domain:defaultDomain}" --output json)
+  # Try to find app that matches domain or defaultDomain contains the domain
+  APP_ID=$(echo "$apps" | node -e "const r=require('fs').readFileSync(0,'utf8'); const a=JSON.parse(r)||[]; for(const it of a){ if((it.domain||'').includes(process.argv[1])|| (it.name||'').includes(process.argv[1])){ console.log(it.id||it.appId||it.appId||it.appId); process.exit(0);} }" "$DOMAIN" || true)
+fi
+
+if [[ -z "$APP_ID" ]]; then
+  echo "Amplify app not found for domain; please specify --app-id"
+  exit 1
+fi
+
+echo "Deleting Amplify app: $APP_ID"
+aws amplify delete-app --app-id "$APP_ID"
+
+echo "Deleted Amplify app $APP_ID (request submitted)."
+echo "Note: You may want to remove associated DNS records and artifacts if needed."

package/scripts/ensure-pipelines.sh

@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ensure-pipelines.sh
+#
+# AWS-only helper (v1.0.0) to ensure configured CodePipelines exist.
+# Missing pipelines are created by triggering an SST deploy for their mapped stage.
+#
+# Usage:
+#   APPROVE=true bash scripts/ensure-pipelines.sh
+
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+INFRA_DIR=$(cd "$SCRIPT_DIR/.." && pwd)
+
+if [ -f "$INFRA_DIR/.env" ]; then
+  set -a
+  # shellcheck disable=SC1091
+  source "$INFRA_DIR/.env"
+  set +a
+fi
+
+DOMAIN_ROOT=${DOMAIN_ROOT:-${INFRA_ROOT_DOMAIN:-}}
+if [ -z "$DOMAIN_ROOT" ]; then
+  echo "ERROR: Set DOMAIN_ROOT or INFRA_ROOT_DOMAIN (e.g., example.com)" >&2
+  exit 1
+fi
+
+REGION=${AWS_REGION:-us-east-1}
+PIPELINE_PREFIX=${INFRA_PIPELINE_PREFIX:-myapp}
+PIPELINES_CSV=${INFRA_PIPELINES:-production,dev,mobile}
+REPO_DEFAULT=${INFRA_PIPELINE_REPO:-myorg/myrepo}
+BRANCH_PROD=${INFRA_PIPELINE_BRANCH_PROD:-main}
+BRANCH_DEV=${INFRA_PIPELINE_BRANCH_DEV:-develop}
+BRANCH_MOBILE=${INFRA_PIPELINE_BRANCH_MOBILE:-mobile}
+
+declare -A PIPELINE_STAGE=()
+declare -A PIPELINE_REPO=()
+declare -A PIPELINE_BRANCH=()
+
+add_pipeline() {
+  local stage=$1
+  local name="${PIPELINE_PREFIX}-${stage}"
+  local branch=${2:-main}
+
+  if [ "$stage" = "production" ]; then
+    name="${PIPELINE_PREFIX}-prod"
+  fi
+
+  PIPELINE_STAGE["$name"]="$stage"
+  PIPELINE_REPO["$name"]="$REPO_DEFAULT"
+  PIPELINE_BRANCH["$name"]="$branch"
+}
+
+IFS=',' read -r -a STAGE_LIST <<< "$PIPELINES_CSV"
+for raw in "${STAGE_LIST[@]}"; do
+  stage=$(echo "$raw" | xargs)
+  case "$stage" in
+    production) add_pipeline "production" "$BRANCH_PROD" ;;
+    dev) add_pipeline "dev" "$BRANCH_DEV" ;;
+    mobile) add_pipeline "mobile" "$BRANCH_MOBILE" ;;
+    ""|none) ;;
+    *)
+      # Allow custom stage names while defaulting to main branch.
+      add_pipeline "$stage" "main"
+      ;;
+  esac
+done
+
+resolve_sst_deploy_script() {
+  local candidates=(
+    "$SCRIPT_DIR/sst-deploy.sh"
+    "$INFRA_DIR/node_modules/@lsts_tech/infra/scripts/sst-deploy.sh"
+    "$INFRA_DIR/../node_modules/@lsts_tech/infra/scripts/sst-deploy.sh"
+  )
+
+  for candidate in "${candidates[@]}"; do
+    if [ -f "$candidate" ]; then
+      echo "$candidate"
+      return 0
+    fi
+  done
+
+  return 1
+}
+
+if ! command -v aws >/dev/null 2>&1; then
+  echo "aws CLI not found in PATH" >&2
+  exit 1
+fi
+
+if [ ${#PIPELINE_STAGE[@]} -eq 0 ]; then
+  echo "No pipelines configured in scripts/ensure-pipelines.sh. Nothing to do."
+  exit 0
+fi
+
+SST_DEPLOY_SCRIPT=${SST_DEPLOY_SCRIPT:-}
+if [ -z "$SST_DEPLOY_SCRIPT" ]; then
+  SST_DEPLOY_SCRIPT=$(resolve_sst_deploy_script || true)
+fi
+
+if [ -z "$SST_DEPLOY_SCRIPT" ]; then
+  echo "Could not locate sst-deploy.sh. Set SST_DEPLOY_SCRIPT explicitly." >&2
+  exit 1
+fi
+
+cd "$INFRA_DIR"
+
+MISSING=()
+for NAME in "${!PIPELINE_STAGE[@]}"; do
+  PIPELINE_NAME="${NAME}-pipeline"
+  echo "Checking for pipeline names: $NAME or $PIPELINE_NAME (region: $REGION)"
+
+  if aws codepipeline get-pipeline --name "$NAME" --region "$REGION" >/dev/null 2>&1 || \
+     aws codepipeline get-pipeline --name "$PIPELINE_NAME" --region "$REGION" >/dev/null 2>&1; then
+    echo "Pipeline exists: $PIPELINE_NAME"
+  else
+    echo "Pipeline missing: $PIPELINE_NAME"
+    MISSING+=("$NAME")
+  fi
+done
+
+if [ ${#MISSING[@]} -eq 0 ]; then
+  echo "All pipelines present; nothing to do."
+  exit 0
+fi
+
+echo "Missing pipelines: ${MISSING[*]}"
+
+if [ "${APPROVE:-}" != "true" ]; then
+  echo "To create missing pipelines, re-run with APPROVE=true."
+  exit 1
+fi
+
+for NAME in "${MISSING[@]}"; do
+  STAGE=${PIPELINE_STAGE[$NAME]:-production}
+  REPO=${PIPELINE_REPO[$NAME]:-$REPO_DEFAULT}
+  BRANCH=${PIPELINE_BRANCH[$NAME]:-main}
+
+  echo "Creating pipeline '$NAME' via SST deploy (stage: $STAGE, repo: $REPO, branch: $BRANCH)"
+  APPROVE=true STACK="$STAGE" bash "$SST_DEPLOY_SCRIPT"
+done
+
+echo "Done. Current pipelines:"
+aws codepipeline list-pipelines --region "$REGION" --query "pipelines[].name" --output table || true

package/scripts/ensure-secrets.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ensure-secrets.sh
+# Idempotently ensure SST secrets for a given stage using the schema.
+# Usage: ./ensure-secrets.sh <stage> [--values-file path/to/values.env]
+
+STAGE=${1:-dev}
+VALUES_FILE=${2:-}
+
+ROOT_DIR=$(cd "$(dirname "$0")/.." && pwd)
+SCHEMA_FILE="$ROOT_DIR/schemas/secrets.schema.json"
+
+if ! command -v node >/dev/null 2>&1; then
+  echo "node is required to run this script"
+  exit 1
+fi
+
+if ! command -v npx >/dev/null 2>&1; then
+  echo "npx is required to run this script"
+  exit 1
+fi
+
+echo "Using secrets schema: $SCHEMA_FILE"
+
+# Extract keys from schema using node (single-line invocation avoids heredoc issues)
+KEYS=$(node -e "const fs=require('fs');const p=process.argv[1];const schema=JSON.parse(fs.readFileSync(p,'utf8'));console.log(Object.keys(schema.properties||{}).join(' '));" "$SCHEMA_FILE")
+
+declare -A VALS
+
+# Load values-file if provided (simple KEY=VALUE lines)
+if [[ -n "$VALUES_FILE" && -f "$VALUES_FILE" ]]; then
+  echo "Loading values from $VALUES_FILE"
+  while IFS='=' read -r k v; do
+    k=$(echo "$k" | tr -d ' \t\r\n')
+    v=$(echo "$v" | sed -e 's/^\s*//;s/\s*$//')
+    if [[ -n "$k" ]]; then
+      VALS["$k"]="$v"
+    fi
+  done < <(grep -E '^[A-Za-z0-9_]+=.*' "$VALUES_FILE" || true)
+fi
+
+echo "Ensuring SST secrets for stage: $STAGE"
+for key in $KEYS; do
+  value="${VALS[$key]:-__MISSING__}"
+  if [[ "$value" == "__MISSING__" ]]; then
+    # generate a random value for AuthSecret if missing
+    if [[ "$key" == "AuthSecret" ]]; then
+      value=$(node -e "console.log(require('crypto').randomBytes(32).toString('hex'))")
+    fi
+  fi
+
+  echo "Setting secret: $key"
+  # Use `sst secret set` which is idempotent for values; it will create/update.
+  npx --yes sst secret set "$key" "$value" --stage "$STAGE"
+done
+
+echo "All secrets ensured for stage: $STAGE"