npm - @projectdochelp/s3te - Versions diffs - 3.2.0 → 3.2.1 - Mend

@projectdochelp/s3te 3.2.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +9 -1
package/package.json +1 -1
package/packages/aws-adapter/src/deploy.mjs +125 -7
package/packages/cli/src/project.mjs +135 -3

package/README.md CHANGED Viewed

@@ -80,7 +80,7 @@ This section is only about the AWS things you need before you touch S3TE. The ac
 | Daily-work AWS access | `s3te deploy` needs credentials that can create CloudFormation stacks and related resources. | [Create an IAM user](https://docs.aws.amazon.com/console/iam/add-users), [Manage access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html) |
 | AWS CLI v2 | The S3TE CLI shells out to the official `aws` CLI. | [Install AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html), [Get started with AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) |
 | Domain name you control | CloudFront and TLS only make sense for domains you can point to AWS. | Use your registrar of choice |
-| ACM certificate in `us-east-1` | CloudFront requires its public certificate in `us-east-1`. | [Public certificates in ACM](https://docs.aws.amazon.com/acm/latest/userguide/acm-public-certificates.html) |
+| ACM certificate in `us-east-1` | CloudFront requires its public certificate in `us-east-1`, and the certificate must cover every alias S3TE will derive for that environment. | [Public certificates in ACM](https://docs.aws.amazon.com/acm/latest/userguide/acm-public-certificates.html) |
 | Optional Route53 hosted zone | Needed only if S3TE should create DNS alias records automatically. | [Create a public hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) |
 </details>
@@ -228,6 +228,12 @@ The most important fields for a first deployment are:
 Use plain hostnames in `baseUrl` and `cloudFrontAliases`, not full URLs. If your config contains a `prod` environment plus additional environments such as `test` or `stage`, S3TE keeps the `prod` hostname unchanged and derives non-production hostnames automatically by prepending `<env>.`.
+Your ACM certificate must cover the final derived aliases of the environment you deploy. Example:
+- `*.example.com` covers `test.example.com`
+- `*.example.com` does not cover `test.app.example.com`
+- for nested aliases like `test.app.example.com`, add a SAN such as `*.app.example.com`, the exact hostname, or use a different `certificateArn` for that environment
 </details>
 <details>
@@ -243,6 +249,8 @@ npx s3te deploy --env dev
 `render` writes the local preview into `offline/S3TELocal/preview/dev/...`.
+`doctor --env <name>` now also checks whether the configured ACM certificate covers the CloudFront aliases that S3TE derives for that environment. For that check, the AWS identity running `doctor` needs permission to call `acm:DescribeCertificate` for the configured certificate ARN.
 `deploy` creates or updates the persistent environment stack, uses a temporary deploy stack for packaged Lambda artifacts, synchronizes the source project into the code bucket, and removes the temporary stack again when the deploy finishes.
 After the first successful deploy, use `s3te sync --env dev` for regular template, partial, asset and source updates when the infrastructure itself did not change.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@projectdochelp/s3te",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "CLI, render core, AWS adapter, and testkit for S3TemplateEngine projects",
   "repository": {
     "type": "git",

package/packages/aws-adapter/src/deploy.mjs CHANGED Viewed

@@ -53,6 +53,52 @@ async function describeStack({ stackName, region, profile, cwd }) {
   return JSON.parse(describedStack.stdout).Stacks?.[0];
 }
+async function describeStackEvents({ stackName, region, profile, cwd }) {
+  const describedEvents = await runAwsCli(["cloudformation", "describe-stack-events", "--stack-name", stackName, "--output", "json"], {
+    region,
+    profile,
+    cwd,
+    errorCode: "ADAPTER_ERROR"
+  });
+  return JSON.parse(describedEvents.stdout).StackEvents ?? [];
+}
+export function summarizeStackFailureEvents(stackEvents = [], limit = 8) {
+  return stackEvents
+    .filter((event) => (
+      String(event.ResourceStatus ?? "").includes("FAILED")
+      || String(event.ResourceStatus ?? "").includes("ROLLBACK")
+    ))
+    .map((event) => ({
+      timestamp: event.Timestamp,
+      logicalResourceId: event.LogicalResourceId,
+      resourceType: event.ResourceType,
+      resourceStatus: event.ResourceStatus,
+      resourceStatusReason: event.ResourceStatusReason
+    }))
+    .slice(0, limit);
+}
+async function attachStackFailureDetails(error, { stackName, region, profile, cwd }) {
+  try {
+    const stackEvents = await describeStackEvents({ stackName, region, profile, cwd });
+    const summarizedEvents = summarizeStackFailureEvents(stackEvents);
+    if (summarizedEvents.length > 0) {
+      error.details = {
+        ...(error.details ?? {}),
+        stackFailureEvents: summarizedEvents
+      };
+    }
+  } catch (stackEventsError) {
+    error.details = {
+      ...(error.details ?? {}),
+      stackFailureEventsError: stackEventsError.message
+    };
+  }
+  return error;
+}
 async function deployCloudFormationStack({
   stackName,
   templatePath,
@@ -85,13 +131,22 @@ async function deployCloudFormationStack({
     args.push("--no-execute-changeset");
   }
-  await runAwsCli(args, {
-    region,
-    profile,
-    cwd,
-    stdio,
-    errorCode: "ADAPTER_ERROR"
-  });
+  try {
+    await runAwsCli(args, {
+      region,
+      profile,
+      cwd,
+      stdio,
+      errorCode: "ADAPTER_ERROR"
+    });
+  } catch (error) {
+    throw await attachStackFailureDetails(error, {
+      stackName,
+      region,
+      profile,
+      cwd
+    });
+  }
 }
 async function resolveWebinyStreamArn({ runtimeConfig, region, profile, cwd }) {
@@ -176,6 +231,63 @@ async function deployTemporaryArtifactsStack({
   };
 }
+export function collectBucketObjectVersions(payload = {}) {
+  return [
+    ...(payload.Versions ?? []),
+    ...(payload.DeleteMarkers ?? [])
+  ].map((entry) => ({
+    Key: entry.Key,
+    VersionId: entry.VersionId
+  })).filter((entry) => entry.Key && entry.VersionId);
+}
+function chunkItems(items, chunkSize) {
+  const chunks = [];
+  for (let index = 0; index < items.length; index += chunkSize) {
+    chunks.push(items.slice(index, index + chunkSize));
+  }
+  return chunks;
+}
+async function deleteBucketObjectVersions({
+  bucketName,
+  region,
+  profile,
+  cwd
+}) {
+  while (true) {
+    const listedVersions = await runAwsCli(["s3api", "list-object-versions", "--bucket", bucketName, "--output", "json"], {
+      region,
+      profile,
+      cwd,
+      errorCode: "ADAPTER_ERROR"
+    });
+    const objects = collectBucketObjectVersions(JSON.parse(listedVersions.stdout || "{}"));
+    if (objects.length === 0) {
+      return;
+    }
+    for (const batch of chunkItems(objects, 250)) {
+      await runAwsCli([
+        "s3api",
+        "delete-objects",
+        "--bucket",
+        bucketName,
+        "--delete",
+        JSON.stringify({
+          Objects: batch,
+          Quiet: true
+        })
+      ], {
+        region,
+        profile,
+        cwd,
+        errorCode: "ADAPTER_ERROR"
+      });
+    }
+  }
+}
 async function cleanupTemporaryArtifactsStack({
   stackName,
   artifactBucket,
@@ -191,6 +303,12 @@ async function cleanupTemporaryArtifactsStack({
         cwd,
         errorCode: "ADAPTER_ERROR"
       });
+      await deleteBucketObjectVersions({
+        bucketName: artifactBucket,
+        region,
+        profile,
+        cwd
+      });
     } catch (error) {
       if (!String(error.message).includes("NoSuchBucket")) {
         throw error;

package/packages/cli/src/project.mjs CHANGED Viewed

@@ -4,6 +4,7 @@ import { spawn } from "node:child_process";
 import {
   S3teError,
+  buildEnvironmentRuntimeConfig,
   createManualRenderTargets,
   isRenderableKey,
   loadProjectConfig,
@@ -16,6 +17,7 @@ import {
   ensureAwsCliAvailable,
   ensureAwsCredentials,
   packageAwsProject,
+  runAwsCli,
   syncAwsProject
 } from "../../aws-adapter/src/index.mjs";
@@ -32,11 +34,102 @@ function normalizePath(value) {
   return String(value).replace(/\\/g, "/");
 }
+function isProjectTestFile(filename) {
+  return /(?:^test-.*|.*\.(?:test|spec))\.(?:cjs|mjs|js)$/i.test(filename);
+}
+async function listProjectTestFiles(rootDir, currentDir = rootDir) {
+  const entries = await fs.readdir(currentDir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const fullPath = path.join(currentDir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await listProjectTestFiles(rootDir, fullPath));
+      continue;
+    }
+    if (entry.isFile() && isProjectTestFile(entry.name)) {
+      files.push(normalizePath(path.relative(rootDir, fullPath)));
+    }
+  }
+  return files.sort();
+}
 function unknownEnvironmentMessage(config, environmentName) {
   const knownEnvironments = Object.keys(config?.environments ?? {});
   return `Unknown environment ${environmentName}. Known environments: ${knownEnvironments.length > 0 ? knownEnvironments.join(", ") : "(none)"}.`;
 }
+function normalizeHostname(value) {
+  return String(value ?? "").trim().toLowerCase().replace(/\.+$/, "");
+}
+function certificatePatternMatchesHost(pattern, hostname) {
+  const normalizedPattern = normalizeHostname(pattern);
+  const normalizedHostname = normalizeHostname(hostname);
+  if (!normalizedPattern || !normalizedHostname) {
+    return false;
+  }
+  if (!normalizedPattern.includes("*")) {
+    return normalizedPattern === normalizedHostname;
+  }
+  const patternLabels = normalizedPattern.split(".");
+  const hostnameLabels = normalizedHostname.split(".");
+  if (patternLabels[0] !== "*" || patternLabels.slice(1).some((label) => label.includes("*"))) {
+    return false;
+  }
+  if (patternLabels.length !== hostnameLabels.length) {
+    return false;
+  }
+  return patternLabels.slice(1).join(".") === hostnameLabels.slice(1).join(".");
+}
+function findUncoveredCertificateHosts(hostnames, certificateDomains) {
+  const normalizedCertificateDomains = [...new Set(
+    certificateDomains
+      .map((value) => normalizeHostname(value))
+      .filter(Boolean)
+  )];
+  return [...new Set(
+    hostnames
+      .map((value) => normalizeHostname(value))
+      .filter(Boolean)
+      .filter((hostname) => !normalizedCertificateDomains.some((pattern) => certificatePatternMatchesHost(pattern, hostname)))
+  )].sort();
+}
+function collectEnvironmentCloudFrontAliases(config, environmentName) {
+  const runtimeConfig = buildEnvironmentRuntimeConfig(config, environmentName);
+  const aliases = [];
+  for (const variantConfig of Object.values(runtimeConfig.variants)) {
+    for (const languageConfig of Object.values(variantConfig.languages)) {
+      aliases.push(...(languageConfig.cloudFrontAliases ?? []));
+    }
+  }
+  return [...new Set(aliases.map((value) => normalizeHostname(value)).filter(Boolean))].sort();
+}
+async function describeAcmCertificate({ certificateArn, profile, cwd, runAwsCliFn }) {
+  const response = await runAwsCliFn(["acm", "describe-certificate", "--certificate-arn", certificateArn, "--output", "json"], {
+    region: "us-east-1",
+    profile,
+    cwd,
+    errorCode: "AWS_AUTH_ERROR"
+  });
+  return JSON.parse(response.stdout || "{}").Certificate ?? {};
+}
 function assertKnownEnvironment(config, environmentName) {
   if (!environmentName) {
     return;
@@ -736,8 +829,12 @@ export async function runProjectTests(projectDir) {
   const testsDir = await fileExists(path.join(projectDir, "offline", "tests"))
     ? "offline/tests"
     : "tests";
+  const testFiles = await listProjectTestFiles(path.join(projectDir, testsDir));
+  const testArgs = testFiles.length > 0
+    ? testFiles.map((relativePath) => normalizePath(path.join(testsDir, relativePath)))
+    : [testsDir];
   return new Promise((resolve) => {
-    const child = spawn(process.execPath, ["--test", testsDir], {
+    const child = spawn(process.execPath, ["--test", ...testArgs], {
       cwd: projectDir,
       stdio: "inherit"
     });
@@ -787,6 +884,9 @@ export async function syncProject(projectDir, config, options = {}) {
 }
 export async function doctorProject(projectDir, configPath, options = {}) {
+  const ensureAwsCliAvailableFn = options.ensureAwsCliAvailableFn ?? ensureAwsCliAvailable;
+  const ensureAwsCredentialsFn = options.ensureAwsCredentialsFn ?? ensureAwsCredentials;
+  const runAwsCliFn = options.runAwsCliFn ?? runAwsCli;
   const checks = [];
   const majorVersion = Number(process.versions.node.split(".")[0]);
@@ -811,7 +911,7 @@ export async function doctorProject(projectDir, configPath, options = {}) {
   }
   try {
-    await ensureAwsCliAvailable({ cwd: projectDir });
+    await ensureAwsCliAvailableFn({ cwd: projectDir });
     checks.push({ name: "aws-cli", ok: true, message: "AWS CLI available" });
   } catch (error) {
     checks.push({ name: "aws-cli", ok: false, message: error.message });
@@ -828,7 +928,7 @@ export async function doctorProject(projectDir, configPath, options = {}) {
     }
     try {
-      await ensureAwsCredentials({
+      await ensureAwsCredentialsFn({
         region: options.config.environments[options.environment].awsRegion,
         profile: options.profile,
         cwd: projectDir
@@ -837,6 +937,38 @@ export async function doctorProject(projectDir, configPath, options = {}) {
     } catch (error) {
       checks.push({ name: "aws-auth", ok: false, message: error.message });
     }
+    const environmentConfig = options.config.environments[options.environment];
+    const awsAuthCheck = checks.at(-1);
+    if (awsAuthCheck?.name === "aws-auth" && awsAuthCheck.ok) {
+      try {
+        const cloudFrontAliases = collectEnvironmentCloudFrontAliases(options.config, options.environment);
+        const certificate = await describeAcmCertificate({
+          certificateArn: environmentConfig.certificateArn,
+          profile: options.profile,
+          cwd: projectDir,
+          runAwsCliFn
+        });
+        const certificateDomains = [
+          certificate.DomainName,
+          ...(certificate.SubjectAlternativeNames ?? [])
+        ];
+        const uncoveredAliases = findUncoveredCertificateHosts(cloudFrontAliases, certificateDomains);
+        checks.push({
+          name: "acm-certificate",
+          ok: uncoveredAliases.length === 0,
+          message: uncoveredAliases.length === 0
+            ? `ACM certificate covers ${cloudFrontAliases.length} CloudFront alias(es) for ${options.environment}`
+            : `ACM certificate ${environmentConfig.certificateArn} does not cover these CloudFront aliases for ${options.environment}: ${uncoveredAliases.join(", ")}.`
+        });
+      } catch (error) {
+        checks.push({
+          name: "acm-certificate",
+          ok: false,
+          message: `Could not inspect ACM certificate ${environmentConfig.certificateArn}: ${error.message}`
+        });
+      }
+    }
   }
   return checks;