@resistdesign/voltra 0.0.0-alpha.0

package/src/iac/packs/auth/user-management.js

@@ -0,0 +1,302 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addUserManagement = void 0;
+const utils_1 = require("../../utils");
+exports.addUserManagement = (0, utils_1.createResourcePack)(({ id, authRoleName, unauthRoleName, domainName, hostedZoneId, sslCertificateArn, callbackUrls, logoutUrls, baseDomainRecordAliasTargetDNSName, apiGatewayRESTAPIId, apiStageName, }) => {
+    const apiRoleConfig = apiGatewayRESTAPIId && apiStageName
+        ? {
+            [`${id}IdentityPoolRoles`]: {
+                Type: "AWS::Cognito::IdentityPoolRoleAttachment",
+                Properties: {
+                    IdentityPoolId: {
+                        Ref: `${id}IdentityPool`,
+                    },
+                    Roles: {
+                        authenticated: {
+                            "Fn::GetAtt": [`${id}AuthRole`, "Arn"],
+                        },
+                        unauthenticated: {
+                            "Fn::GetAtt": [`${id}UnauthRole`, "Arn"],
+                        },
+                    },
+                },
+            },
+            [`${id}AuthRole`]: {
+                Type: "AWS::IAM::Role",
+                Properties: {
+                    RoleName: authRoleName,
+                    Path: "/",
+                    AssumeRolePolicyDocument: {
+                        Version: "2012-10-17",
+                        Statement: [
+                            {
+                                Effect: "Allow",
+                                Principal: {
+                                    Federated: "cognito-identity.amazonaws.com",
+                                },
+                                Action: ["sts:AssumeRoleWithWebIdentity"],
+                                Condition: {
+                                    StringEquals: {
+                                        "cognito-identity.amazonaws.com:aud": {
+                                            Ref: `${id}IdentityPool`,
+                                        },
+                                    },
+                                    "ForAnyValue:StringLike": {
+                                        "cognito-identity.amazonaws.com:amr": "authenticated",
+                                    },
+                                },
+                            },
+                        ],
+                    },
+                    Policies: [
+                        {
+                            PolicyName: "CognitoAuthorizedPolicy",
+                            PolicyDocument: {
+                                Version: "2012-10-17",
+                                Statement: [
+                                    {
+                                        Effect: "Allow",
+                                        Action: [
+                                            "mobileanalytics:PutEvents",
+                                            "cognito-sync:*",
+                                            "cognito-identity:*",
+                                        ],
+                                        Resource: "*",
+                                    },
+                                    {
+                                        Effect: "Allow",
+                                        Action: ["execute-api:Invoke"],
+                                        Resource: {
+                                            "Fn::Sub": [
+                                                "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
+                                                {
+                                                    Region: {
+                                                        Ref: "AWS::Region",
+                                                    },
+                                                    AccountId: {
+                                                        Ref: "AWS::AccountId",
+                                                    },
+                                                    APIID: apiGatewayRESTAPIId,
+                                                    StageName: apiStageName,
+                                                    HTTPVerb: "*",
+                                                },
+                                            ],
+                                        },
+                                    },
+                                ],
+                            },
+                        },
+                    ],
+                },
+            },
+            [`${id}UnauthRole`]: {
+                Type: "AWS::IAM::Role",
+                Properties: {
+                    RoleName: unauthRoleName,
+                    Path: "/",
+                    AssumeRolePolicyDocument: {
+                        Version: "2012-10-17",
+                        Statement: [
+                            {
+                                Effect: "Allow",
+                                Principal: {
+                                    Federated: "cognito-identity.amazonaws.com",
+                                },
+                                Action: ["sts:AssumeRoleWithWebIdentity"],
+                                Condition: {
+                                    StringEquals: {
+                                        "cognito-identity.amazonaws.com:aud": {
+                                            Ref: `${id}IdentityPool`,
+                                        },
+                                    },
+                                    "ForAnyValue:StringLike": {
+                                        "cognito-identity.amazonaws.com:amr": "unauthenticated",
+                                    },
+                                },
+                            },
+                        ],
+                    },
+                    Policies: [
+                        {
+                            PolicyName: "CognitoUnauthorizedPolicy",
+                            PolicyDocument: {
+                                Version: "2012-10-17",
+                                Statement: [
+                                    {
+                                        Effect: "Allow",
+                                        Action: [
+                                            "mobileanalytics:PutEvents",
+                                            "cognito-sync:*",
+                                            "cognito-identity:*",
+                                        ],
+                                        Resource: "*",
+                                    },
+                                ],
+                            },
+                        },
+                    ],
+                },
+            },
+        }
+        : {};
+    return {
+        Resources: {
+            [`${id}UserPool`]: {
+                Type: "AWS::Cognito::UserPool",
+                Properties: {
+                    UserPoolName: {
+                        "Fn::Sub": [`$\{AWS::StackName\}${id}UserPool`, {}],
+                    },
+                    AccountRecoverySetting: {
+                        RecoveryMechanisms: [
+                            {
+                                Name: "verified_email",
+                                Priority: 1,
+                            },
+                        ],
+                    },
+                    AdminCreateUserConfig: {
+                        AllowAdminCreateUserOnly: false,
+                        UnusedAccountValidityDays: 365,
+                    },
+                    AutoVerifiedAttributes: ["email"],
+                    AliasAttributes: ["phone_number", "email", "preferred_username"],
+                    Schema: [
+                        {
+                            Name: "email",
+                            Required: true,
+                            Mutable: true,
+                        },
+                        {
+                            Name: "given_name",
+                            Required: true,
+                            Mutable: true,
+                        },
+                        {
+                            Name: "family_name",
+                            Required: true,
+                            Mutable: true,
+                        },
+                        {
+                            Name: "phone_number",
+                            Required: true,
+                            Mutable: true,
+                        },
+                    ],
+                    DeviceConfiguration: {
+                        ChallengeRequiredOnNewDevice: true,
+                        DeviceOnlyRememberedOnUserPrompt: false,
+                    },
+                    UsernameConfiguration: {
+                        CaseSensitive: false,
+                    },
+                },
+            },
+            [`${id}BaseDomainRecord`]: !!baseDomainRecordAliasTargetDNSName
+                ? {
+                    Type: "AWS::Route53::RecordSet",
+                    DeletionPolicy: "Delete",
+                    Properties: {
+                        HostedZoneId: hostedZoneId,
+                        Type: "A",
+                        Name: domainName,
+                        AliasTarget: {
+                            HostedZoneId: "Z2FDTNDATAQYW2",
+                            DNSName: baseDomainRecordAliasTargetDNSName,
+                        },
+                    },
+                }
+                : undefined,
+            [`${id}UserPoolDomainRecord`]: {
+                Type: "AWS::Route53::RecordSet",
+                DeletionPolicy: "Delete",
+                Properties: {
+                    HostedZoneId: hostedZoneId,
+                    Type: "A",
+                    Name: {
+                        "Fn::Sub": [
+                            "auth.${BaseDomainName}",
+                            {
+                                BaseDomainName: domainName,
+                            },
+                        ],
+                    },
+                    AliasTarget: {
+                        HostedZoneId: "Z2FDTNDATAQYW2",
+                        DNSName: {
+                            "Fn::GetAtt": [`${id}UserPoolDomain`, "CloudFrontDistribution"],
+                        },
+                    },
+                },
+            },
+            [`${id}UserPoolDomain`]: {
+                Type: "AWS::Cognito::UserPoolDomain",
+                DependsOn: !!baseDomainRecordAliasTargetDNSName
+                    ? `${id}BaseDomainRecord`
+                    : undefined,
+                Properties: {
+                    Domain: {
+                        "Fn::Sub": [
+                            "auth.${BaseDomainName}",
+                            {
+                                BaseDomainName: domainName,
+                            },
+                        ],
+                    },
+                    UserPoolId: {
+                        Ref: `${id}UserPool`,
+                    },
+                    CustomDomainConfig: {
+                        CertificateArn: sslCertificateArn,
+                    },
+                },
+            },
+            [`${id}UserPoolClient`]: {
+                Type: "AWS::Cognito::UserPoolClient",
+                Properties: {
+                    ClientName: {
+                        "Fn::Sub": [`$\{AWS::StackName\}${id}UserPoolClient`, {}],
+                    },
+                    UserPoolId: {
+                        Ref: `${id}UserPool`,
+                    },
+                    AllowedOAuthFlowsUserPoolClient: true,
+                    AllowedOAuthFlows: ["code", "implicit"],
+                    AllowedOAuthScopes: [
+                        "openid",
+                        "email",
+                        "phone",
+                        "profile",
+                        "aws.cognito.signin.user.admin",
+                    ],
+                    CallbackURLs: callbackUrls,
+                    LogoutURLs: logoutUrls,
+                    EnableTokenRevocation: true,
+                    PreventUserExistenceErrors: "ENABLED",
+                    SupportedIdentityProviders: ["COGNITO"],
+                },
+            },
+            [`${id}IdentityPool`]: {
+                Type: "AWS::Cognito::IdentityPool",
+                Properties: {
+                    IdentityPoolName: {
+                        "Fn::Sub": [`$\{AWS::StackName\}${id}IdentityPool`, {}],
+                    },
+                    AllowUnauthenticatedIdentities: false,
+                    CognitoIdentityProviders: [
+                        {
+                            ClientId: {
+                                Ref: `${id}UserPoolClient`,
+                            },
+                            ProviderName: {
+                                "Fn::GetAtt": [`${id}UserPool`, "ProviderName"],
+                            },
+                            ServerSideTokenCheck: true,
+                        },
+                    ],
+                },
+            },
+            ...apiRoleConfig,
+        },
+    };
+});

package/src/iac/packs/auth.d.ts

@@ -0,0 +1,19 @@
+export type AddAuthConfig = {
+    userManagementId: string;
+    authRoleName: string;
+    unauthRoleName: string;
+    hostedZoneIdParameterName: string;
+    domainNameParameterName: string;
+    sslCertificateId: string;
+    mainCDNCloudFrontId: string;
+    apiCloudFunctionGatewayId: string;
+    apiStageName: string;
+    adminGroupId: string;
+    userManagementAdminGroupName: string;
+    callbackUrls: any[];
+    logoutUrls: any[];
+};
+/**
+ * Add a user management system.
+ * */
+export declare const addAuth: import("../utils").ResourcePackApplier<AddAuthConfig>;

package/src/iac/packs/auth.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addAuth = void 0;
+const user_management_1 = require("./auth/user-management");
+const utils_1 = require("../utils");
+const SimpleCFT_1 = require("../SimpleCFT");
+/**
+ * Add a user management system.
+ * */
+exports.addAuth = (0, utils_1.createResourcePack)(({ userManagementId, authRoleName, unauthRoleName, hostedZoneIdParameterName, domainNameParameterName, sslCertificateId, callbackUrls, logoutUrls, mainCDNCloudFrontId, apiCloudFunctionGatewayId, apiStageName, adminGroupId, userManagementAdminGroupName, }) => new SimpleCFT_1.SimpleCFT()
+    .applyPack(user_management_1.addUserManagement, {
+    id: userManagementId,
+    authRoleName,
+    unauthRoleName,
+    domainName: {
+        Ref: domainNameParameterName,
+    },
+    hostedZoneId: {
+        Ref: hostedZoneIdParameterName,
+    },
+    sslCertificateArn: {
+        Ref: sslCertificateId,
+    },
+    callbackUrls: callbackUrls,
+    logoutUrls: logoutUrls,
+    baseDomainRecordAliasTargetDNSName: {
+        "Fn::GetAtt": [mainCDNCloudFrontId, "DomainName"],
+    },
+    apiGatewayRESTAPIId: {
+        Ref: apiCloudFunctionGatewayId,
+    },
+    apiStageName,
+})
+    .patch({
+    Resources: {
+        [adminGroupId]: {
+            Type: "AWS::Cognito::UserPoolGroup",
+            Properties: {
+                GroupName: userManagementAdminGroupName,
+                UserPoolId: {
+                    Ref: `${userManagementId}UserPool`,
+                },
+                Description: "Application admin group.",
+            },
+        },
+    },
+}).template);

package/src/iac/packs/build/utils.d.ts

@@ -0,0 +1,100 @@
+export type AtLeastOne<T, U = {
+    [K in keyof T]: Pick<T, K>;
+}> = Partial<T> & U[keyof U];
+export declare const COMMAND_HELPERS: {
+    updateFunction: ({ cloudFunctionArn, codeZipFilePath, }: {
+        cloudFunctionArn: string;
+        codeZipFilePath: string;
+    }) => string;
+    copyDirectoryToS3: ({ s3Domain, directoryPath, }: {
+        s3Domain: string;
+        directoryPath: string;
+    }) => string;
+    cloudFrontInvalidation: ({ cloudFrontDistributionId, pathsToInvalidate, }: {
+        cloudFrontDistributionId: string;
+        pathsToInvalidate?: string[];
+    }) => string;
+    addNPMTokenWithNPMRC: ({ npmToken }: {
+        npmToken: string;
+    }) => string;
+};
+export type LinuxUserNameString = string;
+export type YesOrNo = "yes" | "no";
+export interface Env {
+    shell?: "bash" | "/bin/sh" | "powershell.exe" | "cmd.exe" | string;
+    variables?: Record<string, string>;
+    "parameter-store"?: Record<string, string>;
+    "exported-variables"?: string[];
+    "secrets-manager"?: Record<string, `${string}:${string}:${string}:${string}`>;
+    "git-credential-helper"?: YesOrNo;
+}
+export interface Proxy {
+    "upload-artifacts"?: YesOrNo;
+    logs?: YesOrNo;
+}
+export interface Batch {
+    "fast-fail"?: boolean;
+    "build-list"?: any;
+    "build-matrix"?: any;
+    "build-graph"?: any;
+    [key: string]: any;
+}
+export interface Phase {
+    "runtime-versions"?: Record<string, any>;
+    "run-as"?: LinuxUserNameString;
+    "on-failure"?: "ABORT" | "CONTINUE";
+    commands: string[];
+    finally?: string[];
+}
+export type PhaseConfig = AtLeastOne<{
+    install: Phase;
+    pre_build: Phase;
+    build: Phase;
+    post_build: Phase;
+}>;
+export interface ReportGroupNameOrArn {
+    files?: string[];
+    "base-directory"?: string;
+    "discard-paths"?: string;
+    "file-format"?: string;
+}
+export interface Reports {
+    "report-group-name-or-arn"?: ReportGroupNameOrArn;
+}
+export interface ArtifactIdentifier {
+    files?: string[];
+    name?: string;
+    "discard-paths"?: string;
+    "base-directory"?: string;
+}
+export interface SecondaryArtifacts {
+    artifactIdentifier?: ArtifactIdentifier;
+}
+export interface Artifacts {
+    files?: string[];
+    name?: string;
+    "discard-paths"?: string;
+    "base-directory"?: string;
+    "exclude-paths"?: string;
+    "enable-symlinks"?: string;
+    "s3-prefix"?: string;
+    "secondary-artifacts"?: SecondaryArtifacts;
+}
+export interface Cache {
+    paths?: string[];
+}
+export interface BuildSpec {
+    version?: number;
+    "run-as"?: LinuxUserNameString;
+    env?: Env;
+    proxy?: Proxy;
+    batch?: Batch;
+    phases: PhaseConfig;
+    reports?: Reports;
+    artifacts?: Artifacts;
+    cache?: Cache;
+}
+/**
+ * Create a build spec for a build pipeline (CI/CD).
+ * */
+export declare const createBuildSpec: ({ version, phases }: BuildSpec) => string;

package/src/iac/packs/build/utils.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBuildSpec = exports.COMMAND_HELPERS = void 0;
+const yaml_1 = __importDefault(require("yaml"));
+exports.COMMAND_HELPERS = {
+    updateFunction: ({ cloudFunctionArn, codeZipFilePath, }) => `aws lambda update-function-code --function-name "${cloudFunctionArn}" --zip-file "fileb://${codeZipFilePath}"`,
+    copyDirectoryToS3: ({ s3Domain, directoryPath, }) => `aws s3 cp --recursive --acl public-read ${directoryPath} s3://${s3Domain}/`,
+    cloudFrontInvalidation: ({ cloudFrontDistributionId, pathsToInvalidate = ["/*"], }) => `aws cloudfront create-invalidation --distribution-id "${cloudFrontDistributionId}" --paths "${pathsToInvalidate.join('" "')}"`,
+    addNPMTokenWithNPMRC: ({ npmToken }) => `echo '//registry.npmjs.org/:_authToken=${npmToken}' > .npmrc`,
+};
+/**
+ * Create a build spec for a build pipeline (CI/CD).
+ * */
+const createBuildSpec = ({ version = 0.2, phases }) => yaml_1.default.stringify(
+// TRICKY: Removed all keys with a value of `undefined`.
+JSON.parse(JSON.stringify({
+    version,
+    phases,
+})));
+exports.createBuildSpec = createBuildSpec;

package/src/iac/packs/build.d.ts

@@ -0,0 +1,29 @@
+import { AWS } from "../types/IaCTypes";
+export declare const DEFAULT_BUILD_PIPELINE_REPO_PROVIDER = "GitHub";
+export type BuildPipelineRepoConfig = {
+    provider?: any;
+    owner: any;
+    repo: any;
+    branch: any;
+    oauthToken: any;
+};
+export type CustomCodeBuildString<T extends string> = T & {
+    __custom?: never;
+};
+export type CodeBuildEnvironmentType = "ARM_CONTAINER" | "LINUX_CONTAINER" | "LINUX_GPU_CONTAINER" | "WINDOWS_SERVER_2019_CONTAINER" | "WINDOWS_SERVER_2022_CONTAINER" | "LINUX_EC2" | "ARM_EC2" | "WINDOWS_EC2" | "MAC_ARM" | CustomCodeBuildString<string>;
+export type CodeBuildComputeType = "BUILD_GENERAL1_SMALL" | "BUILD_GENERAL1_MEDIUM" | "BUILD_GENERAL1_LARGE" | "BUILD_GENERAL1_2XLARGE" | "BUILD_GENERAL1_XLARGE" | CustomCodeBuildString<string>;
+export type AddBuildPipelineConfig = {
+    id: string;
+    buildSpec: any;
+    dependsOn?: string | string[];
+    environmentVariables?: AWS.CodeBuild.Project.EnvironmentVariable[];
+    timeoutInMinutes?: number;
+    environmentType?: CodeBuildEnvironmentType;
+    environmentComputeType?: CodeBuildComputeType;
+    environmentImage?: string;
+    repoConfig: BuildPipelineRepoConfig;
+};
+/**
+ * Add a build pipeline with full permissions.
+ */
+export declare const addBuildPipeline: import("../utils").ResourcePackApplier<AddBuildPipelineConfig>;