@restatedev/restate-cdk 0.4.2 → 0.8.0

package/test/__snapshots__/restate-constructs.test.ts.snap

@@ -0,0 +1,932 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Restate constructs Create a self-hosted Restate environment deployed on EC2 1`] = `
+"Resources:
+  RestateInstanceRoleACC59A6F:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: ec2.amazonaws.com
+        Version: '2012-10-17'
+      ManagedPolicyArns:
+        - 'Fn::Join':
+            - ''
+            - - 'arn:'
+              - Ref: 'AWS::Partition'
+              - ':iam::aws:policy/AmazonSSMManagedInstanceCore'
+  RestateInstanceRoleDefaultPolicyD1D39538:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - 'logs:CreateLogStream'
+              - 'logs:PutLogEvents'
+            Effect: Allow
+            Resource:
+              'Fn::GetAtt':
+                - RestateLogsFD86ECAE
+                - Arn
+        Version: '2012-10-17'
+      PolicyName: RestateInstanceRoleDefaultPolicyD1D39538
+      Roles:
+        - Ref: RestateInstanceRoleACC59A6F
+  RestateLogsFD86ECAE:
+    Type: 'AWS::Logs::LogGroup'
+    Properties:
+      LogGroupName: /restate/Restate
+      RetentionInDays: 30
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+  RestateHostInstanceSecurityGroup471D630B:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: RestateOnFargateStack/Restate/Host/InstanceSecurityGroup
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: '-1'
+      Tags:
+        - Key: Name
+          Value: RestateOnFargateStack/Restate/Host
+      VpcId: vpc-12345
+  RestateHostInstanceProfile14AE3AC8:
+    Type: 'AWS::IAM::InstanceProfile'
+    Properties:
+      Roles:
+        - Ref: RestateInstanceRoleACC59A6F
+  RestateHost1AC4F9D1:
+    Type: 'AWS::EC2::Instance'
+    Properties:
+      AvailabilityZone: dummy1a
+      IamInstanceProfile:
+        Ref: RestateHostInstanceProfile14AE3AC8
+      ImageId:
+        Ref: >-
+          SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
+      InstanceType: t4g.micro
+      SecurityGroupIds:
+        - 'Fn::GetAtt':
+            - RestateHostInstanceSecurityGroup471D630B
+            - GroupId
+        - 'Fn::GetAtt':
+            - RestateRestateSecurityGroup73273B13
+            - GroupId
+      SubnetId: s-12345
+      Tags:
+        - Key: Name
+          Value: RestateOnFargateStack/Restate/Host
+      UserData:
+        'Fn::Base64':
+          'Fn::Join':
+            - ''
+            - - >-
+                #!/bin/bash
+
+                yum update -y
+
+                yum install -y docker nginx
+
+                systemctl enable docker.service
+
+                systemctl start docker.service
+
+                docker run --name adot --restart unless-stopped --detach -p
+                4317:4317 -p 55680:55680 -p 8889:8888
+                public.ecr.aws/aws-observability/aws-otel-collector:latest
+
+                docker run --name restate --restart unless-stopped --detach
+                --volume /var/restate:/target --network=host -e
+                RESTATE_OBSERVABILITY__LOG__FORMAT=Json -e
+                RUST_LOG=info,restate_worker::partition=warn -e
+                RESTATE_OBSERVABILITY__TRACING__ENDPOINT=http://localhost:4317
+                --log-driver=awslogs --log-opt awslogs-group=
+              - Ref: RestateLogsFD86ECAE
+              - >2-
+                 docker.io/restatedev/restate:latest
+                mkdir -p /etc/pki/private
+
+                openssl req -new -x509 -nodes -sha256 -days 365 -extensions
+                v3_ca -subj
+                '/C=DE/ST=Berlin/L=Berlin/O=restate.dev/OU=demo/CN=restate.example.com'
+                -newkey rsa:2048 -keyout /etc/pki/private/restate-selfsigned.key
+                -out /etc/pki/private/restate-selfsigned.crt
+
+                cat << EOF > /etc/nginx/conf.d/restate-ingress.conf
+
+                server {
+                  listen 443 ssl http2;
+                  listen [::]:443 ssl http2;
+                  server_name _;
+                  root /usr/share/nginx/html;
+
+                  ssl_certificate "/etc/pki/private/restate-selfsigned.crt";
+                  ssl_certificate_key "/etc/pki/private/restate-selfsigned.key";
+                  ssl_session_cache shared:SSL:1m;
+                  ssl_session_timeout 10m;
+                  ssl_ciphers PROFILE=SYSTEM;
+                  ssl_prefer_server_ciphers on;
+
+                  location / {
+                    proxy_pass http://localhost:8080;
+                  }
+                }
+
+
+                server {
+                  listen 9073 ssl http2;
+                  listen [::]:9073 ssl http2;
+                  server_name _;
+                  root /usr/share/nginx/html;
+
+                  ssl_certificate "/etc/pki/private/restate-selfsigned.crt";
+                  ssl_certificate_key "/etc/pki/private/restate-selfsigned.key";
+                  ssl_session_cache shared:SSL:1m;
+                  ssl_session_timeout 10m;
+                  ssl_ciphers PROFILE=SYSTEM;
+                  ssl_prefer_server_ciphers on;
+
+                  location / {
+                    proxy_pass http://localhost:9070;
+                  }
+                }
+
+                EOF
+
+                systemctl enable nginx
+
+                systemctl start nginx
+    DependsOn:
+      - RestateInstanceRoleDefaultPolicyD1D39538
+      - RestateInstanceRoleACC59A6F
+  RestateRestateSecurityGroup73273B13:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: Restate service ACLs
+      GroupName: RestateSecurityGroup
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: '-1'
+      SecurityGroupIngress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow traffic from anywhere to Restate ingress port
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+        - CidrIp: 0.0.0.0/0
+          Description: Allow traffic from anywhere to Restate admin port
+          FromPort: 9073
+          IpProtocol: tcp
+          ToPort: 9073
+      VpcId: vpc-12345
+Parameters: Any<Object>
+"
+`;
+
+exports[`Restate constructs Create a self-hosted Restate environment deployed on ECS Fargate 1`] = `
+"Resources:
+  ZoneA5DE4B68:
+    Type: 'AWS::Route53::HostedZone'
+    Properties:
+      Name: example.com.
+  RestateDataStore0EBA6BBD:
+    Type: 'AWS::EFS::FileSystem'
+    Properties:
+      Encrypted: true
+      FileSystemPolicy:
+        Statement:
+          - Action: 'elasticfilesystem:ClientMount'
+            Condition:
+              Bool:
+                'elasticfilesystem:AccessedViaMountTarget': 'true'
+            Effect: Allow
+            Principal:
+              AWS: '*'
+            Sid: AllowEfsMount
+          - Action:
+              - 'elasticfilesystem:ClientWrite'
+              - 'elasticfilesystem:ClientRootAccess'
+            Condition:
+              Bool:
+                'elasticfilesystem:AccessedViaMountTarget': 'true'
+            Effect: Allow
+            Principal:
+              AWS: '*'
+        Version: '2012-10-17'
+      FileSystemTags:
+        - Key: Name
+          Value: RestateOnFargateStack/Restate/DataStore
+      LifecyclePolicies:
+        - TransitionToIA: AFTER_30_DAYS
+      PerformanceMode: generalPurpose
+      ThroughputMode: bursting
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+  RestateDataStoreEfsSecurityGroup9E142FDF:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: RestateOnFargateStack/Restate/DataStore/EfsSecurityGroup
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: '-1'
+      Tags:
+        - Key: Name
+          Value: RestateOnFargateStack/Restate/DataStore
+      VpcId: vpc-12345
+  RestateDataStoreEfsSecurityGroupfromRestateOnFargateStackRestateSecurityGroup716176472049806B116B:
+    Type: 'AWS::EC2::SecurityGroupIngress'
+    Properties:
+      Description: 'from RestateOnFargateStackRestateSecurityGroup71617647:2049'
+      FromPort: 2049
+      GroupId:
+        'Fn::GetAtt':
+          - RestateDataStoreEfsSecurityGroup9E142FDF
+          - GroupId
+      IpProtocol: tcp
+      SourceSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      ToPort: 2049
+  RestateDataStoreEfsMountTarget1FE8B299E:
+    Type: 'AWS::EFS::MountTarget'
+    Properties:
+      FileSystemId:
+        Ref: RestateDataStore0EBA6BBD
+      SecurityGroups:
+        - 'Fn::GetAtt':
+            - RestateDataStoreEfsSecurityGroup9E142FDF
+            - GroupId
+      SubnetId: p-12345
+  RestateDataStoreEfsMountTarget21C454C30:
+    Type: 'AWS::EFS::MountTarget'
+    Properties:
+      FileSystemId:
+        Ref: RestateDataStore0EBA6BBD
+      SecurityGroups:
+        - 'Fn::GetAtt':
+            - RestateDataStoreEfsSecurityGroup9E142FDF
+            - GroupId
+      SubnetId: p-67890
+  RestateCluster26F7C702:
+    Type: 'AWS::ECS::Cluster'
+  RestateRestateTaskTaskRole3425804E:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+        Version: '2012-10-17'
+  RestateRestateTaskTaskRoleDefaultPolicyD6897EE5:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Resource:
+              'Fn::GetAtt':
+                - RestateInvokerRole42565598
+                - Arn
+          - Action:
+              - 'elasticfilesystem:ClientMount'
+              - 'elasticfilesystem:ClientWrite'
+              - 'elasticfilesystem:ClientRootAccess'
+            Condition:
+              Bool:
+                'elasticfilesystem:AccessedViaMountTarget': 'true'
+            Effect: Allow
+            Resource:
+              'Fn::GetAtt':
+                - RestateDataStore0EBA6BBD
+                - Arn
+        Version: '2012-10-17'
+      PolicyName: RestateRestateTaskTaskRoleDefaultPolicyD6897EE5
+      Roles:
+        - Ref: RestateRestateTaskTaskRole3425804E
+  RestateRestateTask73B141AE:
+    Type: 'AWS::ECS::TaskDefinition'
+    Properties:
+      ContainerDefinitions:
+        - Environment:
+            - Name: RESTATE_OBSERVABILITY__LOG__FORMAT
+              Value: Json
+          Essential: true
+          Image: 'docker.io/restatedev/restate:latest'
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-group:
+                Ref: RestateLogsFD86ECAE
+              awslogs-stream-prefix: restate
+              awslogs-region: region
+          MountPoints:
+            - ContainerPath: /target
+              ReadOnly: false
+              SourceVolume: restateStore
+          Name: restate-runtime
+          PortMappings:
+            - ContainerPort: 8080
+              Protocol: tcp
+            - ContainerPort: 9070
+              Protocol: tcp
+          StartTimeout: 20
+          StopTimeout: 20
+      Cpu: '4096'
+      ExecutionRoleArn:
+        'Fn::GetAtt':
+          - RestateRestateTaskExecutionRole8ED5B0F9
+          - Arn
+      Family: RestateOnFargateStackRestateRestateTaskD92D0B67
+      Memory: '8192'
+      NetworkMode: awsvpc
+      RequiresCompatibilities:
+        - FARGATE
+      RuntimePlatform:
+        CpuArchitecture: ARM64
+        OperatingSystemFamily: LINUX
+      TaskRoleArn:
+        'Fn::GetAtt':
+          - RestateRestateTaskTaskRole3425804E
+          - Arn
+      Volumes:
+        - EFSVolumeConfiguration:
+            AuthorizationConfig: {}
+            FilesystemId:
+              Ref: RestateDataStore0EBA6BBD
+          Name: restateStore
+  RestateRestateTaskExecutionRole8ED5B0F9:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+        Version: '2012-10-17'
+  RestateRestateTaskExecutionRoleDefaultPolicy8E1BA931:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - 'logs:CreateLogStream'
+              - 'logs:PutLogEvents'
+            Effect: Allow
+            Resource:
+              'Fn::GetAtt':
+                - RestateLogsFD86ECAE
+                - Arn
+        Version: '2012-10-17'
+      PolicyName: RestateRestateTaskExecutionRoleDefaultPolicy8E1BA931
+      Roles:
+        - Ref: RestateRestateTaskExecutionRole8ED5B0F9
+  RestateTaskPolicy1A15994E:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Resource: '*'
+            Sid: AllowAssumeAnyRole
+        Version: '2012-10-17'
+      PolicyName: RestateTaskPolicy1A15994E
+      Roles:
+        - Ref: RestateRestateTaskTaskRole3425804E
+  RestateInvokerRole42565598:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              AWS:
+                'Fn::GetAtt':
+                  - RestateRestateTaskTaskRole3425804E
+                  - Arn
+        Version: '2012-10-17'
+      Description: Assumed by Restate deployment to invoke Lambda-based services
+  RestateLogsFD86ECAE:
+    Type: 'AWS::Logs::LogGroup'
+    Properties:
+      LogGroupName: /restate/Restate
+      RetentionInDays: 30
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+  RestateSecurityGroup51491232:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: RestateOnFargateStack/Restate/SecurityGroup
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: '-1'
+      VpcId: vpc-12345
+  RestateSecurityGroupfromRestateOnFargateStackRestateDataStoreEfsSecurityGroupD91B15E020498B6DB4D2:
+    Type: 'AWS::EC2::SecurityGroupIngress'
+    Properties:
+      Description: 'from RestateOnFargateStackRestateDataStoreEfsSecurityGroupD91B15E0:2049'
+      FromPort: 2049
+      GroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      IpProtocol: tcp
+      SourceSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateDataStoreEfsSecurityGroup9E142FDF
+          - GroupId
+      ToPort: 2049
+  RestateSecurityGroupfromRestateOnFargateStackRestateAlbSecurityGroup0956EE2980803FA00CFA:
+    Type: 'AWS::EC2::SecurityGroupIngress'
+    Properties:
+      Description: Load balancer to target
+      FromPort: 8080
+      GroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      IpProtocol: tcp
+      SourceSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateAlbSecurityGroupFAAA5CAC
+          - GroupId
+      ToPort: 8080
+  RestateSecurityGroupfromRestateOnFargateStackRestateAlbSecurityGroup0956EE299070AC228309:
+    Type: 'AWS::EC2::SecurityGroupIngress'
+    Properties:
+      Description: Load balancer to target
+      FromPort: 9070
+      GroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      IpProtocol: tcp
+      SourceSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateAlbSecurityGroupFAAA5CAC
+          - GroupId
+      ToPort: 9070
+  RestateService6A740A49:
+    Type: 'AWS::ECS::Service'
+    Properties:
+      Cluster:
+        Ref: RestateCluster26F7C702
+      DeploymentConfiguration:
+        Alarms:
+          AlarmNames: []
+          Enable: false
+          Rollback: false
+        DeploymentCircuitBreaker:
+          Enable: true
+          Rollback: true
+        MaximumPercent: 100
+        MinimumHealthyPercent: 0
+      DeploymentController:
+        Type: ECS
+      EnableECSManagedTags: false
+      HealthCheckGracePeriodSeconds: 60
+      LaunchType: FARGATE
+      LoadBalancers:
+        - ContainerName: restate-runtime
+          ContainerPort: 8080
+          TargetGroupArn:
+            Ref: RestateAlbIngressListenerFargateIngressTargetGroupF8DA5188
+        - ContainerName: restate-runtime
+          ContainerPort: 9070
+          TargetGroupArn:
+            Ref: RestateAlbAdminListenerFargateAdminTargetGroupB830BB5A
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: ENABLED
+          SecurityGroups:
+            - 'Fn::GetAtt':
+                - RestateSecurityGroup51491232
+                - GroupId
+          Subnets:
+            - s-12345
+            - s-67890
+      TaskDefinition:
+        Ref: RestateRestateTask73B141AE
+    DependsOn:
+      - RestateAlbAdminListenerFargateAdminTargetGroupB830BB5A
+      - RestateAlbAdminListenerDEA13626
+      - RestateAlbIngressListenerFargateIngressTargetGroupF8DA5188
+      - RestateAlbIngressListener7C1FE52C
+      - RestateRestateTaskTaskRoleDefaultPolicyD6897EE5
+      - RestateRestateTaskTaskRole3425804E
+  RestateAlbDE422F47:
+    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+    Properties:
+      LoadBalancerAttributes:
+        - Key: deletion_protection.enabled
+          Value: 'false'
+      Scheme: internal
+      SecurityGroups:
+        - 'Fn::GetAtt':
+            - RestateAlbSecurityGroupFAAA5CAC
+            - GroupId
+      Subnets:
+        - p-12345
+        - p-67890
+      Type: application
+  RestateAlbSecurityGroupFAAA5CAC:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: >-
+        Automatically created Security Group for ELB
+        RestateOnFargateStackRestateAlb82A45EC3
+      SecurityGroupIngress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow from anyone on port 443
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+        - CidrIp: 0.0.0.0/0
+          Description: Allow from anyone on port 9070
+          FromPort: 9070
+          IpProtocol: tcp
+          ToPort: 9070
+      VpcId: vpc-12345
+  RestateAlbSecurityGrouptoRestateOnFargateStackRestateSecurityGroup7161764780809AF9E3CE:
+    Type: 'AWS::EC2::SecurityGroupEgress'
+    Properties:
+      Description: Load balancer to target
+      DestinationSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      FromPort: 8080
+      GroupId:
+        'Fn::GetAtt':
+          - RestateAlbSecurityGroupFAAA5CAC
+          - GroupId
+      IpProtocol: tcp
+      ToPort: 8080
+  RestateAlbSecurityGrouptoRestateOnFargateStackRestateSecurityGroup716176479070A56BC36B:
+    Type: 'AWS::EC2::SecurityGroupEgress'
+    Properties:
+      Description: Load balancer to target
+      DestinationSecurityGroupId:
+        'Fn::GetAtt':
+          - RestateSecurityGroup51491232
+          - GroupId
+      FromPort: 9070
+      GroupId:
+        'Fn::GetAtt':
+          - RestateAlbSecurityGroupFAAA5CAC
+          - GroupId
+      IpProtocol: tcp
+      ToPort: 9070
+  RestateAlbIngressListener7C1FE52C:
+    Type: 'AWS::ElasticLoadBalancingV2::Listener'
+    Properties:
+      Certificates:
+        - CertificateArn:
+            Ref: RestateCertificateD6532EB8
+      DefaultActions:
+        - TargetGroupArn:
+            Ref: RestateAlbIngressListenerFargateIngressTargetGroupF8DA5188
+          Type: forward
+      LoadBalancerArn:
+        Ref: RestateAlbDE422F47
+      Port: 443
+      Protocol: HTTPS
+  RestateAlbIngressListenerFargateIngressTargetGroupF8DA5188:
+    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
+    Properties:
+      HealthCheckIntervalSeconds: 5
+      HealthCheckPath: /grpc.health.v1.Health/Check
+      HealthCheckTimeoutSeconds: 2
+      HealthyThresholdCount: 3
+      Port: 80
+      Protocol: HTTP
+      TargetGroupAttributes:
+        - Key: deregistration_delay.timeout_seconds
+          Value: '5'
+        - Key: stickiness.enabled
+          Value: 'false'
+      TargetType: ip
+      UnhealthyThresholdCount: 3
+      VpcId: vpc-12345
+  RestateAlbAdminListenerDEA13626:
+    Type: 'AWS::ElasticLoadBalancingV2::Listener'
+    Properties:
+      Certificates:
+        - CertificateArn:
+            Ref: RestateCertificateD6532EB8
+      DefaultActions:
+        - TargetGroupArn:
+            Ref: RestateAlbAdminListenerFargateAdminTargetGroupB830BB5A
+          Type: forward
+      LoadBalancerArn:
+        Ref: RestateAlbDE422F47
+      Port: 9070
+      Protocol: HTTPS
+  RestateAlbAdminListenerFargateAdminTargetGroupB830BB5A:
+    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
+    Properties:
+      HealthCheckIntervalSeconds: 5
+      HealthCheckPath: /health
+      HealthCheckTimeoutSeconds: 2
+      HealthyThresholdCount: 3
+      Port: 80
+      Protocol: HTTP
+      TargetGroupAttributes:
+        - Key: deregistration_delay.timeout_seconds
+          Value: '5'
+        - Key: stickiness.enabled
+          Value: 'false'
+      TargetType: ip
+      UnhealthyThresholdCount: 3
+      VpcId: vpc-12345
+  RestateCertificateD6532EB8:
+    Type: 'AWS::CertificateManager::Certificate'
+    Properties:
+      DomainName: restate.example.com
+      DomainValidationOptions:
+        - DomainName: restate.example.com
+          HostedZoneId:
+            Ref: ZoneA5DE4B68
+      Tags:
+        - Key: Name
+          Value: RestateOnFargateStack/Restate/Certificate
+      ValidationMethod: DNS
+  RestateAlbAliasA12130FD:
+    Type: 'AWS::Route53::RecordSet'
+    Properties:
+      AliasTarget:
+        DNSName:
+          'Fn::Join':
+            - ''
+            - - dualstack.
+              - 'Fn::GetAtt':
+                  - RestateAlbDE422F47
+                  - DNSName
+        HostedZoneId:
+          'Fn::GetAtt':
+            - RestateAlbDE422F47
+            - CanonicalHostedZoneID
+      HostedZoneId:
+        Ref: ZoneA5DE4B68
+      Name: restate.example.com.
+      Type: A
+"
+`;
+
+exports[`Restate constructs Deploy a Lambda service handler to a remote Restate environment 1`] = `
+"Resources:
+  InvokerRole4DB2757E:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              AWS:
+                'Fn::Join':
+                  - ''
+                  - - 'arn:'
+                    - Ref: 'AWS::Partition'
+                    - ':iam::'
+                    - Ref: 'AWS::AccountId'
+                    - ':root'
+        Version: '2012-10-17'
+  InvokerRoleDefaultPolicy713FD858:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: 'lambda:InvokeFunction'
+            Effect: Allow
+            Resource:
+              - 'Fn::GetAtt':
+                  - RestateServiceHandler71409CD7
+                  - Arn
+              - 'Fn::Join':
+                  - ''
+                  - - 'Fn::GetAtt':
+                        - RestateServiceHandler71409CD7
+                        - Arn
+                    - ':*'
+        Version: '2012-10-17'
+      PolicyName: InvokerRoleDefaultPolicy713FD858
+      Roles:
+        - Ref: InvokerRole4DB2757E
+  RestateApiKey6463672F:
+    Type: 'AWS::SecretsManager::Secret'
+    Properties:
+      SecretString: api-key
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+  RestateServiceHandlerServiceRole07B26D05:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+        Version: '2012-10-17'
+      ManagedPolicyArns:
+        - 'Fn::Join':
+            - ''
+            - - 'arn:'
+              - Ref: 'AWS::Partition'
+              - ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+  RestateServiceHandler71409CD7:
+    Type: 'AWS::Lambda::Function'
+    Properties:
+      Code: Any<Object>
+      Handler: index.handler
+      Role:
+        'Fn::GetAtt':
+          - RestateServiceHandlerServiceRole07B26D05
+          - Arn
+      Runtime: nodejs18.x
+    DependsOn:
+      - RestateServiceHandlerServiceRole07B26D05
+  RestateServiceHandlerCurrentVersion40030E671fc2ba09c2d7b4ea8c6a3f8fee895a65:
+    Type: 'AWS::Lambda::Version'
+    Properties:
+      FunctionName:
+        Ref: RestateServiceHandler71409CD7
+  RestateServiceHandlerCurrentVersionRestateDeploymentE8F102EB:
+    Type: 'Custom::RestateServiceDeployment'
+    Properties:
+      ServiceToken:
+        'Fn::GetAtt':
+          - ServiceDeployerCustomResourceProviderframeworkonEvent528FE6C2
+          - Arn
+      servicePath: Service
+      adminUrl: 'https://restate.example.com:9070'
+      authTokenSecretArn:
+        Ref: RestateApiKey6463672F
+      serviceLambdaArn:
+        Ref: >-
+          RestateServiceHandlerCurrentVersion40030E671fc2ba09c2d7b4ea8c6a3f8fee895a65
+      invokeRoleArn:
+        'Fn::GetAtt':
+          - InvokerRole4DB2757E
+          - Arn
+      removalPolicy: retain
+      private: 'false'
+      insecure: 'false'
+    DependsOn:
+      - ServiceDeployerInvocationPolicyD09B639D
+    UpdateReplacePolicy: Delete
+    DeletionPolicy: Delete
+  ServiceDeployerEventHandlerServiceRoleF133584F:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+        Version: '2012-10-17'
+      ManagedPolicyArns:
+        - 'Fn::Join':
+            - ''
+            - - 'arn:'
+              - Ref: 'AWS::Partition'
+              - ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+  ServiceDeployerEventHandlerServiceRoleDefaultPolicyFE2DC3C9:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - 'secretsmanager:GetSecretValue'
+              - 'secretsmanager:DescribeSecret'
+            Effect: Allow
+            Resource:
+              Ref: RestateApiKey6463672F
+        Version: '2012-10-17'
+      PolicyName: ServiceDeployerEventHandlerServiceRoleDefaultPolicyFE2DC3C9
+      Roles:
+        - Ref: ServiceDeployerEventHandlerServiceRoleF133584F
+  ServiceDeployerEventHandler89EAD25F:
+    Type: 'AWS::Lambda::Function'
+    Properties:
+      Architectures:
+        - arm64
+      Code: Any<Object>
+      Description: Restate custom registration handler
+      Environment:
+        Variables:
+          NODE_OPTIONS: '--enable-source-maps'
+          AWS_NODEJS_CONNECTION_REUSE_ENABLED: '1'
+      Handler: index.handler
+      MemorySize: 128
+      Role:
+        'Fn::GetAtt':
+          - ServiceDeployerEventHandlerServiceRoleF133584F
+          - Arn
+      Runtime: nodejs18.x
+      Timeout: 180
+    DependsOn:
+      - ServiceDeployerEventHandlerServiceRoleDefaultPolicyFE2DC3C9
+      - ServiceDeployerEventHandlerServiceRoleF133584F
+  ServiceDeployerCustomResourceProviderframeworkonEventServiceRole865AFB0C:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+        Version: '2012-10-17'
+      ManagedPolicyArns:
+        - 'Fn::Join':
+            - ''
+            - - 'arn:'
+              - Ref: 'AWS::Partition'
+              - ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+  ServiceDeployerCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy740A65C9:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: 'lambda:InvokeFunction'
+            Effect: Allow
+            Resource:
+              - 'Fn::GetAtt':
+                  - ServiceDeployerEventHandler89EAD25F
+                  - Arn
+              - 'Fn::Join':
+                  - ''
+                  - - 'Fn::GetAtt':
+                        - ServiceDeployerEventHandler89EAD25F
+                        - Arn
+                    - ':*'
+        Version: '2012-10-17'
+      PolicyName: >-
+        ServiceDeployerCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy740A65C9
+      Roles:
+        - Ref: >-
+            ServiceDeployerCustomResourceProviderframeworkonEventServiceRole865AFB0C
+  ServiceDeployerCustomResourceProviderframeworkonEvent528FE6C2:
+    Type: 'AWS::Lambda::Function'
+    Properties:
+      Code: Any<Object>
+      Description: >-
+        AWS CDK resource provider framework - onEvent
+        (LambdaServiceDeployment/ServiceDeployer/CustomResourceProvider)
+      Environment:
+        Variables:
+          USER_ON_EVENT_FUNCTION_ARN:
+            'Fn::GetAtt':
+              - ServiceDeployerEventHandler89EAD25F
+              - Arn
+      Handler: framework.onEvent
+      Role:
+        'Fn::GetAtt':
+          - >-
+            ServiceDeployerCustomResourceProviderframeworkonEventServiceRole865AFB0C
+          - Arn
+      Runtime: nodejs18.x
+      Timeout: 900
+    DependsOn:
+      - >-
+        ServiceDeployerCustomResourceProviderframeworkonEventServiceRoleDefaultPolicy740A65C9
+      - ServiceDeployerCustomResourceProviderframeworkonEventServiceRole865AFB0C
+  ServiceDeployerInvocationPolicyD09B639D:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action: 'lambda:InvokeFunction'
+            Effect: Allow
+            Resource:
+              - 'Fn::GetAtt':
+                  - RestateServiceHandler71409CD7
+                  - Arn
+              - 'Fn::Join':
+                  - ''
+                  - - 'Fn::GetAtt':
+                        - RestateServiceHandler71409CD7
+                        - Arn
+                    - ':*'
+        Version: '2012-10-17'
+      PolicyName: ServiceDeployerInvocationPolicyD09B639D
+      Roles:
+        - Ref: InvokerRole4DB2757E
+"
+`;