@sembix/cli 0.1.0 → 1.0.2

package/README.md

@@ -22,6 +22,42 @@ A terminal-based CLI tool for managing Sembix products. An intuitive command-lin
   - `workflow` - Update GitHub Action workflows
 - **Deployment Repository** - A GitHub repository set up for Sembix Studio deployments
 
+## Deployment Process
+
+Sembix Studio uses a **two-phased deployment** process to establish secure cross-account access with the Sembix Hub:
+
+### Phase 1: Bootstrap & Initial Deployment
+
+1. **Create environment** - Run `sembix studio create` to configure your environment (Steps 1-8)
+   - Skip Hub integration initially (use `--skip-hub` or skip Step 9)
+   - Creates GitHub Actions environment with AWS configuration
+
+2. **Bootstrap deployment** - Run the GitHub Actions workflow
+   - Deploys initial Terraform infrastructure
+   - Creates IAM roles and resources in your AWS account
+   - Produces IAM ARNs needed for Hub integration
+
+3. **Coordinate with Sembix Support** - Send the IAM ARNs to Sembix support
+   - Sembix configures the Hub to trust your account
+   - Sembix provides Hub role ARNs back to you:
+     - Hub Engine Execution Role ARN
+     - Hub Consumer Role ARN
+     - Hub Admin Role ARN
+     - Hub AppConfig Role ARN (plus Application ID, Environment ID, Profile ID)
+
+### Phase 2: Hub Integration & Full Deployment
+
+4. **Add Hub integration** - Run `sembix studio add-hub` with ARNs from Sembix support
+   - Updates GitHub Actions environment with Hub role ARNs
+   - Configures cross-account access to Sembix Hub
+
+5. **Final deployment** - Run the GitHub Actions workflow again
+   - Completes full Sembix Studio deployment
+   - Enables Hub cross-account access
+   - Your Studio environment is now fully operational
+
+**Important:** Do not skip Phase 1. The Hub integration requires IAM resources created during the bootstrap deployment.
+
 ## Installation
 
 ### From npm (Recommended)
@@ -106,8 +142,25 @@ See [`config.example.yaml`](./config.example.yaml) for a complete configuration
 
 ### Quick Start
 
+For a complete deployment, follow the **two-phased process** (see [Deployment Process](#deployment-process) section above):
+
+```bash
+# PHASE 1: Bootstrap deployment
+sembix studio create --skip-hub
+# → Deploy via GitHub Actions
+# → Send IAM ARNs to Sembix support
+# → Receive Hub role ARNs from support
+
+# PHASE 2: Hub integration and full deployment
+sembix studio add-hub <environment>
+# → Deploy via GitHub Actions again
+# → Studio environment fully operational
+```
+
+**Alternative workflows:**
+
 ```bash
-# Fully interactive (beginner-friendly)
+# Fully interactive (prompts for all configuration)
 sembix studio create
 
 # Fast setup with config file
@@ -337,41 +390,105 @@ sembix studio list acme-corp/sembix-deployment
 sembix studio list acme/deploy --token ghp_custom_token
 ```
 
-### `sembix studio add-hub` [DEPRECATED]
+### `sembix studio add-hub`
 
-**⚠️ This command is deprecated.** Use `sembix studio update` instead.
+Add Sembix Hub integration to an existing Studio environment. **This is typically used in Phase 2 of the deployment process** after receiving Hub role ARNs from Sembix support.
 
-Hub integration is now part of the main `create` workflow (Step 9) and can be added/updated using the `update` command.
+**Syntax:**
+```bash
+sembix studio add-hub [environment] [options]
+```
+
+**Options:**
+- `-r, --repo <repo>` - Target repository (owner/repo format)
+- `-e, --env <environment>` - Environment name (alternative to positional argument)
+- `--hub-engine-execution-role <arn>` - Hub Engine Execution Role ARN (from Sembix support)
+- `--hub-consumer-role <arn>` - Hub Consumer Role ARN (from Sembix support)
+- `--hub-admin-role <arn>` - Hub Admin Role ARN (from Sembix support)
+- `--hub-appconfig-role <arn>` - Hub AppConfig Role ARN (from Sembix support)
+- `--hub-appconfig-app-id <id>` - Hub AppConfig Application ID (from Sembix support)
+- `--hub-appconfig-env-id <id>` - Hub AppConfig Environment ID (from Sembix support)
+- `--hub-appconfig-profile-id <id>` - Hub AppConfig Profile ID (from Sembix support)
+
+**Example:**
+```bash
+# Interactive mode (prompts for ARNs)
+sembix studio add-hub production --repo acme/deploy
+
+# With CLI flags (using ARNs from Sembix support)
+sembix studio add-hub production \
+  --repo acme/deploy \
+  --hub-engine-execution-role arn:aws:iam::999888777666:role/HubEngineRole \
+  --hub-consumer-role arn:aws:iam::999888777666:role/HubConsumerRole \
+  --hub-admin-role arn:aws:iam::999888777666:role/HubAdminRole \
+  --hub-appconfig-role arn:aws:iam::999888777666:role/HubAppConfigRole \
+  --hub-appconfig-app-id abc123 \
+  --hub-appconfig-env-id def456 \
+  --hub-appconfig-profile-id ghi789
+```
+
+**When to use this command:**
+
+- **Phase 2 deployment** (recommended): After completing Phase 1 bootstrap deployment and receiving Hub ARNs from Sembix support
+- **Alternative**: Hub integration can also be added during initial environment creation (Step 9 of `create`) if you already have the Hub ARNs
+- **Updates**: Use the `update` command to modify existing Hub configuration
+
+**Important:** The Hub role ARNs are provided by Sembix support after they configure the Hub to trust your AWS account. Do not use this command until you have received these ARNs.
 
 ## Workflow
 
-### Complete Setup Process
+### Two-Phased Deployment Process
 
 ```
+╔═══════════════════════════════════════════════════════════════════╗
+║                    PHASE 1: BOOTSTRAP DEPLOYMENT                  ║
+╚═══════════════════════════════════════════════════════════════════╝
+
 ┌─────────────────────────────────────────────────┐
-│  1. Run: sembix studio create                   │
+│  1. Create Environment (Skip Hub)               │
+│     sembix studio create --skip-hub             │
 │     • Configure environment (Steps 1-8)         │
-│     • Optionally configure Hub (Step 9)         │
-│     • Creates GitHub environment + secrets      │
+│     • Skip Hub integration (Step 9)             │
+│     • Creates GitHub Actions environment        │
 └─────────────────────────────────────────────────┘
                       ↓
 ┌─────────────────────────────────────────────────┐
-│  2. Deploy via GitHub Actions                   │
-│     • Go to repo → Actions                      │
-│     • Run deployment workflow                   │
-│     • Copy Hub ARNs from output (if needed)     │
+│  2. Bootstrap Deployment via GitHub Actions     │
+│     • Go to repo → Actions → Run workflow       │
+│     • Deploys initial Terraform infrastructure  │
+│     • Creates IAM roles in your AWS account     │
+│     • Copy IAM ARNs from deployment output      │
 └─────────────────────────────────────────────────┘
                       ↓
 ┌─────────────────────────────────────────────────┐
-│  3. Run: sembix studio update (if Hub skipped)  │
-│     • Add Hub role ARNs                         │
-│     • Add AppConfig configuration               │
+│  3. Coordinate with Sembix Support              │
+│     • Send IAM ARNs to Sembix support           │
+│     • Wait for Sembix to configure Hub          │
+│     • Receive Hub role ARNs from support:       │
+│       - Hub Engine Execution Role ARN           │
+│       - Hub Consumer Role ARN                   │
+│       - Hub Admin Role ARN                      │
+│       - Hub AppConfig Role ARN + IDs            │
+└─────────────────────────────────────────────────┘
+
+╔═══════════════════════════════════════════════════════════════════╗
+║              PHASE 2: HUB INTEGRATION & FULL DEPLOYMENT           ║
+╚═══════════════════════════════════════════════════════════════════╝
+
+┌─────────────────────────────────────────────────┐
+│  4. Add Hub Integration                         │
+│     sembix studio add-hub <environment>         │
+│     • Provide Hub role ARNs from support        │
+│     • Updates GitHub Actions environment        │
+│     • Configures cross-account access           │
 └─────────────────────────────────────────────────┘
                       ↓
 ┌─────────────────────────────────────────────────┐
-│  4. Deploy Again (with Hub integration)         │
-│     • Full Sembix Studio deployment             │
-│     • Cross-account access enabled              │
+│  5. Full Deployment via GitHub Actions          │
+│     • Go to repo → Actions → Run workflow       │
+│     • Completes full Sembix Studio deployment   │
+│     • Enables Hub cross-account access          │
+│     • ✅ Studio environment fully operational   │
 └─────────────────────────────────────────────────┘
 ```
 

package/dist/__tests__/config-schema.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config-schema.test.d.ts.map

package/dist/__tests__/config-schema.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-schema.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/config-schema.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/config-schema.test.js

@@ -0,0 +1,471 @@
+import { describe, it, expect } from 'vitest';
+import { configFileSchema } from '../config-schema.js';
+describe('config-schema', () => {
+    describe('configFileSchema - basic fields', () => {
+        it('should accept valid environment name', () => {
+            const config = { environmentName: 'production' };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept environment name with numbers and hyphens', () => {
+            const config = { environmentName: 'prod-env-123' };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject environment name with uppercase', () => {
+            const config = { environmentName: 'Production' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject environment name with underscores', () => {
+            const config = { environmentName: 'prod_env' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject environment name shorter than 3 characters', () => {
+            const config = { environmentName: 'ab' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid AWS account ID', () => {
+            const config = { awsAccountId: '123456789012' };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject AWS account ID with less than 12 digits', () => {
+            const config = { awsAccountId: '12345678901' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject AWS account ID with more than 12 digits', () => {
+            const config = { awsAccountId: '1234567890123' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject AWS account ID with letters', () => {
+            const config = { awsAccountId: '12345678901a' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid AWS region', () => {
+            const config = { awsRegion: 'us-east-1' };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid AWS region', () => {
+            const config = { awsRegion: 'invalid-region' };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - IAM role ARNs', () => {
+        it('should accept valid IAM role ARN', () => {
+            const config = {
+                customerRoleArn: 'arn:aws:iam::123456789012:role/MyRole',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept IAM role ARN with path', () => {
+            const config = {
+                customerRoleArn: 'arn:aws:iam::123456789012:role/path/to/MyRole',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid IAM role ARN format', () => {
+            const config = {
+                customerRoleArn: 'invalid-arn',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject IAM role ARN with wrong service', () => {
+            const config = {
+                customerRoleArn: 'arn:aws:s3::123456789012:role/MyRole',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - ACM certificate ARNs', () => {
+        it('should accept valid CloudFront certificate ARN', () => {
+            const config = {
+                tls: {
+                    cloudfrontCertArn: 'arn:aws:acm:us-east-1:123456789012:certificate/abc-123',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept valid ALB certificate ARN', () => {
+            const config = {
+                tls: {
+                    bffAlbCertificateArn: 'arn:aws:acm:us-west-2:123456789012:certificate/def-456',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid certificate ARN', () => {
+            const config = {
+                tls: {
+                    cloudfrontCertArn: 'invalid-cert-arn',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - Route53 hosted zone IDs', () => {
+        it('should accept valid hosted zone ID', () => {
+            const config = {
+                tls: {
+                    hostedZoneId: 'Z1234567890ABC',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject hosted zone ID not starting with Z', () => {
+            const config = {
+                tls: {
+                    hostedZoneId: 'A1234567890ABC',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject hosted zone ID with lowercase', () => {
+            const config = {
+                tls: {
+                    hostedZoneId: 'Z1234567890abc',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - VPC and networking', () => {
+        it('should accept valid VPC ID', () => {
+            const config = {
+                networking: {
+                    customVpcId: 'vpc-1234567890abcdef',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid VPC ID format', () => {
+            const config = {
+                networking: {
+                    customVpcId: 'invalid-vpc-id',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid CIDR block', () => {
+            const config = {
+                networking: {
+                    vpcCidr: '10.0.0.0/16',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid CIDR block', () => {
+            const config = {
+                networking: {
+                    vpcCidr: '10.0.0.0',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid subnet IDs', () => {
+            const config = {
+                networking: {
+                    customPublicSubnetIds: 'subnet-abc123,subnet-def456',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept single subnet ID', () => {
+            const config = {
+                networking: {
+                    customPrivateSubnetIds: 'subnet-abc123',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid subnet ID format', () => {
+            const config = {
+                networking: {
+                    customPublicSubnetIds: 'invalid-subnet',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid JSON array for subnet CIDRs', () => {
+            const config = {
+                networking: {
+                    publicSubnetCidrs: '["10.0.1.0/24", "10.0.2.0/24"]',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject non-JSON string for subnet CIDRs', () => {
+            const config = {
+                networking: {
+                    publicSubnetCidrs: '10.0.1.0/24, 10.0.2.0/24',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept valid AZ count', () => {
+            const config = {
+                networking: {
+                    azCount: '2',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid AZ count', () => {
+            const config = {
+                networking: {
+                    azCount: '4',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - security groups', () => {
+        it('should accept valid security group ID', () => {
+            const config = {
+                security: {
+                    customSecurityGroups: {
+                        aurora: 'sg-1234567890abcdef',
+                    },
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid security group ID', () => {
+            const config = {
+                security: {
+                    customSecurityGroups: {
+                        workflowEngine: 'invalid-sg',
+                    },
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should accept multiple security groups', () => {
+            const config = {
+                security: {
+                    customSecurityGroups: {
+                        aurora: 'sg-1234567890abcdef',
+                        rdsProxy: 'sg-1234567890abcdef',
+                        bffEcs: 'sg-1234567890abcdef',
+                    },
+                },
+            };
+            const result = configFileSchema.safeParse(config);
+            if (!result.success) {
+                console.log('Validation errors:', result.error.errors);
+            }
+            expect(result.success).toBe(true);
+        });
+    });
+    describe('configFileSchema - database', () => {
+        it('should accept valid database name', () => {
+            const config = {
+                database: {
+                    name: 'mydb',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept database name with underscores and numbers', () => {
+            const config = {
+                database: {
+                    name: 'my_db_123',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject database name starting with number', () => {
+            const config = {
+                database: {
+                    name: '123db',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject database name with hyphens', () => {
+            const config = {
+                database: {
+                    name: 'my-db',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - repository', () => {
+        it('should accept valid repository', () => {
+            const config = {
+                repository: {
+                    owner: 'my-org',
+                    repo: 'my-repo',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject repository with empty owner', () => {
+            const config = {
+                repository: {
+                    owner: '',
+                    repo: 'my-repo',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject repository with empty repo name', () => {
+            const config = {
+                repository: {
+                    owner: 'my-org',
+                    repo: '',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - feature flags', () => {
+        it('should accept boolean feature flags', () => {
+            const config = {
+                features: {
+                    deploySembixStudioMemory: true,
+                    deploySembixStudioNotifications: false,
+                    enableBffWaf: true,
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject non-boolean feature flags', () => {
+            const config = {
+                features: {
+                    deploySembixStudioMemory: 'yes',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - frontend', () => {
+        it('should accept valid frontend configuration', () => {
+            const config = {
+                frontend: {
+                    githubAppClientId: 'Iv1.abc123',
+                    githubAppName: 'my-github-app',
+                    jiraClientId: 'jira-client-123',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject empty GitHub App Client ID', () => {
+            const config = {
+                frontend: {
+                    githubAppClientId: '',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - hub configuration', () => {
+        it('should accept valid hub configuration', () => {
+            const config = {
+                hub: {
+                    hubRoles: {
+                        engineExecutionRole: 'arn:aws:iam::123456789012:role/hub-engine',
+                        consumerRole: 'arn:aws:iam::123456789012:role/hub-consumer',
+                    },
+                    appConfig: {
+                        roleArn: 'arn:aws:iam::123456789012:role/appconfig',
+                        appId: 'app-123',
+                        envId: 'env-456',
+                        profileId: 'profile-789',
+                    },
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject invalid hub role ARN', () => {
+            const config = {
+                hub: {
+                    hubRoles: {
+                        engineExecutionRole: 'invalid-arn',
+                    },
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - terraform state bucket', () => {
+        it('should accept valid S3 bucket name', () => {
+            const config = {
+                terraformStateBucket: 'my-terraform-state-bucket',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept S3 bucket name with numbers', () => {
+            const config = {
+                terraformStateBucket: 'my-bucket-123',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should reject S3 bucket name with uppercase', () => {
+            const config = {
+                terraformStateBucket: 'My-Bucket',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject S3 bucket name starting with hyphen', () => {
+            const config = {
+                terraformStateBucket: '-my-bucket',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+        it('should reject S3 bucket name ending with hyphen', () => {
+            const config = {
+                terraformStateBucket: 'my-bucket-',
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(false);
+        });
+    });
+    describe('configFileSchema - complete configuration', () => {
+        it('should accept complete valid configuration', () => {
+            const config = {
+                repository: {
+                    owner: 'sembix-ai',
+                    repo: 'sembix-studio',
+                },
+                environmentName: 'production',
+                awsAccountId: '123456789012',
+                awsRegion: 'us-east-1',
+                customerRoleArn: 'arn:aws:iam::123456789012:role/CustomerRole',
+                terraformStateBucket: 'my-terraform-state',
+                database: {
+                    name: 'studiodb',
+                    user: 'dbadmin',
+                },
+                networking: {
+                    enableVpcEndpoints: true,
+                    useCustomNetworking: false,
+                    vpcCidr: '10.0.0.0/16',
+                    azCount: '3',
+                },
+                security: {
+                    useCustomSecurityGroups: false,
+                    useCustomIamPolicies: false,
+                },
+                tls: {
+                    cloudfrontDomain: 'app.example.com',
+                    cloudfrontCertArn: 'arn:aws:acm:us-east-1:123456789012:certificate/abc',
+                    bffAlbCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/def',
+                    hostedZoneId: 'Z1234567890ABC',
+                },
+                features: {
+                    deploySembixStudioMemory: true,
+                    deploySembixStudioNotifications: true,
+                    enableBffWaf: false,
+                },
+                frontend: {
+                    githubAppClientId: 'Iv1.abc123',
+                    githubAppName: 'my-app',
+                    jiraClientId: 'jira-123',
+                },
+            };
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+        it('should accept empty configuration (all fields optional)', () => {
+            const config = {};
+            expect(configFileSchema.safeParse(config).success).toBe(true);
+        });
+    });
+});
+//# sourceMappingURL=config-schema.test.js.map