@stacksjs/ts-cloud-core 0.1.1
- package/LICENSE.md +21 -0
- package/README.md +321 -0
- package/package.json +31 -0
- package/src/advanced-features.test.ts +465 -0
- package/src/aws/cloudformation.ts +421 -0
- package/src/aws/cloudfront.ts +158 -0
- package/src/aws/credentials.test.ts +132 -0
- package/src/aws/credentials.ts +545 -0
- package/src/aws/index.ts +87 -0
- package/src/aws/s3.test.ts +188 -0
- package/src/aws/s3.ts +1088 -0
- package/src/aws/signature.test.ts +670 -0
- package/src/aws/signature.ts +1155 -0
- package/src/backup/disaster-recovery.test.ts +726 -0
- package/src/backup/disaster-recovery.ts +500 -0
- package/src/backup/index.ts +34 -0
- package/src/backup/manager.test.ts +498 -0
- package/src/backup/manager.ts +432 -0
- package/src/cicd/circleci.ts +430 -0
- package/src/cicd/github-actions.ts +424 -0
- package/src/cicd/gitlab-ci.ts +255 -0
- package/src/cicd/index.ts +8 -0
- package/src/cli/history.ts +396 -0
- package/src/cli/index.ts +10 -0
- package/src/cli/progress.ts +458 -0
- package/src/cli/repl.ts +454 -0
- package/src/cli/suggestions.ts +327 -0
- package/src/cli/table.test.ts +319 -0
- package/src/cli/table.ts +332 -0
- package/src/cloudformation/builder.test.ts +327 -0
- package/src/cloudformation/builder.ts +378 -0
- package/src/cloudformation/builders/api-gateway.ts +449 -0
- package/src/cloudformation/builders/cache.ts +334 -0
- package/src/cloudformation/builders/cdn.ts +278 -0
- package/src/cloudformation/builders/compute.ts +485 -0
- package/src/cloudformation/builders/database.ts +392 -0
- package/src/cloudformation/builders/functions.ts +343 -0
- package/src/cloudformation/builders/messaging.ts +140 -0
- package/src/cloudformation/builders/monitoring.ts +300 -0
- package/src/cloudformation/builders/network.ts +264 -0
- package/src/cloudformation/builders/queue.ts +147 -0
- package/src/cloudformation/builders/security.ts +399 -0
- package/src/cloudformation/builders/storage.ts +285 -0
- package/src/cloudformation/index.ts +30 -0
- package/src/cloudformation/types.ts +173 -0
- package/src/compliance/aws-config.ts +543 -0
- package/src/compliance/cloudtrail.ts +376 -0
- package/src/compliance/compliance.test.ts +423 -0
- package/src/compliance/guardduty.ts +446 -0
- package/src/compliance/index.ts +66 -0
- package/src/compliance/security-hub.ts +456 -0
- package/src/containers/build-optimization.ts +416 -0
- package/src/containers/containers.test.ts +508 -0
- package/src/containers/image-scanning.ts +360 -0
- package/src/containers/index.ts +9 -0
- package/src/containers/registry.ts +293 -0
- package/src/containers/service-mesh.ts +520 -0
- package/src/database/database.test.ts +762 -0
- package/src/database/index.ts +9 -0
- package/src/database/migrations.ts +444 -0
- package/src/database/performance.ts +528 -0
- package/src/database/replicas.ts +534 -0
- package/src/database/users.ts +494 -0
- package/src/dependency-graph.ts +143 -0
- package/src/deployment/ab-testing.ts +582 -0
- package/src/deployment/blue-green.ts +452 -0
- package/src/deployment/canary.ts +500 -0
- package/src/deployment/deployment.test.ts +526 -0
- package/src/deployment/index.ts +61 -0
- package/src/deployment/progressive.ts +62 -0
- package/src/dns/dns.test.ts +641 -0
- package/src/dns/dnssec.ts +315 -0
- package/src/dns/index.ts +8 -0
- package/src/dns/resolver.ts +496 -0
- package/src/dns/routing.ts +593 -0
- package/src/email/advanced/analytics.ts +445 -0
- package/src/email/advanced/index.ts +11 -0
- package/src/email/advanced/rules.ts +465 -0
- package/src/email/advanced/scheduling.ts +352 -0
- package/src/email/advanced/search.ts +412 -0
- package/src/email/advanced/shared-mailboxes.ts +404 -0
- package/src/email/advanced/templates.ts +455 -0
- package/src/email/advanced/threading.ts +281 -0
- package/src/email/analytics.ts +467 -0
- package/src/email/bounce-handling.ts +425 -0
- package/src/email/email.test.ts +431 -0
- package/src/email/handlers/__tests__/inbound.test.ts +38 -0
- package/src/email/handlers/__tests__/outbound.test.ts +37 -0
- package/src/email/handlers/converter.ts +227 -0
- package/src/email/handlers/feedback.ts +228 -0
- package/src/email/handlers/inbound.ts +169 -0
- package/src/email/handlers/outbound.ts +178 -0
- package/src/email/index.ts +15 -0
- package/src/email/reputation.ts +303 -0
- package/src/email/templates.ts +352 -0
- package/src/errors/index.test.ts +434 -0
- package/src/errors/index.ts +416 -0
- package/src/health-checks/index.ts +40 -0
- package/src/index.ts +360 -0
- package/src/intrinsic-functions.ts +118 -0
- package/src/lambda/concurrency.ts +330 -0
- package/src/lambda/destinations.ts +345 -0
- package/src/lambda/dlq.ts +425 -0
- package/src/lambda/index.ts +11 -0
- package/src/lambda/lambda.test.ts +840 -0
- package/src/lambda/layers.ts +263 -0
- package/src/lambda/versions.ts +376 -0
- package/src/lambda/vpc.ts +399 -0
- package/src/local/config.ts +114 -0
- package/src/local/index.ts +6 -0
- package/src/local/mock-aws.ts +351 -0
- package/src/modules/ai.ts +340 -0
- package/src/modules/api.ts +478 -0
- package/src/modules/auth.ts +805 -0
- package/src/modules/cache.ts +417 -0
- package/src/modules/cdn.ts +1062 -0
- package/src/modules/communication.ts +1094 -0
- package/src/modules/compute.ts +3348 -0
- package/src/modules/database.ts +554 -0
- package/src/modules/deployment.ts +1079 -0
- package/src/modules/dns.ts +337 -0
- package/src/modules/email.ts +1538 -0
- package/src/modules/filesystem.ts +515 -0
- package/src/modules/index.ts +32 -0
- package/src/modules/messaging.ts +486 -0
- package/src/modules/monitoring.ts +2086 -0
- package/src/modules/network.ts +664 -0
- package/src/modules/parameter-store.ts +325 -0
- package/src/modules/permissions.ts +1081 -0
- package/src/modules/phone.ts +494 -0
- package/src/modules/queue.ts +1260 -0
- package/src/modules/redirects.ts +464 -0
- package/src/modules/registry.ts +699 -0
- package/src/modules/search.ts +401 -0
- package/src/modules/secrets.ts +416 -0
- package/src/modules/security.ts +731 -0
- package/src/modules/sms.ts +389 -0
- package/src/modules/storage.ts +1120 -0
- package/src/modules/workflow.ts +680 -0
- package/src/multi-account/config.ts +521 -0
- package/src/multi-account/index.ts +7 -0
- package/src/multi-account/manager.ts +427 -0
- package/src/multi-region/cross-region.ts +410 -0
- package/src/multi-region/index.ts +8 -0
- package/src/multi-region/manager.ts +483 -0
- package/src/multi-region/regions.ts +435 -0
- package/src/network-security/index.ts +48 -0
- package/src/observability/index.ts +9 -0
- package/src/observability/logs.ts +522 -0
- package/src/observability/metrics.ts +460 -0
- package/src/observability/observability.test.ts +782 -0
- package/src/observability/synthetics.ts +568 -0
- package/src/observability/xray.ts +358 -0
- package/src/phone/advanced/analytics.ts +349 -0
- package/src/phone/advanced/callbacks.ts +428 -0
- package/src/phone/advanced/index.ts +8 -0
- package/src/phone/advanced/ivr-builder.ts +504 -0
- package/src/phone/advanced/recording.ts +310 -0
- package/src/phone/handlers/__tests__/incoming-call.test.ts +40 -0
- package/src/phone/handlers/incoming-call.ts +117 -0
- package/src/phone/handlers/missed-call.ts +116 -0
- package/src/phone/handlers/voicemail.ts +179 -0
- package/src/phone/index.ts +9 -0
- package/src/presets/api-backend.ts +134 -0
- package/src/presets/data-pipeline.ts +204 -0
- package/src/presets/extend.test.ts +295 -0
- package/src/presets/extend.ts +297 -0
- package/src/presets/fullstack-app.ts +144 -0
- package/src/presets/index.ts +27 -0
- package/src/presets/jamstack.ts +135 -0
- package/src/presets/microservices.ts +167 -0
- package/src/presets/ml-api.ts +208 -0
- package/src/presets/nodejs-server.ts +104 -0
- package/src/presets/nodejs-serverless.ts +114 -0
- package/src/presets/realtime-app.ts +184 -0
- package/src/presets/static-site.ts +64 -0
- package/src/presets/traditional-web-app.ts +339 -0
- package/src/presets/wordpress.ts +138 -0
- package/src/preview/github.test.ts +249 -0
- package/src/preview/github.ts +297 -0
- package/src/preview/index.ts +37 -0
- package/src/preview/manager.test.ts +440 -0
- package/src/preview/manager.ts +326 -0
- package/src/preview/notifications.test.ts +582 -0
- package/src/preview/notifications.ts +341 -0
- package/src/queue/batch-processing.ts +402 -0
- package/src/queue/dlq-monitoring.ts +402 -0
- package/src/queue/fifo.ts +342 -0
- package/src/queue/index.ts +9 -0
- package/src/queue/management.ts +428 -0
- package/src/queue/queue.test.ts +429 -0
- package/src/resource-mgmt/index.ts +39 -0
- package/src/resource-naming.ts +62 -0
- package/src/s3/index.ts +523 -0
- package/src/schema/cloud-config.schema.json +554 -0
- package/src/schema/index.ts +68 -0
- package/src/security/certificate-manager.ts +492 -0
- package/src/security/index.ts +9 -0
- package/src/security/scanning.ts +545 -0
- package/src/security/secrets-manager.ts +476 -0
- package/src/security/secrets-rotation.ts +456 -0
- package/src/security/security.test.ts +738 -0
- package/src/sms/advanced/ab-testing.ts +389 -0
- package/src/sms/advanced/analytics.ts +336 -0
- package/src/sms/advanced/campaigns.ts +523 -0
- package/src/sms/advanced/chatbot.ts +224 -0
- package/src/sms/advanced/index.ts +10 -0
- package/src/sms/advanced/link-tracking.ts +248 -0
- package/src/sms/advanced/mms.ts +308 -0
- package/src/sms/handlers/__tests__/send.test.ts +40 -0
- package/src/sms/handlers/delivery-status.ts +133 -0
- package/src/sms/handlers/receive.ts +162 -0
- package/src/sms/handlers/send.ts +174 -0
- package/src/sms/index.ts +9 -0
- package/src/stack-diff.ts +389 -0
- package/src/static-site/index.ts +85 -0
- package/src/template-builder.ts +110 -0
- package/src/template-validator.ts +574 -0
- package/src/utils/cache.ts +291 -0
- package/src/utils/diff.ts +269 -0
- package/src/utils/hash.ts +227 -0
- package/src/utils/index.ts +8 -0
- package/src/utils/parallel.ts +294 -0
- package/src/validators/credentials.test.ts +274 -0
- package/src/validators/credentials.ts +233 -0
- package/src/validators/quotas.test.ts +434 -0
- package/src/validators/quotas.ts +217 -0
- package/test/ai.test.ts +327 -0
- package/test/api.test.ts +511 -0
- package/test/auth.test.ts +632 -0
- package/test/cache.test.ts +406 -0
- package/test/cdn.test.ts +247 -0
- package/test/compute.test.ts +861 -0
- package/test/database.test.ts +523 -0
- package/test/deployment.test.ts +499 -0
- package/test/dns.test.ts +270 -0
- package/test/email.test.ts +439 -0
- package/test/filesystem.test.ts +382 -0
- package/test/integration.test.ts +350 -0
- package/test/messaging.test.ts +514 -0
- package/test/monitoring.test.ts +634 -0
- package/test/network.test.ts +425 -0
- package/test/permissions.test.ts +488 -0
- package/test/queue.test.ts +484 -0
- package/test/registry.test.ts +306 -0
- package/test/security.test.ts +462 -0
- package/test/storage.test.ts +463 -0
- package/test/template-validator.test.ts +559 -0
- package/test/workflow.test.ts +592 -0
- package/tsconfig.json +16 -0
- package/tsconfig.tsbuildinfo +1 -0
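--- /dev/null
+++ b/package/src/validators/credentials.test.ts
@@ -0,0 +1,274 @@
+/**
+ * Credential Validation Tests
+ */
+
+import { describe, expect, it, mock } from 'bun:test'
+import type { AWSCredentials } from '../aws/credentials'
+import {
+  validateCredentials,
+  checkIAMPermissions,
+  getRequiredPermissions,
+  suggestIAMPolicy,
+} from './credentials'
+
+describe('getRequiredPermissions', () => {
+  it('should always include CloudFormation permissions', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+    })
+
+    expect(permissions).toContain('cloudformation:CreateStack')
+    expect(permissions).toContain('cloudformation:UpdateStack')
+    expect(permissions).toContain('cloudformation:DeleteStack')
+    expect(permissions).toContain('cloudformation:DescribeStacks')
+  })
+
+  it('should always include IAM permissions', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+    })
+
+    expect(permissions).toContain('iam:CreateRole')
+    expect(permissions).toContain('iam:DeleteRole')
+    expect(permissions).toContain('iam:PassRole')
+  })
+
+  it('should include S3 permissions for storage config', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        storage: {
+          uploads: {},
+        },
+      },
+    })
+
+    expect(permissions).toContain('s3:CreateBucket')
+    expect(permissions).toContain('s3:DeleteBucket')
+    expect(permissions).toContain('s3:PutObject')
+    expect(permissions).toContain('s3:GetObject')
+  })
+
+  it('should include EC2 permissions for server compute', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        compute: {
+          server: {},
+        },
+      },
+    })
+
+    expect(permissions).toContain('ec2:RunInstances')
+    expect(permissions).toContain('ec2:TerminateInstances')
+    expect(permissions).toContain('autoscaling:CreateAutoScalingGroup')
+    expect(permissions).toContain('elasticloadbalancing:CreateLoadBalancer')
+  })
+
+  it('should include ECS permissions for Fargate compute', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        compute: {
+          fargate: {},
+        },
+      },
+    })
+
+    expect(permissions).toContain('ecs:CreateCluster')
+    expect(permissions).toContain('ecs:CreateService')
+    expect(permissions).toContain('ecs:RegisterTaskDefinition')
+  })
+
+  it('should include RDS permissions for database', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        database: {
+          postgres: {},
+        },
+      },
+    })
+
+    expect(permissions).toContain('rds:CreateDBInstance')
+    expect(permissions).toContain('rds:DeleteDBInstance')
+    expect(permissions).toContain('rds:ModifyDBInstance')
+  })
+
+  it('should include DynamoDB permissions for DynamoDB database', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        database: {
+          dynamodb: {},
+        },
+      },
+    })
+
+    expect(permissions).toContain('dynamodb:CreateTable')
+    expect(permissions).toContain('dynamodb:DeleteTable')
+    expect(permissions).toContain('dynamodb:UpdateTable')
+  })
+
+  it('should include Lambda permissions for functions', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        functions: {},
+      },
+    })
+
+    expect(permissions).toContain('lambda:CreateFunction')
+    expect(permissions).toContain('lambda:UpdateFunctionCode')
+  })
+
+  it('should include CloudFront permissions for CDN', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        cdn: {},
+      },
+    })
+
+    expect(permissions).toContain('cloudfront:CreateDistribution')
+    expect(permissions).toContain('cloudfront:UpdateDistribution')
+  })
+
+  it('should include VPC permissions for network config', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        network: {},
+      },
+    })
+
+    expect(permissions).toContain('ec2:CreateVpc')
+    expect(permissions).toContain('ec2:CreateSubnet')
+    expect(permissions).toContain('ec2:CreateSecurityGroup')
+  })
+
+  it('should return sorted permissions', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+    })
+
+    const sorted = [...permissions].sort()
+    expect(permissions).toEqual(sorted)
+  })
+
+  it('should return unique permissions', () => {
+    const permissions = getRequiredPermissions({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        storage: {
+          bucket1: {},
+          bucket2: {},
+        },
+      },
+    })
+
+    const unique = [...new Set(permissions)]
+    expect(permissions.length).toBe(unique.length)
+  })
+})
+
+describe('suggestIAMPolicy', () => {
+  it('should generate valid IAM policy JSON', () => {
+    const policy = suggestIAMPolicy({
+      project: { name: 'Test', slug: 'test' },
+    })
+
+    const parsed = JSON.parse(policy)
+    expect(parsed.Version).toBe('2012-10-17')
+    expect(parsed.Statement).toHaveLength(1)
+    expect(parsed.Statement[0].Effect).toBe('Allow')
+    expect(parsed.Statement[0].Resource).toBe('*')
+  })
+
+  it('should include all required permissions in policy', () => {
+    const policy = suggestIAMPolicy({
+      project: { name: 'Test', slug: 'test' },
+      infrastructure: {
+        storage: {},
+        compute: { server: {} },
+      },
+    })
+
+    const parsed = JSON.parse(policy)
+    expect(parsed.Statement[0].Action).toContain('cloudformation:CreateStack')
+    expect(parsed.Statement[0].Action).toContain('s3:CreateBucket')
+    expect(parsed.Statement[0].Action).toContain('ec2:RunInstances')
+  })
+
+  it('should be properly formatted', () => {
+    const policy = suggestIAMPolicy({
+      project: { name: 'Test', slug: 'test' },
+    })
+
+    // Should be pretty-printed
+    expect(policy).toContain('\n')
+    expect(policy).toContain(' ')
+  })
+})
+
+describe('checkIAMPermissions', () => {
+  it('should return allowed and denied permissions', async () => {
+    const credentials: AWSCredentials = {
+      accessKeyId: 'test',
+      secretAccessKey: 'test',
+      region: 'us-east-1',
+    }
+
+    const result = await checkIAMPermissions(credentials, [
+      'cloudformation:CreateStack',
+      's3:PutObject',
+    ])
+
+    expect(result).toHaveProperty('allowed')
+    expect(result).toHaveProperty('denied')
+    expect(Array.isArray(result.allowed)).toBe(true)
+    expect(Array.isArray(result.denied)).toBe(true)
+  })
+
+  it('should currently return all as allowed (TODO: implement)', async () => {
+    const credentials: AWSCredentials = {
+      accessKeyId: 'test',
+      secretAccessKey: 'test',
+      region: 'us-east-1',
+    }
+
+    const result = await checkIAMPermissions(credentials, [
+      'cloudformation:CreateStack',
+      's3:PutObject',
+    ])
+
+    // TODO: This will change when we implement actual IAM policy simulation
+    expect(result.allowed).toContain('cloudformation:CreateStack')
+    expect(result.allowed).toContain('s3:PutObject')
+    expect(result.denied).toEqual([])
+  })
+})
+
+describe('validateCredentials', () => {
+  it('should return validation result structure', async () => {
+    // This test validates the response structure without making real AWS calls
+    // The function will attempt validation with default profile which may or may not exist
+    try {
+      const result = await validateCredentials('default')
+
+      expect(result).toHaveProperty('valid')
+      expect(typeof result.valid).toBe('boolean')
+
+      if (result.valid) {
+        expect(result.accountId).toBeDefined()
+        expect(result.region).toBeDefined()
+      } else {
+        expect(result.error).toBeDefined()
+      }
+    } catch (error) {
+      // If validation throws, it means credentials are invalid or missing
+      // This is expected behavior in test environment
+      expect(error).toBeDefined()
+    }
+  })
+})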
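Review bot: The test at line 233 pins fail-open behaviour: it asserts that `checkIAMPermissions` puts every requested action in `allowed` and leaves `denied` as `[]`, so a green suite certifies a permission check that never contacts AWS, and the test must be rewritten the moment the TODO is done. Replace it with `it.todo('checkIAMPermissions: implement via IAM SimulatePrincipalPolicy')` and keep only the shape test at line 215. The `validateCredentials` test (line 253) calls `validateCredentials('default')`, which resolves whatever credentials the test host has and then calls STS, and its catch branch accepts any error, so the test cannot fail and may make a live call in CI despite the comment on line 254 saying otherwise. `mock` is imported on line 5 but unused — use bun's `mock.module('../aws/credentials', () => ({ resolveCredentials: ..., getAccountId: ... }))` to stub both functions and assert the `valid: true` result and the thrown `CredentialError` cases deterministically.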
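--- /dev/null
+++ b/package/src/validators/credentials.ts
@@ -0,0 +1,233 @@
+/**
+ * AWS Credentials Validation
+ * Validate credentials before deployment
+ */
+
+import type { AWSCredentials } from '../aws/credentials'
+import { resolveCredentials, getAccountId } from '../aws/credentials'
+import { CredentialError, DebugLogger } from '../errors'
+
+export interface CredentialValidationResult {
+  valid: boolean
+  accountId?: string
+  region?: string
+  error?: string
+}
+
+/**
+ * Validate AWS credentials
+ */
+export async function validateCredentials(
+  profile: string = 'default',
+): Promise<CredentialValidationResult> {
+  try {
+    DebugLogger.verbose('Resolving AWS credentials...')
+
+    // Resolve credentials
+    const credentials = await resolveCredentials(profile)
+
+    if (!credentials.accessKeyId || !credentials.secretAccessKey) {
+      throw new CredentialError(
+        'AWS credentials are incomplete',
+        'Ensure both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set',
+      )
+    }
+
+    DebugLogger.verbose('Credentials resolved successfully')
+    DebugLogger.debug('Access Key ID:', credentials.accessKeyId.substring(0, 8) + '...')
+
+    // Test credentials by getting caller identity
+    DebugLogger.verbose('Testing credentials with GetCallerIdentity...')
+
+    let accountId: string
+    try {
+      accountId = await getAccountId(credentials)
+      DebugLogger.verbose('Credentials are valid')
+      DebugLogger.debug('Account ID:', accountId)
+    }
+    catch (error) {
+      if (error instanceof Error) {
+        if (error.message.includes('InvalidClientTokenId')) {
+          throw new CredentialError(
+            'Invalid AWS access key ID',
+            'Check that your AWS_ACCESS_KEY_ID is correct',
+          )
+        }
+        else if (error.message.includes('SignatureDoesNotMatch')) {
+          throw new CredentialError(
+            'Invalid AWS secret access key',
+            'Check that your AWS_SECRET_ACCESS_KEY is correct',
+          )
+        }
+        else if (error.message.includes('ExpiredToken')) {
+          throw new CredentialError(
+            'AWS credentials have expired',
+            'Refresh your temporary credentials or use long-term credentials',
+          )
+        }
+        else {
+          throw new CredentialError(
+            `Failed to validate credentials: ${error.message}`,
+            'Verify your AWS credentials are correct and have the necessary permissions',
+          )
+        }
+      }
+      throw error
+    }
+
+    return {
+      valid: true,
+      accountId,
+      region: credentials.region,
+    }
+  }
+  catch (error) {
+    if (error instanceof CredentialError) {
+      throw error
+    }
+
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : 'Unknown error',
+    }
+  }
+}
+
+/**
+ * Check IAM permissions
+ */
+export async function checkIAMPermissions(
+  credentials: AWSCredentials,
+  requiredActions: string[],
+): Promise<{ allowed: string[], denied: string[] }> {
+  // TODO: Implement using IAM SimulatePrincipalPolicy API
+  // For now, return all as allowed
+  return {
+    allowed: requiredActions,
+    denied: [],
+  }
+}
+
+/**
+ * Get required IAM permissions for deployment
+ */
+export function getRequiredPermissions(config: any): string[] {
+  const permissions = new Set<string>([
+    // CloudFormation permissions (always required)
+    'cloudformation:CreateStack',
+    'cloudformation:UpdateStack',
+    'cloudformation:DeleteStack',
+    'cloudformation:DescribeStacks',
+    'cloudformation:DescribeStackEvents',
+    'cloudformation:GetTemplate',
+    'cloudformation:ListStacks',
+  ])
+
+  // Add permissions based on infrastructure config
+  if (config.infrastructure) {
+    if (config.infrastructure.storage) {
+      permissions.add('s3:CreateBucket')
+      permissions.add('s3:DeleteBucket')
+      permissions.add('s3:PutBucketPolicy')
+      permissions.add('s3:PutBucketVersioning')
+      permissions.add('s3:PutBucketEncryption')
+      permissions.add('s3:PutObject')
+      permissions.add('s3:GetObject')
+    }
+
+    if (config.infrastructure.compute) {
+      if (config.infrastructure.compute.server) {
+        permissions.add('ec2:RunInstances')
+        permissions.add('ec2:TerminateInstances')
+        permissions.add('ec2:DescribeInstances')
+        permissions.add('autoscaling:CreateAutoScalingGroup')
+        permissions.add('autoscaling:UpdateAutoScalingGroup')
+        permissions.add('autoscaling:DeleteAutoScalingGroup')
+        permissions.add('elasticloadbalancing:CreateLoadBalancer')
+        permissions.add('elasticloadbalancing:DeleteLoadBalancer')
+      }
+
+      if (config.infrastructure.compute.fargate) {
+        permissions.add('ecs:CreateCluster')
+        permissions.add('ecs:DeleteCluster')
+        permissions.add('ecs:CreateService')
+        permissions.add('ecs:UpdateService')
+        permissions.add('ecs:DeleteService')
+        permissions.add('ecs:RegisterTaskDefinition')
+      }
+    }
+
+    if (config.infrastructure.database) {
+      if (config.infrastructure.database.postgres || config.infrastructure.database.mysql) {
+        permissions.add('rds:CreateDBInstance')
+        permissions.add('rds:DeleteDBInstance')
+        permissions.add('rds:ModifyDBInstance')
+        permissions.add('rds:DescribeDBInstances')
+      }
+
+      if (config.infrastructure.database.dynamodb) {
+        permissions.add('dynamodb:CreateTable')
+        permissions.add('dynamodb:DeleteTable')
+        permissions.add('dynamodb:UpdateTable')
+        permissions.add('dynamodb:DescribeTable')
+      }
+    }
+
+    if (config.infrastructure.functions) {
+      permissions.add('lambda:CreateFunction')
+      permissions.add('lambda:DeleteFunction')
+      permissions.add('lambda:UpdateFunctionCode')
+      permissions.add('lambda:UpdateFunctionConfiguration')
+      permissions.add('lambda:AddPermission')
+    }
+
+    if (config.infrastructure.cdn) {
+      permissions.add('cloudfront:CreateDistribution')
+      permissions.add('cloudfront:UpdateDistribution')
+      permissions.add('cloudfront:DeleteDistribution')
+      permissions.add('cloudfront:GetDistribution')
+    }
+
+    if (config.infrastructure.network) {
+      permissions.add('ec2:CreateVpc')
+      permissions.add('ec2:DeleteVpc')
+      permissions.add('ec2:CreateSubnet')
+      permissions.add('ec2:DeleteSubnet')
+      permissions.add('ec2:CreateInternetGateway')
+      permissions.add('ec2:DeleteInternetGateway')
+      permissions.add('ec2:CreateNatGateway')
+      permissions.add('ec2:DeleteNatGateway')
+      permissions.add('ec2:CreateRouteTable')
+      permissions.add('ec2:DeleteRouteTable')
+      permissions.add('ec2:CreateSecurityGroup')
+      permissions.add('ec2:DeleteSecurityGroup')
+    }
+  }
+
+  // IAM permissions (always required for creating roles)
+  permissions.add('iam:CreateRole')
+  permissions.add('iam:DeleteRole')
+  permissions.add('iam:AttachRolePolicy')
+  permissions.add('iam:DetachRolePolicy')
+  permissions.add('iam:PutRolePolicy')
+  permissions.add('iam:GetRole')
+  permissions.add('iam:PassRole')
+
+  return Array.from(permissions).sort()
+}
+
+/**
+ * Suggest IAM policy for deployment
+ */
+export function suggestIAMPolicy(config: any): string {
+  const permissions = getRequiredPermissions(config)
+
+  return JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{
+      Effect: 'Allow',
+      Action: permissions,
+      Resource: '*',
+    }],
+  }, null, 2)
+}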
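Review bot: `suggestIAMPolicy` (line 222) emits one `Allow` statement with `Resource: '*'` (line 230) whose action list always contains `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` (added unconditionally at lines 208–214); that combination on `*` is a standard privilege-escalation set — a principal holding it can create a role with any managed policy and pass it to Lambda, EC2 or ECS — so the "suggested" deployer policy is effectively account admin. Put the `iam:*` actions in their own statement scoped to the roles this stack creates (presumably named from `config.project.slug`; resource-naming.ts is not in view, so confirm the prefix) and consider an `iam:PassedToService` condition on `iam:PassRole`; the tests currently pin `Statement.length === 1` and `Resource === '*'` and would need updating. Separately, `checkIAMPermissions` (line 99) is a fail-open stub that reports every requested action as `allowed` without calling AWS, so any caller gating on `denied.length === 0` gets a false green; until SimulatePrincipalPolicy is wired in, at least emit `DebugLogger.verbose('IAM permission check not implemented; all actions reported as allowed')` and state in the JSDoc that the result is not authoritative.
```typescript
export function suggestIAMPolicy(config: any): string {
  const permissions = getRequiredPermissions(config)

  // iam:CreateRole + AttachRolePolicy/PutRolePolicy + PassRole on "*" lets the
  // deploying principal mint an admin role and hand it to any compute resource.
  // Scope the IAM actions to the roles this stack creates. The prefix below
  // assumes roles carry the project slug — confirm against resource-naming.ts.
  const slug = config.project?.slug ?? '*'
  const roleArn = `arn:aws:iam::*:role/${slug}-*`
  const iamActions = permissions.filter(p => p.startsWith('iam:'))
  const otherActions = permissions.filter(p => !p.startsWith('iam:'))

  return JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: otherActions, Resource: '*' },
      {
        Effect: 'Allow',
        Action: iamActions,
        Resource: roleArn,
        // TODO: add an iam:PassedToService condition for iam:PassRole
      },
    ],
  }, null, 2)
}
```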