@stacksjs/ts-cloud-core 0.1.1

package/src/cloudformation/builders/security.ts

@@ -0,0 +1,399 @@
+import type { CloudFormationBuilder } from '../builder'
+import { Fn } from '../types'
+
+export interface SecurityConfig {
+  certificate?: {
+    domain: string
+    subdomains?: string[]
+    validationMethod?: 'DNS' | 'EMAIL'
+  }
+  waf?: {
+    enabled: boolean
+    rules?: string[]
+    rateLimit?: number
+    scope?: 'REGIONAL' | 'CLOUDFRONT'
+  }
+  securityGroups?: Record<string, {
+    ingress?: Array<{
+      port: number
+      protocol: string
+      cidr?: string
+      source?: string
+    }>
+    egress?: Array<{
+      port: number
+      protocol: string
+      cidr?: string
+    }>
+  }>
+}
+
+/**
+ * Add security resources (ACM certificates, WAF, security groups) to CloudFormation template
+ */
+export function addSecurityResources(
+  builder: CloudFormationBuilder,
+  config: SecurityConfig,
+): void {
+  // ACM Certificate
+  if (config.certificate) {
+    addCertificate(builder, config.certificate)
+  }
+
+  // WAF Web ACL
+  if (config.waf?.enabled) {
+    addWAF(builder, config.waf)
+  }
+
+  // Additional Security Groups
+  if (config.securityGroups) {
+    for (const [name, sgConfig] of Object.entries(config.securityGroups)) {
+      addSecurityGroup(builder, name, sgConfig)
+    }
+  }
+}
+
+/**
+ * Add ACM SSL/TLS Certificate
+ */
+function addCertificate(
+  builder: CloudFormationBuilder,
+  config: SecurityConfig['certificate'],
+): void {
+  if (!config) return
+
+  const domains = [config.domain]
+  if (config.subdomains) {
+    domains.push(...config.subdomains)
+  }
+
+  builder.addResource('Certificate', 'AWS::CertificateManager::Certificate', {
+    DomainName: config.domain,
+    SubjectAlternativeNames: config.subdomains,
+    ValidationMethod: config.validationMethod || 'DNS',
+    DomainValidationOptions: domains.map(domain => ({
+      DomainName: domain,
+      HostedZoneId: Fn.ref('HostedZone'),
+    })),
+    Tags: [
+      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-certificate`) },
+    ],
+  })
+
+  // Output
+  builder.addOutputs({
+    CertificateArn: {
+      Description: 'ACM Certificate ARN',
+      Value: Fn.ref('Certificate'),
+      Export: {
+        Name: Fn.sub('${AWS::StackName}-certificate-arn'),
+      },
+    },
+  })
+}
+
+/**
+ * Add AWS WAF Web ACL
+ */
+function addWAF(
+  builder: CloudFormationBuilder,
+  config: SecurityConfig['waf'],
+): void {
+  if (!config) return
+
+  const rules: any[] = []
+  const ruleNames = config.rules || ['rateLimit', 'sqlInjection', 'xss']
+
+  // Rate limiting rule
+  if (ruleNames.includes('rateLimit')) {
+    rules.push({
+      Name: 'RateLimitRule',
+      Priority: 1,
+      Statement: {
+        RateBasedStatement: {
+          Limit: config.rateLimit || 2000,
+          AggregateKeyType: 'IP',
+        },
+      },
+      Action: {
+        Block: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'RateLimitRule',
+      },
+    })
+  }
+
+  // AWS Managed Rules
+  let priority = rules.length + 1
+
+  if (ruleNames.includes('sqlInjection')) {
+    rules.push({
+      Name: 'AWSManagedRulesSQLi',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesSQLiRuleSet',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesSQLi',
+      },
+    })
+  }
+
+  if (ruleNames.includes('xss')) {
+    rules.push({
+      Name: 'AWSManagedRulesXSS',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesKnownBadInputsRuleSet',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesXSS',
+      },
+    })
+  }
+
+  if (ruleNames.includes('knownBadInputs')) {
+    rules.push({
+      Name: 'AWSManagedRulesKnownBadInputs',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesKnownBadInputsRuleSet',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesKnownBadInputs',
+      },
+    })
+  }
+
+  if (ruleNames.includes('coreRuleSet')) {
+    rules.push({
+      Name: 'AWSManagedRulesCoreRuleSet',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesCommonRuleSet',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesCoreRuleSet',
+      },
+    })
+  }
+
+  if (ruleNames.includes('linuxRuleSet')) {
+    rules.push({
+      Name: 'AWSManagedRulesLinuxRuleSet',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesLinuxRuleSet',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesLinuxRuleSet',
+      },
+    })
+  }
+
+  if (ruleNames.includes('apiProtection')) {
+    rules.push({
+      Name: 'AWSManagedRulesAPIProtection',
+      Priority: priority++,
+      Statement: {
+        ManagedRuleGroupStatement: {
+          VendorName: 'AWS',
+          Name: 'AWSManagedRulesAmazonIpReputationList',
+        },
+      },
+      OverrideAction: {
+        None: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'AWSManagedRulesAPIProtection',
+      },
+    })
+  }
+
+  if (ruleNames.includes('geoBlock')) {
+    // Example: Block traffic from certain countries
+    rules.push({
+      Name: 'GeoBlockRule',
+      Priority: priority++,
+      Statement: {
+        GeoMatchStatement: {
+          CountryCodes: ['CN', 'RU'], // Example countries to block
+        },
+      },
+      Action: {
+        Block: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'GeoBlockRule',
+      },
+    })
+  }
+
+  if (ruleNames.includes('connectionLimit')) {
+    rules.push({
+      Name: 'ConnectionLimitRule',
+      Priority: priority++,
+      Statement: {
+        RateBasedStatement: {
+          Limit: 100,
+          AggregateKeyType: 'IP',
+        },
+      },
+      Action: {
+        Block: {},
+      },
+      VisibilityConfig: {
+        SampledRequestsEnabled: true,
+        CloudWatchMetricsEnabled: true,
+        MetricName: 'ConnectionLimitRule',
+      },
+    })
+  }
+
+  // Web ACL
+  builder.addResource('WebACL', 'AWS::WAFv2::WebACL', {
+    Name: Fn.sub('${AWS::StackName}-waf'),
+    Scope: config.scope || 'REGIONAL',
+    DefaultAction: {
+      Allow: {},
+    },
+    Rules: rules,
+    VisibilityConfig: {
+      SampledRequestsEnabled: true,
+      CloudWatchMetricsEnabled: true,
+      MetricName: Fn.sub('${AWS::StackName}-waf'),
+    },
+    Tags: [
+      { Key: 'Name', Value: Fn.sub('${AWS::StackName}-waf') },
+    ],
+  })
+
+  // Associate WAF with ALB (if exists)
+  if (builder.hasResource('LoadBalancer')) {
+    builder.addResource('WebACLAssociation', 'AWS::WAFv2::WebACLAssociation', {
+      ResourceArn: Fn.ref('LoadBalancer'),
+      WebACLArn: Fn.getAtt('WebACL', 'Arn'),
+    }, {
+      dependsOn: ['WebACL', 'LoadBalancer'],
+    })
+  }
+
+  // Output
+  builder.addOutputs({
+    WebACLId: {
+      Description: 'WAF Web ACL ID',
+      Value: Fn.ref('WebACL'),
+      Export: {
+        Name: Fn.sub('${AWS::StackName}-waf-id'),
+      },
+    },
+    WebACLArn: {
+      Description: 'WAF Web ACL ARN',
+      Value: Fn.getAtt('WebACL', 'Arn'),
+      Export: {
+        Name: Fn.sub('${AWS::StackName}-waf-arn'),
+      },
+    },
+  })
+}
+
+/**
+ * Add Security Group
+ */
+function addSecurityGroup(
+  builder: CloudFormationBuilder,
+  name: string,
+  config: NonNullable<SecurityConfig['securityGroups']>[string] | undefined,
+): void {
+  if (!config) return
+
+  const logicalId = builder.toLogicalId(`${name}-security-group`)
+
+  const ingressRules = config.ingress?.map((rule: NonNullable<NonNullable<SecurityConfig['securityGroups']>[string]['ingress']>[number]) => ({
+    IpProtocol: rule.protocol,
+    FromPort: rule.port,
+    ToPort: rule.port,
+    CidrIp: rule.cidr,
+    SourceSecurityGroupId: rule.source ? Fn.ref(rule.source) : undefined,
+  })) || []
+
+  const egressRules = config.egress?.map((rule: NonNullable<NonNullable<SecurityConfig['securityGroups']>[string]['egress']>[number]) => ({
+    IpProtocol: rule.protocol,
+    FromPort: rule.port,
+    ToPort: rule.port,
+    CidrIp: rule.cidr || '0.0.0.0/0',
+  })) || [{
+    IpProtocol: '-1',
+    CidrIp: '0.0.0.0/0',
+  }]
+
+  builder.addResource(logicalId, 'AWS::EC2::SecurityGroup', {
+    GroupDescription: `Security group for ${name}`,
+    VpcId: Fn.ref('VPC'),
+    SecurityGroupIngress: ingressRules,
+    SecurityGroupEgress: egressRules,
+    Tags: [
+      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${name}-sg`) },
+    ],
+  }, {
+    dependsOn: 'VPC',
+  })
+
+  // Output
+  builder.addOutputs({
+    [`${logicalId}Id`]: {
+      Description: `${name} security group ID`,
+      Value: Fn.ref(logicalId),
+      Export: {
+        Name: Fn.sub(`\${AWS::StackName}-${name}-sg-id`),
+      },
+    },
+  })
+}

package/src/cloudformation/builders/storage.ts

@@ -0,0 +1,285 @@
+import type { CloudFormationBuilder } from '../builder'
+import { Arn, Fn } from '../types'
+
+export interface StorageConfig {
+  [bucketName: string]: {
+    public?: boolean
+    versioning?: boolean
+    website?: boolean
+    encryption?: boolean
+    intelligentTiering?: boolean
+    cors?: Array<{
+      allowedOrigins: string[]
+      allowedMethods: string[]
+      allowedHeaders?: string[]
+      maxAge?: number
+    }>
+    lifecycleRules?: Array<{
+      id: string
+      enabled: boolean
+      expirationDays?: number
+      transitions?: Array<{
+        days: number
+        storageClass: 'STANDARD_IA' | 'ONEZONE_IA' | 'INTELLIGENT_TIERING' | 'GLACIER' | 'DEEP_ARCHIVE'
+      }>
+    }>
+    type?: 'efs'
+    performanceMode?: 'generalPurpose' | 'maxIO'
+    throughputMode?: 'bursting' | 'provisioned'
+    lifecyclePolicy?: {
+      transitionToIA?: number
+      transitionToPrimaryStorageClass?: number
+    }
+  }
+}
+
+/**
+ * Add S3 and EFS storage resources to CloudFormation template
+ */
+export function addStorageResources(
+  builder: CloudFormationBuilder,
+  config: StorageConfig,
+): void {
+  for (const [bucketName, bucketConfig] of Object.entries(config)) {
+    // Check if this is an EFS configuration
+    if (bucketConfig.type === 'efs') {
+      addEFSResource(builder, bucketName, bucketConfig)
+      continue
+    }
+
+    // Otherwise, create S3 bucket
+    addS3Bucket(builder, bucketName, bucketConfig)
+  }
+}
+
+/**
+ * Add S3 bucket resource
+ */
+function addS3Bucket(
+  builder: CloudFormationBuilder,
+  bucketName: string,
+  config: StorageConfig[string],
+): void {
+  const logicalId = builder.toLogicalId(`${bucketName}-bucket`)
+  const properties: Record<string, any> = {
+    BucketName: Fn.sub(`\${AWS::StackName}-${bucketName}`),
+    Tags: [
+      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${bucketName}`) },
+    ],
+  }
+
+  // Versioning
+  if (config.versioning) {
+    properties.VersioningConfiguration = {
+      Status: 'Enabled',
+    }
+  }
+
+  // Encryption
+  if (config.encryption) {
+    properties.BucketEncryption = {
+      ServerSideEncryptionConfiguration: [{
+        ServerSideEncryptionByDefault: {
+          SSEAlgorithm: 'AES256',
+        },
+      }],
+    }
+  }
+
+  // Public access
+  if (!config.public) {
+    properties.PublicAccessBlockConfiguration = {
+      BlockPublicAcls: true,
+      BlockPublicPolicy: true,
+      IgnorePublicAcls: true,
+      RestrictPublicBuckets: true,
+    }
+  }
+
+  // Website configuration
+  if (config.website) {
+    properties.WebsiteConfiguration = {
+      IndexDocument: 'index.html',
+      ErrorDocument: 'index.html', // For SPA routing
+    }
+  }
+
+  // CORS configuration
+  if (config.cors && config.cors.length > 0) {
+    properties.CorsConfiguration = {
+      CorsRules: config.cors.map(rule => ({
+        AllowedOrigins: rule.allowedOrigins,
+        AllowedMethods: rule.allowedMethods,
+        AllowedHeaders: rule.allowedHeaders || ['*'],
+        MaxAge: rule.maxAge || 3600,
+      })),
+    }
+  }
+
+  // Lifecycle rules
+  if (config.lifecycleRules && config.lifecycleRules.length > 0) {
+    properties.LifecycleConfiguration = {
+      Rules: config.lifecycleRules.map(rule => ({
+        Id: rule.id,
+        Status: rule.enabled ? 'Enabled' : 'Disabled',
+        ExpirationInDays: rule.expirationDays,
+        Transitions: rule.transitions?.map(t => ({
+          TransitionInDays: t.days,
+          StorageClass: t.storageClass,
+        })),
+      })),
+    }
+  }
+
+  // Intelligent tiering
+  if (config.intelligentTiering) {
+    properties.IntelligentTieringConfigurations = [{
+      Id: 'EntireBucket',
+      Status: 'Enabled',
+      Tierings: [
+        {
+          AccessTier: 'ARCHIVE_ACCESS',
+          Days: 90,
+        },
+        {
+          AccessTier: 'DEEP_ARCHIVE_ACCESS',
+          Days: 180,
+        },
+      ],
+    }]
+  }
+
+  builder.addResource(logicalId, 'AWS::S3::Bucket', properties, {
+    deletionPolicy: config.versioning ? 'Retain' : 'Delete',
+  })
+
+  // Bucket policy for public access if needed
+  if (config.public) {
+    builder.addResource(`${logicalId}Policy`, 'AWS::S3::BucketPolicy', {
+      Bucket: Fn.ref(logicalId),
+      PolicyDocument: {
+        Version: '2012-10-17',
+        Statement: [{
+          Sid: 'PublicReadGetObject',
+          Effect: 'Allow',
+          Principal: '*',
+          Action: 's3:GetObject',
+          Resource: Fn.join('', [Arn.s3Bucket(Fn.ref(logicalId) as any), '/*']),
+        }],
+      },
+    }, {
+      dependsOn: logicalId,
+    })
+  }
+
+  // Output bucket name and ARN
+  builder.addOutputs({
+    [`${logicalId}Name`]: {
+      Description: `${bucketName} bucket name`,
+      Value: Fn.ref(logicalId),
+      Export: {
+        Name: Fn.sub(`\${AWS::StackName}-${bucketName}-bucket`),
+      },
+    },
+    [`${logicalId}Arn`]: {
+      Description: `${bucketName} bucket ARN`,
+      Value: Fn.getAtt(logicalId, 'Arn'),
+      Export: {
+        Name: Fn.sub(`\${AWS::StackName}-${bucketName}-bucket-arn`),
+      },
+    },
+  })
+
+  if (config.website) {
+    builder.addOutputs({
+      [`${logicalId}WebsiteURL`]: {
+        Description: `${bucketName} website URL`,
+        Value: Fn.getAtt(logicalId, 'WebsiteURL'),
+      },
+    })
+  }
+}
+
+/**
+ * Add EFS file system resource
+ */
+function addEFSResource(
+  builder: CloudFormationBuilder,
+  name: string,
+  config: StorageConfig[string],
+): void {
+  const logicalId = builder.toLogicalId(`${name}-efs`)
+
+  // EFS File System
+  const properties: Record<string, any> = {
+    Encrypted: config.encryption !== false,
+    PerformanceMode: config.performanceMode || 'generalPurpose',
+    ThroughputMode: config.throughputMode || 'bursting',
+    FileSystemTags: [
+      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${name}`) },
+    ],
+  }
+
+  // Lifecycle policy
+  if (config.lifecyclePolicy) {
+    properties.LifecyclePolicies = []
+
+    if (config.lifecyclePolicy.transitionToIA) {
+      properties.LifecyclePolicies.push({
+        TransitionToIA: `AFTER_${config.lifecyclePolicy.transitionToIA}_DAYS`,
+      })
+    }
+
+    if (config.lifecyclePolicy.transitionToPrimaryStorageClass) {
+      properties.LifecyclePolicies.push({
+        TransitionToPrimaryStorageClass: 'AFTER_1_ACCESS',
+      })
+    }
+  }
+
+  builder.addResource(logicalId, 'AWS::EFS::FileSystem', properties, {
+    deletionPolicy: 'Retain',
+  })
+
+  // EFS Mount Targets (one per AZ/subnet)
+  // Note: Assumes VPC and subnets are already created
+  // In a real implementation, you'd get the subnet IDs from the VPC configuration
+  const availabilityZones = 2 // Should come from network config
+  for (let i = 0; i < availabilityZones; i++) {
+    builder.addResource(`${logicalId}MountTarget${i + 1}`, 'AWS::EFS::MountTarget', {
+      FileSystemId: Fn.ref(logicalId),
+      SubnetId: Fn.ref(`PrivateSubnet${i + 1}`),
+      SecurityGroups: [Fn.ref('EFSSecurityGroup')],
+    }, {
+      dependsOn: [logicalId, `PrivateSubnet${i + 1}`],
+    })
+  }
+
+  // Security group for EFS
+  builder.addResource('EFSSecurityGroup', 'AWS::EC2::SecurityGroup', {
+    GroupDescription: 'Security group for EFS mount targets',
+    VpcId: Fn.ref('VPC'),
+    SecurityGroupIngress: [{
+      IpProtocol: 'tcp',
+      FromPort: 2049,
+      ToPort: 2049,
+      SourceSecurityGroupId: Fn.ref('AppSecurityGroup'), // Assumes app security group exists
+    }],
+    Tags: [
+      { Key: 'Name', Value: Fn.sub('${AWS::StackName}-efs-sg') },
+    ],
+  }, {
+    dependsOn: 'VPC',
+  })
+
+  // Output EFS ID
+  builder.addOutputs({
+    [`${logicalId}Id`]: {
+      Description: `${name} EFS file system ID`,
+      Value: Fn.ref(logicalId),
+      Export: {
+        Name: Fn.sub(`\${AWS::StackName}-${name}-efs`),
+      },
+    },
+  })
+}

package/src/cloudformation/index.ts

@@ -0,0 +1,30 @@
+// CloudFormation template builder
+export {
+  CloudFormationBuilder,
+  buildCloudFormationTemplate,
+} from './builder'
+
+// CloudFormation types
+export type {
+  CloudFormationTemplate,
+  CloudFormationResource,
+  CloudFormationParameter,
+  CloudFormationOutput,
+  CloudFormationCondition,
+  CloudFormationIntrinsicFunction,
+} from './types'
+
+export {
+  Fn,
+  Arn,
+  AWS_PSEUDO_PARAMETERS,
+} from './types'
+
+// Resource builders
+export { addNetworkResources } from './builders/network'
+export { addStorageResources } from './builders/storage'
+export { addComputeResources } from './builders/compute'
+export { addDatabaseResources } from './builders/database'
+export { addFunctionResources } from './builders/functions'
+export { addQueueResources } from './builders/queue'
+export type { QueueConfig } from './builders/queue'