@stacksjs/ts-cloud-core 0.1.2 → 0.1.6

package/src/cloudformation/builders/security.ts

@@ -1,399 +0,0 @@
-import type { CloudFormationBuilder } from '../builder'
-import { Fn } from '../types'
-
-export interface SecurityConfig {
-  certificate?: {
-    domain: string
-    subdomains?: string[]
-    validationMethod?: 'DNS' | 'EMAIL'
-  }
-  waf?: {
-    enabled: boolean
-    rules?: string[]
-    rateLimit?: number
-    scope?: 'REGIONAL' | 'CLOUDFRONT'
-  }
-  securityGroups?: Record<string, {
-    ingress?: Array<{
-      port: number
-      protocol: string
-      cidr?: string
-      source?: string
-    }>
-    egress?: Array<{
-      port: number
-      protocol: string
-      cidr?: string
-    }>
-  }>
-}
-
-/**
- * Add security resources (ACM certificates, WAF, security groups) to CloudFormation template
- */
-export function addSecurityResources(
-  builder: CloudFormationBuilder,
-  config: SecurityConfig,
-): void {
-  // ACM Certificate
-  if (config.certificate) {
-    addCertificate(builder, config.certificate)
-  }
-
-  // WAF Web ACL
-  if (config.waf?.enabled) {
-    addWAF(builder, config.waf)
-  }
-
-  // Additional Security Groups
-  if (config.securityGroups) {
-    for (const [name, sgConfig] of Object.entries(config.securityGroups)) {
-      addSecurityGroup(builder, name, sgConfig)
-    }
-  }
-}
-
-/**
- * Add ACM SSL/TLS Certificate
- */
-function addCertificate(
-  builder: CloudFormationBuilder,
-  config: SecurityConfig['certificate'],
-): void {
-  if (!config) return
-
-  const domains = [config.domain]
-  if (config.subdomains) {
-    domains.push(...config.subdomains)
-  }
-
-  builder.addResource('Certificate', 'AWS::CertificateManager::Certificate', {
-    DomainName: config.domain,
-    SubjectAlternativeNames: config.subdomains,
-    ValidationMethod: config.validationMethod || 'DNS',
-    DomainValidationOptions: domains.map(domain => ({
-      DomainName: domain,
-      HostedZoneId: Fn.ref('HostedZone'),
-    })),
-    Tags: [
-      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-certificate`) },
-    ],
-  })
-
-  // Output
-  builder.addOutputs({
-    CertificateArn: {
-      Description: 'ACM Certificate ARN',
-      Value: Fn.ref('Certificate'),
-      Export: {
-        Name: Fn.sub('${AWS::StackName}-certificate-arn'),
-      },
-    },
-  })
-}
-
-/**
- * Add AWS WAF Web ACL
- */
-function addWAF(
-  builder: CloudFormationBuilder,
-  config: SecurityConfig['waf'],
-): void {
-  if (!config) return
-
-  const rules: any[] = []
-  const ruleNames = config.rules || ['rateLimit', 'sqlInjection', 'xss']
-
-  // Rate limiting rule
-  if (ruleNames.includes('rateLimit')) {
-    rules.push({
-      Name: 'RateLimitRule',
-      Priority: 1,
-      Statement: {
-        RateBasedStatement: {
-          Limit: config.rateLimit || 2000,
-          AggregateKeyType: 'IP',
-        },
-      },
-      Action: {
-        Block: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'RateLimitRule',
-      },
-    })
-  }
-
-  // AWS Managed Rules
-  let priority = rules.length + 1
-
-  if (ruleNames.includes('sqlInjection')) {
-    rules.push({
-      Name: 'AWSManagedRulesSQLi',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesSQLiRuleSet',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesSQLi',
-      },
-    })
-  }
-
-  if (ruleNames.includes('xss')) {
-    rules.push({
-      Name: 'AWSManagedRulesXSS',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesKnownBadInputsRuleSet',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesXSS',
-      },
-    })
-  }
-
-  if (ruleNames.includes('knownBadInputs')) {
-    rules.push({
-      Name: 'AWSManagedRulesKnownBadInputs',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesKnownBadInputsRuleSet',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesKnownBadInputs',
-      },
-    })
-  }
-
-  if (ruleNames.includes('coreRuleSet')) {
-    rules.push({
-      Name: 'AWSManagedRulesCoreRuleSet',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesCommonRuleSet',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesCoreRuleSet',
-      },
-    })
-  }
-
-  if (ruleNames.includes('linuxRuleSet')) {
-    rules.push({
-      Name: 'AWSManagedRulesLinuxRuleSet',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesLinuxRuleSet',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesLinuxRuleSet',
-      },
-    })
-  }
-
-  if (ruleNames.includes('apiProtection')) {
-    rules.push({
-      Name: 'AWSManagedRulesAPIProtection',
-      Priority: priority++,
-      Statement: {
-        ManagedRuleGroupStatement: {
-          VendorName: 'AWS',
-          Name: 'AWSManagedRulesAmazonIpReputationList',
-        },
-      },
-      OverrideAction: {
-        None: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'AWSManagedRulesAPIProtection',
-      },
-    })
-  }
-
-  if (ruleNames.includes('geoBlock')) {
-    // Example: Block traffic from certain countries
-    rules.push({
-      Name: 'GeoBlockRule',
-      Priority: priority++,
-      Statement: {
-        GeoMatchStatement: {
-          CountryCodes: ['CN', 'RU'], // Example countries to block
-        },
-      },
-      Action: {
-        Block: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'GeoBlockRule',
-      },
-    })
-  }
-
-  if (ruleNames.includes('connectionLimit')) {
-    rules.push({
-      Name: 'ConnectionLimitRule',
-      Priority: priority++,
-      Statement: {
-        RateBasedStatement: {
-          Limit: 100,
-          AggregateKeyType: 'IP',
-        },
-      },
-      Action: {
-        Block: {},
-      },
-      VisibilityConfig: {
-        SampledRequestsEnabled: true,
-        CloudWatchMetricsEnabled: true,
-        MetricName: 'ConnectionLimitRule',
-      },
-    })
-  }
-
-  // Web ACL
-  builder.addResource('WebACL', 'AWS::WAFv2::WebACL', {
-    Name: Fn.sub('${AWS::StackName}-waf'),
-    Scope: config.scope || 'REGIONAL',
-    DefaultAction: {
-      Allow: {},
-    },
-    Rules: rules,
-    VisibilityConfig: {
-      SampledRequestsEnabled: true,
-      CloudWatchMetricsEnabled: true,
-      MetricName: Fn.sub('${AWS::StackName}-waf'),
-    },
-    Tags: [
-      { Key: 'Name', Value: Fn.sub('${AWS::StackName}-waf') },
-    ],
-  })
-
-  // Associate WAF with ALB (if exists)
-  if (builder.hasResource('LoadBalancer')) {
-    builder.addResource('WebACLAssociation', 'AWS::WAFv2::WebACLAssociation', {
-      ResourceArn: Fn.ref('LoadBalancer'),
-      WebACLArn: Fn.getAtt('WebACL', 'Arn'),
-    }, {
-      dependsOn: ['WebACL', 'LoadBalancer'],
-    })
-  }
-
-  // Output
-  builder.addOutputs({
-    WebACLId: {
-      Description: 'WAF Web ACL ID',
-      Value: Fn.ref('WebACL'),
-      Export: {
-        Name: Fn.sub('${AWS::StackName}-waf-id'),
-      },
-    },
-    WebACLArn: {
-      Description: 'WAF Web ACL ARN',
-      Value: Fn.getAtt('WebACL', 'Arn'),
-      Export: {
-        Name: Fn.sub('${AWS::StackName}-waf-arn'),
-      },
-    },
-  })
-}
-
-/**
- * Add Security Group
- */
-function addSecurityGroup(
-  builder: CloudFormationBuilder,
-  name: string,
-  config: NonNullable<SecurityConfig['securityGroups']>[string] | undefined,
-): void {
-  if (!config) return
-
-  const logicalId = builder.toLogicalId(`${name}-security-group`)
-
-  const ingressRules = config.ingress?.map((rule: NonNullable<NonNullable<SecurityConfig['securityGroups']>[string]['ingress']>[number]) => ({
-    IpProtocol: rule.protocol,
-    FromPort: rule.port,
-    ToPort: rule.port,
-    CidrIp: rule.cidr,
-    SourceSecurityGroupId: rule.source ? Fn.ref(rule.source) : undefined,
-  })) || []
-
-  const egressRules = config.egress?.map((rule: NonNullable<NonNullable<SecurityConfig['securityGroups']>[string]['egress']>[number]) => ({
-    IpProtocol: rule.protocol,
-    FromPort: rule.port,
-    ToPort: rule.port,
-    CidrIp: rule.cidr || '0.0.0.0/0',
-  })) || [{
-    IpProtocol: '-1',
-    CidrIp: '0.0.0.0/0',
-  }]
-
-  builder.addResource(logicalId, 'AWS::EC2::SecurityGroup', {
-    GroupDescription: `Security group for ${name}`,
-    VpcId: Fn.ref('VPC'),
-    SecurityGroupIngress: ingressRules,
-    SecurityGroupEgress: egressRules,
-    Tags: [
-      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${name}-sg`) },
-    ],
-  }, {
-    dependsOn: 'VPC',
-  })
-
-  // Output
-  builder.addOutputs({
-    [`${logicalId}Id`]: {
-      Description: `${name} security group ID`,
-      Value: Fn.ref(logicalId),
-      Export: {
-        Name: Fn.sub(`\${AWS::StackName}-${name}-sg-id`),
-      },
-    },
-  })
-}

package/src/cloudformation/builders/storage.ts

@@ -1,285 +0,0 @@
-import type { CloudFormationBuilder } from '../builder'
-import { Arn, Fn } from '../types'
-
-export interface StorageConfig {
-  [bucketName: string]: {
-    public?: boolean
-    versioning?: boolean
-    website?: boolean
-    encryption?: boolean
-    intelligentTiering?: boolean
-    cors?: Array<{
-      allowedOrigins: string[]
-      allowedMethods: string[]
-      allowedHeaders?: string[]
-      maxAge?: number
-    }>
-    lifecycleRules?: Array<{
-      id: string
-      enabled: boolean
-      expirationDays?: number
-      transitions?: Array<{
-        days: number
-        storageClass: 'STANDARD_IA' | 'ONEZONE_IA' | 'INTELLIGENT_TIERING' | 'GLACIER' | 'DEEP_ARCHIVE'
-      }>
-    }>
-    type?: 'efs'
-    performanceMode?: 'generalPurpose' | 'maxIO'
-    throughputMode?: 'bursting' | 'provisioned'
-    lifecyclePolicy?: {
-      transitionToIA?: number
-      transitionToPrimaryStorageClass?: number
-    }
-  }
-}
-
-/**
- * Add S3 and EFS storage resources to CloudFormation template
- */
-export function addStorageResources(
-  builder: CloudFormationBuilder,
-  config: StorageConfig,
-): void {
-  for (const [bucketName, bucketConfig] of Object.entries(config)) {
-    // Check if this is an EFS configuration
-    if (bucketConfig.type === 'efs') {
-      addEFSResource(builder, bucketName, bucketConfig)
-      continue
-    }
-
-    // Otherwise, create S3 bucket
-    addS3Bucket(builder, bucketName, bucketConfig)
-  }
-}
-
-/**
- * Add S3 bucket resource
- */
-function addS3Bucket(
-  builder: CloudFormationBuilder,
-  bucketName: string,
-  config: StorageConfig[string],
-): void {
-  const logicalId = builder.toLogicalId(`${bucketName}-bucket`)
-  const properties: Record<string, any> = {
-    BucketName: Fn.sub(`\${AWS::StackName}-${bucketName}`),
-    Tags: [
-      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${bucketName}`) },
-    ],
-  }
-
-  // Versioning
-  if (config.versioning) {
-    properties.VersioningConfiguration = {
-      Status: 'Enabled',
-    }
-  }
-
-  // Encryption
-  if (config.encryption) {
-    properties.BucketEncryption = {
-      ServerSideEncryptionConfiguration: [{
-        ServerSideEncryptionByDefault: {
-          SSEAlgorithm: 'AES256',
-        },
-      }],
-    }
-  }
-
-  // Public access
-  if (!config.public) {
-    properties.PublicAccessBlockConfiguration = {
-      BlockPublicAcls: true,
-      BlockPublicPolicy: true,
-      IgnorePublicAcls: true,
-      RestrictPublicBuckets: true,
-    }
-  }
-
-  // Website configuration
-  if (config.website) {
-    properties.WebsiteConfiguration = {
-      IndexDocument: 'index.html',
-      ErrorDocument: 'index.html', // For SPA routing
-    }
-  }
-
-  // CORS configuration
-  if (config.cors && config.cors.length > 0) {
-    properties.CorsConfiguration = {
-      CorsRules: config.cors.map(rule => ({
-        AllowedOrigins: rule.allowedOrigins,
-        AllowedMethods: rule.allowedMethods,
-        AllowedHeaders: rule.allowedHeaders || ['*'],
-        MaxAge: rule.maxAge || 3600,
-      })),
-    }
-  }
-
-  // Lifecycle rules
-  if (config.lifecycleRules && config.lifecycleRules.length > 0) {
-    properties.LifecycleConfiguration = {
-      Rules: config.lifecycleRules.map(rule => ({
-        Id: rule.id,
-        Status: rule.enabled ? 'Enabled' : 'Disabled',
-        ExpirationInDays: rule.expirationDays,
-        Transitions: rule.transitions?.map(t => ({
-          TransitionInDays: t.days,
-          StorageClass: t.storageClass,
-        })),
-      })),
-    }
-  }
-
-  // Intelligent tiering
-  if (config.intelligentTiering) {
-    properties.IntelligentTieringConfigurations = [{
-      Id: 'EntireBucket',
-      Status: 'Enabled',
-      Tierings: [
-        {
-          AccessTier: 'ARCHIVE_ACCESS',
-          Days: 90,
-        },
-        {
-          AccessTier: 'DEEP_ARCHIVE_ACCESS',
-          Days: 180,
-        },
-      ],
-    }]
-  }
-
-  builder.addResource(logicalId, 'AWS::S3::Bucket', properties, {
-    deletionPolicy: config.versioning ? 'Retain' : 'Delete',
-  })
-
-  // Bucket policy for public access if needed
-  if (config.public) {
-    builder.addResource(`${logicalId}Policy`, 'AWS::S3::BucketPolicy', {
-      Bucket: Fn.ref(logicalId),
-      PolicyDocument: {
-        Version: '2012-10-17',
-        Statement: [{
-          Sid: 'PublicReadGetObject',
-          Effect: 'Allow',
-          Principal: '*',
-          Action: 's3:GetObject',
-          Resource: Fn.join('', [Arn.s3Bucket(Fn.ref(logicalId) as any), '/*']),
-        }],
-      },
-    }, {
-      dependsOn: logicalId,
-    })
-  }
-
-  // Output bucket name and ARN
-  builder.addOutputs({
-    [`${logicalId}Name`]: {
-      Description: `${bucketName} bucket name`,
-      Value: Fn.ref(logicalId),
-      Export: {
-        Name: Fn.sub(`\${AWS::StackName}-${bucketName}-bucket`),
-      },
-    },
-    [`${logicalId}Arn`]: {
-      Description: `${bucketName} bucket ARN`,
-      Value: Fn.getAtt(logicalId, 'Arn'),
-      Export: {
-        Name: Fn.sub(`\${AWS::StackName}-${bucketName}-bucket-arn`),
-      },
-    },
-  })
-
-  if (config.website) {
-    builder.addOutputs({
-      [`${logicalId}WebsiteURL`]: {
-        Description: `${bucketName} website URL`,
-        Value: Fn.getAtt(logicalId, 'WebsiteURL'),
-      },
-    })
-  }
-}
-
-/**
- * Add EFS file system resource
- */
-function addEFSResource(
-  builder: CloudFormationBuilder,
-  name: string,
-  config: StorageConfig[string],
-): void {
-  const logicalId = builder.toLogicalId(`${name}-efs`)
-
-  // EFS File System
-  const properties: Record<string, any> = {
-    Encrypted: config.encryption !== false,
-    PerformanceMode: config.performanceMode || 'generalPurpose',
-    ThroughputMode: config.throughputMode || 'bursting',
-    FileSystemTags: [
-      { Key: 'Name', Value: Fn.sub(`\${AWS::StackName}-${name}`) },
-    ],
-  }
-
-  // Lifecycle policy
-  if (config.lifecyclePolicy) {
-    properties.LifecyclePolicies = []
-
-    if (config.lifecyclePolicy.transitionToIA) {
-      properties.LifecyclePolicies.push({
-        TransitionToIA: `AFTER_${config.lifecyclePolicy.transitionToIA}_DAYS`,
-      })
-    }
-
-    if (config.lifecyclePolicy.transitionToPrimaryStorageClass) {
-      properties.LifecyclePolicies.push({
-        TransitionToPrimaryStorageClass: 'AFTER_1_ACCESS',
-      })
-    }
-  }
-
-  builder.addResource(logicalId, 'AWS::EFS::FileSystem', properties, {
-    deletionPolicy: 'Retain',
-  })
-
-  // EFS Mount Targets (one per AZ/subnet)
-  // Note: Assumes VPC and subnets are already created
-  // In a real implementation, you'd get the subnet IDs from the VPC configuration
-  const availabilityZones = 2 // Should come from network config
-  for (let i = 0; i < availabilityZones; i++) {
-    builder.addResource(`${logicalId}MountTarget${i + 1}`, 'AWS::EFS::MountTarget', {
-      FileSystemId: Fn.ref(logicalId),
-      SubnetId: Fn.ref(`PrivateSubnet${i + 1}`),
-      SecurityGroups: [Fn.ref('EFSSecurityGroup')],
-    }, {
-      dependsOn: [logicalId, `PrivateSubnet${i + 1}`],
-    })
-  }
-
-  // Security group for EFS
-  builder.addResource('EFSSecurityGroup', 'AWS::EC2::SecurityGroup', {
-    GroupDescription: 'Security group for EFS mount targets',
-    VpcId: Fn.ref('VPC'),
-    SecurityGroupIngress: [{
-      IpProtocol: 'tcp',
-      FromPort: 2049,
-      ToPort: 2049,
-      SourceSecurityGroupId: Fn.ref('AppSecurityGroup'), // Assumes app security group exists
-    }],
-    Tags: [
-      { Key: 'Name', Value: Fn.sub('${AWS::StackName}-efs-sg') },
-    ],
-  }, {
-    dependsOn: 'VPC',
-  })
-
-  // Output EFS ID
-  builder.addOutputs({
-    [`${logicalId}Id`]: {
-      Description: `${name} EFS file system ID`,
-      Value: Fn.ref(logicalId),
-      Export: {
-        Name: Fn.sub(`\${AWS::StackName}-${name}-efs`),
-      },
-    },
-  })
-}

package/src/cloudformation/index.ts

@@ -1,30 +0,0 @@
-// CloudFormation template builder
-export {
-  CloudFormationBuilder,
-  buildCloudFormationTemplate,
-} from './builder'
-
-// CloudFormation types
-export type {
-  CloudFormationTemplate,
-  CloudFormationResource,
-  CloudFormationParameter,
-  CloudFormationOutput,
-  CloudFormationCondition,
-  CloudFormationIntrinsicFunction,
-} from './types'
-
-export {
-  Fn,
-  Arn,
-  AWS_PSEUDO_PARAMETERS,
-} from './types'
-
-// Resource builders
-export { addNetworkResources } from './builders/network'
-export { addStorageResources } from './builders/storage'
-export { addComputeResources } from './builders/compute'
-export { addDatabaseResources } from './builders/database'
-export { addFunctionResources } from './builders/functions'
-export { addQueueResources } from './builders/queue'
-export type { QueueConfig } from './builders/queue'