@stacksjs/ts-cloud 0.1.7 → 0.1.9

package/src/dns/validator.ts

@@ -0,0 +1,369 @@
+/**
+ * Unified DNS Validator for ACM Certificates
+ * Works with any DNS provider (Route53, Porkbun, GoDaddy, etc.)
+ */
+
+import { ACMClient } from '../aws/acm'
+import type { DnsProvider, DnsProviderConfig } from './types'
+import { createDnsProvider } from './index'
+
+export interface ValidationRecord {
+  domainName: string
+  recordName: string
+  recordType: string
+  recordValue: string
+}
+
+export interface CertificateValidationResult {
+  certificateArn: string
+  validationRecords: ValidationRecord[]
+  isNew: boolean
+  status: 'pending' | 'issued' | 'failed'
+}
+
+/**
+ * Unified DNS Validator
+ * Handles ACM certificate validation with any DNS provider
+ */
+export class UnifiedDnsValidator {
+  private acm: ACMClient
+  private dnsProvider: DnsProvider
+
+  constructor(
+    dnsProvider: DnsProvider | DnsProviderConfig,
+    acmRegion: string = 'us-east-1',
+  ) {
+    this.acm = new ACMClient(acmRegion)
+
+    if ('provider' in dnsProvider) {
+      this.dnsProvider = createDnsProvider(dnsProvider)
+    }
+    else {
+      this.dnsProvider = dnsProvider
+    }
+  }
+
+  /**
+   * Get the DNS provider being used
+   */
+  getProvider(): DnsProvider {
+    return this.dnsProvider
+  }
+
+  /**
+   * Request a certificate and create DNS validation records
+   */
+  async requestAndValidate(params: {
+    domainName: string
+    subjectAlternativeNames?: string[]
+    waitForValidation?: boolean
+    maxWaitMinutes?: number
+  }): Promise<CertificateValidationResult> {
+    const {
+      domainName,
+      subjectAlternativeNames = [],
+      waitForValidation = false,
+      maxWaitMinutes = 30,
+    } = params
+
+    // Request certificate from ACM
+    const { CertificateArn } = await this.acm.requestCertificate({
+      DomainName: domainName,
+      SubjectAlternativeNames: subjectAlternativeNames.length > 0
+        ? [domainName, ...subjectAlternativeNames]
+        : undefined,
+      ValidationMethod: 'DNS',
+    })
+
+    // Wait for validation options to be available
+    await this.waitForValidationOptions(CertificateArn)
+
+    // Get DNS validation records
+    const validationRecords = await this.acm.getDnsValidationRecords(CertificateArn)
+
+    // Create DNS records using the configured provider
+    for (const record of validationRecords) {
+      const result = await this.dnsProvider.upsertRecord(domainName, {
+        name: record.recordName,
+        type: record.recordType as any,
+        content: record.recordValue,
+        ttl: 300,
+      })
+
+      if (!result.success) {
+        console.warn(`Failed to create validation record for ${record.domainName}: ${result.message}`)
+      }
+    }
+
+    // Wait for certificate validation if requested
+    let status: 'pending' | 'issued' | 'failed' = 'pending'
+
+    if (waitForValidation) {
+      const cert = await this.acm.waitForCertificateValidation(
+        CertificateArn,
+        maxWaitMinutes * 2,
+        30000,
+      )
+
+      status = cert?.Status === 'ISSUED' ? 'issued' : 'failed'
+    }
+
+    return {
+      certificateArn: CertificateArn,
+      validationRecords: validationRecords.map(r => ({
+        domainName: r.domainName,
+        recordName: r.recordName,
+        recordType: r.recordType,
+        recordValue: r.recordValue,
+      })),
+      isNew: true,
+      status,
+    }
+  }
+
+  /**
+   * Create validation records for an existing certificate
+   */
+  async createValidationRecords(params: {
+    certificateArn: string
+    domain: string
+  }): Promise<{
+    success: boolean
+    records: ValidationRecord[]
+    errors: string[]
+  }> {
+    const { certificateArn, domain } = params
+    const errors: string[] = []
+
+    // Get validation records from ACM
+    const validationRecords = await this.acm.getDnsValidationRecords(certificateArn)
+
+    // Create DNS records
+    for (const record of validationRecords) {
+      const result = await this.dnsProvider.upsertRecord(domain, {
+        name: record.recordName,
+        type: record.recordType as any,
+        content: record.recordValue,
+        ttl: 300,
+      })
+
+      if (!result.success) {
+        errors.push(`Failed to create record for ${record.domainName}: ${result.message}`)
+      }
+    }
+
+    return {
+      success: errors.length === 0,
+      records: validationRecords.map(r => ({
+        domainName: r.domainName,
+        recordName: r.recordName,
+        recordType: r.recordType,
+        recordValue: r.recordValue,
+      })),
+      errors,
+    }
+  }
+
+  /**
+   * Delete validation records (cleanup after certificate is issued)
+   */
+  async deleteValidationRecords(params: {
+    certificateArn: string
+    domain: string
+  }): Promise<{
+    success: boolean
+    errors: string[]
+  }> {
+    const { certificateArn, domain } = params
+    const errors: string[] = []
+
+    // Get validation records from ACM
+    const validationRecords = await this.acm.getDnsValidationRecords(certificateArn)
+
+    // Delete DNS records
+    for (const record of validationRecords) {
+      const result = await this.dnsProvider.deleteRecord(domain, {
+        name: record.recordName,
+        type: record.recordType as any,
+        content: record.recordValue,
+      })
+
+      if (!result.success) {
+        errors.push(`Failed to delete record for ${record.domainName}: ${result.message}`)
+      }
+    }
+
+    return {
+      success: errors.length === 0,
+      errors,
+    }
+  }
+
+  /**
+   * Find or create a certificate for a domain
+   */
+  async findOrCreateCertificate(params: {
+    domainName: string
+    subjectAlternativeNames?: string[]
+    waitForValidation?: boolean
+    maxWaitMinutes?: number
+  }): Promise<CertificateValidationResult> {
+    const { domainName, subjectAlternativeNames = [], waitForValidation = true, maxWaitMinutes } = params
+
+    // Try to find existing certificate
+    const existing = await this.acm.findCertificateByDomain(domainName)
+
+    if (existing && existing.Status === 'ISSUED') {
+      // Check if the existing certificate covers all required SANs
+      const existingSans = existing.SubjectAlternativeNames || [existing.DomainName]
+      const hasWildcard = existingSans.some(san => san === `*.${domainName}`)
+      const allSansCovered = subjectAlternativeNames.every(san =>
+        existingSans.includes(san) || hasWildcard,
+      )
+
+      if (allSansCovered) {
+        return {
+          certificateArn: existing.CertificateArn,
+          validationRecords: [],
+          isNew: false,
+          status: 'issued',
+        }
+      }
+      // Existing cert doesn't cover all SANs, request a new one
+      console.log(`Existing certificate doesn't cover all required SANs, requesting new certificate...`)
+    }
+
+    // Request new certificate
+    return this.requestAndValidate({
+      domainName,
+      subjectAlternativeNames,
+      waitForValidation,
+      maxWaitMinutes,
+    })
+  }
+
+  /**
+   * Request certificate with common SANs (www and wildcard)
+   */
+  async requestCertificateWithCommonSans(params: {
+    domainName: string
+    includeWww?: boolean
+    includeWildcard?: boolean
+    additionalSans?: string[]
+    waitForValidation?: boolean
+  }): Promise<CertificateValidationResult> {
+    const {
+      domainName,
+      includeWww = true,
+      includeWildcard = false,
+      additionalSans = [],
+      waitForValidation = false,
+    } = params
+
+    const sans: string[] = []
+
+    if (includeWww) {
+      sans.push(`www.${domainName}`)
+    }
+
+    if (includeWildcard) {
+      sans.push(`*.${domainName}`)
+    }
+
+    sans.push(...additionalSans)
+
+    return this.requestAndValidate({
+      domainName,
+      subjectAlternativeNames: sans,
+      waitForValidation,
+    })
+  }
+
+  /**
+   * Wait for validation options to become available
+   */
+  private async waitForValidationOptions(
+    certificateArn: string,
+    maxAttempts = 30,
+  ): Promise<void> {
+    for (let i = 0; i < maxAttempts; i++) {
+      const cert = await this.acm.describeCertificate({ CertificateArn: certificateArn })
+
+      if (
+        cert.DomainValidationOptions
+        && cert.DomainValidationOptions.length > 0
+        && cert.DomainValidationOptions[0].ResourceRecord
+      ) {
+        return
+      }
+
+      await new Promise(resolve => setTimeout(resolve, 2000))
+    }
+
+    throw new Error('Timeout waiting for DNS validation options')
+  }
+
+  /**
+   * Get the status of a certificate
+   */
+  async getCertificateStatus(certificateArn: string): Promise<{
+    status: string
+    domainValidations: Array<{
+      domain: string
+      status: string
+    }>
+  }> {
+    const cert = await this.acm.describeCertificate({ CertificateArn: certificateArn })
+
+    return {
+      status: cert.Status,
+      domainValidations: (cert.DomainValidationOptions || []).map(opt => ({
+        domain: opt.DomainName,
+        status: opt.ValidationStatus || 'UNKNOWN',
+      })),
+    }
+  }
+}
+
+/**
+ * Helper function to create a validator with Porkbun
+ */
+export function createPorkbunValidator(
+  apiKey: string,
+  secretKey: string,
+  acmRegion?: string,
+): UnifiedDnsValidator {
+  return new UnifiedDnsValidator(
+    { provider: 'porkbun', apiKey, secretKey },
+    acmRegion,
+  )
+}
+
+/**
+ * Helper function to create a validator with GoDaddy
+ */
+export function createGoDaddyValidator(
+  apiKey: string,
+  apiSecret: string,
+  acmRegion?: string,
+  environment?: 'production' | 'ote',
+): UnifiedDnsValidator {
+  return new UnifiedDnsValidator(
+    { provider: 'godaddy', apiKey, apiSecret, environment },
+    acmRegion,
+  )
+}
+
+/**
+ * Helper function to create a validator with Route53
+ */
+export function createRoute53Validator(
+  region?: string,
+  hostedZoneId?: string,
+  acmRegion?: string,
+): UnifiedDnsValidator {
+  return new UnifiedDnsValidator(
+    { provider: 'route53', region, hostedZoneId },
+    acmRegion || region,
+  )
+}

package/src/generators/index.ts

@@ -0,0 +1,5 @@
+/**
+ * Infrastructure Generators
+ */
+
+export * from './infrastructure'