npm - @studion/infra-code-blocks - Versions diffs - 0.0.7 → 0.0.9 - Mend

@studion/infra-code-blocks 0.0.7 → 0.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +36 -30
package/dist/components/ec2-ssm-connect.d.ts +0 -2
package/dist/components/ec2-ssm-connect.js +0 -4
package/dist/components/project.js +0 -2
package/dist/components/web-server.d.ts +8 -1
package/dist/components/web-server.js +22 -2
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -131,6 +131,7 @@ export type WebServerService = {
   environment?:
     | aws.ecs.KeyValuePair[]
     | ((services: Services) => aws.ecs.KeyValuePair[]);
+  secrets?: aws.ecs.Secret[];
   image: pulumi.Input<string>;
   port: pulumi.Input<number>;
   domain: pulumi.Input<string>;
@@ -181,6 +182,27 @@ const project = new studion.Project('demo-project', {
 });
 ```
+In order to pass sensitive information to the container use `secrets` instead of `environment`. AWS will fetch values from
+Secret Manager based on arn that is provided for the `valueFrom` field.
+```ts
+const project = new studion.Project('demo-project', {
+  environment: 'DEVELOPMENT',
+  services: [
+    {
+      type: 'WEB_SERVER',
+      serviceName: 'api',
+      image: imageUri,
+      port: 3000,
+      domain: 'api.my-domain.com',
+      secrets: [
+        { name: 'DB_PASSWORD', valueFrom: 'arn-of-the-secret-manager-secret' },
+      ],
+    },
+  ],
+});
+```
 ### Database
 AWS RDS Postgres instance.
@@ -331,6 +353,7 @@ export type WebServerArgs = {
   maxCount?: pulumi.Input<number>;
   size?: pulumi.Input<Size>;
   environment?: aws.ecs.KeyValuePair[];
+  secrets?: aws.ecs.Secret[];
   healtCheckPath?: pulumi.Input<string>;
   taskExecutionRoleInlinePolicies?: pulumi.Input<
     pulumi.Input<RoleInlinePolicy>[]
@@ -376,11 +399,12 @@ The [Database](#database) component deploys a database instance inside a private
 and it's not publicly accessible from outside of VPC.
 <br>
 In order to connect to the database we need to deploy the ec2 instance which will be used
-to open an SSH tunnel to the database instance.
+to forward traffic to the database instance.
 <br>
-Because of security reasons, ec2 instance is also deployed inside private subnet
+Because of security reasons, the ec2 instance is also deployed inside a private subnet
 which means we can't directly connect to it. For that purpose, we use AWS System Manager
-which enables us to connect to the ec2 instance even though it's inside private subnet.
+which enables us to connect to the ec2 instance even though it's inside a private subnet.
+The benefit of using AWS SSM is that we don't need a ssh key pair.
 ![AWS RDS connection schema](/assets/images/ssm-rds.png)
@@ -392,18 +416,6 @@ which enables us to connect to the ec2 instance even though it's inside private
 $ brew install --cask session-manager-plugin
 ```
-2. Generate a new ssh key pair or use the existing one.
-```bash
-$ ssh-keygen -f my_rsa
-```
-3. Set stack config property by running:
-```bash
-$ pulumi config set ssh:publicKey "ssh-rsa Z...9= mymac@Studions-MBP.localdomain"
-```
 SSM Connect can be enabled by setting `enableSSMConnect` property to `true`.
 ```ts
@@ -418,20 +430,13 @@ export const ec2InstanceId = project.ec2SSMConnect?.ec2.id;
 Open up your terminal and run the following command:
 ```bash
-$ aws ssm start-session --target EC2_INSTANCE_ID --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["22"], "localPortNumber":["9999"]}'
-```
-Where `EC2_INSTANCE_ID` is an ID of the EC2 instance that is created for you. ID can be
-obtained by exporting it from the stack.
-Next, open another terminal window and run the following command:
-```bash
-$ ssh ec2-user@localhost -p 9999 -N -L 5555:DATABASE_ADDRESS:DATABASE_PORT -i SSH_PRIVATE_KEY
+$ aws ssm start-session --target EC2_INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host": ["DATABASE_ADDRESS"], "portNumber":["DATABASE_PORT"], "localPortNumber":["5555"]}'
 ```
-Where `DATABASE_ADDRESS` and `DATABASE_PORT` are the address and port of the database instance,
-and `SSH_PRIVATE_KEY` is the path to the SSH private key.
+Where `EC2_INSTANCE_ID` is an ID of the EC2 instance that is created for you
+(ID can be obtained by exporting it from the stack), and
+`DATABASE_ADDRESS` and `DATABASE_PORT` are the address and port of the
+database instance.
 And that is it! 🥳
 Now you can use your favorite database client to connect to the database.
@@ -439,9 +444,9 @@ Now you can use your favorite database client to connect to the database.
 ![RDS connection](/assets/images/rds-connection.png)
 It is important that for the host you set `localhost` and for the port you set `5555`
-because we have an SSH tunnel open that forwards traffic from localhost:5555 to the
-DATABASE_ADDRESS:DATABASE_PORT. For the user, password, and database field, set values
-which are set in the `Project`.
+because we are port forwarding traffic from
+localhost:5555 to DATABASE_ADDRESS:DATABASE_PORT.
+For the user, password, and database field, set values which are set in the `Project`.
 ```ts
 const project = new studion.Project('demo-project', {
@@ -462,3 +467,4 @@ const project = new studion.Project('demo-project', {
 - [ ] Add worker service for executing tasks
 - [ ] Add MongoDB service
+- [ ] Make db username & password fields optional and autogenerate db username & password if they are not provided

package/dist/components/ec2-ssm-connect.d.ts CHANGED Viewed

@@ -3,7 +3,6 @@ import * as aws from '@pulumi/aws';
 import * as awsx from '@pulumi/awsx';
 export type Ec2SSMConnectArgs = {
     vpc: awsx.ec2.Vpc;
-    sshPublicKey: pulumi.Input<string>;
     tags?: pulumi.Input<{
         [key: string]: pulumi.Input<string>;
     }>;
@@ -14,6 +13,5 @@ export declare class Ec2SSMConnect extends pulumi.ComponentResource {
     ec2MessagesVpcEndpoint: aws.ec2.VpcEndpoint;
     ssmMessagesVpcEndpoint: aws.ec2.VpcEndpoint;
     ec2: aws.ec2.Instance;
-    sshKeyPair: aws.ec2.KeyPair;
     constructor(name: string, args: Ec2SSMConnectArgs, opts?: pulumi.ComponentResourceOptions);
 }

package/dist/components/ec2-ssm-connect.js CHANGED Viewed

@@ -56,14 +56,10 @@ class Ec2SSMConnect extends pulumi.ComponentResource {
         const ssmProfile = new aws.iam.InstanceProfile(`${name}-ssm-profile`, {
             role: role.name,
         }, { parent: this, dependsOn: [ssmPolicyAttachment] });
-        this.sshKeyPair = new aws.ec2.KeyPair(`${name}-ec2-keypair`, {
-            publicKey: args.sshPublicKey,
-        }, { parent: this });
         this.ec2 = new aws.ec2.Instance(`${name}-ec2`, {
             ami: 'ami-067d1e60475437da2',
             associatePublicIpAddress: false,
             instanceType: 't2.micro',
-            keyName: this.sshKeyPair.keyName,
             iamInstanceProfile: ssmProfile.name,
             subnetId,
             vpcSecurityGroupIds: [this.ec2SecurityGroup.id],

package/dist/components/project.js CHANGED Viewed

@@ -39,10 +39,8 @@ class Project extends pulumi.ComponentResource {
         this.vpc = this.createVpc();
         this.createServices(services);
         if (args.enableSSMConnect) {
-            const sshConfig = new pulumi.Config('ssh');
             this.ec2SSMConnect = new ec2_ssm_connect_1.Ec2SSMConnect(`${name}-ssm-connect`, {
                 vpc: this.vpc,
-                sshPublicKey: sshConfig.require('publicKey'),
             });
         }
         this.registerOutputs();

package/dist/components/web-server.d.ts CHANGED Viewed

@@ -61,9 +61,16 @@ export type WebServerArgs = {
      */
     size?: pulumi.Input<Size>;
     /**
-     * The environment variables to pass to a container. Defaults to [].
+     * The environment variables to pass to a container. Don't use this field for
+     * sensitive information such as passwords, API keys, etc. For that purpose,
+     * please use the `secrets` property.
+     * Defaults to [].
      */
     environment?: aws.ecs.KeyValuePair[];
+    /**
+     * The secrets to pass to the container. Defaults to [].
+     */
+    secrets?: aws.ecs.Secret[];
     /**
      * Path for the health check request. Defaults to "/healtcheck".
      */

package/dist/components/web-server.js CHANGED Viewed

@@ -26,6 +26,7 @@ const defaults = {
     maxCount: 10,
     size: 'small',
     environment: [],
+    secrets: [],
     healtCheckPath: '/healtcheck',
     taskExecutionRoleInlinePolicies: [],
     taskRoleInlinePolicies: [],
@@ -128,6 +129,20 @@ class WebServer extends pulumi.ComponentResource {
                 },
             ],
         }, { parent: this });
+        const secretManagerSecretsInlinePolicy = {
+            name: `${name}-secret-manager-access`,
+            policy: JSON.stringify({
+                Version: '2012-10-17',
+                Statement: [
+                    {
+                        Sid: 'AllowContainerToGetSecretManagerSecrets',
+                        Effect: 'Allow',
+                        Action: ['secretsmanager:GetSecretValue'],
+                        Resource: '*',
+                    },
+                ],
+            }),
+        };
         const taskExecutionRole = new aws.iam.Role(`${name}-ecs-task-exec-role`, {
             name: `${name}-ecs-task-exec-role`,
             assumeRolePolicy,
@@ -135,7 +150,10 @@ class WebServer extends pulumi.ComponentResource {
                 'arn:aws:iam::aws:policy/CloudWatchFullAccess',
                 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
             ],
-            inlinePolicies: argsWithDefaults.taskExecutionRoleInlinePolicies,
+            inlinePolicies: [
+                secretManagerSecretsInlinePolicy,
+                ...argsWithDefaults.taskExecutionRoleInlinePolicies,
+            ],
         }, { parent: this });
         const execCmdInlinePolicy = {
             name: `${name}-ecs-exec`,
@@ -191,10 +209,11 @@ class WebServer extends pulumi.ComponentResource {
                 argsWithDefaults.image,
                 argsWithDefaults.port,
                 argsWithDefaults.environment,
+                argsWithDefaults.secrets,
                 this.logGroup.name,
                 awsRegion,
             ])
-                .apply(([containerName, image, port, environment, logGroup, region]) => {
+                .apply(([containerName, image, port, environment, secrets, logGroup, region,]) => {
                 return JSON.stringify([
                     {
                         readonlyRootFilesystem: false,
@@ -216,6 +235,7 @@ class WebServer extends pulumi.ComponentResource {
                             },
                         },
                         environment,
+                        secrets,
                     },
                 ]);
             }),

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@studion/infra-code-blocks",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "description": "Studion common infra components",
   "keywords": [
     "infrastructure",