@studion/infra-code-blocks 0.0.8 → 0.0.10

package/README.md

@@ -92,7 +92,7 @@ type DatabaseService = {
   serviceName: string;
   dbName: pulumi.Input<string>;
   username: pulumi.Input<string>;
-  password: pulumi.Input<string>;
+  password?: pulumi.Input<string>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
@@ -131,6 +131,7 @@ export type WebServerService = {
   environment?:
     | aws.ecs.KeyValuePair[]
     | ((services: Services) => aws.ecs.KeyValuePair[]);
+  secrets?: aws.ecs.Secret[] | ((services: Services) => aws.ecs.Secret[]);
   image: pulumi.Input<string>;
   port: pulumi.Input<number>;
   domain: pulumi.Input<string>;
@@ -181,6 +182,54 @@ const project = new studion.Project('demo-project', {
 });
 ```
 
+In order to pass sensitive information to the container use `secrets` instead of `environment`. AWS will fetch values from
+Secret Manager based on arn that is provided for the `valueFrom` field.
+
+```ts
+const project = new studion.Project('demo-project', {
+  environment: 'DEVELOPMENT',
+  services: [
+    {
+      type: 'WEB_SERVER',
+      serviceName: 'api',
+      image: imageUri,
+      port: 3000,
+      domain: 'api.my-domain.com',
+      secrets: [
+        { name: 'DB_PASSWORD', valueFrom: 'arn-of-the-secret-manager-secret' },
+      ],
+    },
+  ],
+});
+```
+
+```ts
+const project = new studion.Project('demo-project', {
+  environment: 'DEVELOPMENT',
+  services: [
+    {
+      type: 'REDIS',
+      serviceName: 'redis',
+      dbName: 'test-db',
+    },
+    {
+      type: 'WEB_SERVER',
+      serviceName: 'api',
+      image: imageUri,
+      port: 3000,
+      domain: 'api.my-domain.com',
+      secrets: (services: Services) => {
+        const redisServiceName = 'redis';
+        const redis = services[redisServiceName];
+        return [
+          { name: 'REDIS_PASSWORD', valueFrom: redis.passwordSecret.arn },
+        ];
+      },
+    },
+  ],
+});
+```
+
 ### Database
 
 AWS RDS Postgres instance.
@@ -207,8 +256,8 @@ new Database(name: string, args: DatabaseArgs, opts?: pulumi.CustomResourceOptio
 type DatabaseArgs = {
   dbName: pulumi.Input<string>;
   username: pulumi.Input<string>;
-  password: pulumi.Input<string>;
   vpc: awsx.ec2.Vpc;
+  password?: pulumi.Input<string>;
   applyImmediately?: pulumi.Input<boolean>;
   skipFinalSnapshot?: pulumi.Input<boolean>;
   allocatedStorage?: pulumi.Input<number>;
@@ -220,6 +269,10 @@ type DatabaseArgs = {
 };
 ```
 
+If a password is not specified, it will be autogenerated and stored as a secret
+inside AWS Secret Manager. The secret will be available on the `Database` resource
+as `passwordSecret`.
+
 ### Redis
 
 [Upstash](https://upstash.com) Redis instance.
@@ -261,6 +314,9 @@ interface RedisOptions extends pulumi.ComponentResourceOptions {
 }
 ```
 
+After creating the Redis resource, the `passwordSecret` AWS Secret Manager Secret
+will exist on the resource.
+
 ### Static Site
 
 AWS S3 + Cloudfront static site.
@@ -331,6 +387,7 @@ export type WebServerArgs = {
   maxCount?: pulumi.Input<number>;
   size?: pulumi.Input<Size>;
   environment?: aws.ecs.KeyValuePair[];
+  secrets?: aws.ecs.Secret[];
   healtCheckPath?: pulumi.Input<string>;
   taskExecutionRoleInlinePolicies?: pulumi.Input<
     pulumi.Input<RoleInlinePolicy>[]

package/dist/components/database.d.ts

@@ -10,14 +10,15 @@ export type DatabaseArgs = {
      * Username for the master DB user.
      */
     username: pulumi.Input<string>;
-    /**
-     * Password for the master DB user.
-     */
-    password: pulumi.Input<string>;
     /**
      * The awsx.ec2.Vpc resource.
      */
     vpc: awsx.ec2.Vpc;
+    /**
+     * Password for the master DB user. If not specified, it will be autogenerated
+     * and stored as a secret in AWS Secret Manager.
+     */
+    password?: pulumi.Input<string>;
     /**
      * Specifies whether any database modifications are applied immediately, or during the next maintenance window. Default is false.
      */
@@ -50,5 +51,6 @@ export declare class Database extends pulumi.ComponentResource {
     kms: aws.kms.Key;
     dbSubnetGroup: aws.rds.SubnetGroup;
     dbSecurityGroup: aws.ec2.SecurityGroup;
+    passwordSecret?: aws.secretsmanager.Secret;
     constructor(name: string, args: DatabaseArgs, opts?: pulumi.ComponentResourceOptions);
 }

package/dist/components/database.js

@@ -13,6 +13,8 @@ const defaults = {
 class Database extends pulumi.ComponentResource {
     constructor(name, args, opts = {}) {
         super('studion:Database', name, {}, opts);
+        const project = pulumi.getProject();
+        const stack = pulumi.getStack();
         const argsWithDefaults = Object.assign({}, defaults, args);
         this.dbSubnetGroup = new aws.rds.SubnetGroup(`${name}-subnet-group`, {
             subnetIds: argsWithDefaults.vpc.privateSubnetIds,
@@ -36,6 +38,19 @@ class Database extends pulumi.ComponentResource {
             multiRegion: false,
             enableKeyRotation: true,
         }, { parent: this });
+        const password = argsWithDefaults.password ||
+            aws.secretsmanager
+                .getRandomPasswordOutput()
+                .apply(res => res.randomPassword);
+        if (!argsWithDefaults.password) {
+            this.passwordSecret = new aws.secretsmanager.Secret(`${name}-password-secret`, {
+                name: `${stack}/${project}/DatabasePassword`,
+            }, { parent: this });
+            const passwordSecretValue = new aws.secretsmanager.SecretVersion(`${name}-password-secret-value`, {
+                secretId: this.passwordSecret.id,
+                secretString: password,
+            }, { parent: this, dependsOn: [this.passwordSecret] });
+        }
         this.instance = new aws.rds.Instance(`${name}-rds`, {
             identifier: name,
             engine: 'postgres',
@@ -45,7 +60,7 @@ class Database extends pulumi.ComponentResource {
             instanceClass: argsWithDefaults.instanceClass,
             dbName: argsWithDefaults.dbName,
             username: argsWithDefaults.username,
-            password: argsWithDefaults.password,
+            password,
             dbSubnetGroupName: this.dbSubnetGroup.name,
             vpcSecurityGroupIds: [this.dbSecurityGroup.id],
             storageEncrypted: true,

package/dist/components/project.d.ts

@@ -27,7 +27,8 @@ export type StaticSiteService = {
 export type WebServerService = {
     type: 'WEB_SERVER';
     environment?: aws.ecs.KeyValuePair[] | ((services: Services) => aws.ecs.KeyValuePair[]);
-} & ServiceArgs & Omit<WebServerArgs, 'cluster' | 'vpc' | 'hostedZoneId' | 'environment'>;
+    secrets?: aws.ecs.Secret[] | ((services: Services) => aws.ecs.Secret[]);
+} & ServiceArgs & Omit<WebServerArgs, 'cluster' | 'vpc' | 'hostedZoneId' | 'environment' | 'secrets'>;
 export type ProjectArgs = {
     services: (DatabaseService | RedisService | StaticSiteService | WebServerService)[];
     hostedZoneId?: pulumi.Input<string>;

package/dist/components/project.js

@@ -110,11 +110,12 @@ class Project extends pulumi.ComponentResource {
             return;
         if (!this.hostedZoneId)
             throw new MissingHostedZoneId(options.type);
-        const { serviceName, environment } = options, ecsOptions = __rest(options, ["serviceName", "environment"]);
+        const { serviceName, environment, secrets } = options, ecsOptions = __rest(options, ["serviceName", "environment", "secrets"]);
         const parsedEnv = typeof environment === 'function'
             ? environment(this.services)
             : environment;
-        const service = new web_server_1.WebServer(serviceName, Object.assign(Object.assign({}, ecsOptions), { cluster: this.cluster, vpc: this.vpc, hostedZoneId: this.hostedZoneId, environment: parsedEnv }), { parent: this });
+        const parsedSecrets = typeof secrets === 'function' ? secrets(this.services) : secrets;
+        const service = new web_server_1.WebServer(serviceName, Object.assign(Object.assign({}, ecsOptions), { cluster: this.cluster, vpc: this.vpc, hostedZoneId: this.hostedZoneId, environment: parsedEnv, secrets: parsedSecrets }), { parent: this });
         this.services[options.serviceName] = service;
     }
 }

package/dist/components/redis.d.ts

@@ -1,5 +1,6 @@
 import * as pulumi from '@pulumi/pulumi';
 import * as upstash from '@upstash/pulumi';
+import * as aws from '@pulumi/aws';
 export type RedisArgs = {
     /**
      * Redis database name.
@@ -15,5 +16,7 @@ export interface RedisOptions extends pulumi.ComponentResourceOptions {
 }
 export declare class Redis extends pulumi.ComponentResource {
     instance: upstash.RedisDatabase;
+    passwordSecret: aws.secretsmanager.Secret;
+    username: string;
     constructor(name: string, args: RedisArgs, opts: RedisOptions);
 }

package/dist/components/redis.js

@@ -3,12 +3,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Redis = void 0;
 const pulumi = require("@pulumi/pulumi");
 const upstash = require("@upstash/pulumi");
+const aws = require("@pulumi/aws");
 const defaults = {
     region: 'us-east-1',
 };
 class Redis extends pulumi.ComponentResource {
     constructor(name, args, opts) {
         super('studion:Redis', name, {}, opts);
+        this.username = 'default';
+        const project = pulumi.getProject();
+        const stack = pulumi.getStack();
         const argsWithDefaults = Object.assign({}, defaults, args);
         this.instance = new upstash.RedisDatabase(name, {
             databaseName: argsWithDefaults.dbName,
@@ -16,6 +20,13 @@ class Redis extends pulumi.ComponentResource {
             eviction: true,
             tls: true,
         }, { provider: opts.provider, parent: this });
+        this.passwordSecret = new aws.secretsmanager.Secret(`${name}-password-secret`, {
+            name: `${stack}/${project}/RedisPassword`,
+        }, { parent: this, dependsOn: [this.instance] });
+        const passwordSecretValue = new aws.secretsmanager.SecretVersion(`${name}-password-secret-value`, {
+            secretId: this.passwordSecret.id,
+            secretString: this.instance.password,
+        }, { parent: this, dependsOn: [this.passwordSecret] });
         this.registerOutputs();
     }
 }

package/dist/components/static-site.js

@@ -12,7 +12,6 @@ class StaticSite extends pulumi.ComponentResource {
             hostedZoneId: args.hostedZoneId,
         }, { parent: this });
         const bucket = new aws.s3.Bucket(`${name}-bucket`, {
-            bucket: name,
             website: {
                 indexDocument: 'index.html',
                 errorDocument: 'index.html',

package/dist/components/web-server.d.ts

@@ -61,9 +61,16 @@ export type WebServerArgs = {
      */
     size?: pulumi.Input<Size>;
     /**
-     * The environment variables to pass to a container. Defaults to [].
+     * The environment variables to pass to a container. Don't use this field for
+     * sensitive information such as passwords, API keys, etc. For that purpose,
+     * please use the `secrets` property.
+     * Defaults to [].
      */
     environment?: aws.ecs.KeyValuePair[];
+    /**
+     * The secrets to pass to the container. Defaults to [].
+     */
+    secrets?: aws.ecs.Secret[];
     /**
      * Path for the health check request. Defaults to "/healtcheck".
      */

package/dist/components/web-server.js

@@ -26,6 +26,7 @@ const defaults = {
     maxCount: 10,
     size: 'small',
     environment: [],
+    secrets: [],
     healtCheckPath: '/healtcheck',
     taskExecutionRoleInlinePolicies: [],
     taskRoleInlinePolicies: [],
@@ -128,6 +129,20 @@ class WebServer extends pulumi.ComponentResource {
                 },
             ],
         }, { parent: this });
+        const secretManagerSecretsInlinePolicy = {
+            name: `${name}-secret-manager-access`,
+            policy: JSON.stringify({
+                Version: '2012-10-17',
+                Statement: [
+                    {
+                        Sid: 'AllowContainerToGetSecretManagerSecrets',
+                        Effect: 'Allow',
+                        Action: ['secretsmanager:GetSecretValue'],
+                        Resource: '*',
+                    },
+                ],
+            }),
+        };
         const taskExecutionRole = new aws.iam.Role(`${name}-ecs-task-exec-role`, {
             name: `${name}-ecs-task-exec-role`,
             assumeRolePolicy,
@@ -135,7 +150,10 @@ class WebServer extends pulumi.ComponentResource {
                 'arn:aws:iam::aws:policy/CloudWatchFullAccess',
                 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
             ],
-            inlinePolicies: argsWithDefaults.taskExecutionRoleInlinePolicies,
+            inlinePolicies: [
+                secretManagerSecretsInlinePolicy,
+                ...argsWithDefaults.taskExecutionRoleInlinePolicies,
+            ],
         }, { parent: this });
         const execCmdInlinePolicy = {
             name: `${name}-ecs-exec`,
@@ -191,10 +209,11 @@ class WebServer extends pulumi.ComponentResource {
                 argsWithDefaults.image,
                 argsWithDefaults.port,
                 argsWithDefaults.environment,
+                argsWithDefaults.secrets,
                 this.logGroup.name,
                 awsRegion,
             ])
-                .apply(([containerName, image, port, environment, logGroup, region]) => {
+                .apply(([containerName, image, port, environment, secrets, logGroup, region,]) => {
                 return JSON.stringify([
                     {
                         readonlyRootFilesystem: false,
@@ -216,6 +235,7 @@ class WebServer extends pulumi.ComponentResource {
                             },
                         },
                         environment,
+                        secrets,
                     },
                 ]);
             }),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@studion/infra-code-blocks",
-  "version": "0.0.8",
+  "version": "0.0.10",
   "description": "Studion common infra components",
   "keywords": [
     "infrastructure",