@ts-cloud/core 0.2.2 → 0.2.4

package/dist/modules/workflow.d.ts

@@ -0,0 +1,288 @@
+import type { StepFunctionsStateMachine, IAMRole } from '@ts-cloud/aws-types';
+import type { EnvironmentType } from '../types';
+export interface StateMachineOptions {
+    slug: string;
+    environment: EnvironmentType;
+    stateMachineName?: string;
+    type?: 'STANDARD' | 'EXPRESS';
+    definition: StateMachineDefinition;
+    roleArn?: string;
+    loggingConfiguration?: {
+        level: 'ALL' | 'ERROR' | 'FATAL' | 'OFF';
+        includeExecutionData?: boolean;
+        destinations?: string[];
+    };
+    tracingConfiguration?: {
+        enabled: boolean;
+    };
+}
+export interface StateMachineDefinition {
+    Comment?: string;
+    StartAt: string;
+    States: Record<string, State>;
+    TimeoutSeconds?: number;
+    Version?: string;
+}
+export type State = TaskState | PassState | WaitState | ChoiceState | ParallelState | MapState | SucceedState | FailState;
+export interface BaseState {
+    Type: 'Task' | 'Pass' | 'Wait' | 'Choice' | 'Parallel' | 'Map' | 'Succeed' | 'Fail';
+    Comment?: string;
+    End?: boolean;
+    Next?: string;
+}
+export interface TaskState extends BaseState {
+    Type: 'Task';
+    Resource: string;
+    Parameters?: Record<string, unknown>;
+    ResultPath?: string | null;
+    OutputPath?: string;
+    InputPath?: string;
+    TimeoutSeconds?: number;
+    HeartbeatSeconds?: number;
+    Retry?: RetryConfig[];
+    Catch?: CatchConfig[];
+}
+export interface PassState extends BaseState {
+    Type: 'Pass';
+    Result?: unknown;
+    ResultPath?: string | null;
+    Parameters?: Record<string, unknown>;
+}
+export interface WaitState extends BaseState {
+    Type: 'Wait';
+    Seconds?: number;
+    Timestamp?: string;
+    SecondsPath?: string;
+    TimestampPath?: string;
+}
+export interface ChoiceState extends BaseState {
+    Type: 'Choice';
+    Choices: ChoiceRule[];
+    Default?: string;
+}
+export interface ChoiceRule {
+    Variable: string;
+    StringEquals?: string;
+    StringLessThan?: string;
+    StringGreaterThan?: string;
+    NumericEquals?: number;
+    NumericLessThan?: number;
+    NumericGreaterThan?: number;
+    BooleanEquals?: boolean;
+    TimestampEquals?: string;
+    TimestampLessThan?: string;
+    TimestampGreaterThan?: string;
+    IsPresent?: boolean;
+    IsNull?: boolean;
+    IsNumeric?: boolean;
+    IsString?: boolean;
+    IsBoolean?: boolean;
+    IsTimestamp?: boolean;
+    Next: string;
+    And?: ChoiceRule[];
+    Or?: ChoiceRule[];
+    Not?: ChoiceRule;
+}
+export interface ParallelState extends BaseState {
+    Type: 'Parallel';
+    Branches: StateMachineDefinition[];
+    ResultPath?: string | null;
+    Retry?: RetryConfig[];
+    Catch?: CatchConfig[];
+}
+export interface MapState extends BaseState {
+    Type: 'Map';
+    ItemsPath?: string;
+    Iterator: StateMachineDefinition;
+    MaxConcurrency?: number;
+    ResultPath?: string | null;
+    Retry?: RetryConfig[];
+    Catch?: CatchConfig[];
+}
+export interface SucceedState extends BaseState {
+    Type: 'Succeed';
+}
+export interface FailState extends BaseState {
+    Type: 'Fail';
+    Error?: string;
+    Cause?: string;
+}
+export interface RetryConfig {
+    ErrorEquals: string[];
+    IntervalSeconds?: number;
+    MaxAttempts?: number;
+    BackoffRate?: number;
+}
+export interface CatchConfig {
+    ErrorEquals: string[];
+    Next: string;
+    ResultPath?: string;
+}
+/**
+ * Workflow Module - Step Functions
+ * Provides clean API for orchestrating distributed applications and microservices
+ */
+export declare class Workflow {
+    /**
+     * Create a Step Functions state machine
+     */
+    static createStateMachine(options: StateMachineOptions): {
+        stateMachine: StepFunctionsStateMachine;
+        logicalId: string;
+        role?: IAMRole;
+        roleLogicalId?: string;
+    };
+    /**
+     * Create a Lambda task state
+     */
+    static createLambdaTask(functionArn: string, options?: {
+        parameters?: Record<string, unknown>;
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): TaskState;
+    /**
+     * Create a DynamoDB task state
+     */
+    static createDynamoDBTask(action: 'GetItem' | 'PutItem' | 'UpdateItem' | 'DeleteItem', tableName: string, parameters: Record<string, unknown>, options?: {
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): TaskState;
+    /**
+     * Create an SNS publish task state
+     */
+    static createSNSPublishTask(topicArn: string, message: Record<string, unknown>, options?: {
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): TaskState;
+    /**
+     * Create an SQS send message task state
+     */
+    static createSQSSendMessageTask(queueUrl: string, messageBody: Record<string, unknown>, options?: {
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): TaskState;
+    /**
+     * Create a Pass state
+     */
+    static createPassState(options?: {
+        result?: unknown;
+        resultPath?: string | null;
+        parameters?: Record<string, unknown>;
+        next?: string;
+        end?: boolean;
+    }): PassState;
+    /**
+     * Create a Wait state
+     */
+    static createWaitState(options: {
+        seconds?: number;
+        timestamp?: string;
+        secondsPath?: string;
+        timestampPath?: string;
+        next?: string;
+        end?: boolean;
+    }): WaitState;
+    /**
+     * Create a Choice state
+     */
+    static createChoiceState(choices: ChoiceRule[], defaultState?: string): ChoiceState;
+    /**
+     * Create a Parallel state
+     */
+    static createParallelState(branches: StateMachineDefinition[], options?: {
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): ParallelState;
+    /**
+     * Create a Map state
+     */
+    static createMapState(iterator: StateMachineDefinition, options?: {
+        itemsPath?: string;
+        maxConcurrency?: number;
+        resultPath?: string | null;
+        retry?: RetryConfig[];
+        catch?: CatchConfig[];
+        next?: string;
+        end?: boolean;
+    }): MapState;
+    /**
+     * Create a Succeed state
+     */
+    static createSucceedState(): SucceedState;
+    /**
+     * Create a Fail state
+     */
+    static createFailState(error?: string, cause?: string): FailState;
+    /**
+     * Common retry configurations
+     */
+    static readonly RetryPolicies: {
+        /**
+         * Standard retry with exponential backoff
+         */
+        readonly standard: () => RetryConfig;
+        /**
+         * Aggressive retry for transient errors
+         */
+        readonly aggressive: () => RetryConfig;
+        /**
+         * Custom retry configuration
+         */
+        readonly custom: (errorEquals: string[], intervalSeconds: number, maxAttempts: number, backoffRate: number) => RetryConfig;
+    };
+    /**
+     * Common catch configurations
+     */
+    static readonly CatchPolicies: {
+        /**
+         * Catch all errors
+         */
+        readonly all: (nextState: string, resultPath?: string) => CatchConfig;
+        /**
+         * Catch specific errors
+         */
+        readonly specific: (errors: string[], nextState: string, resultPath?: string) => CatchConfig;
+    };
+    /**
+     * Common workflow patterns
+     */
+    static readonly Patterns: {
+        /**
+         * Simple sequential workflow
+         */
+        readonly sequential: (slug: string, environment: EnvironmentType, tasks: {
+            name: string;
+            state: State;
+        }[]) => StateMachineDefinition;
+        /**
+         * Fan-out workflow (parallel execution)
+         */
+        readonly fanout: (slug: string, environment: EnvironmentType, branches: {
+            name: string;
+            definition: StateMachineDefinition;
+        }[]) => StateMachineDefinition;
+        /**
+         * Map workflow (process array of items)
+         */
+        readonly map: (slug: string, environment: EnvironmentType, itemProcessor: StateMachineDefinition, maxConcurrency?: number) => StateMachineDefinition;
+        /**
+         * Error handling workflow
+         */
+        readonly withErrorHandling: (slug: string, environment: EnvironmentType, mainTask: TaskState, errorHandler: State) => StateMachineDefinition;
+    };
+}

package/dist/multi-account/config.d.ts

@@ -0,0 +1,166 @@
+/**
+ * Multi-Account Configuration
+ * Best practices and configuration for multi-account setups
+ */
+import type { AWSAccount, CrossAccountRole } from './manager';
+/**
+ * Account structure presets
+ */
+export interface AccountStructure {
+    name: string;
+    description: string;
+    accounts: AccountStructureDefinition[];
+    organizationalUnits?: OUDefinition[];
+}
+export interface AccountStructureDefinition {
+    alias: string;
+    email: string;
+    role: AWSAccount['role'];
+    ou?: string;
+    description: string;
+}
+export interface OUDefinition {
+    name: string;
+    parent?: string;
+    policies?: string[];
+}
+/**
+ * AWS best practices: Multi-account structure
+ * Based on AWS Well-Architected Framework
+ */
+export declare const RECOMMENDED_ACCOUNT_STRUCTURES: Record<string, AccountStructure>;
+/**
+ * Service Control Policies (SCPs) - AWS best practices
+ */
+export declare const RECOMMENDED_SCPS: {
+    denyRootAccess: {
+        name: string;
+        description: string;
+        policyDocument: {
+            Version: string;
+            Statement: readonly [{
+                readonly Sid: "DenyRootUser";
+                readonly Effect: "Deny";
+                readonly Action: "*";
+                readonly Resource: "*";
+                readonly Condition: {
+                    readonly StringLike: {
+                        readonly 'aws:PrincipalArn': "arn:aws:iam::*:root";
+                    };
+                };
+            }];
+        };
+    };
+    requireMFA: {
+        name: string;
+        description: string;
+        policyDocument: {
+            Version: string;
+            Statement: readonly [{
+                readonly Sid: "RequireMFA";
+                readonly Effect: "Deny";
+                readonly Action: "*";
+                readonly Resource: "*";
+                readonly Condition: {
+                    readonly BoolIfExists: {
+                        readonly 'aws:MultiFactorAuthPresent': "false";
+                    };
+                };
+            }];
+        };
+    };
+    denyRegions: {
+        name: string;
+        description: string;
+        policyDocument: {
+            Version: string;
+            Statement: readonly [{
+                readonly Sid: "DenyNonApprovedRegions";
+                readonly Effect: "Deny";
+                readonly NotAction: readonly ["iam:*", "organizations:*", "route53:*", "cloudfront:*", "support:*", "s3:*"];
+                readonly Resource: "*";
+                readonly Condition: {
+                    readonly StringNotEquals: {
+                        readonly 'aws:RequestedRegion': readonly ["us-east-1", "us-west-2"];
+                    };
+                };
+            }];
+        };
+    };
+    preventLeaving: {
+        name: string;
+        description: string;
+        policyDocument: {
+            Version: string;
+            Statement: readonly [{
+                readonly Sid: "PreventLeaving";
+                readonly Effect: "Deny";
+                readonly Action: "organizations:LeaveOrganization";
+                readonly Resource: "*";
+            }];
+        };
+    };
+    denyS3Unencrypted: {
+        name: string;
+        description: string;
+        policyDocument: {
+            Version: string;
+            Statement: readonly [{
+                readonly Sid: "DenyUnencryptedS3Uploads";
+                readonly Effect: "Deny";
+                readonly Action: "s3:PutObject";
+                readonly Resource: "*";
+                readonly Condition: {
+                    readonly StringNotEquals: {
+                        readonly 's3:x-amz-server-side-encryption': readonly ["AES256", "aws:kms"];
+                    };
+                };
+            }];
+        };
+    };
+};
+/**
+ * Common cross-account role configurations
+ */
+export declare const COMMON_CROSS_ACCOUNT_ROLES: {
+    deploymentRole: {
+        name: string;
+        description: string;
+        permissions: readonly ["cloudformation:*", "s3:*", "ec2:*", "ecs:*", "lambda:*", "iam:GetRole", "iam:PassRole", "logs:*", "events:*"];
+    };
+    readOnlyRole: {
+        name: string;
+        description: string;
+        permissions: readonly ["cloudformation:Describe*", "cloudformation:List*", "ec2:Describe*", "ecs:Describe*", "lambda:Get*", "lambda:List*", "s3:Get*", "s3:List*", "logs:Get*", "logs:Describe*"];
+    };
+    securityAuditRole: {
+        name: string;
+        description: string;
+        permissions: readonly ["iam:Get*", "iam:List*", "iam:Generate*", "access-analyzer:*", "guardduty:Get*", "guardduty:List*", "securityhub:Get*", "securityhub:List*", "config:Describe*", "config:Get*", "config:List*"];
+    };
+    breakGlassRole: {
+        name: string;
+        description: string;
+        permissions: readonly ["*"];
+    };
+};
+/**
+ * Get recommended account structure
+ */
+export declare function getRecommendedStructure(size: 'basic' | 'standard' | 'enterprise'): AccountStructure;
+/**
+ * Generate cross-account role CloudFormation
+ */
+export declare function generateCrossAccountRoleCF(role: CrossAccountRole, managedPolicies?: string[]): any;
+/**
+ * Validate account structure
+ */
+export declare function validateAccountStructure(structure: AccountStructure): {
+    valid: boolean;
+    errors: string[];
+    warnings: string[];
+};
+/**
+ * Format account structure for display
+ */
+export declare function formatAccountStructure(structure: AccountStructure): string;

package/dist/multi-account/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Multi-Account Support
+ * Manage deployments across multiple AWS accounts
+ */
+export * from './manager';
+export * from './config';

package/dist/multi-account/manager.d.ts

@@ -0,0 +1,181 @@
+/**
+ * Multi-Account Manager
+ * Manages deployments across multiple AWS accounts
+ */
+export interface AWSAccount {
+    id: string;
+    alias?: string;
+    email: string;
+    role: 'management' | 'production' | 'staging' | 'development' | 'security' | 'shared-services';
+    organizationalUnit?: string;
+    assumeRoleArn?: string;
+}
+export interface CrossAccountRole {
+    roleArn: string;
+    roleName: string;
+    sourceAccountId: string;
+    targetAccountId: string;
+    permissions: string[];
+    externalId?: string;
+    sessionDuration?: number;
+}
+export interface AccountMapping {
+    environment: string;
+    accountId: string;
+    region: string;
+}
+/**
+ * Multi-account deployment manager
+ */
+export declare class MultiAccountManager {
+    private accounts;
+    private crossAccountRoles;
+    private accountMappings;
+    /**
+     * Register an AWS account
+     */
+    registerAccount(account: AWSAccount): void;
+    /**
+     * Get account by ID
+     */
+    getAccount(accountId: string): AWSAccount | undefined;
+    /**
+     * Get account by alias
+     */
+    getAccountByAlias(alias: string): AWSAccount | undefined;
+    /**
+     * List all accounts
+     */
+    listAccounts(): AWSAccount[];
+    /**
+     * Get accounts by role
+     */
+    getAccountsByRole(role: AWSAccount['role']): AWSAccount[];
+    /**
+     * Create cross-account role for deployment
+     */
+    createCrossAccountRole(sourceAccountId: string, targetAccountId: string, roleName: string, permissions: string[], options?: {
+        externalId?: string;
+        sessionDuration?: number;
+    }): CrossAccountRole;
+    /**
+     * Get assume role policy document
+     */
+    getAssumeRolePolicyDocument(sourceAccountId: string, externalId?: string): any;
+    /**
+     * Generate IAM policy for cross-account access
+     */
+    generateCrossAccountPolicy(permissions: string[]): any;
+    /**
+     * Map environment to account
+     */
+    mapEnvironmentToAccount(environment: string, accountId: string, region: string): void;
+    /**
+     * Get account for environment
+     */
+    getAccountForEnvironment(environment: string): AccountMapping | undefined;
+    /**
+     * Assume role in target account
+     */
+    assumeRole(roleArn: string, sessionName: string, externalId?: string): Promise<{
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken: string;
+        expiration: Date;
+    }>;
+    /**
+     * Get credentials for account
+     */
+    getCredentialsForAccount(accountId: string): Promise<{
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+    }>;
+    /**
+     * List cross-account roles
+     */
+    listCrossAccountRoles(): CrossAccountRole[];
+    /**
+     * Get cross-account roles for account
+     */
+    getCrossAccountRolesForAccount(accountId: string): CrossAccountRole[];
+    /**
+     * Validate account access
+     */
+    validateAccountAccess(accountId: string): Promise<boolean>;
+    /**
+     * Get consolidated billing summary
+     */
+    getConsolidatedBilling(): Promise<{
+        totalCost: number;
+        byAccount: Record<string, number>;
+    }>;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+/**
+ * AWS Organizations helper
+ */
+export declare class OrganizationManager {
+    private organizationId?;
+    private organizationalUnits;
+    /**
+     * Get organization ID
+     */
+    getOrganizationId(): string | undefined;
+    /**
+     * Set organization ID
+     */
+    setOrganizationId(id: string): void;
+    /**
+     * Create organizational unit
+     */
+    createOrganizationalUnit(name: string, parentId?: string): OrganizationalUnit;
+    /**
+     * Get organizational unit
+     */
+    getOrganizationalUnit(id: string): OrganizationalUnit | undefined;
+    /**
+     * List organizational units
+     */
+    listOrganizationalUnits(): OrganizationalUnit[];
+    /**
+     * Add account to organizational unit
+     */
+    addAccountToOU(ouId: string, accountId: string): void;
+    /**
+     * Remove account from organizational unit
+     */
+    removeAccountFromOU(ouId: string, accountId: string): void;
+    /**
+     * Get accounts in organizational unit
+     */
+    getAccountsInOU(ouId: string): string[];
+    /**
+     * Apply service control policy
+     */
+    applyServiceControlPolicy(targetId: string, policyDocument: any): ServiceControlPolicy;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+export interface OrganizationalUnit {
+    id: string;
+    name: string;
+    parentId?: string;
+    accounts: string[];
+}
+export interface ServiceControlPolicy {
+    id: string;
+    name: string;
+    targetId: string;
+    policyDocument: any;
+}
+/**
+ * Global instances
+ */
+export declare const multiAccountManager: MultiAccountManager;
+export declare const organizationManager: OrganizationManager;