@webiny/project-aws 0.0.0-unstable.3c5210ad37

package/pulumi/apps/syncSystem/SyncSystemResolverLambda.js

@@ -0,0 +1,73 @@
+import path from "path";
+import * as aws from "@pulumi/aws";
+import { createAppModule } from "@webiny/pulumi";
+import { createLambdaRoleWithoutVpc } from "../lambdaUtils.js";
+import { LAMBDA_RUNTIME } from "../../constants.js";
+import { createSyncSystemResolverLambdaPolicy } from "./lambda/createSyncSystemResolverLambdaPolicy.js";
+import { createSyncResourceName } from "./createSyncResourceName.js";
+import { createAssetArchive } from "../../utils/createAssetArchive.js";
+import { SyncSystemSQS } from "./SyncSystemSQS.js";
+import { SyncSystemDynamoDb } from "./SyncSystemDynamoDb.js";
+import { SyncSystemWorkerLambda } from "./SyncSystemWorkerLambda.js";
+export const SyncSystemResolverLambda = createAppModule({
+  name: "SyncSystemResolverLambda",
+  config(app) {
+    const {
+      sqsQueue
+    } = app.getModule(SyncSystemSQS);
+    const dynamoDb = app.getModule(SyncSystemDynamoDb);
+    const {
+      lambda: workerLambda
+    } = app.getModule(SyncSystemWorkerLambda);
+    const roleName = createSyncResourceName("resolver-lambda-role");
+    const policy = createSyncSystemResolverLambdaPolicy({
+      name: `${roleName}-policy`,
+      app
+    });
+    const role = createLambdaRoleWithoutVpc(app, {
+      name: roleName,
+      policy: policy.output
+    });
+    const lambda = app.addResource(aws.lambda.Function, {
+      name: createSyncResourceName("resolver-lambda"),
+      config: {
+        runtime: LAMBDA_RUNTIME,
+        handler: "handler.handler",
+        role: role.output.arn,
+        timeout: 900,
+        memorySize: 512,
+        code: createAssetArchive(path.join(app.paths.workspace, "resolver/build")),
+        environment: {
+          variables: {
+            DB_TABLE: dynamoDb.output.name,
+            AWS_SYNC_WORKER_LAMBDA_ARN: workerLambda.output.arn,
+            DEBUG: String(process.env.DEBUG),
+            PULUMI_APPS: "true",
+            AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
+          }
+        },
+        loggingConfig: {
+          logFormat: "JSON"
+        }
+      }
+    });
+    const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {
+      name: createSyncResourceName("sqs-to-resolver-lambda"),
+      config: {
+        enabled: true,
+        eventSourceArn: sqsQueue.output.arn,
+        functionName: lambda.output.arn,
+        batchSize: 1
+        // maximumBatchingWindowInSeconds: 2
+      }
+    });
+    return {
+      role,
+      policy,
+      lambda,
+      eventSourceMapping
+    };
+  }
+});
+
+//# sourceMappingURL=SyncSystemResolverLambda.js.map

package/pulumi/apps/syncSystem/SyncSystemResolverLambda.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["path","aws","createAppModule","createLambdaRoleWithoutVpc","LAMBDA_RUNTIME","createSyncSystemResolverLambdaPolicy","createSyncResourceName","createAssetArchive","SyncSystemSQS","SyncSystemDynamoDb","SyncSystemWorkerLambda","SyncSystemResolverLambda","name","config","app","sqsQueue","getModule","dynamoDb","lambda","workerLambda","roleName","policy","role","output","addResource","Function","runtime","handler","arn","timeout","memorySize","code","join","paths","workspace","environment","variables","DB_TABLE","AWS_SYNC_WORKER_LAMBDA_ARN","DEBUG","String","process","env","PULUMI_APPS","AWS_NODEJS_CONNECTION_REUSE_ENABLED","loggingConfig","logFormat","eventSourceMapping","EventSourceMapping","enabled","eventSourceArn","functionName","batchSize"],"sources":["SyncSystemResolverLambda.ts"],"sourcesContent":["import path from \"path\";\nimport * as aws from \"@pulumi/aws\";\nimport type { PulumiApp, PulumiAppModule } from \"@webiny/pulumi\";\nimport { createAppModule } from \"@webiny/pulumi\";\nimport { createLambdaRoleWithoutVpc } from \"../lambdaUtils.js\";\nimport { LAMBDA_RUNTIME } from \"~/pulumi/constants.js\";\nimport { createSyncSystemResolverLambdaPolicy } from \"./lambda/createSyncSystemResolverLambdaPolicy.js\";\nimport { createSyncResourceName } from \"./createSyncResourceName.js\";\nimport { createAssetArchive } from \"~/pulumi/utils/createAssetArchive.js\";\nimport { SyncSystemSQS } from \"./SyncSystemSQS.js\";\nimport { SyncSystemDynamoDb } from \"~/pulumi/apps/syncSystem/SyncSystemDynamoDb.js\";\nimport { SyncSystemWorkerLambda } from \"~/pulumi/apps/syncSystem/SyncSystemWorkerLambda.js\";\n\nexport type SyncSystemResolverLambda = PulumiAppModule<typeof SyncSystemResolverLambda>;\n\nexport const SyncSystemResolverLambda = createAppModule({\n    name: \"SyncSystemResolverLambda\",\n    config(app: PulumiApp) {\n        const { sqsQueue } = app.getModule(SyncSystemSQS);\n        const dynamoDb = app.getModule(SyncSystemDynamoDb);\n\n        const { lambda: workerLambda } = app.getModule(SyncSystemWorkerLambda);\n\n        const roleName = createSyncResourceName(\"resolver-lambda-role\");\n        const policy = createSyncSystemResolverLambdaPolicy({\n            name: `${roleName}-policy`,\n            app\n        });\n        const role = createLambdaRoleWithoutVpc(app, {\n            name: roleName,\n            policy: policy.output\n        });\n\n        const lambda = app.addResource(aws.lambda.Function, {\n            name: createSyncResourceName(\"resolver-lambda\"),\n            config: {\n                runtime: LAMBDA_RUNTIME,\n                handler: \"handler.handler\",\n                role: role.output.arn,\n                timeout: 900,\n                memorySize: 512,\n                code: createAssetArchive(path.join(app.paths.workspace, \"resolver/build\")),\n                environment: {\n                    variables: {\n                        DB_TABLE: dynamoDb.output.name,\n                        AWS_SYNC_WORKER_LAMBDA_ARN: workerLambda.output.arn,\n                        DEBUG: String(process.env.DEBUG),\n                        PULUMI_APPS: \"true\",\n                        AWS_NODEJS_CONNECTION_REUSE_ENABLED: \"1\"\n                    }\n                },\n                loggingConfig: {\n                    logFormat: \"JSON\"\n                }\n            }\n        });\n\n        const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {\n            name: createSyncResourceName(\"sqs-to-resolver-lambda\"),\n            config: {\n                enabled: true,\n                eventSourceArn: sqsQueue.output.arn,\n                functionName: lambda.output.arn,\n                batchSize: 1\n                // maximumBatchingWindowInSeconds: 2\n            }\n        });\n\n        return {\n            role,\n            policy,\n            lambda,\n            eventSourceMapping\n        };\n    }\n});\n"],"mappings":"AAAA,OAAOA,IAAI,MAAM,MAAM;AACvB,OAAO,KAAKC,GAAG,MAAM,aAAa;AAElC,SAASC,eAAe,QAAQ,gBAAgB;AAChD,SAASC,0BAA0B;AACnC,SAASC,cAAc;AACvB,SAASC,oCAAoC;AAC7C,SAASC,sBAAsB;AAC/B,SAASC,kBAAkB;AAC3B,SAASC,aAAa;AACtB,SAASC,kBAAkB;AAC3B,SAASC,sBAAsB;AAI/B,OAAO,MAAMC,wBAAwB,GAAGT,eAAe,CAAC;EACpDU,IAAI,EAAE,0BAA0B;EAChCC,MAAMA,CAACC,GAAc,EAAE;IACnB,MAAM;MAAEC;IAAS,CAAC,GAAGD,GAAG,CAACE,SAAS,CAACR,aAAa,CAAC;IACjD,MAAMS,QAAQ,GAAGH,GAAG,CAACE,SAAS,CAACP,kBAAkB,CAAC;IAElD,MAAM;MAAES,MAAM,EAAEC;IAAa,CAAC,GAAGL,GAAG,CAACE,SAAS,CAACN,sBAAsB,CAAC;IAEtE,MAAMU,QAAQ,GAAGd,sBAAsB,CAAC,sBAAsB,CAAC;IAC/D,MAAMe,MAAM,GAAGhB,oCAAoC,CAAC;MAChDO,IAAI,EAAE,GAAGQ,QAAQ,SAAS;MAC1BN;IACJ,CAAC,CAAC;IACF,MAAMQ,IAAI,GAAGnB,0BAA0B,CAACW,GAAG,EAAE;MACzCF,IAAI,EAAEQ,QAAQ;MACdC,MAAM,EAAEA,MAAM,CAACE;IACnB,CAAC,CAAC;IAEF,MAAML,MAAM,GAAGJ,GAAG,CAACU,WAAW,CAACvB,GAAG,CAACiB,MAAM,CAACO,QAAQ,EAAE;MAChDb,IAAI,EAAEN,sBAAsB,CAAC,iBAAiB,CAAC;MAC/CO,MAAM,EAAE;QACJa,OAAO,EAAEtB,cAAc;QACvBuB,OAAO,EAAE,iBAAiB;QAC1BL,IAAI,EAAEA,IAAI,CAACC,MAAM,CAACK,GAAG;QACrBC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,GAAG;QACfC,IAAI,EAAExB,kBAAkB,CAACP,IAAI,CAACgC,IAAI,CAAClB,GAAG,CAACmB,KAAK,CAACC,SAAS,EAAE,gBAAgB,CAAC,CAAC;QAC1EC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,QAAQ,EAAEpB,QAAQ,CAACM,MAAM,CAACX,IAAI;YAC9B0B,0BAA0B,EAAEnB,YAAY,CAACI,MAAM,CAACK,GAAG;YACnDW,KAAK,EAAEC,MAAM,CAACC,OAAO,CAACC,GAAG,CAACH,KAAK,CAAC;YAChCI,WAAW,EAAE,MAAM;YACnBC,mCAAmC,EAAE;UACzC;QACJ,CAAC;QACDC,aAAa,EAAE;UACXC,SAAS,EAAE;QACf;MACJ;IACJ,CAAC,CAAC;IAEF,MAAMC,kBAAkB,GAAGjC,GAAG,CAACU,WAAW,CAACvB,GAAG,CAACiB,MAAM,CAAC8B,kBAAkB,EAAE;MACtEpC,IAAI,EAAEN,sBAAsB,CAAC,wBAAwB,CAAC;MACtDO,MAAM,EAAE;QACJoC,OAAO,EAAE,IAAI;QACbC,cAAc,EAAEnC,QAAQ,CAACQ,MAAM,CAACK,GAAG;QACnCuB,YAAY,EAAEjC,MAAM,CAACK,MAAM,CAACK,GAAG;QAC/BwB,SAAS,EAAE;QACX;MACJ;IACJ,CAAC,CAAC;IAEF,OAAO;MACH9B,IAAI;MACJD,MAAM;MACNH,MAAM;MACN6B;IACJ,CAAC;EACL;AACJ,CAAC,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/SyncSystemSQS.d.ts

@@ -0,0 +1,3 @@
+export declare const SyncSystemSQS: import("@webiny/pulumi").PulumiAppModuleDefinition<{
+    sqsQueue: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/sqs/queue.js").Queue>;
+}, void>;

package/pulumi/apps/syncSystem/SyncSystemSQS.js

@@ -0,0 +1,54 @@
+import * as aws from "@pulumi/aws";
+import { createAppModule } from "@webiny/pulumi";
+import { createSyncResourceName } from "./createSyncResourceName.js";
+export const SyncSystemSQS = createAppModule({
+  name: "SyncSystemSQS",
+  config: app => {
+    const config = {
+      /**
+       * We must name the SQS queue with a ".fifo" suffix to enable FIFO functionality.
+       * If we add .fifo to a resource name, it will fail because pulumi adds some random generated id + .fifo to the end of the name.
+       * ... and there cannot be two .fifo in the name.
+       */
+      name: `${createSyncResourceName("sqs")}.fifo`,
+      delaySeconds: 0,
+      /**
+       * 5 minutes should be enough for the message to be processed.
+       */
+      visibilityTimeoutSeconds: 900,
+      fifoQueue: true,
+      receiveWaitTimeSeconds: 0,
+      deduplicationScope: "queue",
+      /**
+       * The maximum message size is 256 KB.
+       * Chunks are billed in 64KB increments, so let's keep the message size below that.
+       */
+      maxMessageSize: 60 * 1024,
+      // KB
+      /**
+       * How log do we keep the message in the queue?
+       */
+      messageRetentionSeconds: 4 /* days */ * 24 * 60 * 60,
+      /**
+       * No need to encrypt the message as nothing outside the system can actually read it.
+       */
+      sqsManagedSseEnabled: false,
+      /**
+       * We want to make sure that no message is sent more than once.
+       *
+       * TODO: determine if the criteria by which will we create a hash for the ID.
+       * TODO: must set "MessageDeduplicationId" property when creating the message.
+       */
+      contentBasedDeduplication: true
+    };
+    const sqsQueue = app.addResource(aws.sqs.Queue, {
+      name: `${createSyncResourceName("sqs")}`,
+      config
+    });
+    return {
+      sqsQueue
+    };
+  }
+});
+
+//# sourceMappingURL=SyncSystemSQS.js.map

package/pulumi/apps/syncSystem/SyncSystemSQS.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["aws","createAppModule","createSyncResourceName","SyncSystemSQS","name","config","app","delaySeconds","visibilityTimeoutSeconds","fifoQueue","receiveWaitTimeSeconds","deduplicationScope","maxMessageSize","messageRetentionSeconds","sqsManagedSseEnabled","contentBasedDeduplication","sqsQueue","addResource","sqs","Queue"],"sources":["SyncSystemSQS.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport type { QueueArgs } from \"@pulumi/aws/sqs/index.js\";\nimport type { PulumiApp } from \"@webiny/pulumi\";\nimport { createAppModule } from \"@webiny/pulumi\";\nimport { createSyncResourceName } from \"./createSyncResourceName.js\";\n\nexport const SyncSystemSQS = createAppModule({\n    name: \"SyncSystemSQS\",\n    config: (app: PulumiApp) => {\n        const config: QueueArgs = {\n            /**\n             * We must name the SQS queue with a \".fifo\" suffix to enable FIFO functionality.\n             * If we add .fifo to a resource name, it will fail because pulumi adds some random generated id + .fifo to the end of the name.\n             * ... and there cannot be two .fifo in the name.\n             */\n            name: `${createSyncResourceName(\"sqs\")}.fifo`,\n            delaySeconds: 0,\n            /**\n             * 5 minutes should be enough for the message to be processed.\n             */\n            visibilityTimeoutSeconds: 900,\n            fifoQueue: true,\n            receiveWaitTimeSeconds: 0,\n            deduplicationScope: \"queue\",\n            /**\n             * The maximum message size is 256 KB.\n             * Chunks are billed in 64KB increments, so let's keep the message size below that.\n             */\n            maxMessageSize: 60 * 1024, // KB\n            /**\n             * How log do we keep the message in the queue?\n             */\n            messageRetentionSeconds: 4 /* days */ * 24 * 60 * 60,\n            /**\n             * No need to encrypt the message as nothing outside the system can actually read it.\n             */\n            sqsManagedSseEnabled: false,\n            /**\n             * We want to make sure that no message is sent more than once.\n             *\n             * TODO: determine if the criteria by which will we create a hash for the ID.\n             * TODO: must set \"MessageDeduplicationId\" property when creating the message.\n             */\n            contentBasedDeduplication: true\n        };\n\n        const sqsQueue = app.addResource(aws.sqs.Queue, {\n            name: `${createSyncResourceName(\"sqs\")}`,\n            config\n        });\n\n        return {\n            sqsQueue\n        };\n    }\n});\n"],"mappings":"AAAA,OAAO,KAAKA,GAAG,MAAM,aAAa;AAGlC,SAASC,eAAe,QAAQ,gBAAgB;AAChD,SAASC,sBAAsB;AAE/B,OAAO,MAAMC,aAAa,GAAGF,eAAe,CAAC;EACzCG,IAAI,EAAE,eAAe;EACrBC,MAAM,EAAGC,GAAc,IAAK;IACxB,MAAMD,MAAiB,GAAG;MACtB;AACZ;AACA;AACA;AACA;MACYD,IAAI,EAAE,GAAGF,sBAAsB,CAAC,KAAK,CAAC,OAAO;MAC7CK,YAAY,EAAE,CAAC;MACf;AACZ;AACA;MACYC,wBAAwB,EAAE,GAAG;MAC7BC,SAAS,EAAE,IAAI;MACfC,sBAAsB,EAAE,CAAC;MACzBC,kBAAkB,EAAE,OAAO;MAC3B;AACZ;AACA;AACA;MACYC,cAAc,EAAE,EAAE,GAAG,IAAI;MAAE;MAC3B;AACZ;AACA;MACYC,uBAAuB,EAAE,CAAC,CAAC,aAAa,EAAE,GAAG,EAAE,GAAG,EAAE;MACpD;AACZ;AACA;MACYC,oBAAoB,EAAE,KAAK;MAC3B;AACZ;AACA;AACA;AACA;AACA;MACYC,yBAAyB,EAAE;IAC/B,CAAC;IAED,MAAMC,QAAQ,GAAGV,GAAG,CAACW,WAAW,CAACjB,GAAG,CAACkB,GAAG,CAACC,KAAK,EAAE;MAC5Cf,IAAI,EAAE,GAAGF,sBAAsB,CAAC,KAAK,CAAC,EAAE;MACxCG;IACJ,CAAC,CAAC;IAEF,OAAO;MACHW;IACJ,CAAC;EACL;AACJ,CAAC,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/SyncSystemWorkerLambda.d.ts

@@ -0,0 +1,7 @@
+import type { PulumiAppModule } from "@webiny/pulumi";
+export type SyncSystemWorkerLambda = PulumiAppModule<typeof SyncSystemWorkerLambda>;
+export declare const SyncSystemWorkerLambda: import("@webiny/pulumi").PulumiAppModuleDefinition<{
+    role: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/role.js").Role>;
+    policy: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment.js").RolePolicyAttachment>;
+    lambda: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/lambda/function.js").Function>;
+}, void>;

package/pulumi/apps/syncSystem/SyncSystemWorkerLambda.js

@@ -0,0 +1,52 @@
+import path from "path";
+import * as aws from "@pulumi/aws";
+import { createAppModule } from "@webiny/pulumi";
+import { LAMBDA_RUNTIME } from "../../constants.js";
+import { createSyncResourceName } from "./createSyncResourceName.js";
+import { createAssetArchive } from "../../utils/createAssetArchive.js";
+import { createLambdaRoleWithoutVpc } from "../lambdaUtils.js";
+export const SyncSystemWorkerLambda = createAppModule({
+  name: "SyncSystemWorkerLambda",
+  config(app) {
+    const lambdaName = createSyncResourceName("worker-lambda");
+    const roleName = `${lambdaName}-role`;
+    const role = createLambdaRoleWithoutVpc(app, {
+      name: roleName
+    });
+    const policy = app.addResource(aws.iam.RolePolicyAttachment, {
+      name: `${roleName}-policy-attachment`,
+      config: {
+        role: role.output.name,
+        policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole
+      }
+    });
+    const lambda = app.addResource(aws.lambda.Function, {
+      name: lambdaName,
+      config: {
+        runtime: LAMBDA_RUNTIME,
+        handler: "handler.handler",
+        role: role.output.arn,
+        timeout: 900,
+        memorySize: 512,
+        code: createAssetArchive(path.join(app.paths.workspace, "worker/build")),
+        environment: {
+          variables: {
+            DEBUG: String(process.env.DEBUG),
+            PULUMI_APPS: "true",
+            AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
+          }
+        },
+        loggingConfig: {
+          logFormat: "JSON"
+        }
+      }
+    });
+    return {
+      role,
+      policy,
+      lambda
+    };
+  }
+});
+
+//# sourceMappingURL=SyncSystemWorkerLambda.js.map

package/pulumi/apps/syncSystem/SyncSystemWorkerLambda.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["path","aws","createAppModule","LAMBDA_RUNTIME","createSyncResourceName","createAssetArchive","createLambdaRoleWithoutVpc","SyncSystemWorkerLambda","name","config","app","lambdaName","roleName","role","policy","addResource","iam","RolePolicyAttachment","output","policyArn","ManagedPolicy","AWSLambdaBasicExecutionRole","lambda","Function","runtime","handler","arn","timeout","memorySize","code","join","paths","workspace","environment","variables","DEBUG","String","process","env","PULUMI_APPS","AWS_NODEJS_CONNECTION_REUSE_ENABLED","loggingConfig","logFormat"],"sources":["SyncSystemWorkerLambda.ts"],"sourcesContent":["import path from \"path\";\nimport * as aws from \"@pulumi/aws\";\nimport type { PulumiApp, PulumiAppModule } from \"@webiny/pulumi\";\nimport { createAppModule } from \"@webiny/pulumi\";\nimport { LAMBDA_RUNTIME } from \"~/pulumi/constants.js\";\nimport { createSyncResourceName } from \"./createSyncResourceName.js\";\nimport { createAssetArchive } from \"~/pulumi/utils/createAssetArchive.js\";\nimport { createLambdaRoleWithoutVpc } from \"~/pulumi/apps/lambdaUtils.js\";\n\nexport type SyncSystemWorkerLambda = PulumiAppModule<typeof SyncSystemWorkerLambda>;\n\nexport const SyncSystemWorkerLambda = createAppModule({\n    name: \"SyncSystemWorkerLambda\",\n    config(app: PulumiApp) {\n        const lambdaName = createSyncResourceName(\"worker-lambda\");\n        const roleName = `${lambdaName}-role`;\n\n        const role = createLambdaRoleWithoutVpc(app, {\n            name: roleName\n        });\n\n        const policy = app.addResource(aws.iam.RolePolicyAttachment, {\n            name: `${roleName}-policy-attachment`,\n            config: {\n                role: role.output.name,\n                policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole\n            }\n        });\n\n        const lambda = app.addResource(aws.lambda.Function, {\n            name: lambdaName,\n            config: {\n                runtime: LAMBDA_RUNTIME,\n                handler: \"handler.handler\",\n                role: role.output.arn,\n                timeout: 900,\n                memorySize: 512,\n                code: createAssetArchive(path.join(app.paths.workspace, \"worker/build\")),\n                environment: {\n                    variables: {\n                        DEBUG: String(process.env.DEBUG),\n                        PULUMI_APPS: \"true\",\n                        AWS_NODEJS_CONNECTION_REUSE_ENABLED: \"1\"\n                    }\n                },\n                loggingConfig: {\n                    logFormat: \"JSON\"\n                }\n            }\n        });\n\n        return {\n            role,\n            policy,\n            lambda\n        };\n    }\n});\n"],"mappings":"AAAA,OAAOA,IAAI,MAAM,MAAM;AACvB,OAAO,KAAKC,GAAG,MAAM,aAAa;AAElC,SAASC,eAAe,QAAQ,gBAAgB;AAChD,SAASC,cAAc;AACvB,SAASC,sBAAsB;AAC/B,SAASC,kBAAkB;AAC3B,SAASC,0BAA0B;AAInC,OAAO,MAAMC,sBAAsB,GAAGL,eAAe,CAAC;EAClDM,IAAI,EAAE,wBAAwB;EAC9BC,MAAMA,CAACC,GAAc,EAAE;IACnB,MAAMC,UAAU,GAAGP,sBAAsB,CAAC,eAAe,CAAC;IAC1D,MAAMQ,QAAQ,GAAG,GAAGD,UAAU,OAAO;IAErC,MAAME,IAAI,GAAGP,0BAA0B,CAACI,GAAG,EAAE;MACzCF,IAAI,EAAEI;IACV,CAAC,CAAC;IAEF,MAAME,MAAM,GAAGJ,GAAG,CAACK,WAAW,CAACd,GAAG,CAACe,GAAG,CAACC,oBAAoB,EAAE;MACzDT,IAAI,EAAE,GAAGI,QAAQ,oBAAoB;MACrCH,MAAM,EAAE;QACJI,IAAI,EAAEA,IAAI,CAACK,MAAM,CAACV,IAAI;QACtBW,SAAS,EAAElB,GAAG,CAACe,GAAG,CAACI,aAAa,CAACC;MACrC;IACJ,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAGZ,GAAG,CAACK,WAAW,CAACd,GAAG,CAACqB,MAAM,CAACC,QAAQ,EAAE;MAChDf,IAAI,EAAEG,UAAU;MAChBF,MAAM,EAAE;QACJe,OAAO,EAAErB,cAAc;QACvBsB,OAAO,EAAE,iBAAiB;QAC1BZ,IAAI,EAAEA,IAAI,CAACK,MAAM,CAACQ,GAAG;QACrBC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,GAAG;QACfC,IAAI,EAAExB,kBAAkB,CAACL,IAAI,CAAC8B,IAAI,CAACpB,GAAG,CAACqB,KAAK,CAACC,SAAS,EAAE,cAAc,CAAC,CAAC;QACxEC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,KAAK,EAAEC,MAAM,CAACC,OAAO,CAACC,GAAG,CAACH,KAAK,CAAC;YAChCI,WAAW,EAAE,MAAM;YACnBC,mCAAmC,EAAE;UACzC;QACJ,CAAC;QACDC,aAAa,EAAE;UACXC,SAAS,EAAE;QACf;MACJ;IACJ,CAAC,CAAC;IAEF,OAAO;MACH7B,IAAI;MACJC,MAAM;MACNQ;IACJ,CAAC;EACL;AACJ,CAAC,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/addTableItems.d.ts

@@ -0,0 +1,8 @@
+import type { PulumiApp } from "@webiny/pulumi";
+import type { SyncSystemDynamo } from "./SyncSystemDynamo.js";
+export interface IAddTableItemsParams {
+    app: PulumiApp;
+    table: SyncSystemDynamo;
+    items: Record<string, string | number | Record<string, string>>;
+}
+export declare const addTableItems: (params: IAddTableItemsParams) => void;

package/pulumi/apps/syncSystem/addTableItems.js

@@ -0,0 +1,51 @@
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+export const addTableItems = params => {
+  const {
+    app,
+    table,
+    items
+  } = params;
+  /**
+   * Store some settings in the table.
+   */
+  app.addResource(aws.dynamodb.TableItem, {
+    name: "syncSystemSettings",
+    config: {
+      tableName: table.output.arn,
+      hashKey: table.output.hashKey,
+      rangeKey: pulumi.output(table.output.rangeKey).apply(key => key || "SK"),
+      item: pulumi.interpolate`{
+              ${buildTableItems({
+        PK: "syncSystem#SETTINGS",
+        SK: "default",
+        ...items
+      })}
+            }`
+    }
+  });
+};
+const getTableItemType = value => {
+  if (value === null || value === undefined) {
+    return "S";
+  }
+  switch (typeof value) {
+    case "string":
+      return "S";
+    case "number":
+      return "N";
+    case "object":
+      return "M";
+    default:
+      throw new Error(`Unsupported type: ${typeof value}`);
+  }
+};
+const buildTableItems = items => {
+  return Object.keys(items).reduce((output, key) => {
+    const value = items[key];
+    output.push(`"${key}": {"${getTableItemType(value)}": "${value}"}`);
+    return output;
+  }, []).join(",");
+};
+
+//# sourceMappingURL=addTableItems.js.map

package/pulumi/apps/syncSystem/addTableItems.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["aws","pulumi","addTableItems","params","app","table","items","addResource","dynamodb","TableItem","name","config","tableName","output","arn","hashKey","rangeKey","apply","key","item","interpolate","buildTableItems","PK","SK","getTableItemType","value","undefined","Error","Object","keys","reduce","push","join"],"sources":["addTableItems.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport type { PulumiApp } from \"@webiny/pulumi\";\nimport type { SyncSystemDynamo } from \"./SyncSystemDynamo.js\";\n\nexport interface IAddTableItemsParams {\n    app: PulumiApp;\n    table: SyncSystemDynamo;\n    items: Record<string, string | number | Record<string, string>>;\n}\n\nexport const addTableItems = (params: IAddTableItemsParams): void => {\n    const { app, table, items } = params;\n    /**\n     * Store some settings in the table.\n     */\n    app.addResource(aws.dynamodb.TableItem, {\n        name: \"syncSystemSettings\",\n        config: {\n            tableName: table.output.arn,\n            hashKey: table.output.hashKey,\n            rangeKey: pulumi.output(table.output.rangeKey).apply(key => key || \"SK\"),\n            item: pulumi.interpolate`{\n              ${buildTableItems({\n                  PK: \"syncSystem#SETTINGS\",\n                  SK: \"default\",\n                  ...items\n              })}\n            }`\n        }\n    });\n};\n\nconst getTableItemType = (value: unknown) => {\n    if (value === null || value === undefined) {\n        return \"S\";\n    }\n    switch (typeof value) {\n        case \"string\":\n            return \"S\";\n        case \"number\":\n            return \"N\";\n        case \"object\":\n            return \"M\";\n        default:\n            throw new Error(`Unsupported type: ${typeof value}`);\n    }\n};\n\nconst buildTableItems = (\n    items: Record<string, string | number | Record<string, string>>\n): string => {\n    return Object.keys(items)\n        .reduce<string[]>((output, key) => {\n            const value = items[key];\n            output.push(`\"${key}\": {\"${getTableItemType(value)}\": \"${value}\"}`);\n            return output;\n        }, [])\n        .join(\",\");\n};\n"],"mappings":"AAAA,OAAO,KAAKA,GAAG,MAAM,aAAa;AAClC,OAAO,KAAKC,MAAM,MAAM,gBAAgB;AAUxC,OAAO,MAAMC,aAAa,GAAIC,MAA4B,IAAW;EACjE,MAAM;IAAEC,GAAG;IAAEC,KAAK;IAAEC;EAAM,CAAC,GAAGH,MAAM;EACpC;AACJ;AACA;EACIC,GAAG,CAACG,WAAW,CAACP,GAAG,CAACQ,QAAQ,CAACC,SAAS,EAAE;IACpCC,IAAI,EAAE,oBAAoB;IAC1BC,MAAM,EAAE;MACJC,SAAS,EAAEP,KAAK,CAACQ,MAAM,CAACC,GAAG;MAC3BC,OAAO,EAAEV,KAAK,CAACQ,MAAM,CAACE,OAAO;MAC7BC,QAAQ,EAAEf,MAAM,CAACY,MAAM,CAACR,KAAK,CAACQ,MAAM,CAACG,QAAQ,CAAC,CAACC,KAAK,CAACC,GAAG,IAAIA,GAAG,IAAI,IAAI,CAAC;MACxEC,IAAI,EAAElB,MAAM,CAACmB,WAAW;AACpC,gBAAgBC,eAAe,CAAC;QACdC,EAAE,EAAE,qBAAqB;QACzBC,EAAE,EAAE,SAAS;QACb,GAAGjB;MACP,CAAC,CAAC;AAChB;IACQ;EACJ,CAAC,CAAC;AACN,CAAC;AAED,MAAMkB,gBAAgB,GAAIC,KAAc,IAAK;EACzC,IAAIA,KAAK,KAAK,IAAI,IAAIA,KAAK,KAAKC,SAAS,EAAE;IACvC,OAAO,GAAG;EACd;EACA,QAAQ,OAAOD,KAAK;IAChB,KAAK,QAAQ;MACT,OAAO,GAAG;IACd,KAAK,QAAQ;MACT,OAAO,GAAG;IACd,KAAK,QAAQ;MACT,OAAO,GAAG;IACd;MACI,MAAM,IAAIE,KAAK,CAAC,qBAAqB,OAAOF,KAAK,EAAE,CAAC;EAC5D;AACJ,CAAC;AAED,MAAMJ,eAAe,GACjBf,KAA+D,IACtD;EACT,OAAOsB,MAAM,CAACC,IAAI,CAACvB,KAAK,CAAC,CACpBwB,MAAM,CAAW,CAACjB,MAAM,EAAEK,GAAG,KAAK;IAC/B,MAAMO,KAAK,GAAGnB,KAAK,CAACY,GAAG,CAAC;IACxBL,MAAM,CAACkB,IAAI,CAAC,IAAIb,GAAG,QAAQM,gBAAgB,CAACC,KAAK,CAAC,OAAOA,KAAK,IAAI,CAAC;IACnE,OAAOZ,MAAM;EACjB,CAAC,EAAE,EAAE,CAAC,CACLmB,IAAI,CAAC,GAAG,CAAC;AAClB,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/api/addServiceManifest.d.ts

@@ -0,0 +1,8 @@
+import type { PulumiApp } from "@webiny/pulumi";
+import type { IGetSyncSystemOutputResult } from "../../../../pulumi/apps/syncSystem/types.js";
+import type { WithServiceManifest } from "../../../../pulumi/utils/withServiceManifest.js";
+export interface IAddServiceManifestParams {
+    app: PulumiApp & WithServiceManifest;
+    syncSystem: IGetSyncSystemOutputResult;
+}
+export declare const addServiceManifest: (params: IAddServiceManifestParams) => void;

package/pulumi/apps/syncSystem/api/addServiceManifest.js

@@ -0,0 +1,18 @@
+export const addServiceManifest = params => {
+  const {
+    app,
+    syncSystem
+  } = params;
+  app.addHandler(() => {
+    app.addServiceManifest({
+      name: "sync",
+      manifest: {
+        eventBusArn: syncSystem.eventBusArn,
+        eventBusName: syncSystem.eventBusName,
+        region: syncSystem.region
+      }
+    });
+  });
+};
+
+//# sourceMappingURL=addServiceManifest.js.map

package/pulumi/apps/syncSystem/api/addServiceManifest.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["addServiceManifest","params","app","syncSystem","addHandler","name","manifest","eventBusArn","eventBusName","region"],"sources":["addServiceManifest.ts"],"sourcesContent":["import type { PulumiApp } from \"@webiny/pulumi\";\nimport type { IGetSyncSystemOutputResult } from \"~/pulumi/apps/syncSystem/types.js\";\nimport type { WithServiceManifest } from \"~/pulumi/utils/withServiceManifest.js\";\n\nexport interface IAddServiceManifestParams {\n    app: PulumiApp & WithServiceManifest;\n    syncSystem: IGetSyncSystemOutputResult;\n}\n\nexport const addServiceManifest = (params: IAddServiceManifestParams) => {\n    const { app, syncSystem } = params;\n\n    app.addHandler(() => {\n        app.addServiceManifest({\n            name: \"sync\",\n            manifest: {\n                eventBusArn: syncSystem.eventBusArn,\n                eventBusName: syncSystem.eventBusName,\n                region: syncSystem.region\n            }\n        });\n    });\n};\n"],"mappings":"AASA,OAAO,MAAMA,kBAAkB,GAAIC,MAAiC,IAAK;EACrE,MAAM;IAAEC,GAAG;IAAEC;EAAW,CAAC,GAAGF,MAAM;EAElCC,GAAG,CAACE,UAAU,CAAC,MAAM;IACjBF,GAAG,CAACF,kBAAkB,CAAC;MACnBK,IAAI,EAAE,MAAM;MACZC,QAAQ,EAAE;QACNC,WAAW,EAAEJ,UAAU,CAACI,WAAW;QACnCC,YAAY,EAAEL,UAAU,CAACK,YAAY;QACrCC,MAAM,EAAEN,UAAU,CAACM;MACvB;IACJ,CAAC,CAAC;EACN,CAAC,CAAC;AACN,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/api/attachCognitoPermissions.d.ts

@@ -0,0 +1,14 @@
+import type { PulumiApp } from "@webiny/pulumi";
+import type { WithServiceManifest } from "../../../../pulumi/utils/withServiceManifest.js";
+import type { IGetSyncSystemOutputResult } from "../../../../pulumi/apps/syncSystem/types.js";
+import type { CoreOutput } from "../../../../apps/index.js";
+export interface IAttachCognitoPermissionsParams {
+    app: PulumiApp & WithServiceManifest;
+    syncSystem: IGetSyncSystemOutputResult;
+    core: CoreOutput;
+}
+export declare const attachCognitoPermissions: (params: IAttachCognitoPermissionsParams) => {
+    cognitoPolicy: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/policy").Policy>;
+    workerLambdaS3PolicyAttachment: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment>;
+    resolverLambdaS3PolicyAttachment: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment>;
+} | null;

package/pulumi/apps/syncSystem/api/attachCognitoPermissions.js

@@ -0,0 +1,59 @@
+import * as aws from "@pulumi/aws";
+import { createSyncResourceName } from "../createSyncResourceName.js";
+export const attachCognitoPermissions = params => {
+  const {
+    app,
+    syncSystem,
+    core
+  } = params;
+  /**
+   * TODO there must be a way to skip this if Cognito is not used in the Webiny deployment.
+   */
+  if (!core.cognitoUserPoolArn) {
+    return null;
+  }
+  const {
+    resolverLambdaRoleName,
+    workerLambdaRoleName
+  } = syncSystem;
+  const resolverLambdaToS3ResourceName = createSyncResourceName(`resolver-lambda-to-cognito`);
+  const workerLambdaToS3ResourceName = createSyncResourceName(`worker-lambda-to-cognito`);
+  const cognitoPolicy = app.addResource(aws.iam.Policy, {
+    name: `${resolverLambdaToS3ResourceName}-policy`,
+    config: {
+      description: "This policy enables access from Sync System Resolver and Worker Lambda to Webiny Cognito.",
+      policy: {
+        Version: "2012-10-17",
+        Statement: [{
+          Sid: "PermissionForSyncLambdaToCognito",
+          Effect: "Allow",
+          Action: ["cognito-idp:*"],
+          Resource: core.cognitoUserPoolArn.apply(arn => {
+            return [arn, `${arn}/*`];
+          })
+        }]
+      }
+    }
+  });
+  const resolverLambdaS3PolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {
+    name: `${resolverLambdaToS3ResourceName}-policy-attachment`,
+    config: {
+      role: resolverLambdaRoleName,
+      policyArn: cognitoPolicy.output.arn
+    }
+  });
+  const workerLambdaS3PolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {
+    name: `${workerLambdaToS3ResourceName}-policy-attachment`,
+    config: {
+      role: workerLambdaRoleName,
+      policyArn: cognitoPolicy.output.arn
+    }
+  });
+  return {
+    cognitoPolicy,
+    workerLambdaS3PolicyAttachment,
+    resolverLambdaS3PolicyAttachment
+  };
+};
+
+//# sourceMappingURL=attachCognitoPermissions.js.map

package/pulumi/apps/syncSystem/api/attachCognitoPermissions.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["aws","createSyncResourceName","attachCognitoPermissions","params","app","syncSystem","core","cognitoUserPoolArn","resolverLambdaRoleName","workerLambdaRoleName","resolverLambdaToS3ResourceName","workerLambdaToS3ResourceName","cognitoPolicy","addResource","iam","Policy","name","config","description","policy","Version","Statement","Sid","Effect","Action","Resource","apply","arn","resolverLambdaS3PolicyAttachment","RolePolicyAttachment","role","policyArn","output","workerLambdaS3PolicyAttachment"],"sources":["attachCognitoPermissions.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport type { PulumiApp } from \"@webiny/pulumi\";\nimport type { WithServiceManifest } from \"~/pulumi/utils/withServiceManifest.js\";\nimport type { IGetSyncSystemOutputResult } from \"~/pulumi/apps/syncSystem/types.js\";\nimport type { CoreOutput } from \"~/apps/index.js\";\nimport { createSyncResourceName } from \"~/pulumi/apps/syncSystem/createSyncResourceName.js\";\n\nexport interface IAttachCognitoPermissionsParams {\n    app: PulumiApp & WithServiceManifest;\n    syncSystem: IGetSyncSystemOutputResult;\n    core: CoreOutput;\n}\n\nexport const attachCognitoPermissions = (params: IAttachCognitoPermissionsParams) => {\n    const { app, syncSystem, core } = params;\n    /**\n     * TODO there must be a way to skip this if Cognito is not used in the Webiny deployment.\n     */\n    if (!core.cognitoUserPoolArn) {\n        return null;\n    }\n\n    const { resolverLambdaRoleName, workerLambdaRoleName } = syncSystem;\n\n    const resolverLambdaToS3ResourceName = createSyncResourceName(`resolver-lambda-to-cognito`);\n    const workerLambdaToS3ResourceName = createSyncResourceName(`worker-lambda-to-cognito`);\n\n    const cognitoPolicy = app.addResource(aws.iam.Policy, {\n        name: `${resolverLambdaToS3ResourceName}-policy`,\n        config: {\n            description:\n                \"This policy enables access from Sync System Resolver and Worker Lambda to Webiny Cognito.\",\n            policy: {\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Sid: \"PermissionForSyncLambdaToCognito\",\n                        Effect: \"Allow\",\n                        Action: [\"cognito-idp:*\"],\n                        Resource: core.cognitoUserPoolArn.apply(arn => {\n                            return [arn, `${arn}/*`];\n                        })\n                    }\n                ]\n            }\n        }\n    });\n\n    const resolverLambdaS3PolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `${resolverLambdaToS3ResourceName}-policy-attachment`,\n        config: {\n            role: resolverLambdaRoleName,\n            policyArn: cognitoPolicy.output.arn\n        }\n    });\n\n    const workerLambdaS3PolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `${workerLambdaToS3ResourceName}-policy-attachment`,\n        config: {\n            role: workerLambdaRoleName,\n            policyArn: cognitoPolicy.output.arn\n        }\n    });\n\n    return {\n        cognitoPolicy,\n        workerLambdaS3PolicyAttachment,\n        resolverLambdaS3PolicyAttachment\n    };\n};\n"],"mappings":"AAAA,OAAO,KAAKA,GAAG,MAAM,aAAa;AAKlC,SAASC,sBAAsB;AAQ/B,OAAO,MAAMC,wBAAwB,GAAIC,MAAuC,IAAK;EACjF,MAAM;IAAEC,GAAG;IAAEC,UAAU;IAAEC;EAAK,CAAC,GAAGH,MAAM;EACxC;AACJ;AACA;EACI,IAAI,CAACG,IAAI,CAACC,kBAAkB,EAAE;IAC1B,OAAO,IAAI;EACf;EAEA,MAAM;IAAEC,sBAAsB;IAAEC;EAAqB,CAAC,GAAGJ,UAAU;EAEnE,MAAMK,8BAA8B,GAAGT,sBAAsB,CAAC,4BAA4B,CAAC;EAC3F,MAAMU,4BAA4B,GAAGV,sBAAsB,CAAC,0BAA0B,CAAC;EAEvF,MAAMW,aAAa,GAAGR,GAAG,CAACS,WAAW,CAACb,GAAG,CAACc,GAAG,CAACC,MAAM,EAAE;IAClDC,IAAI,EAAE,GAAGN,8BAA8B,SAAS;IAChDO,MAAM,EAAE;MACJC,WAAW,EACP,2FAA2F;MAC/FC,MAAM,EAAE;QACJC,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIC,GAAG,EAAE,kCAAkC;UACvCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,eAAe,CAAC;UACzBC,QAAQ,EAAEnB,IAAI,CAACC,kBAAkB,CAACmB,KAAK,CAACC,GAAG,IAAI;YAC3C,OAAO,CAACA,GAAG,EAAE,GAAGA,GAAG,IAAI,CAAC;UAC5B,CAAC;QACL,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMC,gCAAgC,GAAGxB,GAAG,CAACS,WAAW,CAACb,GAAG,CAACc,GAAG,CAACe,oBAAoB,EAAE;IACnFb,IAAI,EAAE,GAAGN,8BAA8B,oBAAoB;IAC3DO,MAAM,EAAE;MACJa,IAAI,EAAEtB,sBAAsB;MAC5BuB,SAAS,EAAEnB,aAAa,CAACoB,MAAM,CAACL;IACpC;EACJ,CAAC,CAAC;EAEF,MAAMM,8BAA8B,GAAG7B,GAAG,CAACS,WAAW,CAACb,GAAG,CAACc,GAAG,CAACe,oBAAoB,EAAE;IACjFb,IAAI,EAAE,GAAGL,4BAA4B,oBAAoB;IACzDM,MAAM,EAAE;MACJa,IAAI,EAAErB,oBAAoB;MAC1BsB,SAAS,EAAEnB,aAAa,CAACoB,MAAM,CAACL;IACpC;EACJ,CAAC,CAAC;EAEF,OAAO;IACHf,aAAa;IACbqB,8BAA8B;IAC9BL;EACJ,CAAC;AACL,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/api/attachDynamoDbPermissions.d.ts

@@ -0,0 +1,13 @@
+import type { PulumiApp } from "@webiny/pulumi";
+import type { IGetSyncSystemOutputResult } from "../../../../pulumi/apps/syncSystem/types.js";
+import type { CoreOutput } from "../../../../pulumi/apps/common/CoreOutput.js";
+import type { WithServiceManifest } from "../../../../pulumi/utils/withServiceManifest.js";
+export interface IAttachDynamoDbPermissionsParams {
+    app: PulumiApp & WithServiceManifest;
+    syncSystem: IGetSyncSystemOutputResult;
+    core: CoreOutput;
+}
+export declare const attachDynamoDbPermissions: (params: IAttachDynamoDbPermissionsParams) => {
+    dynamoDbPolicy: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/policy").Policy>;
+    lambdaRolePolicyAttachment: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment>;
+};

package/pulumi/apps/syncSystem/api/attachDynamoDbPermissions.js

@@ -0,0 +1,44 @@
+/**
+ * We need to attach Sync System Lambda policy to access DynamoDB in the Webiny system.
+ */
+import * as aws from "@pulumi/aws";
+import { createSyncResourceName } from "../createSyncResourceName.js";
+export const attachDynamoDbPermissions = params => {
+  const {
+    app,
+    syncSystem,
+    core
+  } = params;
+  const {
+    resolverLambdaRoleName
+  } = syncSystem;
+  const lambdaToDynamoDbResourceName = createSyncResourceName(`resolver-lambda-to-dynamodb`);
+  const dynamoDbPolicy = app.addResource(aws.iam.Policy, {
+    name: `${lambdaToDynamoDbResourceName}-policy`,
+    config: {
+      description: "This policy enables access from Sync System Lambda to Webiny DynamoDB.",
+      policy: {
+        Version: "2012-10-17",
+        Statement: [{
+          Sid: "PermissionForSyncLambdaToDynamoDb",
+          Effect: "Allow",
+          Action: ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:ConditionCheckItem", "dynamodb:CreateBackup", "dynamodb:CreateTable", "dynamodb:CreateTableReplica", "dynamodb:DeleteBackup", "dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DeleteTableReplica", "dynamodb:DescribeBackup", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeContributorInsights", "dynamodb:DescribeExport", "dynamodb:DescribeKinesisStreamingDestination", "dynamodb:DescribeLimits", "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeReservedCapacityOfferings", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "dynamodb:DisableKinesisStreamingDestination", "dynamodb:EnableKinesisStreamingDestination", "dynamodb:ExportTableToPointInTime", "dynamodb:GetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:ListBackups", "dynamodb:ListContributorInsights", "dynamodb:ListExports", "dynamodb:ListStreams", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:PartiQLDelete", "dynamodb:PartiQLInsert", "dynamodb:PartiQLSelect", "dynamodb:PartiQLUpdate", "dynamodb:PurchaseReservedCapacityOfferings", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:RestoreTableFromBackup", "dynamodb:RestoreTableToPointInTime", "dynamodb:Scan", "dynamodb:UpdateContinuousBackups", "dynamodb:UpdateContributorInsights", "dynamodb:UpdateItem", "dynamodb:UpdateTable", "dynamodb:UpdateTableReplicaAutoScaling", "dynamodb:UpdateTimeToLive"],
+          Resource: [core.primaryDynamodbTableArn.apply(arn => arn), core.primaryDynamodbTableArn.apply(arn => `${arn}/*`)]
+        }]
+      }
+    }
+  });
+  const lambdaRolePolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {
+    name: `${lambdaToDynamoDbResourceName}-role-policy-attachment`,
+    config: {
+      role: resolverLambdaRoleName,
+      policyArn: dynamoDbPolicy.output.arn
+    }
+  });
+  return {
+    dynamoDbPolicy,
+    lambdaRolePolicyAttachment
+  };
+};
+
+//# sourceMappingURL=attachDynamoDbPermissions.js.map

package/pulumi/apps/syncSystem/api/attachDynamoDbPermissions.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["aws","createSyncResourceName","attachDynamoDbPermissions","params","app","syncSystem","core","resolverLambdaRoleName","lambdaToDynamoDbResourceName","dynamoDbPolicy","addResource","iam","Policy","name","config","description","policy","Version","Statement","Sid","Effect","Action","Resource","primaryDynamodbTableArn","apply","arn","lambdaRolePolicyAttachment","RolePolicyAttachment","role","policyArn","output"],"sources":["attachDynamoDbPermissions.ts"],"sourcesContent":["/**\n * We need to attach Sync System Lambda policy to access DynamoDB in the Webiny system.\n */\nimport * as aws from \"@pulumi/aws\";\nimport type { PulumiApp } from \"@webiny/pulumi\";\nimport type { IGetSyncSystemOutputResult } from \"~/pulumi/apps/syncSystem/types.js\";\nimport { createSyncResourceName } from \"~/pulumi/apps/syncSystem/createSyncResourceName.js\";\nimport type { CoreOutput } from \"~/pulumi/apps/common/CoreOutput.js\";\nimport type { WithServiceManifest } from \"~/pulumi/utils/withServiceManifest.js\";\n\nexport interface IAttachDynamoDbPermissionsParams {\n    app: PulumiApp & WithServiceManifest;\n    syncSystem: IGetSyncSystemOutputResult;\n    core: CoreOutput;\n}\n\nexport const attachDynamoDbPermissions = (params: IAttachDynamoDbPermissionsParams) => {\n    const { app, syncSystem, core } = params;\n\n    const { resolverLambdaRoleName } = syncSystem;\n\n    const lambdaToDynamoDbResourceName = createSyncResourceName(`resolver-lambda-to-dynamodb`);\n\n    const dynamoDbPolicy = app.addResource(aws.iam.Policy, {\n        name: `${lambdaToDynamoDbResourceName}-policy`,\n        config: {\n            description: \"This policy enables access from Sync System Lambda to Webiny DynamoDB.\",\n            policy: {\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Sid: \"PermissionForSyncLambdaToDynamoDb\",\n                        Effect: \"Allow\",\n                        Action: [\n                            \"dynamodb:BatchGetItem\",\n                            \"dynamodb:BatchWriteItem\",\n                            \"dynamodb:ConditionCheckItem\",\n                            \"dynamodb:CreateBackup\",\n                            \"dynamodb:CreateTable\",\n                            \"dynamodb:CreateTableReplica\",\n                            \"dynamodb:DeleteBackup\",\n                            \"dynamodb:DeleteItem\",\n                            \"dynamodb:DeleteTable\",\n                            \"dynamodb:DeleteTableReplica\",\n                            \"dynamodb:DescribeBackup\",\n                            \"dynamodb:DescribeContinuousBackups\",\n                            \"dynamodb:DescribeContributorInsights\",\n                            \"dynamodb:DescribeExport\",\n                            \"dynamodb:DescribeKinesisStreamingDestination\",\n                            \"dynamodb:DescribeLimits\",\n                            \"dynamodb:DescribeReservedCapacity\",\n                            \"dynamodb:DescribeReservedCapacityOfferings\",\n                            \"dynamodb:DescribeStream\",\n                            \"dynamodb:DescribeTable\",\n                            \"dynamodb:DescribeTableReplicaAutoScaling\",\n                            \"dynamodb:DescribeTimeToLive\",\n                            \"dynamodb:DisableKinesisStreamingDestination\",\n                            \"dynamodb:EnableKinesisStreamingDestination\",\n                            \"dynamodb:ExportTableToPointInTime\",\n                            \"dynamodb:GetItem\",\n                            \"dynamodb:GetRecords\",\n                            \"dynamodb:GetShardIterator\",\n                            \"dynamodb:ListBackups\",\n                            \"dynamodb:ListContributorInsights\",\n                            \"dynamodb:ListExports\",\n                            \"dynamodb:ListStreams\",\n                            \"dynamodb:ListTables\",\n                            \"dynamodb:ListTagsOfResource\",\n                            \"dynamodb:PartiQLDelete\",\n                            \"dynamodb:PartiQLInsert\",\n                            \"dynamodb:PartiQLSelect\",\n                            \"dynamodb:PartiQLUpdate\",\n                            \"dynamodb:PurchaseReservedCapacityOfferings\",\n                            \"dynamodb:PutItem\",\n                            \"dynamodb:Query\",\n                            \"dynamodb:RestoreTableFromBackup\",\n                            \"dynamodb:RestoreTableToPointInTime\",\n                            \"dynamodb:Scan\",\n                            \"dynamodb:UpdateContinuousBackups\",\n                            \"dynamodb:UpdateContributorInsights\",\n                            \"dynamodb:UpdateItem\",\n                            \"dynamodb:UpdateTable\",\n                            \"dynamodb:UpdateTableReplicaAutoScaling\",\n                            \"dynamodb:UpdateTimeToLive\"\n                        ],\n                        Resource: [\n                            core.primaryDynamodbTableArn.apply(arn => arn),\n                            core.primaryDynamodbTableArn.apply(arn => `${arn}/*`)\n                        ]\n                    }\n                ]\n            }\n        }\n    });\n\n    const lambdaRolePolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `${lambdaToDynamoDbResourceName}-role-policy-attachment`,\n        config: {\n            role: resolverLambdaRoleName,\n            policyArn: dynamoDbPolicy.output.arn\n        }\n    });\n\n    return {\n        dynamoDbPolicy,\n        lambdaRolePolicyAttachment\n    };\n};\n"],"mappings":"AAAA;AACA;AACA;AACA,OAAO,KAAKA,GAAG,MAAM,aAAa;AAGlC,SAASC,sBAAsB;AAU/B,OAAO,MAAMC,yBAAyB,GAAIC,MAAwC,IAAK;EACnF,MAAM;IAAEC,GAAG;IAAEC,UAAU;IAAEC;EAAK,CAAC,GAAGH,MAAM;EAExC,MAAM;IAAEI;EAAuB,CAAC,GAAGF,UAAU;EAE7C,MAAMG,4BAA4B,GAAGP,sBAAsB,CAAC,6BAA6B,CAAC;EAE1F,MAAMQ,cAAc,GAAGL,GAAG,CAACM,WAAW,CAACV,GAAG,CAACW,GAAG,CAACC,MAAM,EAAE;IACnDC,IAAI,EAAE,GAAGL,4BAA4B,SAAS;IAC9CM,MAAM,EAAE;MACJC,WAAW,EAAE,wEAAwE;MACrFC,MAAM,EAAE;QACJC,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIC,GAAG,EAAE,mCAAmC;UACxCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CACJ,uBAAuB,EACvB,yBAAyB,EACzB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,EACtB,6BAA6B,EAC7B,uBAAuB,EACvB,qBAAqB,EACrB,sBAAsB,EACtB,6BAA6B,EAC7B,yBAAyB,EACzB,oCAAoC,EACpC,sCAAsC,EACtC,yBAAyB,EACzB,8CAA8C,EAC9C,yBAAyB,EACzB,mCAAmC,EACnC,4CAA4C,EAC5C,yBAAyB,EACzB,wBAAwB,EACxB,0CAA0C,EAC1C,6BAA6B,EAC7B,6CAA6C,EAC7C,4CAA4C,EAC5C,mCAAmC,EACnC,kBAAkB,EAClB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,kCAAkC,EAClC,sBAAsB,EACtB,sBAAsB,EACtB,qBAAqB,EACrB,6BAA6B,EAC7B,wBAAwB,EACxB,wBAAwB,EACxB,wBAAwB,EACxB,wBAAwB,EACxB,4CAA4C,EAC5C,kBAAkB,EAClB,gBAAgB,EAChB,iCAAiC,EACjC,oCAAoC,EACpC,eAAe,EACf,kCAAkC,EAClC,oCAAoC,EACpC,qBAAqB,EACrB,sBAAsB,EACtB,wCAAwC,EACxC,2BAA2B,CAC9B;UACDC,QAAQ,EAAE,CACNhB,IAAI,CAACiB,uBAAuB,CAACC,KAAK,CAACC,GAAG,IAAIA,GAAG,CAAC,EAC9CnB,IAAI,CAACiB,uBAAuB,CAACC,KAAK,CAACC,GAAG,IAAI,GAAGA,GAAG,IAAI,CAAC;QAE7D,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMC,0BAA0B,GAAGtB,GAAG,CAACM,WAAW,CAACV,GAAG,CAACW,GAAG,CAACgB,oBAAoB,EAAE;IAC7Ed,IAAI,EAAE,GAAGL,4BAA4B,yBAAyB;IAC9DM,MAAM,EAAE;MACJc,IAAI,EAAErB,sBAAsB;MAC5BsB,SAAS,EAAEpB,cAAc,CAACqB,MAAM,CAACL;IACrC;EACJ,CAAC,CAAC;EAEF,OAAO;IACHhB,cAAc;IACdiB;EACJ,CAAC;AACL,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/api/attachEventBusPermissions.d.ts

@@ -0,0 +1,17 @@
+import type { PulumiApp } from "@webiny/pulumi/types.js";
+import type { IGetSyncSystemOutputResult } from "../types.js";
+import type { WithServiceManifest } from "../../../../pulumi/utils/withServiceManifest.js";
+export interface IAttachEventBusPermissionsParam {
+    app: PulumiApp & WithServiceManifest;
+    syncSystem: IGetSyncSystemOutputResult;
+}
+/**
+ * We need to attach the policy to:
+ * * GraphQL Lambda Role
+ * * File Manager Manage Lambda Role
+ * TODO determine if any other are required
+ */
+export declare const attachEventBusPermissions: (params: IAttachEventBusPermissionsParam) => {
+    eventBridgePolicy: import("@webiny/pulumi/PulumiAppResource.js").PulumiAppResource<typeof import("@pulumi/aws/iam/policy.js").Policy>;
+    graphQlPolicyAttachment: import("@webiny/pulumi/PulumiAppResource.js").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment.js").RolePolicyAttachment>;
+};

package/pulumi/apps/syncSystem/api/attachEventBusPermissions.js

@@ -0,0 +1,48 @@
+import * as aws from "@pulumi/aws";
+import { createSyncResourceName } from "../createSyncResourceName.js";
+import { ApiGraphql } from "../../api/ApiGraphql.js";
+/**
+ * We need to attach the policy to:
+ * * GraphQL Lambda Role
+ * * File Manager Manage Lambda Role
+ * TODO determine if any other are required
+ */
+export const attachEventBusPermissions = params => {
+  const {
+    app,
+    syncSystem
+  } = params;
+  const {
+    eventBusArn
+  } = syncSystem;
+  const graphql = app.getModule(ApiGraphql);
+  const lambdaToEventBridgeResourceName = createSyncResourceName(`lambda-to-event-bridge`);
+  const eventBridgePolicy = app.addResource(aws.iam.Policy, {
+    name: `${lambdaToEventBridgeResourceName}-policy`,
+    config: {
+      description: "This policy enables access from Webiny Lambdas to Sync System EventBridge.",
+      policy: {
+        Version: "2012-10-17",
+        Statement: [{
+          Sid: "PermissionForSyncLambdaToEventBridge",
+          Effect: "Allow",
+          Action: "events:PutEvents",
+          Resource: [eventBusArn]
+        }]
+      }
+    }
+  });
+  const graphQlPolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {
+    name: `${lambdaToEventBridgeResourceName}-graphql-role-policy-attachment`,
+    config: {
+      role: graphql.role.output.name,
+      policyArn: eventBridgePolicy.output.arn
+    }
+  });
+  return {
+    eventBridgePolicy,
+    graphQlPolicyAttachment
+  };
+};
+
+//# sourceMappingURL=attachEventBusPermissions.js.map

package/pulumi/apps/syncSystem/api/attachEventBusPermissions.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["aws","createSyncResourceName","ApiGraphql","attachEventBusPermissions","params","app","syncSystem","eventBusArn","graphql","getModule","lambdaToEventBridgeResourceName","eventBridgePolicy","addResource","iam","Policy","name","config","description","policy","Version","Statement","Sid","Effect","Action","Resource","graphQlPolicyAttachment","RolePolicyAttachment","role","output","policyArn","arn"],"sources":["attachEventBusPermissions.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport type { PulumiApp } from \"@webiny/pulumi/types.js\";\nimport type { IGetSyncSystemOutputResult } from \"../types.js\";\nimport { createSyncResourceName } from \"../createSyncResourceName.js\";\nimport { ApiGraphql } from \"~/pulumi/apps/api/ApiGraphql.js\";\nimport type { WithServiceManifest } from \"~/pulumi/utils/withServiceManifest.js\";\n\nexport interface IAttachEventBusPermissionsParam {\n    app: PulumiApp & WithServiceManifest;\n    syncSystem: IGetSyncSystemOutputResult;\n}\n\n/**\n * We need to attach the policy to:\n * * GraphQL Lambda Role\n * * File Manager Manage Lambda Role\n * TODO determine if any other are required\n */\nexport const attachEventBusPermissions = (params: IAttachEventBusPermissionsParam) => {\n    const { app, syncSystem } = params;\n\n    const { eventBusArn } = syncSystem;\n\n    const graphql = app.getModule(ApiGraphql);\n\n    const lambdaToEventBridgeResourceName = createSyncResourceName(`lambda-to-event-bridge`);\n    const eventBridgePolicy = app.addResource(aws.iam.Policy, {\n        name: `${lambdaToEventBridgeResourceName}-policy`,\n        config: {\n            description:\n                \"This policy enables access from Webiny Lambdas to Sync System EventBridge.\",\n            policy: {\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Sid: \"PermissionForSyncLambdaToEventBridge\",\n                        Effect: \"Allow\",\n                        Action: \"events:PutEvents\",\n                        Resource: [eventBusArn]\n                    }\n                ]\n            }\n        }\n    });\n\n    const graphQlPolicyAttachment = app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `${lambdaToEventBridgeResourceName}-graphql-role-policy-attachment`,\n        config: {\n            role: graphql.role.output.name,\n            policyArn: eventBridgePolicy.output.arn\n        }\n    });\n\n    return {\n        eventBridgePolicy,\n        graphQlPolicyAttachment\n    };\n};\n"],"mappings":"AAAA,OAAO,KAAKA,GAAG,MAAM,aAAa;AAGlC,SAASC,sBAAsB;AAC/B,SAASC,UAAU;AAQnB;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,yBAAyB,GAAIC,MAAuC,IAAK;EAClF,MAAM;IAAEC,GAAG;IAAEC;EAAW,CAAC,GAAGF,MAAM;EAElC,MAAM;IAAEG;EAAY,CAAC,GAAGD,UAAU;EAElC,MAAME,OAAO,GAAGH,GAAG,CAACI,SAAS,CAACP,UAAU,CAAC;EAEzC,MAAMQ,+BAA+B,GAAGT,sBAAsB,CAAC,wBAAwB,CAAC;EACxF,MAAMU,iBAAiB,GAAGN,GAAG,CAACO,WAAW,CAACZ,GAAG,CAACa,GAAG,CAACC,MAAM,EAAE;IACtDC,IAAI,EAAE,GAAGL,+BAA+B,SAAS;IACjDM,MAAM,EAAE;MACJC,WAAW,EACP,4EAA4E;MAChFC,MAAM,EAAE;QACJC,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIC,GAAG,EAAE,sCAAsC;UAC3CC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,kBAAkB;UAC1BC,QAAQ,EAAE,CAACjB,WAAW;QAC1B,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMkB,uBAAuB,GAAGpB,GAAG,CAACO,WAAW,CAACZ,GAAG,CAACa,GAAG,CAACa,oBAAoB,EAAE;IAC1EX,IAAI,EAAE,GAAGL,+BAA+B,iCAAiC;IACzEM,MAAM,EAAE;MACJW,IAAI,EAAEnB,OAAO,CAACmB,IAAI,CAACC,MAAM,CAACb,IAAI;MAC9Bc,SAAS,EAAElB,iBAAiB,CAACiB,MAAM,CAACE;IACxC;EACJ,CAAC,CAAC;EAEF,OAAO;IACHnB,iBAAiB;IACjBc;EACJ,CAAC;AACL,CAAC","ignoreList":[]}

package/pulumi/apps/syncSystem/api/attachS3Permissions.d.ts

@@ -0,0 +1,14 @@
+import type { PulumiApp } from "@webiny/pulumi";
+import type { IGetSyncSystemOutputResult } from "../../../../pulumi/apps/syncSystem/types.js";
+import type { CoreOutput } from "../../../../pulumi/apps/common/CoreOutput.js";
+import type { WithServiceManifest } from "../../../../pulumi/utils/withServiceManifest.js";
+export interface IAttachS3PermissionsParams {
+    app: PulumiApp & WithServiceManifest;
+    syncSystem: IGetSyncSystemOutputResult;
+    core: CoreOutput;
+}
+export declare const attachS3Permissions: (params: IAttachS3PermissionsParams) => {
+    s3Policy: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/policy").Policy>;
+    workerLambdaS3PolicyAttachment: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment>;
+    resolverLambdaS3PolicyAttachment: import("@webiny/pulumi").PulumiAppResource<typeof import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment>;
+};