@webiny/pulumi-aws 5.42.0 → 5.42.1-beta.1

@@ -273,7 +273,7 @@ function getDynamoDbToElasticLambdaPolicy(app, domain) {
273
273
  Statement: [{
274
274
  Sid: "PermissionForES",
275
275
  Effect: "Allow",
276
- Action: ["es:ESHttpGet", "es:ESHttpDelete", "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut"],
276
+ Action: ["es:ESHttpGet", "es:ESHttpDelete", "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:UpdateItem"],
277
277
  Resource: [pulumi.interpolate`${domain.arn}`, pulumi.interpolate`${domain.arn}/*`]
278
278
  }]
279
279
  }
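Review bot: The seven `dynamodb:*` actions added to `Action` sit inside the `PermissionForES` statement, whose `Resource` list holds only the Elasticsearch domain ARN and `${domain.arn}/*`, so as written they cannot match any DynamoDB table and the Sid no longer describes the statement. If the Lambda is meant to reach a table, the grant belongs in its own statement scoped to that table's ARN and trimmed to the actions the handler actually calls. The function only receives `app` and `domain`, so the ARN would have to be passed in. Write and delete rights such as `dynamodb:BatchWriteItem` and `dynamodb:DeleteItem` should be kept only if the handler needs them. The body of `getDynamoDbToElasticLambdaPolicy` starts above the hunk.

```javascript
Statement: [{
  // … unchanged: PermissionForES statement, keeping only the five es:ESHttp* actions …
}, {
  Sid: "PermissionForDynamoDb",
  Effect: "Allow",
  // Keep only the actions the stream handler really issues.
  Action: ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:UpdateItem"],
  // tableArn is a placeholder: the ARN of the one table the Lambda needs, passed in by the caller.
  Resource: [tableArn]
}]
```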
@@ -1 +1 @@
1
- {"version":3,"names":["_path","_interopRequireDefault","require","pulumi","_interopRequireWildcard","aws","_pulumi2","_awsUtils","_CoreVpc","_constants","_LogDynamo","getDevClusterConfig","instanceType","getProdClusterConfig","instanceCount","zoneAwarenessEnabled","zoneAwarenessConfig","availabilityZoneCount","ElasticSearch","exports","createAppModule","name","config","app","params","domainName","accountId","getAwsAccountId","productionEnvironments","create","DEFAULT_PROD_ENV_NAMES","isProduction","includes","run","env","vpc","getModule","CoreVpc","optional","logDynamoDbTable","LogDynamo","domain","domainPolicy","process","AWS_ELASTIC_SEARCH_DOMAIN_NAME","String","addRemoteResource","elasticsearch","getDomain","async","addResource","Domain","elasticsearchVersion","clusterConfig","vpcOptions","subnetIds","subnets","private","map","s","output","id","securityGroupIds","defaultSecurityGroupId","undefined","ebsOptions","ebsEnabled","volumeSize","volumeType","advancedOptions","snapshotOptions","automatedSnapshotStartHour","opts","protect","DomainPolicy","accessPolicies","Version","Statement","Effect","Principal","AWS","Action","Resource","interpolate","arn","table","dynamodb","Table","attributes","type","streamEnabled","streamViewType","billingMode","hashKey","rangeKey","roleName","role","iam","Role","assumeRolePolicy","Service","meta","isLambdaFunctionRole","policy","getDynamoDbToElasticLambdaPolicy","RolePolicyAttachment","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","lambda","Function","runtime","LAMBDA_RUNTIME","handler","timeout","memorySize","environment","variables","DEBUG","ELASTIC_SEARCH_ENDPOINT","endpoint","DB_TABLE_LOG","description","code","asset","AssetArchive","FileArchive","path","join","paths","workspace","vpcConfig","eventSourceMapping","EventSourceMapping","eventSourceArn","streamArn","functionName","startingPosition","maximumRetryAttempts","batchSize","maximumBatchingWindo
wInSeconds","addOutputs","elasticsearchDomainArn","elasticsearchDomainEndpoint","elasticsearchDynamodbTableArn","elasticsearchDynamodbTableName","elasticsearchDynamoToElasticLambdaName","dynamoToElastic","Policy","Sid"],"sources":["CoreElasticSearch.ts"],"sourcesContent":["/**\n * Important documents to read:\n *\n * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#network-limits\n */\nimport path from \"path\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport {\n createAppModule,\n PulumiApp,\n PulumiAppRemoteResource,\n PulumiAppResource,\n PulumiAppResourceConstructor\n} from \"@webiny/pulumi\";\n\nimport { getAwsAccountId } from \"../awsUtils\";\nimport { CoreVpc } from \"./CoreVpc\";\nimport { DEFAULT_PROD_ENV_NAMES, LAMBDA_RUNTIME } from \"~/constants\";\nimport { LogDynamo } from \"~/apps/core/LogDynamo\";\n\nexport interface ElasticSearchParams {\n protect: boolean;\n}\n\nfunction getDevClusterConfig(): aws.types.input.elasticsearch.DomainClusterConfig {\n return {\n instanceType: \"t3.small.elasticsearch\"\n };\n}\n\nfunction getProdClusterConfig(): aws.types.input.elasticsearch.DomainClusterConfig {\n return {\n // For production deployments, we create 2 instances and configure multi-AZ.\n instanceType: \"t3.medium.elasticsearch\",\n instanceCount: 2,\n zoneAwarenessEnabled: true,\n zoneAwarenessConfig: {\n availabilityZoneCount: 2\n }\n };\n}\n\nexport const ElasticSearch = createAppModule({\n name: \"ElasticSearch\",\n config(app, params: ElasticSearchParams) {\n const domainName = \"webiny-js\";\n const accountId = getAwsAccountId(app);\n\n const productionEnvironments =\n app.params.create.productionEnvironments || DEFAULT_PROD_ENV_NAMES;\n const isProduction = productionEnvironments.includes(app.params.run.env);\n\n const vpc = app.getModule(CoreVpc, { optional: true });\n\n const logDynamoDbTable = app.getModule(LogDynamo);\n\n // This needs to be implemented in order to be 
able to use a shared ElasticSearch cluster.\n let domain:\n | PulumiAppResource<PulumiAppResourceConstructor<aws.elasticsearch.Domain>>\n | PulumiAppRemoteResource<aws.elasticsearch.GetDomainResult>;\n\n let domainPolicy;\n\n if (process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME) {\n const domainName = String(process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME);\n // This can be useful for testing purposes in ephemeral environments. More information here:\n // https://www.webiny.com/docs/key-topics/ci-cd/testing/slow-ephemeral-environments\n domain = app.addRemoteResource(domainName, () => {\n return aws.elasticsearch.getDomain({ domainName }, { async: true });\n });\n } else {\n // Regular ElasticSearch deployment.\n domain = app.addResource(aws.elasticsearch.Domain, {\n name: domainName,\n config: {\n elasticsearchVersion: \"7.10\",\n clusterConfig: isProduction ? getProdClusterConfig() : getDevClusterConfig(),\n vpcOptions: vpc\n ? {\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined,\n ebsOptions: {\n ebsEnabled: true,\n volumeSize: 10,\n volumeType: \"gp2\"\n },\n advancedOptions: {\n \"rest.action.multi.allow_explicit_index\": \"true\"\n },\n snapshotOptions: {\n automatedSnapshotStartHour: 23\n }\n },\n opts: { protect: params.protect }\n });\n\n /**\n * Domain policy defines who can access your Elasticsearch Domain.\n * For details on Elasticsearch security, read the official documentation:\n * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/security.html\n */\n domainPolicy = app.addResource(aws.elasticsearch.DomainPolicy, {\n name: `${domainName}-policy`,\n config: {\n domainName: domain.output.domainName,\n accessPolicies: {\n Version: \"2012-10-17\",\n Statement: [\n /**\n * Allow requests signed with current account\n */\n {\n Effect: \"Allow\",\n Principal: {\n AWS: accountId\n },\n Action: \"es:*\",\n Resource: pulumi.interpolate`${domain.output.arn}/*`\n }\n 
]\n }\n },\n opts: { protect: params.protect }\n });\n }\n\n /**\n * Create a table for Elasticsearch records. All ES records are stored in this table to dramatically improve\n * performance and stability on write operations (especially massive data imports). This table also serves as a backup and\n * a single source of truth for your Elasticsearch domain. Streaming is enabled on this table, and it will\n * allow asynchronous synchronization of data with Elasticsearch domain.\n */\n const table = app.addResource(aws.dynamodb.Table, {\n name: \"webiny-es\",\n config: {\n attributes: [\n { name: \"PK\", type: \"S\" },\n { name: \"SK\", type: \"S\" }\n ],\n streamEnabled: true,\n streamViewType: \"NEW_AND_OLD_IMAGES\",\n billingMode: \"PAY_PER_REQUEST\",\n hashKey: \"PK\",\n rangeKey: \"SK\"\n },\n opts: { protect: params.protect }\n });\n\n const roleName = \"dynamo-to-elastic-lambda-role\";\n\n const role = app.addResource(aws.iam.Role, {\n name: roleName,\n config: {\n assumeRolePolicy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Action: \"sts:AssumeRole\",\n Principal: {\n Service: \"lambda.amazonaws.com\"\n },\n Effect: \"Allow\"\n }\n ]\n }\n },\n meta: { isLambdaFunctionRole: true }\n });\n\n const policy = getDynamoDbToElasticLambdaPolicy(app, domain.output);\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-DynamoDbToElasticLambdaPolicy`,\n config: {\n role: role.output,\n policyArn: policy.output.arn\n }\n });\n\n // Only use `AWSLambdaVPCAccessExecutionRole` policy if VPC feature is enabled.\n if (vpc) {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaVPCAccessExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n } else {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaBasicExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole\n }\n 
});\n }\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaDynamoDBExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaDynamoDBExecutionRole\n }\n });\n\n /**\n * This Lambda will process the stream events from DynamoDB table that contains Elasticsearch items.\n * Elasticsearch can't take large amount of individual writes in a short period of time, so this way\n * we store data for Elasticsearch in a DynamoDB table, and asynchronously insert it into Elasticsearch\n * using batching.\n */\n const lambda = app.addResource(aws.lambda.Function, {\n name: \"dynamo-to-elastic\",\n config: {\n role: role.output.arn,\n runtime: LAMBDA_RUNTIME,\n handler: \"handler.handler\",\n timeout: 900,\n memorySize: 1024,\n environment: {\n variables: {\n DEBUG: String(process.env.DEBUG),\n ELASTIC_SEARCH_ENDPOINT: domain.output.endpoint,\n DB_TABLE_LOG: logDynamoDbTable.output.name\n }\n },\n description: \"Process DynamoDB Stream.\",\n code: new pulumi.asset.AssetArchive({\n \".\": new pulumi.asset.FileArchive(\n path.join(app.paths.workspace, \"dynamoToElastic/build\")\n )\n }),\n vpcConfig: vpc\n ? 
{\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined\n }\n });\n\n const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {\n name: \"dynamo-to-elastic\",\n config: {\n eventSourceArn: table.output.streamArn,\n functionName: lambda.output.arn,\n startingPosition: \"LATEST\",\n maximumRetryAttempts: 3,\n batchSize: 50,\n maximumBatchingWindowInSeconds: 1\n }\n });\n\n app.addOutputs({\n elasticsearchDomainArn: domain.output.arn,\n elasticsearchDomainEndpoint: domain.output.endpoint,\n elasticsearchDynamodbTableArn: table.output.arn,\n elasticsearchDynamodbTableName: table.output.name,\n elasticsearchDynamoToElasticLambdaName: lambda.output.name\n });\n\n return {\n domain,\n domainPolicy,\n table,\n dynamoToElastic: {\n role,\n policy,\n lambda,\n eventSourceMapping\n }\n };\n }\n});\n\nfunction getDynamoDbToElasticLambdaPolicy(\n app: PulumiApp,\n domain: pulumi.Output<aws.elasticsearch.Domain | aws.elasticsearch.GetDomainResult>\n) {\n return app.addResource(aws.iam.Policy, {\n name: \"DynamoDbToElasticLambdaPolicy-updated\",\n config: {\n description: \"This policy enables access to ES and Dynamodb streams\",\n policy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Sid: \"PermissionForES\",\n Effect: \"Allow\",\n Action: [\n \"es:ESHttpGet\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPatch\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\"\n ],\n Resource: [\n pulumi.interpolate`${domain.arn}`,\n pulumi.interpolate`${domain.arn}/*`\n ]\n }\n ]\n }\n }\n 
});\n}\n"],"mappings":";;;;;;;;AAKA,IAAAA,KAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,GAAA,GAAAD,uBAAA,CAAAF,OAAA;AACA,IAAAI,QAAA,GAAAJ,OAAA;AAQA,IAAAK,SAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AACA,IAAAO,UAAA,GAAAP,OAAA;AACA,IAAAQ,UAAA,GAAAR,OAAA;AAnBA;AACA;AACA;AACA;AACA;;AAqBA,SAASS,mBAAmBA,CAAA,EAAsD;EAC9E,OAAO;IACHC,YAAY,EAAE;EAClB,CAAC;AACL;AAEA,SAASC,oBAAoBA,CAAA,EAAsD;EAC/E,OAAO;IACH;IACAD,YAAY,EAAE,yBAAyB;IACvCE,aAAa,EAAE,CAAC;IAChBC,oBAAoB,EAAE,IAAI;IAC1BC,mBAAmB,EAAE;MACjBC,qBAAqB,EAAE;IAC3B;EACJ,CAAC;AACL;AAEO,MAAMC,aAAa,GAAAC,OAAA,CAAAD,aAAA,GAAG,IAAAE,wBAAe,EAAC;EACzCC,IAAI,EAAE,eAAe;EACrBC,MAAMA,CAACC,GAAG,EAAEC,MAA2B,EAAE;IACrC,MAAMC,UAAU,GAAG,WAAW;IAC9B,MAAMC,SAAS,GAAG,IAAAC,yBAAe,EAACJ,GAAG,CAAC;IAEtC,MAAMK,sBAAsB,GACxBL,GAAG,CAACC,MAAM,CAACK,MAAM,CAACD,sBAAsB,IAAIE,iCAAsB;IACtE,MAAMC,YAAY,GAAGH,sBAAsB,CAACI,QAAQ,CAACT,GAAG,CAACC,MAAM,CAACS,GAAG,CAACC,GAAG,CAAC;IAExE,MAAMC,GAAG,GAAGZ,GAAG,CAACa,SAAS,CAACC,gBAAO,EAAE;MAAEC,QAAQ,EAAE;IAAK,CAAC,CAAC;IAEtD,MAAMC,gBAAgB,GAAGhB,GAAG,CAACa,SAAS,CAACI,oBAAS,CAAC;;IAEjD;IACA,IAAIC,MAE4D;IAEhE,IAAIC,YAAY;IAEhB,IAAIC,OAAO,CAACT,GAAG,CAACU,8BAA8B,EAAE;MAC5C,MAAMnB,UAAU,GAAGoB,MAAM,CAACF,OAAO,CAACT,GAAG,CAACU,8BAA8B,CAAC;MACrE;MACA;MACAH,MAAM,GAAGlB,GAAG,CAACuB,iBAAiB,CAACrB,UAAU,EAAE,MAAM;QAC7C,OAAOpB,GAAG,CAAC0C,aAAa,CAACC,SAAS,CAAC;UAAEvB;QAAW,CAAC,EAAE;UAAEwB,KAAK,EAAE;QAAK,CAAC,CAAC;MACvE,CAAC,CAAC;IACN,CAAC,MAAM;MACH;MACAR,MAAM,GAAGlB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0C,aAAa,CAACI,MAAM,EAAE;QAC/C9B,IAAI,EAAEI,UAAU;QAChBH,MAAM,EAAE;UACJ8B,oBAAoB,EAAE,MAAM;UAC5BC,aAAa,EAAEtB,YAAY,GAAGlB,oBAAoB,CAAC,CAAC,GAAGF,mBAAmB,CAAC,CAAC;UAC5E2C,UAAU,EAAEnB,GAAG,GACT;YACIoB,SAAS,EAAEpB,GAAG,CAACqB,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;YACpDC,gBAAgB,EAAE,CAAC3B,GAAG,CAACA,GAAG,CAACyB,MAAM,CAACG,sBAAsB;UAC5D,CAAC,GACDC,SAAS;UACfC,UAAU,EAAE;YACRC,UAAU,EAAE,IAAI;YAChBC,UAAU,EAAE,EAAE;YACdC,UAAU,EAAE;UAChB,CAAC;UACDC,eAAe,EAAE;YACb,wCAAwC,EAAE;UAC9C,CA
AC;UACDC,eAAe,EAAE;YACbC,0BAA0B,EAAE;UAChC;QACJ,CAAC;QACDC,IAAI,EAAE;UAAEC,OAAO,EAAEjD,MAAM,CAACiD;QAAQ;MACpC,CAAC,CAAC;;MAEF;AACZ;AACA;AACA;AACA;MACY/B,YAAY,GAAGnB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0C,aAAa,CAAC2B,YAAY,EAAE;QAC3DrD,IAAI,EAAE,GAAGI,UAAU,SAAS;QAC5BH,MAAM,EAAE;UACJG,UAAU,EAAEgB,MAAM,CAACmB,MAAM,CAACnC,UAAU;UACpCkD,cAAc,EAAE;YACZC,OAAO,EAAE,YAAY;YACrBC,SAAS,EAAE;YACP;AAC5B;AACA;YAC4B;cACIC,MAAM,EAAE,OAAO;cACfC,SAAS,EAAE;gBACPC,GAAG,EAAEtD;cACT,CAAC;cACDuD,MAAM,EAAE,MAAM;cACdC,QAAQ,EAAE/E,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAACmB,MAAM,CAACwB,GAAG;YACpD,CAAC;UAET;QACJ,CAAC;QACDZ,IAAI,EAAE;UAAEC,OAAO,EAAEjD,MAAM,CAACiD;QAAQ;MACpC,CAAC,CAAC;IACN;;IAEA;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMY,KAAK,GAAG9D,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAACiF,QAAQ,CAACC,KAAK,EAAE;MAC9ClE,IAAI,EAAE,WAAW;MACjBC,MAAM,EAAE;QACJkE,UAAU,EAAE,CACR;UAAEnE,IAAI,EAAE,IAAI;UAAEoE,IAAI,EAAE;QAAI,CAAC,EACzB;UAAEpE,IAAI,EAAE,IAAI;UAAEoE,IAAI,EAAE;QAAI,CAAC,CAC5B;QACDC,aAAa,EAAE,IAAI;QACnBC,cAAc,EAAE,oBAAoB;QACpCC,WAAW,EAAE,iBAAiB;QAC9BC,OAAO,EAAE,IAAI;QACbC,QAAQ,EAAE;MACd,CAAC;MACDtB,IAAI,EAAE;QAAEC,OAAO,EAAEjD,MAAM,CAACiD;MAAQ;IACpC,CAAC,CAAC;IAEF,MAAMsB,QAAQ,GAAG,+BAA+B;IAEhD,MAAMC,IAAI,GAAGzE,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACC,IAAI,EAAE;MACvC7E,IAAI,EAAE0E,QAAQ;MACdzE,MAAM,EAAE;QACJ6E,gBAAgB,EAAE;UACdvB,OAAO,EAAE,YAAY;UACrBC,SAAS,EAAE,CACP;YACII,MAAM,EAAE,gBAAgB;YACxBF,SAAS,EAAE;cACPqB,OAAO,EAAE;YACb,CAAC;YACDtB,MAAM,EAAE;UACZ,CAAC;QAET;MACJ,CAAC;MACDuB,IAAI,EAAE;QAAEC,oBAAoB,EAAE;MAAK;IACvC,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAGC,gCAAgC,CAACjF,GAAG,EAAEkB,MAAM,CAACmB,MAAM,CAAC;IAEnErC,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;MAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,gCAAgC;MACjDzE,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;QACjB8C,SAAS,EAAEH,MAAM,CAAC3C,MAAM,CAACwB;MAC7B;IACJ,CAAC,CAAC;;IAEF;IACA,IAAIjD,GAAG,EAAE;MACLZ,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;QAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,kCAAkC;QACnDzE,MAAM,EAAE;UACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;UACjB8C,SAAS,EAAErG,GA
AG,CAAC4F,GAAG,CAACU,aAAa,CAACC;QACrC;MACJ,CAAC,CAAC;IACN,CAAC,MAAM;MACHrF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;QAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,8BAA8B;QAC/CzE,MAAM,EAAE;UACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;UACjB8C,SAAS,EAAErG,GAAG,CAAC4F,GAAG,CAACU,aAAa,CAACE;QACrC;MACJ,CAAC,CAAC;IACN;IAEAtF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;MAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,iCAAiC;MAClDzE,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;QACjB8C,SAAS,EAAErG,GAAG,CAAC4F,GAAG,CAACU,aAAa,CAACG;MACrC;IACJ,CAAC,CAAC;;IAEF;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMC,MAAM,GAAGxF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0G,MAAM,CAACC,QAAQ,EAAE;MAChD3F,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM,CAACwB,GAAG;QACrB6B,OAAO,EAAEC,yBAAc;QACvBC,OAAO,EAAE,iBAAiB;QAC1BC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,IAAI;QAChBC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,KAAK,EAAE3E,MAAM,CAACF,OAAO,CAACT,GAAG,CAACsF,KAAK,CAAC;YAChCC,uBAAuB,EAAEhF,MAAM,CAACmB,MAAM,CAAC8D,QAAQ;YAC/CC,YAAY,EAAEpF,gBAAgB,CAACqB,MAAM,CAACvC;UAC1C;QACJ,CAAC;QACDuG,WAAW,EAAE,0BAA0B;QACvCC,IAAI,EAAE,IAAI1H,MAAM,CAAC2H,KAAK,CAACC,YAAY,CAAC;UAChC,GAAG,EAAE,IAAI5H,MAAM,CAAC2H,KAAK,CAACE,WAAW,CAC7BC,aAAI,CAACC,IAAI,CAAC3G,GAAG,CAAC4G,KAAK,CAACC,SAAS,EAAE,uBAAuB,CAC1D;QACJ,CAAC,CAAC;QACFC,SAAS,EAAElG,GAAG,GACR;UACIoB,SAAS,EAAEpB,GAAG,CAACqB,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;UACpDC,gBAAgB,EAAE,CAAC3B,GAAG,CAACA,GAAG,CAACyB,MAAM,CAACG,sBAAsB;QAC5D,CAAC,GACDC;MACV;IACJ,CAAC,CAAC;IAEF,MAAMsE,kBAAkB,GAAG/G,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0G,MAAM,CAACwB,kBAAkB,EAAE;MACtElH,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJkH,cAAc,EAAEnD,KAAK,CAACzB,MAAM,CAAC6E,SAAS;QACtCC,YAAY,EAAE3B,MAAM,CAACnD,MAAM,CAACwB,GAAG;QAC/BuD,gBAAgB,EAAE,QAAQ;QAC1BC,oBAAoB,EAAE,CAAC;QACvBC,SAAS,EAAE,EAAE;QACbC,8BAA8B,EAAE;MACpC;IACJ,CAAC,CAAC;IAEFvH,GAAG,CAACwH,UAAU,CAAC;MACXC,sBAAsB,EAAEvG,MAAM,CAACmB,MAAM,CAACwB,GAAG;MACzC6D,2BAA2B,EAAExG,MAAM,CAACmB,MAAM,CAAC8D,QAAQ;MACnDwB,6BAA6B,EAAE7D,KAAK,CAACzB,MAAM,CAA
CwB,GAAG;MAC/C+D,8BAA8B,EAAE9D,KAAK,CAACzB,MAAM,CAACvC,IAAI;MACjD+H,sCAAsC,EAAErC,MAAM,CAACnD,MAAM,CAACvC;IAC1D,CAAC,CAAC;IAEF,OAAO;MACHoB,MAAM;MACNC,YAAY;MACZ2C,KAAK;MACLgE,eAAe,EAAE;QACbrD,IAAI;QACJO,MAAM;QACNQ,MAAM;QACNuB;MACJ;IACJ,CAAC;EACL;AACJ,CAAC,CAAC;AAEF,SAAS9B,gCAAgCA,CACrCjF,GAAc,EACdkB,MAAmF,EACrF;EACE,OAAOlB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACqD,MAAM,EAAE;IACnCjI,IAAI,EAAE,uCAAuC;IAC7CC,MAAM,EAAE;MACJsG,WAAW,EAAE,uDAAuD;MACpErB,MAAM,EAAE;QACJ3B,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACI0E,GAAG,EAAE,iBAAiB;UACtBzE,MAAM,EAAE,OAAO;UACfG,MAAM,EAAE,CACJ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc,CACjB;UACDC,QAAQ,EAAE,CACN/E,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAAC2C,GAAG,EAAE,EACjCjF,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAAC2C,GAAG,IAAI;QAE3C,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
1
+ {"version":3,"names":["_path","_interopRequireDefault","require","pulumi","_interopRequireWildcard","aws","_pulumi2","_awsUtils","_CoreVpc","_constants","_LogDynamo","getDevClusterConfig","instanceType","getProdClusterConfig","instanceCount","zoneAwarenessEnabled","zoneAwarenessConfig","availabilityZoneCount","ElasticSearch","exports","createAppModule","name","config","app","params","domainName","accountId","getAwsAccountId","productionEnvironments","create","DEFAULT_PROD_ENV_NAMES","isProduction","includes","run","env","vpc","getModule","CoreVpc","optional","logDynamoDbTable","LogDynamo","domain","domainPolicy","process","AWS_ELASTIC_SEARCH_DOMAIN_NAME","String","addRemoteResource","elasticsearch","getDomain","async","addResource","Domain","elasticsearchVersion","clusterConfig","vpcOptions","subnetIds","subnets","private","map","s","output","id","securityGroupIds","defaultSecurityGroupId","undefined","ebsOptions","ebsEnabled","volumeSize","volumeType","advancedOptions","snapshotOptions","automatedSnapshotStartHour","opts","protect","DomainPolicy","accessPolicies","Version","Statement","Effect","Principal","AWS","Action","Resource","interpolate","arn","table","dynamodb","Table","attributes","type","streamEnabled","streamViewType","billingMode","hashKey","rangeKey","roleName","role","iam","Role","assumeRolePolicy","Service","meta","isLambdaFunctionRole","policy","getDynamoDbToElasticLambdaPolicy","RolePolicyAttachment","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","lambda","Function","runtime","LAMBDA_RUNTIME","handler","timeout","memorySize","environment","variables","DEBUG","ELASTIC_SEARCH_ENDPOINT","endpoint","DB_TABLE_LOG","description","code","asset","AssetArchive","FileArchive","path","join","paths","workspace","vpcConfig","eventSourceMapping","EventSourceMapping","eventSourceArn","streamArn","functionName","startingPosition","maximumRetryAttempts","batchSize","maximumBatchingWindo
wInSeconds","addOutputs","elasticsearchDomainArn","elasticsearchDomainEndpoint","elasticsearchDynamodbTableArn","elasticsearchDynamodbTableName","elasticsearchDynamoToElasticLambdaName","dynamoToElastic","Policy","Sid"],"sources":["CoreElasticSearch.ts"],"sourcesContent":["/**\n * Important documents to read:\n *\n * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#network-limits\n */\nimport path from \"path\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport {\n createAppModule,\n PulumiApp,\n PulumiAppRemoteResource,\n PulumiAppResource,\n PulumiAppResourceConstructor\n} from \"@webiny/pulumi\";\n\nimport { getAwsAccountId } from \"../awsUtils\";\nimport { CoreVpc } from \"./CoreVpc\";\nimport { DEFAULT_PROD_ENV_NAMES, LAMBDA_RUNTIME } from \"~/constants\";\nimport { LogDynamo } from \"~/apps/core/LogDynamo\";\n\nexport interface ElasticSearchParams {\n protect: boolean;\n}\n\nfunction getDevClusterConfig(): aws.types.input.elasticsearch.DomainClusterConfig {\n return {\n instanceType: \"t3.small.elasticsearch\"\n };\n}\n\nfunction getProdClusterConfig(): aws.types.input.elasticsearch.DomainClusterConfig {\n return {\n // For production deployments, we create 2 instances and configure multi-AZ.\n instanceType: \"t3.medium.elasticsearch\",\n instanceCount: 2,\n zoneAwarenessEnabled: true,\n zoneAwarenessConfig: {\n availabilityZoneCount: 2\n }\n };\n}\n\nexport const ElasticSearch = createAppModule({\n name: \"ElasticSearch\",\n config(app, params: ElasticSearchParams) {\n const domainName = \"webiny-js\";\n const accountId = getAwsAccountId(app);\n\n const productionEnvironments =\n app.params.create.productionEnvironments || DEFAULT_PROD_ENV_NAMES;\n const isProduction = productionEnvironments.includes(app.params.run.env);\n\n const vpc = app.getModule(CoreVpc, { optional: true });\n\n const logDynamoDbTable = app.getModule(LogDynamo);\n\n // This needs to be implemented in order to be 
able to use a shared ElasticSearch cluster.\n let domain:\n | PulumiAppResource<PulumiAppResourceConstructor<aws.elasticsearch.Domain>>\n | PulumiAppRemoteResource<aws.elasticsearch.GetDomainResult>;\n\n let domainPolicy;\n\n if (process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME) {\n const domainName = String(process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME);\n // This can be useful for testing purposes in ephemeral environments. More information here:\n // https://www.webiny.com/docs/key-topics/ci-cd/testing/slow-ephemeral-environments\n domain = app.addRemoteResource(domainName, () => {\n return aws.elasticsearch.getDomain({ domainName }, { async: true });\n });\n } else {\n // Regular ElasticSearch deployment.\n domain = app.addResource(aws.elasticsearch.Domain, {\n name: domainName,\n config: {\n elasticsearchVersion: \"7.10\",\n clusterConfig: isProduction ? getProdClusterConfig() : getDevClusterConfig(),\n vpcOptions: vpc\n ? {\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined,\n ebsOptions: {\n ebsEnabled: true,\n volumeSize: 10,\n volumeType: \"gp2\"\n },\n advancedOptions: {\n \"rest.action.multi.allow_explicit_index\": \"true\"\n },\n snapshotOptions: {\n automatedSnapshotStartHour: 23\n }\n },\n opts: { protect: params.protect }\n });\n\n /**\n * Domain policy defines who can access your Elasticsearch Domain.\n * For details on Elasticsearch security, read the official documentation:\n * https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/security.html\n */\n domainPolicy = app.addResource(aws.elasticsearch.DomainPolicy, {\n name: `${domainName}-policy`,\n config: {\n domainName: domain.output.domainName,\n accessPolicies: {\n Version: \"2012-10-17\",\n Statement: [\n /**\n * Allow requests signed with current account\n */\n {\n Effect: \"Allow\",\n Principal: {\n AWS: accountId\n },\n Action: \"es:*\",\n Resource: pulumi.interpolate`${domain.output.arn}/*`\n }\n 
]\n }\n },\n opts: { protect: params.protect }\n });\n }\n\n /**\n * Create a table for Elasticsearch records. All ES records are stored in this table to dramatically improve\n * performance and stability on write operations (especially massive data imports). This table also serves as a backup and\n * a single source of truth for your Elasticsearch domain. Streaming is enabled on this table, and it will\n * allow asynchronous synchronization of data with Elasticsearch domain.\n */\n const table = app.addResource(aws.dynamodb.Table, {\n name: \"webiny-es\",\n config: {\n attributes: [\n { name: \"PK\", type: \"S\" },\n { name: \"SK\", type: \"S\" }\n ],\n streamEnabled: true,\n streamViewType: \"NEW_AND_OLD_IMAGES\",\n billingMode: \"PAY_PER_REQUEST\",\n hashKey: \"PK\",\n rangeKey: \"SK\"\n },\n opts: { protect: params.protect }\n });\n\n const roleName = \"dynamo-to-elastic-lambda-role\";\n\n const role = app.addResource(aws.iam.Role, {\n name: roleName,\n config: {\n assumeRolePolicy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Action: \"sts:AssumeRole\",\n Principal: {\n Service: \"lambda.amazonaws.com\"\n },\n Effect: \"Allow\"\n }\n ]\n }\n },\n meta: { isLambdaFunctionRole: true }\n });\n\n const policy = getDynamoDbToElasticLambdaPolicy(app, domain.output);\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-DynamoDbToElasticLambdaPolicy`,\n config: {\n role: role.output,\n policyArn: policy.output.arn\n }\n });\n\n // Only use `AWSLambdaVPCAccessExecutionRole` policy if VPC feature is enabled.\n if (vpc) {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaVPCAccessExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n } else {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaBasicExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole\n }\n 
});\n }\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaDynamoDBExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaDynamoDBExecutionRole\n }\n });\n\n /**\n * This Lambda will process the stream events from DynamoDB table that contains Elasticsearch items.\n * Elasticsearch can't take large amount of individual writes in a short period of time, so this way\n * we store data for Elasticsearch in a DynamoDB table, and asynchronously insert it into Elasticsearch\n * using batching.\n */\n const lambda = app.addResource(aws.lambda.Function, {\n name: \"dynamo-to-elastic\",\n config: {\n role: role.output.arn,\n runtime: LAMBDA_RUNTIME,\n handler: \"handler.handler\",\n timeout: 900,\n memorySize: 1024,\n environment: {\n variables: {\n DEBUG: String(process.env.DEBUG),\n ELASTIC_SEARCH_ENDPOINT: domain.output.endpoint,\n DB_TABLE_LOG: logDynamoDbTable.output.name\n }\n },\n description: \"Process DynamoDB Stream.\",\n code: new pulumi.asset.AssetArchive({\n \".\": new pulumi.asset.FileArchive(\n path.join(app.paths.workspace, \"dynamoToElastic/build\")\n )\n }),\n vpcConfig: vpc\n ? 
{\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined\n }\n });\n\n const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {\n name: \"dynamo-to-elastic\",\n config: {\n eventSourceArn: table.output.streamArn,\n functionName: lambda.output.arn,\n startingPosition: \"LATEST\",\n maximumRetryAttempts: 3,\n batchSize: 50,\n maximumBatchingWindowInSeconds: 1\n }\n });\n\n app.addOutputs({\n elasticsearchDomainArn: domain.output.arn,\n elasticsearchDomainEndpoint: domain.output.endpoint,\n elasticsearchDynamodbTableArn: table.output.arn,\n elasticsearchDynamodbTableName: table.output.name,\n elasticsearchDynamoToElasticLambdaName: lambda.output.name\n });\n\n return {\n domain,\n domainPolicy,\n table,\n dynamoToElastic: {\n role,\n policy,\n lambda,\n eventSourceMapping\n }\n };\n }\n});\n\nfunction getDynamoDbToElasticLambdaPolicy(\n app: PulumiApp,\n domain: pulumi.Output<aws.elasticsearch.Domain | aws.elasticsearch.GetDomainResult>\n) {\n return app.addResource(aws.iam.Policy, {\n name: \"DynamoDbToElasticLambdaPolicy-updated\",\n config: {\n description: \"This policy enables access to ES and Dynamodb streams\",\n policy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Sid: \"PermissionForES\",\n Effect: \"Allow\",\n Action: [\n \"es:ESHttpGet\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPatch\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\",\n \"dynamodb:BatchGetItem\",\n \"dynamodb:BatchWriteItem\",\n \"dynamodb:PutItem\",\n \"dynamodb:GetItem\",\n \"dynamodb:DeleteItem\",\n \"dynamodb:Query\",\n \"dynamodb:UpdateItem\"\n ],\n Resource: [\n pulumi.interpolate`${domain.arn}`,\n pulumi.interpolate`${domain.arn}/*`\n ]\n }\n ]\n }\n }\n 
});\n}\n"],"mappings":";;;;;;;;AAKA,IAAAA,KAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,GAAA,GAAAD,uBAAA,CAAAF,OAAA;AACA,IAAAI,QAAA,GAAAJ,OAAA;AAQA,IAAAK,SAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AACA,IAAAO,UAAA,GAAAP,OAAA;AACA,IAAAQ,UAAA,GAAAR,OAAA;AAnBA;AACA;AACA;AACA;AACA;;AAqBA,SAASS,mBAAmBA,CAAA,EAAsD;EAC9E,OAAO;IACHC,YAAY,EAAE;EAClB,CAAC;AACL;AAEA,SAASC,oBAAoBA,CAAA,EAAsD;EAC/E,OAAO;IACH;IACAD,YAAY,EAAE,yBAAyB;IACvCE,aAAa,EAAE,CAAC;IAChBC,oBAAoB,EAAE,IAAI;IAC1BC,mBAAmB,EAAE;MACjBC,qBAAqB,EAAE;IAC3B;EACJ,CAAC;AACL;AAEO,MAAMC,aAAa,GAAAC,OAAA,CAAAD,aAAA,GAAG,IAAAE,wBAAe,EAAC;EACzCC,IAAI,EAAE,eAAe;EACrBC,MAAMA,CAACC,GAAG,EAAEC,MAA2B,EAAE;IACrC,MAAMC,UAAU,GAAG,WAAW;IAC9B,MAAMC,SAAS,GAAG,IAAAC,yBAAe,EAACJ,GAAG,CAAC;IAEtC,MAAMK,sBAAsB,GACxBL,GAAG,CAACC,MAAM,CAACK,MAAM,CAACD,sBAAsB,IAAIE,iCAAsB;IACtE,MAAMC,YAAY,GAAGH,sBAAsB,CAACI,QAAQ,CAACT,GAAG,CAACC,MAAM,CAACS,GAAG,CAACC,GAAG,CAAC;IAExE,MAAMC,GAAG,GAAGZ,GAAG,CAACa,SAAS,CAACC,gBAAO,EAAE;MAAEC,QAAQ,EAAE;IAAK,CAAC,CAAC;IAEtD,MAAMC,gBAAgB,GAAGhB,GAAG,CAACa,SAAS,CAACI,oBAAS,CAAC;;IAEjD;IACA,IAAIC,MAE4D;IAEhE,IAAIC,YAAY;IAEhB,IAAIC,OAAO,CAACT,GAAG,CAACU,8BAA8B,EAAE;MAC5C,MAAMnB,UAAU,GAAGoB,MAAM,CAACF,OAAO,CAACT,GAAG,CAACU,8BAA8B,CAAC;MACrE;MACA;MACAH,MAAM,GAAGlB,GAAG,CAACuB,iBAAiB,CAACrB,UAAU,EAAE,MAAM;QAC7C,OAAOpB,GAAG,CAAC0C,aAAa,CAACC,SAAS,CAAC;UAAEvB;QAAW,CAAC,EAAE;UAAEwB,KAAK,EAAE;QAAK,CAAC,CAAC;MACvE,CAAC,CAAC;IACN,CAAC,MAAM;MACH;MACAR,MAAM,GAAGlB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0C,aAAa,CAACI,MAAM,EAAE;QAC/C9B,IAAI,EAAEI,UAAU;QAChBH,MAAM,EAAE;UACJ8B,oBAAoB,EAAE,MAAM;UAC5BC,aAAa,EAAEtB,YAAY,GAAGlB,oBAAoB,CAAC,CAAC,GAAGF,mBAAmB,CAAC,CAAC;UAC5E2C,UAAU,EAAEnB,GAAG,GACT;YACIoB,SAAS,EAAEpB,GAAG,CAACqB,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;YACpDC,gBAAgB,EAAE,CAAC3B,GAAG,CAACA,GAAG,CAACyB,MAAM,CAACG,sBAAsB;UAC5D,CAAC,GACDC,SAAS;UACfC,UAAU,EAAE;YACRC,UAAU,EAAE,IAAI;YAChBC,UAAU,EAAE,EAAE;YACdC,UAAU,EAAE;UAChB,CAAC;UACDC,eAAe,EAAE;YACb,wCAAwC,EAAE;UAC9C,CA
AC;UACDC,eAAe,EAAE;YACbC,0BAA0B,EAAE;UAChC;QACJ,CAAC;QACDC,IAAI,EAAE;UAAEC,OAAO,EAAEjD,MAAM,CAACiD;QAAQ;MACpC,CAAC,CAAC;;MAEF;AACZ;AACA;AACA;AACA;MACY/B,YAAY,GAAGnB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0C,aAAa,CAAC2B,YAAY,EAAE;QAC3DrD,IAAI,EAAE,GAAGI,UAAU,SAAS;QAC5BH,MAAM,EAAE;UACJG,UAAU,EAAEgB,MAAM,CAACmB,MAAM,CAACnC,UAAU;UACpCkD,cAAc,EAAE;YACZC,OAAO,EAAE,YAAY;YACrBC,SAAS,EAAE;YACP;AAC5B;AACA;YAC4B;cACIC,MAAM,EAAE,OAAO;cACfC,SAAS,EAAE;gBACPC,GAAG,EAAEtD;cACT,CAAC;cACDuD,MAAM,EAAE,MAAM;cACdC,QAAQ,EAAE/E,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAACmB,MAAM,CAACwB,GAAG;YACpD,CAAC;UAET;QACJ,CAAC;QACDZ,IAAI,EAAE;UAAEC,OAAO,EAAEjD,MAAM,CAACiD;QAAQ;MACpC,CAAC,CAAC;IACN;;IAEA;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMY,KAAK,GAAG9D,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAACiF,QAAQ,CAACC,KAAK,EAAE;MAC9ClE,IAAI,EAAE,WAAW;MACjBC,MAAM,EAAE;QACJkE,UAAU,EAAE,CACR;UAAEnE,IAAI,EAAE,IAAI;UAAEoE,IAAI,EAAE;QAAI,CAAC,EACzB;UAAEpE,IAAI,EAAE,IAAI;UAAEoE,IAAI,EAAE;QAAI,CAAC,CAC5B;QACDC,aAAa,EAAE,IAAI;QACnBC,cAAc,EAAE,oBAAoB;QACpCC,WAAW,EAAE,iBAAiB;QAC9BC,OAAO,EAAE,IAAI;QACbC,QAAQ,EAAE;MACd,CAAC;MACDtB,IAAI,EAAE;QAAEC,OAAO,EAAEjD,MAAM,CAACiD;MAAQ;IACpC,CAAC,CAAC;IAEF,MAAMsB,QAAQ,GAAG,+BAA+B;IAEhD,MAAMC,IAAI,GAAGzE,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACC,IAAI,EAAE;MACvC7E,IAAI,EAAE0E,QAAQ;MACdzE,MAAM,EAAE;QACJ6E,gBAAgB,EAAE;UACdvB,OAAO,EAAE,YAAY;UACrBC,SAAS,EAAE,CACP;YACII,MAAM,EAAE,gBAAgB;YACxBF,SAAS,EAAE;cACPqB,OAAO,EAAE;YACb,CAAC;YACDtB,MAAM,EAAE;UACZ,CAAC;QAET;MACJ,CAAC;MACDuB,IAAI,EAAE;QAAEC,oBAAoB,EAAE;MAAK;IACvC,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAGC,gCAAgC,CAACjF,GAAG,EAAEkB,MAAM,CAACmB,MAAM,CAAC;IAEnErC,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;MAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,gCAAgC;MACjDzE,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;QACjB8C,SAAS,EAAEH,MAAM,CAAC3C,MAAM,CAACwB;MAC7B;IACJ,CAAC,CAAC;;IAEF;IACA,IAAIjD,GAAG,EAAE;MACLZ,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;QAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,kCAAkC;QACnDzE,MAAM,EAAE;UACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;UACjB8C,SAAS,EAAErG,GA
AG,CAAC4F,GAAG,CAACU,aAAa,CAACC;QACrC;MACJ,CAAC,CAAC;IACN,CAAC,MAAM;MACHrF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;QAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,8BAA8B;QAC/CzE,MAAM,EAAE;UACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;UACjB8C,SAAS,EAAErG,GAAG,CAAC4F,GAAG,CAACU,aAAa,CAACE;QACrC;MACJ,CAAC,CAAC;IACN;IAEAtF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACQ,oBAAoB,EAAE;MAC1CpF,IAAI,EAAE,GAAG0E,QAAQ,iCAAiC;MAClDzE,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM;QACjB8C,SAAS,EAAErG,GAAG,CAAC4F,GAAG,CAACU,aAAa,CAACG;MACrC;IACJ,CAAC,CAAC;;IAEF;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMC,MAAM,GAAGxF,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0G,MAAM,CAACC,QAAQ,EAAE;MAChD3F,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJ0E,IAAI,EAAEA,IAAI,CAACpC,MAAM,CAACwB,GAAG;QACrB6B,OAAO,EAAEC,yBAAc;QACvBC,OAAO,EAAE,iBAAiB;QAC1BC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,IAAI;QAChBC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,KAAK,EAAE3E,MAAM,CAACF,OAAO,CAACT,GAAG,CAACsF,KAAK,CAAC;YAChCC,uBAAuB,EAAEhF,MAAM,CAACmB,MAAM,CAAC8D,QAAQ;YAC/CC,YAAY,EAAEpF,gBAAgB,CAACqB,MAAM,CAACvC;UAC1C;QACJ,CAAC;QACDuG,WAAW,EAAE,0BAA0B;QACvCC,IAAI,EAAE,IAAI1H,MAAM,CAAC2H,KAAK,CAACC,YAAY,CAAC;UAChC,GAAG,EAAE,IAAI5H,MAAM,CAAC2H,KAAK,CAACE,WAAW,CAC7BC,aAAI,CAACC,IAAI,CAAC3G,GAAG,CAAC4G,KAAK,CAACC,SAAS,EAAE,uBAAuB,CAC1D;QACJ,CAAC,CAAC;QACFC,SAAS,EAAElG,GAAG,GACR;UACIoB,SAAS,EAAEpB,GAAG,CAACqB,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;UACpDC,gBAAgB,EAAE,CAAC3B,GAAG,CAACA,GAAG,CAACyB,MAAM,CAACG,sBAAsB;QAC5D,CAAC,GACDC;MACV;IACJ,CAAC,CAAC;IAEF,MAAMsE,kBAAkB,GAAG/G,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC0G,MAAM,CAACwB,kBAAkB,EAAE;MACtElH,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJkH,cAAc,EAAEnD,KAAK,CAACzB,MAAM,CAAC6E,SAAS;QACtCC,YAAY,EAAE3B,MAAM,CAACnD,MAAM,CAACwB,GAAG;QAC/BuD,gBAAgB,EAAE,QAAQ;QAC1BC,oBAAoB,EAAE,CAAC;QACvBC,SAAS,EAAE,EAAE;QACbC,8BAA8B,EAAE;MACpC;IACJ,CAAC,CAAC;IAEFvH,GAAG,CAACwH,UAAU,CAAC;MACXC,sBAAsB,EAAEvG,MAAM,CAACmB,MAAM,CAACwB,GAAG;MACzC6D,2BAA2B,EAAExG,MAAM,CAACmB,MAAM,CAAC8D,QAAQ;MACnDwB,6BAA6B,EAAE7D,KAAK,CAACzB,MAAM,CAA
CwB,GAAG;MAC/C+D,8BAA8B,EAAE9D,KAAK,CAACzB,MAAM,CAACvC,IAAI;MACjD+H,sCAAsC,EAAErC,MAAM,CAACnD,MAAM,CAACvC;IAC1D,CAAC,CAAC;IAEF,OAAO;MACHoB,MAAM;MACNC,YAAY;MACZ2C,KAAK;MACLgE,eAAe,EAAE;QACbrD,IAAI;QACJO,MAAM;QACNQ,MAAM;QACNuB;MACJ;IACJ,CAAC;EACL;AACJ,CAAC,CAAC;AAEF,SAAS9B,gCAAgCA,CACrCjF,GAAc,EACdkB,MAAmF,EACrF;EACE,OAAOlB,GAAG,CAAC2B,WAAW,CAAC7C,GAAG,CAAC4F,GAAG,CAACqD,MAAM,EAAE;IACnCjI,IAAI,EAAE,uCAAuC;IAC7CC,MAAM,EAAE;MACJsG,WAAW,EAAE,uDAAuD;MACpErB,MAAM,EAAE;QACJ3B,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACI0E,GAAG,EAAE,iBAAiB;UACtBzE,MAAM,EAAE,OAAO;UACfG,MAAM,EAAE,CACJ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,uBAAuB,EACvB,yBAAyB,EACzB,kBAAkB,EAClB,kBAAkB,EAClB,qBAAqB,EACrB,gBAAgB,EAChB,qBAAqB,CACxB;UACDC,QAAQ,EAAE,CACN/E,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAAC2C,GAAG,EAAE,EACjCjF,MAAM,CAACgF,WAAW,GAAG1C,MAAM,CAAC2C,GAAG,IAAI;QAE3C,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
@@ -283,7 +283,7 @@ function getDynamoDbToElasticLambdaPolicy(app, domain) {
283
283
  Statement: [{
284
284
  Sid: "PermissionForES",
285
285
  Effect: "Allow",
286
- Action: ["es:ESHttpGet", "es:ESHttpDelete", "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut"],
286
+ Action: ["es:ESHttpGet", "es:ESHttpDelete", "es:ESHttpPatch", "es:ESHttpPost", "es:ESHttpPut", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:UpdateItem"],
287
287
  Resource: [pulumi.interpolate`${domain.arn}`, pulumi.interpolate`${domain.arn}/*`]
288
288
  }]
289
289
  }
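Review bot: The seven `dynamodb:` actions added to the `Action` array of the `PermissionForES` statement are paired with a `Resource` list that holds only the OpenSearch domain ARN (`${domain.arn}` and `${domain.arn}/*`), so they cannot match a DynamoDB table and, as far as this hunk shows, grant the Lambda role nothing. They belong in a separate statement with its own `Sid`, whose `Resource` is the ARN of the specific table, presumably the log table whose name reaches the function as `DB_TABLE_LOG`. Widening `Resource` to `*` instead would give the role write and delete rights on every table in the account. The list should also be trimmed to what the handler actually calls, since `BatchWriteItem`, `DeleteItem` and `UpdateItem` are broad for a stream consumer. `getDynamoDbToElasticLambdaPolicy` starts above the hunk and takes only `(app, domain)`, so the table ARN would have to be added as a parameter.

```javascript
Statement: [{
  Sid: "PermissionForES",
  // … unchanged: Effect, the five es:ESHttp* actions, the domain Resource list …
}, {
  Sid: "PermissionForDynamoDb",
  Effect: "Allow",
  // keep only the actions the handler really issues
  Action: ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:UpdateItem"],
  // tableArn is a placeholder: the ARN of the one table this Lambda uses, passed in by the caller
  Resource: [tableArn]
}]
```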
@@ -1 +1 @@
1
- {"version":3,"names":["_path","_interopRequireDefault","require","pulumi","_interopRequireWildcard","aws","random","_pulumi2","_awsUtils","_CoreVpc","_constants","_LogDynamo","getDevClusterConfig","instanceType","getProdClusterConfig","instanceCount","zoneAwarenessEnabled","zoneAwarenessConfig","availabilityZoneCount","OS_ENGINE_VERSION","OpenSearch","exports","createAppModule","name","config","app","params","productionEnvironments","create","DEFAULT_PROD_ENV_NAMES","isProduction","includes","run","env","vpc","getModule","CoreVpc","optional","logDynamoDbTable","LogDynamo","domain","domainPolicy","process","AWS_ELASTIC_SEARCH_DOMAIN_NAME","domainName","String","addRemoteResource","opensearch","getDomain","async","randomId","RandomId","byteLength","namePrefix","getParam","pulumiResourceNamePrefix","domainLogicalName","domainPhysicalName","hex","apply","slice","addResource","Domain","engineVersion","clusterConfig","vpcOptions","subnetIds","subnets","private","map","s","output","id","securityGroupIds","defaultSecurityGroupId","undefined","ebsOptions","ebsEnabled","volumeSize","volumeType","advancedOptions","snapshotOptions","automatedSnapshotStartHour","opts","protect","accountId","getAwsAccountId","DomainPolicy","accessPolicies","all","arn","domainArn","JSON","stringify","Version","Statement","Effect","Principal","AWS","Action","Resource","table","dynamodb","Table","attributes","type","streamEnabled","streamViewType","billingMode","hashKey","rangeKey","roleName","role","iam","Role","assumeRolePolicy","Service","meta","isLambdaFunctionRole","policy","getDynamoDbToElasticLambdaPolicy","RolePolicyAttachment","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","lambda","Function","runtime","LAMBDA_RUNTIME","handler","timeout","memorySize","environment","variables","DEBUG","ELASTIC_SEARCH_ENDPOINT","endpoint","DB_TABLE_LOG","description","code","asset","AssetArchive","FileArchive","path","join","path
s","workspace","vpcConfig","eventSourceMapping","EventSourceMapping","eventSourceArn","streamArn","functionName","startingPosition","maximumRetryAttempts","batchSize","maximumBatchingWindowInSeconds","addOutputs","elasticsearchDomainArn","elasticsearchDomainEndpoint","elasticsearchDynamodbTableArn","elasticsearchDynamodbTableName","dynamoToElastic","Policy","Sid","interpolate"],"sources":["CoreOpenSearch.ts"],"sourcesContent":["/**\n * Important documents to read:\n *\n * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#network-limits\n */\nimport path from \"path\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport * as random from \"@pulumi/random\";\nimport {\n createAppModule,\n PulumiApp,\n PulumiAppResource,\n PulumiAppResourceConstructor,\n PulumiAppRemoteResource\n} from \"@webiny/pulumi\";\n\nimport { getAwsAccountId } from \"../awsUtils\";\nimport { CoreVpc } from \"./CoreVpc\";\nimport { DEFAULT_PROD_ENV_NAMES, LAMBDA_RUNTIME } from \"~/constants\";\nimport { LogDynamo } from \"~/apps/core/LogDynamo\";\n\nexport interface OpenSearchParams {\n protect: boolean;\n}\n\nfunction getDevClusterConfig(): aws.types.input.opensearch.DomainClusterConfig {\n return {\n instanceType: \"t3.small.search\"\n };\n}\n\nfunction getProdClusterConfig(): aws.types.input.opensearch.DomainClusterConfig {\n return {\n // For production deployments, we create 2 instances and configure multi-AZ.\n instanceType: \"t3.medium.search\",\n instanceCount: 2,\n zoneAwarenessEnabled: true,\n zoneAwarenessConfig: {\n availabilityZoneCount: 2\n }\n };\n}\n\nconst OS_ENGINE_VERSION = \"OpenSearch_2.11\";\n\nexport const OpenSearch = createAppModule({\n name: \"OpenSearch\",\n config(app, params: OpenSearchParams) {\n const productionEnvironments =\n app.params.create.productionEnvironments || DEFAULT_PROD_ENV_NAMES;\n const isProduction = productionEnvironments.includes(app.params.run.env);\n\n const vpc = 
app.getModule(CoreVpc, { optional: true });\n\n const logDynamoDbTable = app.getModule(LogDynamo);\n\n // This needs to be implemented in order to be able to use a shared OpenSearch cluster.\n let domain:\n | PulumiAppResource<PulumiAppResourceConstructor<aws.opensearch.Domain>>\n | PulumiAppRemoteResource<aws.opensearch.GetDomainResult>;\n\n let domainPolicy;\n\n if (process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME) {\n const domainName = String(process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME);\n // This can be useful for testing purposes in ephemeral environments. More information here:\n // https://www.webiny.com/docs/key-topics/ci-cd/testing/slow-ephemeral-environments\n domain = app.addRemoteResource(domainName, () => {\n return aws.opensearch.getDomain({ domainName }, { async: true });\n });\n } else {\n const randomId = new random.RandomId(\"osDomainRandomId\", { byteLength: 8 });\n const namePrefix = app.getParam(app.params.create.pulumiResourceNamePrefix) || \"\";\n\n const domainLogicalName = \"webiny-js\";\n const domainPhysicalName = randomId.hex.apply((hex: string) => {\n return `${namePrefix}${domainLogicalName}-${hex.slice(-7)}`;\n });\n\n domain = app.addResource(aws.opensearch.Domain, {\n name: domainLogicalName,\n config: {\n domainName: domainPhysicalName,\n engineVersion: OS_ENGINE_VERSION,\n clusterConfig: isProduction ? getProdClusterConfig() : getDevClusterConfig(),\n vpcOptions: vpc\n ? 
{\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined,\n ebsOptions: {\n ebsEnabled: true,\n volumeSize: 10,\n volumeType: \"gp2\"\n },\n advancedOptions: {\n \"rest.action.multi.allow_explicit_index\": \"true\"\n },\n snapshotOptions: {\n automatedSnapshotStartHour: 23\n }\n },\n opts: { protect: params.protect }\n });\n\n /**\n * Domain policy defines who can access your OpenSearch Domain.\n * For details on OpenSearch security, read the official documentation:\n * https://docs.aws.amazon.com/openSearch-service/latest/developerguide/security.html\n */\n const accountId = getAwsAccountId(app);\n\n domainPolicy = app.addResource(aws.opensearch.DomainPolicy, {\n name: `${domainLogicalName}-policy`,\n config: {\n domainName: domain.output.domainName,\n accessPolicies: pulumi\n .all([accountId, domain.output.arn])\n .apply(([accountId, domainArn]) => {\n return JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [\n /**\n * Allow requests signed with current account\n */\n {\n Effect: \"Allow\",\n Principal: {\n AWS: accountId\n },\n Action: \"es:*\",\n Resource: `${domainArn}/*`\n }\n ]\n });\n })\n },\n opts: { protect: params.protect }\n });\n }\n\n /**\n * Create a table for OpenSearch records. All ES records are stored in this table to dramatically improve\n * performance and stability on write operations (especially massive data imports). This table also serves as a backup and\n * a single source of truth for your OpenSearch domain. 
Streaming is enabled on this table, and it will\n * allow asynchronous synchronization of data with OpenSearch domain.\n */\n const table = app.addResource(aws.dynamodb.Table, {\n name: \"webiny-es\",\n config: {\n attributes: [\n { name: \"PK\", type: \"S\" },\n { name: \"SK\", type: \"S\" }\n ],\n streamEnabled: true,\n streamViewType: \"NEW_AND_OLD_IMAGES\",\n billingMode: \"PAY_PER_REQUEST\",\n hashKey: \"PK\",\n rangeKey: \"SK\"\n },\n opts: { protect: params.protect }\n });\n\n const roleName = \"dynamo-to-elastic-lambda-role\";\n\n const role = app.addResource(aws.iam.Role, {\n name: roleName,\n config: {\n assumeRolePolicy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Action: \"sts:AssumeRole\",\n Principal: {\n Service: \"lambda.amazonaws.com\"\n },\n Effect: \"Allow\"\n }\n ]\n }\n },\n meta: { isLambdaFunctionRole: true }\n });\n\n const policy = getDynamoDbToElasticLambdaPolicy(app, domain.output);\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-DynamoDbToElasticLambdaPolicy`,\n config: {\n role: role.output,\n policyArn: policy.output.arn\n }\n });\n\n // Only use `AWSLambdaVPCAccessExecutionRole` policy if VPC feature is enabled.\n if (vpc) {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaVPCAccessExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n } else {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaBasicExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole\n }\n });\n }\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaDynamoDBExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaDynamoDBExecutionRole\n }\n });\n\n /**\n * This Lambda will process the stream events from DynamoDB table that contains OpenSearch items.\n * OpenSearch can't take large 
amount of individual writes in a short period of time, so this way\n * we store data for OpenSearch in a DynamoDB table, and asynchronously insert it into OpenSearch\n * using batching.\n */\n const lambda = app.addResource(aws.lambda.Function, {\n name: \"dynamo-to-elastic\",\n config: {\n role: role.output.arn,\n runtime: LAMBDA_RUNTIME,\n handler: \"handler.handler\",\n timeout: 900,\n memorySize: 1024,\n environment: {\n variables: {\n DEBUG: String(process.env.DEBUG),\n ELASTIC_SEARCH_ENDPOINT: domain.output.endpoint,\n DB_TABLE_LOG: logDynamoDbTable.output.name\n }\n },\n description: \"Process DynamoDB Stream.\",\n code: new pulumi.asset.AssetArchive({\n \".\": new pulumi.asset.FileArchive(\n path.join(app.paths.workspace, \"dynamoToElastic/build\")\n )\n }),\n vpcConfig: vpc\n ? {\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined\n }\n });\n\n const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {\n name: \"dynamo-to-elastic\",\n config: {\n eventSourceArn: table.output.streamArn,\n functionName: lambda.output.arn,\n startingPosition: \"LATEST\",\n maximumRetryAttempts: 3,\n batchSize: 50,\n maximumBatchingWindowInSeconds: 1\n }\n });\n\n app.addOutputs({\n elasticsearchDomainArn: domain.output.arn,\n elasticsearchDomainEndpoint: domain.output.endpoint,\n elasticsearchDynamodbTableArn: table.output.arn,\n elasticsearchDynamodbTableName: table.output.name\n });\n\n return {\n domain,\n domainPolicy,\n table,\n dynamoToElastic: {\n role,\n policy,\n lambda,\n eventSourceMapping\n }\n };\n }\n});\n\nfunction getDynamoDbToElasticLambdaPolicy(\n app: PulumiApp,\n domain: pulumi.Output<aws.opensearch.Domain | aws.opensearch.GetDomainResult>\n) {\n return app.addResource(aws.iam.Policy, {\n name: \"DynamoDbToElasticLambdaPolicy-updated\",\n config: {\n description: \"This policy enables access to ES and Dynamodb streams\",\n policy: {\n Version: 
\"2012-10-17\",\n Statement: [\n {\n Sid: \"PermissionForES\",\n Effect: \"Allow\",\n Action: [\n \"es:ESHttpGet\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPatch\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\"\n ],\n Resource: [\n pulumi.interpolate`${domain.arn}`,\n pulumi.interpolate`${domain.arn}/*`\n ]\n }\n ]\n }\n }\n });\n}\n"],"mappings":";;;;;;;;AAKA,IAAAA,KAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,GAAA,GAAAD,uBAAA,CAAAF,OAAA;AACA,IAAAI,MAAA,GAAAF,uBAAA,CAAAF,OAAA;AACA,IAAAK,QAAA,GAAAL,OAAA;AAQA,IAAAM,SAAA,GAAAN,OAAA;AACA,IAAAO,QAAA,GAAAP,OAAA;AACA,IAAAQ,UAAA,GAAAR,OAAA;AACA,IAAAS,UAAA,GAAAT,OAAA;AApBA;AACA;AACA;AACA;AACA;;AAsBA,SAASU,mBAAmBA,CAAA,EAAmD;EAC3E,OAAO;IACHC,YAAY,EAAE;EAClB,CAAC;AACL;AAEA,SAASC,oBAAoBA,CAAA,EAAmD;EAC5E,OAAO;IACH;IACAD,YAAY,EAAE,kBAAkB;IAChCE,aAAa,EAAE,CAAC;IAChBC,oBAAoB,EAAE,IAAI;IAC1BC,mBAAmB,EAAE;MACjBC,qBAAqB,EAAE;IAC3B;EACJ,CAAC;AACL;AAEA,MAAMC,iBAAiB,GAAG,iBAAiB;AAEpC,MAAMC,UAAU,GAAAC,OAAA,CAAAD,UAAA,GAAG,IAAAE,wBAAe,EAAC;EACtCC,IAAI,EAAE,YAAY;EAClBC,MAAMA,CAACC,GAAG,EAAEC,MAAwB,EAAE;IAClC,MAAMC,sBAAsB,GACxBF,GAAG,CAACC,MAAM,CAACE,MAAM,CAACD,sBAAsB,IAAIE,iCAAsB;IACtE,MAAMC,YAAY,GAAGH,sBAAsB,CAACI,QAAQ,CAACN,GAAG,CAACC,MAAM,CAACM,GAAG,CAACC,GAAG,CAAC;IAExE,MAAMC,GAAG,GAAGT,GAAG,CAACU,SAAS,CAACC,gBAAO,EAAE;MAAEC,QAAQ,EAAE;IAAK,CAAC,CAAC;IAEtD,MAAMC,gBAAgB,GAAGb,GAAG,CAACU,SAAS,CAACI,oBAAS,CAAC;;IAEjD;IACA,IAAIC,MAEyD;IAE7D,IAAIC,YAAY;IAEhB,IAAIC,OAAO,CAACT,GAAG,CAACU,8BAA8B,EAAE;MAC5C,MAAMC,UAAU,GAAGC,MAAM,CAACH,OAAO,CAACT,GAAG,CAACU,8BAA8B,CAAC;MACrE;MACA;MACAH,MAAM,GAAGf,GAAG,CAACqB,iBAAiB,CAACF,UAAU,EAAE,MAAM;QAC7C,OAAOvC,GAAG,CAAC0C,UAAU,CAACC,SAAS,CAAC;UAAEJ;QAAW,CAAC,EAAE;UAAEK,KAAK,EAAE;QAAK,CAAC,CAAC;MACpE,CAAC,CAAC;IACN,CAAC,MAAM;MACH,MAAMC,QAAQ,GAAG,IAAI5C,MAAM,CAAC6C,QAAQ,CAAC,kBAAkB,EAAE;QAAEC,UAAU,EAAE;MAAE,CAAC,CAAC;MAC3E,MAAMC,UAAU,GAAG5B,GAAG,CAAC6B,QAAQ,CAAC7B,GAAG,CAACC,MAAM,CAACE,MAAM,CAAC2B,wBAAwB,CAAC,IAAI,EAAE;MAEjF,MAAMC,iBAAiB,GAAG,WAAW;MACrC,MAAMC,kBAAkB,GAAGP,QAAQ,CAACQ,GAAG
,CAACC,KAAK,CAAED,GAAW,IAAK;QAC3D,OAAO,GAAGL,UAAU,GAAGG,iBAAiB,IAAIE,GAAG,CAACE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;MAC/D,CAAC,CAAC;MAEFpB,MAAM,GAAGf,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0C,UAAU,CAACe,MAAM,EAAE;QAC5CvC,IAAI,EAAEiC,iBAAiB;QACvBhC,MAAM,EAAE;UACJoB,UAAU,EAAEa,kBAAkB;UAC9BM,aAAa,EAAE5C,iBAAiB;UAChC6C,aAAa,EAAElC,YAAY,GAAGhB,oBAAoB,CAAC,CAAC,GAAGF,mBAAmB,CAAC,CAAC;UAC5EqD,UAAU,EAAE/B,GAAG,GACT;YACIgC,SAAS,EAAEhC,GAAG,CAACiC,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;YACpDC,gBAAgB,EAAE,CAACvC,GAAG,CAACA,GAAG,CAACqC,MAAM,CAACG,sBAAsB;UAC5D,CAAC,GACDC,SAAS;UACfC,UAAU,EAAE;YACRC,UAAU,EAAE,IAAI;YAChBC,UAAU,EAAE,EAAE;YACdC,UAAU,EAAE;UAChB,CAAC;UACDC,eAAe,EAAE;YACb,wCAAwC,EAAE;UAC9C,CAAC;UACDC,eAAe,EAAE;YACbC,0BAA0B,EAAE;UAChC;QACJ,CAAC;QACDC,IAAI,EAAE;UAAEC,OAAO,EAAE1D,MAAM,CAAC0D;QAAQ;MACpC,CAAC,CAAC;;MAEF;AACZ;AACA;AACA;AACA;MACY,MAAMC,SAAS,GAAG,IAAAC,yBAAe,EAAC7D,GAAG,CAAC;MAEtCgB,YAAY,GAAGhB,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0C,UAAU,CAACwC,YAAY,EAAE;QACxDhE,IAAI,EAAE,GAAGiC,iBAAiB,SAAS;QACnChC,MAAM,EAAE;UACJoB,UAAU,EAAEJ,MAAM,CAAC+B,MAAM,CAAC3B,UAAU;UACpC4C,cAAc,EAAErF,MAAM,CACjBsF,GAAG,CAAC,CAACJ,SAAS,EAAE7C,MAAM,CAAC+B,MAAM,CAACmB,GAAG,CAAC,CAAC,CACnC/B,KAAK,CAAC,CAAC,CAAC0B,SAAS,EAAEM,SAAS,CAAC,KAAK;YAC/B,OAAOC,IAAI,CAACC,SAAS,CAAC;cAClBC,OAAO,EAAE,YAAY;cACrBC,SAAS,EAAE;cACP;AACpC;AACA;cACoC;gBACIC,MAAM,EAAE,OAAO;gBACfC,SAAS,EAAE;kBACPC,GAAG,EAAEb;gBACT,CAAC;gBACDc,MAAM,EAAE,MAAM;gBACdC,QAAQ,EAAE,GAAGT,SAAS;cAC1B,CAAC;YAET,CAAC,CAAC;UACN,CAAC;QACT,CAAC;QACDR,IAAI,EAAE;UAAEC,OAAO,EAAE1D,MAAM,CAAC0D;QAAQ;MACpC,CAAC,CAAC;IACN;;IAEA;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMiB,KAAK,GAAG5E,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAACiG,QAAQ,CAACC,KAAK,EAAE;MAC9ChF,IAAI,EAAE,WAAW;MACjBC,MAAM,EAAE;QACJgF,UAAU,EAAE,CACR;UAAEjF,IAAI,EAAE,IAAI;UAAEkF,IAAI,EAAE;QAAI,CAAC,EACzB;UAAElF,IAAI,EAAE,IAAI;UAAEkF,IAAI,EAAE;QAAI,CAAC,CAC5B;QACDC,aAAa,EAAE,IAAI;QACnBC,cAAc,EAAE,oBAAoB;QACpCC,WAAW,EAAE,iBAAiB;QAC9BC,OAAO,EAAE,IAAI;QACbC,QAAQ,EAAE;MACd,CAAC;MACD3B,IAAI,EAA
E;QAAEC,OAAO,EAAE1D,MAAM,CAAC0D;MAAQ;IACpC,CAAC,CAAC;IAEF,MAAM2B,QAAQ,GAAG,+BAA+B;IAEhD,MAAMC,IAAI,GAAGvF,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACC,IAAI,EAAE;MACvC3F,IAAI,EAAEwF,QAAQ;MACdvF,MAAM,EAAE;QACJ2F,gBAAgB,EAAE;UACdrB,OAAO,EAAE,YAAY;UACrBC,SAAS,EAAE,CACP;YACII,MAAM,EAAE,gBAAgB;YACxBF,SAAS,EAAE;cACPmB,OAAO,EAAE;YACb,CAAC;YACDpB,MAAM,EAAE;UACZ,CAAC;QAET;MACJ,CAAC;MACDqB,IAAI,EAAE;QAAEC,oBAAoB,EAAE;MAAK;IACvC,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAGC,gCAAgC,CAAC/F,GAAG,EAAEe,MAAM,CAAC+B,MAAM,CAAC;IAEnE9C,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;MAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,gCAAgC;MACjDvF,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;QACjBmD,SAAS,EAAEH,MAAM,CAAChD,MAAM,CAACmB;MAC7B;IACJ,CAAC,CAAC;;IAEF;IACA,IAAIxD,GAAG,EAAE;MACLT,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;QAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,kCAAkC;QACnDvF,MAAM,EAAE;UACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;UACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACC;QACrC;MACJ,CAAC,CAAC;IACN,CAAC,MAAM;MACHnG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;QAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,8BAA8B;QAC/CvF,MAAM,EAAE;UACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;UACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACE;QACrC;MACJ,CAAC,CAAC;IACN;IAEApG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;MAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,iCAAiC;MAClDvF,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;QACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACG;MACrC;IACJ,CAAC,CAAC;;IAEF;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMC,MAAM,GAAGtG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0H,MAAM,CAACC,QAAQ,EAAE;MAChDzG,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM,CAACmB,GAAG;QACrBuC,OAAO,EAAEC,yBAAc;QACvBC,OAAO,EAAE,iBAAiB;QAC1BC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,IAAI;QAChBC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,KAAK,EAAE3F,MAAM,CAACH,OAAO,CAACT,GAAG,CAACuG,KAAK,CAAC;YAChCC,uBAAuB,EAAEjG,MAAM,CAAC+B,MAAM,CAACmE,QAAQ;YAC/CC,YAAY,EAAErG,gBAAgB,CAACiC,MAAM,CAAChD;UAC1C;QACJ,CAAC;QACDqH,WAAW,EAAE,0BAA0B;QACvCC,IAAI,EAA
E,IAAI1I,MAAM,CAAC2I,KAAK,CAACC,YAAY,CAAC;UAChC,GAAG,EAAE,IAAI5I,MAAM,CAAC2I,KAAK,CAACE,WAAW,CAC7BC,aAAI,CAACC,IAAI,CAACzH,GAAG,CAAC0H,KAAK,CAACC,SAAS,EAAE,uBAAuB,CAC1D;QACJ,CAAC,CAAC;QACFC,SAAS,EAAEnH,GAAG,GACR;UACIgC,SAAS,EAAEhC,GAAG,CAACiC,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;UACpDC,gBAAgB,EAAE,CAACvC,GAAG,CAACA,GAAG,CAACqC,MAAM,CAACG,sBAAsB;QAC5D,CAAC,GACDC;MACV;IACJ,CAAC,CAAC;IAEF,MAAM2E,kBAAkB,GAAG7H,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0H,MAAM,CAACwB,kBAAkB,EAAE;MACtEhI,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJgI,cAAc,EAAEnD,KAAK,CAAC9B,MAAM,CAACkF,SAAS;QACtCC,YAAY,EAAE3B,MAAM,CAACxD,MAAM,CAACmB,GAAG;QAC/BiE,gBAAgB,EAAE,QAAQ;QAC1BC,oBAAoB,EAAE,CAAC;QACvBC,SAAS,EAAE,EAAE;QACbC,8BAA8B,EAAE;MACpC;IACJ,CAAC,CAAC;IAEFrI,GAAG,CAACsI,UAAU,CAAC;MACXC,sBAAsB,EAAExH,MAAM,CAAC+B,MAAM,CAACmB,GAAG;MACzCuE,2BAA2B,EAAEzH,MAAM,CAAC+B,MAAM,CAACmE,QAAQ;MACnDwB,6BAA6B,EAAE7D,KAAK,CAAC9B,MAAM,CAACmB,GAAG;MAC/CyE,8BAA8B,EAAE9D,KAAK,CAAC9B,MAAM,CAAChD;IACjD,CAAC,CAAC;IAEF,OAAO;MACHiB,MAAM;MACNC,YAAY;MACZ4D,KAAK;MACL+D,eAAe,EAAE;QACbpD,IAAI;QACJO,MAAM;QACNQ,MAAM;QACNuB;MACJ;IACJ,CAAC;EACL;AACJ,CAAC,CAAC;AAEF,SAAS9B,gCAAgCA,CACrC/F,GAAc,EACde,MAA6E,EAC/E;EACE,OAAOf,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACoD,MAAM,EAAE;IACnC9I,IAAI,EAAE,uCAAuC;IAC7CC,MAAM,EAAE;MACJoH,WAAW,EAAE,uDAAuD;MACpErB,MAAM,EAAE;QACJzB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIuE,GAAG,EAAE,iBAAiB;UACtBtE,MAAM,EAAE,OAAO;UACfG,MAAM,EAAE,CACJ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc,CACjB;UACDC,QAAQ,EAAE,CACNjG,MAAM,CAACoK,WAAW,GAAG/H,MAAM,CAACkD,GAAG,EAAE,EACjCvF,MAAM,CAACoK,WAAW,GAAG/H,MAAM,CAACkD,GAAG,IAAI;QAE3C,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
1
+ {"version":3,"names":["_path","_interopRequireDefault","require","pulumi","_interopRequireWildcard","aws","random","_pulumi2","_awsUtils","_CoreVpc","_constants","_LogDynamo","getDevClusterConfig","instanceType","getProdClusterConfig","instanceCount","zoneAwarenessEnabled","zoneAwarenessConfig","availabilityZoneCount","OS_ENGINE_VERSION","OpenSearch","exports","createAppModule","name","config","app","params","productionEnvironments","create","DEFAULT_PROD_ENV_NAMES","isProduction","includes","run","env","vpc","getModule","CoreVpc","optional","logDynamoDbTable","LogDynamo","domain","domainPolicy","process","AWS_ELASTIC_SEARCH_DOMAIN_NAME","domainName","String","addRemoteResource","opensearch","getDomain","async","randomId","RandomId","byteLength","namePrefix","getParam","pulumiResourceNamePrefix","domainLogicalName","domainPhysicalName","hex","apply","slice","addResource","Domain","engineVersion","clusterConfig","vpcOptions","subnetIds","subnets","private","map","s","output","id","securityGroupIds","defaultSecurityGroupId","undefined","ebsOptions","ebsEnabled","volumeSize","volumeType","advancedOptions","snapshotOptions","automatedSnapshotStartHour","opts","protect","accountId","getAwsAccountId","DomainPolicy","accessPolicies","all","arn","domainArn","JSON","stringify","Version","Statement","Effect","Principal","AWS","Action","Resource","table","dynamodb","Table","attributes","type","streamEnabled","streamViewType","billingMode","hashKey","rangeKey","roleName","role","iam","Role","assumeRolePolicy","Service","meta","isLambdaFunctionRole","policy","getDynamoDbToElasticLambdaPolicy","RolePolicyAttachment","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","lambda","Function","runtime","LAMBDA_RUNTIME","handler","timeout","memorySize","environment","variables","DEBUG","ELASTIC_SEARCH_ENDPOINT","endpoint","DB_TABLE_LOG","description","code","asset","AssetArchive","FileArchive","path","join","path
s","workspace","vpcConfig","eventSourceMapping","EventSourceMapping","eventSourceArn","streamArn","functionName","startingPosition","maximumRetryAttempts","batchSize","maximumBatchingWindowInSeconds","addOutputs","elasticsearchDomainArn","elasticsearchDomainEndpoint","elasticsearchDynamodbTableArn","elasticsearchDynamodbTableName","dynamoToElastic","Policy","Sid","interpolate"],"sources":["CoreOpenSearch.ts"],"sourcesContent":["/**\n * Important documents to read:\n *\n * https://docs.aws.amazon.com/opensearch-service/latest/developerguide/limits.html#network-limits\n */\nimport path from \"path\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport * as random from \"@pulumi/random\";\nimport {\n createAppModule,\n PulumiApp,\n PulumiAppResource,\n PulumiAppResourceConstructor,\n PulumiAppRemoteResource\n} from \"@webiny/pulumi\";\n\nimport { getAwsAccountId } from \"../awsUtils\";\nimport { CoreVpc } from \"./CoreVpc\";\nimport { DEFAULT_PROD_ENV_NAMES, LAMBDA_RUNTIME } from \"~/constants\";\nimport { LogDynamo } from \"~/apps/core/LogDynamo\";\n\nexport interface OpenSearchParams {\n protect: boolean;\n}\n\nfunction getDevClusterConfig(): aws.types.input.opensearch.DomainClusterConfig {\n return {\n instanceType: \"t3.small.search\"\n };\n}\n\nfunction getProdClusterConfig(): aws.types.input.opensearch.DomainClusterConfig {\n return {\n // For production deployments, we create 2 instances and configure multi-AZ.\n instanceType: \"t3.medium.search\",\n instanceCount: 2,\n zoneAwarenessEnabled: true,\n zoneAwarenessConfig: {\n availabilityZoneCount: 2\n }\n };\n}\n\nconst OS_ENGINE_VERSION = \"OpenSearch_2.11\";\n\nexport const OpenSearch = createAppModule({\n name: \"OpenSearch\",\n config(app, params: OpenSearchParams) {\n const productionEnvironments =\n app.params.create.productionEnvironments || DEFAULT_PROD_ENV_NAMES;\n const isProduction = productionEnvironments.includes(app.params.run.env);\n\n const vpc = 
app.getModule(CoreVpc, { optional: true });\n\n const logDynamoDbTable = app.getModule(LogDynamo);\n\n // This needs to be implemented in order to be able to use a shared OpenSearch cluster.\n let domain:\n | PulumiAppResource<PulumiAppResourceConstructor<aws.opensearch.Domain>>\n | PulumiAppRemoteResource<aws.opensearch.GetDomainResult>;\n\n let domainPolicy;\n\n if (process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME) {\n const domainName = String(process.env.AWS_ELASTIC_SEARCH_DOMAIN_NAME);\n // This can be useful for testing purposes in ephemeral environments. More information here:\n // https://www.webiny.com/docs/key-topics/ci-cd/testing/slow-ephemeral-environments\n domain = app.addRemoteResource(domainName, () => {\n return aws.opensearch.getDomain({ domainName }, { async: true });\n });\n } else {\n const randomId = new random.RandomId(\"osDomainRandomId\", { byteLength: 8 });\n const namePrefix = app.getParam(app.params.create.pulumiResourceNamePrefix) || \"\";\n\n const domainLogicalName = \"webiny-js\";\n const domainPhysicalName = randomId.hex.apply((hex: string) => {\n return `${namePrefix}${domainLogicalName}-${hex.slice(-7)}`;\n });\n\n domain = app.addResource(aws.opensearch.Domain, {\n name: domainLogicalName,\n config: {\n domainName: domainPhysicalName,\n engineVersion: OS_ENGINE_VERSION,\n clusterConfig: isProduction ? getProdClusterConfig() : getDevClusterConfig(),\n vpcOptions: vpc\n ? 
{\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined,\n ebsOptions: {\n ebsEnabled: true,\n volumeSize: 10,\n volumeType: \"gp2\"\n },\n advancedOptions: {\n \"rest.action.multi.allow_explicit_index\": \"true\"\n },\n snapshotOptions: {\n automatedSnapshotStartHour: 23\n }\n },\n opts: { protect: params.protect }\n });\n\n /**\n * Domain policy defines who can access your OpenSearch Domain.\n * For details on OpenSearch security, read the official documentation:\n * https://docs.aws.amazon.com/openSearch-service/latest/developerguide/security.html\n */\n const accountId = getAwsAccountId(app);\n\n domainPolicy = app.addResource(aws.opensearch.DomainPolicy, {\n name: `${domainLogicalName}-policy`,\n config: {\n domainName: domain.output.domainName,\n accessPolicies: pulumi\n .all([accountId, domain.output.arn])\n .apply(([accountId, domainArn]) => {\n return JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [\n /**\n * Allow requests signed with current account\n */\n {\n Effect: \"Allow\",\n Principal: {\n AWS: accountId\n },\n Action: \"es:*\",\n Resource: `${domainArn}/*`\n }\n ]\n });\n })\n },\n opts: { protect: params.protect }\n });\n }\n\n /**\n * Create a table for OpenSearch records. All ES records are stored in this table to dramatically improve\n * performance and stability on write operations (especially massive data imports). This table also serves as a backup and\n * a single source of truth for your OpenSearch domain. 
Streaming is enabled on this table, and it will\n * allow asynchronous synchronization of data with OpenSearch domain.\n */\n const table = app.addResource(aws.dynamodb.Table, {\n name: \"webiny-es\",\n config: {\n attributes: [\n { name: \"PK\", type: \"S\" },\n { name: \"SK\", type: \"S\" }\n ],\n streamEnabled: true,\n streamViewType: \"NEW_AND_OLD_IMAGES\",\n billingMode: \"PAY_PER_REQUEST\",\n hashKey: \"PK\",\n rangeKey: \"SK\"\n },\n opts: { protect: params.protect }\n });\n\n const roleName = \"dynamo-to-elastic-lambda-role\";\n\n const role = app.addResource(aws.iam.Role, {\n name: roleName,\n config: {\n assumeRolePolicy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Action: \"sts:AssumeRole\",\n Principal: {\n Service: \"lambda.amazonaws.com\"\n },\n Effect: \"Allow\"\n }\n ]\n }\n },\n meta: { isLambdaFunctionRole: true }\n });\n\n const policy = getDynamoDbToElasticLambdaPolicy(app, domain.output);\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-DynamoDbToElasticLambdaPolicy`,\n config: {\n role: role.output,\n policyArn: policy.output.arn\n }\n });\n\n // Only use `AWSLambdaVPCAccessExecutionRole` policy if VPC feature is enabled.\n if (vpc) {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaVPCAccessExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n } else {\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaBasicExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole\n }\n });\n }\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `${roleName}-AWSLambdaDynamoDBExecutionRole`,\n config: {\n role: role.output,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaDynamoDBExecutionRole\n }\n });\n\n /**\n * This Lambda will process the stream events from DynamoDB table that contains OpenSearch items.\n * OpenSearch can't take large 
amount of individual writes in a short period of time, so this way\n * we store data for OpenSearch in a DynamoDB table, and asynchronously insert it into OpenSearch\n * using batching.\n */\n const lambda = app.addResource(aws.lambda.Function, {\n name: \"dynamo-to-elastic\",\n config: {\n role: role.output.arn,\n runtime: LAMBDA_RUNTIME,\n handler: \"handler.handler\",\n timeout: 900,\n memorySize: 1024,\n environment: {\n variables: {\n DEBUG: String(process.env.DEBUG),\n ELASTIC_SEARCH_ENDPOINT: domain.output.endpoint,\n DB_TABLE_LOG: logDynamoDbTable.output.name\n }\n },\n description: \"Process DynamoDB Stream.\",\n code: new pulumi.asset.AssetArchive({\n \".\": new pulumi.asset.FileArchive(\n path.join(app.paths.workspace, \"dynamoToElastic/build\")\n )\n }),\n vpcConfig: vpc\n ? {\n subnetIds: vpc.subnets.private.map(s => s.output.id),\n securityGroupIds: [vpc.vpc.output.defaultSecurityGroupId]\n }\n : undefined\n }\n });\n\n const eventSourceMapping = app.addResource(aws.lambda.EventSourceMapping, {\n name: \"dynamo-to-elastic\",\n config: {\n eventSourceArn: table.output.streamArn,\n functionName: lambda.output.arn,\n startingPosition: \"LATEST\",\n maximumRetryAttempts: 3,\n batchSize: 50,\n maximumBatchingWindowInSeconds: 1\n }\n });\n\n app.addOutputs({\n elasticsearchDomainArn: domain.output.arn,\n elasticsearchDomainEndpoint: domain.output.endpoint,\n elasticsearchDynamodbTableArn: table.output.arn,\n elasticsearchDynamodbTableName: table.output.name\n });\n\n return {\n domain,\n domainPolicy,\n table,\n dynamoToElastic: {\n role,\n policy,\n lambda,\n eventSourceMapping\n }\n };\n }\n});\n\nfunction getDynamoDbToElasticLambdaPolicy(\n app: PulumiApp,\n domain: pulumi.Output<aws.opensearch.Domain | aws.opensearch.GetDomainResult>\n) {\n return app.addResource(aws.iam.Policy, {\n name: \"DynamoDbToElasticLambdaPolicy-updated\",\n config: {\n description: \"This policy enables access to ES and Dynamodb streams\",\n policy: {\n Version: 
\"2012-10-17\",\n Statement: [\n {\n Sid: \"PermissionForES\",\n Effect: \"Allow\",\n Action: [\n \"es:ESHttpGet\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPatch\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\",\n \"dynamodb:BatchGetItem\",\n \"dynamodb:BatchWriteItem\",\n \"dynamodb:PutItem\",\n \"dynamodb:GetItem\",\n \"dynamodb:DeleteItem\",\n \"dynamodb:Query\",\n \"dynamodb:UpdateItem\"\n ],\n Resource: [\n pulumi.interpolate`${domain.arn}`,\n pulumi.interpolate`${domain.arn}/*`\n ]\n }\n ]\n }\n }\n });\n}\n"],"mappings":";;;;;;;;AAKA,IAAAA,KAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,GAAA,GAAAD,uBAAA,CAAAF,OAAA;AACA,IAAAI,MAAA,GAAAF,uBAAA,CAAAF,OAAA;AACA,IAAAK,QAAA,GAAAL,OAAA;AAQA,IAAAM,SAAA,GAAAN,OAAA;AACA,IAAAO,QAAA,GAAAP,OAAA;AACA,IAAAQ,UAAA,GAAAR,OAAA;AACA,IAAAS,UAAA,GAAAT,OAAA;AApBA;AACA;AACA;AACA;AACA;;AAsBA,SAASU,mBAAmBA,CAAA,EAAmD;EAC3E,OAAO;IACHC,YAAY,EAAE;EAClB,CAAC;AACL;AAEA,SAASC,oBAAoBA,CAAA,EAAmD;EAC5E,OAAO;IACH;IACAD,YAAY,EAAE,kBAAkB;IAChCE,aAAa,EAAE,CAAC;IAChBC,oBAAoB,EAAE,IAAI;IAC1BC,mBAAmB,EAAE;MACjBC,qBAAqB,EAAE;IAC3B;EACJ,CAAC;AACL;AAEA,MAAMC,iBAAiB,GAAG,iBAAiB;AAEpC,MAAMC,UAAU,GAAAC,OAAA,CAAAD,UAAA,GAAG,IAAAE,wBAAe,EAAC;EACtCC,IAAI,EAAE,YAAY;EAClBC,MAAMA,CAACC,GAAG,EAAEC,MAAwB,EAAE;IAClC,MAAMC,sBAAsB,GACxBF,GAAG,CAACC,MAAM,CAACE,MAAM,CAACD,sBAAsB,IAAIE,iCAAsB;IACtE,MAAMC,YAAY,GAAGH,sBAAsB,CAACI,QAAQ,CAACN,GAAG,CAACC,MAAM,CAACM,GAAG,CAACC,GAAG,CAAC;IAExE,MAAMC,GAAG,GAAGT,GAAG,CAACU,SAAS,CAACC,gBAAO,EAAE;MAAEC,QAAQ,EAAE;IAAK,CAAC,CAAC;IAEtD,MAAMC,gBAAgB,GAAGb,GAAG,CAACU,SAAS,CAACI,oBAAS,CAAC;;IAEjD;IACA,IAAIC,MAEyD;IAE7D,IAAIC,YAAY;IAEhB,IAAIC,OAAO,CAACT,GAAG,CAACU,8BAA8B,EAAE;MAC5C,MAAMC,UAAU,GAAGC,MAAM,CAACH,OAAO,CAACT,GAAG,CAACU,8BAA8B,CAAC;MACrE;MACA;MACAH,MAAM,GAAGf,GAAG,CAACqB,iBAAiB,CAACF,UAAU,EAAE,MAAM;QAC7C,OAAOvC,GAAG,CAAC0C,UAAU,CAACC,SAAS,CAAC;UAAEJ;QAAW,CAAC,EAAE;UAAEK,KAAK,EAAE;QAAK,CAAC,CAAC;MACpE,CAAC,CAAC;IACN,CAAC,MAAM;MACH,MAAMC,QAAQ,GAAG,IAAI5C,MAAM,CAAC6C,QAAQ,CAAC,kBAAkB,EAAE;QAAEC,UAAU,EAAE;MAAE
,CAAC,CAAC;MAC3E,MAAMC,UAAU,GAAG5B,GAAG,CAAC6B,QAAQ,CAAC7B,GAAG,CAACC,MAAM,CAACE,MAAM,CAAC2B,wBAAwB,CAAC,IAAI,EAAE;MAEjF,MAAMC,iBAAiB,GAAG,WAAW;MACrC,MAAMC,kBAAkB,GAAGP,QAAQ,CAACQ,GAAG,CAACC,KAAK,CAAED,GAAW,IAAK;QAC3D,OAAO,GAAGL,UAAU,GAAGG,iBAAiB,IAAIE,GAAG,CAACE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;MAC/D,CAAC,CAAC;MAEFpB,MAAM,GAAGf,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0C,UAAU,CAACe,MAAM,EAAE;QAC5CvC,IAAI,EAAEiC,iBAAiB;QACvBhC,MAAM,EAAE;UACJoB,UAAU,EAAEa,kBAAkB;UAC9BM,aAAa,EAAE5C,iBAAiB;UAChC6C,aAAa,EAAElC,YAAY,GAAGhB,oBAAoB,CAAC,CAAC,GAAGF,mBAAmB,CAAC,CAAC;UAC5EqD,UAAU,EAAE/B,GAAG,GACT;YACIgC,SAAS,EAAEhC,GAAG,CAACiC,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;YACpDC,gBAAgB,EAAE,CAACvC,GAAG,CAACA,GAAG,CAACqC,MAAM,CAACG,sBAAsB;UAC5D,CAAC,GACDC,SAAS;UACfC,UAAU,EAAE;YACRC,UAAU,EAAE,IAAI;YAChBC,UAAU,EAAE,EAAE;YACdC,UAAU,EAAE;UAChB,CAAC;UACDC,eAAe,EAAE;YACb,wCAAwC,EAAE;UAC9C,CAAC;UACDC,eAAe,EAAE;YACbC,0BAA0B,EAAE;UAChC;QACJ,CAAC;QACDC,IAAI,EAAE;UAAEC,OAAO,EAAE1D,MAAM,CAAC0D;QAAQ;MACpC,CAAC,CAAC;;MAEF;AACZ;AACA;AACA;AACA;MACY,MAAMC,SAAS,GAAG,IAAAC,yBAAe,EAAC7D,GAAG,CAAC;MAEtCgB,YAAY,GAAGhB,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0C,UAAU,CAACwC,YAAY,EAAE;QACxDhE,IAAI,EAAE,GAAGiC,iBAAiB,SAAS;QACnChC,MAAM,EAAE;UACJoB,UAAU,EAAEJ,MAAM,CAAC+B,MAAM,CAAC3B,UAAU;UACpC4C,cAAc,EAAErF,MAAM,CACjBsF,GAAG,CAAC,CAACJ,SAAS,EAAE7C,MAAM,CAAC+B,MAAM,CAACmB,GAAG,CAAC,CAAC,CACnC/B,KAAK,CAAC,CAAC,CAAC0B,SAAS,EAAEM,SAAS,CAAC,KAAK;YAC/B,OAAOC,IAAI,CAACC,SAAS,CAAC;cAClBC,OAAO,EAAE,YAAY;cACrBC,SAAS,EAAE;cACP;AACpC;AACA;cACoC;gBACIC,MAAM,EAAE,OAAO;gBACfC,SAAS,EAAE;kBACPC,GAAG,EAAEb;gBACT,CAAC;gBACDc,MAAM,EAAE,MAAM;gBACdC,QAAQ,EAAE,GAAGT,SAAS;cAC1B,CAAC;YAET,CAAC,CAAC;UACN,CAAC;QACT,CAAC;QACDR,IAAI,EAAE;UAAEC,OAAO,EAAE1D,MAAM,CAAC0D;QAAQ;MACpC,CAAC,CAAC;IACN;;IAEA;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMiB,KAAK,GAAG5E,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAACiG,QAAQ,CAACC,KAAK,EAAE;MAC9ChF,IAAI,EAAE,WAAW;MACjBC,MAAM,EAAE;QACJgF,UAAU,EAAE,CACR;UAAEjF,IAAI,EAAE,IAAI;UAAEkF,IAAI,EAAE;QAAI,CAAC,EACzB;UAA
ElF,IAAI,EAAE,IAAI;UAAEkF,IAAI,EAAE;QAAI,CAAC,CAC5B;QACDC,aAAa,EAAE,IAAI;QACnBC,cAAc,EAAE,oBAAoB;QACpCC,WAAW,EAAE,iBAAiB;QAC9BC,OAAO,EAAE,IAAI;QACbC,QAAQ,EAAE;MACd,CAAC;MACD3B,IAAI,EAAE;QAAEC,OAAO,EAAE1D,MAAM,CAAC0D;MAAQ;IACpC,CAAC,CAAC;IAEF,MAAM2B,QAAQ,GAAG,+BAA+B;IAEhD,MAAMC,IAAI,GAAGvF,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACC,IAAI,EAAE;MACvC3F,IAAI,EAAEwF,QAAQ;MACdvF,MAAM,EAAE;QACJ2F,gBAAgB,EAAE;UACdrB,OAAO,EAAE,YAAY;UACrBC,SAAS,EAAE,CACP;YACII,MAAM,EAAE,gBAAgB;YACxBF,SAAS,EAAE;cACPmB,OAAO,EAAE;YACb,CAAC;YACDpB,MAAM,EAAE;UACZ,CAAC;QAET;MACJ,CAAC;MACDqB,IAAI,EAAE;QAAEC,oBAAoB,EAAE;MAAK;IACvC,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAGC,gCAAgC,CAAC/F,GAAG,EAAEe,MAAM,CAAC+B,MAAM,CAAC;IAEnE9C,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;MAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,gCAAgC;MACjDvF,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;QACjBmD,SAAS,EAAEH,MAAM,CAAChD,MAAM,CAACmB;MAC7B;IACJ,CAAC,CAAC;;IAEF;IACA,IAAIxD,GAAG,EAAE;MACLT,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;QAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,kCAAkC;QACnDvF,MAAM,EAAE;UACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;UACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACC;QACrC;MACJ,CAAC,CAAC;IACN,CAAC,MAAM;MACHnG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;QAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,8BAA8B;QAC/CvF,MAAM,EAAE;UACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;UACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACE;QACrC;MACJ,CAAC,CAAC;IACN;IAEApG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACQ,oBAAoB,EAAE;MAC1ClG,IAAI,EAAE,GAAGwF,QAAQ,iCAAiC;MAClDvF,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM;QACjBmD,SAAS,EAAErH,GAAG,CAAC4G,GAAG,CAACU,aAAa,CAACG;MACrC;IACJ,CAAC,CAAC;;IAEF;AACR;AACA;AACA;AACA;AACA;IACQ,MAAMC,MAAM,GAAGtG,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0H,MAAM,CAACC,QAAQ,EAAE;MAChDzG,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJwF,IAAI,EAAEA,IAAI,CAACzC,MAAM,CAACmB,GAAG;QACrBuC,OAAO,EAAEC,yBAAc;QACvBC,OAAO,EAAE,iBAAiB;QAC1BC,OAAO,EAAE,GAAG;QACZC,UAAU,EAAE,IAAI;QAChBC,WAAW,EAAE;UACTC,SAAS,EAAE;YACPC,KAAK,EAAE3F,MAAM,CAACH
,OAAO,CAACT,GAAG,CAACuG,KAAK,CAAC;YAChCC,uBAAuB,EAAEjG,MAAM,CAAC+B,MAAM,CAACmE,QAAQ;YAC/CC,YAAY,EAAErG,gBAAgB,CAACiC,MAAM,CAAChD;UAC1C;QACJ,CAAC;QACDqH,WAAW,EAAE,0BAA0B;QACvCC,IAAI,EAAE,IAAI1I,MAAM,CAAC2I,KAAK,CAACC,YAAY,CAAC;UAChC,GAAG,EAAE,IAAI5I,MAAM,CAAC2I,KAAK,CAACE,WAAW,CAC7BC,aAAI,CAACC,IAAI,CAACzH,GAAG,CAAC0H,KAAK,CAACC,SAAS,EAAE,uBAAuB,CAC1D;QACJ,CAAC,CAAC;QACFC,SAAS,EAAEnH,GAAG,GACR;UACIgC,SAAS,EAAEhC,GAAG,CAACiC,OAAO,CAACC,OAAO,CAACC,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,MAAM,CAACC,EAAE,CAAC;UACpDC,gBAAgB,EAAE,CAACvC,GAAG,CAACA,GAAG,CAACqC,MAAM,CAACG,sBAAsB;QAC5D,CAAC,GACDC;MACV;IACJ,CAAC,CAAC;IAEF,MAAM2E,kBAAkB,GAAG7H,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC0H,MAAM,CAACwB,kBAAkB,EAAE;MACtEhI,IAAI,EAAE,mBAAmB;MACzBC,MAAM,EAAE;QACJgI,cAAc,EAAEnD,KAAK,CAAC9B,MAAM,CAACkF,SAAS;QACtCC,YAAY,EAAE3B,MAAM,CAACxD,MAAM,CAACmB,GAAG;QAC/BiE,gBAAgB,EAAE,QAAQ;QAC1BC,oBAAoB,EAAE,CAAC;QACvBC,SAAS,EAAE,EAAE;QACbC,8BAA8B,EAAE;MACpC;IACJ,CAAC,CAAC;IAEFrI,GAAG,CAACsI,UAAU,CAAC;MACXC,sBAAsB,EAAExH,MAAM,CAAC+B,MAAM,CAACmB,GAAG;MACzCuE,2BAA2B,EAAEzH,MAAM,CAAC+B,MAAM,CAACmE,QAAQ;MACnDwB,6BAA6B,EAAE7D,KAAK,CAAC9B,MAAM,CAACmB,GAAG;MAC/CyE,8BAA8B,EAAE9D,KAAK,CAAC9B,MAAM,CAAChD;IACjD,CAAC,CAAC;IAEF,OAAO;MACHiB,MAAM;MACNC,YAAY;MACZ4D,KAAK;MACL+D,eAAe,EAAE;QACbpD,IAAI;QACJO,MAAM;QACNQ,MAAM;QACNuB;MACJ;IACJ,CAAC;EACL;AACJ,CAAC,CAAC;AAEF,SAAS9B,gCAAgCA,CACrC/F,GAAc,EACde,MAA6E,EAC/E;EACE,OAAOf,GAAG,CAACoC,WAAW,CAACxD,GAAG,CAAC4G,GAAG,CAACoD,MAAM,EAAE;IACnC9I,IAAI,EAAE,uCAAuC;IAC7CC,MAAM,EAAE;MACJoH,WAAW,EAAE,uDAAuD;MACpErB,MAAM,EAAE;QACJzB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIuE,GAAG,EAAE,iBAAiB;UACtBtE,MAAM,EAAE,OAAO;UACfG,MAAM,EAAE,CACJ,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,uBAAuB,EACvB,yBAAyB,EACzB,kBAAkB,EAClB,kBAAkB,EAClB,qBAAqB,EACrB,gBAAgB,EAChB,qBAAqB,CACxB;UACDC,QAAQ,EAAE,CACNjG,MAAM,CAACoK,WAAW,GAAG/H,MAAM,CAACkD,GAAG,EAAE,EACjCvF,MAAM,CAACoK,WAAW,GAAG/H,MAAM,CAACkD,GAAG,IAAI;QAE3C,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
@@ -28,14 +28,31 @@ const configureAdminCognitoFederation = (app, config) => {
28
28
  }
29
29
  });
30
30
  app.addOutput("cognitoUserPoolDomain", pulumi.interpolate`${userPoolDomain.output.domain}.auth.${region}.amazoncognito.com`);
31
- const providers = [];
31
+ const idpConfigs = [];
32
32
  for (const idp of config.identityProviders) {
33
- providers.push(app.addResource(aws.cognito.IdentityProvider, {
34
- name: idp.type,
35
- config: (0, _getIdpConfig.getIdpConfig)(idp.type, userPool.output.id, idp)
36
- }));
33
+ const config = (0, _getIdpConfig.getIdpConfig)(idp.type, userPool.output.id, idp);
34
+
35
+ // The idea to lowercase the provider name emerged while working on backwards compatibility issue.
36
+ // Basically, in cases where a user used the OIDC provider and did not specify a name, instead of
37
+ // using `OIDC` as the name, we wanted to ensure `oidc` is used. But, what I soon realized is that
38
+ // by simply lowercasing the name, we can avoid the need to check for the provider type and name.
39
+ // And although this will now happen for all providers, it's not a problem since Pulumi requires
40
+ // names to be all lowercase anyway.
41
+ const name = config.providerName.toString().toLowerCase();
42
+ app.addResource(aws.cognito.IdentityProvider, {
43
+ name,
44
+ config
45
+ });
46
+ idpConfigs.push(config);
37
47
  }
38
- appClient.config.supportedIdentityProviders(["COGNITO", ...providers.map(p => p.output.providerType)]);
48
+ appClient.config.supportedIdentityProviders(["COGNITO", ...idpConfigs.map(config => {
49
+ // For built-in identity providers, we use the type as the name. Only for OIDC,
50
+ // we allow the user to provide a custom name, and we only use the type as a fallback.
51
+ if (config.providerType === "OIDC") {
52
+ return config.providerName;
53
+ }
54
+ return config.providerType;
55
+ })]);
39
56
  appClient.config.allowedOauthScopes(["profile", "email", "openid"]);
40
57
  appClient.config.allowedOauthFlows(["implicit", "code"]);
41
58
  appClient.config.allowedOauthFlowsUserPoolClient(true);
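Review bot: `config.providerName.toString().toLowerCase()` only yields a usable resource name when `providerName` is a plain string; the field is typed as a Pulumi input, and if `getIdpConfig` (not visible here) ever returns an `Output`, `toString()` does not return the underlying value. A guard before the call, e.g. `if (typeof config.providerName !== "string") throw new Error("identity provider name must be a plain string");`, would make that failure explicit at deploy time. Lowercasing also means two OIDC providers whose names differ only in case map to the same resource name, so a duplicate check on `name` is worth adding. The loop-local `const config` shadows the function's `config` parameter, which is still read after the loop; renaming it to `idpConfig` would avoid confusion. The enclosing function starts and ends outside this hunk.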
@@ -1 +1 @@
1
- {"version":3,"names":["aws","_interopRequireWildcard","require","pulumi","_getIdpConfig","isString","value","configureAdminCognitoFederation","app","config","region","String","process","env","AWS_REGION","userPool","resources","appClient","userPoolClient","userPoolDomain","addResource","cognito","UserPoolDomain","name","domain","certificateArn","undefined","userPoolId","output","id","addOutput","interpolate","providers","idp","identityProviders","push","IdentityProvider","type","getIdpConfig","supportedIdentityProviders","map","p","providerType","allowedOauthScopes","allowedOauthFlows","allowedOauthFlowsUserPoolClient","callbackUrls","logoutUrls","exports"],"sources":["configure.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport { UserPoolDomainArgs } from \"@pulumi/aws/cognito/userPoolDomain\";\nimport { IdentityProviderArgs } from \"@pulumi/aws/cognito\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport { PulumiApp, PulumiAppResource, PulumiAppResourceConstructor } from \"@webiny/pulumi\";\nimport { getIdpConfig } from \"./getIdpConfig\";\n\nexport type IdentityAttributeMapping = {\n \"custom:id\": string;\n username: string;\n email: string;\n family_name: string;\n given_name: string;\n [key: string]: string;\n};\n\nexport interface CognitoIdentityProvidersConfig {\n domain:\n | string\n | {\n name: UserPoolDomainArgs[\"domain\"];\n certificateArn?: UserPoolDomainArgs[\"certificateArn\"];\n };\n identityProviders: CognitoIdentityProviderConfig[];\n callbackUrls: string[];\n logoutUrls?: string[];\n}\n\nexport interface CognitoIdentityProviderConfig {\n name?: string;\n type: \"google\" | \"facebook\" | \"amazon\" | \"apple\" | \"oidc\";\n providerDetails: IdentityProviderArgs[\"providerDetails\"];\n idpIdentifiers?: IdentityProviderArgs[\"idpIdentifiers\"];\n attributeMapping?: IdentityAttributeMapping;\n}\n\nconst isString = (value?: any): value is string => {\n return typeof value === \"string\";\n};\n\nexport const 
configureAdminCognitoFederation = (\n app: PulumiApp,\n config: CognitoIdentityProvidersConfig\n) => {\n const region = String(process.env.AWS_REGION);\n\n const userPool = app.resources.userPool as PulumiAppResource<\n PulumiAppResourceConstructor<aws.cognito.UserPool>\n >;\n\n const appClient = app.resources.userPoolClient as PulumiAppResource<\n PulumiAppResourceConstructor<aws.cognito.UserPoolClient>\n >;\n\n /**\n * We need to create a user pool domain, which is used to interact with the federated identity providers.\n */\n const userPoolDomain = app.addResource(aws.cognito.UserPoolDomain, {\n name: \"cognitoUserPoolDomain\",\n config: {\n domain: isString(config.domain) ? config.domain : config.domain.name,\n certificateArn: isString(config.domain) ? undefined : config.domain.certificateArn,\n userPoolId: userPool.output.id\n }\n });\n\n app.addOutput(\n \"cognitoUserPoolDomain\",\n pulumi.interpolate`${userPoolDomain.output.domain}.auth.${region}.amazoncognito.com`\n );\n\n const providers = [];\n for (const idp of config.identityProviders) {\n providers.push(\n app.addResource(aws.cognito.IdentityProvider, {\n name: idp.type,\n config: getIdpConfig(idp.type, userPool.output.id, idp)\n })\n );\n }\n\n appClient.config.supportedIdentityProviders([\n \"COGNITO\",\n ...providers.map(p => p.output.providerType)\n ]);\n\n appClient.config.allowedOauthScopes([\"profile\", \"email\", \"openid\"]);\n appClient.config.allowedOauthFlows([\"implicit\", \"code\"]);\n appClient.config.allowedOauthFlowsUserPoolClient(true);\n appClient.config.callbackUrls(config.callbackUrls);\n appClient.config.logoutUrls(config.logoutUrls ?? 
config.callbackUrls);\n};\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AAGA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AAEA,IAAAE,aAAA,GAAAF,OAAA;AA+BA,MAAMG,QAAQ,GAAIC,KAAW,IAAsB;EAC/C,OAAO,OAAOA,KAAK,KAAK,QAAQ;AACpC,CAAC;AAEM,MAAMC,+BAA+B,GAAGA,CAC3CC,GAAc,EACdC,MAAsC,KACrC;EACD,MAAMC,MAAM,GAAGC,MAAM,CAACC,OAAO,CAACC,GAAG,CAACC,UAAU,CAAC;EAE7C,MAAMC,QAAQ,GAAGP,GAAG,CAACQ,SAAS,CAACD,QAE9B;EAED,MAAME,SAAS,GAAGT,GAAG,CAACQ,SAAS,CAACE,cAE/B;;EAED;AACJ;AACA;EACI,MAAMC,cAAc,GAAGX,GAAG,CAACY,WAAW,CAACpB,GAAG,CAACqB,OAAO,CAACC,cAAc,EAAE;IAC/DC,IAAI,EAAE,uBAAuB;IAC7Bd,MAAM,EAAE;MACJe,MAAM,EAAEnB,QAAQ,CAACI,MAAM,CAACe,MAAM,CAAC,GAAGf,MAAM,CAACe,MAAM,GAAGf,MAAM,CAACe,MAAM,CAACD,IAAI;MACpEE,cAAc,EAAEpB,QAAQ,CAACI,MAAM,CAACe,MAAM,CAAC,GAAGE,SAAS,GAAGjB,MAAM,CAACe,MAAM,CAACC,cAAc;MAClFE,UAAU,EAAEZ,QAAQ,CAACa,MAAM,CAACC;IAChC;EACJ,CAAC,CAAC;EAEFrB,GAAG,CAACsB,SAAS,CACT,uBAAuB,EACvB3B,MAAM,CAAC4B,WAAW,GAAGZ,cAAc,CAACS,MAAM,CAACJ,MAAM,SAASd,MAAM,oBACpE,CAAC;EAED,MAAMsB,SAAS,GAAG,EAAE;EACpB,KAAK,MAAMC,GAAG,IAAIxB,MAAM,CAACyB,iBAAiB,EAAE;IACxCF,SAAS,CAACG,IAAI,CACV3B,GAAG,CAACY,WAAW,CAACpB,GAAG,CAACqB,OAAO,CAACe,gBAAgB,EAAE;MAC1Cb,IAAI,EAAEU,GAAG,CAACI,IAAI;MACd5B,MAAM,EAAE,IAAA6B,0BAAY,EAACL,GAAG,CAACI,IAAI,EAAEtB,QAAQ,CAACa,MAAM,CAACC,EAAE,EAAEI,GAAG;IAC1D,CAAC,CACL,CAAC;EACL;EAEAhB,SAAS,CAACR,MAAM,CAAC8B,0BAA0B,CAAC,CACxC,SAAS,EACT,GAAGP,SAAS,CAACQ,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACb,MAAM,CAACc,YAAY,CAAC,CAC/C,CAAC;EAEFzB,SAAS,CAACR,MAAM,CAACkC,kBAAkB,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;EACnE1B,SAAS,CAACR,MAAM,CAACmC,iBAAiB,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;EACxD3B,SAAS,CAACR,MAAM,CAACoC,+BAA+B,CAAC,IAAI,CAAC;EACtD5B,SAAS,CAACR,MAAM,CAACqC,YAAY,CAACrC,MAAM,CAACqC,YAAY,CAAC;EAClD7B,SAAS,CAACR,MAAM,CAACsC,UAAU,CAACtC,MAAM,CAACsC,UAAU,IAAItC,MAAM,CAACqC,YAAY,CAAC;AACzE,CAAC;AAACE,OAAA,CAAAzC,+BAAA,GAAAA,+BAAA","ignoreList":[]}
1
+ {"version":3,"names":["aws","_interopRequireWildcard","require","pulumi","_getIdpConfig","isString","value","configureAdminCognitoFederation","app","config","region","String","process","env","AWS_REGION","userPool","resources","appClient","userPoolClient","userPoolDomain","addResource","cognito","UserPoolDomain","name","domain","certificateArn","undefined","userPoolId","output","id","addOutput","interpolate","idpConfigs","idp","identityProviders","getIdpConfig","type","providerName","toString","toLowerCase","IdentityProvider","push","supportedIdentityProviders","map","providerType","allowedOauthScopes","allowedOauthFlows","allowedOauthFlowsUserPoolClient","callbackUrls","logoutUrls","exports"],"sources":["configure.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport { UserPoolDomainArgs } from \"@pulumi/aws/cognito/userPoolDomain\";\nimport { IdentityProviderArgs } from \"@pulumi/aws/cognito\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport { PulumiApp, PulumiAppResource, PulumiAppResourceConstructor } from \"@webiny/pulumi\";\nimport { getIdpConfig } from \"./getIdpConfig\";\n\nexport type IdentityAttributeMapping = {\n \"custom:id\": string;\n username: string;\n email: string;\n family_name: string;\n given_name: string;\n [key: string]: string;\n};\n\nexport interface CognitoIdentityProvidersConfig {\n domain:\n | string\n | {\n name: UserPoolDomainArgs[\"domain\"];\n certificateArn?: UserPoolDomainArgs[\"certificateArn\"];\n };\n identityProviders: CognitoIdentityProviderConfig[];\n callbackUrls: string[];\n logoutUrls?: string[];\n}\n\nexport interface CognitoIdentityProviderConfig {\n name?: string;\n type: \"google\" | \"facebook\" | \"amazon\" | \"apple\" | \"oidc\";\n providerDetails: IdentityProviderArgs[\"providerDetails\"];\n idpIdentifiers?: IdentityProviderArgs[\"idpIdentifiers\"];\n attributeMapping?: IdentityAttributeMapping;\n}\n\nconst isString = (value?: any): value is string => {\n return typeof value === 
\"string\";\n};\n\nexport const configureAdminCognitoFederation = (\n app: PulumiApp,\n config: CognitoIdentityProvidersConfig\n) => {\n const region = String(process.env.AWS_REGION);\n\n const userPool = app.resources.userPool as PulumiAppResource<\n PulumiAppResourceConstructor<aws.cognito.UserPool>\n >;\n\n const appClient = app.resources.userPoolClient as PulumiAppResource<\n PulumiAppResourceConstructor<aws.cognito.UserPoolClient>\n >;\n\n /**\n * We need to create a user pool domain, which is used to interact with the federated identity providers.\n */\n const userPoolDomain = app.addResource(aws.cognito.UserPoolDomain, {\n name: \"cognitoUserPoolDomain\",\n config: {\n domain: isString(config.domain) ? config.domain : config.domain.name,\n certificateArn: isString(config.domain) ? undefined : config.domain.certificateArn,\n userPoolId: userPool.output.id\n }\n });\n\n app.addOutput(\n \"cognitoUserPoolDomain\",\n pulumi.interpolate`${userPoolDomain.output.domain}.auth.${region}.amazoncognito.com`\n );\n\n const idpConfigs: aws.cognito.IdentityProviderArgs[] = [];\n\n for (const idp of config.identityProviders) {\n const config = getIdpConfig(idp.type, userPool.output.id, idp);\n\n // The idea to lowercase the provider name emerged while working on backwards compatibility issue.\n // Basically, in cases where a user used the OIDC provider and did not specify a name, instead of\n // using `OIDC` as the name, we wanted to ensure `oidc` is used. 
But, what I soon realized is that\n // by simply lowercasing the name, we can avoid the need to check for the provider type and name.\n // And although this will now happen for all providers, it's not a problem since Pulumi requires\n // names to be all lowercase anyway.\n const name = config.providerName.toString().toLowerCase();\n\n app.addResource(aws.cognito.IdentityProvider, { name, config });\n\n idpConfigs.push(config);\n }\n\n appClient.config.supportedIdentityProviders([\n \"COGNITO\",\n ...idpConfigs.map(config => {\n // For built-in identity providers, we use the type as the name. Only for OIDC,\n // we allow the user to provide a custom name, and we only use the type as a fallback.\n if (config.providerType === \"OIDC\") {\n return config.providerName;\n }\n return config.providerType;\n })\n ]);\n\n appClient.config.allowedOauthScopes([\"profile\", \"email\", \"openid\"]);\n appClient.config.allowedOauthFlows([\"implicit\", \"code\"]);\n appClient.config.allowedOauthFlowsUserPoolClient(true);\n appClient.config.callbackUrls(config.callbackUrls);\n appClient.config.logoutUrls(config.logoutUrls ?? 
config.callbackUrls);\n};\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AAGA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AAEA,IAAAE,aAAA,GAAAF,OAAA;AA+BA,MAAMG,QAAQ,GAAIC,KAAW,IAAsB;EAC/C,OAAO,OAAOA,KAAK,KAAK,QAAQ;AACpC,CAAC;AAEM,MAAMC,+BAA+B,GAAGA,CAC3CC,GAAc,EACdC,MAAsC,KACrC;EACD,MAAMC,MAAM,GAAGC,MAAM,CAACC,OAAO,CAACC,GAAG,CAACC,UAAU,CAAC;EAE7C,MAAMC,QAAQ,GAAGP,GAAG,CAACQ,SAAS,CAACD,QAE9B;EAED,MAAME,SAAS,GAAGT,GAAG,CAACQ,SAAS,CAACE,cAE/B;;EAED;AACJ;AACA;EACI,MAAMC,cAAc,GAAGX,GAAG,CAACY,WAAW,CAACpB,GAAG,CAACqB,OAAO,CAACC,cAAc,EAAE;IAC/DC,IAAI,EAAE,uBAAuB;IAC7Bd,MAAM,EAAE;MACJe,MAAM,EAAEnB,QAAQ,CAACI,MAAM,CAACe,MAAM,CAAC,GAAGf,MAAM,CAACe,MAAM,GAAGf,MAAM,CAACe,MAAM,CAACD,IAAI;MACpEE,cAAc,EAAEpB,QAAQ,CAACI,MAAM,CAACe,MAAM,CAAC,GAAGE,SAAS,GAAGjB,MAAM,CAACe,MAAM,CAACC,cAAc;MAClFE,UAAU,EAAEZ,QAAQ,CAACa,MAAM,CAACC;IAChC;EACJ,CAAC,CAAC;EAEFrB,GAAG,CAACsB,SAAS,CACT,uBAAuB,EACvB3B,MAAM,CAAC4B,WAAW,GAAGZ,cAAc,CAACS,MAAM,CAACJ,MAAM,SAASd,MAAM,oBACpE,CAAC;EAED,MAAMsB,UAA8C,GAAG,EAAE;EAEzD,KAAK,MAAMC,GAAG,IAAIxB,MAAM,CAACyB,iBAAiB,EAAE;IACxC,MAAMzB,MAAM,GAAG,IAAA0B,0BAAY,EAACF,GAAG,CAACG,IAAI,EAAErB,QAAQ,CAACa,MAAM,CAACC,EAAE,EAAEI,GAAG,CAAC;;IAE9D;IACA;IACA;IACA;IACA;IACA;IACA,MAAMV,IAAI,GAAGd,MAAM,CAAC4B,YAAY,CAACC,QAAQ,CAAC,CAAC,CAACC,WAAW,CAAC,CAAC;IAEzD/B,GAAG,CAACY,WAAW,CAACpB,GAAG,CAACqB,OAAO,CAACmB,gBAAgB,EAAE;MAAEjB,IAAI;MAAEd;IAAO,CAAC,CAAC;IAE/DuB,UAAU,CAACS,IAAI,CAAChC,MAAM,CAAC;EAC3B;EAEAQ,SAAS,CAACR,MAAM,CAACiC,0BAA0B,CAAC,CACxC,SAAS,EACT,GAAGV,UAAU,CAACW,GAAG,CAAClC,MAAM,IAAI;IACxB;IACA;IACA,IAAIA,MAAM,CAACmC,YAAY,KAAK,MAAM,EAAE;MAChC,OAAOnC,MAAM,CAAC4B,YAAY;IAC9B;IACA,OAAO5B,MAAM,CAACmC,YAAY;EAC9B,CAAC,CAAC,CACL,CAAC;EAEF3B,SAAS,CAACR,MAAM,CAACoC,kBAAkB,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;EACnE5B,SAAS,CAACR,MAAM,CAACqC,iBAAiB,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;EACxD7B,SAAS,CAACR,MAAM,CAACsC,+BAA+B,CAAC,IAAI,CAAC;EACtD9B,SAAS,CAACR,MAAM,CAACuC,YAAY,CAACvC,MAAM,CAACuC,YAAY,CAAC;EAClD/B,SAAS,CAACR,MAAM,CAACwC,UAAU,CAACxC,MAAM,CAACwC,UAAU,IAAIxC,MAAM,
CAACuC,YAAY,CAAC;AACzE,CAAC;AAACE,OAAA,CAAA3C,+BAAA,GAAAA,+BAAA","ignoreList":[]}
@@ -0,0 +1,2 @@
1
+ import { ApiPulumiApp } from "../../index";
2
+ export declare const handleGuardDutyEvents: (app: ApiPulumiApp) => void;
@@ -0,0 +1,60 @@
1
+ "use strict";
2
+
3
+ var _interopRequireWildcard = require("@babel/runtime/helpers/interopRequireWildcard").default;
4
+ Object.defineProperty(exports, "__esModule", {
5
+ value: true
6
+ });
7
+ exports.handleGuardDutyEvents = void 0;
8
+ var aws = _interopRequireWildcard(require("@pulumi/aws"));
9
+ var _ = require("../..");
10
+ const handleGuardDutyEvents = app => {
11
+ const core = app.getModule(_.CoreOutput);
12
+ const graphql = app.resources.graphql.functions.graphql;
13
+ const baseConfig = graphql.config.clone();
14
+ const threatDetectionHandler = app.addResource(aws.lambda.Function, {
15
+ name: "fm-threat-detection",
16
+ config: {
17
+ ...baseConfig,
18
+ memorySize: 1024,
19
+ description: "Handles Guard Duty threat scan results.",
20
+ environment: {
21
+ variables: graphql.output.environment.apply(env => {
22
+ return {
23
+ WEBINY_FUNCTION_TYPE: "threat-detection-event-handler",
24
+ ...env?.variables
25
+ };
26
+ })
27
+ }
28
+ }
29
+ });
30
+ const eventRule = app.addResource(aws.cloudwatch.EventRule, {
31
+ name: `fm-bucket-malware-protection-event-rule`,
32
+ config: {
33
+ eventBusName: core.eventBusName,
34
+ eventPattern: JSON.stringify({
35
+ source: ["aws.guardduty"],
36
+ "detail-type": ["GuardDuty Malware Protection Object Scan Result"]
37
+ })
38
+ }
39
+ });
40
+ app.addResource(aws.lambda.Permission, {
41
+ name: "fm-bucket-malware-protection-event-permission",
42
+ config: {
43
+ action: "lambda:InvokeFunction",
44
+ function: threatDetectionHandler.output.arn,
45
+ principal: "events.amazonaws.com",
46
+ sourceArn: eventRule.output.arn
47
+ }
48
+ });
49
+ app.addResource(aws.cloudwatch.EventTarget, {
50
+ name: `fm-bucket-malware-protection-event-target`,
51
+ config: {
52
+ rule: eventRule.output.name,
53
+ arn: threatDetectionHandler.output.arn,
54
+ eventBusName: core.eventBusName
55
+ }
56
+ });
57
+ };
58
+ exports.handleGuardDutyEvents = handleGuardDutyEvents;
59
+
60
+ //# sourceMappingURL=handleGuardDutyEvents.js.map
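Review bot: In the `environment.variables` callback, `WEBINY_FUNCTION_TYPE` is written before `...env?.variables`, so a value under the same key inherited from the GraphQL function's environment would override `"threat-detection-event-handler"`; placing the spread first, `return { ...env?.variables, WEBINY_FUNCTION_TYPE: "threat-detection-event-handler" };`, makes the handler type authoritative. Whether the GraphQL environment sets that key is not visible here. Separately, `...baseConfig` copies the GraphQL function's whole configuration, which presumably includes its IAM role, so the scan-result handler would run with the API's full permissions and environment; a dedicated role limited to what the handler needs would follow least privilege. The event rule matches every GuardDuty object scan result on the bus, so if only the File Manager bucket is relevant, a comment saying the handler filters by bucket, or a bucket filter in `eventPattern`, would make that explicit.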
@@ -0,0 +1 @@
1
+ {"version":3,"names":["aws","_interopRequireWildcard","require","_","handleGuardDutyEvents","app","core","getModule","CoreOutput","graphql","resources","functions","baseConfig","config","clone","threatDetectionHandler","addResource","lambda","Function","name","memorySize","description","environment","variables","output","apply","env","WEBINY_FUNCTION_TYPE","eventRule","cloudwatch","EventRule","eventBusName","eventPattern","JSON","stringify","source","Permission","action","function","arn","principal","sourceArn","EventTarget","rule","exports"],"sources":["handleGuardDutyEvents.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport { ApiPulumiApp, CoreOutput } from \"~/index\";\n\nexport const handleGuardDutyEvents = (app: ApiPulumiApp) => {\n const core = app.getModule(CoreOutput);\n const graphql = app.resources.graphql.functions.graphql;\n\n const baseConfig = graphql.config.clone();\n\n const threatDetectionHandler = app.addResource(aws.lambda.Function, {\n name: \"fm-threat-detection\",\n config: {\n ...baseConfig,\n memorySize: 1024,\n description: \"Handles Guard Duty threat scan results.\",\n environment: {\n variables: graphql.output.environment.apply(env => {\n return {\n WEBINY_FUNCTION_TYPE: \"threat-detection-event-handler\",\n ...env?.variables\n };\n })\n }\n }\n });\n\n const eventRule = app.addResource(aws.cloudwatch.EventRule, {\n name: `fm-bucket-malware-protection-event-rule`,\n config: {\n eventBusName: core.eventBusName,\n eventPattern: JSON.stringify({\n source: [\"aws.guardduty\"],\n \"detail-type\": [\"GuardDuty Malware Protection Object Scan Result\"]\n })\n }\n });\n\n app.addResource(aws.lambda.Permission, {\n name: \"fm-bucket-malware-protection-event-permission\",\n config: {\n action: \"lambda:InvokeFunction\",\n function: threatDetectionHandler.output.arn,\n principal: \"events.amazonaws.com\",\n sourceArn: eventRule.output.arn\n }\n });\n\n app.addResource(aws.cloudwatch.EventTarget, {\n name: 
`fm-bucket-malware-protection-event-target`,\n config: {\n rule: eventRule.output.name,\n arn: threatDetectionHandler.output.arn,\n eventBusName: core.eventBusName\n }\n });\n};\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,CAAA,GAAAD,OAAA;AAEO,MAAME,qBAAqB,GAAIC,GAAiB,IAAK;EACxD,MAAMC,IAAI,GAAGD,GAAG,CAACE,SAAS,CAACC,YAAU,CAAC;EACtC,MAAMC,OAAO,GAAGJ,GAAG,CAACK,SAAS,CAACD,OAAO,CAACE,SAAS,CAACF,OAAO;EAEvD,MAAMG,UAAU,GAAGH,OAAO,CAACI,MAAM,CAACC,KAAK,CAAC,CAAC;EAEzC,MAAMC,sBAAsB,GAAGV,GAAG,CAACW,WAAW,CAAChB,GAAG,CAACiB,MAAM,CAACC,QAAQ,EAAE;IAChEC,IAAI,EAAE,qBAAqB;IAC3BN,MAAM,EAAE;MACJ,GAAGD,UAAU;MACbQ,UAAU,EAAE,IAAI;MAChBC,WAAW,EAAE,yCAAyC;MACtDC,WAAW,EAAE;QACTC,SAAS,EAAEd,OAAO,CAACe,MAAM,CAACF,WAAW,CAACG,KAAK,CAACC,GAAG,IAAI;UAC/C,OAAO;YACHC,oBAAoB,EAAE,gCAAgC;YACtD,GAAGD,GAAG,EAAEH;UACZ,CAAC;QACL,CAAC;MACL;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMK,SAAS,GAAGvB,GAAG,CAACW,WAAW,CAAChB,GAAG,CAAC6B,UAAU,CAACC,SAAS,EAAE;IACxDX,IAAI,EAAE,yCAAyC;IAC/CN,MAAM,EAAE;MACJkB,YAAY,EAAEzB,IAAI,CAACyB,YAAY;MAC/BC,YAAY,EAAEC,IAAI,CAACC,SAAS,CAAC;QACzBC,MAAM,EAAE,CAAC,eAAe,CAAC;QACzB,aAAa,EAAE,CAAC,iDAAiD;MACrE,CAAC;IACL;EACJ,CAAC,CAAC;EAEF9B,GAAG,CAACW,WAAW,CAAChB,GAAG,CAACiB,MAAM,CAACmB,UAAU,EAAE;IACnCjB,IAAI,EAAE,+CAA+C;IACrDN,MAAM,EAAE;MACJwB,MAAM,EAAE,uBAAuB;MAC/BC,QAAQ,EAAEvB,sBAAsB,CAACS,MAAM,CAACe,GAAG;MAC3CC,SAAS,EAAE,sBAAsB;MACjCC,SAAS,EAAEb,SAAS,CAACJ,MAAM,CAACe;IAChC;EACJ,CAAC,CAAC;EAEFlC,GAAG,CAACW,WAAW,CAAChB,GAAG,CAAC6B,UAAU,CAACa,WAAW,EAAE;IACxCvB,IAAI,EAAE,2CAA2C;IACjDN,MAAM,EAAE;MACJ8B,IAAI,EAAEf,SAAS,CAACJ,MAAM,CAACL,IAAI;MAC3BoB,GAAG,EAAExB,sBAAsB,CAACS,MAAM,CAACe,GAAG;MACtCR,YAAY,EAAEzB,IAAI,CAACyB;IACvB;EACJ,CAAC,CAAC;AACN,CAAC;AAACa,OAAA,CAAAxC,qBAAA,GAAAA,qBAAA","ignoreList":[]}
@@ -0,0 +1,2 @@
1
+ import type { CorePulumiApp } from "..";
2
+ export declare const configureS3BucketMalwareProtection: (app: CorePulumiApp) => void;
@@ -0,0 +1,203 @@
1
+ "use strict";
2
+
3
+ var _interopRequireWildcard = require("@babel/runtime/helpers/interopRequireWildcard").default;
4
+ Object.defineProperty(exports, "__esModule", {
5
+ value: true
6
+ });
7
+ exports.configureS3BucketMalwareProtection = void 0;
8
+ var pulumi = _interopRequireWildcard(require("@pulumi/pulumi"));
9
+ var aws = _interopRequireWildcard(require("@pulumi/aws"));
10
+ var _awsUtils = require("../../apps/awsUtils");
11
+ const configureS3BucketMalwareProtection = app => {
12
+ const awsAccountId = (0, _awsUtils.getAwsAccountId)(app);
13
+ const awsRegion = (0, _awsUtils.getAwsRegion)(app);
14
+ const eventBus = app.resources.eventBus;
15
+ const bucket = app.resources.fileManagerBucket.output;
16
+ const currentAccount = {
17
+ StringEquals: {
18
+ "aws:ResourceAccount": awsAccountId
19
+ }
20
+ };
21
+ const managedByGuardDuty = {
22
+ StringEquals: {
23
+ "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
24
+ }
25
+ };
26
+ const assumeRole = aws.iam.getPolicyDocument({
27
+ statements: [{
28
+ effect: "Allow",
29
+ principals: [{
30
+ type: "Service",
31
+ identifiers: ["malware-protection-plan.guardduty.amazonaws.com"]
32
+ }],
33
+ actions: ["sts:AssumeRole"]
34
+ }]
35
+ });
36
+ const role = app.addResource(aws.iam.Role, {
37
+ name: "fm-bucket-guardduty-role",
38
+ config: {
39
+ assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json)
40
+ }
41
+ });
42
+ const policy = app.addResource(aws.iam.Policy, {
43
+ name: `fm-bucket-guardduty-role-policy`,
44
+ config: {
45
+ description: "This policy enables GuardDuty to interact with the S3 bucket.",
46
+ policy: {
47
+ Version: "2012-10-17",
48
+ Statement: [{
49
+ Sid: "AllowManagedRuleToSendS3EventsToGuardDuty",
50
+ Effect: "Allow",
51
+ Action: ["events:PutRule"],
52
+ Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`],
53
+ Condition: {
54
+ ...managedByGuardDuty,
55
+ "ForAllValues:StringEquals": {
56
+ "events:source": "aws.s3",
57
+ "events:detail-type": ["Object Created", "AWS API Call via CloudTrail"]
58
+ },
59
+ Null: {
60
+ "events:source": "false",
61
+ "events:detail-type": "false"
62
+ }
63
+ }
64
+ }, {
65
+ Sid: "AllowUpdateTargetAndDeleteManagedRule",
66
+ Effect: "Allow",
67
+ Action: ["events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
68
+ Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`],
69
+ Condition: {
70
+ ...managedByGuardDuty
71
+ }
72
+ }, {
73
+ Sid: "AllowGuardDutyToMonitorEventBridgeManagedRule",
74
+ Effect: "Allow",
75
+ Action: ["events:DescribeRule", "events:ListTargetsByRule"],
76
+ Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`]
77
+ }, {
78
+ Sid: "AllowPostScanTag",
79
+ Effect: "Allow",
80
+ Action: ["s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
81
+ Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],
82
+ Condition: {
83
+ ...currentAccount
84
+ }
85
+ }, {
86
+ Sid: "AllowEnableS3EventBridgeEvents",
87
+ Effect: "Allow",
88
+ Action: ["s3:PutBucketNotification", "s3:GetBucketNotification"],
89
+ Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],
90
+ Condition: {
91
+ ...currentAccount
92
+ }
93
+ }, {
94
+ Sid: "AllowPutValidationObject",
95
+ Effect: "Allow",
96
+ Action: ["s3:PutObject"],
97
+ Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`],
98
+ Condition: {
99
+ ...currentAccount
100
+ }
101
+ }, {
102
+ Sid: "AllowCheckBucketOwnership",
103
+ Effect: "Allow",
104
+ Action: ["s3:ListBucket"],
105
+ Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],
106
+ Condition: {
107
+ ...currentAccount
108
+ }
109
+ }, {
110
+ Sid: "AllowMalwareScan",
111
+ Effect: "Allow",
112
+ Action: ["s3:GetObject", "s3:GetObjectVersion"],
113
+ Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],
114
+ Condition: {
115
+ ...currentAccount
116
+ }
117
+ }]
118
+ }
119
+ }
120
+ });
121
+ app.addResource(aws.iam.RolePolicyAttachment, {
122
+ name: `fm-bucket-malware-protection-role-policy-attachment`,
123
+ config: {
124
+ role: role.output.name,
125
+ policyArn: policy.output.arn
126
+ }
127
+ });
128
+ app.addResource(aws.guardduty.MalwareProtectionPlan, {
129
+ name: `fm-bucket-malware-protection-plan`,
130
+ config: {
131
+ role: role.output.arn,
132
+ protectedResource: {
133
+ s3Bucket: {
134
+ bucketName: bucket.bucket
135
+ }
136
+ }
137
+ }
138
+ });
139
+
140
+ // FORWARD EVENTS FROM "DEFAULT" TO CUSTOM EVENT BUS.
141
+
142
+ // Create an IAM Role for EventBridge to forward events
143
+ const eventBridgeRole = app.addResource(aws.iam.Role, {
144
+ name: "guard-duty-forward-events-role",
145
+ config: {
146
+ assumeRolePolicy: JSON.stringify({
147
+ Version: "2012-10-17",
148
+ Statement: [{
149
+ Effect: "Allow",
150
+ Principal: {
151
+ Service: "events.amazonaws.com"
152
+ },
153
+ Action: "sts:AssumeRole"
154
+ }]
155
+ })
156
+ }
157
+ });
158
+
159
+ // Attach Policy to Allow EventBridge to PutEvents on Custom Event Bus
160
+ app.addResource(aws.iam.RolePolicy, {
161
+ name: "guard-duty-forward-events-policy",
162
+ config: {
163
+ role: eventBridgeRole.output,
164
+ policy: pulumi.output(eventBus.output.arn).apply(arn => JSON.stringify({
165
+ Version: "2012-10-17",
166
+ Statement: [{
167
+ Effect: "Allow",
168
+ Action: "events:PutEvents",
169
+ Resource: arn
170
+ }]
171
+ }))
172
+ }
173
+ });
174
+ const forwardToCustomBusRule = app.addResource(aws.cloudwatch.EventRule, {
175
+ name: "forward-events-from-default-to-custom-bus-rule",
176
+ config: {
177
+ eventBusName: "default",
178
+ eventPattern: bucket.bucket.apply(name => JSON.stringify({
179
+ source: ["aws.guardduty"],
180
+ "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
181
+ detail: {
182
+ s3ObjectDetails: {
183
+ bucketName: [name]
184
+ }
185
+ }
186
+ }))
187
+ }
188
+ });
189
+
190
+ // Target: Send events to the custom event bus
191
+ app.addResource(aws.cloudwatch.EventTarget, {
192
+ name: "forward-events-from-default-to-custom-bus-target",
193
+ config: {
194
+ rule: forwardToCustomBusRule.output.name,
195
+ roleArn: eventBridgeRole.output.arn,
196
+ eventBusName: "default",
197
+ arn: eventBus.output.arn
198
+ }
199
+ });
200
+ };
201
+ exports.configureS3BucketMalwareProtection = configureS3BucketMalwareProtection;
202
+
203
+ //# sourceMappingURL=configureS3BucketMalwareProtection.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"names":["pulumi","_interopRequireWildcard","require","aws","_awsUtils","configureS3BucketMalwareProtection","app","awsAccountId","getAwsAccountId","awsRegion","getAwsRegion","eventBus","resources","bucket","fileManagerBucket","output","currentAccount","StringEquals","managedByGuardDuty","assumeRole","iam","getPolicyDocument","statements","effect","principals","type","identifiers","actions","role","addResource","Role","name","config","assumeRolePolicy","then","json","policy","Policy","description","Version","Statement","Sid","Effect","Action","Resource","interpolate","Condition","Null","RolePolicyAttachment","policyArn","arn","guardduty","MalwareProtectionPlan","protectedResource","s3Bucket","bucketName","eventBridgeRole","JSON","stringify","Principal","Service","RolePolicy","apply","forwardToCustomBusRule","cloudwatch","EventRule","eventBusName","eventPattern","source","detail","s3ObjectDetails","EventTarget","rule","roleArn","exports"],"sources":["configureS3BucketMalwareProtection.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport type { CorePulumiApp } from \"~/enterprise\";\nimport { getAwsAccountId, getAwsRegion } from \"~/apps/awsUtils\";\n\nexport const configureS3BucketMalwareProtection = (app: CorePulumiApp) => {\n const awsAccountId = getAwsAccountId(app);\n const awsRegion = getAwsRegion(app);\n const eventBus = app.resources.eventBus;\n\n const bucket = app.resources.fileManagerBucket.output;\n\n const currentAccount = {\n StringEquals: {\n \"aws:ResourceAccount\": awsAccountId\n }\n };\n\n const managedByGuardDuty = {\n StringEquals: {\n \"events:ManagedBy\": \"malware-protection-plan.guardduty.amazonaws.com\"\n }\n };\n\n const assumeRole = aws.iam.getPolicyDocument({\n statements: [\n {\n effect: \"Allow\",\n principals: [\n {\n type: \"Service\",\n identifiers: [\"malware-protection-plan.guardduty.amazonaws.com\"]\n }\n ],\n actions: [\"sts:AssumeRole\"]\n }\n ]\n 
});\n\n const role = app.addResource(aws.iam.Role, {\n name: \"fm-bucket-guardduty-role\",\n config: {\n assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json)\n }\n });\n\n const policy = app.addResource(aws.iam.Policy, {\n name: `fm-bucket-guardduty-role-policy`,\n config: {\n description: \"This policy enables GuardDuty to interact with the S3 bucket.\",\n policy: {\n Version: \"2012-10-17\",\n Statement: [\n {\n Sid: \"AllowManagedRuleToSendS3EventsToGuardDuty\",\n Effect: \"Allow\",\n Action: [\"events:PutRule\"],\n Resource: [\n pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n ],\n Condition: {\n ...managedByGuardDuty,\n \"ForAllValues:StringEquals\": {\n \"events:source\": \"aws.s3\",\n \"events:detail-type\": [\n \"Object Created\",\n \"AWS API Call via CloudTrail\"\n ]\n },\n Null: {\n \"events:source\": \"false\",\n \"events:detail-type\": \"false\"\n }\n }\n },\n {\n Sid: \"AllowUpdateTargetAndDeleteManagedRule\",\n Effect: \"Allow\",\n Action: [\"events:DeleteRule\", \"events:PutTargets\", \"events:RemoveTargets\"],\n Resource: [\n pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n ],\n Condition: {\n ...managedByGuardDuty\n }\n },\n {\n Sid: \"AllowGuardDutyToMonitorEventBridgeManagedRule\",\n Effect: \"Allow\",\n Action: [\"events:DescribeRule\", \"events:ListTargetsByRule\"],\n Resource: [\n pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n ]\n },\n {\n Sid: \"AllowPostScanTag\",\n Effect: \"Allow\",\n Action: [\n \"s3:GetObjectTagging\",\n \"s3:GetObjectVersionTagging\",\n \"s3:PutObjectTagging\",\n \"s3:PutObjectVersionTagging\"\n ],\n Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n Condition: {\n ...currentAccount\n }\n },\n {\n Sid: \"AllowEnableS3EventBridgeEvents\",\n Effect: \"Allow\",\n Action: 
[\"s3:PutBucketNotification\", \"s3:GetBucketNotification\"],\n Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n Condition: {\n ...currentAccount\n }\n },\n {\n Sid: \"AllowPutValidationObject\",\n Effect: \"Allow\",\n Action: [\"s3:PutObject\"],\n Resource: [\n pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`\n ],\n Condition: {\n ...currentAccount\n }\n },\n {\n Sid: \"AllowCheckBucketOwnership\",\n Effect: \"Allow\",\n Action: [\"s3:ListBucket\"],\n Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n Condition: {\n ...currentAccount\n }\n },\n {\n Sid: \"AllowMalwareScan\",\n Effect: \"Allow\",\n Action: [\"s3:GetObject\", \"s3:GetObjectVersion\"],\n Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n Condition: {\n ...currentAccount\n }\n }\n ]\n }\n }\n });\n\n app.addResource(aws.iam.RolePolicyAttachment, {\n name: `fm-bucket-malware-protection-role-policy-attachment`,\n config: {\n role: role.output.name,\n policyArn: policy.output.arn\n }\n });\n\n app.addResource(aws.guardduty.MalwareProtectionPlan, {\n name: `fm-bucket-malware-protection-plan`,\n config: {\n role: role.output.arn,\n protectedResource: {\n s3Bucket: {\n bucketName: bucket.bucket\n }\n }\n }\n });\n\n // FORWARD EVENTS FROM \"DEFAULT\" TO CUSTOM EVENT BUS.\n\n // Create an IAM Role for EventBridge to forward events\n const eventBridgeRole = app.addResource(aws.iam.Role, {\n name: \"guard-duty-forward-events-role\",\n config: {\n assumeRolePolicy: JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [\n {\n Effect: \"Allow\",\n Principal: { Service: \"events.amazonaws.com\" },\n Action: \"sts:AssumeRole\"\n }\n ]\n })\n }\n });\n\n // Attach Policy to Allow EventBridge to PutEvents on Custom Event Bus\n app.addResource(aws.iam.RolePolicy, {\n name: \"guard-duty-forward-events-policy\",\n config: {\n role: eventBridgeRole.output,\n policy: pulumi.output(eventBus.output.arn).apply(arn =>\n 
JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [\n {\n Effect: \"Allow\",\n Action: \"events:PutEvents\",\n Resource: arn\n }\n ]\n })\n )\n }\n });\n\n const forwardToCustomBusRule = app.addResource(aws.cloudwatch.EventRule, {\n name: \"forward-events-from-default-to-custom-bus-rule\",\n config: {\n eventBusName: \"default\",\n eventPattern: bucket.bucket.apply(name =>\n JSON.stringify({\n source: [\"aws.guardduty\"],\n \"detail-type\": [\"GuardDuty Malware Protection Object Scan Result\"],\n detail: {\n s3ObjectDetails: {\n bucketName: [name]\n }\n }\n })\n )\n }\n });\n\n // Target: Send events to the custom event bus\n app.addResource(aws.cloudwatch.EventTarget, {\n name: \"forward-events-from-default-to-custom-bus-target\",\n config: {\n rule: forwardToCustomBusRule.output.name,\n roleArn: eventBridgeRole.output.arn,\n eventBusName: \"default\",\n arn: eventBus.output.arn\n }\n });\n};\n"],"mappings":";;;;;;;AAAA,IAAAA,MAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,GAAA,GAAAF,uBAAA,CAAAC,OAAA;AAEA,IAAAE,SAAA,GAAAF,OAAA;AAEO,MAAMG,kCAAkC,GAAIC,GAAkB,IAAK;EACtE,MAAMC,YAAY,GAAG,IAAAC,yBAAe,EAACF,GAAG,CAAC;EACzC,MAAMG,SAAS,GAAG,IAAAC,sBAAY,EAACJ,GAAG,CAAC;EACnC,MAAMK,QAAQ,GAAGL,GAAG,CAACM,SAAS,CAACD,QAAQ;EAEvC,MAAME,MAAM,GAAGP,GAAG,CAACM,SAAS,CAACE,iBAAiB,CAACC,MAAM;EAErD,MAAMC,cAAc,GAAG;IACnBC,YAAY,EAAE;MACV,qBAAqB,EAAEV;IAC3B;EACJ,CAAC;EAED,MAAMW,kBAAkB,GAAG;IACvBD,YAAY,EAAE;MACV,kBAAkB,EAAE;IACxB;EACJ,CAAC;EAED,MAAME,UAAU,GAAGhB,GAAG,CAACiB,GAAG,CAACC,iBAAiB,CAAC;IACzCC,UAAU,EAAE,CACR;MACIC,MAAM,EAAE,OAAO;MACfC,UAAU,EAAE,CACR;QACIC,IAAI,EAAE,SAAS;QACfC,WAAW,EAAE,CAAC,iDAAiD;MACnE,CAAC,CACJ;MACDC,OAAO,EAAE,CAAC,gBAAgB;IAC9B,CAAC;EAET,CAAC,CAAC;EAEF,MAAMC,IAAI,GAAGtB,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAACiB,GAAG,CAACU,IAAI,EAAE;IACvCC,IAAI,EAAE,0BAA0B;IAChCC,MAAM,EAAE;MACJC,gBAAgB,EAAEd,UAAU,CAACe,IAAI,CAACf,UAAU,IAAIA,UAAU,CAACgB,IAAI;IACnE;EACJ,CAAC,CAAC;EAEF,MAAMC,MAAM,GAAG9B,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAACiB,GAAG,CAACiB,MAAM,EAAE;IAC3CN,IAAI,EAAE,iCAAiC;IACvCC,
MAAM,EAAE;MACJM,WAAW,EAAE,+DAA+D;MAC5EF,MAAM,EAAE;QACJG,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIC,GAAG,EAAE,2CAA2C;UAChDC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,gBAAgB,CAAC;UAC1BC,QAAQ,EAAE,CACN5C,MAAM,CAAC6C,WAAW,kBAAkBpC,SAAS,IAAIF,YAAY,yDAAyD,CACzH;UACDuC,SAAS,EAAE;YACP,GAAG5B,kBAAkB;YACrB,2BAA2B,EAAE;cACzB,eAAe,EAAE,QAAQ;cACzB,oBAAoB,EAAE,CAClB,gBAAgB,EAChB,6BAA6B;YAErC,CAAC;YACD6B,IAAI,EAAE;cACF,eAAe,EAAE,OAAO;cACxB,oBAAoB,EAAE;YAC1B;UACJ;QACJ,CAAC,EACD;UACIN,GAAG,EAAE,uCAAuC;UAC5CC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,sBAAsB,CAAC;UAC1EC,QAAQ,EAAE,CACN5C,MAAM,CAAC6C,WAAW,kBAAkBpC,SAAS,IAAIF,YAAY,yDAAyD,CACzH;UACDuC,SAAS,EAAE;YACP,GAAG5B;UACP;QACJ,CAAC,EACD;UACIuB,GAAG,EAAE,+CAA+C;UACpDC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,qBAAqB,EAAE,0BAA0B,CAAC;UAC3DC,QAAQ,EAAE,CACN5C,MAAM,CAAC6C,WAAW,kBAAkBpC,SAAS,IAAIF,YAAY,yDAAyD;QAE9H,CAAC,EACD;UACIkC,GAAG,EAAE,kBAAkB;UACvBC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CACJ,qBAAqB,EACrB,4BAA4B,EAC5B,qBAAqB,EACrB,4BAA4B,CAC/B;UACDC,QAAQ,EAAE,CAAC5C,MAAM,CAAC6C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,IAAI,CAAC;UAC/DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,gCAAgC;UACrCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,0BAA0B,EAAE,0BAA0B,CAAC;UAChEC,QAAQ,EAAE,CAAC5C,MAAM,CAAC6C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,EAAE,CAAC;UAC7DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,0BAA0B;UAC/BC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,cAAc,CAAC;UACxBC,QAAQ,EAAE,CACN5C,MAAM,CAAC6C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,gDAAgD,CAClG;UACDiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,2BAA2B;UAChCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,eAAe,CAAC;UACzBC,QAAQ,EAAE,CAAC5C,MAAM,CAAC6C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,EAAE,CAAC;UAC7DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,kBAAkB;UACvBC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,cAAc,EAAE,qBAAqB,CAAC;UAC/CC,QAAQ,EAAE,CAAC5C,MAAM,CAAC6C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,IAAI,CAAC;UAC/DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;EAEFV,GAAG,CAACuB,WAAW,CA
AC1B,GAAG,CAACiB,GAAG,CAAC4B,oBAAoB,EAAE;IAC1CjB,IAAI,EAAE,qDAAqD;IAC3DC,MAAM,EAAE;MACJJ,IAAI,EAAEA,IAAI,CAACb,MAAM,CAACgB,IAAI;MACtBkB,SAAS,EAAEb,MAAM,CAACrB,MAAM,CAACmC;IAC7B;EACJ,CAAC,CAAC;EAEF5C,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAACgD,SAAS,CAACC,qBAAqB,EAAE;IACjDrB,IAAI,EAAE,mCAAmC;IACzCC,MAAM,EAAE;MACJJ,IAAI,EAAEA,IAAI,CAACb,MAAM,CAACmC,GAAG;MACrBG,iBAAiB,EAAE;QACfC,QAAQ,EAAE;UACNC,UAAU,EAAE1C,MAAM,CAACA;QACvB;MACJ;IACJ;EACJ,CAAC,CAAC;;EAEF;;EAEA;EACA,MAAM2C,eAAe,GAAGlD,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAACiB,GAAG,CAACU,IAAI,EAAE;IAClDC,IAAI,EAAE,gCAAgC;IACtCC,MAAM,EAAE;MACJC,gBAAgB,EAAEwB,IAAI,CAACC,SAAS,CAAC;QAC7BnB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIE,MAAM,EAAE,OAAO;UACfiB,SAAS,EAAE;YAAEC,OAAO,EAAE;UAAuB,CAAC;UAC9CjB,MAAM,EAAE;QACZ,CAAC;MAET,CAAC;IACL;EACJ,CAAC,CAAC;;EAEF;EACArC,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAACiB,GAAG,CAACyC,UAAU,EAAE;IAChC9B,IAAI,EAAE,kCAAkC;IACxCC,MAAM,EAAE;MACJJ,IAAI,EAAE4B,eAAe,CAACzC,MAAM;MAC5BqB,MAAM,EAAEpC,MAAM,CAACe,MAAM,CAACJ,QAAQ,CAACI,MAAM,CAACmC,GAAG,CAAC,CAACY,KAAK,CAACZ,GAAG,IAChDO,IAAI,CAACC,SAAS,CAAC;QACXnB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIE,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,kBAAkB;UAC1BC,QAAQ,EAAEM;QACd,CAAC;MAET,CAAC,CACL;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMa,sBAAsB,GAAGzD,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAAC6D,UAAU,CAACC,SAAS,EAAE;IACrElC,IAAI,EAAE,gDAAgD;IACtDC,MAAM,EAAE;MACJkC,YAAY,EAAE,SAAS;MACvBC,YAAY,EAAEtD,MAAM,CAACA,MAAM,CAACiD,KAAK,CAAC/B,IAAI,IAClC0B,IAAI,CAACC,SAAS,CAAC;QACXU,MAAM,EAAE,CAAC,eAAe,CAAC;QACzB,aAAa,EAAE,CAAC,iDAAiD,CAAC;QAClEC,MAAM,EAAE;UACJC,eAAe,EAAE;YACbf,UAAU,EAAE,CAACxB,IAAI;UACrB;QACJ;MACJ,CAAC,CACL;IACJ;EACJ,CAAC,CAAC;;EAEF;EACAzB,GAAG,CAACuB,WAAW,CAAC1B,GAAG,CAAC6D,UAAU,CAACO,WAAW,EAAE;IACxCxC,IAAI,EAAE,kDAAkD;IACxDC,MAAM,EAAE;MACJwC,IAAI,EAAET,sBAAsB,CAAChD,MAAM,CAACgB,IAAI;MACxC0C,OAAO,EAAEjB,eAAe,CAACzC,MAAM,CAACmC,GAAG;MACnCgB,YAAY,EAAE,SAAS;MACvBhB,GAAG,EAAEvC,QAAQ,CAACI,MAAM,CAACmC;IACzB;EACJ,CAAC,CAAC;AACN,CAAC;AAACwB,OAAA,CAAArE,kCAAA,GAAAA,kCAAA","ignoreList":[]}
@@ -1,6 +1,6 @@
1
1
  import * as aws from "@pulumi/aws";
2
- import { CreateApiPulumiAppParams as BaseCreateApiPulumiAppParams } from "../apps/api/createApiPulumiApp";
3
2
  import { PulumiAppParam } from "@webiny/pulumi";
3
+ import { CreateApiPulumiAppParams as BaseCreateApiPulumiAppParams } from "../apps/api/createApiPulumiApp";
4
4
  export type ApiPulumiApp = ReturnType<typeof createApiPulumiApp>;
5
5
  export type ApiPulumiAppAdvancedVpcParams = Partial<{
6
6
  useExistingVpc: {
@@ -6,8 +6,10 @@ Object.defineProperty(exports, "__esModule", {
6
6
  });
7
7
  exports.createApiPulumiApp = createApiPulumiApp;
8
8
  var aws = _interopRequireWildcard(require("@pulumi/aws"));
9
- var _createApiPulumiApp = require("../apps/api/createApiPulumiApp");
10
9
  var _pulumi = require("@webiny/pulumi");
10
+ var _wcp = require("@webiny/wcp");
11
+ var _createApiPulumiApp = require("../apps/api/createApiPulumiApp");
12
+ var _handleGuardDutyEvents = require("./api/handleGuardDutyEvents");
11
13
  function createApiPulumiApp(projectAppParams = {}) {
12
14
  return (0, _createApiPulumiApp.createApiPulumiApp)({
13
15
  ...projectAppParams,
@@ -16,24 +18,38 @@ function createApiPulumiApp(projectAppParams = {}) {
16
18
  getParam
17
19
  }) => {
18
20
  const vpc = getParam(projectAppParams.vpc);
19
- const usingAdvancedVpcParams = vpc && typeof vpc !== "boolean";
20
- return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);
21
+ if (!vpc) {
22
+ // This could be `false` or `undefined`. If `undefined`, down the line,
23
+ // this means "deploy into VPC if dealing with a production environment".
24
+ return vpc;
25
+ }
26
+
27
+ // If using an existing VPC, we ensure Webiny does not deploy its own VPC.
28
+ const usingAdvancedVpcParams = typeof vpc !== "boolean";
29
+ if (usingAdvancedVpcParams && vpc.useExistingVpc) {
30
+ return false;
31
+ }
32
+ return true;
21
33
  },
22
- pulumi(...args) {
23
- const [{
34
+ async pulumi(app) {
35
+ const license = await _wcp.License.fromEnvironment();
36
+ const {
24
37
  getParam
25
- }] = args;
38
+ } = app;
26
39
  const vpc = getParam(projectAppParams.vpc);
27
40
  const usingAdvancedVpcParams = vpc && typeof vpc !== "boolean";
41
+ if (license.canUseFileManagerThreatDetection()) {
42
+ (0, _handleGuardDutyEvents.handleGuardDutyEvents)(app);
43
+ }
28
44
 
29
45
  // Not using advanced VPC params? Then immediately exit.
30
46
  if (!usingAdvancedVpcParams) {
31
- return projectAppParams.pulumi?.(...args);
47
+ return projectAppParams.pulumi?.(app);
32
48
  }
33
- const [{
49
+ const {
34
50
  onResource,
35
51
  addResource
36
- }] = args;
52
+ } = app;
37
53
  const {
38
54
  useExistingVpc
39
55
  } = vpc;
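Review bot: `pulumi` is now `async` and starts with `await _wcp.License.fromEnvironment()`, so every later failure becomes a promise rejection instead of a synchronous throw; that includes the `lambdaFunctionsVpcConfig` error further down in this handler, which continues past the end of the hunk. The caller is not visible in this diff, so it is worth confirming that the base `createApiPulumiApp` awaits the handler's return value; if it does not, resources may be registered late and errors may go unreported. A rejection from `fromEnvironment()` would presumably also abort the deployment for projects that never use threat detection, so the intended failure mode deserves a short comment above the `await`, for example `// A failed license lookup aborts the deploy rather than silently skipping threat detection.` if that is the intent. The `createCorePulumiApp` hunk makes the same `async` change and the same applies there. This hunk also narrows the forwarded arguments from `(...args)` to `(app)` while the core hunk keeps `...args`; using one form in both would keep the two wrappers consistent.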
@@ -63,7 +79,7 @@ function createApiPulumiApp(projectAppParams = {}) {
63
79
  }
64
80
  });
65
81
  }
66
- return projectAppParams.pulumi?.(...args);
82
+ return projectAppParams.pulumi?.(app);
67
83
  }
68
84
  });
69
85
  }
@@ -1 +1 @@
1
- {"version":3,"names":["aws","_interopRequireWildcard","require","_createApiPulumiApp","_pulumi","createApiPulumiApp","projectAppParams","baseCreateApiPulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","Boolean","pulumi","args","onResource","addResource","lambdaFunctionsVpcConfig","Error","resource","isResourceOfType","lambda","Function","canUseVpc","meta","config","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole"],"sources":["createApiPulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport {\n createApiPulumiApp as baseCreateApiPulumiApp,\n CreateApiPulumiAppParams as BaseCreateApiPulumiAppParams\n} from \"~/apps/api/createApiPulumiApp\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\n\nexport type ApiPulumiApp = ReturnType<typeof createApiPulumiApp>;\n\nexport type ApiPulumiAppAdvancedVpcParams = Partial<{\n useExistingVpc: {\n lambdaFunctionsVpcConfig: aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateApiPulumiAppParams extends Omit<BaseCreateApiPulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | ApiPulumiAppAdvancedVpcParams>;\n}\n\nexport function createApiPulumiApp(projectAppParams: CreateApiPulumiAppParams = {}) {\n return baseCreateApiPulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);\n },\n pulumi(...args) {\n const [{ getParam }] = args;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n // Not using advanced VPC params? 
Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(...args);\n }\n\n const [{ onResource, addResource }] = args;\n const { useExistingVpc } = vpc;\n\n // 1. We first deal with \"existing VPC\" setup.\n if (useExistingVpc) {\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n }\n\n return projectAppParams.pulumi?.(...args);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,mBAAA,GAAAD,OAAA;AAIA,IAAAE,OAAA,GAAAF,OAAA;AAcO,SAASG,kBAAkBA,CAACC,gBAA0C,GAAG,CAAC,CAAC,EAAE;EAChF,OAAO,IAAAC,sCAAsB,EAAC;IAC1B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;MAC9D,OAAOE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,GAAG,KAAK,GAAGC,OAAO,CAACJ,GAAG,CAAC;IAC9E,CAAC;IACDK,MAAMA,CAAC,GAAGC,IAAI,EAAE;MACZ,MAAM,CAAC;QAAEL;MAAS,CAAC,CAAC,GAAGK,IAAI;MAC3B,MAAMN,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;;MAE9D;MACA,IAAI,CAACE,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACO,MAAM,GAAG,GAAGC,IAAI,CAAC;MAC7C;MAEA,MAAM,CAAC;QAAEC,UAAU;QAAEC;MAAY,CAAC,CAAC,GAAGF,IAAI;MAC1C,MAAM;QAAEH;MAAe,CAAC,GAAGH,GAAG;;MAE9B;MACA,IAAIG,cAAc,EAAE;QAChB,IAAI,CAACA,cAAc,CAACM,wBAAwB,EAAE;UAC1C,MAAM,IAAIC,KAAK,CACX,6GACJ,CAAC;QACL;QAEAH,UAAU,CAACI,QAAQ,IAAI;UACnB,IAAI,IAAAC,wBAAgB,EAACD,QAAQ,EAAEnB,GAAG,CAACqB,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGJ,QAAQ,CAACK,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXJ,QAAQ,CAACM,MAAM,CAACC,SAAS,CAACf,cAAc,CAAEM,wBAAwB,CAAC;YACvE;UACJ;UAEA,IAAI,IAAAG,wBAAgB,EAACD,QAAQ,EAAEnB,GAAG,CAAC2B,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIT,QAAQ,CAACK,IAAI,CAACK,oBAAoB,EAAE;cACpCb,WAAW,CAAChB,GAAG,CAAC2B,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGZ,QAAQ,CAACY,IAAI,4BAA4B;gBAClDN,MAAM,EAAE;kBACJO,IAAI,EAAEb,QAAQ,CAACc,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAElC,GAAG,CAAC2B,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;MACN;MAEA,OAAO9B,gBAAgB,CAACO,MAAM,GAAG,GAAGC,IAAI,CAAC;IAC7C;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
1
+ {"version":3,"names":["aws","_interopRequireWildcard","require","_pulumi","_wcp","_createApiPulumiApp","_handleGuardDutyEvents","createApiPulumiApp","projectAppParams","baseCreateApiPulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","pulumi","app","license","License","fromEnvironment","canUseFileManagerThreatDetection","handleGuardDutyEvents","onResource","addResource","lambdaFunctionsVpcConfig","Error","resource","isResourceOfType","lambda","Function","canUseVpc","meta","config","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole"],"sources":["createApiPulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\nimport { License } from \"@webiny/wcp\";\nimport {\n createApiPulumiApp as baseCreateApiPulumiApp,\n CreateApiPulumiAppParams as BaseCreateApiPulumiAppParams\n} from \"~/apps/api/createApiPulumiApp\";\nimport { handleGuardDutyEvents } from \"~/enterprise/api/handleGuardDutyEvents\";\n\nexport type ApiPulumiApp = ReturnType<typeof createApiPulumiApp>;\n\nexport type ApiPulumiAppAdvancedVpcParams = Partial<{\n useExistingVpc: {\n lambdaFunctionsVpcConfig: aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateApiPulumiAppParams extends Omit<BaseCreateApiPulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | ApiPulumiAppAdvancedVpcParams>;\n}\n\nexport function createApiPulumiApp(projectAppParams: CreateApiPulumiAppParams = {}) {\n return baseCreateApiPulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n if (!vpc) {\n // This could be `false` or `undefined`. 
If `undefined`, down the line,\n // this means \"deploy into VPC if dealing with a production environment\".\n return vpc;\n }\n\n // If using an existing VPC, we ensure Webiny does not deploy its own VPC.\n const usingAdvancedVpcParams = typeof vpc !== \"boolean\";\n if (usingAdvancedVpcParams && vpc.useExistingVpc) {\n return false;\n }\n\n return true;\n },\n async pulumi(app) {\n const license = await License.fromEnvironment();\n\n const { getParam } = app;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n if (license.canUseFileManagerThreatDetection()) {\n handleGuardDutyEvents(app);\n }\n\n // Not using advanced VPC params? Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(app);\n }\n\n const { onResource, addResource } = app;\n const { useExistingVpc } = vpc;\n\n // 1. We first deal with \"existing VPC\" setup.\n if (useExistingVpc) {\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n }\n\n return projectAppParams.pulumi?.(app);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,OAAA,GAAAD,OAAA;AACA,IAAAE,IAAA,GAAAF,OAAA;AACA,IAAAG,mBAAA,GAAAH,OAAA;AAIA,IAAAI,sBAAA,GAAAJ,OAAA;AAcO,SAASK,kBAAkBA,CAACC,gBAA0C,GAAG,CAAC,CAAC,EAAE;EAChF,OAAO,IAAAC,sCAAsB,EAAC;IAC1B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,IAAI,CAACA,GAAG,EAAE;QACN;QACA;QACA,OAAOA,GAAG;MACd;;MAEA;MACA,MAAME,sBAAsB,GAAG,OAAOF,GAAG,KAAK,SAAS;MACvD,IAAIE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,EAAE;QAC9C,OAAO,KAAK;MAChB;MAEA,OAAO,IAAI;IACf,CAAC;IACD,MAAMC,MAAMA,CAACC,GAAG,EAAE;MACd,MAAMC,OAAO,GAAG,MAAMC,YAAO,CAACC,eAAe,CAAC,CAAC;MAE/C,MAAM;QAAEP;MAAS,CAAC,GAAGI,GAAG;MACxB,MAAML,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;MAE9D,IAAIM,OAAO,CAACG,gCAAgC,CAAC,CAAC,EAAE;QAC5C,IAAAC,4CAAqB,EAACL,GAAG,CAAC;MAC9B;;MAEA;MACA,IAAI,CAACH,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACM,MAAM,GAAGC,GAAG,CAAC;MACzC;MAEA,MAAM;QAAEM,UAAU;QAAEC;MAAY,CAAC,GAAGP,GAAG;MACvC,MAAM;QAAEF;MAAe,CAAC,GAAGH,GAAG;;MAE9B;MACA,IAAIG,cAAc,EAAE;QAChB,IAAI,CAACA,cAAc,CAACU,wBAAwB,EAAE;UAC1C,MAAM,IAAIC,KAAK,CACX,6GACJ,CAAC;QACL;QAEAH,UAAU,CAACI,QAAQ,IAAI;UACnB,IAAI,IAAAC,wBAAgB,EAACD,QAAQ,EAAEzB,GAAG,CAAC2B,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGJ,QAAQ,CAACK,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXJ,QAAQ,CAACM,MAAM,CAACC,SAAS,CAACnB,cAAc,CAAEU,wBAAwB,CAAC;YACvE;UACJ;UAEA,IAAI,IAAAG,wBAAgB,EAACD,QAAQ,EAAEzB,GAAG,CAACiC,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIT,QAAQ,CAACK,IAAI,CAACK,oBAAoB,EAAE;cACpCb,WAAW,CAACtB,GAAG,CAACiC,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGZ,QAAQ,CAACY,IAAI,4BAA4B;gBAClDN,MAAM,EAAE;kBACJO,IAAI,EAAEb,QAAQ,CAACc,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAExC,GAAG,CAACiC,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;MACN;MAEA,OAAOlC,gBAAgB,CAACM,MAAM,GAAGC,GAAG,CAAC;IACzC;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
@@ -10,6 +10,8 @@ var pulumi = _interopRequireWildcard(require("@pulumi/pulumi"));
10
10
  var _createCorePulumiApp = require("../apps/core/createCorePulumiApp");
11
11
  var _pulumi2 = require("@webiny/pulumi");
12
12
  var _awsUtils = require("../apps/awsUtils");
13
+ var _configureS3BucketMalwareProtection = require("./core/configureS3BucketMalwareProtection");
14
+ var _wcp = require("@webiny/wcp");
13
15
  function createCorePulumiApp(projectAppParams = {}) {
14
16
  return (0, _createCorePulumiApp.createCorePulumiApp)({
15
17
  ...projectAppParams,
@@ -18,16 +20,30 @@ function createCorePulumiApp(projectAppParams = {}) {
18
20
  getParam
19
21
  }) => {
20
22
  const vpc = getParam(projectAppParams.vpc);
21
- const usingAdvancedVpcParams = vpc && typeof vpc !== "boolean";
22
- return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);
23
+ if (!vpc) {
24
+ // This could be `false` or `undefined`. If `undefined`, down the line,
25
+ // this means "deploy into VPC if dealing with a production environment".
26
+ return vpc;
27
+ }
28
+
29
+ // If using an existing VPC, we ensure Webiny does not deploy its own VPC.
30
+ const usingAdvancedVpcParams = typeof vpc !== "boolean";
31
+ if (usingAdvancedVpcParams && vpc.useExistingVpc) {
32
+ return false;
33
+ }
34
+ return true;
23
35
  },
24
- pulumi(...args) {
36
+ async pulumi(...args) {
25
37
  const [app] = args;
26
38
  const {
27
39
  getParam
28
40
  } = app;
29
41
  const vpc = getParam(projectAppParams.vpc);
30
42
  const usingAdvancedVpcParams = vpc && typeof vpc !== "boolean";
43
+ const license = await _wcp.License.fromEnvironment();
44
+ if (license.canUseFileManagerThreatDetection()) {
45
+ (0, _configureS3BucketMalwareProtection.configureS3BucketMalwareProtection)(app);
46
+ }
31
47
 
32
48
  // Not using advanced VPC params? Then immediately exit.
33
49
  if (!usingAdvancedVpcParams) {
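Review bot: When `license.canUseFileManagerThreatDetection()` returns false, the call to `configureS3BucketMalwareProtection(app)` is skipped with no output, so a deployer cannot tell from the run whether the file-manager bucket received a GuardDuty malware protection plan. An `else` branch with one informational message would make the missing control visible, for example `pulumi.log.info("File Manager threat detection is not available for this license; S3 malware protection was not deployed.");`. The equivalent gate around `handleGuardDutyEvents` in the `createApiPulumiApp` hunk would benefit from a matching message. The `pulumi` handler continues past the end of this hunk.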
@@ -1 +1 @@
1
- {"version":3,"names":["aws","_interopRequireWildcard","require","pulumi","_createCorePulumiApp","_pulumi2","_awsUtils","createCorePulumiApp","projectAppParams","baseCreateCorePulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","Boolean","args","app","resources","addResource","onResource","useVpcEndpoints","Error","elasticSearch","elasticSearchDomainVpcConfig","resource","isResourceOfType","elasticsearch","Domain","config","vpcOptions","lambdaFunctionsVpcConfig","lambda","Function","canUseVpc","meta","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","region","getAwsRegion","ec2","Vpc","enableDnsSupport","enableDnsHostnames","subnets","routeTables","VpcEndpoint","vpcId","id","serviceName","interpolate","routeTableIds","privateSubnets","vpcEndpointType","privateDnsEnabled","securityGroupIds","defaultSecurityGroupId","subnetIds","private","map","subNet"],"sources":["createCorePulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport {\n createCorePulumiApp as baseCreateCorePulumiApp,\n CreateCorePulumiAppParams as BaseCreateCorePulumiAppParams\n} from \"~/apps/core/createCorePulumiApp\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\nimport { getAwsRegion } from \"~/apps/awsUtils\";\n\nexport type CorePulumiApp = ReturnType<typeof createCorePulumiApp>;\n\nexport type CorePulumiAppAdvancedVpcParams = Partial<{\n useVpcEndpoints: boolean;\n useExistingVpc: {\n elasticSearchDomainVpcConfig?: aws.types.input.elasticsearch.DomainVpcOptions;\n lambdaFunctionsVpcConfig: aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateCorePulumiAppParams extends Omit<BaseCreateCorePulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | CorePulumiAppAdvancedVpcParams>;\n}\n\nexport function createCorePulumiApp(projectAppParams: 
CreateCorePulumiAppParams = {}) {\n return baseCreateCorePulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);\n },\n pulumi(...args) {\n const [app] = args;\n const { getParam } = app;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n // Not using advanced VPC params? Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(...args);\n }\n\n const [{ resources, addResource, onResource }] = args;\n const { useExistingVpc, useVpcEndpoints } = vpc;\n\n // 1. We first deal with \"existing VPC\" setup.\n if (useExistingVpc) {\n if (\"useVpcEndpoints\" in vpc) {\n throw new Error(\n \"Cannot specify `useVpcEndpoints` parameter when using an existing VPC. 
The VPC endpoints configurations should be already defined within the existing VPC.\"\n );\n }\n\n if (projectAppParams.elasticSearch) {\n if (!useExistingVpc.elasticSearchDomainVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `elasticSearchDomainVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.elasticsearch.Domain)) {\n resource.config.vpcOptions(\n useExistingVpc!.elasticSearchDomainVpcConfig\n );\n }\n });\n }\n\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n\n return projectAppParams.pulumi?.(...args);\n }\n\n // 2. 
Now we deal with \"non-existing VPC\" setup.\n if (useVpcEndpoints) {\n const region = getAwsRegion(app);\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.ec2.Vpc)) {\n resource.config.enableDnsSupport(true);\n resource.config.enableDnsHostnames(true);\n }\n });\n\n const { vpc, subnets, routeTables } = resources.vpc!;\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-s3-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.s3`,\n routeTableIds: [routeTables.privateSubnets.output.id]\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-dynamodb-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.dynamodb`,\n routeTableIds: [routeTables.privateSubnets.output.id]\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-sqs-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.sqs`,\n vpcEndpointType: \"Interface\",\n privateDnsEnabled: true,\n securityGroupIds: [vpc.output.defaultSecurityGroupId],\n subnetIds: subnets.private.map(subNet => subNet.output.id)\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-events-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.events`,\n vpcEndpointType: \"Interface\",\n privateDnsEnabled: true,\n securityGroupIds: [vpc.output.defaultSecurityGroupId],\n subnetIds: subnets.private.map(subNet => subNet.output.id)\n }\n });\n }\n\n return projectAppParams.pulumi?.(...args);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AACA,IAAAE,oBAAA,GAAAF,OAAA;AAIA,IAAAG,QAAA,GAAAH,OAAA;AACA,IAAAI,SAAA,GAAAJ,OAAA;AAgBO,SAASK,mBAAmBA,CAACC,gBAA2C,GAAG,CAAC,CAAC,EAAE;EAClF,OAAO,IAAAC,wCAAuB,EAAC;IAC3B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;MAC9D,OAAOE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,GAAG,KAAK,GAAGC,OAAO,CAACJ,GAAG,CAAC;IAC9E,CAAC;IACDP,MAAMA,CAAC,GAAGY,IAAI,EAAE;MACZ,MAAM,CAACC,GAAG,CAAC,GAAGD,IAAI;MAClB,MAAM;QAAEJ;MAAS,CAAC,GAAGK,GAAG;MACxB,MAAMN,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;;MAE9D;MACA,IAAI,CAACE,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACL,MAAM,GAAG,GAAGY,IAAI,CAAC;MAC7C;MAEA,MAAM,CAAC;QAAEE,SAAS;QAAEC,WAAW;QAAEC;MAAW,CAAC,CAAC,GAAGJ,IAAI;MACrD,MAAM;QAAEF,cAAc;QAAEO;MAAgB,CAAC,GAAGV,GAAG;;MAE/C;MACA,IAAIG,cAAc,EAAE;QAChB,IAAI,iBAAiB,IAAIH,GAAG,EAAE;UAC1B,MAAM,IAAIW,KAAK,CACX,4JACJ,CAAC;QACL;QAEA,IAAIb,gBAAgB,CAACc,aAAa,EAAE;UAChC,IAAI,CAACT,cAAc,CAACU,4BAA4B,EAAE;YAC9C,MAAM,IAAIF,KAAK,CACX,iHACJ,CAAC;UACL;UAEAF,UAAU,CAACK,QAAQ,IAAI;YACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAExB,GAAG,CAAC0B,aAAa,CAACC,MAAM,CAAC,EAAE;cACtDH,QAAQ,CAACI,MAAM,CAACC,UAAU,CACtBhB,cAAc,CAAEU,4BACpB,CAAC;YACL;UACJ,CAAC,CAAC;QACN;QAEA,IAAI,CAACV,cAAc,CAACiB,wBAAwB,EAAE;UAC1C,MAAM,IAAIT,KAAK,CACX,6GACJ,CAAC;QACL;QAEAF,UAAU,CAACK,QAAQ,IAAI;UACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAExB,GAAG,CAAC+B,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGT,QAAQ,CAACU,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXT,QAAQ,CAACI,MAAM,CAACO,SAAS,CAACtB,cAAc,CAAEiB,wBAAwB,CAAC;YACvE;UACJ;UAEA,IAAI,IAAAL,yBAAgB,EAACD,QAAQ,EAAExB,GAAG,CAACoC,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIb,QAAQ,CAACU,IAAI,CAACI,oBAAoB,EAAE;cACpCpB,WAAW,CAAClB,GAAG,CAACoC,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGhB,QAAQ,CAACgB,IAAI,4BAA4B;gBAClDZ,MAAM,EAAE;kBACJa,IAAI,E
AAEjB,QAAQ,CAACkB,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAE3C,GAAG,CAACoC,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;QAEF,OAAOrC,gBAAgB,CAACL,MAAM,GAAG,GAAGY,IAAI,CAAC;MAC7C;;MAEA;MACA,IAAIK,eAAe,EAAE;QACjB,MAAM0B,MAAM,GAAG,IAAAC,sBAAY,EAAC/B,GAAG,CAAC;QAEhCG,UAAU,CAACK,QAAQ,IAAI;UACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAExB,GAAG,CAACgD,GAAG,CAACC,GAAG,CAAC,EAAE;YACzCzB,QAAQ,CAACI,MAAM,CAACsB,gBAAgB,CAAC,IAAI,CAAC;YACtC1B,QAAQ,CAACI,MAAM,CAACuB,kBAAkB,CAAC,IAAI,CAAC;UAC5C;QACJ,CAAC,CAAC;QAEF,MAAM;UAAEzC,GAAG;UAAE0C,OAAO;UAAEC;QAAY,CAAC,GAAGpC,SAAS,CAACP,GAAI;QACpDQ,WAAW,CAAClB,GAAG,CAACgD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,qBAAqB;UAC3BZ,MAAM,EAAE;YACJ2B,KAAK,EAAE7C,GAAG,CAACgC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAEtD,MAAM,CAACuD,WAAW,iBAAiBZ,MAAM,KAAK;YAC3Da,aAAa,EAAE,CAACN,WAAW,CAACO,cAAc,CAAClB,MAAM,CAACc,EAAE;UACxD;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAAClB,GAAG,CAACgD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,2BAA2B;UACjCZ,MAAM,EAAE;YACJ2B,KAAK,EAAE7C,GAAG,CAACgC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAEtD,MAAM,CAACuD,WAAW,iBAAiBZ,MAAM,WAAW;YACjEa,aAAa,EAAE,CAACN,WAAW,CAACO,cAAc,CAAClB,MAAM,CAACc,EAAE;UACxD;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAAClB,GAAG,CAACgD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,sBAAsB;UAC5BZ,MAAM,EAAE;YACJ2B,KAAK,EAAE7C,GAAG,CAACgC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAEtD,MAAM,CAACuD,WAAW,iBAAiBZ,MAAM,MAAM;YAC5De,eAAe,EAAE,WAAW;YAC5BC,iBAAiB,EAAE,IAAI;YACvBC,gBAAgB,EAAE,CAACrD,GAAG,CAACgC,MAAM,CAACsB,sBAAsB,CAAC;YACrDC,SAAS,EAAEb,OAAO,CAACc,OAAO,CAACC,GAAG,CAACC,MAAM,IAAIA,MAAM,CAAC1B,MAAM,CAACc,EAAE;UAC7D;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAAClB,GAAG,CAACgD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,yBAAyB;UAC/BZ,MAAM,EAAE;YACJ2B,KAAK,EAAE7C,GAAG,CAACgC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAEtD,MAAM,CAACuD,WAAW,iBAAiBZ,MAAM,SAAS;YAC/De,eAAe,EAAE,WAAW;YAC5BC,iBAAiB,EAAE,IAAI;YACvBC,gBAAgB,EAAE,CAACrD,GAAG,CAACgC,MAAM,CAACsB,sBAAsB,CAAC;YACrDC,SAAS,EAAEb,OAAO,CAACc,OAAO,CAACC,GAAG,CAACC,MAAM,IAAIA,MAAM,CAAC1B,MAAM,CAACc,EAAE;UAC7D;QACJ,CAAC,CAAC;MACN;MAEA,OAAOhD,gBAAgB,CAACL,MAAM,GAAG,G
AAGY,IAAI,CAAC;IAC7C;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
1
+ {"version":3,"names":["aws","_interopRequireWildcard","require","pulumi","_createCorePulumiApp","_pulumi2","_awsUtils","_configureS3BucketMalwareProtection","_wcp","createCorePulumiApp","projectAppParams","baseCreateCorePulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","args","app","license","License","fromEnvironment","canUseFileManagerThreatDetection","configureS3BucketMalwareProtection","resources","addResource","onResource","useVpcEndpoints","Error","elasticSearch","elasticSearchDomainVpcConfig","resource","isResourceOfType","elasticsearch","Domain","config","vpcOptions","lambdaFunctionsVpcConfig","lambda","Function","canUseVpc","meta","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole","region","getAwsRegion","ec2","Vpc","enableDnsSupport","enableDnsHostnames","subnets","routeTables","VpcEndpoint","vpcId","id","serviceName","interpolate","routeTableIds","privateSubnets","vpcEndpointType","privateDnsEnabled","securityGroupIds","defaultSecurityGroupId","subnetIds","private","map","subNet"],"sources":["createCorePulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport * as pulumi from \"@pulumi/pulumi\";\nimport {\n createCorePulumiApp as baseCreateCorePulumiApp,\n CreateCorePulumiAppParams as BaseCreateCorePulumiAppParams\n} from \"~/apps/core/createCorePulumiApp\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\nimport { getAwsRegion } from \"~/apps/awsUtils\";\nimport { configureS3BucketMalwareProtection } from \"~/enterprise/core/configureS3BucketMalwareProtection\";\nimport { License } from \"@webiny/wcp\";\n\nexport type CorePulumiApp = ReturnType<typeof createCorePulumiApp>;\n\nexport type CorePulumiAppAdvancedVpcParams = Partial<{\n useVpcEndpoints: boolean;\n useExistingVpc: {\n elasticSearchDomainVpcConfig?: aws.types.input.elasticsearch.DomainVpcOptions;\n lambdaFunctionsVpcConfig: 
aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateCorePulumiAppParams extends Omit<BaseCreateCorePulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | CorePulumiAppAdvancedVpcParams>;\n}\n\nexport function createCorePulumiApp(projectAppParams: CreateCorePulumiAppParams = {}) {\n return baseCreateCorePulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n if (!vpc) {\n // This could be `false` or `undefined`. If `undefined`, down the line,\n // this means \"deploy into VPC if dealing with a production environment\".\n return vpc;\n }\n\n // If using an existing VPC, we ensure Webiny does not deploy its own VPC.\n const usingAdvancedVpcParams = typeof vpc !== \"boolean\";\n if (usingAdvancedVpcParams && vpc.useExistingVpc) {\n return false;\n }\n\n return true;\n },\n async pulumi(...args) {\n const [app] = args;\n const { getParam } = app;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n const license = await License.fromEnvironment();\n\n if (license.canUseFileManagerThreatDetection()) {\n configureS3BucketMalwareProtection(app);\n }\n\n // Not using advanced VPC params? Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(...args);\n }\n\n const [{ resources, addResource, onResource }] = args;\n const { useExistingVpc, useVpcEndpoints } = vpc;\n\n // 1. We first deal with \"existing VPC\" setup.\n if (useExistingVpc) {\n if (\"useVpcEndpoints\" in vpc) {\n throw new Error(\n \"Cannot specify `useVpcEndpoints` parameter when using an existing VPC. 
The VPC endpoints configurations should be already defined within the existing VPC.\"\n );\n }\n\n if (projectAppParams.elasticSearch) {\n if (!useExistingVpc.elasticSearchDomainVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `elasticSearchDomainVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.elasticsearch.Domain)) {\n resource.config.vpcOptions(\n useExistingVpc!.elasticSearchDomainVpcConfig\n );\n }\n });\n }\n\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n\n return projectAppParams.pulumi?.(...args);\n }\n\n // 2. 
Now we deal with \"non-existing VPC\" setup.\n if (useVpcEndpoints) {\n const region = getAwsRegion(app);\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.ec2.Vpc)) {\n resource.config.enableDnsSupport(true);\n resource.config.enableDnsHostnames(true);\n }\n });\n\n const { vpc, subnets, routeTables } = resources.vpc!;\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-s3-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.s3`,\n routeTableIds: [routeTables.privateSubnets.output.id]\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-dynamodb-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.dynamodb`,\n routeTableIds: [routeTables.privateSubnets.output.id]\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-sqs-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.sqs`,\n vpcEndpointType: \"Interface\",\n privateDnsEnabled: true,\n securityGroupIds: [vpc.output.defaultSecurityGroupId],\n subnetIds: subnets.private.map(subNet => subNet.output.id)\n }\n });\n\n addResource(aws.ec2.VpcEndpoint, {\n name: \"vpc-events-vpc-endpoint\",\n config: {\n vpcId: vpc.output.id,\n serviceName: pulumi.interpolate`com.amazonaws.${region}.events`,\n vpcEndpointType: \"Interface\",\n privateDnsEnabled: true,\n securityGroupIds: [vpc.output.defaultSecurityGroupId],\n subnetIds: subnets.private.map(subNet => subNet.output.id)\n }\n });\n }\n\n return projectAppParams.pulumi?.(...args);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AACA,IAAAE,oBAAA,GAAAF,OAAA;AAIA,IAAAG,QAAA,GAAAH,OAAA;AACA,IAAAI,SAAA,GAAAJ,OAAA;AACA,IAAAK,mCAAA,GAAAL,OAAA;AACA,IAAAM,IAAA,GAAAN,OAAA;AAgBO,SAASO,mBAAmBA,CAACC,gBAA2C,GAAG,CAAC,CAAC,EAAE;EAClF,OAAO,IAAAC,wCAAuB,EAAC;IAC3B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,IAAI,CAACA,GAAG,EAAE;QACN;QACA;QACA,OAAOA,GAAG;MACd;;MAEA;MACA,MAAME,sBAAsB,GAAG,OAAOF,GAAG,KAAK,SAAS;MACvD,IAAIE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,EAAE;QAC9C,OAAO,KAAK;MAChB;MAEA,OAAO,IAAI;IACf,CAAC;IACD,MAAMZ,MAAMA,CAAC,GAAGa,IAAI,EAAE;MAClB,MAAM,CAACC,GAAG,CAAC,GAAGD,IAAI;MAClB,MAAM;QAAEH;MAAS,CAAC,GAAGI,GAAG;MACxB,MAAML,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;MAE9D,MAAMM,OAAO,GAAG,MAAMC,YAAO,CAACC,eAAe,CAAC,CAAC;MAE/C,IAAIF,OAAO,CAACG,gCAAgC,CAAC,CAAC,EAAE;QAC5C,IAAAC,sEAAkC,EAACL,GAAG,CAAC;MAC3C;;MAEA;MACA,IAAI,CAACH,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACP,MAAM,GAAG,GAAGa,IAAI,CAAC;MAC7C;MAEA,MAAM,CAAC;QAAEO,SAAS;QAAEC,WAAW;QAAEC;MAAW,CAAC,CAAC,GAAGT,IAAI;MACrD,MAAM;QAAED,cAAc;QAAEW;MAAgB,CAAC,GAAGd,GAAG;;MAE/C;MACA,IAAIG,cAAc,EAAE;QAChB,IAAI,iBAAiB,IAAIH,GAAG,EAAE;UAC1B,MAAM,IAAIe,KAAK,CACX,4JACJ,CAAC;QACL;QAEA,IAAIjB,gBAAgB,CAACkB,aAAa,EAAE;UAChC,IAAI,CAACb,cAAc,CAACc,4BAA4B,EAAE;YAC9C,MAAM,IAAIF,KAAK,CACX,iHACJ,CAAC;UACL;UAEAF,UAAU,CAACK,QAAQ,IAAI;YACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAE9B,GAAG,CAACgC,aAAa,CAACC,MAAM,CAAC,EAAE;cACtDH,QAAQ,CAACI,MAAM,CAACC,UAAU,CACtBpB,cAAc,CAAEc,4BACpB,CAAC;YACL;UACJ,CAAC,CAAC;QACN;QAEA,IAAI,CAACd,cAAc,CAACqB,wBAAwB,EAAE;UAC1C,MAAM,IAAIT,KAAK,CACX,6GACJ,CAAC;QACL;QAEAF,UAAU,CAACK,QAAQ,IAAI;UACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAE9B,GAAG,CAACqC,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGT,QAAQ,CAACU,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXT,QAAQ,CAACI,MAAM,CAACO,SAAS,CAAC1B,cAAc,CAAEqB,wBAAwB,CAAC;YACvE;UACJ;UA
EA,IAAI,IAAAL,yBAAgB,EAACD,QAAQ,EAAE9B,GAAG,CAAC0C,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIb,QAAQ,CAACU,IAAI,CAACI,oBAAoB,EAAE;cACpCpB,WAAW,CAACxB,GAAG,CAAC0C,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGhB,QAAQ,CAACgB,IAAI,4BAA4B;gBAClDZ,MAAM,EAAE;kBACJa,IAAI,EAAEjB,QAAQ,CAACkB,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAEjD,GAAG,CAAC0C,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;QAEF,OAAOzC,gBAAgB,CAACP,MAAM,GAAG,GAAGa,IAAI,CAAC;MAC7C;;MAEA;MACA,IAAIU,eAAe,EAAE;QACjB,MAAM0B,MAAM,GAAG,IAAAC,sBAAY,EAACpC,GAAG,CAAC;QAEhCQ,UAAU,CAACK,QAAQ,IAAI;UACnB,IAAI,IAAAC,yBAAgB,EAACD,QAAQ,EAAE9B,GAAG,CAACsD,GAAG,CAACC,GAAG,CAAC,EAAE;YACzCzB,QAAQ,CAACI,MAAM,CAACsB,gBAAgB,CAAC,IAAI,CAAC;YACtC1B,QAAQ,CAACI,MAAM,CAACuB,kBAAkB,CAAC,IAAI,CAAC;UAC5C;QACJ,CAAC,CAAC;QAEF,MAAM;UAAE7C,GAAG;UAAE8C,OAAO;UAAEC;QAAY,CAAC,GAAGpC,SAAS,CAACX,GAAI;QACpDY,WAAW,CAACxB,GAAG,CAACsD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,qBAAqB;UAC3BZ,MAAM,EAAE;YACJ2B,KAAK,EAAEjD,GAAG,CAACoC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAE5D,MAAM,CAAC6D,WAAW,iBAAiBZ,MAAM,KAAK;YAC3Da,aAAa,EAAE,CAACN,WAAW,CAACO,cAAc,CAAClB,MAAM,CAACc,EAAE;UACxD;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAACxB,GAAG,CAACsD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,2BAA2B;UACjCZ,MAAM,EAAE;YACJ2B,KAAK,EAAEjD,GAAG,CAACoC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAE5D,MAAM,CAAC6D,WAAW,iBAAiBZ,MAAM,WAAW;YACjEa,aAAa,EAAE,CAACN,WAAW,CAACO,cAAc,CAAClB,MAAM,CAACc,EAAE;UACxD;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAACxB,GAAG,CAACsD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,sBAAsB;UAC5BZ,MAAM,EAAE;YACJ2B,KAAK,EAAEjD,GAAG,CAACoC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAE5D,MAAM,CAAC6D,WAAW,iBAAiBZ,MAAM,MAAM;YAC5De,eAAe,EAAE,WAAW;YAC5BC,iBAAiB,EAAE,IAAI;YACvBC,gBAAgB,EAAE,CAACzD,GAAG,CAACoC,MAAM,CAACsB,sBAAsB,CAAC;YACrDC,SAAS,EAAEb,OAAO,CAACc,OAAO,CAACC,GAAG,CAACC,MAAM,IAAIA,MAAM,CAAC1B,MAAM,CAACc,EAAE;UAC7D;QACJ,CAAC,CAAC;QAEFtC,WAAW,CAACxB,GAAG,CAACsD,GAAG,CAACM,WAAW,EAAE;UAC7Bd,IAAI,EAAE,yBAAyB;UAC/BZ,MAAM,EAAE;YACJ2B,KAAK,EAAEjD,GAAG,CAACoC,MAAM,CAACc,EAAE;YACpBC,WAAW,EAAE5D,MAAM,CAAC6D,WAAW,iBAAiBZ,MAAM,SAAS;YA
C/De,eAAe,EAAE,WAAW;YAC5BC,iBAAiB,EAAE,IAAI;YACvBC,gBAAgB,EAAE,CAACzD,GAAG,CAACoC,MAAM,CAACsB,sBAAsB,CAAC;YACrDC,SAAS,EAAEb,OAAO,CAACc,OAAO,CAACC,GAAG,CAACC,MAAM,IAAIA,MAAM,CAAC1B,MAAM,CAACc,EAAE;UAC7D;QACJ,CAAC,CAAC;MACN;MAEA,OAAOpD,gBAAgB,CAACP,MAAM,GAAG,GAAGa,IAAI,CAAC;IAC7C;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
@@ -16,8 +16,18 @@ function createWebsitePulumiApp(projectAppParams = {}) {
16
16
  getParam
17
17
  }) => {
18
18
  const vpc = getParam(projectAppParams.vpc);
19
- const usingAdvancedVpcParams = vpc && typeof vpc !== "boolean";
20
- return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);
19
+ if (!vpc) {
20
+ // This could be `false` or `undefined`. If `undefined`, down the line,
21
+ // this means "deploy into VPC if dealing with a production environment".
22
+ return vpc;
23
+ }
24
+
25
+ // If using an existing VPC, we ensure Webiny does not deploy its own VPC.
26
+ const usingAdvancedVpcParams = typeof vpc !== "boolean";
27
+ if (usingAdvancedVpcParams && vpc.useExistingVpc) {
28
+ return false;
29
+ }
30
+ return true;
21
31
  },
22
32
  pulumi(...args) {
23
33
  const [{
@@ -1 +1 @@
1
- {"version":3,"names":["aws","_interopRequireWildcard","require","_createWebsitePulumiApp","_pulumi","createWebsitePulumiApp","projectAppParams","baseCreateWebsitePulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","Boolean","pulumi","args","onResource","addResource","lambdaFunctionsVpcConfig","Error","resource","isResourceOfType","lambda","Function","canUseVpc","meta","config","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole"],"sources":["createWebsitePulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport {\n createWebsitePulumiApp as baseCreateWebsitePulumiApp,\n CreateWebsitePulumiAppParams as BaseCreateWebsitePulumiAppParams\n} from \"~/apps/website/createWebsitePulumiApp\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\n\nexport type WebsitePulumiApp = ReturnType<typeof createWebsitePulumiApp>;\n\nexport type WebsitePulumiAppAdvancedVpcParams = Partial<{\n useExistingVpc: {\n lambdaFunctionsVpcConfig: aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateWebsitePulumiAppParams\n extends Omit<BaseCreateWebsitePulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | WebsitePulumiAppAdvancedVpcParams>;\n}\n\nexport function createWebsitePulumiApp(projectAppParams: CreateWebsitePulumiAppParams = {}) {\n return baseCreateWebsitePulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n return usingAdvancedVpcParams && vpc.useExistingVpc ? false : Boolean(vpc);\n },\n pulumi(...args) {\n const [{ getParam }] = args;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n // Not using advanced VPC params? 
Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(...args);\n }\n\n const [{ onResource, addResource }] = args;\n const { useExistingVpc } = vpc;\n\n if (useExistingVpc) {\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n }\n\n return projectAppParams.pulumi?.(...args);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,uBAAA,GAAAD,OAAA;AAIA,IAAAE,OAAA,GAAAF,OAAA;AAeO,SAASG,sBAAsBA,CAACC,gBAA8C,GAAG,CAAC,CAAC,EAAE;EACxF,OAAO,IAAAC,8CAA0B,EAAC;IAC9B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;MAC9D,OAAOE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,GAAG,KAAK,GAAGC,OAAO,CAACJ,GAAG,CAAC;IAC9E,CAAC;IACDK,MAAMA,CAAC,GAAGC,IAAI,EAAE;MACZ,MAAM,CAAC;QAAEL;MAAS,CAAC,CAAC,GAAGK,IAAI;MAC3B,MAAMN,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;;MAE9D;MACA,IAAI,CAACE,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACO,MAAM,GAAG,GAAGC,IAAI,CAAC;MAC7C;MAEA,MAAM,CAAC;QAAEC,UAAU;QAAEC;MAAY,CAAC,CAAC,GAAGF,IAAI;MAC1C,MAAM;QAAEH;MAAe,CAAC,GAAGH,GAAG;MAE9B,IAAIG,cAAc,EAAE;QAChB,IAAI,CAACA,cAAc,CAACM,wBAAwB,EAAE;UAC1C,MAAM,IAAIC,KAAK,CACX,6GACJ,CAAC;QACL;QAEAH,UAAU,CAACI,QAAQ,IAAI;UACnB,IAAI,IAAAC,wBAAgB,EAACD,QAAQ,EAAEnB,GAAG,CAACqB,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGJ,QAAQ,CAACK,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXJ,QAAQ,CAACM,MAAM,CAACC,SAAS,CAACf,cAAc,CAAEM,wBAAwB,CAAC;YACvE;UACJ;UAEA,IAAI,IAAAG,wBAAgB,EAACD,QAAQ,EAAEnB,GAAG,CAAC2B,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIT,QAAQ,CAACK,IAAI,CAACK,oBAAoB,EAAE;cACpCb,WAAW,CAAChB,GAAG,CAAC2B,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGZ,QAAQ,CAACY,IAAI,4BAA4B;gBAClDN,MAAM,EAAE;kBACJO,IAAI,EAAEb,QAAQ,CAACc,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAElC,GAAG,CAAC2B,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;MACN;MAEA,OAAO9B,gBAAgB,CAACO,MAAM,GAAG,GAAGC,IAAI,CAAC;IAC7C;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
1
+ {"version":3,"names":["aws","_interopRequireWildcard","require","_createWebsitePulumiApp","_pulumi","createWebsitePulumiApp","projectAppParams","baseCreateWebsitePulumiApp","vpc","getParam","usingAdvancedVpcParams","useExistingVpc","pulumi","args","onResource","addResource","lambdaFunctionsVpcConfig","Error","resource","isResourceOfType","lambda","Function","canUseVpc","meta","config","vpcConfig","iam","Role","isLambdaFunctionRole","RolePolicyAttachment","name","role","output","policyArn","ManagedPolicy","AWSLambdaVPCAccessExecutionRole"],"sources":["createWebsitePulumiApp.ts"],"sourcesContent":["import * as aws from \"@pulumi/aws\";\nimport {\n createWebsitePulumiApp as baseCreateWebsitePulumiApp,\n CreateWebsitePulumiAppParams as BaseCreateWebsitePulumiAppParams\n} from \"~/apps/website/createWebsitePulumiApp\";\nimport { isResourceOfType, PulumiAppParam } from \"@webiny/pulumi\";\n\nexport type WebsitePulumiApp = ReturnType<typeof createWebsitePulumiApp>;\n\nexport type WebsitePulumiAppAdvancedVpcParams = Partial<{\n useExistingVpc: {\n lambdaFunctionsVpcConfig: aws.types.input.lambda.FunctionVpcConfig;\n };\n}>;\n\nexport interface CreateWebsitePulumiAppParams\n extends Omit<BaseCreateWebsitePulumiAppParams, \"vpc\"> {\n vpc?: PulumiAppParam<boolean | WebsitePulumiAppAdvancedVpcParams>;\n}\n\nexport function createWebsitePulumiApp(projectAppParams: CreateWebsitePulumiAppParams = {}) {\n return baseCreateWebsitePulumiApp({\n ...projectAppParams,\n // If using existing VPC, we ensure `vpc` param is set to `false`.\n vpc: ({ getParam }) => {\n const vpc = getParam(projectAppParams.vpc);\n if (!vpc) {\n // This could be `false` or `undefined`. 
If `undefined`, down the line,\n // this means \"deploy into VPC if dealing with a production environment\".\n return vpc;\n }\n\n // If using an existing VPC, we ensure Webiny does not deploy its own VPC.\n const usingAdvancedVpcParams = typeof vpc !== \"boolean\";\n if (usingAdvancedVpcParams && vpc.useExistingVpc) {\n return false;\n }\n\n return true;\n },\n pulumi(...args) {\n const [{ getParam }] = args;\n const vpc = getParam(projectAppParams.vpc);\n const usingAdvancedVpcParams = vpc && typeof vpc !== \"boolean\";\n\n // Not using advanced VPC params? Then immediately exit.\n if (!usingAdvancedVpcParams) {\n return projectAppParams.pulumi?.(...args);\n }\n\n const [{ onResource, addResource }] = args;\n const { useExistingVpc } = vpc;\n\n if (useExistingVpc) {\n if (!useExistingVpc.lambdaFunctionsVpcConfig) {\n throw new Error(\n \"Cannot specify `useExistingVpc` parameter because the `lambdaFunctionsVpcConfig` parameter wasn't provided.\"\n );\n }\n\n onResource(resource => {\n if (isResourceOfType(resource, aws.lambda.Function)) {\n const canUseVpc = resource.meta.canUseVpc !== false;\n if (canUseVpc) {\n resource.config.vpcConfig(useExistingVpc!.lambdaFunctionsVpcConfig);\n }\n }\n\n if (isResourceOfType(resource, aws.iam.Role)) {\n if (resource.meta.isLambdaFunctionRole) {\n addResource(aws.iam.RolePolicyAttachment, {\n name: `${resource.name}-vpc-access-execution-role`,\n config: {\n role: resource.output.name,\n policyArn: aws.iam.ManagedPolicy.AWSLambdaVPCAccessExecutionRole\n }\n });\n }\n }\n });\n }\n\n return projectAppParams.pulumi?.(...args);\n }\n 
});\n}\n"],"mappings":";;;;;;;AAAA,IAAAA,GAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,uBAAA,GAAAD,OAAA;AAIA,IAAAE,OAAA,GAAAF,OAAA;AAeO,SAASG,sBAAsBA,CAACC,gBAA8C,GAAG,CAAC,CAAC,EAAE;EACxF,OAAO,IAAAC,8CAA0B,EAAC;IAC9B,GAAGD,gBAAgB;IACnB;IACAE,GAAG,EAAEA,CAAC;MAAEC;IAAS,CAAC,KAAK;MACnB,MAAMD,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,IAAI,CAACA,GAAG,EAAE;QACN;QACA;QACA,OAAOA,GAAG;MACd;;MAEA;MACA,MAAME,sBAAsB,GAAG,OAAOF,GAAG,KAAK,SAAS;MACvD,IAAIE,sBAAsB,IAAIF,GAAG,CAACG,cAAc,EAAE;QAC9C,OAAO,KAAK;MAChB;MAEA,OAAO,IAAI;IACf,CAAC;IACDC,MAAMA,CAAC,GAAGC,IAAI,EAAE;MACZ,MAAM,CAAC;QAAEJ;MAAS,CAAC,CAAC,GAAGI,IAAI;MAC3B,MAAML,GAAG,GAAGC,QAAQ,CAACH,gBAAgB,CAACE,GAAG,CAAC;MAC1C,MAAME,sBAAsB,GAAGF,GAAG,IAAI,OAAOA,GAAG,KAAK,SAAS;;MAE9D;MACA,IAAI,CAACE,sBAAsB,EAAE;QACzB,OAAOJ,gBAAgB,CAACM,MAAM,GAAG,GAAGC,IAAI,CAAC;MAC7C;MAEA,MAAM,CAAC;QAAEC,UAAU;QAAEC;MAAY,CAAC,CAAC,GAAGF,IAAI;MAC1C,MAAM;QAAEF;MAAe,CAAC,GAAGH,GAAG;MAE9B,IAAIG,cAAc,EAAE;QAChB,IAAI,CAACA,cAAc,CAACK,wBAAwB,EAAE;UAC1C,MAAM,IAAIC,KAAK,CACX,6GACJ,CAAC;QACL;QAEAH,UAAU,CAACI,QAAQ,IAAI;UACnB,IAAI,IAAAC,wBAAgB,EAACD,QAAQ,EAAElB,GAAG,CAACoB,MAAM,CAACC,QAAQ,CAAC,EAAE;YACjD,MAAMC,SAAS,GAAGJ,QAAQ,CAACK,IAAI,CAACD,SAAS,KAAK,KAAK;YACnD,IAAIA,SAAS,EAAE;cACXJ,QAAQ,CAACM,MAAM,CAACC,SAAS,CAACd,cAAc,CAAEK,wBAAwB,CAAC;YACvE;UACJ;UAEA,IAAI,IAAAG,wBAAgB,EAACD,QAAQ,EAAElB,GAAG,CAAC0B,GAAG,CAACC,IAAI,CAAC,EAAE;YAC1C,IAAIT,QAAQ,CAACK,IAAI,CAACK,oBAAoB,EAAE;cACpCb,WAAW,CAACf,GAAG,CAAC0B,GAAG,CAACG,oBAAoB,EAAE;gBACtCC,IAAI,EAAE,GAAGZ,QAAQ,CAACY,IAAI,4BAA4B;gBAClDN,MAAM,EAAE;kBACJO,IAAI,EAAEb,QAAQ,CAACc,MAAM,CAACF,IAAI;kBAC1BG,SAAS,EAAEjC,GAAG,CAAC0B,GAAG,CAACQ,aAAa,CAACC;gBACrC;cACJ,CAAC,CAAC;YACN;UACJ;QACJ,CAAC,CAAC;MACN;MAEA,OAAO7B,gBAAgB,CAACM,MAAM,GAAG,GAAGC,IAAI,CAAC;IAC7C;EACJ,CAAC,CAAC;AACN","ignoreList":[]}
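--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@webiny/pulumi-aws",
- "version": "5.42.0",
+ "version": "5.42.1-beta.1",
  "repository": {
  "type": "git",
  "url": "https://github.com/webiny/webiny-js.git"
@@ -16,18 +16,19 @@
  "@pulumi/aws": "^6.66.2",
  "@pulumi/pulumi": "^3.144.1",
  "@pulumi/random": "4.16.8",
- "@webiny/aws-sdk": "5.42.0",
- "@webiny/cli-plugin-deploy-pulumi": "5.42.0",
- "@webiny/pulumi": "5.42.0",
+ "@webiny/aws-sdk": "5.42.1-beta.1",
+ "@webiny/cli-plugin-deploy-pulumi": "5.42.1-beta.1",
+ "@webiny/pulumi": "5.42.1-beta.1",
+ "@webiny/wcp": "5.42.1-beta.1",
  "form-data": "4.0.0",
  "node-fetch": "2.6.7"
  },
  "devDependencies": {
- "@webiny/api-page-builder": "5.42.0",
- "@webiny/aws-layers": "5.42.0",
- "@webiny/cli": "5.42.0",
- "@webiny/feature-flags": "5.42.0",
- "@webiny/project-utils": "5.42.0",
+ "@webiny/api-page-builder": "5.42.1-beta.1",
+ "@webiny/aws-layers": "5.42.1-beta.1",
+ "@webiny/cli": "5.42.1-beta.1",
+ "@webiny/feature-flags": "5.42.1-beta.1",
+ "@webiny/project-utils": "5.42.1-beta.1",
  "chalk": "4.1.2",
  "lodash": "4.17.21",
  "mime": "3.0.0",
@@ -51,5 +52,5 @@
  ]
  }
  },
- "gitHead": "54553dc380e73678a22e132b20001b1f645b0e93"
+ "gitHead": "aa533cb9b24cfcd23c02f4ab64448082723d7dc1"
  }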