alchemy-effect 0.0.0 → 0.2.0

package/src/aws/ec2/vpc.provider.ts

@@ -0,0 +1,285 @@
+import * as Effect from "effect/Effect";
+import * as Schedule from "effect/Schedule";
+
+import { App, type ProviderService } from "alchemy-effect";
+import type { ScopedPlanStatusSession } from "../../apply.ts";
+import { createTagger, createTagsList } from "../../tags.ts";
+import { Account } from "../account.ts";
+import { Region } from "../region.ts";
+import { EC2Client } from "./client.ts";
+import { Vpc, type VpcAttrs, type VpcProps } from "./vpc.ts";
+
+import type { EC2 } from "itty-aws/ec2";
+
+export const vpcProvider = () =>
+  Vpc.provider.effect(
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+      const app = yield* App;
+      const region = yield* Region;
+      const accountId = yield* Account;
+      const tagged = yield* createTagger();
+
+      return {
+        diff: Effect.fn(function* ({ id, news, olds }) {
+          // 1. CIDR block changes
+          if (olds.cidrBlock !== news.cidrBlock) {
+            return { action: "replace" } as const;
+          }
+
+          // 2. Instance tenancy changes
+          if (olds.instanceTenancy !== news.instanceTenancy) {
+            return { action: "replace" } as const;
+          }
+
+          // 3. IPAM pool changes
+          if (olds.ipv4IpamPoolId !== news.ipv4IpamPoolId) {
+            return { action: "replace" } as const;
+          }
+
+          if (olds.ipv6IpamPoolId !== news.ipv6IpamPoolId) {
+            return { action: "replace" } as const;
+          }
+
+          // 4. IPv6 CIDR block changes
+          if (olds.ipv6CidrBlock !== news.ipv6CidrBlock) {
+            return { action: "replace" } as const;
+          }
+
+          // 5. IPv6 pool changes
+          if (olds.ipv6Pool !== news.ipv6Pool) {
+            return { action: "replace" } as const;
+          }
+        }),
+
+        create: Effect.fn(function* ({ id, news, session }) {
+          // 1. Prepare tags
+          const alchemyTags = tagged(id);
+          const userTags = news.tags ?? {};
+          const allTags = { ...alchemyTags, ...userTags };
+
+          // 2. Call CreateVpc
+          const createResult = yield* ec2.createVpc({
+            // TODO(sam): add all properties
+            AmazonProvidedIpv6CidrBlock: news.amazonProvidedIpv6CidrBlock,
+            InstanceTenancy: news.instanceTenancy,
+            CidrBlock: news.cidrBlock,
+            Ipv4IpamPoolId: news.ipv4IpamPoolId,
+            Ipv4NetmaskLength: news.ipv4NetmaskLength,
+            Ipv6Pool: news.ipv6Pool,
+            Ipv6CidrBlock: news.ipv6CidrBlock,
+            Ipv6IpamPoolId: news.ipv6IpamPoolId,
+            Ipv6NetmaskLength: news.ipv6NetmaskLength,
+            Ipv6CidrBlockNetworkBorderGroup:
+              news.ipv6CidrBlockNetworkBorderGroup,
+            TagSpecifications: [
+              {
+                ResourceType: "vpc",
+                Tags: createTagsList(allTags),
+              },
+            ],
+            DryRun: false,
+          });
+
+          const vpcId = createResult.Vpc!.VpcId!;
+          yield* session.note(`VPC created: ${vpcId}`);
+
+          // 3. Modify DNS attributes if specified (separate API calls)
+          yield* ec2.modifyVpcAttribute({
+            VpcId: vpcId,
+            EnableDnsSupport: { Value: news.enableDnsSupport ?? true },
+          });
+
+          if (news.enableDnsHostnames !== undefined) {
+            yield* ec2.modifyVpcAttribute({
+              VpcId: vpcId,
+              EnableDnsHostnames: { Value: news.enableDnsHostnames },
+            });
+          }
+
+          // 4. Wait for VPC to be available
+          const vpc = yield* waitForVpcAvailable(ec2, vpcId, session);
+
+          // 6. Return attributes
+          return {
+            vpcId,
+            vpcArn:
+              `arn:aws:ec2:${region}:${accountId}:vpc/${vpcId}` as VpcAttrs<VpcProps>["vpcArn"],
+            cidrBlock: vpc.CidrBlock!,
+            dhcpOptionsId: vpc.DhcpOptionsId!,
+            state: vpc.State!,
+            isDefault: vpc.IsDefault ?? false,
+            ownerId: vpc.OwnerId,
+            cidrBlockAssociationSet: vpc.CidrBlockAssociationSet?.map(
+              (assoc) => ({
+                associationId: assoc.AssociationId!,
+                cidrBlock: assoc.CidrBlock!,
+                cidrBlockState: {
+                  state: assoc.CidrBlockState!.State!,
+                  statusMessage: assoc.CidrBlockState!.StatusMessage,
+                },
+              }),
+            ),
+            ipv6CidrBlockAssociationSet: vpc.Ipv6CidrBlockAssociationSet?.map(
+              (assoc) => ({
+                associationId: assoc.AssociationId!,
+                ipv6CidrBlock: assoc.Ipv6CidrBlock!,
+                ipv6CidrBlockState: {
+                  state: assoc.Ipv6CidrBlockState!.State!,
+                  statusMessage: assoc.Ipv6CidrBlockState!.StatusMessage,
+                },
+                networkBorderGroup: assoc.NetworkBorderGroup,
+                ipv6Pool: assoc.Ipv6Pool,
+              }),
+            ),
+          } satisfies VpcAttrs<VpcProps>;
+        }),
+
+        update: Effect.fn(function* ({ news, olds, output, session }) {
+          const vpcId = output.vpcId;
+
+          // Only DNS and metrics settings can be updated
+          // Everything else requires replacement (handled by diff)
+
+          if (news.enableDnsSupport !== olds.enableDnsSupport) {
+            yield* ec2.modifyVpcAttribute({
+              VpcId: vpcId,
+              EnableDnsSupport: { Value: news.enableDnsSupport ?? true },
+            });
+            yield* session.note("Updated DNS support");
+          }
+
+          if (news.enableDnsHostnames !== olds.enableDnsHostnames) {
+            yield* ec2.modifyVpcAttribute({
+              VpcId: vpcId,
+              EnableDnsHostnames: { Value: news.enableDnsHostnames ?? false },
+            });
+            yield* session.note("Updated DNS hostnames");
+          }
+
+          // Note: Tag updates would go here if we support user tag changes
+
+          return output; // VPC attributes don't change from these updates
+        }),
+
+        delete: Effect.fn(function* ({ output, session }) {
+          const vpcId = output.vpcId;
+
+          yield* session.note(`Deleting VPC: ${vpcId}`);
+
+          // 1. Attempt to delete VPC
+          yield* ec2
+            .deleteVpc({
+              VpcId: vpcId,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.tapError(Effect.logDebug),
+              Effect.catchTag("InvalidVpcID.NotFound", () => Effect.void),
+              // Retry on dependency violations (resources still being deleted)
+              Effect.retry({
+                while: (e) => {
+                  // DependencyViolation means there are still dependent resources
+                  // This can happen if subnets/IGW are being deleted concurrently
+                  return (
+                    e._tag === "ValidationError" &&
+                    e.message?.includes("DependencyViolation")
+                  );
+                },
+                schedule: Schedule.exponential(1000, 1.5).pipe(
+                  Schedule.intersect(Schedule.recurs(10)), // Try up to 10 times
+                  Schedule.tapOutput(([, attempt]) =>
+                    session.note(
+                      `Waiting for dependencies to clear... (attempt ${attempt + 1})`,
+                    ),
+                  ),
+                ),
+              }),
+            );
+
+          // 2. Wait for VPC to be fully deleted
+          yield* waitForVpcDeleted(ec2, vpcId, session);
+
+          yield* session.note(`VPC ${vpcId} deleted successfully`);
+        }),
+      } satisfies ProviderService<Vpc>;
+    }),
+  );
+
+/**
+ * Wait for VPC to be in available state
+ */
+const waitForVpcAvailable = (
+  ec2: EC2,
+  vpcId: string,
+  session?: ScopedPlanStatusSession,
+) =>
+  Effect.retry(
+    Effect.gen(function* () {
+      const result = yield* ec2
+        .describeVpcs({ VpcIds: [vpcId] })
+        .pipe(
+          Effect.catchTag("InvalidVpcID.NotFound", () =>
+            Effect.succeed({ Vpcs: [] }),
+          ),
+        );
+      const vpc = result.Vpcs![0];
+
+      if (vpc.State === "available") {
+        return vpc;
+      }
+
+      // Still pending, fail to trigger retry
+      return yield* Effect.fail(new Error("VPC not yet available"));
+    }),
+    {
+      schedule: Schedule.fixed(2000).pipe(
+        // Check every 2 seconds
+        Schedule.intersect(Schedule.recurs(30)), // Max 60 seconds
+        Schedule.tapOutput(([, attempt]) =>
+          session
+            ? session.note(
+                `Waiting for VPC to be available... (${(attempt + 1) * 2}s)`,
+              )
+            : Effect.void,
+        ),
+      ),
+    },
+  );
+
+/**
+ * Wait for VPC to be deleted
+ */
+const waitForVpcDeleted = (
+  ec2: EC2,
+  vpcId: string,
+  session: ScopedPlanStatusSession,
+) =>
+  Effect.gen(function* () {
+    yield* Effect.retry(
+      Effect.gen(function* () {
+        const result = yield* ec2.describeVpcs({ VpcIds: [vpcId] }).pipe(
+          Effect.tapError(Effect.logDebug),
+          Effect.catchTag("InvalidVpcID.NotFound", () =>
+            Effect.succeed({ Vpcs: [] }),
+          ),
+        );
+
+        if (!result.Vpcs || result.Vpcs.length === 0) {
+          return; // Successfully deleted
+        }
+
+        // Still exists, fail to trigger retry
+        return yield* Effect.fail(new Error("VPC still exists"));
+      }),
+      {
+        schedule: Schedule.fixed(2000).pipe(
+          // Check every 2 seconds
+          Schedule.intersect(Schedule.recurs(15)), // Max 30 seconds
+          Schedule.tapOutput(([, attempt]) =>
+            session.note(`Waiting for VPC deletion... (${(attempt + 1) * 2}s)`),
+          ),
+        ),
+      },
+    );
+  });

package/src/aws/ec2/vpc.ts

@@ -0,0 +1,152 @@
+import type * as EC2 from "itty-aws/ec2";
+import { Resource } from "../../resource.ts";
+import type { AccountID } from "../account.ts";
+import type { RegionID } from "../region.ts";
+
+export const Vpc = Resource<{
+  <const ID extends string, const Props extends VpcProps>(
+    id: ID,
+    props: Props,
+  ): Vpc<ID, Props>;
+}>("AWS.EC2.VPC");
+
+export interface Vpc<
+  ID extends string = string,
+  Props extends VpcProps = VpcProps,
+> extends Resource<"AWS.EC2.VPC", ID, Props, VpcAttrs<Props>> {}
+
+export interface VpcProps {
+  /**
+   * The IPv4 network range for the VPC, in CIDR notation.
+   * Required unless using IPAM.
+   * @example "10.0.0.0/16"
+   */
+  cidrBlock?: string;
+
+  /**
+   * The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR.
+   */
+  ipv4IpamPoolId?: string;
+
+  /**
+   * The netmask length of the IPv4 CIDR you want to allocate to this VPC from an IPAM pool.
+   */
+  ipv4NetmaskLength?: number;
+
+  /**
+   * The ID of an IPv6 IPAM pool which will be used to allocate this VPC an IPv6 CIDR.
+   */
+  ipv6IpamPoolId?: string;
+
+  /**
+   * The netmask length of the IPv6 CIDR you want to allocate to this VPC from an IPAM pool.
+   */
+  ipv6NetmaskLength?: number;
+
+  /**
+   * Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
+   */
+  ipv6CidrBlock?: string;
+
+  /**
+   * The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block.
+   */
+  ipv6Pool?: string;
+
+  /**
+   * The Availability Zone or Local Zone Group name for the IPv6 CIDR block.
+   */
+  ipv6CidrBlockNetworkBorderGroup?: string;
+
+  /**
+   * The tenancy options for instances launched into the VPC.
+   * @default "default"
+   */
+  instanceTenancy?: EC2.Tenancy;
+
+  /**
+   * Whether DNS resolution is supported for the VPC.
+   * @default true
+   */
+  enableDnsSupport?: boolean;
+
+  /**
+   * Whether instances launched in the VPC get DNS hostnames.
+   * @default true
+   */
+  enableDnsHostnames?: boolean;
+
+  /**
+   * Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
+   */
+  amazonProvidedIpv6CidrBlock?: boolean;
+
+  /**
+   * Tags to assign to the VPC.
+   * These will be merged with alchemy auto-tags (alchemy::app, alchemy::stage, alchemy::id).
+   */
+  tags?: Record<string, string>;
+}
+
+export interface VpcAttrs<Props extends VpcProps> {
+  /**
+   * The ID of the VPC.
+   */
+  vpcId: string;
+
+  /**
+   * The Amazon Resource Name (ARN) of the VPC.
+   */
+  vpcArn: `arn:aws:ec2:${RegionID}:${AccountID}:vpc/${this["vpcId"]}`;
+
+  /**
+   * The primary IPv4 CIDR block for the VPC.
+   */
+  cidrBlock: string;
+
+  /**
+   * The ID of the set of DHCP options associated with the VPC.
+   */
+  dhcpOptionsId: string;
+
+  /**
+   * The current state of the VPC.
+   */
+  state: EC2.VpcState;
+
+  /**
+   * Whether the VPC is the default VPC.
+   */
+  isDefault: boolean;
+
+  /**
+   * The ID of the AWS account that owns the VPC.
+   */
+  ownerId?: string;
+
+  /**
+   * Information about the IPv4 CIDR blocks associated with the VPC.
+   */
+  cidrBlockAssociationSet?: Array<{
+    associationId: string;
+    cidrBlock: string;
+    cidrBlockState: {
+      state: EC2.VpcCidrBlockStateCode;
+      statusMessage?: string;
+    };
+  }>;
+
+  /**
+   * Information about the IPv6 CIDR blocks associated with the VPC.
+   */
+  ipv6CidrBlockAssociationSet?: Array<{
+    associationId: string;
+    ipv6CidrBlock: string;
+    ipv6CidrBlockState: {
+      state: EC2.VpcCidrBlockStateCode;
+      statusMessage?: string;
+    };
+    networkBorderGroup?: string;
+    ipv6Pool?: string;
+  }>;
+}

package/src/aws/iam.ts

@@ -0,0 +1,30 @@
+import * as Context from "effect/Context";
+import { IAM } from "itty-aws/iam";
+import { createAWSServiceClientLayer } from "./client.ts";
+
+export class IAMClient extends Context.Tag("AWS::IAM::Client")<
+  IAMClient,
+  IAM
+>() {}
+
+export const client = createAWSServiceClientLayer<typeof IAMClient, IAM>(
+  IAMClient,
+  IAM,
+);
+
+export interface PolicyDocument {
+  Version: "2012-10-17";
+  Statement: PolicyStatement[];
+}
+
+export interface PolicyStatement {
+  Effect: "Allow" | "Deny";
+  Sid?: string;
+  Action: string[];
+  Resource: string | string[];
+  Condition?: Record<string, Record<string, string | string[]>>;
+  Principal?: Record<string, string | string[]>;
+  NotPrincipal?: Record<string, string | string[]>;
+  NotAction?: string[];
+  NotResource?: string[];
+}

package/src/aws/index.ts

@@ -0,0 +1,54 @@
+import * as Layer from "effect/Layer";
+import * as ESBuild from "../esbuild.ts";
+import * as Account from "./account.ts";
+import * as Credentials from "./credentials.ts";
+import * as DynamoDB from "./dynamodb/index.ts";
+import * as EC2 from "./ec2/index.ts";
+import * as IAM from "./iam.ts";
+import * as Lambda from "./lambda/index.ts";
+import * as Region from "./region.ts";
+import * as S3 from "./s3.ts";
+import * as SQS from "./sqs/index.ts";
+import * as STS from "./sts.ts";
+// TODO(sam): should this be named?
+export * from "./profile.ts";
+
+export const providers = Layer.mergeAll(
+  Layer.provide(
+    Layer.provideMerge(Lambda.functionProvider(), ESBuild.layer()),
+    Lambda.client(),
+  ),
+  Layer.provide(SQS.queueProvider(), SQS.client()),
+  Layer.provide(DynamoDB.tableProvider(), DynamoDB.client()),
+  Layer.provide(EC2.vpcProvider(), EC2.client()),
+);
+
+export const bindings = Layer.mergeAll(
+  //
+  SQS.sendMessageFromLambdaFunction(),
+  SQS.queueEventSourceProvider(),
+  DynamoDB.getItemFromLambdaFunction(),
+);
+
+export const clients = Layer.mergeAll(
+  STS.client(),
+  IAM.client(),
+  S3.client(),
+  SQS.client(),
+  Lambda.client(),
+  DynamoDB.client(),
+  EC2.client(),
+);
+
+export const defaultProviders = providers.pipe(
+  Layer.provideMerge(bindings),
+  Layer.provideMerge(Account.fromIdentity()),
+  Layer.provideMerge(clients),
+);
+
+export const live = defaultProviders.pipe(
+  Layer.provide(Region.fromEnv()),
+  Layer.provide(Credentials.fromSSO()),
+);
+
+export default live;

package/src/aws/lambda/client.ts

@@ -0,0 +1,14 @@
+import * as Context from "effect/Context";
+
+import { Lambda } from "itty-aws/lambda";
+import { createAWSServiceClientLayer } from "../client.ts";
+
+export class LambdaClient extends Context.Tag("AWS.Lambda.Client")<
+  LambdaClient,
+  Lambda
+>() {}
+
+export const client = createAWSServiceClientLayer<typeof LambdaClient, Lambda>(
+  LambdaClient,
+  Lambda,
+);

package/src/aws/lambda/consume.ts

@@ -0,0 +1,63 @@
+import type { From } from "alchemy-effect";
+import { declare } from "alchemy-effect";
+import type {
+  Context as LambdaContext,
+  SQSBatchResponse,
+  SQSEvent,
+} from "aws-lambda";
+import * as Effect from "effect/Effect";
+import * as S from "effect/Schema";
+import * as SQS from "../sqs/index.ts";
+import * as Lambda from "./function.ts";
+
+export const consume =
+  <Q extends SQS.Queue, ID extends string, Req>(
+    id: ID,
+    {
+      queue,
+      handle,
+    }: {
+      queue: Q;
+      handle: (
+        event: SQS.QueueEvent<Q["props"]["schema"]["Type"]>,
+        context: LambdaContext,
+      ) => Effect.Effect<SQSBatchResponse | void, never, Req>;
+    },
+  ) =>
+  <const Props extends Lambda.FunctionProps<Req>>({
+    bindings,
+    ...props
+  }: Props) =>
+    Lambda.Function(id, {
+      handle: Effect.fn(function* (event: SQSEvent, context: LambdaContext) {
+        yield* declare<SQS.Consume<From<Q>>>();
+        const records = yield* Effect.all(
+          event.Records.map(
+            Effect.fn(function* (record) {
+              return {
+                ...record,
+                body: yield* S.validate(queue.props.schema)(record.body).pipe(
+                  Effect.catchAll(() => Effect.void),
+                ),
+              };
+            }),
+          ),
+        );
+        const response = yield* handle(
+          {
+            Records: records.filter((record) => record.body !== undefined),
+          },
+          context,
+        );
+        return {
+          batchItemFailures: [
+            ...(response?.batchItemFailures ?? []),
+            ...records
+              .filter((record) => record.body === undefined)
+              .map((failed) => ({
+                itemIdentifier: failed.messageId,
+              })),
+          ],
+        } satisfies SQSBatchResponse;
+      }),
+    })({ ...props, bindings: bindings.and(SQS.QueueEventSource(queue)) });

package/src/aws/lambda/function.handler.ts

@@ -0,0 +1,30 @@
+import type { Capability } from "alchemy-effect";
+import type { Context as LambdaContext } from "aws-lambda";
+import * as Effect from "effect/Effect";
+
+type Handler = (
+  event: any,
+  context: LambdaContext,
+) => Effect.Effect<any, any, never>;
+
+type HandlerEffect<Req = Capability> = Effect.Effect<Handler, any, Req>;
+
+const memo = Symbol.for("alchemy::memo");
+
+// TODO(sam): is there a better way to lazily evaluate the Effect and cache the result?
+const resolveHandler = async (
+  effect: HandlerEffect & {
+    [memo]?: Handler;
+  },
+) =>
+  (effect[memo] ??= await Effect.runPromise(
+    // safe to cast away the Capability requirements since they are phantoms
+    effect as HandlerEffect<never>,
+  ));
+
+export const toHandler =
+  <H extends Handler>(effect: Effect.Effect<H, any, Capability>) =>
+  async (event: any, context: LambdaContext) =>
+    Effect.runPromise(
+      (await resolveHandler(effect))(event, context),
+    ) as Promise<Effect.Effect.Success<ReturnType<H>>>;

package/src/aws/lambda/function.invoke.ts

@@ -0,0 +1,40 @@
+import * as Effect from "effect/Effect";
+
+import { $, Binding, type Capability, declare, toEnvKey } from "alchemy-effect";
+import { LambdaClient } from "./client.ts";
+import { Function } from "./function.ts";
+
+export interface InvokeFunction<Resource = unknown>
+  extends Capability<"AWS.Lambda.InvokeFunction", Resource> {}
+
+export const InvokeFunction = Binding<
+  <F extends Function>(func: F) => Binding<Function, InvokeFunction<$<F>>>
+>(Function, "AWS.Lambda.InvokeFunction");
+
+export const invoke = <F extends Function>(func: F, input: any) =>
+  Effect.gen(function* () {
+    const lambda = yield* LambdaClient;
+    const functionArn = process.env[`${func.id}-functionArn`]!;
+    yield* declare<InvokeFunction<F>>();
+    return yield* lambda.invoke({
+      FunctionName: functionArn,
+      InvocationType: "RequestResponse",
+      Payload: JSON.stringify(input),
+    });
+  });
+
+export const invokeFunctionFromLambda = InvokeFunction.provider.succeed({
+  attach: ({ source: func }) => ({
+    env: {
+      [toEnvKey(func.id, "FUNCTION_ARN")]: func.attr.functionArn,
+    },
+    policyStatements: [
+      {
+        Sid: "AWS.Lambda.InvokeFunction",
+        Effect: "Allow",
+        Action: ["lambda:InvokeFunction"],
+        Resource: [func.attr.functionArn],
+      },
+    ],
+  }),
+});