alchemy-effect 0.0.0 → 0.2.0

package/src/aws/lambda/function.provider.ts

@@ -0,0 +1,655 @@
+import crypto from "node:crypto";
+import path from "node:path";
+
+import { FileSystem } from "@effect/platform";
+import * as Effect from "effect/Effect";
+import * as Schedule from "effect/Schedule";
+
+import { App, DotAlchemy, type ProviderService } from "alchemy-effect";
+
+import type {
+  CreateFunctionRequest,
+  CreateFunctionUrlConfigRequest,
+  UpdateFunctionUrlConfigRequest,
+} from "itty-aws/lambda";
+import { createTagger, createTagsList, hasTags } from "../../tags.ts";
+import { Account } from "../account.ts";
+import * as IAM from "../iam.ts";
+import { Region } from "../region.ts";
+import { zipCode } from "../zip.ts";
+import { LambdaClient } from "./client.ts";
+import { Function, type FunctionAttr, type FunctionProps } from "./function.ts";
+
+export const functionProvider = () =>
+  Function.provider.effect(
+    Effect.gen(function* () {
+      const lambda = yield* LambdaClient;
+      const iam = yield* IAM.IAMClient;
+      const accountId = yield* Account;
+      const region = yield* Region;
+      const app = yield* App;
+      const dotAlchemy = yield* DotAlchemy;
+      const fs = yield* FileSystem.FileSystem;
+
+      // const assets = yield* Assets;
+
+      const createFunctionName = (id: string) =>
+        `${app.name}-${app.stage}-${id}-${region}`;
+      const createRoleName = (id: string) =>
+        `${app.name}-${app.stage}-${id}-${region}`;
+      const createPolicyName = (id: string) =>
+        `${app.name}-${app.stage}-${id}-${region}`;
+
+      const createPhysicalNames = (id: string) => {
+        const roleName = createRoleName(id);
+        const policyName = createPolicyName(id);
+        const functionName = createFunctionName(id);
+        return {
+          roleName,
+          policyName,
+          functionName,
+          roleArn: `arn:aws:iam::${accountId}:role/${roleName}`,
+          functionArn: `arn:aws:lambda:${region}:${accountId}:function:${functionName}`,
+        };
+      };
+
+      const attachBindings = Effect.fn(function* ({
+        roleName,
+        policyName,
+        // functionArn,
+        // functionName,
+        bindings,
+      }: {
+        roleName: string;
+        policyName: string;
+        functionArn: string;
+        functionName: string;
+        bindings: Function["binding"][];
+      }) {
+        const env = bindings
+          .map((binding) => binding?.env)
+          .reduce((acc, env) => ({ ...acc, ...(env ?? {}) }), {});
+        const policyStatements = bindings.flatMap(
+          (binding) =>
+            binding?.policyStatements?.map((stmt: IAM.PolicyStatement) => ({
+              ...stmt,
+              Sid: stmt.Sid?.replace(/[^A-Za-z0-9]+/gi, ""),
+            })) ?? [],
+        );
+
+        if (policyStatements.length > 0) {
+          yield* iam.putRolePolicy({
+            RoleName: roleName,
+            PolicyName: policyName,
+            PolicyDocument: JSON.stringify({
+              Version: "2012-10-17",
+              Statement: policyStatements,
+            } satisfies IAM.PolicyDocument),
+          });
+        } else {
+          yield* iam
+            .deleteRolePolicy({
+              RoleName: roleName,
+              PolicyName: policyName,
+            })
+            .pipe(Effect.catchTag("NoSuchEntityException", () => Effect.void));
+        }
+
+        return env;
+      });
+
+      const createRoleIfNotExists = Effect.fn(function* ({
+        id,
+        roleName,
+      }: {
+        id: string;
+        roleName: string;
+      }) {
+        yield* Effect.logDebug(`creating role ${id}`);
+        const role = yield* iam
+          .createRole({
+            RoleName: roleName,
+            AssumeRolePolicyDocument: JSON.stringify({
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Principal: {
+                    Service: "lambda.amazonaws.com",
+                  },
+                  Action: "sts:AssumeRole",
+                },
+              ],
+            }),
+            Tags: createTagsList(tagged(id)),
+          })
+          .pipe(
+            Effect.catchTag("EntityAlreadyExistsException", () =>
+              iam
+                .getRole({
+                  RoleName: roleName,
+                })
+                .pipe(
+                  Effect.filterOrFail(
+                    (role) => hasTags(tagged(id), role.Role?.Tags),
+                    () =>
+                      new Error(
+                        `Role ${roleName} exists but has incorrect tags`,
+                      ),
+                  ),
+                ),
+            ),
+          );
+
+        yield* Effect.logDebug(`attaching policy ${id}`);
+        yield* iam
+          .attachRolePolicy({
+            RoleName: roleName,
+            PolicyArn:
+              "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+          })
+          .pipe(Effect.tapError(Effect.logDebug), Effect.tap(Effect.logDebug));
+
+        yield* Effect.logDebug(`attached policy ${id}`);
+        return role;
+      });
+
+      const bundleCode = Effect.fn(function* (
+        id: string,
+        props: FunctionProps,
+      ) {
+        const handler = props.handler ?? "default";
+        let file = path.relative(process.cwd(), props.main);
+        if (!file.startsWith(".")) {
+          file = `./${file}`;
+        }
+        const { bundle } = yield* Effect.promise(() => import("../bundle.ts"));
+        const outfile = path.join(
+          dotAlchemy,
+          "out",
+          `${app.name}-${app.stage}-${id}.ts`,
+        );
+        yield* bundle({
+          // entryPoints: [props.main],
+          // we use a virtual entry point so that we can pluck out the user's handler closure and only its dependencies (not the whole module)
+          stdin: {
+            contents: `import { ${handler} as handler } from "${file}";\nexport default handler;`,
+            resolveDir: process.cwd(),
+            loader: "ts",
+            sourcefile: "__index.ts",
+          },
+          bundle: true,
+          format: "esm",
+          platform: "node",
+          target: "node22",
+          sourcemap: true,
+          treeShaking: true,
+          write: true,
+          outfile,
+          minify: true,
+          external: ["@aws-sdk/*", "@smithy/*"],
+          logLevel: "error",
+        });
+        const code = yield* fs
+          .readFile(outfile)
+          .pipe(Effect.catchAll(Effect.die));
+        return {
+          code,
+          hash: yield* hashCode(code),
+        };
+      });
+
+      const hashCode = (code: string | Uint8Array<ArrayBufferLike>) =>
+        Effect.sync(() =>
+          crypto.createHash("sha256").update(code).digest("hex"),
+        );
+
+      const tagged = yield* createTagger();
+
+      const createOrUpdateFunction = Effect.fn(function* ({
+        id,
+        news,
+        roleArn,
+        code,
+        env,
+        functionName,
+      }: {
+        id: string;
+        news: FunctionProps;
+        roleArn: string;
+        code: string | Uint8Array<ArrayBufferLike>;
+        env: Record<string, string> | undefined;
+        functionName: string;
+      }) {
+        yield* Effect.logDebug(`creating function ${id}`);
+        const createFunctionRequest: CreateFunctionRequest = {
+          FunctionName: functionName,
+          Handler: `index.${news.handler ?? "default"}`,
+          Role: roleArn,
+          Code: {
+            // TODO(sam): upload to assets
+            ZipFile: yield* zipCode(code),
+          },
+          Runtime: news.runtime ?? "nodejs22.x",
+          Environment: env
+            ? {
+                Variables: env,
+              }
+            : undefined,
+          Tags: tagged(id),
+        };
+
+        const getAndUpdate = lambda
+          .getFunction({
+            FunctionName: functionName,
+          })
+          .pipe(
+            Effect.filterOrFail(
+              // if it exists and contains these tags, we will assume it was created by alchemy
+              // but state was lost, so if it exists, let's adopt it
+              (f) => hasTags(tagged(id), f.Tags),
+              () =>
+                // TODO(sam): add custom
+                new Error("Function tags do not match expected values"),
+            ),
+            Effect.flatMap(() =>
+              Effect.gen(function* () {
+                yield* Effect.logDebug(`updating function code ${id}`);
+                yield* lambda
+                  .updateFunctionCode({
+                    FunctionName: createFunctionRequest.FunctionName,
+                    Architectures: createFunctionRequest.Architectures,
+                    ZipFile: createFunctionRequest.Code.ZipFile,
+                    // TODO(sam): support uploading via S3
+                  })
+                  .pipe(
+                    Effect.retry({
+                      while: (e) => {
+                        console.log({ e });
+                        return (
+                          e._tag === "ResourceConflictException" ||
+                          (e._tag === "InvalidParameterValueException" &&
+                            e.message?.includes(
+                              "The role defined for the function cannot be assumed by Lambda.",
+                            ))
+                        );
+                      },
+                      schedule: Schedule.fixed(100),
+                    }),
+                  );
+                yield* Effect.logDebug(`updated function code ${id}`);
+                yield* lambda
+                  .updateFunctionConfiguration({
+                    FunctionName: createFunctionRequest.FunctionName,
+                    DeadLetterConfig: createFunctionRequest.DeadLetterConfig,
+                    Description: createFunctionRequest.Description,
+                    Environment: createFunctionRequest.Environment,
+                    EphemeralStorage: createFunctionRequest.EphemeralStorage,
+                    FileSystemConfigs: createFunctionRequest.FileSystemConfigs,
+                    Handler: createFunctionRequest.Handler,
+                    ImageConfig: createFunctionRequest.ImageConfig,
+                    KMSKeyArn: createFunctionRequest.KMSKeyArn,
+                    Layers: createFunctionRequest.Layers,
+                    LoggingConfig: createFunctionRequest.LoggingConfig,
+                    MemorySize: createFunctionRequest.MemorySize,
+                    // RevisionId: "???"
+                    Role: createFunctionRequest.Role,
+                    Runtime: createFunctionRequest.Runtime,
+                    SnapStart: createFunctionRequest.SnapStart,
+                    Timeout: createFunctionRequest.Timeout,
+                    TracingConfig: createFunctionRequest.TracingConfig,
+                    VpcConfig: createFunctionRequest.VpcConfig,
+                  })
+                  .pipe(
+                    Effect.retry({
+                      while: (e) =>
+                        e._tag === "ResourceConflictException" ||
+                        (e._tag === "InvalidParameterValueException" &&
+                          e.message?.includes(
+                            "The role defined for the function cannot be assumed by Lambda.",
+                          )),
+                      schedule: Schedule.exponential(100),
+                    }),
+                  );
+                yield* Effect.logDebug(`updated function configuration ${id}`);
+              }),
+            ),
+          );
+
+        yield* lambda.createFunction(createFunctionRequest).pipe(
+          Effect.tapError(Effect.logDebug),
+          Effect.retry({
+            while: (e) =>
+              e._tag === "InvalidParameterValueException" &&
+              e.message?.includes("cannot be assumed by Lambda"),
+            schedule: Schedule.exponential(10),
+          }),
+          Effect.catchTags({
+            ResourceConflictException: () => getAndUpdate,
+          }),
+        );
+      });
+
+      const createOrUpdateFunctionUrl = Effect.fn(function* ({
+        functionName,
+        url,
+        oldUrl,
+      }: {
+        functionName: string;
+        url: FunctionProps["url"];
+        oldUrl?: FunctionProps["url"];
+      }) {
+        // TODO(sam): support AWS_IAM
+        const authType = "NONE";
+        yield* Effect.logDebug(`creating function url config ${functionName}`);
+        if (url) {
+          const config = {
+            FunctionName: functionName,
+            AuthType: authType, // | AWS_IAM
+            // Cors: {
+            //   AllowCredentials: true,
+            //   AllowHeaders: ["*"],
+            //   AllowMethods: ["*"],
+            //   AllowOrigins: ["*"],
+            //   ExposeHeaders: ["*"],
+            //   MaxAge: 86400,
+            // },
+            InvokeMode: "BUFFERED", // | RESPONSE_STREAM
+            // Qualifier: "$LATEST"
+          } satisfies
+            | CreateFunctionUrlConfigRequest
+            | UpdateFunctionUrlConfigRequest;
+          const permission = {
+            FunctionName: functionName,
+            StatementId: "FunctionURLAllowPublicAccess",
+            Action: "lambda:InvokeFunctionUrl",
+            Principal: "*",
+            FunctionUrlAuthType: "NONE",
+          } as const;
+          const [{ FunctionUrl }] = yield* Effect.all([
+            lambda
+              .createFunctionUrlConfig(config)
+              .pipe(
+                Effect.catchTag("ResourceConflictException", () =>
+                  lambda.updateFunctionUrlConfig(config),
+                ),
+              ),
+            authType === "NONE"
+              ? lambda.addPermission(permission).pipe(
+                  Effect.catchTag("ResourceConflictException", () =>
+                    Effect.gen(function* () {
+                      yield* lambda.removePermission({
+                        FunctionName: functionName,
+                        StatementId: "FunctionURLAllowPublicAccess",
+                      });
+                      yield* lambda.addPermission(permission);
+                    }),
+                  ),
+                )
+              : Effect.void,
+          ]);
+          yield* Effect.logDebug(`created function url config ${functionName}`);
+          return FunctionUrl;
+        } else if (oldUrl) {
+          yield* Effect.logDebug(
+            `deleting function url config ${functionName}`,
+          );
+          yield* Effect.all([
+            lambda
+              .deleteFunctionUrlConfig({
+                FunctionName: functionName,
+              })
+              .pipe(
+                Effect.catchTag("ResourceNotFoundException", () => Effect.void),
+              ),
+            lambda
+              .removePermission({
+                FunctionName: functionName,
+                StatementId: "FunctionURLAllowPublicAccess",
+              })
+              .pipe(
+                Effect.catchTag("ResourceNotFoundException", () => Effect.void),
+              ),
+          ]);
+          yield* Effect.logDebug(`deleted function url config ${functionName}`);
+        }
+        return undefined;
+      });
+
+      const summary = ({ code }: { code: Uint8Array<ArrayBufferLike> }) =>
+        `${
+          code.length >= 1024 * 1024
+            ? `${(code.length / (1024 * 1024)).toFixed(2)}MB`
+            : code.length >= 1024
+              ? `${(code.length / 1024).toFixed(2)}KB`
+              : `${code.length}B`
+        }`;
+
+      return {
+        read: Effect.fn(function* ({ id, output }) {
+          if (output) {
+            yield* Effect.logDebug(`reading function ${id}`);
+            // example: refresh the function URL from the API
+            return {
+              ...output,
+              functionUrl: (yield* lambda
+                .getFunctionUrlConfig({
+                  FunctionName: createFunctionName(id),
+                })
+                .pipe(
+                  Effect.map((f) => f.FunctionUrl),
+                  Effect.retry({
+                    //   error: ResourceConflictException: The operation cannot be performed at this time.
+                    // An update is in progress for resource: arn:aws:lambda:us-west-2:084828582823:function:my-app-dev-Consumer-us-west-2
+                    while: (e) => e.name === "ResourceConflictException",
+                    schedule: Schedule.exponential(100),
+                  }),
+                  Effect.catchTag("ResourceNotFoundException", () =>
+                    Effect.succeed(undefined),
+                  ),
+                )) as any,
+            } satisfies FunctionAttr<FunctionProps>;
+          }
+          return output;
+        }),
+        diff: Effect.fn(function* ({ id, olds, news, output }) {
+          if (
+            // function name changed
+            output.functionName !==
+              (news.functionName ?? createFunctionName(id)) ||
+            // url changed
+            olds.url !== news.url
+          ) {
+            return { action: "replace" };
+          } else if (output.code.hash !== (yield* bundleCode(id, news)).hash) {
+            // code changed
+            return { action: "update" };
+          }
+        }),
+        precreate: Effect.fn(function* ({ id, news, session }) {
+          const { roleName, functionName, roleArn } = createPhysicalNames(id);
+
+          const role = yield* createRoleIfNotExists({ id, roleName });
+
+          // mock code
+          const code = "export default () => {}";
+          yield* createOrUpdateFunction({
+            id,
+            news,
+            roleArn: role.Role.Arn,
+            code,
+            functionName,
+            env: {},
+          });
+
+          return {
+            functionArn: `arn:aws:lambda:${region}:${accountId}:function:${functionName}`,
+            functionName,
+            functionUrl: undefined,
+            roleName: createRoleName(id),
+            code: {
+              hash: yield* hashCode(code),
+            },
+            roleArn,
+          } satisfies FunctionAttr<FunctionProps>;
+        }),
+        create: Effect.fn(function* ({ id, news, bindings, session }) {
+          const roleName = createRoleName(id);
+          const policyName = createPolicyName(id);
+          // const policyArn = `arn:aws:iam::${accountId}:policy/${policyName}`;
+          const functionName = news.functionName ?? createFunctionName(id);
+          const functionArn = `arn:aws:lambda:${region}:${accountId}:function:${functionName}`;
+
+          const role = yield* createRoleIfNotExists({ id, roleName });
+
+          const env = yield* attachBindings({
+            roleName,
+            policyName,
+            functionArn,
+            functionName,
+            bindings,
+          });
+
+          const { code, hash } = yield* bundleCode(id, news);
+
+          yield* createOrUpdateFunction({
+            id,
+            news,
+            roleArn: role.Role.Arn,
+            // TODO(sam): upload to assets
+            code,
+            env,
+            functionName,
+          });
+
+          const functionUrl = yield* createOrUpdateFunctionUrl({
+            functionName,
+            url: news.url,
+          });
+
+          yield* session.note(summary({ code }));
+
+          return {
+            functionArn,
+            functionName,
+            functionUrl: functionUrl as any,
+            roleName,
+            roleArn: role.Role.Arn,
+            code: {
+              hash,
+            },
+          } satisfies FunctionAttr<FunctionProps>;
+        }),
+        update: Effect.fn(function* ({
+          id,
+          news,
+          olds,
+          bindings,
+          output,
+          session,
+        }) {
+          const roleName = createRoleName(id);
+          const policyName = createPolicyName(id);
+          const functionName = news.functionName ?? createFunctionName(id);
+          const functionArn = `arn:aws:lambda:${region}:${accountId}:function:${functionName}`;
+
+          const env = yield* attachBindings({
+            roleName,
+            policyName,
+            functionArn,
+            functionName,
+            bindings,
+          });
+
+          const { code, hash } = yield* bundleCode(id, news);
+
+          yield* createOrUpdateFunction({
+            id,
+            news,
+            roleArn: output.roleArn,
+            // TODO(sam): upload to assets
+            code,
+            env,
+            functionName,
+          });
+
+          const functionUrl = yield* createOrUpdateFunctionUrl({
+            functionName,
+            url: news.url,
+            oldUrl: olds.url,
+          });
+
+          yield* session.note(summary({ code }));
+
+          return {
+            ...output,
+            functionArn,
+            functionName,
+            functionUrl: functionUrl as any,
+            roleName,
+            roleArn: output.roleArn,
+            code: {
+              hash,
+            },
+          } satisfies FunctionAttr<FunctionProps>;
+        }),
+        delete: Effect.fn(function* ({ output }) {
+          yield* iam
+            .listRolePolicies({
+              RoleName: output.roleName,
+            })
+            .pipe(
+              Effect.flatMap((policies) =>
+                Effect.all(
+                  (policies.PolicyNames ?? []).map((policyName) =>
+                    iam.deleteRolePolicy({
+                      RoleName: output.roleName,
+                      PolicyName: policyName,
+                    }),
+                  ),
+                ),
+              ),
+            );
+
+          yield* iam
+            .listAttachedRolePolicies({
+              RoleName: output.roleName,
+            })
+            .pipe(
+              Effect.flatMap((policies) =>
+                Effect.all(
+                  (policies.AttachedPolicies ?? []).map((policy) =>
+                    iam
+                      .detachRolePolicy({
+                        RoleName: output.roleName,
+                        PolicyArn: policy.PolicyArn!,
+                      })
+                      .pipe(
+                        Effect.catchTag(
+                          "NoSuchEntityException",
+                          () => Effect.void,
+                        ),
+                      ),
+                  ),
+                ),
+              ),
+            );
+
+          yield* lambda
+            .deleteFunction({
+              FunctionName: output.functionName,
+            })
+            .pipe(
+              Effect.catchTag("ResourceNotFoundException", () => Effect.void),
+            );
+
+          yield* iam
+            .deleteRole({
+              RoleName: output.roleName,
+            })
+            .pipe(Effect.catchTag("NoSuchEntityException", () => Effect.void));
+          return null as any;
+        }),
+      } satisfies ProviderService<Function>;
+    }),
+  );

package/src/aws/lambda/function.ts

@@ -0,0 +1,45 @@
+import { Runtime, type Capability, type RuntimeProps } from "alchemy-effect";
+import type * as IAM from "../iam.ts";
+
+export type { Context } from "aws-lambda";
+
+export interface FunctionProps<Req = any> extends RuntimeProps<Function, Req> {
+  functionName?: string;
+  functionArn?: string;
+  main: string;
+  handler?: string;
+  memory?: number;
+  runtime?: "nodejs20.x" | "nodejs22.x";
+  architecture?: "x86_64" | "arm64";
+  url?: boolean;
+}
+export declare namespace FunctionProps {
+  export type Simplified<Req> = FunctionProps<
+    Capability.Simplify<Extract<Req, Capability>>
+  >;
+}
+
+export type FunctionAttr<Props extends FunctionProps = FunctionProps> = {
+  functionArn: string;
+  functionName: string;
+  functionUrl: Props["url"] extends true ? string : undefined;
+  roleName: string;
+  roleArn: string;
+  code: {
+    hash: string;
+  };
+};
+
+export interface FunctionBinding {
+  env?: {
+    [key: string]: string;
+  };
+  policyStatements?: IAM.PolicyStatement[];
+}
+
+export interface Function extends Runtime<"AWS.Lambda.Function"> {
+  props: FunctionProps;
+  attr: FunctionAttr<Extract<this["props"], FunctionProps>>;
+  binding: FunctionBinding;
+}
+export const Function = Runtime("AWS.Lambda.Function")<Function>();

package/src/aws/lambda/index.ts

@@ -0,0 +1,9 @@
+export * from "./client.ts";
+export * from "./function.handler.ts";
+export * from "./function.invoke.ts";
+export * from "./function.provider.ts";
+export * from "./function.ts";
+export * from "./serve.ts";
+export * from "./consume.ts";
+
+// export type * as lambda from "aws-lambda";