alchemy-effect 0.2.0 → 0.3.0

package/src/assert-never.ts

@@ -0,0 +1,18 @@
+import * as Effect from "effect/Effect";
+import * as Data from "effect/Data";
+
+export class UnexpectedValueError extends Data.TaggedError(
+  "UnexpectedValueError",
+)<{
+  message: string;
+  value: never;
+}> {}
+
+export const assertNeverOrDie = (value: never): Effect.Effect<never> => {
+  return Effect.die(
+    new UnexpectedValueError({
+      message: `Unexpected value: ${value}`,
+      value,
+    }),
+  );
+};

package/src/aws/account.ts

@@ -3,6 +3,8 @@ import * as Data from "effect/Data";
 import * as Effect from "effect/Effect";
 import * as Layer from "effect/Layer";
 import * as STS from "./sts.ts";
+import { App } from "../app.ts";
+import { loadProfile } from "./credentials.ts";
 
 export class FailedToGetAccount extends Data.TaggedError(
   "AWS::Account::FailedToGetAccount",
@@ -18,12 +20,30 @@ export class Account extends Context.Tag("AWS::AccountID")<
   AccountID
 >() {}
 
-export const fromIdentity = () =>
+export class AWSStageConfigAccountMissing extends Data.TaggedError(
+  "AWSStageConfigAccountMissing",
+)<{
+  message: string;
+  stage: string;
+}> {}
+
+export const fromStageConfig = () =>
   Layer.effect(
     Account,
     Effect.gen(function* () {
-      const sts = yield* STS.STSClient;
-      const identity = yield* sts.getCallerIdentity({}).pipe(
+      const app = yield* App;
+      if (app.config.aws?.account) {
+        return app.config.aws.account;
+      }
+      const profileName = app.config.aws?.profile;
+      if (profileName) {
+        const profile = yield* loadProfile(profileName);
+        if (profile.sso_account_id) {
+          return profile.sso_account_id;
+        }
+      }
+      const client = yield* STS.STSClient;
+      const identity = yield* client.getCallerIdentity({}).pipe(
         Effect.catchAll(
           (err) =>
             new FailedToGetAccount({

package/src/aws/client.ts

@@ -21,7 +21,6 @@ export const createAWSServiceClientLayer =
       Effect.gen(function* () {
         const region = yield* Region;
         const credentials = yield* Credentials;
-        //
         const client = new clss({
           region,
           credentials: {

package/src/aws/config.ts

@@ -0,0 +1,16 @@
+import type { AccountID } from "./account.ts";
+import type { RegionID } from "./region.ts";
+import type { AwsCredentialIdentity } from "@smithy/types";
+
+export interface AwsStageConfig {
+  account?: AccountID;
+  region?: RegionID;
+  profile?: string;
+  credentials?: AwsCredentialIdentity;
+}
+
+declare module "../stage.ts" {
+  interface StageConfig {
+    aws?: AwsStageConfig;
+  }
+}

package/src/aws/credentials.ts

@@ -26,7 +26,8 @@ import * as Redacted from "effect/Redacted";
 import { createHash } from "node:crypto";
 import * as path from "node:path";
 import { parseIni, parseSSOSessionData } from "./parse-ini.ts";
-import { AwsProfile } from "./profile.ts";
+import { Profile } from "./profile.ts";
+import { App } from "../app.ts";
 
 export class Credentials extends Context.Tag("AWS::Credentials")<
   Credentials,
@@ -164,201 +165,235 @@ export interface SsoProfileConfig extends AwsProfileConfig {
   sso_role_name: string;
 }
 
+export const fromStageConfig = () =>
+  Layer.effect(
+    Credentials,
+    Effect.gen(function* () {
+      const app = yield* App;
+      if (app.config.aws?.profile) {
+        return yield* loadSSOCredentials(app.config.aws.profile);
+      } else if (app.config.aws?.credentials) {
+        return fromAwsCredentialIdentity(app.config.aws.credentials);
+      }
+      return yield* Effect.dieMessage(
+        "No AWS credentials found in stage config",
+      );
+    }),
+  );
+
 export const fromSSO = () =>
   Layer.effect(
     Credentials,
     Effect.gen(function* () {
-      const client = yield* HttpClient.HttpClient;
-      const fs = yield* FileSystem.FileSystem;
       const profileName = Option.getOrElse(
-        yield* Effect.serviceOption(AwsProfile),
+        yield* Effect.serviceOption(Profile),
         () => "default",
       );
+      return yield* loadSSOCredentials(profileName);
+    }),
+  );
 
-      const profiles: {
-        [profileName: string]: AwsProfileConfig;
-      } = yield* Effect.promise(() =>
-        ini.parseKnownFiles({ profile: profileName }),
+export const loadSSOCredentials = Effect.fn(function* (profileName: string) {
+  const client = yield* HttpClient.HttpClient;
+  const fs = yield* FileSystem.FileSystem;
+  const awsDir = path.join(ini.getHomeDir(), ".aws");
+  const cachePath = path.join(awsDir, "sso", "cache");
+
+  const profile = yield* loadProfile(profileName);
+
+  if (profile.sso_session) {
+    const hasher = createHash("sha1");
+    const cacheName = hasher.update(profile.sso_session).digest("hex");
+    const ssoTokenFilepath = path.join(cachePath, `${cacheName}.json`);
+    const cachedCredsFilePath = path.join(
+      cachePath,
+      `${cacheName}.credentials.json`,
+    );
+
+    const cachedCreds = yield* fs.readFileString(cachedCredsFilePath).pipe(
+      Effect.map((text) => JSON.parse(text)),
+      Effect.catchAll(() => Effect.void),
+    );
+
+    const isExpired = (expiry: number | string | undefined) => {
+      return (
+        expiry === undefined ||
+        new Date(expiry).getTime() - Date.now() <= EXPIRE_WINDOW_MS
       );
-
-      const profile = profiles[profileName];
-
-      if (!profile) {
-        yield* Effect.fail(
-          new ProfileNotFound({
-            message: `Profile ${profileName} not found`,
-            profile: profileName,
+    };
+
+    if (cachedCreds && !isExpired(cachedCreds.expiry)) {
+      return Credentials.of({
+        accessKeyId: Redacted.make(cachedCreds.accessKeyId),
+        secretAccessKey: Redacted.make(cachedCreds.secretAccessKey),
+        sessionToken: cachedCreds.sessionToken
+          ? Redacted.make(cachedCreds.sessionToken)
+          : undefined,
+        expiration: cachedCreds.expiry,
+      });
+    }
+
+    const ssoToken = yield* fs.readFileString(ssoTokenFilepath).pipe(
+      Effect.map((text) => JSON.parse(text) as SSOToken),
+      Effect.catchAll(() =>
+        Effect.fail(
+          new InvalidSSOToken({
+            message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+            sso_session: profile.sso_session!,
           }),
-        );
-      }
+        ),
+      ),
+    );
 
-      const awsDir = path.join(ini.getHomeDir(), ".aws");
-      const configPath = path.join(awsDir, "config");
-      const cachePath = path.join(awsDir, "sso", "cache");
-
-      if (profile.sso_session) {
-        const ssoRegion = Option.getOrUndefined(
-          yield* Effect.serviceOption(SsoRegion),
-        );
-        const ssoStartUrl = Option.getOrElse(
-          yield* Effect.serviceOption(SsoStartUrl),
-          () => profile.sso_start_url,
-        );
-
-        const ssoSessions = yield* fs.readFileString(configPath).pipe(
-          Effect.flatMap((config) =>
-            Effect.promise(async () => parseIni(config)),
-          ),
-          Effect.map(parseSSOSessionData),
-        );
-        const session = ssoSessions[profile.sso_session];
-        if (ssoRegion && ssoRegion !== session.sso_region) {
-          yield* Effect.fail(
-            new ConflictingSSORegion({
-              message: `Conflicting SSO region`,
-              ssoRegion: ssoRegion,
-              profile: profile.sso_session,
-            }),
-          );
-        }
-        if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
-          yield* Effect.fail(
-            new ConflictingSSOStartUrl({
-              message: `Conflicting SSO start url`,
-              ssoStartUrl: ssoStartUrl,
-              profile: profile.sso_session,
-            }),
-          );
-        }
-        profile.sso_region = session.sso_region;
-        profile.sso_start_url = session.sso_start_url;
-
-        const ssoFields = [
-          "sso_start_url",
-          "sso_account_id",
-          "sso_region",
-          "sso_role_name",
-        ] as const satisfies (keyof SsoProfileConfig)[];
-        const missingFields = ssoFields.filter((field) => !profile[field]);
-        if (missingFields.length > 0) {
-          yield* Effect.fail(
-            new InvalidSSOProfile({
-              profile: profileName,
-              missingFields,
-              message:
-                `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
-                `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(
-                  profile,
-                ).join(
-                  ", ",
-                )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
-            }),
-          );
-        }
-
-        const hasher = createHash("sha1");
-        const cacheName = hasher.update(profile.sso_session).digest("hex");
-        const ssoTokenFilepath = path.join(cachePath, `${cacheName}.json`);
-        const cachedCredsFilePath = path.join(
-          cachePath,
-          `${cacheName}.credentials.json`,
-        );
-
-        const cachedCreds = yield* fs.readFileString(cachedCredsFilePath).pipe(
-          Effect.map((text) => JSON.parse(text)),
-          Effect.catchAll(() => Effect.void),
-        );
-
-        const isExpired = (expiry: number | string | undefined) => {
-          return (
-            expiry === undefined ||
-            new Date(expiry).getTime() - Date.now() <= EXPIRE_WINDOW_MS
-          );
+    if (isExpired(ssoToken.expiresAt)) {
+      yield* Console.log(
+        `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+      );
+      yield* Effect.fail(
+        new ExpiredSSOToken({
+          message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+          profile: profileName,
+        }),
+      );
+    }
+
+    const response = yield* client.get(
+      `https://portal.sso.${profile.sso_region}.amazonaws.com/federation/credentials?account_id=${profile.sso_account_id}&role_name=${profile.sso_role_name}`,
+      {
+        headers: {
+          "User-Agent": "alchemy.run",
+          "Content-Type": "application/json",
+          "x-amz-sso_bearer_token": ssoToken.accessToken,
+        },
+      },
+    );
+
+    const credentials = (
+      (yield* response.json) as {
+        roleCredentials: {
+          accessKeyId: string;
+          secretAccessKey: string;
+          sessionToken: string;
+          expiration: number;
         };
-
-        if (cachedCreds && !isExpired(cachedCreds.expiry)) {
-          return Credentials.of({
-            accessKeyId: Redacted.make(cachedCreds.accessKeyId),
-            secretAccessKey: Redacted.make(cachedCreds.secretAccessKey),
-            sessionToken: cachedCreds.sessionToken
-              ? Redacted.make(cachedCreds.sessionToken)
-              : undefined,
-            expiration: cachedCreds.expiry,
-          });
-        }
-
-        const ssoToken = yield* fs.readFileString(ssoTokenFilepath).pipe(
-          Effect.map((text) => JSON.parse(text) as SSOToken),
-          Effect.catchAll(() =>
-            Effect.fail(
-              new InvalidSSOToken({
-                message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-                sso_session: profile.sso_session!,
-              }),
-            ),
-          ),
-        );
-
-        if (isExpired(ssoToken.expiresAt)) {
-          yield* Console.log(
-            `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-          );
-          yield* Effect.fail(
-            new ExpiredSSOToken({
-              message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
-              profile: profileName,
-            }),
-          );
-        }
-
-        const response = yield* client.get(
-          `https://portal.sso.${profile.sso_region}.amazonaws.com/federation/credentials?account_id=${profile.sso_account_id}&role_name=${profile.sso_role_name}`,
-          {
-            headers: {
-              "User-Agent": "alchemy.run",
-              "Content-Type": "application/json",
-              "x-amz-sso_bearer_token": ssoToken.accessToken,
-            },
-          },
-        );
-
-        const credentials = (
-          (yield* response.json) as {
-            roleCredentials: {
-              accessKeyId: string;
-              secretAccessKey: string;
-              sessionToken: string;
-              expiration: number;
-            };
-          }
-        ).roleCredentials;
-
-        yield* fs.writeFileString(
-          cachedCredsFilePath,
-          JSON.stringify({
-            accessKeyId: credentials.accessKeyId,
-            secretAccessKey: credentials.secretAccessKey,
-            sessionToken: credentials.sessionToken,
-            expiry: credentials.expiration,
-          }),
-        );
-
-        return Credentials.of({
-          accessKeyId: Redacted.make(credentials.accessKeyId),
-          secretAccessKey: Redacted.make(credentials.secretAccessKey),
-          sessionToken: Redacted.make(credentials.sessionToken),
-          expiration: credentials.expiration,
-        });
       }
+    ).roleCredentials;
+
+    yield* fs.writeFileString(
+      cachedCredsFilePath,
+      JSON.stringify({
+        accessKeyId: credentials.accessKeyId,
+        secretAccessKey: credentials.secretAccessKey,
+        sessionToken: credentials.sessionToken,
+        expiry: credentials.expiration,
+      }),
+    );
+
+    return Credentials.of({
+      accessKeyId: Redacted.make(credentials.accessKeyId),
+      secretAccessKey: Redacted.make(credentials.secretAccessKey),
+      sessionToken: Redacted.make(credentials.sessionToken),
+      expiration: credentials.expiration,
+    });
+  }
+
+  return yield* Effect.fail(
+    new ProfileNotFound({
+      message: `Profile ${profileName} not found`,
+      profile: profileName,
+    }),
+  );
+});
+
+export const loadProfile = Effect.fn(function* (profileName: string) {
+  const fs = yield* FileSystem.FileSystem;
+  const profiles: {
+    [profileName: string]: AwsProfileConfig;
+  } = yield* Effect.promise(() =>
+    ini.parseKnownFiles({ profile: profileName }),
+  );
+
+  const profile = profiles[profileName];
 
-      return yield* Effect.fail(
-        new ProfileNotFound({
-          message: `Profile ${profileName} not found`,
+  if (!profile) {
+    yield* Effect.fail(
+      new ProfileNotFound({
+        message: `Profile ${profileName} not found`,
+        profile: profileName,
+      }),
+    );
+  }
+
+  const awsDir = path.join(ini.getHomeDir(), ".aws");
+  const configPath = path.join(awsDir, "config");
+
+  if (profile.sso_session) {
+    const ssoRegion = Option.getOrUndefined(
+      yield* Effect.serviceOption(SsoRegion),
+    );
+    const ssoStartUrl = Option.getOrElse(
+      yield* Effect.serviceOption(SsoStartUrl),
+      () => profile.sso_start_url,
+    );
+
+    const ssoSessions = yield* fs.readFileString(configPath).pipe(
+      Effect.flatMap((config) => Effect.promise(async () => parseIni(config))),
+      Effect.map(parseSSOSessionData),
+    );
+    const session = ssoSessions[profile.sso_session];
+    if (ssoRegion && ssoRegion !== session.sso_region) {
+      yield* Effect.fail(
+        new ConflictingSSORegion({
+          message: `Conflicting SSO region`,
+          ssoRegion: ssoRegion,
+          profile: profile.sso_session,
+        }),
+      );
+    }
+    if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+      yield* Effect.fail(
+        new ConflictingSSOStartUrl({
+          message: `Conflicting SSO start url`,
+          ssoStartUrl: ssoStartUrl,
+          profile: profile.sso_session,
+        }),
+      );
+    }
+    profile.sso_region = session.sso_region;
+    profile.sso_start_url = session.sso_start_url;
+
+    const ssoFields = [
+      "sso_start_url",
+      "sso_account_id",
+      "sso_region",
+      "sso_role_name",
+    ] as const satisfies (keyof SsoProfileConfig)[];
+    const missingFields = ssoFields.filter((field) => !profile[field]);
+    if (missingFields.length > 0) {
+      yield* Effect.fail(
+        new InvalidSSOProfile({
           profile: profileName,
+          missingFields,
+          message:
+            `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+            `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(
+              profile,
+            ).join(
+              ", ",
+            )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
         }),
       );
+    }
+    return profile;
+  }
+
+  return yield* Effect.fail(
+    new ProfileNotFound({
+      message: `Profile ${profileName} not found`,
+      profile: profileName,
     }),
   );
+});
 
 /**
  * Cached SSO token retrieved from SSO login flow.

package/src/aws/dynamodb/index.ts

@@ -6,7 +6,7 @@ export * from "./table.get-item.ts";
 export * from "./table.provider.ts";
 export * from "./table.ts";
 
-export type * as Alchemy from "../../index.ts";
-
 // TODO(sam): figure out a better strategy to workaround non-portable types
-// export type * as _ from "../../index.ts";
+export type * from "../../exports.ts";
+
+import "../config.ts";

package/src/aws/dynamodb/table.get-item.ts

@@ -1,14 +1,10 @@
-import {
-  Binding,
-  declare,
-  Policy,
-  toEnvKey,
-  type Capability,
-  type From,
-} from "alchemy-effect";
 import { Effect } from "effect";
 import type { ReturnConsumedCapacity } from "itty-aws/dynamodb";
-import { Function } from "../lambda/index.ts";
+import { Binding } from "../../binding.ts";
+import type { Capability } from "../../capability.ts";
+import { toEnvKey } from "../../env.ts";
+import { declare, type From, type Policy } from "../../policy.ts";
+import { Function } from "../lambda/function.ts";
 import { fromAttributeValue } from "./attribute-value.ts";
 import { DynamoDBClient } from "./client.ts";
 import type { Identifier } from "./expr.ts";