alchemy-effect 0.3.0 → 0.4.0

package/src/aws/ec2/route.provider.ts

@@ -0,0 +1,213 @@
+import * as Effect from "effect/Effect";
+import * as Schedule from "effect/Schedule";
+
+import type { EC2 } from "itty-aws/ec2";
+
+import { somePropsAreDifferent } from "../../diff.ts";
+import type { ProviderService } from "../../provider.ts";
+import { EC2Client } from "./client.ts";
+import { Route, type RouteAttrs, type RouteProps } from "./route.ts";
+
+export const routeProvider = () =>
+  Route.provider.effect(
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+
+      return {
+        diff: Effect.fn(function* ({ news, olds }) {
+          // Route table change requires replacement
+          if (olds.routeTableId !== news.routeTableId) {
+            return { action: "replace" };
+          }
+
+          // Destination change requires replacement
+          if (
+            somePropsAreDifferent(olds, news, [
+              "destinationCidrBlock",
+              "destinationIpv6CidrBlock",
+              "destinationPrefixListId",
+            ])
+          ) {
+            return { action: "replace" };
+          }
+
+          // Target change can be done via ReplaceRoute (update)
+        }),
+
+        create: Effect.fn(function* ({ news, session }) {
+          // Call CreateRoute
+          yield* ec2
+            .createRoute({
+              RouteTableId: news.routeTableId,
+              DestinationCidrBlock: news.destinationCidrBlock,
+              DestinationIpv6CidrBlock: news.destinationIpv6CidrBlock,
+              DestinationPrefixListId: news.destinationPrefixListId,
+              GatewayId: news.gatewayId,
+              NatGatewayId: news.natGatewayId,
+              InstanceId: news.instanceId,
+              NetworkInterfaceId: news.networkInterfaceId,
+              VpcPeeringConnectionId: news.vpcPeeringConnectionId,
+              TransitGatewayId: news.transitGatewayId,
+              LocalGatewayId: news.localGatewayId,
+              CarrierGatewayId: news.carrierGatewayId,
+              EgressOnlyInternetGatewayId: news.egressOnlyInternetGatewayId,
+              CoreNetworkArn: news.coreNetworkArn,
+              VpcEndpointId: news.vpcEndpointId,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.retry({
+                // Retry if route table is not yet available
+                while: (e) => e._tag === "InvalidRouteTableID.NotFound",
+                schedule: Schedule.exponential(100),
+              }),
+            );
+
+          const dest =
+            news.destinationCidrBlock ||
+            news.destinationIpv6CidrBlock ||
+            news.destinationPrefixListId ||
+            "unknown";
+          yield* session.note(`Route created: ${dest}`);
+
+          // Describe to get route details
+          const route = yield* describeRoute(ec2, news.routeTableId, news);
+
+          // Return attributes
+          return {
+            routeTableId: news.routeTableId,
+            destinationCidrBlock: news.destinationCidrBlock,
+            destinationIpv6CidrBlock: news.destinationIpv6CidrBlock,
+            destinationPrefixListId: news.destinationPrefixListId,
+            origin: route?.Origin ?? "CreateRoute",
+            state: route?.State ?? "active",
+            gatewayId: route?.GatewayId,
+            natGatewayId: route?.NatGatewayId,
+            instanceId: route?.InstanceId,
+            networkInterfaceId: route?.NetworkInterfaceId,
+            vpcPeeringConnectionId: route?.VpcPeeringConnectionId,
+            transitGatewayId: route?.TransitGatewayId,
+            localGatewayId: route?.LocalGatewayId,
+            carrierGatewayId: route?.CarrierGatewayId,
+            egressOnlyInternetGatewayId: route?.EgressOnlyInternetGatewayId,
+            coreNetworkArn: route?.CoreNetworkArn,
+          } satisfies RouteAttrs<RouteProps>;
+        }),
+
+        update: Effect.fn(function* ({ news, output, session }) {
+          // Use ReplaceRoute to update the target
+          yield* ec2
+            .replaceRoute({
+              RouteTableId: news.routeTableId,
+              DestinationCidrBlock: news.destinationCidrBlock,
+              DestinationIpv6CidrBlock: news.destinationIpv6CidrBlock,
+              DestinationPrefixListId: news.destinationPrefixListId,
+              GatewayId: news.gatewayId,
+              NatGatewayId: news.natGatewayId,
+              InstanceId: news.instanceId,
+              NetworkInterfaceId: news.networkInterfaceId,
+              VpcPeeringConnectionId: news.vpcPeeringConnectionId,
+              TransitGatewayId: news.transitGatewayId,
+              LocalGatewayId: news.localGatewayId,
+              CarrierGatewayId: news.carrierGatewayId,
+              EgressOnlyInternetGatewayId: news.egressOnlyInternetGatewayId,
+              CoreNetworkArn: news.coreNetworkArn,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.tapError(Effect.log),
+              Effect.retry({
+                while: (e) => e._tag === "InvalidRouteTableID.NotFound",
+                schedule: Schedule.exponential(100),
+              }),
+            );
+
+          yield* session.note("Route target updated");
+
+          // Describe to get updated route details
+          const route = yield* describeRoute(ec2, news.routeTableId, news);
+
+          return {
+            ...output,
+            origin: route?.Origin ?? output.origin,
+            state: route?.State ?? output.state,
+            gatewayId: route?.GatewayId,
+            natGatewayId: route?.NatGatewayId,
+            instanceId: route?.InstanceId,
+            networkInterfaceId: route?.NetworkInterfaceId,
+            vpcPeeringConnectionId: route?.VpcPeeringConnectionId,
+            transitGatewayId: route?.TransitGatewayId,
+            localGatewayId: route?.LocalGatewayId,
+            carrierGatewayId: route?.CarrierGatewayId,
+            egressOnlyInternetGatewayId: route?.EgressOnlyInternetGatewayId,
+            coreNetworkArn: route?.CoreNetworkArn,
+          };
+        }),
+
+        delete: Effect.fn(function* ({ output, session }) {
+          const dest =
+            output.destinationCidrBlock ||
+            output.destinationIpv6CidrBlock ||
+            output.destinationPrefixListId ||
+            "unknown";
+
+          yield* session.note(`Deleting route: ${dest}`);
+
+          // Delete the route
+          yield* ec2
+            .deleteRoute({
+              RouteTableId: output.routeTableId,
+              DestinationCidrBlock: output.destinationCidrBlock,
+              DestinationIpv6CidrBlock: output.destinationIpv6CidrBlock,
+              DestinationPrefixListId: output.destinationPrefixListId,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.tapError(Effect.logDebug),
+              Effect.catchTag("InvalidRoute.NotFound", () => Effect.void),
+              Effect.catchTag(
+                "InvalidRouteTableID.NotFound",
+                () => Effect.void,
+              ),
+            );
+
+          yield* session.note(`Route ${dest} deleted successfully`);
+        }),
+      } satisfies ProviderService<Route>;
+    }),
+  );
+
+/**
+ * Find a specific route in a route table
+ */
+const describeRoute = (ec2: EC2, routeTableId: string, props: RouteProps) =>
+  Effect.gen(function* () {
+    const result = yield* ec2
+      .describeRouteTables({ RouteTableIds: [routeTableId] })
+      .pipe(
+        Effect.catchTag("InvalidRouteTableID.NotFound", () =>
+          Effect.succeed({ RouteTables: [] }),
+        ),
+      );
+
+    const routeTable = result.RouteTables?.[0];
+    if (!routeTable) {
+      return undefined;
+    }
+
+    // Find the matching route
+    const route = routeTable.Routes?.find((r) => {
+      if (props.destinationCidrBlock) {
+        return r.DestinationCidrBlock === props.destinationCidrBlock;
+      }
+      if (props.destinationIpv6CidrBlock) {
+        return r.DestinationIpv6CidrBlock === props.destinationIpv6CidrBlock;
+      }
+      if (props.destinationPrefixListId) {
+        return r.DestinationPrefixListId === props.destinationPrefixListId;
+      }
+      return false;
+    });
+
+    return route;
+  });

package/src/aws/ec2/route.ts

@@ -0,0 +1,192 @@
+import type * as EC2 from "itty-aws/ec2";
+import type { Input } from "../../input.ts";
+import { Resource } from "../../resource.ts";
+import type { RouteTableId } from "./route-table.ts";
+
+export const Route = Resource<{
+  <const ID extends string, const Props extends RouteProps>(
+    id: ID,
+    props: Props,
+  ): Route<ID, Props>;
+}>("AWS.EC2.Route");
+
+export interface Route<
+  ID extends string = string,
+  Props extends RouteProps = RouteProps,
+> extends Resource<
+    "AWS.EC2.Route",
+    ID,
+    Props,
+    RouteAttrs<Input.Resolve<Props>>,
+    Route
+  > {}
+
+export interface RouteProps {
+  /**
+   * The ID of the route table where the route will be added.
+   * Required.
+   */
+  routeTableId: Input<RouteTableId>;
+
+  /**
+   * The IPv4 CIDR block used for the destination match.
+   * Either destinationCidrBlock, destinationIpv6CidrBlock, or destinationPrefixListId is required.
+   * @example "0.0.0.0/0"
+   */
+  destinationCidrBlock?: string;
+
+  /**
+   * The IPv6 CIDR block used for the destination match.
+   * Either destinationCidrBlock, destinationIpv6CidrBlock, or destinationPrefixListId is required.
+   * @example "::/0"
+   */
+  destinationIpv6CidrBlock?: string;
+
+  /**
+   * The ID of a prefix list used for the destination match.
+   * Either destinationCidrBlock, destinationIpv6CidrBlock, or destinationPrefixListId is required.
+   */
+  destinationPrefixListId?: string;
+
+  // ---- Target properties (exactly one required) ----
+
+  /**
+   * The ID of an internet gateway or virtual private gateway.
+   */
+  gatewayId?: Input<string>;
+
+  /**
+   * The ID of a NAT gateway.
+   */
+  natGatewayId?: Input<string>;
+
+  /**
+   * The ID of a NAT instance in your VPC.
+   * This operation fails unless exactly one network interface is attached.
+   */
+  instanceId?: Input<string>;
+
+  /**
+   * The ID of a network interface.
+   */
+  networkInterfaceId?: Input<string>;
+
+  /**
+   * The ID of a VPC peering connection.
+   */
+  vpcPeeringConnectionId?: Input<string>;
+
+  /**
+   * The ID of a transit gateway.
+   */
+  transitGatewayId?: Input<string>;
+
+  /**
+   * The ID of a local gateway.
+   */
+  localGatewayId?: Input<string>;
+
+  /**
+   * The ID of a carrier gateway.
+   * Use for Wavelength Zones only.
+   */
+  carrierGatewayId?: Input<string>;
+
+  /**
+   * The ID of an egress-only internet gateway.
+   * IPv6 traffic only.
+   */
+  egressOnlyInternetGatewayId?: Input<string>;
+
+  /**
+   * The Amazon Resource Name (ARN) of the core network.
+   */
+  coreNetworkArn?: Input<string>;
+
+  /**
+   * The ID of a VPC endpoint for Gateway Load Balancer.
+   */
+  vpcEndpointId?: Input<string>;
+}
+
+export interface RouteAttrs<Props extends RouteProps> {
+  /**
+   * The ID of the route table.
+   */
+  routeTableId: Props["routeTableId"];
+
+  /**
+   * The IPv4 CIDR block used for the destination match.
+   */
+  destinationCidrBlock?: Props["destinationCidrBlock"];
+
+  /**
+   * The IPv6 CIDR block used for the destination match.
+   */
+  destinationIpv6CidrBlock?: Props["destinationIpv6CidrBlock"];
+
+  /**
+   * The ID of a prefix list used for the destination match.
+   */
+  destinationPrefixListId?: Props["destinationPrefixListId"];
+
+  /**
+   * Describes how the route was created.
+   */
+  origin: EC2.RouteOrigin;
+
+  /**
+   * The state of the route.
+   */
+  state: EC2.RouteState;
+
+  /**
+   * The ID of the gateway (if applicable).
+   */
+  gatewayId?: string;
+
+  /**
+   * The ID of the NAT gateway (if applicable).
+   */
+  natGatewayId?: string;
+
+  /**
+   * The ID of the NAT instance (if applicable).
+   */
+  instanceId?: string;
+
+  /**
+   * The ID of the network interface (if applicable).
+   */
+  networkInterfaceId?: string;
+
+  /**
+   * The ID of the VPC peering connection (if applicable).
+   */
+  vpcPeeringConnectionId?: string;
+
+  /**
+   * The ID of the transit gateway (if applicable).
+   */
+  transitGatewayId?: string;
+
+  /**
+   * The ID of the local gateway (if applicable).
+   */
+  localGatewayId?: string;
+
+  /**
+   * The ID of the carrier gateway (if applicable).
+   */
+  carrierGatewayId?: string;
+
+  /**
+   * The ID of the egress-only internet gateway (if applicable).
+   */
+  egressOnlyInternetGatewayId?: string;
+
+  /**
+   * The Amazon Resource Name (ARN) of the core network (if applicable).
+   */
+  coreNetworkArn?: string;
+}

package/src/aws/ec2/subnet.provider.ts

@@ -11,8 +11,8 @@ import { EC2Client } from "./client.ts";
 import {
   Subnet,
   type SubnetAttrs,
-  type SubnetProps,
   type SubnetId,
+  type SubnetProps,
 } from "./subnet.ts";
 
 export const subnetProvider = () =>
@@ -22,6 +22,7 @@ export const subnetProvider = () =>
       const tagged = yield* createTagger();
 
       return {
+        stables: ["subnetId", "subnetArn", "ownerId", "vpcId"],
         diff: Effect.fn(function* ({ news, olds }) {
           if (
             somePropsAreDifferent(olds, news, [
@@ -71,7 +72,6 @@ export const subnetProvider = () =>
             })
             .pipe(
               Effect.retry({
-                // @ts-expect-error - this is unknown to itty-aws
                 while: (e) => e._tag === "InvalidVpcID.NotFound",
                 schedule: Schedule.exponential(100),
               }),

package/src/aws/ec2/vpc.provider.ts

@@ -3,15 +3,15 @@ import * as Schedule from "effect/Schedule";
 
 import type { EC2 } from "itty-aws/ec2";
 
-import type { VpcId } from "./vpc.ts";
 import type { ScopedPlanStatusSession } from "../../cli/service.ts";
 import { somePropsAreDifferent } from "../../diff.ts";
 import type { ProviderService } from "../../provider.ts";
-import { createTagger, createTagsList } from "../../tags.ts";
+import { createTagger, createTagsList, diffTags } from "../../tags.ts";
+import { Account } from "../account.ts";
+import { Region } from "../region.ts";
 import { EC2Client } from "./client.ts";
+import type { VpcId } from "./vpc.ts";
 import { Vpc, type VpcAttrs, type VpcProps } from "./vpc.ts";
-import { Region } from "../region.ts";
-import { Account } from "../account.ts";
 
 export const vpcProvider = () =>
   Vpc.provider.effect(
@@ -21,7 +21,17 @@ export const vpcProvider = () =>
       const accountId = yield* Account;
       const tagged = yield* createTagger();
 
+      const createTags = (
+        id: string,
+        tags?: Record<string, string>,
+      ): Record<string, string> => ({
+        Name: id,
+        ...tagged(id),
+        ...tags,
+      });
+
       return {
+        stables: ["vpcId", "vpcArn", "ownerId", "isDefault"],
         diff: Effect.fn(function* ({ news, olds }) {
           if (
             somePropsAreDifferent(olds, news, [
@@ -35,14 +45,10 @@ export const vpcProvider = () =>
             return { action: "replace" };
           }
         }),
-
         create: Effect.fn(function* ({ id, news, session }) {
-          // 1. Prepare tags
-          const alchemyTags = tagged(id);
-          const userTags = news.tags ?? {};
-          const allTags = { ...alchemyTags, ...userTags };
+          const tags = createTags(id, news.tags);
 
-          // 2. Call CreateVpc
+          // 1. Call CreateVpc
           const createResult = yield* ec2.createVpc({
             // TODO(sam): add all properties
             AmazonProvidedIpv6CidrBlock: news.amazonProvidedIpv6CidrBlock,
@@ -59,7 +65,7 @@ export const vpcProvider = () =>
             TagSpecifications: [
               {
                 ResourceType: "vpc",
-                Tags: createTagsList(allTags),
+                Tags: createTagsList(tags),
               },
             ],
             DryRun: false,
@@ -68,7 +74,7 @@ export const vpcProvider = () =>
           const vpcId = createResult.Vpc!.VpcId! as VpcId;
           yield* session.note(`VPC created: ${vpcId}`);
 
-          // 3. Modify DNS attributes if specified (separate API calls)
+          // 2. Modify DNS attributes if specified (separate API calls)
           yield* ec2.modifyVpcAttribute({
             VpcId: vpcId,
             EnableDnsSupport: { Value: news.enableDnsSupport ?? true },
@@ -116,10 +122,11 @@ export const vpcProvider = () =>
                 ipv6Pool: assoc.Ipv6Pool,
               }),
             ),
+            tags,
           } satisfies VpcAttrs<VpcProps>;
         }),
 
-        update: Effect.fn(function* ({ news, olds, output, session }) {
+        update: Effect.fn(function* ({ id, news, olds, output, session }) {
           const vpcId = output.vpcId;
 
           // Only DNS and metrics settings can be updated
@@ -141,9 +148,29 @@ export const vpcProvider = () =>
             yield* session.note("Updated DNS hostnames");
           }
 
-          // Note: Tag updates would go here if we support user tag changes
+          // Handle user tag updates
+          const newTags = createTags(id, news.tags);
+          const oldTags = output.tags ?? {};
+          const { removed, upsert } = diffTags(oldTags, newTags);
+          if (removed.length > 0) {
+            yield* ec2.deleteTags({
+              Resources: [vpcId],
+              Tags: removed.map((key) => ({ Key: key })),
+              DryRun: false,
+            });
+          }
+          if (upsert.length > 0) {
+            yield* ec2.createTags({
+              Resources: [vpcId],
+              Tags: upsert,
+              DryRun: false,
+            });
+          }
 
-          return output; // VPC attributes don't change from these updates
+          return {
+            ...output,
+            tags: newTags,
+          }; // VPC attributes don't change from these updates
         }),
 
         delete: Effect.fn(function* ({ output, session }) {
@@ -165,10 +192,7 @@ export const vpcProvider = () =>
                 while: (e) => {
                   // DependencyViolation means there are still dependent resources
                   // This can happen if subnets/IGW are being deleted concurrently
-                  return (
-                    e._tag === "ValidationError" &&
-                    e.message?.includes("DependencyViolation")
-                  );
+                  return e._tag === "DependencyViolation";
                 },
                 schedule: Schedule.exponential(1000, 1.5).pipe(
                   Schedule.intersect(Schedule.recurs(10)), // Try up to 10 times

package/src/aws/ec2/vpc.ts

@@ -160,4 +160,6 @@ export interface VpcAttrs<_Props extends VpcProps = VpcProps> {
     networkBorderGroup?: string;
     ipv6Pool?: string;
   }>;
+
+  tags?: Record<string, string>;
 }

package/src/aws/index.ts

@@ -1,7 +1,6 @@
 import * as Layer from "effect/Layer";
 
 // oxlint-disable-next-line no-unused-vars - needed or else provider types are transitively resolved through DynamoDB.Provider<..> lol
-import type { Provider } from "../provider.ts";
 
 import * as ESBuild from "../esbuild.ts";
 import * as Account from "./account.ts";
@@ -22,6 +21,10 @@ import "./config.ts";
 export const resources = () =>
   Layer.mergeAll(
     DynamoDB.tableProvider(),
+    EC2.internetGatewayProvider(),
+    EC2.routeProvider(),
+    EC2.routeTableAssociationProvider(),
+    EC2.routeTableProvider(),
     EC2.subnetProvider(),
     EC2.vpcProvider(),
     Lambda.functionProvider(),

package/src/aws/lambda/function.provider.ts

@@ -14,12 +14,12 @@ import { App } from "../../app.ts";
 import { DotAlchemy } from "../../dot-alchemy.ts";
 import type { ProviderService } from "../../provider.ts";
 import { createTagger, createTagsList, hasTags } from "../../tags.ts";
+import { Account } from "../account.ts";
 import * as IAM from "../iam.ts";
+import { Region } from "../region.ts";
 import { zipCode } from "../zip.ts";
 import { LambdaClient } from "./client.ts";
 import { Function, type FunctionAttr, type FunctionProps } from "./function.ts";
-import { Account } from "../account.ts";
-import { Region } from "../region.ts";
 
 export const functionProvider = () =>
   Function.provider.effect(
@@ -426,6 +426,28 @@ export const functionProvider = () =>
         }`;
 
       return {
+        stables: ["functionArn", "functionName", "roleName"],
+        diff: Effect.fn(function* ({ id, olds, news, output }) {
+          if (
+            // function name changed
+            output.functionName !==
+              (news.functionName ?? createFunctionName(id)) ||
+            // url changed
+            olds.url !== news.url
+          ) {
+            return { action: "replace" };
+          }
+          if (
+            output.code.hash !==
+            (yield* bundleCode(id, {
+              main: news.main,
+              handler: news.handler,
+            })).hash
+          ) {
+            // code changed
+            return { action: "update" };
+          }
+        }),
         read: Effect.fn(function* ({ id, output }) {
           if (output) {
             yield* Effect.logDebug(`reading function ${id}`);
@@ -452,27 +474,7 @@ export const functionProvider = () =>
           }
           return output;
         }),
-        diff: Effect.fn(function* ({ id, olds, news, output }) {
-          if (
-            // function name changed
-            output.functionName !==
-              (news.functionName ?? createFunctionName(id)) ||
-            // url changed
-            olds.url !== news.url
-          ) {
-            return { action: "replace" };
-          }
-          if (
-            output.code.hash !==
-            (yield* bundleCode(id, {
-              main: news.main,
-              handler: news.handler,
-            })).hash
-          ) {
-            // code changed
-            return { action: "update" };
-          }
-        }),
+
         precreate: Effect.fn(function* ({ id, news }) {
           const { roleName, functionName, roleArn } = createPhysicalNames(id);
 

package/src/aws/sqs/queue.provider.ts

@@ -3,10 +3,10 @@ import * as Schedule from "effect/Schedule";
 
 import { App } from "../../app.ts";
 import type { ProviderService } from "../../provider.ts";
+import { Account } from "../account.ts";
+import { Region } from "../region.ts";
 import { SQSClient } from "./client.ts";
 import { Queue, type QueueProps } from "./queue.ts";
-import { Region } from "../region.ts";
-import { Account } from "../account.ts";
 
 export const queueProvider = () =>
   Queue.provider.effect(
@@ -39,6 +39,7 @@ export const queueProvider = () =>
         VisibilityTimeout: props.visibilityTimeout?.toString(),
       });
       return {
+        stables: ["queueName", "queueUrl", "queueArn"],
         diff: Effect.fn(function* ({ id, news, olds }) {
           const oldFifo = olds.fifo ?? false;
           const newFifo = news.fifo ?? false;

package/src/cloudflare/kv/namespace.provider.ts

@@ -29,6 +29,7 @@ export const namespaceProvider = () =>
       });
 
       return {
+        stables: ["namespaceId", "accountId"],
         diff: ({ id, news, output }) =>
           Effect.sync(() => {
             if (output.accountId !== accountId) {