alchemy-effect 0.5.0 → 0.6.0

package/src/aws/ec2/nat-gateway.provider.ts

@@ -0,0 +1,341 @@
+import * as Data from "effect/Data";
+import * as Effect from "effect/Effect";
+import * as Schedule from "effect/Schedule";
+import type * as EC2 from "itty-aws/ec2";
+
+import type { ScopedPlanStatusSession } from "../../cli/service.ts";
+import {
+  createAlchemyTagFilters,
+  createTagger,
+  createTagsList,
+  diffTags,
+} from "../../tags.ts";
+import { Account } from "../account.ts";
+import { Region } from "../region.ts";
+import { EC2Client } from "./client.ts";
+import {
+  NatGateway,
+  type NatGatewayAttrs,
+  type NatGatewayId,
+  type NatGatewayProps,
+} from "./nat-gateway.ts";
+
+export const natGatewayProvider = () =>
+  NatGateway.provider.effect(
+    // @ts-expect-error
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+      const region = yield* Region;
+      const accountId = yield* Account;
+      const tagged = yield* createTagger();
+
+      const createTags = (
+        id: string,
+        tags?: Record<string, string>,
+      ): Record<string, string> => ({
+        Name: id,
+        ...tagged(id),
+        ...tags,
+      });
+
+      const describeNatGateway = (natGatewayId: string) =>
+        ec2.describeNatGateways({ NatGatewayIds: [natGatewayId] }).pipe(
+          Effect.map((r) => r.NatGateways?.[0]),
+          Effect.flatMap((gw) =>
+            gw
+              ? Effect.succeed(gw)
+              : Effect.fail(new Error(`NAT Gateway ${natGatewayId} not found`)),
+          ),
+        );
+
+      const toAttrs = (
+        gw: EC2.NatGateway,
+      ): NatGatewayAttrs<NatGatewayProps> => {
+        const primaryAddress =
+          gw.NatGatewayAddresses?.find((a) => a.IsPrimary) ??
+          gw.NatGatewayAddresses?.[0];
+        return {
+          natGatewayId: gw.NatGatewayId as NatGatewayId,
+          natGatewayArn:
+            `arn:aws:ec2:${region}:${accountId}:natgateway/${gw.NatGatewayId}` as NatGatewayAttrs<NatGatewayProps>["natGatewayArn"],
+          subnetId: gw.SubnetId as NatGatewayAttrs<NatGatewayProps>["subnetId"],
+          vpcId: gw.VpcId!,
+          state: gw.State!,
+          connectivityType: gw.ConnectivityType!,
+          publicIp: primaryAddress?.PublicIp,
+          privateIp: primaryAddress?.PrivateIp,
+          natGatewayAddresses: gw.NatGatewayAddresses?.map((a) => ({
+            allocationId: a.AllocationId,
+            networkInterfaceId: a.NetworkInterfaceId,
+            privateIp: a.PrivateIp,
+            publicIp: a.PublicIp,
+            associationId: a.AssociationId,
+            isPrimary: a.IsPrimary,
+            failureMessage: a.FailureMessage,
+            status: a.Status,
+          })),
+          failureCode: gw.FailureCode,
+          failureMessage: gw.FailureMessage,
+          createTime:
+            gw.CreateTime instanceof Date
+              ? gw.CreateTime.toISOString()
+              : (gw.CreateTime as string | undefined),
+          deleteTime:
+            gw.DeleteTime instanceof Date
+              ? gw.DeleteTime.toISOString()
+              : (gw.DeleteTime as string | undefined),
+        };
+      };
+
+      // Find NAT Gateway by alchemy tags when we don't have the ID
+      const findNatGatewayByTags = Effect.fn(function* (id: string) {
+        const filters = yield* createAlchemyTagFilters(id);
+        const result = yield* ec2.describeNatGateways({ Filter: filters });
+
+        // Find a NAT Gateway that's not deleted and has matching tags
+        for (const gw of result.NatGateways ?? []) {
+          return gw;
+        }
+        return undefined;
+      });
+
+      return {
+        stables: ["natGatewayId", "natGatewayArn", "vpcId"],
+
+        read: Effect.fn(function* ({ id, output }) {
+          if (output) {
+            // We have the NAT Gateway ID, use it directly
+            return toAttrs(yield* describeNatGateway(output.natGatewayId));
+          }
+
+          // No output - try to find by tags (recovery from incomplete create)
+          const gw = yield* findNatGatewayByTags(id);
+          if (gw) {
+            return toAttrs(gw);
+          }
+
+          // Not found
+          return undefined;
+        }),
+
+        diff: Effect.fn(function* ({ news, olds }) {
+          // NAT Gateway is mostly immutable - any change to core properties requires replacement
+          if (
+            news.subnetId !== olds.subnetId ||
+            news.connectivityType !== olds.connectivityType ||
+            news.allocationId !== olds.allocationId
+          ) {
+            return { action: "replace" };
+          }
+          // Tags can be updated in-place
+        }),
+
+        create: Effect.fn(function* ({ id, news, session }) {
+          yield* session.note("Creating NAT Gateway...");
+
+          const result = yield* ec2.createNatGateway({
+            SubnetId: news.subnetId as string,
+            AllocationId: news.allocationId as string | undefined,
+            ConnectivityType: news.connectivityType ?? "public",
+            PrivateIpAddress: news.privateIpAddress,
+            SecondaryAllocationIds: news.secondaryAllocationIds as
+              | string[]
+              | undefined,
+            SecondaryPrivateIpAddresses: news.secondaryPrivateIpAddresses,
+            SecondaryPrivateIpAddressCount: news.secondaryPrivateIpAddressCount,
+            TagSpecifications: [
+              {
+                ResourceType: "natgateway",
+                Tags: createTagsList(createTags(id, news.tags)),
+              },
+            ],
+            DryRun: false,
+          });
+
+          const natGatewayId = result.NatGateway!.NatGatewayId!;
+          yield* session.note(`NAT Gateway created: ${natGatewayId}`);
+
+          // Wait for NAT Gateway to be available
+          const gw = yield* waitForNatGatewayAvailable(natGatewayId, session);
+
+          return toAttrs(gw);
+        }),
+
+        update: Effect.fn(function* ({ id, news, output, session }) {
+          const natGatewayId = output.natGatewayId;
+
+          // Handle tag updates
+          const newTags = createTags(id, news.tags);
+          const oldTags =
+            (yield* ec2
+              .describeTags({
+                Filters: [
+                  { Name: "resource-id", Values: [natGatewayId] },
+                  { Name: "resource-type", Values: ["natgateway"] },
+                ],
+              })
+              .pipe(
+                Effect.map(
+                  (r) =>
+                    Object.fromEntries(
+                      r.Tags?.map((t) => [t.Key!, t.Value!]) ?? [],
+                    ) as Record<string, string>,
+                ),
+              )) ?? {};
+
+          const { removed, upsert } = diffTags(oldTags, newTags);
+
+          if (removed.length > 0) {
+            yield* ec2.deleteTags({
+              Resources: [natGatewayId],
+              Tags: removed.map((key) => ({ Key: key })),
+              DryRun: false,
+            });
+          }
+          if (upsert.length > 0) {
+            yield* ec2.createTags({
+              Resources: [natGatewayId],
+              Tags: upsert,
+              DryRun: false,
+            });
+            yield* session.note("Updated tags");
+          }
+
+          // Refresh state
+          const gw = yield* describeNatGateway(natGatewayId);
+          return toAttrs(gw);
+        }),
+
+        delete: Effect.fn(function* ({ output, session }) {
+          const natGatewayId = output.natGatewayId;
+
+          yield* session.note(`Deleting NAT Gateway: ${natGatewayId}`);
+
+          yield* ec2
+            .deleteNatGateway({
+              NatGatewayId: natGatewayId,
+              DryRun: false,
+            })
+            .pipe(Effect.catchTag("NatGatewayNotFound", () => Effect.void));
+
+          // Wait for NAT Gateway to be deleted
+          yield* waitForNatGatewayDeleted(natGatewayId, session);
+
+          yield* session.note(`NAT Gateway ${natGatewayId} deleted`);
+        }),
+      };
+    }),
+  );
+
+// Retryable error: NAT Gateway is still pending
+class NatGatewayPending extends Data.TaggedError("NatGatewayPending")<{
+  natGatewayId: string;
+  state: string;
+}> {}
+
+// Terminal error: NAT Gateway creation failed
+class NatGatewayFailed extends Data.TaggedError("NatGatewayFailed")<{
+  natGatewayId: string;
+  failureCode?: string;
+  failureMessage?: string;
+}> {}
+
+// Terminal error: NAT Gateway not found
+class NatGatewayNotFound extends Data.TaggedError("NatGatewayNotFound")<{
+  natGatewayId: string;
+}> {}
+
+/**
+ * Wait for NAT Gateway to be in available state
+ */
+const waitForNatGatewayAvailable = (
+  natGatewayId: string,
+  session: ScopedPlanStatusSession,
+) =>
+  Effect.gen(function* () {
+    const ec2 = yield* EC2Client;
+    const result = yield* ec2.describeNatGateways({
+      NatGatewayIds: [natGatewayId],
+    });
+    const gw = result.NatGateways?.[0];
+
+    if (!gw) {
+      return yield* new NatGatewayNotFound({ natGatewayId });
+    }
+
+    if (gw.State === "available") {
+      return gw;
+    }
+
+    if (gw.State === "failed") {
+      return yield* new NatGatewayFailed({
+        natGatewayId,
+        failureCode: gw.FailureCode,
+        failureMessage: gw.FailureMessage,
+      });
+    }
+
+    // Still pending - this is the only retryable case
+    return yield* new NatGatewayPending({ natGatewayId, state: gw.State! });
+  }).pipe(
+    Effect.tapError(Effect.logDebug),
+    Effect.retry({
+      while: (e) => e._tag === "NatGatewayPending",
+      schedule: Schedule.fixed(5000).pipe(
+        Schedule.intersect(Schedule.recurs(60)), // Max 5 minutes
+        Schedule.tapOutput(([, attempt]) =>
+          session.note(
+            `Waiting for NAT Gateway to be available... (${(attempt + 1) * 5}s)`,
+          ),
+        ),
+      ),
+    }),
+  );
+
+// Retryable error: NAT Gateway is still deleting
+class NatGatewayDeleting extends Data.TaggedError("NatGatewayDeleting")<{
+  natGatewayId: string;
+  state: string;
+}> {}
+
+/**
+ * Wait for NAT Gateway to be deleted
+ */
+const waitForNatGatewayDeleted = (
+  natGatewayId: string,
+  session: ScopedPlanStatusSession,
+) =>
+  Effect.gen(function* () {
+    const ec2 = yield* EC2Client;
+    const result = yield* ec2
+      .describeNatGateways({ NatGatewayIds: [natGatewayId] })
+      .pipe(
+        Effect.catchTag("NatGatewayNotFound", () =>
+          Effect.succeed({ NatGateways: [] }),
+        ),
+      );
+
+    const gw = result.NatGateways?.[0];
+
+    if (!gw || gw.State === "deleted") {
+      return; // Successfully deleted
+    }
+
+    yield* Effect.logDebug(gw);
+
+    // Still deleting - this is the only retryable case
+    return yield* new NatGatewayDeleting({ natGatewayId, state: gw.State! });
+  }).pipe(
+    Effect.tapError(Effect.logDebug),
+    Effect.retry({
+      while: (e) => e._tag === "NatGatewayDeleting",
+      schedule: Schedule.fixed(5000).pipe(
+        Schedule.intersect(Schedule.recurs(60)), // Max 5 minutes
+        Schedule.tapOutput(([, attempt]) =>
+          session.note(
+            `Waiting for NAT Gateway deletion... (${(attempt + 1) * 5}s)`,
+          ),
+        ),
+      ),
+    }),
+  );

package/src/aws/ec2/nat-gateway.ts

@@ -0,0 +1,155 @@
+import type * as EC2 from "itty-aws/ec2";
+import type { Input } from "../../input.ts";
+import { Resource } from "../../resource.ts";
+import type { AccountID } from "../account.ts";
+import type { RegionID } from "../region.ts";
+import type { AllocationId } from "./eip.ts";
+import type { SubnetId } from "./subnet.ts";
+
+export const NatGateway = Resource<{
+  <const ID extends string, const Props extends NatGatewayProps>(
+    id: ID,
+    props: Props,
+  ): NatGateway<ID, Props>;
+}>("AWS.EC2.NatGateway");
+
+export interface NatGateway<
+  ID extends string = string,
+  Props extends NatGatewayProps = NatGatewayProps,
+> extends Resource<
+  "AWS.EC2.NatGateway",
+  ID,
+  Props,
+  NatGatewayAttrs<Input.Resolve<Props>>,
+  NatGateway
+> {}
+
+export type NatGatewayId<ID extends string = string> = `nat-${ID}`;
+export const NatGatewayId = <ID extends string>(
+  id: ID,
+): ID & NatGatewayId<ID> => `nat-${id}` as ID & NatGatewayId<ID>;
+
+export interface NatGatewayProps {
+  /**
+   * The subnet in which to create the NAT gateway.
+   * For public NAT gateways, this must be a public subnet.
+   */
+  subnetId: Input<SubnetId>;
+
+  /**
+   * The allocation ID of the Elastic IP address for the gateway.
+   * Required for public NAT gateways.
+   */
+  allocationId?: Input<AllocationId>;
+
+  /**
+   * Indicates whether the NAT gateway supports public or private connectivity.
+   * @default "public"
+   */
+  connectivityType?: EC2.ConnectivityType;
+
+  /**
+   * The private IPv4 address to assign to the NAT gateway.
+   * If you don't provide an address, a private IPv4 address will be automatically assigned.
+   */
+  privateIpAddress?: string;
+
+  /**
+   * Secondary allocation IDs for additional private IP addresses.
+   * Only valid for private NAT gateways.
+   */
+  secondaryAllocationIds?: Input<AllocationId>[];
+
+  /**
+   * Secondary private IPv4 addresses.
+   * Only valid for private NAT gateways.
+   */
+  secondaryPrivateIpAddresses?: string[];
+
+  /**
+   * The number of secondary private IPv4 addresses to assign.
+   * Only valid for private NAT gateways.
+   */
+  secondaryPrivateIpAddressCount?: number;
+
+  /**
+   * Tags to assign to the NAT gateway.
+   */
+  tags?: Record<string, Input<string>>;
+}
+
+export interface NatGatewayAttrs<Props extends NatGatewayProps> {
+  /**
+   * The ID of the NAT gateway.
+   */
+  natGatewayId: NatGatewayId;
+
+  /**
+   * The Amazon Resource Name (ARN) of the NAT gateway.
+   */
+  natGatewayArn: `arn:aws:ec2:${RegionID}:${AccountID}:natgateway/${this["natGatewayId"]}`;
+
+  /**
+   * The ID of the subnet in which the NAT gateway is located.
+   */
+  subnetId: Props["subnetId"];
+
+  /**
+   * The ID of the VPC in which the NAT gateway is located.
+   */
+  vpcId: string;
+
+  /**
+   * The current state of the NAT gateway.
+   */
+  state: EC2.NatGatewayState;
+
+  /**
+   * The connectivity type of the NAT gateway.
+   */
+  connectivityType: EC2.ConnectivityType;
+
+  /**
+   * The Elastic IP address associated with the NAT gateway (for public NAT gateways).
+   */
+  publicIp?: string;
+
+  /**
+   * The private IP address associated with the NAT gateway.
+   */
+  privateIp?: string;
+
+  /**
+   * Information about the IP addresses and network interface associated with the NAT gateway.
+   */
+  natGatewayAddresses?: Array<{
+    allocationId?: string;
+    networkInterfaceId?: string;
+    privateIp?: string;
+    publicIp?: string;
+    associationId?: string;
+    isPrimary?: boolean;
+    failureMessage?: string;
+    status?: EC2.NatGatewayAddressStatus;
+  }>;
+
+  /**
+   * If the NAT gateway could not be created, specifies the error code for the failure.
+   */
+  failureCode?: string;
+
+  /**
+   * If the NAT gateway could not be created, specifies the error message for the failure.
+   */
+  failureMessage?: string;
+
+  /**
+   * The date and time the NAT gateway was created.
+   */
+  createTime?: string;
+
+  /**
+   * The date and time the NAT gateway was deleted, if applicable.
+   */
+  deleteTime?: string;
+}

package/src/aws/ec2/network-acl-association.provider.ts

@@ -0,0 +1,181 @@
+import * as Effect from "effect/Effect";
+
+import type { ProviderService } from "../../provider.ts";
+import { EC2Client } from "./client.ts";
+import {
+  NetworkAclAssociation,
+  type NetworkAclAssociationId,
+} from "./network-acl-association.ts";
+import type { NetworkAclId } from "./network-acl.ts";
+import type { SubnetId } from "./subnet.ts";
+
+export const networkAclAssociationProvider = () =>
+  NetworkAclAssociation.provider.effect(
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+
+      const findAssociation = (subnetId: string) =>
+        ec2
+          .describeNetworkAcls({
+            Filters: [{ Name: "association.subnet-id", Values: [subnetId] }],
+          })
+          .pipe(
+            Effect.map((r) => {
+              const acl = r.NetworkAcls?.[0];
+              const assoc = acl?.Associations?.find(
+                (a) => a.SubnetId === subnetId,
+              );
+              return assoc
+                ? {
+                    associationId: assoc.NetworkAclAssociationId!,
+                    networkAclId: assoc.NetworkAclId!,
+                    subnetId: assoc.SubnetId!,
+                  }
+                : undefined;
+            }),
+          );
+
+      return {
+        stables: ["subnetId"],
+
+        read: Effect.fn(function* ({ olds }) {
+          if (!olds) return undefined;
+          const assoc = yield* findAssociation(olds.subnetId as string);
+          if (!assoc) {
+            return yield* Effect.fail(
+              new Error(
+                `Network ACL Association not found for subnet ${olds.subnetId}`,
+              ),
+            );
+          }
+          return {
+            associationId: assoc.associationId as NetworkAclAssociationId,
+            networkAclId: assoc.networkAclId as NetworkAclId,
+            subnetId: assoc.subnetId as SubnetId,
+          };
+        }),
+
+        diff: Effect.fn(function* ({ news, olds }) {
+          // Subnet change requires replacement
+          if (news.subnetId !== olds.subnetId) {
+            return { action: "replace" };
+          }
+          // Network ACL change can be done via replaceNetworkAclAssociation
+        }),
+
+        create: Effect.fn(function* ({ news, session }) {
+          yield* session.note(
+            `Creating Network ACL Association for subnet ${news.subnetId}...`,
+          );
+
+          // First, find the current association for this subnet (every subnet has one)
+          const currentAssoc = yield* findAssociation(news.subnetId as string);
+          if (!currentAssoc) {
+            return yield* Effect.fail(
+              new Error(
+                `No existing Network ACL Association found for subnet ${news.subnetId}`,
+              ),
+            );
+          }
+
+          // Replace the association with the new network ACL
+          const result = yield* ec2.replaceNetworkAclAssociation({
+            AssociationId: currentAssoc.associationId,
+            NetworkAclId: news.networkAclId as string,
+            DryRun: false,
+          });
+
+          const newAssociationId = result.NewAssociationId!;
+          yield* session.note(
+            `Network ACL Association created: ${newAssociationId}`,
+          );
+
+          return {
+            associationId: newAssociationId as NetworkAclAssociationId,
+            networkAclId: news.networkAclId as NetworkAclId,
+            subnetId: news.subnetId as SubnetId,
+          };
+        }),
+
+        update: Effect.fn(function* ({ news, output, session }) {
+          yield* session.note(`Updating Network ACL Association...`);
+
+          // Replace the association with the new network ACL
+          const result = yield* ec2.replaceNetworkAclAssociation({
+            AssociationId: output.associationId,
+            NetworkAclId: news.networkAclId as string,
+            DryRun: false,
+          });
+
+          const newAssociationId = result.NewAssociationId!;
+          yield* session.note(
+            `Network ACL Association updated: ${newAssociationId}`,
+          );
+
+          return {
+            associationId: newAssociationId as NetworkAclAssociationId,
+            networkAclId: news.networkAclId as NetworkAclId,
+            subnetId: news.subnetId as SubnetId,
+          };
+        }),
+
+        delete: Effect.fn(function* ({ olds, output, session }) {
+          yield* session.note(`Deleting Network ACL Association...`);
+
+          // When deleting, we need to associate the subnet back to the default NACL
+          // Find the default NACL for the VPC
+          const subnetResult = yield* ec2.describeSubnets({
+            SubnetIds: [olds.subnetId as string],
+          });
+          const vpcId = subnetResult.Subnets?.[0]?.VpcId;
+
+          if (vpcId) {
+            const defaultAclResult = yield* ec2.describeNetworkAcls({
+              Filters: [
+                { Name: "vpc-id", Values: [vpcId] },
+                { Name: "default", Values: ["true"] },
+              ],
+            });
+
+            const defaultAclId =
+              defaultAclResult.NetworkAcls?.[0]?.NetworkAclId;
+
+            if (
+              defaultAclId &&
+              defaultAclId !== (olds.networkAclId as string)
+            ) {
+              // Replace with default NACL
+              yield* ec2
+                .replaceNetworkAclAssociation({
+                  AssociationId: output.associationId,
+                  NetworkAclId: defaultAclId,
+                  DryRun: false,
+                })
+                .pipe(
+                  Effect.catchTag(
+                    "InvalidAssociationID.NotFound",
+                    () => Effect.void,
+                  ),
+                );
+
+              yield* session.note(
+                `Network ACL Association reverted to default`,
+              );
+            } else {
+              yield* session.note(
+                `Already using default Network ACL, nothing to do`,
+              );
+            }
+          }
+        }),
+      } satisfies ProviderService<
+        NetworkAclAssociation,
+        any,
+        any,
+        any,
+        any,
+        any,
+        any
+      >;
+    }),
+  );