alchemy-effect 0.5.0 → 0.6.0

package/src/aws/ec2/network-acl-association.ts

@@ -0,0 +1,60 @@
+import type { Input } from "../../input.ts";
+import { Resource } from "../../resource.ts";
+import type { NetworkAclId } from "./network-acl.ts";
+import type { SubnetId } from "./subnet.ts";
+
+export const NetworkAclAssociation = Resource<{
+  <const ID extends string, const Props extends NetworkAclAssociationProps>(
+    id: ID,
+    props: Props,
+  ): NetworkAclAssociation<ID, Props>;
+}>("AWS.EC2.NetworkAclAssociation");
+
+export interface NetworkAclAssociation<
+  ID extends string = string,
+  Props extends NetworkAclAssociationProps = NetworkAclAssociationProps,
+> extends Resource<
+  "AWS.EC2.NetworkAclAssociation",
+  ID,
+  Props,
+  NetworkAclAssociationAttrs<Input.Resolve<Props>>,
+  NetworkAclAssociation
+> {}
+
+export type NetworkAclAssociationId<ID extends string = string> =
+  `aclassoc-${ID}`;
+export const NetworkAclAssociationId = <ID extends string>(
+  id: ID,
+): ID & NetworkAclAssociationId<ID> =>
+  `aclassoc-${id}` as ID & NetworkAclAssociationId<ID>;
+
+export interface NetworkAclAssociationProps {
+  /**
+   * The ID of the new network ACL to associate with the subnet.
+   */
+  networkAclId: Input<NetworkAclId>;
+
+  /**
+   * The ID of the subnet to associate with the network ACL.
+   */
+  subnetId: Input<SubnetId>;
+}
+
+export interface NetworkAclAssociationAttrs<
+  Props extends Input.Resolve<NetworkAclAssociationProps>,
+> {
+  /**
+   * The ID of the association between the network ACL and subnet.
+   */
+  associationId: NetworkAclAssociationId;
+
+  /**
+   * The ID of the network ACL.
+   */
+  networkAclId: Props["networkAclId"];
+
+  /**
+   * The ID of the subnet.
+   */
+  subnetId: Props["subnetId"];
+}

package/src/aws/ec2/network-acl-entry.provider.ts

@@ -0,0 +1,218 @@
+import * as Effect from "effect/Effect";
+
+import { EC2Client } from "./client.ts";
+import {
+  NetworkAclEntry,
+  type NetworkAclEntryAttrs,
+  type NetworkAclEntryProps,
+} from "./network-acl-entry.ts";
+
+export const networkAclEntryProvider = () =>
+  NetworkAclEntry.provider.effect(
+    // @ts-expect-error - TODO: fix this
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+
+      const findEntry = (
+        networkAclId: string,
+        ruleNumber: number,
+        egress: boolean,
+      ) =>
+        ec2
+          .describeNetworkAcls({ NetworkAclIds: [networkAclId] })
+          .pipe(
+            Effect.map((r) =>
+              r.NetworkAcls?.[0]?.Entries?.find(
+                (e) => e.RuleNumber === ruleNumber && e.Egress === egress,
+              ),
+            ),
+          );
+
+      const toAttrs = (
+        props: NetworkAclEntryProps,
+        entry: NonNullable<
+          Awaited<
+            ReturnType<
+              typeof findEntry extends (
+                ...args: any
+              ) => Effect.Effect<infer R, any, any>
+                ? () => Promise<R>
+                : never
+            >
+          >
+        >,
+      ): NetworkAclEntryAttrs<NetworkAclEntryProps> => ({
+        networkAclId:
+          props.networkAclId as NetworkAclEntryAttrs<NetworkAclEntryProps>["networkAclId"],
+        ruleNumber:
+          entry.RuleNumber as NetworkAclEntryAttrs<NetworkAclEntryProps>["ruleNumber"],
+        egress: entry.Egress!,
+        protocol:
+          entry.Protocol as NetworkAclEntryAttrs<NetworkAclEntryProps>["protocol"],
+        ruleAction:
+          entry.RuleAction as NetworkAclEntryAttrs<NetworkAclEntryProps>["ruleAction"],
+        cidrBlock: entry.CidrBlock,
+        ipv6CidrBlock: entry.Ipv6CidrBlock,
+        icmpTypeCode: entry.IcmpTypeCode
+          ? {
+              code: entry.IcmpTypeCode.Code,
+              type: entry.IcmpTypeCode.Type,
+            }
+          : undefined,
+        portRange: entry.PortRange
+          ? {
+              from: entry.PortRange.From,
+              to: entry.PortRange.To,
+            }
+          : undefined,
+      });
+
+      return {
+        stables: [],
+
+        read: Effect.fn(function* ({ olds, output }) {
+          if (!output) return undefined;
+          const entry = yield* findEntry(
+            olds.networkAclId as string,
+            output.ruleNumber,
+            output.egress,
+          );
+          if (!entry) {
+            return yield* Effect.fail(
+              new Error(
+                `Network ACL Entry not found: ${output.networkAclId} rule ${output.ruleNumber} egress=${output.egress}`,
+              ),
+            );
+          }
+          return toAttrs(olds, entry);
+        }),
+
+        diff: Effect.fn(function* ({ news, olds }) {
+          // If network ACL, rule number, or egress changes, need to replace
+          if (
+            news.networkAclId !== olds.networkAclId ||
+            news.ruleNumber !== olds.ruleNumber ||
+            news.egress !== olds.egress
+          ) {
+            return { action: "replace" };
+          }
+          // Other properties can be updated by replacing the entry
+        }),
+
+        create: Effect.fn(function* ({ news, session }) {
+          yield* session.note(
+            `Creating Network ACL Entry (rule ${news.ruleNumber})...`,
+          );
+
+          yield* ec2.createNetworkAclEntry({
+            NetworkAclId: news.networkAclId as string,
+            RuleNumber: news.ruleNumber,
+            Protocol: news.protocol,
+            RuleAction: news.ruleAction,
+            Egress: news.egress ?? false,
+            CidrBlock: news.cidrBlock,
+            Ipv6CidrBlock: news.ipv6CidrBlock,
+            IcmpTypeCode: news.icmpTypeCode
+              ? {
+                  Code: news.icmpTypeCode.code,
+                  Type: news.icmpTypeCode.type,
+                }
+              : undefined,
+            PortRange: news.portRange
+              ? {
+                  From: news.portRange.from,
+                  To: news.portRange.to,
+                }
+              : undefined,
+            DryRun: false,
+          });
+
+          yield* session.note(
+            `Network ACL Entry created: rule ${news.ruleNumber}`,
+          );
+
+          const entry = yield* findEntry(
+            news.networkAclId as string,
+            news.ruleNumber,
+            news.egress ?? false,
+          );
+          if (!entry) {
+            return yield* Effect.fail(
+              new Error("Network ACL Entry not found after creation"),
+            );
+          }
+          return toAttrs(news, entry);
+        }),
+
+        update: Effect.fn(function* ({ news, session }) {
+          // To update a network ACL entry, we need to replace it
+          yield* session.note(
+            `Updating Network ACL Entry (rule ${news.ruleNumber})...`,
+          );
+
+          yield* ec2.replaceNetworkAclEntry({
+            NetworkAclId: news.networkAclId as string,
+            RuleNumber: news.ruleNumber,
+            Protocol: news.protocol,
+            RuleAction: news.ruleAction,
+            Egress: news.egress ?? false,
+            CidrBlock: news.cidrBlock,
+            Ipv6CidrBlock: news.ipv6CidrBlock,
+            IcmpTypeCode: news.icmpTypeCode
+              ? {
+                  Code: news.icmpTypeCode.code,
+                  Type: news.icmpTypeCode.type,
+                }
+              : undefined,
+            PortRange: news.portRange
+              ? {
+                  From: news.portRange.from,
+                  To: news.portRange.to,
+                }
+              : undefined,
+            DryRun: false,
+          });
+
+          yield* session.note(
+            `Network ACL Entry updated: rule ${news.ruleNumber}`,
+          );
+
+          const entry = yield* findEntry(
+            news.networkAclId as string,
+            news.ruleNumber,
+            news.egress ?? false,
+          );
+          if (!entry) {
+            return yield* Effect.fail(
+              new Error("Network ACL Entry not found after update"),
+            );
+          }
+          return toAttrs(news, entry);
+        }),
+
+        delete: Effect.fn(function* ({ olds, output, session }) {
+          yield* session.note(
+            `Deleting Network ACL Entry (rule ${output.ruleNumber})...`,
+          );
+
+          yield* ec2
+            .deleteNetworkAclEntry({
+              NetworkAclId: olds.networkAclId as string,
+              RuleNumber: output.ruleNumber,
+              Egress: output.egress,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.catchTag(
+                "InvalidNetworkAclEntry.NotFound",
+                () => Effect.void,
+              ),
+            );
+
+          yield* session.note(
+            `Network ACL Entry deleted: rule ${output.ruleNumber}`,
+          );
+        }),
+      };
+    }),
+  );

package/src/aws/ec2/network-acl-entry.ts

@@ -0,0 +1,140 @@
+import type * as EC2 from "itty-aws/ec2";
+import type { Input } from "../../input.ts";
+import { Resource } from "../../resource.ts";
+import type { NetworkAclId } from "./network-acl.ts";
+
+export const NetworkAclEntry = Resource<{
+  <const ID extends string, const Props extends NetworkAclEntryProps>(
+    id: ID,
+    props: Props,
+  ): NetworkAclEntry<ID, Props>;
+}>("AWS.EC2.NetworkAclEntry");
+
+export interface NetworkAclEntry<
+  ID extends string = string,
+  Props extends NetworkAclEntryProps = NetworkAclEntryProps,
+> extends Resource<
+  "AWS.EC2.NetworkAclEntry",
+  ID,
+  Props,
+  NetworkAclEntryAttrs<Input.Resolve<Props>>,
+  NetworkAclEntry
+> {}
+
+export interface NetworkAclEntryProps {
+  /**
+   * The ID of the network ACL.
+   */
+  networkAclId: Input<NetworkAclId>;
+
+  /**
+   * The rule number for the entry (1-32766).
+   * Rules are evaluated in order from lowest to highest.
+   */
+  ruleNumber: number;
+
+  /**
+   * The protocol number.
+   * A value of "-1" means all protocols.
+   * Common values: 6 (TCP), 17 (UDP), 1 (ICMP)
+   */
+  protocol: string;
+
+  /**
+   * Whether to allow or deny the traffic that matches the rule.
+   */
+  ruleAction: EC2.RuleAction;
+
+  /**
+   * Whether this is an egress (outbound) rule.
+   * @default false (ingress)
+   */
+  egress?: boolean;
+
+  /**
+   * The IPv4 CIDR block.
+   * Either cidrBlock or ipv6CidrBlock must be specified.
+   */
+  cidrBlock?: string;
+
+  /**
+   * The IPv6 CIDR block.
+   * Either cidrBlock or ipv6CidrBlock must be specified.
+   */
+  ipv6CidrBlock?: string;
+
+  /**
+   * ICMP type and code. Required if protocol is 1 (ICMP) or 58 (ICMPv6).
+   */
+  icmpTypeCode?: {
+    /**
+     * The ICMP code. Use -1 to specify all codes.
+     */
+    code?: number;
+    /**
+     * The ICMP type. Use -1 to specify all types.
+     */
+    type?: number;
+  };
+
+  /**
+   * The port range for TCP/UDP protocols.
+   */
+  portRange?: {
+    /**
+     * The first port in the range.
+     */
+    from?: number;
+    /**
+     * The last port in the range.
+     */
+    to?: number;
+  };
+}
+
+export interface NetworkAclEntryAttrs<Props extends NetworkAclEntryProps> {
+  /**
+   * The ID of the network ACL.
+   */
+  networkAclId: Props["networkAclId"];
+
+  /**
+   * The rule number.
+   */
+  ruleNumber: Props["ruleNumber"];
+
+  /**
+   * Whether this is an egress rule.
+   */
+  egress: boolean;
+
+  /**
+   * The protocol.
+   */
+  protocol: Props["protocol"];
+
+  /**
+   * The rule action (allow or deny).
+   */
+  ruleAction: Props["ruleAction"];
+
+  /**
+   * The IPv4 CIDR block.
+   */
+  cidrBlock?: Props["cidrBlock"];
+
+  /**
+   * The IPv6 CIDR block.
+   */
+  ipv6CidrBlock?: Props["ipv6CidrBlock"];
+
+  /**
+   * The ICMP type and code.
+   */
+  icmpTypeCode?: Props["icmpTypeCode"];
+
+  /**
+   * The port range.
+   */
+  portRange?: Props["portRange"];
+}

package/src/aws/ec2/network-acl.provider.ts

@@ -0,0 +1,195 @@
+import type * as EC2 from "itty-aws/ec2";
+import * as Effect from "effect/Effect";
+import * as Schedule from "effect/Schedule";
+
+import { createTagger, createTagsList, diffTags } from "../../tags.ts";
+import { Account } from "../account.ts";
+import { Region } from "../region.ts";
+import { EC2Client } from "./client.ts";
+import {
+  type NetworkAclArn,
+  NetworkAcl,
+  type NetworkAclAttrs,
+  type NetworkAclId,
+} from "./network-acl.ts";
+import type { VpcId } from "./vpc.ts";
+
+export const networkAclProvider = () =>
+  NetworkAcl.provider.effect(
+    Effect.gen(function* () {
+      const ec2 = yield* EC2Client;
+      const region = yield* Region;
+      const accountId = yield* Account;
+      const tagged = yield* createTagger();
+
+      const createTags = (
+        id: string,
+        tags?: Record<string, string>,
+      ): Record<string, string> => ({
+        Name: id,
+        ...tagged(id),
+        ...tags,
+      });
+
+      const describeNetworkAcl = (networkAclId: string) =>
+        ec2.describeNetworkAcls({ NetworkAclIds: [networkAclId] }).pipe(
+          Effect.map((r) => r.NetworkAcls?.[0]),
+          Effect.flatMap((acl) =>
+            acl
+              ? Effect.succeed(acl)
+              : Effect.fail(new Error(`Network ACL ${networkAclId} not found`)),
+          ),
+        );
+
+      const toAttrs = (acl: EC2.NetworkAcl): NetworkAclAttrs => ({
+        networkAclId: acl.NetworkAclId as NetworkAclId,
+        networkAclArn:
+          `arn:aws:ec2:${region}:${accountId}:network-acl/${acl.NetworkAclId}` as NetworkAclArn,
+        vpcId: acl.VpcId as VpcId,
+        isDefault: acl.IsDefault ?? false,
+        ownerId: acl.OwnerId!,
+        entries: acl.Entries?.map((e) => ({
+          ruleNumber: e.RuleNumber!,
+          protocol: e.Protocol!,
+          ruleAction: e.RuleAction!,
+          egress: e.Egress!,
+          cidrBlock: e.CidrBlock,
+          ipv6CidrBlock: e.Ipv6CidrBlock,
+          icmpTypeCode: e.IcmpTypeCode
+            ? {
+                code: e.IcmpTypeCode.Code,
+                type: e.IcmpTypeCode.Type,
+              }
+            : undefined,
+          portRange: e.PortRange
+            ? {
+                from: e.PortRange.From,
+                to: e.PortRange.To,
+              }
+            : undefined,
+        })),
+        associations: acl.Associations?.map((a) => ({
+          networkAclAssociationId: a.NetworkAclAssociationId!,
+          networkAclId: a.NetworkAclId!,
+          subnetId: a.SubnetId!,
+        })),
+      });
+
+      return {
+        stables: ["networkAclId", "networkAclArn", "ownerId", "isDefault"],
+
+        read: Effect.fn(function* ({ output }) {
+          if (!output) return undefined;
+          const acl = yield* describeNetworkAcl(output.networkAclId);
+          return toAttrs(acl);
+        }),
+
+        diff: Effect.fn(function* ({ news, olds }) {
+          // VPC change requires replacement
+          if (news.vpcId !== olds.vpcId) {
+            return { action: "replace" };
+          }
+          // Tags can be updated in-place
+        }),
+
+        create: Effect.fn(function* ({ id, news, session }) {
+          yield* session.note("Creating Network ACL...");
+
+          const result = yield* ec2.createNetworkAcl({
+            VpcId: news.vpcId as string,
+            TagSpecifications: [
+              {
+                ResourceType: "network-acl",
+                Tags: createTagsList(createTags(id, news.tags)),
+              },
+            ],
+            DryRun: false,
+          });
+
+          const networkAclId = result.NetworkAcl!.NetworkAclId!;
+          yield* session.note(`Network ACL created: ${networkAclId}`);
+
+          const acl = yield* describeNetworkAcl(networkAclId);
+          return toAttrs(acl);
+        }),
+
+        update: Effect.fn(function* ({ id, news, output, session }) {
+          const networkAclId = output.networkAclId;
+
+          // Handle tag updates
+          const newTags = createTags(id, news.tags);
+          const oldTags =
+            (yield* ec2
+              .describeTags({
+                Filters: [
+                  { Name: "resource-id", Values: [networkAclId] },
+                  { Name: "resource-type", Values: ["network-acl"] },
+                ],
+              })
+              .pipe(
+                Effect.map(
+                  (r) =>
+                    Object.fromEntries(
+                      r.Tags?.map((t) => [t.Key!, t.Value!]) ?? [],
+                    ) as Record<string, string>,
+                ),
+              )) ?? {};
+
+          const { removed, upsert } = diffTags(oldTags, newTags);
+
+          if (removed.length > 0) {
+            yield* ec2.deleteTags({
+              Resources: [networkAclId],
+              Tags: removed.map((key) => ({ Key: key })),
+              DryRun: false,
+            });
+          }
+          if (upsert.length > 0) {
+            yield* ec2.createTags({
+              Resources: [networkAclId],
+              Tags: upsert,
+              DryRun: false,
+            });
+            yield* session.note("Updated tags");
+          }
+
+          const acl = yield* describeNetworkAcl(networkAclId);
+          return toAttrs(acl);
+        }),
+
+        delete: Effect.fn(function* ({ output, session }) {
+          const networkAclId = output.networkAclId;
+
+          yield* session.note(`Deleting Network ACL: ${networkAclId}`);
+
+          yield* ec2
+            .deleteNetworkAcl({
+              NetworkAclId: networkAclId,
+              DryRun: false,
+            })
+            .pipe(
+              Effect.catchTag(
+                "InvalidNetworkAclID.NotFound",
+                () => Effect.void,
+              ),
+              // Retry on dependency violations (e.g., associations still being removed)
+              Effect.retry({
+                while: (e) => {
+                  return e._tag === "DependencyViolation";
+                },
+                schedule: Schedule.exponential(1000, 1.5).pipe(
+                  Schedule.intersect(Schedule.recurs(15)),
+                  Schedule.tapOutput(([, attempt]) =>
+                    session.note(
+                      `Waiting for dependencies to clear... (attempt ${attempt + 1})`,
+                    ),
+                  ),
+                ),
+              }),
+            );
+
+          yield* session.note(`Network ACL ${networkAclId} deleted`);
+        }),
+      };
+    }),
+  );

package/src/aws/ec2/network-acl.ts

@@ -0,0 +1,102 @@
+import type * as EC2 from "itty-aws/ec2";
+import type { Input } from "../../input.ts";
+import { Resource } from "../../resource.ts";
+import type { AccountID } from "../account.ts";
+import type { RegionID } from "../region.ts";
+import type { VpcId } from "./vpc.ts";
+
+export const NetworkAcl = Resource<{
+  <const ID extends string, const Props extends NetworkAclProps>(
+    id: ID,
+    props: Props,
+  ): NetworkAcl<ID, Props>;
+}>("AWS.EC2.NetworkAcl");
+
+export interface NetworkAcl<
+  ID extends string = string,
+  Props extends NetworkAclProps = NetworkAclProps,
+> extends Resource<
+  "AWS.EC2.NetworkAcl",
+  ID,
+  Props,
+  NetworkAclAttrs<Input.Resolve<Props>>,
+  NetworkAcl
+> {}
+
+export type NetworkAclId<ID extends string = string> = `acl-${ID}`;
+export const NetworkAclId = <ID extends string>(
+  id: ID,
+): ID & NetworkAclId<ID> => `acl-${id}` as ID & NetworkAclId<ID>;
+
+export interface NetworkAclProps {
+  /**
+   * The VPC to create the network ACL in.
+   */
+  vpcId: Input<VpcId>;
+
+  /**
+   * Tags to assign to the network ACL.
+   */
+  tags?: Record<string, Input<string>>;
+}
+
+export type NetworkAclArn<ID extends NetworkAclId = NetworkAclId> =
+  `arn:aws:ec2:${RegionID}:${AccountID}:network-acl/${ID}`;
+
+export interface NetworkAclAttrs<
+  Props extends Input.Resolve<NetworkAclProps> = Input.Resolve<NetworkAclProps>,
+> {
+  /**
+   * The ID of the network ACL.
+   */
+  networkAclId: NetworkAclId;
+
+  /**
+   * The Amazon Resource Name (ARN) of the network ACL.
+   */
+  networkAclArn: NetworkAclArn<this["networkAclId"]>;
+
+  /**
+   * The ID of the VPC for the network ACL.
+   */
+  vpcId: Props["vpcId"];
+
+  /**
+   * Whether this is the default network ACL for the VPC.
+   */
+  isDefault: boolean;
+
+  /**
+   * The ID of the AWS account that owns the network ACL.
+   */
+  ownerId: string;
+
+  /**
+   * The entries (rules) in the network ACL.
+   */
+  entries?: Array<{
+    ruleNumber: number;
+    protocol: string;
+    ruleAction: EC2.RuleAction;
+    egress: boolean;
+    cidrBlock?: string;
+    ipv6CidrBlock?: string;
+    icmpTypeCode?: {
+      code?: number;
+      type?: number;
+    };
+    portRange?: {
+      from?: number;
+      to?: number;
+    };
+  }>;
+
+  /**
+   * The associations between the network ACL and subnets.
+   */
+  associations?: Array<{
+    networkAclAssociationId: string;
+    networkAclId: string;
+    subnetId: string;
+  }>;
+}