canopycms-cdk 0.0.0 → 0.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "canopycms-cdk",
-  "version": "0.0.0",
+  "version": "0.0.2",
   "description": "AWS CDK constructs and EC2 worker for CanopyCMS deployment",
   "license": "MIT",
   "repository": {
@@ -17,7 +17,6 @@
   },
   "files": [
     "dist",
-    "src",
     "worker/dist",
     "worker/canopy-worker.service"
   ],
@@ -53,8 +52,8 @@
   "devDependencies": {
     "@types/node": "^22.9.0",
     "aws-cdk-lib": "^2.150.0",
-    "canopycms": "*",
-    "canopycms-auth-clerk": "*",
+    "canopycms": "^0.0.2",
+    "canopycms-auth-clerk": "^0.0.2",
     "@octokit/rest": "^20.0.2",
     "simple-git": "^3.22.0",
     "@aws-sdk/client-secrets-manager": "^3.600.0",

package/src/constructs/cms-distribution.ts

@@ -1,151 +0,0 @@
-import { Construct } from 'constructs'
-import {
-  Duration,
-  Fn,
-  aws_cloudfront as cloudfront,
-  aws_cloudfront_origins as origins,
-  aws_certificatemanager as acm,
-  aws_route53 as route53,
-  aws_route53_targets as targets,
-  aws_lambda as lambda,
-} from 'aws-cdk-lib'
-
-export interface CanopyCmsDistributionProps {
-  /** Lambda Function URL from CanopyCmsService */
-  functionUrl: lambda.FunctionUrl
-
-  /** Domain name for the CMS (e.g., 'cms.docs.example.org') */
-  domainName: string
-
-  /** Route53 hosted zone domain (e.g., 'example.org') */
-  hostedZoneDomain: string
-
-  /** Optional: provide an existing hosted zone instead of looking up by domain */
-  hostedZone?: route53.IHostedZone
-
-  /** Optional: provide an existing ACM certificate instead of creating one */
-  certificate?: acm.ICertificate
-}
-
-/**
- * Optional CDK construct for CanopyCMS CloudFront distribution.
- *
- * Use this if you don't have existing CloudFront infrastructure.
- * If you do, use the functionUrl output from CanopyCmsService
- * and wire it into your own CloudFront setup.
- *
- * Creates:
- * - ACM certificate (DNS validated) — unless provided
- * - CloudFront distribution with Function URL origin
- * - Route53 A/AAAA alias records
- * - Cache policies: no-cache for /api/* and /edit*, cache /_next/static/*
- */
-export class CanopyCmsDistribution extends Construct {
-  /** The CloudFront distribution */
-  public readonly distribution: cloudfront.Distribution
-
-  constructor(scope: Construct, id: string, props: CanopyCmsDistributionProps) {
-    super(scope, id)
-
-    // ========================================================================
-    // DNS — Hosted Zone lookup
-    // ========================================================================
-
-    const hostedZone =
-      props.hostedZone ??
-      route53.HostedZone.fromLookup(this, 'Zone', {
-        domainName: props.hostedZoneDomain,
-      })
-
-    // ========================================================================
-    // ACM Certificate
-    // ========================================================================
-
-    const certificate =
-      props.certificate ??
-      new acm.Certificate(this, 'Cert', {
-        domainName: props.domainName,
-        validation: acm.CertificateValidation.fromDns(hostedZone),
-      })
-
-    // ========================================================================
-    // CloudFront Distribution
-    // ========================================================================
-
-    // Extract the domain from the Function URL (https://xxx.lambda-url.region.on.aws)
-    const functionUrlDomain = extractFunctionUrlDomain(props.functionUrl)
-
-    // Origin: Lambda Function URL
-    const origin = new origins.HttpOrigin(functionUrlDomain, {
-      protocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
-    })
-
-    // Cache policy for API/editor routes: no caching, forward all headers
-    const noCachePolicy = new cloudfront.CachePolicy(this, 'NoCachePolicy', {
-      cachePolicyName: `${id}-no-cache`,
-      defaultTtl: Duration.seconds(0),
-      maxTtl: Duration.seconds(0),
-      minTtl: Duration.seconds(0),
-      headerBehavior: cloudfront.CacheHeaderBehavior.allowList('Authorization', 'Cookie', 'Host'),
-      queryStringBehavior: cloudfront.CacheQueryStringBehavior.all(),
-      cookieBehavior: cloudfront.CacheCookieBehavior.all(),
-    })
-
-    // Cache policy for static assets
-    const staticCachePolicy = new cloudfront.CachePolicy(this, 'StaticCachePolicy', {
-      cachePolicyName: `${id}-static`,
-      defaultTtl: Duration.days(365),
-      maxTtl: Duration.days(365),
-      minTtl: Duration.days(365),
-      headerBehavior: cloudfront.CacheHeaderBehavior.none(),
-      queryStringBehavior: cloudfront.CacheQueryStringBehavior.none(),
-      cookieBehavior: cloudfront.CacheCookieBehavior.none(),
-    })
-
-    this.distribution = new cloudfront.Distribution(this, 'Distribution', {
-      domainNames: [props.domainName],
-      certificate,
-      defaultBehavior: {
-        origin,
-        cachePolicy: noCachePolicy,
-        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-        allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
-        originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
-      },
-      additionalBehaviors: {
-        '/_next/static/*': {
-          origin,
-          cachePolicy: staticCachePolicy,
-          viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-        },
-      },
-    })
-
-    // ========================================================================
-    // DNS Records
-    // ========================================================================
-
-    new route53.ARecord(this, 'ARecord', {
-      zone: hostedZone,
-      recordName: props.domainName,
-      target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
-    })
-
-    new route53.AaaaRecord(this, 'AaaaRecord', {
-      zone: hostedZone,
-      recordName: props.domainName,
-      target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(this.distribution)),
-    })
-  }
-}
-
-/**
- * Extract the domain from a Lambda Function URL.
- * The URL is like https://xxx.lambda-url.region.on.aws/
- * We need just the domain part for CloudFront origin.
- */
-function extractFunctionUrlDomain(functionUrl: lambda.FunctionUrl): string {
-  // Function URL is a Token at synth time, so we use Fn.select + Fn.split
-  // to extract the domain from the URL: https://xxx.lambda-url.region.on.aws/
-  return Fn.select(2, Fn.split('/', functionUrl.url))
-}

package/src/constructs/cms-service.ts

@@ -1,325 +0,0 @@
-import * as path from 'node:path'
-import { Construct } from 'constructs'
-import {
-  Duration,
-  RemovalPolicy,
-  aws_ec2 as ec2,
-  aws_efs as efs,
-  aws_iam as iam,
-  aws_lambda as lambda,
-  aws_autoscaling as autoscaling,
-  aws_s3_assets as s3assets,
-} from 'aws-cdk-lib'
-
-export interface CanopyCmsServiceProps {
-  /** Docker image for the CMS Lambda function */
-  cmsDockerImage: lambda.DockerImageCode
-
-  /** Optional: use an existing VPC instead of creating one */
-  vpc?: ec2.IVpc
-
-  /** Lambda memory in MB (default: 2048) */
-  memorySize?: number
-
-  /** Lambda timeout (default: 60 seconds) */
-  timeout?: Duration
-
-  /** Lambda reserved concurrency cap (default: 10) */
-  reservedConcurrency?: number
-
-  /** EC2 spot max price (default: on-demand rate for t4g.nano) */
-  spotMaxPrice?: string
-
-  /** Secrets Manager ARNs the worker needs to read (GitHub token, Clerk key) */
-  secretsArns?: string[]
-
-  /** Environment variables for the Lambda function */
-  environment?: Record<string, string>
-
-  /** EFS removal policy (default: RETAIN) */
-  efsRemovalPolicy?: RemovalPolicy
-
-  /** GitHub owner for worker git operations (e.g., 'safeinsights') */
-  githubOwner: string
-
-  /** GitHub repo name for worker git operations (e.g., 'docs-site') */
-  githubRepo: string
-
-  /** Secrets Manager ARN for the GitHub bot token */
-  githubTokenSecretArn?: string
-
-  /** Secrets Manager ARN for the Clerk secret key */
-  clerkSecretKeySecretArn?: string
-
-  /** Base branch name (default: 'main') */
-  baseBranch?: string
-}
-
-/**
- * Core CDK construct for CanopyCMS deployment.
- *
- * Creates:
- * - VPC (2 AZs, public + private subnets, NO NAT)
- * - EFS filesystem with access point at /workspace
- * - Lambda function (Docker image, EFS mount, private subnet, no internet)
- * - Lambda Function URL (for CloudFront origin)
- * - EC2 Worker (t4g.nano spot in ASG, public subnet, EFS mount, systemd)
- * - Security groups (least-privilege)
- * - IAM roles (Lambda: EFS only; EC2: EFS + Secrets Manager)
- */
-export class CanopyCmsService extends Construct {
-  /** Lambda Function URL — use as CloudFront origin */
-  public readonly functionUrl: lambda.FunctionUrl
-
-  /** The EFS filesystem */
-  public readonly fileSystem: efs.FileSystem
-
-  /** The VPC */
-  public readonly vpc: ec2.IVpc
-
-  /** The Lambda function */
-  public readonly lambdaFunction: lambda.Function
-
-  /** The EC2 worker Auto Scaling Group */
-  public readonly workerAsg: autoscaling.AutoScalingGroup
-
-  constructor(scope: Construct, id: string, props: CanopyCmsServiceProps) {
-    super(scope, id)
-
-    // ========================================================================
-    // VPC — 2 AZs, public + private subnets, NO NAT
-    // ========================================================================
-
-    this.vpc =
-      props.vpc ??
-      new ec2.Vpc(this, 'Vpc', {
-        maxAzs: 2,
-        natGateways: 0, // No NAT — Lambda has no internet access
-        subnetConfiguration: [
-          {
-            name: 'Public',
-            subnetType: ec2.SubnetType.PUBLIC,
-            cidrMask: 24,
-          },
-          {
-            name: 'Private',
-            subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
-            cidrMask: 24,
-          },
-        ],
-      })
-
-    // ========================================================================
-    // EFS — persistent filesystem for content, git repos, cache
-    // ========================================================================
-
-    const efsSg = new ec2.SecurityGroup(this, 'EfsSg', {
-      vpc: this.vpc,
-      description: 'CanopyCMS EFS',
-      allowAllOutbound: false,
-    })
-
-    this.fileSystem = new efs.FileSystem(this, 'FileSystem', {
-      vpc: this.vpc,
-      encrypted: true,
-      performanceMode: efs.PerformanceMode.GENERAL_PURPOSE,
-      removalPolicy: props.efsRemovalPolicy ?? RemovalPolicy.RETAIN,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
-      securityGroup: efsSg,
-    })
-
-    const accessPoint = this.fileSystem.addAccessPoint('WorkspaceAP', {
-      path: '/workspace',
-      createAcl: {
-        ownerGid: '1000',
-        ownerUid: '1000',
-        permissions: '755',
-      },
-      posixUser: {
-        gid: '1000',
-        uid: '1000',
-      },
-    })
-
-    // ========================================================================
-    // Lambda — CMS app, private subnet, no internet, EFS mount
-    // ========================================================================
-
-    const lambdaSg = new ec2.SecurityGroup(this, 'LambdaSg', {
-      vpc: this.vpc,
-      description: 'CanopyCMS Lambda',
-      allowAllOutbound: false, // No internet access
-    })
-
-    // Lambda → EFS
-    efsSg.addIngressRule(lambdaSg, ec2.Port.tcp(2049), 'Lambda NFS access')
-
-    this.lambdaFunction = new lambda.DockerImageFunction(this, 'CmsFunction', {
-      code: props.cmsDockerImage,
-      memorySize: props.memorySize ?? 2048,
-      timeout: props.timeout ?? Duration.seconds(60),
-      reservedConcurrentExecutions: props.reservedConcurrency ?? 10,
-      vpc: this.vpc,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
-      securityGroups: [lambdaSg],
-      filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/mnt/efs'),
-      environment: {
-        CANOPYCMS_WORKSPACE_ROOT: '/mnt/efs/workspace',
-        CANOPY_AUTH_CACHE_PATH: '/mnt/efs/workspace/.cache',
-        ...props.environment,
-      },
-    })
-
-    // Function URL for CloudFront origin
-    this.functionUrl = this.lambdaFunction.addFunctionUrl({
-      authType: lambda.FunctionUrlAuthType.NONE,
-    })
-
-    // ========================================================================
-    // EC2 Worker — t4g.nano spot, public subnet, internet, EFS mount
-    // ========================================================================
-
-    const workerSg = new ec2.SecurityGroup(this, 'WorkerSg', {
-      vpc: this.vpc,
-      description: 'CanopyCMS EC2 Worker',
-      allowAllOutbound: false,
-    })
-
-    // Worker ↔ EFS (ingress on EFS SG + egress on Worker SG)
-    efsSg.addIngressRule(workerSg, ec2.Port.tcp(2049), 'Worker NFS access')
-    workerSg.addEgressRule(efsSg, ec2.Port.tcp(2049), 'NFS to EFS')
-
-    // Worker → internet (HTTPS only)
-    workerSg.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'HTTPS outbound')
-
-    // Worker → DNS (needed for EFS DNS-based mount targets)
-    workerSg.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(53), 'DNS TCP')
-    workerSg.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.udp(53), 'DNS UDP')
-
-    // Worker IAM role
-    const workerRole = new iam.Role(this, 'WorkerRole', {
-      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
-      description: 'CanopyCMS EC2 Worker role',
-    })
-
-    // Worker needs to read secrets
-    if (props.secretsArns && props.secretsArns.length > 0) {
-      workerRole.addToPolicy(
-        new iam.PolicyStatement({
-          actions: ['secretsmanager:GetSecretValue'],
-          resources: props.secretsArns,
-        }),
-      )
-    }
-
-    // Worker needs EFS access (handled via security group, but mount needs ec2:DescribeAvailabilityZones)
-    workerRole.addManagedPolicy(
-      iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonElasticFileSystemClientReadWriteAccess'),
-    )
-
-    // Worker S3 Asset — upload bundled worker code to CDK assets bucket
-    // The worker is bundled with esbuild into a single JS file (npm run build:worker)
-    const workerAsset = new s3assets.Asset(this, 'WorkerCode', {
-      path: path.join(__dirname, '../../worker/dist'),
-    })
-    workerAsset.grantRead(workerRole)
-
-    // Build worker .env file content from CDK props
-    const envLines = [
-      `CANOPYCMS_WORKSPACE_ROOT=/mnt/efs/workspace`,
-      `CANOPYCMS_GITHUB_OWNER=${props.githubOwner}`,
-      `CANOPYCMS_GITHUB_REPO=${props.githubRepo}`,
-      `CANOPYCMS_BASE_BRANCH=${props.baseBranch ?? 'main'}`,
-    ]
-    if (props.githubTokenSecretArn) {
-      envLines.push(`CANOPYCMS_GITHUB_TOKEN_SECRET_ARN=${props.githubTokenSecretArn}`)
-    }
-    if (props.clerkSecretKeySecretArn) {
-      envLines.push(`CLERK_SECRET_KEY_SECRET_ARN=${props.clerkSecretKeySecretArn}`)
-    }
-    const envFileContent = envLines.join('\n')
-
-    // UserData script
-    const userData = ec2.UserData.forLinux()
-    userData.addCommands(
-      '#!/bin/bash',
-      'set -euo pipefail',
-      '',
-      '# Install dependencies',
-      'yum install -y git',
-      'curl -fsSL https://rpm.nodesource.com/setup_20.x | bash -',
-      'yum install -y nodejs',
-      '',
-      '# Mount EFS',
-      'yum install -y amazon-efs-utils',
-      'mkdir -p /mnt/efs',
-      `mount -t efs ${this.fileSystem.fileSystemId}:/ /mnt/efs`,
-      '',
-      '# Download worker from CDK S3 Asset',
-      `aws s3 cp s3://${workerAsset.s3BucketName}/${workerAsset.s3ObjectKey} /tmp/canopy-worker.zip`,
-      'mkdir -p /opt/canopy-worker',
-      'cd /opt/canopy-worker',
-      'unzip -o /tmp/canopy-worker.zip',
-      '',
-      '# Write environment file for systemd service',
-      `cat > /opt/canopy-worker/.env << 'ENVEOF'`,
-      envFileContent,
-      'ENVEOF',
-      '',
-      '# Create systemd service',
-      `cat > /etc/systemd/system/canopy-worker.service << 'SVCEOF'`,
-      '[Unit]',
-      'Description=CanopyCMS Worker Daemon',
-      'After=network.target',
-      '',
-      '[Service]',
-      'Type=simple',
-      'User=ec2-user',
-      'WorkingDirectory=/opt/canopy-worker',
-      'ExecStart=/usr/bin/node index.js',
-      'Restart=always',
-      'RestartSec=5',
-      'TimeoutStartSec=300',
-      'StandardOutput=journal',
-      'StandardError=journal',
-      'EnvironmentFile=/opt/canopy-worker/.env',
-      '',
-      '[Install]',
-      'WantedBy=multi-user.target',
-      'SVCEOF',
-      '',
-      '# Set ownership for ec2-user',
-      'chown -R ec2-user:ec2-user /opt/canopy-worker',
-      '# Non-recursive: EFS access point enforces UID 1000 for Lambda.',
-      '# Only set ownership on mount point and workspace dir to avoid',
-      '# slow recursive chown on large filesystems during ASG replacements.',
-      'chown ec2-user:ec2-user /mnt/efs',
-      'mkdir -p /mnt/efs/workspace',
-      'chown ec2-user:ec2-user /mnt/efs/workspace',
-      '',
-      '# Start worker',
-      'systemctl daemon-reload',
-      'systemctl enable canopy-worker',
-      'systemctl start canopy-worker',
-    )
-
-    // Auto Scaling Group
-    this.workerAsg = new autoscaling.AutoScalingGroup(this, 'WorkerAsg', {
-      vpc: this.vpc,
-      vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
-      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.NANO),
-      machineImage: ec2.MachineImage.latestAmazonLinux2023({
-        cpuType: ec2.AmazonLinuxCpuType.ARM_64,
-      }),
-      role: workerRole,
-      securityGroup: workerSg,
-      minCapacity: 1,
-      maxCapacity: 1,
-      userData,
-      spotPrice: props.spotMaxPrice ?? '0.0042', // On-demand rate for t4g.nano
-      healthCheck: autoscaling.HealthCheck.ec2({
-        grace: Duration.minutes(5),
-      }),
-    })
-  }
-}

package/src/index.ts

@@ -1,9 +0,0 @@
-// Worker daemon
-export { CmsWorker } from './worker'
-export type { CmsWorkerConfig } from './worker'
-
-// CDK Constructs
-export { CanopyCmsService } from './constructs/cms-service'
-export type { CanopyCmsServiceProps } from './constructs/cms-service'
-export { CanopyCmsDistribution } from './constructs/cms-distribution'
-export type { CanopyCmsDistributionProps } from './constructs/cms-distribution'

package/src/worker.ts

@@ -1,7 +0,0 @@
-/**
- * Re-export CmsWorker from the core canopycms package.
- * The worker is cloud-agnostic and auth-agnostic — it lives in canopycms core.
- * This file re-exports it for convenience from the CDK package.
- */
-export { CmsWorker } from 'canopycms/worker/cms-worker'
-export type { CmsWorkerConfig, AuthCacheRefresher } from 'canopycms/worker/cms-worker'