create-svc 0.1.10 → 0.1.11

package/templates/shared/scripts/authctl.ts

@@ -0,0 +1,231 @@
+import serviceConfig from "../service.config";
+import { existsSync } from "node:fs";
+
+type CommandResult = {
+  success: boolean;
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+};
+
+const decoder = new TextDecoder();
+
+export type AuthDoctorResult = {
+  hasAuthctl: boolean;
+  hasResourceServerCommands: boolean;
+  detail: string;
+  resourceServerCommand?: ResourceServerCommand;
+};
+
+type ResourceServerCommand = {
+  subject: string;
+  mutationAction?: "upsert" | "create";
+  actions: string[];
+};
+
+type ResourceServerMutationCommand = ResourceServerCommand & {
+  mutationAction: "upsert" | "create";
+};
+
+export function defaultAuthResourceServerArgs() {
+  const auth = serviceConfig.auth;
+  return [
+    "--resource-server",
+    auth.resource_server.id,
+    "--audience",
+    auth.resource_server.audience,
+    "--stage",
+    serviceConfig.stage_default,
+    ...auth.resource_server.default_scopes.flatMap((scope) => ["--scope", scope]),
+  ];
+}
+
+export function runAuthCommand(args: string[]) {
+  const [subject, action, ...rest] = args;
+
+  if (!subject || subject === "doctor") {
+    const result = runAuthDoctor();
+    if (!result.hasAuthctl) {
+      throw new Error(result.detail);
+    }
+    return result.detail;
+  }
+
+  if (subject === "resource-server" || subject === "resource-servers") {
+    const command = resolveResourceServerCommand();
+    if (!command) {
+      throw new Error(
+        "authctl is installed but does not expose resource-server commands; install @anmho/authctl@0.1.1 or newer before managing auth resource servers"
+      );
+    }
+    if (action === "get" || action === "list") {
+      if (!command.actions.includes(action)) {
+        throw new Error(`authctl ${command.subject} does not expose ${action}`);
+      }
+      authctl([command.subject, action, ...rest]);
+      return `Auth resource server ${action} finished`;
+    }
+    const mutation = ensureResourceServerCommandAvailable();
+    const subcommand = action ?? mutation.mutationAction;
+    if (!mutation.mutationAction || (subcommand !== mutation.mutationAction && !(subcommand === "upsert" && mutation.mutationAction === "create"))) {
+      throw new Error(`Usage: service auth resource-server [${mutation.mutationAction}] [authctl args]`);
+    }
+    authctl([mutation.subject, mutation.mutationAction, ...defaultAuthResourceServerArgs(), "--json", ...rest]);
+    return `Auth resource server ready: ${serviceConfig.auth.resource_server.id}`;
+  }
+
+  if (subject === "client" || subject === "clients") {
+    return runClientCommand(action, rest);
+  }
+
+  throw new Error("Usage: service auth <doctor|resource-server|client> [args]");
+}
+
+export function ensureAuthResourceServer() {
+  const command = ensureResourceServerCommandAvailable();
+  authctl([command.subject, command.mutationAction, ...defaultAuthResourceServerArgs(), "--json"]);
+  return `Auth resource server ready: ${serviceConfig.auth.resource_server.audience}`;
+}
+
+export function runAuthDoctor(): AuthDoctorResult {
+  if (!authctlPath()) {
+    return {
+      hasAuthctl: false,
+      hasResourceServerCommands: false,
+      detail: "authctl is not installed; run bun install in this generated service or link @anmho/authctl before service create",
+    };
+  }
+
+  const doctor = authctl(["doctor", "--json"], { allowFailure: true, quiet: true });
+  const resourceServerCommand = resolveResourceServerCommand();
+  const hasResourceServerCommands = Boolean(resourceServerCommand?.mutationAction);
+
+  if (!doctor.success) {
+    return {
+      hasAuthctl: true,
+      hasResourceServerCommands,
+      resourceServerCommand,
+      detail: `authctl doctor failed: ${doctor.stderr || doctor.stdout}`,
+    };
+  }
+
+  if (!hasResourceServerCommands) {
+    return {
+      hasAuthctl: true,
+      hasResourceServerCommands: false,
+      resourceServerCommand,
+      detail:
+        "authctl is installed but does not expose resource-server upsert/create; install @anmho/authctl@0.1.1 or newer before service create",
+    };
+  }
+
+  return {
+    hasAuthctl: true,
+    hasResourceServerCommands: true,
+    resourceServerCommand,
+    detail: `authctl ready for ${serviceConfig.auth.resource_server.id}`,
+  };
+}
+
+function runClientCommand(action = "", rest: string[]) {
+  if (action === "create") {
+    authctl([
+      "clients",
+      "create",
+      "--client-app",
+      serviceConfig.auth.client.app_id,
+      "--client-identity",
+      serviceConfig.auth.client.identity,
+      ...defaultClientTargetArgs(rest),
+      "--stage",
+      serviceConfig.stage_default,
+      "--yes",
+      "--json",
+      ...rest,
+    ]);
+    return "Auth client created";
+  }
+
+  if (["list", "get", "rotate", "revoke"].includes(action)) {
+    authctl(["clients", action, ...rest]);
+    return `Auth client ${action} finished`;
+  }
+
+  throw new Error("Usage: service auth client <create|list|get|rotate|revoke> [args]");
+}
+
+function defaultClientTargetArgs(rest: string[]) {
+  const hasResourceServer = hasFlag(rest, "--resource-server");
+  const hasScope = hasFlag(rest, "--scope");
+  return [
+    ...(hasResourceServer ? [] : ["--resource-server", serviceConfig.auth.resource_server.id]),
+    ...(hasScope ? [] : serviceConfig.auth.resource_server.default_scopes.flatMap((scope) => ["--scope", scope])),
+  ];
+}
+
+function hasFlag(args: string[], name: string) {
+  return args.some((arg) => arg === name || arg.startsWith(`${name}=`));
+}
+
+function ensureResourceServerCommandAvailable(): ResourceServerMutationCommand {
+  const doctor = runAuthDoctor();
+  if (!doctor.hasAuthctl || !doctor.hasResourceServerCommands) {
+    throw new Error(doctor.detail);
+  }
+  if (!doctor.resourceServerCommand?.mutationAction) {
+    throw new Error("authctl resource-server command discovery failed");
+  }
+  return doctor.resourceServerCommand as ResourceServerMutationCommand;
+}
+
+function resolveResourceServerCommand(): ResourceServerCommand | undefined {
+  for (const subject of ["resource-servers", "resource-server", "resources"]) {
+    const help = authctl([subject, "--help"], { allowFailure: true, quiet: true });
+    const output = `${help.stdout}\n${help.stderr}`;
+    if (!help.success || !output.includes(subject)) {
+      continue;
+    }
+    const actions = ["upsert", "create", "get", "list"].filter((candidate) => output.includes(candidate));
+    const mutationAction = actions.includes("upsert") ? "upsert" : actions.includes("create") ? "create" : undefined;
+    if (actions.length > 0) {
+      return { subject, mutationAction, actions };
+    }
+  }
+  return undefined;
+}
+
+function authctl(args: string[], options: { allowFailure?: boolean; quiet?: boolean } = {}): CommandResult {
+  const command = authctlPath();
+  if (!command) {
+    throw new Error("authctl is not installed; run bun install in this generated service or link @anmho/authctl");
+  }
+
+  const result = Bun.spawnSync([command, ...args], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdin: "inherit",
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  const output = {
+    success: result.success,
+    stdout: result.stdout ? decoder.decode(result.stdout).trim() : "",
+    stderr: result.stderr ? decoder.decode(result.stderr).trim() : "",
+    exitCode: result.exitCode,
+  };
+
+  if (!output.success && !options.allowFailure) {
+    throw new Error(`authctl ${args.join(" ")} failed with exit code ${output.exitCode}\n${output.stderr || output.stdout}`);
+  }
+
+  if (output.stdout && !options.quiet) {
+    console.log(output.stdout);
+  }
+
+  return output;
+}
+
+function authctlPath() {
+  return existsSync("./node_modules/.bin/authctl") ? "./node_modules/.bin/authctl" : Bun.which("authctl");
+}

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -1,5 +1,4 @@
 import { config } from "./config";
-import { publishProviderRuntimeSecrets } from "./integrations";
 import { ensureDatabase, getConnectionUri, resolveNeonConfig } from "./neon";
 import {
   addSecretVersion,
@@ -9,11 +8,11 @@ import {
   ensureProjectRole,
   ensureSecretAccessor,
   ensureServiceAccount,
-  ensureStorageBucket,
   gcloud,
   requireCommand,
   requireGcloudAuth,
   resolveDeploymentTarget,
+  resolveTemporalRuntimeConfig,
   runMain,
   runStep,
 } from "./lib";
@@ -31,8 +30,6 @@ export async function bootstrap() {
   });
 
   await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
-  await runStep("Ensuring attachment storage bucket", () => ensureStorageBucket());
-
   await runStep("Granting project roles", () => {
     ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
   });
@@ -53,7 +50,19 @@ export async function bootstrap() {
     ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   });
 
-  await runStep("Publishing provider runtime secrets", () => publishProviderRuntimeSecrets(target));
+  await runStep("Publishing Temporal secrets", () => publishTemporalSecrets());
+}
+
+function publishTemporalSecrets() {
+  const temporal = resolveTemporalRuntimeConfig();
+  const apiKey = process.env.TEMPORAL_API_KEY?.trim();
+  if (!apiKey || !temporal.apiKeySecretName) {
+    return "No Temporal API key configured";
+  }
+
+  addSecretVersion(temporal.apiKeySecretName, apiKey);
+  ensureSecretAccessor(temporal.apiKeySecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  return temporal.apiKeySecretName;
 }
 
 if (import.meta.main) {

package/templates/shared/scripts/cloudrun/cleanup.ts

@@ -1,17 +1,22 @@
-import { log } from "@clack/prompts";
+import { confirm, isCancel, log } from "@clack/prompts";
 import { config } from "./config";
 import { deleteBranch, deleteDatabase, listBranches, resolveNeonConfig } from "./neon";
 import {
+  assertOwnedResource,
   deleteProject,
   deleteProductionDomainMapping,
   deleteSecret,
   deleteService,
   deleteServiceAccount,
+  describeCloudRunService,
+  describeProductionDomainMapping,
+  describeSecret,
   listCloudRunServices,
   listSecrets,
   parseCleanupArgs,
   requireCommand,
   requireGcloudAuth,
+  run,
   runMain,
   runStep,
 } from "./lib";
@@ -21,7 +26,12 @@ function matchesServiceResource(name: string) {
 }
 
 function matchesSecretResource(name: string) {
-  return name === `${config.serviceName}-database-url` || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+  return (
+    name === `${config.serviceName}-database-url` ||
+    name === config.temporal.apiKeySecretName ||
+    name.startsWith(`${config.serviceName}-pr-`) ||
+    name.startsWith(`${config.serviceName}-dev-`)
+  );
 }
 
 export async function cleanup(args = Bun.argv.slice(2)) {
@@ -29,13 +39,16 @@ export async function cleanup(args = Bun.argv.slice(2)) {
   requireGcloudAuth();
 
   const options = parseCleanupArgs(args);
+  await requireDestroyConfirmation(options.force);
 
+  await runStep(`Verifying production domain mapping ${config.domain.hostname}`, () => assertProductionDomainMappingOwned());
   await runStep(`Deleting production domain mapping ${config.domain.hostname}`, () => deleteProductionDomainMapping());
 
   const services = await runStep("Finding Cloud Run services", () => listCloudRunServices());
   const serviceNames = services.filter(matchesServiceResource);
   await runStep("Deleting Cloud Run services", () => {
     for (const serviceName of serviceNames) {
+      assertOwnedResource(`Cloud Run service ${serviceName}`, describeCloudRunService(serviceName));
       deleteService(serviceName);
     }
   });
@@ -44,6 +57,7 @@ export async function cleanup(args = Bun.argv.slice(2)) {
   const secretNames = secrets.filter(matchesSecretResource);
   await runStep("Deleting service secrets", () => {
     for (const secretName of secretNames) {
+      assertOwnedResource(`Secret ${secretName}`, describeSecret(secretName));
       deleteSecret(secretName);
     }
   });
@@ -68,6 +82,8 @@ export async function cleanup(args = Bun.argv.slice(2)) {
     log.step(error instanceof Error ? error.message : String(error));
   }
 
+  await runStep("Deleting Grafana resources", async () => deleteGrafanaResources());
+
   await runStep("Deleting service-specific identity resources", () => {
     deleteServiceAccount(config.runtimeServiceAccount);
   });
@@ -78,9 +94,53 @@ export async function cleanup(args = Bun.argv.slice(2)) {
   }
 
   log.step(`Production API hostname released: ${config.domain.hostname}`);
-  return `Cleanup finished for ${config.serviceName}`;
+  return `Destroy finished for ${config.serviceName}`;
+}
+
+async function deleteGrafanaResources() {
+  if (!(await Bun.file("./grafana").exists())) {
+    return "No grafana directory configured";
+  }
+  if (!Bun.which("gcx")) {
+    return "gcx is not installed; Grafana resources were not deleted";
+  }
+
+  run("gcx", ["resources", "delete", "--path", "./grafana", "--yes", "--on-error", "ignore"]);
+  return "Grafana resources deleted from local manifests";
+}
+
+function assertProductionDomainMappingOwned() {
+  const mapping = describeProductionDomainMapping();
+  if (!mapping) {
+    return;
+  }
+
+  const routeName = mapping.spec?.routeName;
+  if (routeName !== config.serviceName) {
+    throw new Error(`${config.domain.hostname} maps to ${routeName || "an unknown service"}; refusing to delete ambiguous DNS mapping`);
+  }
+
+  assertOwnedResource(`Cloud Run service ${routeName}`, describeCloudRunService(routeName));
+}
+
+async function requireDestroyConfirmation(force: boolean) {
+  if (force) {
+    return;
+  }
+
+  if (!process.stdin.isTTY) {
+    throw new Error("service destroy requires --force when running non-interactively");
+  }
+
+  const answer = await confirm({
+    message: `Destroy resources owned by ${config.serviceName}?`,
+    initialValue: false,
+  });
+  if (isCancel(answer) || !answer) {
+    throw new Error("Destroy cancelled");
+  }
 }
 
 if (import.meta.main) {
-  await runMain("Cleanup", () => cleanup(Bun.argv.slice(2)));
+  await runMain("Destroy", () => cleanup(Bun.argv.slice(2)));
 }