dcl-ops-lib 5.17.0

package/createBucketWithUser.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBucketWithUser = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+function createBucketWithUser(name, bucketArgs) {
+    const user = new aws.iam.User(name, {
+        name,
+    });
+    const unprivilegedUserCreds = new aws.iam.AccessKey(name + "-key", {
+        user: user.name,
+    });
+    const bucket = new aws.s3.Bucket(name, bucketArgs);
+    const role = new aws.iam.Role(`${name}-role`, {
+        description: `Manage ${name} and make it publicly available`,
+        assumeRolePolicy: user.arn.apply((arn) => {
+            return aws.iam.assumeRolePolicyForPrincipal({ AWS: arn });
+        }),
+    });
+    const policyString = publicReadWithUserWrite(user.arn, bucket.bucket).apply((_) => _);
+    const bucketPolicy = new aws.s3.BucketPolicy(`${name}-read-policy`, {
+        bucket: bucket.bucket,
+        policy: policyString,
+    });
+    return {
+        role,
+        user: user.arn,
+        bucket: bucket.bucket,
+        bucketPolicyId: bucketPolicy.id,
+        accessKeyId: unprivilegedUserCreds.id,
+        secretAccessKey: unprivilegedUserCreds.secret,
+    };
+}
+exports.createBucketWithUser = createBucketWithUser;
+function publicReadWithUserWrite(userArn, bucketName) {
+    return pulumi.interpolate `{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": "*",
+        "Action": ["s3:GetObject"],
+        "Resource": ["arn:aws:s3:::${bucketName}/*"]
+      },
+      {
+        "Effect": "Allow",
+        "Action": ["s3:*"],
+        "Principal": {
+          "AWS": ["${userArn}"]
+        },
+        "Resource": [
+          "arn:aws:s3:::${bucketName}",
+          "arn:aws:s3:::${bucketName}/*"
+        ]
+      }
+    ]
+  }`;
+}
+//# sourceMappingURL=createBucketWithUser.js.map

package/createFargateTask.d.ts

@@ -0,0 +1,100 @@
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
+import * as pulumi from "@pulumi/pulumi";
+import { ExtraExposedServiceOptions } from "./exposePublicService";
+export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => pulumi.Output<aws.ecs.LogConfiguration>;
+export declare function getClusterInstance(cluster: string | awsx.ecs.Cluster | undefined): awsx.ecs.Cluster;
+export declare type ALBMapping = {
+    domain: string;
+    dockerListeningPort: number;
+    healthCheck?: Partial<ApplicationTargetGroupHealthCheck>;
+    extraExposedServiceOptions?: ExtraExposedServiceOptions;
+};
+export declare function getFargateExecutionRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
+    role: aws.iam.Role;
+    policies: aws.iam.RolePolicyAttachment[];
+};
+export declare function getFargateTaskRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
+    role: aws.iam.Role;
+    policies: aws.iam.RolePolicyAttachment[];
+};
+/**
+ *
+ * @param serviceName A name for this service. For example, "builder-api"
+ * @param dockerImage The docker image to run. "decentraland/builder-server" or "https://myregistry.com/org/imagename"
+ * @param dockerListeningPort The port where the HTTP API is exposed.
+ * @param environment Mapping of environment variables for the container
+ * @param hostname Domain where to serve this API
+ * @param options.securityGroups Additional Security Groups to add to the container. For example, the security group allowed to access a DB or an S3 bucket.
+ * @param options.cluster The cluster where to run this. If none is provided, the `defaultCluster` will be used ({@see infra/defaultCluster.ts})
+ * @param options.healthCheckPath
+ * @param options.policyArnNamedMap key-value named map of policies to attach to the default execution role for this task
+ */
+export declare function createFargateTask(serviceName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string> | awsx.ecs.ContainerImageProvider, dockerListeningPort: number, environment: {
+    name: string;
+    value: pulumi.Input<string>;
+    secret?: boolean;
+}[], hostname: string, options: {
+    securityGroups?: (string | pulumi.Output<string>)[];
+    cluster?: awsx.ecs.Cluster | string;
+    healthCheck?: Partial<ApplicationTargetGroupHealthCheck>;
+    desiredCount?: number;
+    memoryReservation?: number;
+    cpuReservation?: number;
+    /**
+     * @deprecated use createInternalService() instead
+     */
+    dontExpose?: true;
+    version?: string;
+    essential?: boolean;
+    command?: string[];
+    extraExposedServiceOptions?: ExtraExposedServiceOptions;
+    extraPortMappings?: aws.ecs.PortMapping[];
+    extraALBMappings?: ALBMapping[];
+    executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    secrets?: aws.ecs.Secret[] | pulumi.Input<aws.ecs.Secret[]>;
+    ignoreServiceDiscovery?: boolean;
+    team: "dapps" | "platform" | "data" | "marketing" | "infra";
+    metrics?: {
+        port?: number | string;
+        path: "/metrics";
+        jobName?: string;
+    };
+    dontAssignPublicIp?: boolean;
+    dependsOn?: pulumi.Resource[];
+    volumes?: aws.types.input.ecs.TaskDefinitionVolume[] | pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
+    deregistrationDelay?: pulumi.Input<number>;
+    mountPoints?: pulumi.Input<aws.ecs.MountPoint[]>;
+}): Promise<{
+    service: awsx.ecs.FargateService;
+    endpoint: string;
+    exposed?: undefined;
+} | {
+    endpoint: string;
+    service: awsx.ecs.FargateService;
+    exposed: {
+        domain: string;
+        certificate: pulumi.Input<string>;
+        record: void | aws.route53.Record;
+        targetGroup: awsx.elasticloadbalancingv2.ApplicationTargetGroup;
+        cloudflareRecord: void | import("@pulumi/cloudflare").Record;
+    };
+}>;
+export declare type InternalServiceOptions = {
+    serviceName: string;
+    cluster?: string | awsx.ecs.Cluster;
+    securityGroups?: awsx.ec2.SecurityGroupOrId[];
+    ignoreServiceDiscovery?: boolean;
+    serviceDiscoveryPort?: number;
+    desiredCount?: number;
+    executionRole?: aws.iam.Role;
+    taskRole?: aws.iam.Role;
+    containerInfo: awsx.ecs.Container;
+    assignPublicIp?: boolean;
+    dependsOn?: pulumi.Resource[];
+    volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
+    team: string;
+};
+export declare function createInternalService(config: InternalServiceOptions): Promise<awsx.ecs.FargateService>;

package/createFargateTask.js

@@ -0,0 +1,321 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInternalService = exports.createFargateTask = exports.getFargateTaskRole = exports.getFargateExecutionRole = exports.getClusterInstance = exports.getDefaultLogs = void 0;
+const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
+const pulumi = require("@pulumi/pulumi");
+const acceptAlb_1 = require("./acceptAlb");
+const acceptBastion_1 = require("./acceptBastion");
+const accessTheInternet_1 = require("./accessTheInternet");
+const domain_1 = require("./domain");
+const exposePublicService_1 = require("./exposePublicService");
+const network_1 = require("./network");
+const utils_1 = require("./utils");
+const vpc_1 = require("./vpc");
+const supra_1 = require("./supra");
+const stack_1 = require("./stack");
+const getDefaultLogs = (serviceName, logGroup) => pulumi.all([logGroup.id]).apply(([logGroupId]) => ({
+    logDriver: "awslogs",
+    options: {
+        "awslogs-group": logGroupId,
+        "awslogs-region": "us-east-1",
+        "awslogs-stream-prefix": serviceName,
+    },
+}));
+exports.getDefaultLogs = getDefaultLogs;
+const extraOpts = {
+    customTimeouts: {
+        create: "15m",
+        update: "15m",
+        delete: "15m",
+    },
+};
+const cachedClusterInstances = {};
+function getClusterInstance(cluster) {
+    if (undefined === cluster) {
+        const defaultClusterName = `${domain_1.env}-main`;
+        cluster = defaultClusterName;
+    }
+    if (typeof cluster === "string") {
+        if (!cachedClusterInstances[cluster]) {
+            cachedClusterInstances[cluster] = new awsx.ecs.Cluster(cluster + "-ref", {
+                cluster: aws.ecs.Cluster.get(cluster + "-ref-2", cluster),
+            });
+        }
+        return cachedClusterInstances[cluster];
+    }
+    return cluster;
+}
+exports.getClusterInstance = getClusterInstance;
+function getFargateExecutionRole(name, policyArnNamedMap) {
+    const assumeRolePolicy = awsx.ecs.TaskDefinition.defaultRoleAssumeRolePolicy();
+    const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
+    const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
+    const policies = [];
+    awsx.ecs.TaskDefinition.defaultExecutionRolePolicyARNs().forEach((policyArn) => {
+        policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
+    });
+    Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
+        if (policyArn instanceof aws.iam.Policy) {
+            policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
+        }
+        else {
+            policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn }, { parent: role }));
+        }
+    });
+    return { role, policies };
+}
+exports.getFargateExecutionRole = getFargateExecutionRole;
+function getFargateTaskRole(name, policyArnNamedMap) {
+    const assumeRolePolicy = awsx.ecs.TaskDefinition.defaultRoleAssumeRolePolicy();
+    const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
+    const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
+    const policies = [];
+    awsx.ecs.TaskDefinition.defaultTaskRolePolicyARNs().forEach((policyArn) => {
+        policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
+    });
+    Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
+        if (policyArn instanceof aws.iam.Policy) {
+            policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
+        }
+        else {
+            policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn }, { parent: role }));
+        }
+    });
+    return { role, policies };
+}
+exports.getFargateTaskRole = getFargateTaskRole;
+/**
+ *
+ * @param serviceName A name for this service. For example, "builder-api"
+ * @param dockerImage The docker image to run. "decentraland/builder-server" or "https://myregistry.com/org/imagename"
+ * @param dockerListeningPort The port where the HTTP API is exposed.
+ * @param environment Mapping of environment variables for the container
+ * @param hostname Domain where to serve this API
+ * @param options.securityGroups Additional Security Groups to add to the container. For example, the security group allowed to access a DB or an S3 bucket.
+ * @param options.cluster The cluster where to run this. If none is provided, the `defaultCluster` will be used ({@see infra/defaultCluster.ts})
+ * @param options.healthCheckPath
+ * @param options.policyArnNamedMap key-value named map of policies to attach to the default execution role for this task
+ */
+function createFargateTask(serviceName, dockerImage, dockerListeningPort, environment, hostname, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let { healthCheck, essential, dontExpose, securityGroups, cluster, memoryReservation, command, version, desiredCount, cpuReservation, extraPortMappings, extraALBMappings, executionRolePolicies, taskRolePolicies, ignoreServiceDiscovery, secrets, metrics, dontAssignPublicIp, dependsOn, volumes, deregistrationDelay, mountPoints, team, } = options;
+        if (undefined === essential) {
+            essential = true;
+        }
+        if (undefined === memoryReservation) {
+            memoryReservation = 512;
+        }
+        if (undefined === cpuReservation) {
+            cpuReservation = 256;
+        }
+        if (undefined === desiredCount) {
+            desiredCount = 1;
+        }
+        if (undefined === securityGroups) {
+            securityGroups = [];
+        }
+        if (undefined === version) {
+            version = (0, stack_1.getStackId)();
+        }
+        if (undefined === extraPortMappings) {
+            extraPortMappings = [];
+        }
+        if (undefined === extraALBMappings) {
+            extraALBMappings = [];
+        }
+        if (undefined === dependsOn) {
+            dependsOn = [];
+        }
+        if (undefined === mountPoints) {
+            dependsOn = [];
+        }
+        const { role: executionRole, policies: executionPolicies } = getFargateExecutionRole(`${serviceName}-${version}-execution`, executionRolePolicies || {});
+        dependsOn.push(...executionPolicies);
+        const { role: taskRole, policies } = getFargateTaskRole(`${serviceName}-${version}-task`, taskRolePolicies || {});
+        dependsOn.push(...policies);
+        let dockerLabels = {};
+        if (metrics && (metrics.port || dockerListeningPort)) {
+            dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT =
+                "" + (metrics.port || dockerListeningPort);
+            dockerLabels.ECS_PROMETHEUS_METRICS_PATH = metrics.path || "/metrics";
+            if (metrics.jobName) {
+                dockerLabels.ECS_PROMETHEUS_JOB_NAME = metrics.jobName;
+            }
+            else {
+                dockerLabels.ECS_PROMETHEUS_JOB_NAME = serviceName;
+            }
+        }
+        // this port should be the internal port used for administrative purposes
+        let serviceDiscoveryPort = dockerListeningPort;
+        if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
+            const vpc = yield (0, vpc_1.getVpc)();
+            const ingress = [];
+            new Set(dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT.split(/;/g).map(($) => parseInt($))).forEach((port) => {
+                // create a security group to enable metrics access by cwagent from inside the VPC
+                ingress.push({
+                    fromPort: port,
+                    toPort: port,
+                    protocol: "tcp",
+                    cidrBlocks: [vpc.vpc.cidrBlock],
+                });
+                if (!extraPortMappings.find(($) => $.hostPort != metrics.port) &&
+                    (port != dockerListeningPort || dontExpose)) {
+                    extraPortMappings.push({
+                        containerPort: port,
+                        hostPort: port,
+                        protocol: "tcp",
+                    });
+                }
+                serviceDiscoveryPort = port;
+            });
+            if (ingress.length) {
+                const sg = new aws.ec2.SecurityGroup(`${serviceName}-${version}-metrics-sg`, {
+                    vpcId: vpc.id,
+                    ingress,
+                });
+                securityGroups.push(sg.id);
+            }
+        }
+        if (dontExpose) {
+            const service = yield createInternalService({
+                serviceName,
+                cluster,
+                desiredCount,
+                assignPublicIp: !dontAssignPublicIp,
+                serviceDiscoveryPort,
+                ignoreServiceDiscovery,
+                securityGroups: [
+                    ...securityGroups,
+                    yield (0, accessTheInternet_1.accessTheInternetSecurityGroupId)(),
+                    yield (0, acceptBastion_1.acceptBastionSecurityGroupId)(),
+                ],
+                containerInfo: {
+                    secrets,
+                    environment,
+                    essential,
+                    image: dockerImage,
+                    command,
+                    memoryReservation,
+                    cpu: cpuReservation,
+                    portMappings: extraPortMappings,
+                    dockerLabels,
+                    mountPoints,
+                },
+                dependsOn,
+                volumes,
+                team,
+            });
+            return {
+                service,
+                endpoint: "not exposed",
+            };
+        }
+        const exposed = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${version}`, hostname, dockerListeningPort, healthCheck, undefined, options.extraExposedServiceOptions, deregistrationDelay);
+        const extraALBMappingsExposed = [];
+        for (let extraALBMapping of extraALBMappings) {
+            const exposedExtra = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, undefined, extraALBMapping.extraExposedServiceOptions);
+            extraALBMappingsExposed.push(exposedExtra.targetGroup);
+        }
+        const portMapping = exposed.targetGroup;
+        const service = yield createInternalService({
+            serviceName,
+            cluster,
+            desiredCount,
+            executionRole,
+            taskRole,
+            assignPublicIp: !dontAssignPublicIp,
+            ignoreServiceDiscovery,
+            securityGroups: [
+                ...securityGroups,
+                yield (0, accessTheInternet_1.accessTheInternetSecurityGroupId)(),
+                yield (0, acceptAlb_1.acceptAlbSecurityGroupId)(),
+                yield (0, acceptBastion_1.acceptBastionSecurityGroupId)(),
+            ],
+            serviceDiscoveryPort,
+            containerInfo: {
+                secrets,
+                environment,
+                portMappings: [
+                    ...extraPortMappings,
+                    ...extraALBMappingsExposed,
+                    portMapping,
+                ],
+                essential,
+                image: dockerImage,
+                command,
+                memoryReservation,
+                cpu: cpuReservation,
+                dockerLabels,
+                mountPoints,
+            },
+            dependsOn,
+            volumes,
+            team,
+        });
+        return { endpoint: `https://${hostname}/`, service, exposed };
+    });
+}
+exports.createFargateTask = createFargateTask;
+function createInternalService(config) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let { serviceName, cluster, securityGroups, ignoreServiceDiscovery, serviceDiscoveryPort, desiredCount, executionRole, taskRole, containerInfo, assignPublicIp, dependsOn, volumes, team, } = config;
+        if (!desiredCount)
+            desiredCount = 1;
+        assignPublicIp = !!assignPublicIp;
+        let serviceRegistries;
+        if (!ignoreServiceDiscovery) {
+            const serviceDiscovery = new aws.servicediscovery.Service(serviceName, {
+                name: serviceName,
+                description: "service discovery for " + serviceName,
+                dnsConfig: {
+                    dnsRecords: [
+                        { type: "A", ttl: 10 },
+                        { type: "SRV", ttl: 10 },
+                    ],
+                    namespaceId: (0, supra_1.getInternalServiceDiscoveryNamespaceId)(),
+                },
+            });
+            serviceRegistries = {
+                port: serviceDiscoveryPort,
+                registryArn: serviceDiscovery.arn,
+            };
+        }
+        const logGroup = new aws.cloudwatch.LogGroup((0, stack_1.getStackScopedName)(serviceName), {
+            name: (0, stack_1.getStackScopedName)(serviceName),
+            retentionInDays: 60,
+            tags: { ServiceName: serviceName, Team: team },
+        });
+        return new awsx.ecs.FargateService((0, stack_1.getStackScopedName)(serviceName), {
+            cluster: getClusterInstance(cluster),
+            tags: { ServiceName: serviceName, StackId: (0, stack_1.getStackId)() },
+            subnets: yield (0, network_1.getPrivateSubnetIds)(),
+            securityGroups: securityGroups,
+            serviceRegistries,
+            desiredCount,
+            enableEcsManagedTags: true,
+            assignPublicIp,
+            taskDefinitionArgs: {
+                executionRole,
+                taskRole,
+                tags: { ServiceName: serviceName, Team: team },
+                logGroup,
+                containers: {
+                    [serviceName]: Object.assign({ logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) }, containerInfo),
+                },
+                volumes: volumes,
+            },
+        }, Object.assign(Object.assign({}, extraOpts), { dependsOn }));
+    });
+}
+exports.createInternalService = createInternalService;
+//# sourceMappingURL=createFargateTask.js.map

package/createImageFromContext.d.ts

@@ -0,0 +1,12 @@
+import * as aws from "@pulumi/aws";
+import * as docker from "@pulumi/docker";
+import * as pulumi from "@pulumi/pulumi";
+export declare function createImageFromContext(name: string, context: string, options?: Partial<docker.DockerBuild>, imageOpts?: pulumi.ComponentResourceOptions): {
+    ecr: aws.ecr.Repository;
+    registry: pulumi.Output<{
+        server: string;
+        username: string;
+        password: string;
+    }>;
+    image: docker.Image;
+};

package/createImageFromContext.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createImageFromContext = void 0;
+const aws = require("@pulumi/aws");
+const docker = require("@pulumi/docker");
+const getImageRegistryAndCredentials_1 = require("./getImageRegistryAndCredentials");
+function createImageFromContext(name, context, options, imageOpts) {
+    const ecr = new aws.ecr.Repository(name);
+    const registry = (0, getImageRegistryAndCredentials_1.getImageRegistryAndCredentials)(ecr);
+    const image = new docker.Image(`${name}-image`, {
+        imageName: ecr.repositoryUrl,
+        build: Object.assign({ context, cacheFrom: true, env: {
+                DOCKER_BUILDKIT: "1",
+            } }, options),
+        registry: registry,
+    }, imageOpts);
+    return {
+        ecr,
+        registry,
+        image,
+    };
+}
+exports.createImageFromContext = createImageFromContext;
+//# sourceMappingURL=createImageFromContext.js.map

package/domain.d.ts

@@ -0,0 +1,10 @@
+declare const env: string;
+/** Internal TLD { prd=co stg=net dev=io }, managed by AWS */
+declare let envTLD: string;
+/** Public TLD { prd=org, stg=today dev=zone }, managed by Cloudflare */
+declare let publicTLD: string;
+export { env, envTLD, publicTLD };
+/** Internal domain for deployments i.e. "decentraland.co", managed by AWS */
+export declare const domain: string;
+/** Public domain for deployments i.e. "decentraland.org", managed by Cloudflare */
+export declare const publicDomain: string;

package/domain.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.publicDomain = exports.domain = exports.publicTLD = exports.envTLD = exports.env = void 0;
+const env = process.env["ENVIRONMENT"];
+exports.env = env;
+if (env === undefined) {
+    throw new Error("Set the ENVIRONMENT environment before proceeding");
+}
+/** Internal TLD { prd=co stg=net dev=io }, managed by AWS */
+let envTLD = "";
+exports.envTLD = envTLD;
+switch (env) {
+    case "biz":
+        exports.envTLD = envTLD = "systems";
+        break;
+    case "prd":
+        exports.envTLD = envTLD = "co";
+        break;
+    case "stg":
+        exports.envTLD = envTLD = "net";
+        break;
+    case "dev":
+    default:
+        exports.envTLD = envTLD = "io";
+        break;
+}
+/** Public TLD { prd=org, stg=today dev=zone }, managed by Cloudflare */
+let publicTLD = "";
+exports.publicTLD = publicTLD;
+switch (env) {
+    case "biz":
+        exports.publicTLD = publicTLD = "systems";
+        break;
+    case "prd":
+        exports.publicTLD = publicTLD = "org";
+        break;
+    case "stg":
+        exports.publicTLD = publicTLD = "today";
+        break;
+    case "dev":
+    default:
+        exports.publicTLD = publicTLD = "zone";
+        break;
+}
+/** Internal domain for deployments i.e. "decentraland.co", managed by AWS */
+exports.domain = `decentraland.${envTLD}`;
+/** Public domain for deployments i.e. "decentraland.org", managed by Cloudflare */
+exports.publicDomain = `decentraland.${publicTLD}`;
+//# sourceMappingURL=domain.js.map

package/exposePublicService.d.ts

@@ -0,0 +1,26 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import * as cf from "@pulumi/cloudflare";
+import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
+export declare type ExtraExposedServiceOptions = {
+    createCloudflareProxiedSubdomain?: boolean;
+    skipInternalDomain?: boolean;
+    targetGroupConditions?: pulumi.Input<aws.types.input.alb.ListenerRuleCondition>[];
+};
+/**
+ * Publicly expose a service on a given domain (with SSL). This will create a
+ * Target Group and a Listener for your microservice. Additionally, it will
+ * create a Route53 mapping of the DNS that will point to the load balancer.
+ *
+ * @param name the name of your service.
+ * @param domain
+ * @param port
+ */
+export declare function exposePublicService(name: string, domain: string, port: number, healthCheck?: Partial<ApplicationTargetGroupHealthCheck>, vpc?: awsx.ec2.Vpc, extraOptions?: ExtraExposedServiceOptions, deregistrationDelay?: pulumi.Input<number>): Promise<{
+    domain: string;
+    certificate: pulumi.Input<string>;
+    record: void | aws.route53.Record;
+    targetGroup: awsx.elasticloadbalancingv2.ApplicationTargetGroup;
+    cloudflareRecord: void | cf.Record;
+}>;