dcl-ops-lib 5.18.0 → 5.20.0

package/acceptAlb.d.ts

@@ -1,4 +1,8 @@
 import * as awsx from "@pulumi/awsx";
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
 export declare const acceptAlbSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
 export declare function acceptAlbSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
+/** Makes a given securityGropup accesible by the shared supra ALB */
+export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: awsx.ec2.SecurityGroup): void;
 export default acceptAlbSecurityGroup;

package/acceptAlb.js

@@ -9,19 +9,32 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.acceptAlbSecurityGroupId = exports.acceptAlbSecurityGroup = void 0;
+exports.makeSecurityGroupAccessibleFromSharedAlb = exports.acceptAlbSecurityGroupId = exports.acceptAlbSecurityGroup = void 0;
 const awsx = require("@pulumi/awsx");
 const values_1 = require("./values");
 const withCache_1 = require("./withCache");
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
 exports.acceptAlbSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)();
     return awsx.ec2.SecurityGroup.fromExistingId(`accept-alb-sg-reference`, config.acceptAlb);
 }));
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
 function acceptAlbSecurityGroupId() {
     return __awaiter(this, void 0, void 0, function* () {
         return (yield (0, exports.acceptAlbSecurityGroup)()).id;
     });
 }
 exports.acceptAlbSecurityGroupId = acceptAlbSecurityGroupId;
+/** Makes a given securityGropup accesible by the shared supra ALB */
+function makeSecurityGroupAccessibleFromSharedAlb(securityGroup) {
+    new awsx.ec2.IngressSecurityGroupRule("accept-alb-ingress-rule", securityGroup, {
+        sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
+        description: `Allow access from the supra ALB`,
+        fromPort: 0,
+        toPort: 0,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessibleFromSharedAlb = makeSecurityGroupAccessibleFromSharedAlb;
 exports.default = exports.acceptAlbSecurityGroup;
 //# sourceMappingURL=acceptAlb.js.map

package/acceptBastion.d.ts

@@ -1,4 +1,7 @@
 import * as awsx from "@pulumi/awsx";
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 export declare const acceptBastionSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 export declare function acceptBastionSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
+export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: awsx.ec2.SecurityGroup): void;
 export default acceptBastionSecurityGroup;

package/acceptBastion.js

@@ -9,19 +9,37 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.acceptBastionSecurityGroupId = exports.acceptBastionSecurityGroup = void 0;
+exports.makeSecurityGroupAccessibleFromBastion = exports.acceptBastionSecurityGroupId = exports.acceptBastionSecurityGroup = void 0;
 const awsx = require("@pulumi/awsx");
+const aws = require("@pulumi/aws");
 const values_1 = require("./values");
 const withCache_1 = require("./withCache");
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 exports.acceptBastionSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)();
     return awsx.ec2.SecurityGroup.fromExistingId(`accept-bastion-sg-reference`, config.acceptBastion);
 }));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 function acceptBastionSecurityGroupId() {
     return __awaiter(this, void 0, void 0, function* () {
         return (yield (0, exports.acceptBastionSecurityGroup)()).id;
     });
 }
 exports.acceptBastionSecurityGroupId = acceptBastionSecurityGroupId;
+const bastionSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, values_1.getEnvConfiguration)();
+    return config.bastionSecurityGroupId;
+}));
+function makeSecurityGroupAccessibleFromBastion(securityGroup) {
+    new aws.ec2.SecurityGroupRule("accesible-from-bastion", {
+        securityGroupId: securityGroup.id,
+        sourceSecurityGroupId: bastionSecurityGroupId(),
+        fromPort: -1,
+        toPort: -1,
+        type: "ingress",
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessibleFromBastion = makeSecurityGroupAccessibleFromBastion;
 exports.default = exports.acceptBastionSecurityGroup;
 //# sourceMappingURL=acceptBastion.js.map

package/accessTheInternet.d.ts

@@ -1,6 +1,14 @@
 import * as awsx from "@pulumi/awsx";
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
 export declare const accessCloudflareSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 export declare const accessTheInternetSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 export declare function accessTheInternetSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
 export default accessTheInternetSecurityGroup;
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
 export declare function accessFromCloudflareSecurityGroup(): Promise<import("@pulumi/pulumi").Output<string>>;
+/** Enables egress traffic to 0.0.0.0/0/all */
+export declare function makeSecurityGroupAccessTheInternet(securityGroup: awsx.ec2.SecurityGroup): void;
+/** Enables ingress traffic from cloudflare CIDRs */
+export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup: awsx.ec2.SecurityGroup): Promise<void>;

package/accessTheInternet.js

@@ -9,19 +9,24 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.accessFromCloudflareSecurityGroup = exports.accessTheInternetSecurityGroupId = exports.accessTheInternetSecurityGroup = exports.accessCloudflareSecurityGroup = void 0;
+exports.makeSecurityGroupAccessibleByCloudflare = exports.makeSecurityGroupAccessTheInternet = exports.accessFromCloudflareSecurityGroup = exports.accessTheInternetSecurityGroupId = exports.accessTheInternetSecurityGroup = exports.accessCloudflareSecurityGroup = void 0;
 const awsx = require("@pulumi/awsx");
+const cloudflare = require("@pulumi/cloudflare");
 const supra_1 = require("./supra");
 const values_1 = require("./values");
 const withCache_1 = require("./withCache");
+const utils_1 = require("./utils");
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
 exports.accessCloudflareSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)(); // ?
     return awsx.ec2.SecurityGroup.fromExistingId(`accept-cloudflare-web-sg-reference`, supra_1.supra.getOutputValue(`cloudflareAcceptWeb`));
 }));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 exports.accessTheInternetSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)(); // ?
     return awsx.ec2.SecurityGroup.fromExistingId(`access-the-internet-sg-reference`, supra_1.supra.getOutputValue(`accessTheInternet`));
 }));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
 function accessTheInternetSecurityGroupId() {
     return __awaiter(this, void 0, void 0, function* () {
         return (yield (0, exports.accessTheInternetSecurityGroup)()).id;
@@ -29,10 +34,45 @@ function accessTheInternetSecurityGroupId() {
 }
 exports.accessTheInternetSecurityGroupId = accessTheInternetSecurityGroupId;
 exports.default = exports.accessTheInternetSecurityGroup;
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
 function accessFromCloudflareSecurityGroup() {
     return __awaiter(this, void 0, void 0, function* () {
         return (yield (0, exports.accessCloudflareSecurityGroup)()).id;
     });
 }
 exports.accessFromCloudflareSecurityGroup = accessFromCloudflareSecurityGroup;
+/** Enables egress traffic to 0.0.0.0/0/all */
+function makeSecurityGroupAccessTheInternet(securityGroup) {
+    securityGroup.createEgressRule("access-the-internet", {
+        cidrBlocks: ["0.0.0.0/0"],
+        fromPort: -1,
+        toPort: -1,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessTheInternet = makeSecurityGroupAccessTheInternet;
+/** Enables ingress traffic from cloudflare CIDRs */
+function makeSecurityGroupAccessibleByCloudflare(securityGroup) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const ips = yield cloudflare.getIpRanges({});
+        for (let block of ips.ipv4CidrBlocks) {
+            const hash = (0, utils_1.sha256hash)(block).substr(0, 6);
+            securityGroup.createIngressRule(`accept-cf-80-${hash}`, {
+                protocol: "tcp",
+                fromPort: 80,
+                toPort: 80,
+                cidrBlocks: [block],
+                description: `pulumi-supra-${hash}`,
+            });
+            securityGroup.createIngressRule(`accept-cf-443-${hash}`, {
+                protocol: "tcp",
+                fromPort: 443,
+                toPort: 443,
+                cidrBlocks: [block],
+                description: `pulumi-supra-${hash}`,
+            });
+        }
+    });
+}
+exports.makeSecurityGroupAccessibleByCloudflare = makeSecurityGroupAccessibleByCloudflare;
 //# sourceMappingURL=accessTheInternet.js.map

package/createFargateTask.js

@@ -15,7 +15,6 @@ const awsx = require("@pulumi/awsx");
 const pulumi = require("@pulumi/pulumi");
 const acceptAlb_1 = require("./acceptAlb");
 const acceptBastion_1 = require("./acceptBastion");
-const accessTheInternet_1 = require("./accessTheInternet");
 const domain_1 = require("./domain");
 const exposePublicService_1 = require("./exposePublicService");
 const network_1 = require("./network");
@@ -24,6 +23,7 @@ const vpc_1 = require("./vpc");
 const supra_1 = require("./supra");
 const stack_1 = require("./stack");
 const prometheus_1 = require("./prometheus");
+const accessTheInternet_1 = require("./accessTheInternet");
 const getDefaultLogs = (serviceName, logGroup) => pulumi.all([logGroup.id]).apply(([logGroupId]) => ({
     logDriver: "awslogs",
     options: {
@@ -157,12 +157,20 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
         }
         // this port should be the internal port used for administrative purposes
         let serviceDiscoveryPort = dockerListeningPort;
+        const vpc = yield (0, vpc_1.getVpc)();
+        const taskSecurityGroup = new awsx.ec2.SecurityGroup(`${serviceName}-${version}`, {
+            vpc,
+        });
         if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
-            const vpc = yield (0, vpc_1.getVpc)();
-            const ingress = [];
+            let fromPort = 0;
+            let toPort = 0;
             new Set(dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT.split(/;/g).map(($) => parseInt($))).forEach((port) => {
+                if (fromPort == 0 || fromPort > port)
+                    fromPort = port;
+                if (toPort == 0 || toPort < port)
+                    toPort = port;
                 // create a security group to enable metrics access by cwagent from inside the VPC
-                ingress.push({
+                taskSecurityGroup.createIngressRule(`metrics-${port}`, {
                     fromPort: port,
                     toPort: port,
                     protocol: "tcp",
@@ -177,18 +185,13 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
                 }
                 serviceDiscoveryPort = port;
             });
-            if (ingress.length) {
-                const sg = new aws.ec2.SecurityGroup(`${serviceName}-${version}-metrics-sg`, {
-                    vpcId: vpc.id,
-                    ingress,
-                });
-                securityGroups.push(sg.id);
-            }
-            const prometheusSg = yield (0, prometheus_1.acceptPrometheusSgId)();
-            if (!securityGroups.includes(prometheusSg)) {
-                securityGroups.push(prometheusSg);
-            }
+            // enable prometheus to access fromPort-toPort
+            (0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort);
         }
+        // enable egress traffic from the task to the internet
+        (0, accessTheInternet_1.makeSecurityGroupAccessTheInternet)(taskSecurityGroup);
+        // make the container fully accessible from the bastion of the environment
+        (0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup);
         if (dontExpose) {
             const service = yield createInternalService({
                 serviceName,
@@ -197,11 +200,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
                 assignPublicIp: !dontAssignPublicIp,
                 serviceDiscoveryPort,
                 ignoreServiceDiscovery,
-                securityGroups: [
-                    ...securityGroups,
-                    yield (0, accessTheInternet_1.accessTheInternetSecurityGroupId)(),
-                    yield (0, acceptBastion_1.acceptBastionSecurityGroupId)(),
-                ],
+                securityGroups: [taskSecurityGroup.id, ...securityGroups],
                 containerInfo: {
                     secrets,
                     environment,
@@ -230,6 +229,8 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             extraALBMappingsExposed.push(exposedExtra.targetGroup);
         }
         const portMapping = exposed.targetGroup;
+        // make the service accesible by the ALB
+        (0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
         const service = yield createInternalService({
             serviceName,
             cluster,
@@ -238,12 +239,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             taskRole,
             assignPublicIp: !dontAssignPublicIp,
             ignoreServiceDiscovery,
-            securityGroups: [
-                ...securityGroups,
-                yield (0, accessTheInternet_1.accessTheInternetSecurityGroupId)(),
-                yield (0, acceptAlb_1.acceptAlbSecurityGroupId)(),
-                yield (0, acceptBastion_1.acceptBastionSecurityGroupId)(),
-            ],
+            securityGroups: [taskSecurityGroup.id, ...securityGroups],
             serviceDiscoveryPort,
             containerInfo: {
                 secrets,

package/exposePublicService.js

@@ -44,12 +44,12 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
         const slug = name;
         const targetVpc = vpc ? vpc : awsx.ec2.Vpc.getDefault();
         const targetDeregistrationDelay = deregistrationDelay ? deregistrationDelay : 300;
-        const targetGroup = alb.createTargetGroup(("tg-" + slug).substr(-32) /* last 32 chars */, {
+        const targetGroup = alb.createTargetGroup("tg-" + slug.substr(-32 + 12) /* last 32 chars, and take 7 chars for the -hash appended by pulumi */, {
             protocol: "HTTP",
             port,
             healthCheck: healthCheckValue,
             vpc: targetVpc,
-            deregistrationDelay: targetDeregistrationDelay
+            deregistrationDelay: targetDeregistrationDelay,
         });
         const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(domain);
         const enabledHostnames = [];

package/lambda.js

@@ -66,7 +66,7 @@ function createLambda(fullyQualifiedDomainName, config) {
             });
         }
         const name = (0, stack_1.getStackScopedName)((subdomain || "ROOTDOMAIN") + "-" + lambdaName);
-        const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs12.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
+        const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs14.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
                 new pulumi.asset.AssetArchive({
                     [(0, path_1.basename)(file)]: new pulumi.asset.FileAsset(file),
                 }), role: (extra === null || extra === void 0 ? void 0 : extra.role) || lambdaApiGatewayRole.arn }, extra));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcl-ops-lib",
-  "version": "5.18.0",
+  "version": "5.20.0",
   "scripts": {
     "build": "tsc && cp bin/* .",
     "clean": "rm *.d.ts *.js *.js.map"
@@ -27,11 +27,11 @@
     "typescript": "^4.4.3"
   },
   "dependencies": {
-    "@pulumi/aws": "^4.21.2",
+    "@pulumi/aws": "^4.22.0",
     "@pulumi/awsx": "^0.31.0",
-    "@pulumi/cloudflare": "^3.5.0",
+    "@pulumi/cloudflare": "^4.0.0",
     "@pulumi/docker": "^3.1.0",
-    "@pulumi/pulumi": "^3.13.0",
+    "@pulumi/pulumi": "^3.13.2",
     "mime": "^2.5.2"
   }
 }

package/prometheus.d.ts

@@ -1,3 +1,5 @@
 import * as pulumi from "@pulumi/pulumi";
+import * as awsx from "@pulumi/awsx";
 export declare const prometheusStack: () => Promise<pulumi.StackReference>;
-export declare const acceptPrometheusSgId: () => Promise<string>;
+export declare const prometheusSecurityGroupId: () => Promise<string>;
+export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number): void;

package/prometheus.js

@@ -9,15 +9,26 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.acceptPrometheusSgId = exports.prometheusStack = void 0;
+exports.makeSecurityGroupAccessibleByPrometheus = exports.prometheusSecurityGroupId = exports.prometheusStack = void 0;
 const pulumi = require("@pulumi/pulumi");
+const awsx = require("@pulumi/awsx");
 const domain_1 = require("./domain");
 const withCache_1 = require("./withCache");
 exports.prometheusStack = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     return new pulumi.StackReference(`prometheus-${domain_1.env}`);
 }));
-exports.acceptPrometheusSgId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+exports.prometheusSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const prom = yield (0, exports.prometheusStack)();
-    return (yield prom.requireOutputValue("acceptPrometheusSecurityGroupId"));
+    return (yield prom.requireOutputValue("prometheusSecurityGroupId"));
 }));
+function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0) {
+    new awsx.ec2.IngressSecurityGroupRule(`accept-prom-${fromPort}-${toPort}`, securityGroup, {
+        sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
+        description: `Allow access from prometheus`,
+        fromPort,
+        toPort,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessibleByPrometheus = makeSecurityGroupAccessibleByPrometheus;
 //# sourceMappingURL=prometheus.js.map

package/values.d.ts

@@ -4,8 +4,12 @@ export declare type EnvironmentValues = {
     publicSubnets: Subnet[];
     privateSubnets: Subnet[];
     internalSubnets: Subnet[];
+    /** @deprecated */
     acceptAlb: string;
+    /** @deprecated */
     acceptBastion: string;
     dbSecurity: string;
+    albSecurityGroupId: string;
+    bastionSecurityGroupId: string;
 };
 export declare const getEnvConfiguration: () => Promise<EnvironmentValues>;

package/values.js

@@ -23,6 +23,8 @@ exports.getEnvConfiguration = (0, withCache_1.default)(function () {
             acceptAlb: yield supra_1.supra.getOutputValue("acceptAlbSecurityGroupId"),
             acceptBastion: yield supra_1.supra.getOutputValue("acceptBastionSecurityGroupId"),
             dbSecurity: yield supra_1.supra.getOutputValue("acceptDbSecurityGroupId"),
+            albSecurityGroupId: yield supra_1.supra.getOutputValue("albSecurityGroupId"),
+            bastionSecurityGroupId: yield supra_1.supra.getOutputValue("bastionSecurityGroupId"),
         };
     });
 });