dcl-ops-lib 5.21.2 → 5.23.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/acceptAlb.d.ts +1 -1
- package/acceptAlb.js +3 -2
- package/acceptBastion.d.ts +1 -1
- package/acceptBastion.js +4 -3
- package/accessTheInternet.d.ts +1 -1
- package/accessTheInternet.js +2 -2
- package/createFargateTask.js +4 -4
- package/exposePublicService.d.ts +9 -2
- package/exposePublicService.js +27 -8
- package/package.json +1 -1
- package/prometheus.d.ts +1 -1
- package/prometheus.js +3 -2
- package/utils.d.ts +1 -0
- package/utils.js +8 -1
package/acceptAlb.d.ts
CHANGED
|
@@ -4,5 +4,5 @@ export declare const acceptAlbSecurityGroup: () => Promise<awsx.ec2.SecurityGrou
|
|
|
4
4
|
/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
|
|
5
5
|
export declare function acceptAlbSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
6
6
|
/** Makes a given securityGropup accesible by the shared supra ALB */
|
|
7
|
-
export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
7
|
+
export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
|
|
8
8
|
export default acceptAlbSecurityGroup;
|
package/acceptAlb.js
CHANGED
|
@@ -11,6 +11,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.makeSecurityGroupAccessibleFromSharedAlb = exports.acceptAlbSecurityGroupId = exports.acceptAlbSecurityGroup = void 0;
|
|
13
13
|
const awsx = require("@pulumi/awsx");
|
|
14
|
+
const utils_1 = require("./utils");
|
|
14
15
|
const values_1 = require("./values");
|
|
15
16
|
const withCache_1 = require("./withCache");
|
|
16
17
|
/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
|
|
@@ -26,8 +27,8 @@ function acceptAlbSecurityGroupId() {
|
|
|
26
27
|
}
|
|
27
28
|
exports.acceptAlbSecurityGroupId = acceptAlbSecurityGroupId;
|
|
28
29
|
/** Makes a given securityGropup accesible by the shared supra ALB */
|
|
29
|
-
function makeSecurityGroupAccessibleFromSharedAlb(securityGroup) {
|
|
30
|
-
new awsx.ec2.IngressSecurityGroupRule("accept-alb-ingress-rule", securityGroup, {
|
|
30
|
+
function makeSecurityGroupAccessibleFromSharedAlb(securityGroup, ruleName = "") {
|
|
31
|
+
new awsx.ec2.IngressSecurityGroupRule((0, utils_1.withRuleName)("accept-alb-ingress-rule", ruleName), securityGroup, {
|
|
31
32
|
sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
|
|
32
33
|
description: `Allow access from the supra ALB`,
|
|
33
34
|
fromPort: 0,
|
package/acceptBastion.d.ts
CHANGED
|
@@ -3,5 +3,5 @@ import * as awsx from "@pulumi/awsx";
|
|
|
3
3
|
export declare const acceptBastionSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
|
|
4
4
|
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
5
5
|
export declare function acceptBastionSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
6
|
-
export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
6
|
+
export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
|
|
7
7
|
export default acceptBastionSecurityGroup;
|
package/acceptBastion.js
CHANGED
|
@@ -14,6 +14,7 @@ const awsx = require("@pulumi/awsx");
|
|
|
14
14
|
const aws = require("@pulumi/aws");
|
|
15
15
|
const values_1 = require("./values");
|
|
16
16
|
const withCache_1 = require("./withCache");
|
|
17
|
+
const utils_1 = require("./utils");
|
|
17
18
|
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
18
19
|
exports.acceptBastionSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
19
20
|
const config = yield (0, values_1.getEnvConfiguration)();
|
|
@@ -30,15 +31,15 @@ const bastionSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0,
|
|
|
30
31
|
const config = yield (0, values_1.getEnvConfiguration)();
|
|
31
32
|
return config.bastionSecurityGroupId;
|
|
32
33
|
}));
|
|
33
|
-
function makeSecurityGroupAccessibleFromBastion(securityGroup) {
|
|
34
|
-
new aws.ec2.SecurityGroupRule("accesible-from-bastion", {
|
|
34
|
+
function makeSecurityGroupAccessibleFromBastion(securityGroup, ruleName = "") {
|
|
35
|
+
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accesible-from-bastion", ruleName), {
|
|
35
36
|
securityGroupId: securityGroup.id,
|
|
36
37
|
sourceSecurityGroupId: bastionSecurityGroupId(),
|
|
37
38
|
fromPort: -1,
|
|
38
39
|
toPort: -1,
|
|
39
40
|
type: "ingress",
|
|
40
41
|
protocol: "-1",
|
|
41
|
-
});
|
|
42
|
+
}, { deleteBeforeReplace: true });
|
|
42
43
|
}
|
|
43
44
|
exports.makeSecurityGroupAccessibleFromBastion = makeSecurityGroupAccessibleFromBastion;
|
|
44
45
|
exports.default = exports.acceptBastionSecurityGroup;
|
package/accessTheInternet.d.ts
CHANGED
|
@@ -9,6 +9,6 @@ export default accessTheInternetSecurityGroup;
|
|
|
9
9
|
/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
|
|
10
10
|
export declare function accessFromCloudflareSecurityGroup(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
11
11
|
/** Enables egress traffic to 0.0.0.0/0/all */
|
|
12
|
-
export declare function makeSecurityGroupAccessTheInternet(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
12
|
+
export declare function makeSecurityGroupAccessTheInternet(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
|
|
13
13
|
/** Enables ingress traffic from cloudflare CIDRs */
|
|
14
14
|
export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup: awsx.ec2.SecurityGroup): Promise<void>;
|
package/accessTheInternet.js
CHANGED
|
@@ -42,8 +42,8 @@ function accessFromCloudflareSecurityGroup() {
|
|
|
42
42
|
}
|
|
43
43
|
exports.accessFromCloudflareSecurityGroup = accessFromCloudflareSecurityGroup;
|
|
44
44
|
/** Enables egress traffic to 0.0.0.0/0/all */
|
|
45
|
-
function makeSecurityGroupAccessTheInternet(securityGroup) {
|
|
46
|
-
securityGroup.createEgressRule("access-the-internet", {
|
|
45
|
+
function makeSecurityGroupAccessTheInternet(securityGroup, ruleName = "") {
|
|
46
|
+
securityGroup.createEgressRule((0, utils_1.withRuleName)("access-the-internet", ruleName), {
|
|
47
47
|
cidrBlocks: ["0.0.0.0/0"],
|
|
48
48
|
fromPort: -1,
|
|
49
49
|
toPort: -1,
|
package/createFargateTask.js
CHANGED
|
@@ -186,12 +186,12 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
186
186
|
serviceDiscoveryPort = port;
|
|
187
187
|
});
|
|
188
188
|
// enable prometheus to access fromPort-toPort
|
|
189
|
-
(0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort);
|
|
189
|
+
(0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort, serviceName);
|
|
190
190
|
}
|
|
191
191
|
// enable egress traffic from the task to the internet
|
|
192
|
-
(0, accessTheInternet_1.makeSecurityGroupAccessTheInternet)(taskSecurityGroup);
|
|
192
|
+
(0, accessTheInternet_1.makeSecurityGroupAccessTheInternet)(taskSecurityGroup, serviceName);
|
|
193
193
|
// make the container fully accessible from the bastion of the environment
|
|
194
|
-
(0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup);
|
|
194
|
+
(0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup, serviceName);
|
|
195
195
|
if (dontExpose) {
|
|
196
196
|
const service = yield createInternalService({
|
|
197
197
|
serviceName,
|
|
@@ -230,7 +230,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
230
230
|
}
|
|
231
231
|
const portMapping = exposed.targetGroup;
|
|
232
232
|
// make the service accesible by the ALB
|
|
233
|
-
(0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
|
|
233
|
+
(0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup, serviceName);
|
|
234
234
|
const service = yield createInternalService({
|
|
235
235
|
serviceName,
|
|
236
236
|
cluster,
|
package/exposePublicService.d.ts
CHANGED
|
@@ -3,8 +3,15 @@ import * as aws from "@pulumi/aws";
|
|
|
3
3
|
import * as awsx from "@pulumi/awsx";
|
|
4
4
|
import * as cf from "@pulumi/cloudflare";
|
|
5
5
|
import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
|
|
6
|
-
export declare type
|
|
7
|
-
createCloudflareProxiedSubdomain
|
|
6
|
+
export declare type ProxiedCloudflareDomain = {
|
|
7
|
+
createCloudflareProxiedSubdomain: true;
|
|
8
|
+
};
|
|
9
|
+
export declare type UnproxiedCloudflareDomain = {
|
|
10
|
+
createCloudflareDNSWithoutProxy: true;
|
|
11
|
+
ttl: number;
|
|
12
|
+
};
|
|
13
|
+
export declare type CloudflareDomainOptions = ProxiedCloudflareDomain | UnproxiedCloudflareDomain | {};
|
|
14
|
+
export declare type ExtraExposedServiceOptions = CloudflareDomainOptions & {
|
|
8
15
|
skipInternalDomain?: boolean;
|
|
9
16
|
targetGroupConditions?: pulumi.Input<aws.types.input.alb.ListenerRuleCondition>[];
|
|
10
17
|
};
|
package/exposePublicService.js
CHANGED
|
@@ -24,6 +24,12 @@ const DEFAULT_HEALTHCHECK_VALUES = {
|
|
|
24
24
|
unhealthyThreshold: 5,
|
|
25
25
|
healthyThreshold: 5,
|
|
26
26
|
};
|
|
27
|
+
function isProxiedDomain(v) {
|
|
28
|
+
return typeof v == "object" && v && v.createCloudflareProxiedSubdomain;
|
|
29
|
+
}
|
|
30
|
+
function isUnProxiedDomain(v) {
|
|
31
|
+
return typeof v == "object" && v && v.createCloudflareDNSWithoutProxy;
|
|
32
|
+
}
|
|
27
33
|
/**
|
|
28
34
|
* Publicly expose a service on a given domain (with SSL). This will create a
|
|
29
35
|
* Target Group and a Listener for your microservice. Additionally, it will
|
|
@@ -37,7 +43,9 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
37
43
|
return __awaiter(this, void 0, void 0, function* () {
|
|
38
44
|
const { alb, listener } = yield (0, alb_1.getAlb)();
|
|
39
45
|
const healthCheckValue = Object.assign({}, DEFAULT_HEALTHCHECK_VALUES, healthCheck);
|
|
40
|
-
const
|
|
46
|
+
const isProxied = isProxiedDomain(extraOptions);
|
|
47
|
+
const isUnproxied = isUnProxiedDomain(extraOptions);
|
|
48
|
+
const createCloudflareRecord = isProxied || isUnproxied || domain.endsWith(`.${domain_1.publicDomain}`);
|
|
41
49
|
const onlyCloudflare = (extraOptions && extraOptions.skipInternalDomain) || false;
|
|
42
50
|
const createInternalDomain = !onlyCloudflare;
|
|
43
51
|
const certificate = (0, certificate_1.getCertificateFor)(domain);
|
|
@@ -71,14 +79,25 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
71
79
|
});
|
|
72
80
|
enabledHostnames.push(domain);
|
|
73
81
|
}
|
|
74
|
-
if (
|
|
82
|
+
if (createCloudflareRecord) {
|
|
75
83
|
enabledHostnames.push(domainParts.subdomain + "." + domain_1.publicDomain);
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
84
|
+
if (isUnProxiedDomain(extraOptions)) {
|
|
85
|
+
cloudflareRecord = yield (0, cloudflare_1.setRecord)({
|
|
86
|
+
recordName: domainParts.subdomain,
|
|
87
|
+
type: "CNAME",
|
|
88
|
+
value: alb.loadBalancer.dnsName,
|
|
89
|
+
proxied: false,
|
|
90
|
+
ttl: extraOptions.ttl || 600,
|
|
91
|
+
});
|
|
92
|
+
}
|
|
93
|
+
else {
|
|
94
|
+
cloudflareRecord = yield (0, cloudflare_1.setRecord)({
|
|
95
|
+
recordName: domainParts.subdomain,
|
|
96
|
+
type: "CNAME",
|
|
97
|
+
value: alb.loadBalancer.dnsName,
|
|
98
|
+
proxied: true,
|
|
99
|
+
});
|
|
100
|
+
}
|
|
82
101
|
}
|
|
83
102
|
if (enabledHostnames.length) {
|
|
84
103
|
new aws.alb.ListenerRule(`${domain_1.env}-ls-${slug}`, {
|
package/package.json
CHANGED
package/prometheus.d.ts
CHANGED
|
@@ -2,4 +2,4 @@ import * as pulumi from "@pulumi/pulumi";
|
|
|
2
2
|
import * as awsx from "@pulumi/awsx";
|
|
3
3
|
export declare const prometheusStack: () => Promise<pulumi.StackReference>;
|
|
4
4
|
export declare const prometheusSecurityGroupId: () => Promise<string>;
|
|
5
|
-
export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number): void;
|
|
5
|
+
export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number, ruleName?: string): void;
|
package/prometheus.js
CHANGED
|
@@ -14,6 +14,7 @@ const pulumi = require("@pulumi/pulumi");
|
|
|
14
14
|
const awsx = require("@pulumi/awsx");
|
|
15
15
|
const domain_1 = require("./domain");
|
|
16
16
|
const withCache_1 = require("./withCache");
|
|
17
|
+
const utils_1 = require("./utils");
|
|
17
18
|
exports.prometheusStack = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
18
19
|
return new pulumi.StackReference(`prometheus-${domain_1.env}`);
|
|
19
20
|
}));
|
|
@@ -21,8 +22,8 @@ exports.prometheusSecurityGroupId = (0, withCache_1.default)(() => __awaiter(voi
|
|
|
21
22
|
const prom = yield (0, exports.prometheusStack)();
|
|
22
23
|
return (yield prom.requireOutputValue("prometheusSecurityGroupId"));
|
|
23
24
|
}));
|
|
24
|
-
function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0) {
|
|
25
|
-
new awsx.ec2.IngressSecurityGroupRule(`accept-prom-${fromPort}-${toPort}`, securityGroup, {
|
|
25
|
+
function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
|
|
26
|
+
new awsx.ec2.IngressSecurityGroupRule((0, utils_1.withRuleName)(`accept-prom-${fromPort}-${toPort}`, ruleName), securityGroup, {
|
|
26
27
|
sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
|
|
27
28
|
description: `Allow access from prometheus`,
|
|
28
29
|
fromPort,
|
package/utils.d.ts
CHANGED
package/utils.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.sha256hash = void 0;
|
|
3
|
+
exports.withRuleName = exports.sha256hash = void 0;
|
|
4
4
|
const crypto = require("crypto");
|
|
5
5
|
function sha256hash(s) {
|
|
6
6
|
const shasum = crypto.createHash("sha256");
|
|
@@ -8,4 +8,11 @@ function sha256hash(s) {
|
|
|
8
8
|
return shasum.digest("hex").substring(0, 8);
|
|
9
9
|
}
|
|
10
10
|
exports.sha256hash = sha256hash;
|
|
11
|
+
function withRuleName(name, ruleName) {
|
|
12
|
+
if (ruleName === null || ruleName === void 0 ? void 0 : ruleName.length) {
|
|
13
|
+
return `${ruleName}-${name}`;
|
|
14
|
+
}
|
|
15
|
+
return name;
|
|
16
|
+
}
|
|
17
|
+
exports.withRuleName = withRuleName;
|
|
11
18
|
//# sourceMappingURL=utils.js.map
|