dcl-ops-lib 5.26.3 → 5.26.4

package/StaticWebsite.d.ts

@@ -1,5 +1,5 @@
 import { Input } from "@pulumi/pulumi";
-export type StaticWebsite = {
+export declare type StaticWebsite = {
     domain: string;
     certificateArn?: string;
     additionalDomains?: string[];

package/acceptAlb.d.ts

@@ -1,4 +1,10 @@
-import * as aws from "@pulumi/aws";
-/** Makes a given securityGropup accesible by the shared supra ALB */
-export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
-export default makeSecurityGroupAccessibleFromSharedAlb;
+import * as awsx from "@pulumi/awsx";
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
+export declare const acceptAlbSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
+export declare function acceptAlbSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlbV2 */
+export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: awsx.ec2.SecurityGroup): void;
+/** @deprecated Makes a given securityGropup accesible by the shared supra ALB */
+export declare function makeSecurityGroupAccessibleFromSharedAlbV2(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
+export default acceptAlbSecurityGroup;

package/acceptAlb.js

@@ -1,12 +1,46 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.makeSecurityGroupAccessibleFromSharedAlb = void 0;
+exports.makeSecurityGroupAccessibleFromSharedAlbV2 = exports.makeSecurityGroupAccessibleFromSharedAlb = exports.acceptAlbSecurityGroupId = exports.acceptAlbSecurityGroup = void 0;
+const awsx = require("@pulumi/awsx");
 const aws = require("@pulumi/aws");
 const utils_1 = require("./utils");
 const values_1 = require("./values");
-/** Makes a given securityGropup accesible by the shared supra ALB */
-function makeSecurityGroupAccessibleFromSharedAlb(securityGroup, ruleName = "") {
-    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-alb-ingress-rule", ruleName), {
+const withCache_1 = require("./withCache");
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
+exports.acceptAlbSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, values_1.getEnvConfiguration)();
+    return awsx.ec2.SecurityGroup.fromExistingId(`accept-alb-sg-reference`, config.acceptAlb);
+}));
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
+function acceptAlbSecurityGroupId() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return (yield (0, exports.acceptAlbSecurityGroup)()).id;
+    });
+}
+exports.acceptAlbSecurityGroupId = acceptAlbSecurityGroupId;
+/** @deprecated use makeSecurityGroupAccessibleFromSharedAlbV2 */
+function makeSecurityGroupAccessibleFromSharedAlb(securityGroup) {
+    new awsx.ec2.IngressSecurityGroupRule("accept-alb-ingress-rule", securityGroup, {
+        sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
+        description: `Allow access from the supra ALB`,
+        fromPort: 0,
+        toPort: 0,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessibleFromSharedAlb = makeSecurityGroupAccessibleFromSharedAlb;
+/** @deprecated Makes a given securityGropup accesible by the shared supra ALB */
+function makeSecurityGroupAccessibleFromSharedAlbV2(securityGroup, ruleName = "") {
+    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-alb-ingress-rule-v2", ruleName), {
         securityGroupId: securityGroup.id,
         sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
         description: `Allow access from the supra ALB`,
@@ -16,6 +50,6 @@ function makeSecurityGroupAccessibleFromSharedAlb(securityGroup, ruleName = "")
         type: "egress",
     }, { deleteBeforeReplace: true });
 }
-exports.makeSecurityGroupAccessibleFromSharedAlb = makeSecurityGroupAccessibleFromSharedAlb;
-exports.default = makeSecurityGroupAccessibleFromSharedAlb;
+exports.makeSecurityGroupAccessibleFromSharedAlbV2 = makeSecurityGroupAccessibleFromSharedAlbV2;
+exports.default = exports.acceptAlbSecurityGroup;
 //# sourceMappingURL=acceptAlb.js.map

package/acceptBastion.d.ts

@@ -1,3 +1,9 @@
-import * as aws from "@pulumi/aws";
-export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
-export default makeSecurityGroupAccessibleFromBastion;
+import * as awsx from "@pulumi/awsx";
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+export declare const acceptBastionSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+export declare function acceptBastionSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
+/** @deprecated use makeSecurityGroupAccessibleFromBastionV2 */
+export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: awsx.ec2.SecurityGroup): void;
+export declare function makeSecurityGroupAccessibleFromBastionV2(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
+export default acceptBastionSecurityGroup;

package/acceptBastion.js

@@ -9,17 +9,31 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.makeSecurityGroupAccessibleFromBastion = void 0;
+exports.makeSecurityGroupAccessibleFromBastionV2 = exports.makeSecurityGroupAccessibleFromBastion = exports.acceptBastionSecurityGroupId = exports.acceptBastionSecurityGroup = void 0;
+const awsx = require("@pulumi/awsx");
 const aws = require("@pulumi/aws");
 const values_1 = require("./values");
 const withCache_1 = require("./withCache");
 const utils_1 = require("./utils");
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+exports.acceptBastionSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, values_1.getEnvConfiguration)();
+    return awsx.ec2.SecurityGroup.fromExistingId(`accept-bastion-sg-reference`, config.acceptBastion);
+}));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+function acceptBastionSecurityGroupId() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return (yield (0, exports.acceptBastionSecurityGroup)()).id;
+    });
+}
+exports.acceptBastionSecurityGroupId = acceptBastionSecurityGroupId;
 const bastionSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)();
     return config.bastionSecurityGroupId;
 }));
-function makeSecurityGroupAccessibleFromBastion(securityGroup, ruleName = "") {
-    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accesible-from-bastion-v2", ruleName), {
+/** @deprecated use makeSecurityGroupAccessibleFromBastionV2 */
+function makeSecurityGroupAccessibleFromBastion(securityGroup) {
+    new aws.ec2.SecurityGroupRule("accesible-from-bastion", {
         securityGroupId: securityGroup.id,
         sourceSecurityGroupId: bastionSecurityGroupId(),
         fromPort: -1,
@@ -29,5 +43,16 @@ function makeSecurityGroupAccessibleFromBastion(securityGroup, ruleName = "") {
     }, { deleteBeforeReplace: true });
 }
 exports.makeSecurityGroupAccessibleFromBastion = makeSecurityGroupAccessibleFromBastion;
-exports.default = makeSecurityGroupAccessibleFromBastion;
+function makeSecurityGroupAccessibleFromBastionV2(securityGroup, ruleName = "") {
+    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accesible-from-bastion-v2", ruleName), {
+        securityGroupId: securityGroup.id,
+        sourceSecurityGroupId: bastionSecurityGroupId(),
+        fromPort: -1,
+        toPort: -1,
+        type: "ingress",
+        protocol: "-1",
+    }, { deleteBeforeReplace: true });
+}
+exports.makeSecurityGroupAccessibleFromBastionV2 = makeSecurityGroupAccessibleFromBastionV2;
+exports.default = exports.acceptBastionSecurityGroup;
 //# sourceMappingURL=acceptBastion.js.map

package/acceptDb.d.ts

@@ -1,4 +1,4 @@
-import * as aws from "@pulumi/aws";
-export declare const acceptDbSecurityGroup: () => Promise<aws.ec2.GetSecurityGroupResult>;
-export declare function acceptDbSecurityGroupId(): Promise<string>;
+import * as awsx from "@pulumi/awsx";
+export declare const acceptDbSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+export declare function acceptDbSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
 export default acceptDbSecurityGroup;

package/acceptDb.js

@@ -10,12 +10,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.acceptDbSecurityGroupId = exports.acceptDbSecurityGroup = void 0;
-const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
 const values_1 = require("./values");
 const withCache_1 = require("./withCache");
 exports.acceptDbSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const config = yield (0, values_1.getEnvConfiguration)();
-    return aws.ec2.getSecurityGroup({ name: config.dbSecurity });
+    return awsx.ec2.SecurityGroup.fromExistingId(`accept-db-sg-reference`, config.dbSecurity);
 }));
 function acceptDbSecurityGroupId() {
     return __awaiter(this, void 0, void 0, function* () {

package/accessTheInternet.d.ts

@@ -1,5 +1,16 @@
-import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
+export declare const accessCloudflareSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+export declare const accessTheInternetSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+export declare function accessTheInternetSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
+export default accessTheInternetSecurityGroup;
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
+export declare function accessFromCloudflareSecurityGroup(): Promise<import("@pulumi/pulumi").Output<string>>;
+/** @deprecated use makeSecurityGroupAccessTheInternetV2 */
+export declare function makeSecurityGroupAccessTheInternet(securityGroup: awsx.ec2.SecurityGroup): void;
 /** Enables egress traffic to 0.0.0.0/0/all */
-export declare function makeSecurityGroupAccessTheInternetV2(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
+export declare function makeSecurityGroupAccessTheInternetV2(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
 /** Enables ingress traffic from cloudflare CIDRs */
-export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup: aws.ec2.SecurityGroup): Promise<void>;
+export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup: awsx.ec2.SecurityGroup): Promise<void>;

package/accessTheInternet.js

@@ -9,10 +9,49 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.makeSecurityGroupAccessibleByCloudflare = exports.makeSecurityGroupAccessTheInternetV2 = void 0;
+exports.makeSecurityGroupAccessibleByCloudflare = exports.makeSecurityGroupAccessTheInternetV2 = exports.makeSecurityGroupAccessTheInternet = exports.accessFromCloudflareSecurityGroup = exports.accessTheInternetSecurityGroupId = exports.accessTheInternetSecurityGroup = exports.accessCloudflareSecurityGroup = void 0;
+const awsx = require("@pulumi/awsx");
 const aws = require("@pulumi/aws");
 const cloudflare = require("@pulumi/cloudflare");
+const supra_1 = require("./supra");
+const values_1 = require("./values");
+const withCache_1 = require("./withCache");
 const utils_1 = require("./utils");
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
+exports.accessCloudflareSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, values_1.getEnvConfiguration)(); // ?
+    return awsx.ec2.SecurityGroup.fromExistingId(`accept-cloudflare-web-sg-reference`, supra_1.supra.getOutputValue(`cloudflareAcceptWeb`));
+}));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+exports.accessTheInternetSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+    const config = yield (0, values_1.getEnvConfiguration)(); // ?
+    return awsx.ec2.SecurityGroup.fromExistingId(`access-the-internet-sg-reference`, supra_1.supra.getOutputValue(`accessTheInternet`));
+}));
+/** @deprecated please use makeSecurityGroupAccessTheInternet */
+function accessTheInternetSecurityGroupId() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return (yield (0, exports.accessTheInternetSecurityGroup)()).id;
+    });
+}
+exports.accessTheInternetSecurityGroupId = accessTheInternetSecurityGroupId;
+exports.default = exports.accessTheInternetSecurityGroup;
+/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
+function accessFromCloudflareSecurityGroup() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return (yield (0, exports.accessCloudflareSecurityGroup)()).id;
+    });
+}
+exports.accessFromCloudflareSecurityGroup = accessFromCloudflareSecurityGroup;
+/** @deprecated use makeSecurityGroupAccessTheInternetV2 */
+function makeSecurityGroupAccessTheInternet(securityGroup) {
+    securityGroup.createEgressRule("access-the-internet", {
+        cidrBlocks: ["0.0.0.0/0"],
+        fromPort: -1,
+        toPort: -1,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessTheInternet = makeSecurityGroupAccessTheInternet;
 /** Enables egress traffic to 0.0.0.0/0/all */
 function makeSecurityGroupAccessTheInternetV2(securityGroup, ruleName = "") {
     new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("access-the-internet-v2", ruleName), {
@@ -31,24 +70,20 @@ function makeSecurityGroupAccessibleByCloudflare(securityGroup) {
         const ips = yield cloudflare.getIpRanges({});
         for (let block of ips.ipv4CidrBlocks) {
             const hash = (0, utils_1.sha256hash)(block).substring(0, 6);
-            new aws.ec2.SecurityGroupRule(`accept-cf-80-${hash}`, {
+            securityGroup.createIngressRule(`accept-cf-80-${hash}`, {
                 protocol: "tcp",
                 fromPort: 80,
                 toPort: 80,
                 cidrBlocks: [block],
-                type: "ingress",
-                securityGroupId: securityGroup.id,
                 description: `pulumi-supra-${hash}`,
-            }, { deleteBeforeReplace: true });
-            new aws.ec2.SecurityGroupRule(`accept-cf-443-${hash}`, {
+            });
+            securityGroup.createIngressRule(`accept-cf-443-${hash}`, {
                 protocol: "tcp",
                 fromPort: 443,
                 toPort: 443,
                 cidrBlocks: [block],
-                type: "ingress",
-                securityGroupId: securityGroup.id,
                 description: `pulumi-supra-${hash}`,
-            }, { deleteBeforeReplace: true });
+            });
         }
     });
 }

package/alb.d.ts

@@ -1,5 +1,6 @@
 import * as aws from "@pulumi/aws";
-export type ElbValues = {
+import * as awsx from "@pulumi/awsx";
+export declare type ElbValues = {
     dns: string;
     elbArn: string;
     elbUrn: string;
@@ -8,6 +9,6 @@ export type ElbValues = {
 };
 export declare const getAlb: () => Promise<{
     dns: string;
-    alb: aws.lb.GetLoadBalancerResult;
+    alb: awsx.elasticloadbalancingv2.ApplicationLoadBalancer;
     listener: aws.lb.GetListenerResult;
 }>;

package/alb.js

@@ -11,6 +11,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAlb = void 0;
 const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
+const domain_1 = require("./domain");
 const supra_1 = require("./supra");
 const withCache_1 = require("./withCache");
 const cache = {
@@ -23,9 +25,9 @@ const cache = {
 };
 exports.getAlb = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
     const dns = yield supra_1.supra.getOutputValue("dns");
-    const loadBalancer = yield supra_1.supra.getOutputDetails("albInstance");
+    const loadBalancer = yield supra_1.supra.getOutputValue("albInstance");
     const elbValues = yield supra_1.supra.getOutputValue("elbValues");
-    const alb = yield aws.lb.getLoadBalancer({ arn: JSON.parse(loadBalancer.value).arn });
+    const alb = new awsx.lb.ApplicationLoadBalancer(`${domain_1.env}-alb-all`, { loadBalancer });
     const listener = yield aws.lb.getListener({ arn: elbValues.listenerArn });
     return { dns, alb, listener };
 }));

package/cloudflare.d.ts

@@ -1,12 +1,12 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as cloudflare from "@pulumi/cloudflare";
-export type DeployWorkerConfig = {
+export declare type DeployWorkerConfig = {
     jsWorkerFileName: string;
     routes: pulumi.Input<string>[];
     env?: Record<string, pulumi.Input<string>>;
     overrides?: cloudflare.WorkerScriptArgs;
 };
-export type SetRecordConfig = {
+export declare type SetRecordConfig = {
     recordName: string;
     type: "CNAME" | "A" | "TXT";
     value: pulumi.Input<string>;
@@ -17,9 +17,8 @@ export type SetRecordConfig = {
     proxied: true;
 });
 export declare function getZoneId(): Promise<string>;
-export declare function getAccountId(): string;
 export declare function deployWorker(workerName: string, config: DeployWorkerConfig): Promise<{
-    [x: string]: pulumi.Output<string> | import("@pulumi/cloudflare/workerScript").WorkerScript;
-    worker: import("@pulumi/cloudflare/workerScript").WorkerScript;
+    [x: string]: pulumi.Output<string> | cloudflare.WorkerScript;
+    worker: cloudflare.WorkerScript;
 }>;
-export declare function setRecord(config: SetRecordConfig): Promise<import("@pulumi/cloudflare/record").Record>;
+export declare function setRecord(config: SetRecordConfig): Promise<cloudflare.Record>;

package/cloudflare.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setRecord = exports.deployWorker = exports.getAccountId = exports.getZoneId = void 0;
+exports.setRecord = exports.deployWorker = exports.getZoneId = void 0;
 const pulumi = require("@pulumi/pulumi");
 const cloudflare = require("@pulumi/cloudflare");
 const domain_1 = require("./domain");
@@ -23,15 +23,6 @@ function getZoneId() {
     });
 }
 exports.getZoneId = getZoneId;
-function getAccountId() {
-    if (process.env.CLOUDFLARE_ACCOUNT_ID) {
-        return process.env.CLOUDFLARE_ACCOUNT_ID;
-    }
-    else {
-        throw new Error("CLOUDFLARE_ACCOUNT_ID not set");
-    }
-}
-exports.getAccountId = getAccountId;
 function deployWorker(workerName, config) {
     return __awaiter(this, void 0, void 0, function* () {
         // get file contents
@@ -43,7 +34,7 @@ function deployWorker(workerName, config) {
         });
         // create the worker
         const worker = new cloudflare.WorkerScript(`${workerName}-${domain_1.publicTLD}`, Object.assign({ name: `${workerName}-${domain_1.publicTLD}`, content,
-            plainTextBindings, accountId: getAccountId() }, (config.overrides || {})));
+            plainTextBindings }, (config.overrides || {})));
         const ret = { [workerName + "-" + domain_1.publicTLD]: worker.id, worker };
         // create the routes
         let count = 0;

package/createBucketWithUser.d.ts

@@ -1,7 +1,8 @@
+import * as aws from "@pulumi/aws";
 import { BucketArgs } from "@pulumi/aws/s3/bucket";
 import * as pulumi from "@pulumi/pulumi";
 export declare function createBucketWithUser(name: string, bucketArgs?: BucketArgs): {
-    role: import("@pulumi/aws/iam/role").Role;
+    role: aws.iam.Role;
     user: pulumi.Output<string>;
     bucket: pulumi.Output<string>;
     bucketPolicyId: pulumi.Output<string>;

package/createFargateTask.d.ts

@@ -1,26 +1,28 @@
 import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
 import * as pulumi from "@pulumi/pulumi";
 import { ExtraExposedServiceOptions } from "./exposePublicService";
-export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => aws.ecs.LogConfiguration;
-export declare function getClusterInstance(cluster: string | aws.ecs.Cluster | undefined): Promise<pulumi.Output<string> | string>;
-export type ALBMapping = {
+export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => pulumi.Output<aws.ecs.LogConfiguration>;
+export declare function getClusterInstance(cluster: string | awsx.ecs.Cluster | undefined): awsx.ecs.Cluster;
+export declare type ALBMapping = {
     domain: string;
     dockerListeningPort: number;
-    healthCheck?: Partial<aws.types.input.alb.TargetGroupHealthCheck>;
+    healthCheck?: Partial<ApplicationTargetGroupHealthCheck>;
     extraExposedServiceOptions?: ExtraExposedServiceOptions;
 };
 export declare function getFargateExecutionRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
-    role: import("@pulumi/aws/iam/role").Role;
-    policies: import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment[];
+    role: aws.iam.Role;
+    policies: aws.iam.RolePolicyAttachment[];
 };
 export declare function getFargateTaskRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
-    role: import("@pulumi/aws/iam/role").Role;
-    policies: import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment[];
+    role: aws.iam.Role;
+    policies: aws.iam.RolePolicyAttachment[];
 };
-export type FargateTaskOptions = {
+export declare type FargateTaskOptions = {
     securityGroups?: (string | pulumi.Output<string>)[];
-    cluster?: aws.ecs.Cluster | string;
-    healthCheck?: Partial<aws.types.input.alb.TargetGroupHealthCheck>;
+    cluster?: awsx.ecs.Cluster | string;
+    healthCheck?: Partial<ApplicationTargetGroupHealthCheck>;
     desiredCount?: number;
     memoryReservation?: number;
     cpuReservation?: number;
@@ -36,7 +38,7 @@ export type FargateTaskOptions = {
     extraALBMappings?: ALBMapping[];
     executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
     taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
-    secrets?: aws.ecs.Secret[];
+    secrets?: aws.ecs.Secret[] | pulumi.Input<aws.ecs.Secret[]>;
     ignoreServiceDiscovery?: boolean;
     team: "dapps" | "platform" | "data" | "marketing" | "infra";
     metrics?: {
@@ -48,8 +50,8 @@ export type FargateTaskOptions = {
     dependsOn?: pulumi.Resource[];
     volumes?: aws.types.input.ecs.TaskDefinitionVolume[] | pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
     deregistrationDelay?: pulumi.Input<number>;
-    mountPoints?: aws.ecs.MountPoint[];
-    repositoryCredentials?: aws.ecs.RepositoryCredentials;
+    mountPoints?: pulumi.Input<aws.ecs.MountPoint[]>;
+    repositoryCredentials?: pulumi.Input<aws.ecs.RepositoryCredentials>;
 };
 /**
  *
@@ -63,38 +65,38 @@ export type FargateTaskOptions = {
  * @param options.healthCheckPath
  * @param options.policyArnNamedMap key-value named map of policies to attach to the default execution role for this task
  */
-export declare function createFargateTask(serviceName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, dockerListeningPort: number, environment: {
+export declare function createFargateTask(serviceName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string> | awsx.ecs.ContainerImageProvider, dockerListeningPort: number, environment: {
     name: string;
     value: pulumi.Input<string>;
     secret?: boolean;
 }[], hostname: string, options: FargateTaskOptions): Promise<{
-    service: import("@pulumi/aws/ecs/service").Service;
+    service: awsx.ecs.FargateService;
     endpoint: string;
     exposed?: undefined;
 } | {
     endpoint: string;
-    service: import("@pulumi/aws/ecs/service").Service;
+    service: awsx.ecs.FargateService;
     exposed: {
         domain: string;
         certificate: pulumi.Input<string>;
-        record: import("@pulumi/aws/route53/record").Record | undefined;
-        targetGroup: import("@pulumi/aws/alb/targetGroup").TargetGroup;
-        cloudflareRecord: import("@pulumi/cloudflare/record").Record | undefined;
+        record: void | aws.route53.Record;
+        targetGroup: awsx.elasticloadbalancingv2.ApplicationTargetGroup;
+        cloudflareRecord: void | import("@pulumi/cloudflare").Record;
     };
 }>;
-export type InternalServiceOptions = {
+export declare type InternalServiceOptions = {
     serviceName: string;
-    cluster?: string | aws.ecs.Cluster;
-    securityGroups?: (string | pulumi.Output<string>)[];
+    cluster?: string | awsx.ecs.Cluster;
+    securityGroups?: awsx.ec2.SecurityGroupOrId[];
     ignoreServiceDiscovery?: boolean;
     serviceDiscoveryPort?: number;
     desiredCount?: number;
     executionRole?: aws.iam.Role;
     taskRole?: aws.iam.Role;
-    containerInfo: aws.ecs.ContainerDefinition;
+    containerInfo: awsx.ecs.Container;
     assignPublicIp?: boolean;
     dependsOn?: pulumi.Resource[];
     volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
     team: string;
 };
-export declare function createInternalService(config: InternalServiceOptions): Promise<import("@pulumi/aws/ecs/service").Service>;
+export declare function createInternalService(config: InternalServiceOptions): Promise<awsx.ecs.FargateService>;

package/createFargateTask.js

@@ -11,27 +11,27 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createInternalService = exports.createFargateTask = exports.getFargateTaskRole = exports.getFargateExecutionRole = exports.getClusterInstance = exports.getDefaultLogs = void 0;
 const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
 const pulumi = require("@pulumi/pulumi");
 const acceptAlb_1 = require("./acceptAlb");
 const acceptBastion_1 = require("./acceptBastion");
 const domain_1 = require("./domain");
 const exposePublicService_1 = require("./exposePublicService");
 const network_1 = require("./network");
+const utils_1 = require("./utils");
 const vpc_1 = require("./vpc");
 const supra_1 = require("./supra");
 const stack_1 = require("./stack");
 const prometheus_1 = require("./prometheus");
 const accessTheInternet_1 = require("./accessTheInternet");
-const getDefaultLogs = (serviceName, logGroup) => {
-    return {
-        logDriver: "awslogs",
-        options: {
-            "awslogs-group": logGroup.name.apply((name) => name),
-            "awslogs-region": "us-east-1",
-            "awslogs-stream-prefix": serviceName,
-        },
-    };
-};
+const getDefaultLogs = (serviceName, logGroup) => pulumi.all([logGroup.id]).apply(([logGroupId]) => ({
+    logDriver: "awslogs",
+    options: {
+        "awslogs-group": logGroupId,
+        "awslogs-region": "us-east-1",
+        "awslogs-stream-prefix": serviceName,
+    },
+}));
 exports.getDefaultLogs = getDefaultLogs;
 const extraOpts = {
     customTimeouts: {
@@ -42,28 +42,29 @@ const extraOpts = {
 };
 const cachedClusterInstances = {};
 function getClusterInstance(cluster) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (undefined === cluster) {
-            const defaultClusterName = `${domain_1.env}-main`;
-            cluster = (yield aws.ecs.getCluster({ clusterName: defaultClusterName }, { async: true })).arn;
-        }
-        if (typeof cluster === "string") {
-            if (!cachedClusterInstances[cluster]) {
-                cachedClusterInstances[cluster] = (yield aws.ecs.getCluster({ clusterName: cluster }, { async: true })).arn;
-            }
-            return cachedClusterInstances[cluster];
+    if (undefined === cluster) {
+        const defaultClusterName = `${domain_1.env}-main`;
+        cluster = defaultClusterName;
+    }
+    if (typeof cluster === "string") {
+        if (!cachedClusterInstances[cluster]) {
+            cachedClusterInstances[cluster] = new awsx.ecs.Cluster(cluster + "-ref", {
+                cluster: aws.ecs.Cluster.get(cluster + "-ref-2", cluster),
+            });
         }
-        return cluster.arn;
-    });
+        return cachedClusterInstances[cluster];
+    }
+    return cluster;
 }
 exports.getClusterInstance = getClusterInstance;
 function getFargateExecutionRole(name, policyArnNamedMap) {
-    const assumeRolePolicy = aws.iam.assumeRolePolicyForPrincipal({
-        Service: "ecs-tasks.amazonaws.com",
-    });
+    const assumeRolePolicy = awsx.ecs.TaskDefinition.defaultRoleAssumeRolePolicy();
     const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
     const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
     const policies = [];
+    awsx.ecs.TaskDefinition.defaultExecutionRolePolicyARNs().forEach((policyArn) => {
+        policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
+    });
     Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
         if (policyArn instanceof aws.iam.Policy) {
             policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
@@ -76,12 +77,13 @@ function getFargateExecutionRole(name, policyArnNamedMap) {
 }
 exports.getFargateExecutionRole = getFargateExecutionRole;
 function getFargateTaskRole(name, policyArnNamedMap) {
-    const assumeRolePolicy = aws.iam.assumeRolePolicyForPrincipal({
-        Service: "ecs-tasks.amazonaws.com",
-    });
+    const assumeRolePolicy = awsx.ecs.TaskDefinition.defaultRoleAssumeRolePolicy();
     const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
     const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
     const policies = [];
+    awsx.ecs.TaskDefinition.defaultTaskRolePolicyARNs().forEach((policyArn) => {
+        policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
+    });
     Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
         if (policyArn instanceof aws.iam.Policy) {
             policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
@@ -136,10 +138,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             dependsOn = [];
         }
         if (undefined === mountPoints) {
-            mountPoints = [];
-        }
-        if (undefined === secrets) {
-            secrets = [];
+            dependsOn = [];
         }
         const { role: executionRole, policies: executionPolicies } = getFargateExecutionRole(`${serviceName}-${version}-execution`, executionRolePolicies || {});
         dependsOn.push(...executionPolicies);
@@ -159,9 +158,8 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
         // this port should be the internal port used for administrative purposes
         let serviceDiscoveryPort = dockerListeningPort;
         const vpc = yield (0, vpc_1.getVpc)();
-        const taskSecurityGroup = new aws.ec2.SecurityGroup(`${serviceName}-${version}`, {
-            vpcId: vpc.id,
-            tags: { ServiceName: serviceName, Team: team },
+        const taskSecurityGroup = new awsx.ec2.SecurityGroup(`${serviceName}-${version}`, {
+            vpc,
         });
         if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
             let fromPort = 0;
@@ -172,13 +170,11 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
                 if (toPort == 0 || toPort < port)
                     toPort = port;
                 // create a security group to enable metrics access by cwagent from inside the VPC
-                new aws.ec2.SecurityGroupRule(`metrics-${port}`, {
-                    type: "ingress",
+                taskSecurityGroup.createIngressRule(`metrics-${port}`, {
                     fromPort: port,
                     toPort: port,
                     protocol: "tcp",
-                    cidrBlocks: [vpc.cidrBlock],
-                    securityGroupId: taskSecurityGroup.id,
+                    cidrBlocks: [vpc.vpc.cidrBlock],
                 });
                 if (!extraPortMappings.find(($) => $.hostPort != metrics.port) && (port != dockerListeningPort || dontExpose)) {
                     extraPortMappings.push({
@@ -193,7 +189,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             (0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort);
         }
         // enable egress traffic from the task to the internet
-        (0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup);
+        (0, accessTheInternet_1.makeSecurityGroupAccessTheInternet)(taskSecurityGroup);
         // make the container fully accessible from the bastion of the environment
         (0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup);
         if (dontExpose) {
@@ -206,8 +202,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
                 ignoreServiceDiscovery,
                 securityGroups: [taskSecurityGroup.id, ...securityGroups],
                 containerInfo: {
-                    name: serviceName,
-                    secrets: [],
+                    secrets,
                     environment,
                     essential,
                     image: dockerImage,
@@ -233,12 +228,8 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
         for (let extraALBMapping of extraALBMappings) {
             const exposedExtra = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, undefined, extraALBMapping.extraExposedServiceOptions);
             extraALBMappingsExposed.push(exposedExtra.targetGroup);
-            extraPortMappings.push({
-                containerPort: extraALBMapping.dockerListeningPort,
-                hostPort: extraALBMapping.dockerListeningPort,
-            });
         }
-        const portMapping = { containerPort: dockerListeningPort, hostPort: dockerListeningPort };
+        const portMapping = exposed.targetGroup;
         // make the service accesible by the ALB
         (0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
         const service = yield createInternalService({
@@ -252,10 +243,9 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             securityGroups: [taskSecurityGroup.id, ...securityGroups],
             serviceDiscoveryPort,
             containerInfo: {
-                name: serviceName,
                 secrets,
                 environment,
-                portMappings: [...extraPortMappings, portMapping],
+                portMappings: [...extraPortMappings, ...extraALBMappingsExposed, portMapping],
                 essential,
                 image: dockerImage,
                 command,
@@ -302,27 +292,26 @@ function createInternalService(config) {
             retentionInDays: 60,
             tags: { ServiceName: serviceName, Team: team },
         });
-        const taskDefinition = new aws.ecs.TaskDefinition((0, stack_1.getStackScopedName)(serviceName) + "-taskdefinition", {
-            executionRoleArn: executionRole === null || executionRole === void 0 ? void 0 : executionRole.arn,
-            taskRoleArn: taskRole === null || taskRole === void 0 ? void 0 : taskRole.arn,
-            tags: { ServiceName: serviceName, Team: team },
-            containerDefinitions: JSON.stringify([Object.assign(Object.assign({}, containerInfo), { logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) })]),
-            volumes: volumes,
-            family: (0, stack_1.getStackScopedName)(serviceName),
-        }, { dependsOn: [logGroup] });
-        return new aws.ecs.Service((0, stack_1.getStackScopedName)(serviceName), {
-            cluster: yield getClusterInstance(cluster),
+        return new awsx.ecs.FargateService((0, stack_1.getStackScopedName)(serviceName), {
+            cluster: getClusterInstance(cluster),
             tags: { ServiceName: serviceName, StackId: (0, stack_1.getStackId)() },
-            networkConfiguration: {
-                subnets: yield (0, network_1.getPrivateSubnetIds)(),
-                securityGroups: securityGroups,
-                assignPublicIp
-            },
+            subnets: yield (0, network_1.getPrivateSubnetIds)(),
+            securityGroups: securityGroups,
             serviceRegistries,
             desiredCount,
             enableEcsManagedTags: true,
+            assignPublicIp,
             waitForSteadyState: false,
-            taskDefinition: taskDefinition.arn,
+            taskDefinitionArgs: {
+                executionRole,
+                taskRole,
+                tags: { ServiceName: serviceName, Team: team },
+                logGroup,
+                containers: {
+                    [serviceName]: Object.assign({ logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) }, containerInfo),
+                },
+                volumes: volumes,
+            },
         }, Object.assign(Object.assign({}, extraOpts), { dependsOn }));
     });
 }

package/createImageFromContext.d.ts

@@ -1,11 +1,12 @@
+import * as aws from "@pulumi/aws";
 import * as docker from "@pulumi/docker";
 import * as pulumi from "@pulumi/pulumi";
-export declare function createImageFromContext(name: string, context: string, options?: Partial<docker.types.input.DockerBuild>, imageOpts?: pulumi.ComponentResourceOptions): {
-    ecr: import("@pulumi/aws/ecr/repository").Repository;
+export declare function createImageFromContext(name: string, context: string, options?: Partial<docker.DockerBuild>, imageOpts?: pulumi.ComponentResourceOptions): {
+    ecr: aws.ecr.Repository;
     registry: pulumi.Output<{
         server: string;
         username: string;
         password: string;
     }>;
-    image: import("@pulumi/docker/image").Image;
+    image: docker.Image;
 };

package/createImageFromContext.js

@@ -9,7 +9,7 @@ function createImageFromContext(name, context, options, imageOpts) {
     const registry = (0, getImageRegistryAndCredentials_1.getImageRegistryAndCredentials)(ecr);
     const image = new docker.Image(`${name}-image`, {
         imageName: ecr.repositoryUrl,
-        build: Object.assign({ context, args: {
+        build: Object.assign({ context, cacheFrom: true, env: {
                 DOCKER_BUILDKIT: "1",
             } }, options),
         registry: registry,

package/exposePublicService.d.ts

@@ -1,15 +1,17 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as aws from "@pulumi/aws";
-import { alb as albTypes } from "@pulumi/aws/types/input";
-export type ProxiedCloudflareDomain = {
+import * as awsx from "@pulumi/awsx";
+import * as cf from "@pulumi/cloudflare";
+import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
+export declare type ProxiedCloudflareDomain = {
     createCloudflareProxiedSubdomain: true;
 };
-export type UnproxiedCloudflareDomain = {
+export declare type UnproxiedCloudflareDomain = {
     createCloudflareDNSWithoutProxy: true;
     ttl: number;
 };
-export type CloudflareDomainOptions = ProxiedCloudflareDomain | UnproxiedCloudflareDomain | {};
-export type ExtraExposedServiceOptions = CloudflareDomainOptions & {
+export declare type CloudflareDomainOptions = ProxiedCloudflareDomain | UnproxiedCloudflareDomain | {};
+export declare type ExtraExposedServiceOptions = CloudflareDomainOptions & {
     skipInternalDomain?: boolean;
     targetGroupConditions?: pulumi.Input<aws.types.input.alb.ListenerRuleCondition>[];
 };
@@ -22,10 +24,10 @@ export type ExtraExposedServiceOptions = CloudflareDomainOptions & {
  * @param domain
  * @param port
  */
-export declare function exposePublicService(name: string, domain: string, port: number, healthCheck?: Partial<albTypes.TargetGroupHealthCheck>, vpc?: aws.ec2.Vpc, extraOptions?: ExtraExposedServiceOptions, deregistrationDelay?: pulumi.Input<number>): Promise<{
+export declare function exposePublicService(name: string, domain: string, port: number, healthCheck?: Partial<ApplicationTargetGroupHealthCheck>, vpc?: awsx.ec2.Vpc, extraOptions?: ExtraExposedServiceOptions, deregistrationDelay?: pulumi.Input<number>): Promise<{
     domain: string;
     certificate: pulumi.Input<string>;
-    record: import("@pulumi/aws/route53/record").Record | undefined;
-    targetGroup: import("@pulumi/aws/alb/targetGroup").TargetGroup;
-    cloudflareRecord: import("@pulumi/cloudflare/record").Record | undefined;
+    record: void | aws.route53.Record;
+    targetGroup: awsx.elasticloadbalancingv2.ApplicationTargetGroup;
+    cloudflareRecord: void | cf.Record;
 }>;

package/exposePublicService.js

@@ -11,6 +11,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exposePublicService = void 0;
 const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
 const domain_1 = require("./domain");
 const alb_1 = require("./alb");
 const certificate_1 = require("./certificate");
@@ -49,13 +50,13 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
         const createInternalDomain = !onlyCloudflare;
         const certificate = (0, certificate_1.getCertificateFor)(domain);
         const slug = name;
-        const targetVpc = vpc ? vpc : yield aws.ec2.getVpc({ default: true }, { async: true });
+        const targetVpc = vpc ? vpc : awsx.ec2.Vpc.getDefault();
         const targetDeregistrationDelay = deregistrationDelay ? deregistrationDelay : 300;
-        const targetGroup = new aws.alb.TargetGroup("tg-" + slug.substr(-32 + 12), {
+        const targetGroup = alb.createTargetGroup("tg-" + slug.substr(-32 + 12) /* last 32 chars, and take 7 chars for the -hash appended by pulumi */, {
             protocol: "HTTP",
             port,
             healthCheck: healthCheckValue,
-            vpcId: targetVpc.id,
+            vpc: targetVpc,
             deregistrationDelay: targetDeregistrationDelay,
         });
         const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(domain);
@@ -70,8 +71,8 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
                 type: "A",
                 aliases: [
                     {
-                        name: alb.dnsName,
-                        zoneId: alb.zoneId,
+                        name: alb.loadBalancer.dnsName,
+                        zoneId: alb.loadBalancer.zoneId,
                         evaluateTargetHealth: false,
                     },
                 ],
@@ -84,7 +85,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
                 cloudflareRecord = yield (0, cloudflare_1.setRecord)({
                     recordName: domainParts.subdomain,
                     type: "CNAME",
-                    value: alb.dnsName,
+                    value: alb.loadBalancer.dnsName,
                     proxied: false,
                     ttl: extraOptions.ttl || 600,
                 });
@@ -93,7 +94,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
                 cloudflareRecord = yield (0, cloudflare_1.setRecord)({
                     recordName: domainParts.subdomain,
                     type: "CNAME",
-                    value: alb.dnsName,
+                    value: alb.loadBalancer.dnsName,
                     proxied: true,
                 });
             }
@@ -105,7 +106,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
                 actions: [
                     {
                         type: "forward",
-                        targetGroupArn: targetGroup.arn,
+                        targetGroupArn: targetGroup.targetGroup.arn,
                     },
                 ],
             });

package/getSecurityGroup.d.ts

@@ -0,0 +1,6 @@
+import * as awsx from "@pulumi/awsx";
+import { Output } from '@pulumi/pulumi';
+export declare function createSecurityGroupFunction(name: string, id: string | Output<string>): {
+    getSecurityGroup: () => Promise<awsx.ec2.SecurityGroup | Output<awsx.ec2.SecurityGroup>>;
+    getSecurityGroupId: () => Promise<Output<string>>;
+};

package/getSecurityGroup.js

@@ -0,0 +1,51 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSecurityGroupFunction = void 0;
+const awsx = require("@pulumi/awsx");
+function createSecurityGroupFunction(name, id) {
+    let securityGroupOutput;
+    let securityGroupPromise;
+    function getSecurityGroup() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!securityGroupOutput) {
+                if (!securityGroupPromise) {
+                    securityGroupPromise = new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () {
+                        try {
+                            resolve(awsx.ec2.SecurityGroup.fromExistingId(name, id));
+                        }
+                        catch (e) {
+                            reject(e);
+                        }
+                    }));
+                    return yield securityGroupPromise;
+                }
+                else {
+                    return yield securityGroupPromise;
+                }
+            }
+            else {
+                return securityGroupOutput;
+            }
+        });
+    }
+    function getSecurityGroupId() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return (yield getSecurityGroup()).id;
+        });
+    }
+    return {
+        getSecurityGroup: getSecurityGroup,
+        getSecurityGroupId: getSecurityGroupId
+    };
+}
+exports.createSecurityGroupFunction = createSecurityGroupFunction;
+//# sourceMappingURL=getSecurityGroup.js.map

package/lambda.d.ts

@@ -1,7 +1,7 @@
+import * as awsx from "@pulumi/awsx";
 import * as aws from "@pulumi/aws";
-import * as apigateway from "@pulumi/aws-apigateway";
 import * as pulumi from "@pulumi/pulumi";
-export type LambdaOptions = {
+export declare type LambdaOptions = {
     folderName: string;
     extra?: Partial<aws.lambda.FunctionArgs>;
     attachRolePolicyArn?: Record<string, pulumi.Input<string>>;
@@ -9,10 +9,11 @@ export type LambdaOptions = {
 export declare function createGateway(options: {
     fullyQualifiedDomainName: string;
 }, fn: (addRoute: (config: LambdaOptions & {
-    method: apigateway.types.enums.Method;
+    method: awsx.apigateway.Method;
     path: string;
+    extraRoute?: awsx.apigateway.BaseRoute;
 }) => Promise<void>) => Promise<void>): Promise<{
-    gateway: import("@pulumi/aws-apigateway/restAPI").RestAPI;
-    record: import("@pulumi/aws/route53/record").Record;
+    gateway: awsx.apigateway.API;
+    record: aws.route53.Record;
     lambdasDomain: string;
 }>;

package/lambda.js

@@ -10,8 +10,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createGateway = void 0;
+const awsx = require("@pulumi/awsx");
 const aws = require("@pulumi/aws");
-const apigateway = require("@pulumi/aws-apigateway");
 const pulumi = require("@pulumi/pulumi");
 const path_1 = require("path");
 const domain_1 = require("./domain");
@@ -66,7 +66,7 @@ function createLambda(fullyQualifiedDomainName, config) {
             });
         }
         const name = (0, stack_1.getStackScopedName)((subdomain || "ROOTDOMAIN") + "-" + lambdaName);
-        const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs18.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
+        const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs14.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
                 new pulumi.asset.AssetArchive({
                     [(0, path_1.basename)(file)]: new pulumi.asset.FileAsset(file),
                 }), role: (extra === null || extra === void 0 ? void 0 : extra.role) || lambdaApiGatewayRole.arn }, extra));
@@ -78,13 +78,9 @@ function createGateway(options, fn) {
         const routes = [];
         yield fn(function configureApiGatewayLambda(config) {
             return __awaiter(this, void 0, void 0, function* () {
-                const { method, path } = config;
+                const { method, path, extraRoute } = config;
                 const lambda = yield createLambda(options.fullyQualifiedDomainName, config);
-                routes.push({
-                    method: method,
-                    path,
-                    eventHandler: lambda
-                });
+                routes.push(Object.assign({ method: method, path, eventHandler: lambda }, extraRoute));
             });
         });
         if (routes.length == 0) {
@@ -92,15 +88,15 @@ function createGateway(options, fn) {
         }
         const stageName = domain_1.env;
         // Create a public HTTP endpoint (using AWS APIGateway)
-        const gateway = new apigateway.RestAPI((0, stack_1.getStackScopedName)(options.fullyQualifiedDomainName.replace(/\./g, "-")), {
+        const gateway = new awsx.apigateway.API((0, stack_1.getStackScopedName)(options.fullyQualifiedDomainName.replace(/\./g, "-")), {
             routes: routes,
-            stageName
-        });
-        new aws.apigateway.Stage((0, stack_1.getStackScopedName)(`${options.fullyQualifiedDomainName.replace(/\./g, "-")}-stage`), {
-            restApi: gateway.api.id,
-            deployment: gateway.deployment.id,
             stageName,
-            xrayTracingEnabled: true
+            restApiArgs: {
+                name: "rest-api",
+            },
+            stageArgs: {
+                xrayTracingEnabled: true,
+            },
         });
         const { record, lambdasDomain } = yield configureApiGatewayDomain(options.fullyQualifiedDomainName, gateway);
         return {
@@ -124,7 +120,7 @@ function configureApiGatewayDomain(fullyQualifiedDomainName, gateway) {
             deleteBeforeReplace: true,
         });
         const webDomainMapping = new aws.apigateway.BasePathMapping((0, stack_1.getStackScopedName)(subdomain + "-bpm"), {
-            restApi: gateway.api.id,
+            restApi: gateway.restAPI,
             stageName: gateway.stage.stageName,
             domainName: webDomain.id,
         }, { dependsOn: [webDomain], deleteBeforeReplace: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcl-ops-lib",
-  "version": "5.26.3",
+  "version": "5.26.4",
   "scripts": {
     "build": "tsc && cp bin/* . && node test.js",
     "clean": "rm *.d.ts *.js *.js.map"
@@ -20,20 +20,18 @@
     "extends": "@semantic-release/gitlab-config"
   },
   "devDependencies": {
-    "@semantic-release/gitlab-config": "^13.0.0",
-    "@types/mime": "^3.0.4",
-    "@types/node": "^20.9.3",
-    "semantic-release": "^22.0.8",
-    "typescript": "^5.3.2"
+    "@semantic-release/gitlab-config": "^10.0.1",
+    "@types/mime": "^3.0.1",
+    "@types/node": "^18.7.13",
+    "semantic-release": "^19.0.5",
+    "typescript": "^4.7.4"
   },
   "dependencies": {
-    "@pulumi/aws": "6.9.0",
-    "@pulumi/aws-apigateway": "^2.0.1",
-    "@pulumi/aws-native": "^0.86.0",
-    "@pulumi/awsx": "2.2.0",
-    "@pulumi/cloudflare": "5.15.0",
-    "@pulumi/docker": "4.5.0",
-    "@pulumi/pulumi": "3.94.2",
+    "@pulumi/aws": "5.11.0",
+    "@pulumi/awsx": "0.40.0",
+    "@pulumi/cloudflare": "4.9.0",
+    "@pulumi/docker": "3.4.1",
+    "@pulumi/pulumi": "3.38.0",
     "mime": "^3.0.0"
   }
 }

package/prometheus.d.ts

@@ -1,5 +1,9 @@
 import * as pulumi from "@pulumi/pulumi";
-import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
 export declare const prometheusStack: () => Promise<pulumi.StackReference>;
 export declare const prometheusSecurityGroupId: () => Promise<string>;
-export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: aws.ec2.SecurityGroup, fromPort?: number, toPort?: number, ruleName?: string): void;
+/**
+ * @deprecated use makeSecurityGroupAccessibleByPrometheusV2
+ */
+export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number): void;
+export declare function makeSecurityGroupAccessibleByPrometheusV2(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number, ruleName?: string): void;

package/prometheus.js

@@ -9,9 +9,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.makeSecurityGroupAccessibleByPrometheus = exports.prometheusSecurityGroupId = exports.prometheusStack = void 0;
+exports.makeSecurityGroupAccessibleByPrometheusV2 = exports.makeSecurityGroupAccessibleByPrometheus = exports.prometheusSecurityGroupId = exports.prometheusStack = void 0;
 const pulumi = require("@pulumi/pulumi");
-const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
 const domain_1 = require("./domain");
 const withCache_1 = require("./withCache");
 const utils_1 = require("./utils");
@@ -22,16 +22,27 @@ exports.prometheusSecurityGroupId = (0, withCache_1.default)(() => __awaiter(voi
     const prom = yield (0, exports.prometheusStack)();
     return (yield prom.requireOutputValue("prometheusSecurityGroupId"));
 }));
-function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
-    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("access-the-internet-v2", ruleName), {
+/**
+ * @deprecated use makeSecurityGroupAccessibleByPrometheusV2
+ */
+function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0) {
+    new awsx.ec2.IngressSecurityGroupRule(`accept-prom-${fromPort}-${toPort}`, securityGroup, {
         sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
         description: `Allow access from prometheus`,
         fromPort,
         toPort,
         protocol: "-1",
-        type: "egress",
-        securityGroupId: securityGroup.id,
-    }, { deleteBeforeReplace: true });
+    });
 }
 exports.makeSecurityGroupAccessibleByPrometheus = makeSecurityGroupAccessibleByPrometheus;
+function makeSecurityGroupAccessibleByPrometheusV2(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
+    new awsx.ec2.IngressSecurityGroupRule((0, utils_1.withRuleName)(`accept-prom-${fromPort}-${toPort}-v2`, ruleName), securityGroup, {
+        sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
+        description: `Allow access from prometheus`,
+        fromPort,
+        toPort,
+        protocol: "-1",
+    });
+}
+exports.makeSecurityGroupAccessibleByPrometheusV2 = makeSecurityGroupAccessibleByPrometheusV2;
 //# sourceMappingURL=prometheus.js.map

package/secrets.d.ts

@@ -1,2 +1,3 @@
+import * as aws from '@pulumi/aws';
 import * as pulumi from '@pulumi/pulumi';
-export declare function secretToSSM(name: string, secureString: pulumi.Output<string>): import("@pulumi/aws/ssm/parameter").Parameter;
+export declare function secretToSSM(name: string, secureString: pulumi.Output<string>): aws.ssm.Parameter;

package/setupDatabasePermissions.d.ts

@@ -0,0 +1,2 @@
+import * as pulumi from "@pulumi/pulumi";
+export declare function setupDatabasePermissions(databaseName: string, databaseUsername: pulumi.Output<string>, databasePassword: pulumi.Output<string>): void;

package/setupDatabasePermissions.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupDatabasePermissions = void 0;
+function setupDatabasePermissions(databaseName, databaseUsername, databasePassword) {
+    // Creating users in terraform+pulumi+aws+postgres is utterly broken.
+    // Need to do this manually.
+    // 
+    // CREATE DATABASE databaseName;
+    // CREATE ROLE databaseUsername WITH LOGIN PASSWORD 'password';
+    // GRANT ALL PRIVILEGES ON DATABASE databaseUsername TO databaseUsername;
+    throw new Error(`You need to do the DB setup manually. Sorry about it!
+    Please connect to the db through the bastion node and run:
+       CREATE DATABASE databaseName;
+       CREATE ROLE databaseUsername WITH LOGIN PASSWORD 'password';
+       GRANT ALL PRIVILEGES ON DATABASE databaseUsername TO databaseUsername;`);
+}
+exports.setupDatabasePermissions = setupDatabasePermissions;
+//# sourceMappingURL=setupDatabasePermissions.js.map

package/values.d.ts

@@ -1,8 +1,9 @@
-export type EnvironmentValues = {
+import { Subnet } from "@pulumi/awsx/ec2";
+export declare type EnvironmentValues = {
     defaultSecurityGroupId: string;
-    publicSubnets: string[];
-    privateSubnets: string[];
-    internalSubnets: string[];
+    publicSubnets: Subnet[];
+    privateSubnets: Subnet[];
+    internalSubnets: Subnet[];
     /** @deprecated */
     acceptAlb: string;
     /** @deprecated */

package/values.js

@@ -10,16 +10,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getEnvConfiguration = void 0;
-const aws = require("@pulumi/aws");
 const supra_1 = require("./supra");
+const vpc_1 = require("./vpc");
 const withCache_1 = require("./withCache");
 exports.getEnvConfiguration = (0, withCache_1.default)(function () {
     return __awaiter(this, void 0, void 0, function* () {
         return {
             defaultSecurityGroupId: yield supra_1.supra.getOutputValue("acceptBastionSecurityGroupId"),
-            publicSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["public"] }] })).ids,
-            privateSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["private"] }] })).ids,
-            internalSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["internal"] }] })).ids,
+            publicSubnets: yield (yield (0, vpc_1.vpc)()).publicSubnets,
+            privateSubnets: yield (yield (0, vpc_1.vpc)()).privateSubnets,
+            internalSubnets: yield (yield (0, vpc_1.vpc)()).isolatedSubnets,
             acceptAlb: yield supra_1.supra.getOutputValue("acceptAlbSecurityGroupId"),
             acceptBastion: yield supra_1.supra.getOutputValue("acceptBastionSecurityGroupId"),
             dbSecurity: yield supra_1.supra.getOutputValue("acceptDbSecurityGroupId"),

package/vpc.d.ts

@@ -1,3 +1,3 @@
-import * as aws from '@pulumi/aws';
-export declare function vpc(): Promise<aws.ec2.GetVpcResult>;
+import * as awsx from '@pulumi/awsx';
+export declare function vpc(): Promise<awsx.ec2.Vpc>;
 export declare const getVpc: typeof vpc;

package/vpc.js

@@ -10,14 +10,14 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getVpc = exports.vpc = void 0;
-const aws = require("@pulumi/aws");
+const awsx = require("@pulumi/awsx");
 const supra_1 = require("./supra");
 let vpcReference;
 function vpc() {
     return __awaiter(this, void 0, void 0, function* () {
         if (!vpcReference) {
-            vpcReference = yield aws.ec2.getVpc({
-                id: yield supra_1.supra.getOutputValue('vpcId')
+            vpcReference = awsx.ec2.Vpc.fromExistingIds(`vpc-reference`, {
+                vpcId: yield supra_1.supra.getOutputValue('vpcId')
             });
         }
         return vpcReference;