dcl-ops-lib 5.26.4 → 6.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -1
- package/StaticWebsite.d.ts +1 -1
- package/acceptAlb.d.ts +4 -10
- package/acceptAlb.js +6 -40
- package/acceptBastion.d.ts +3 -9
- package/acceptBastion.js +4 -29
- package/acceptDb.d.ts +3 -3
- package/acceptDb.js +2 -2
- package/accessTheInternet.d.ts +3 -14
- package/accessTheInternet.js +9 -44
- package/alb.d.ts +2 -3
- package/alb.js +2 -4
- package/cloudflare.d.ts +6 -5
- package/cloudflare.js +11 -2
- package/createBucketWithUser.d.ts +1 -2
- package/createFargateTask.d.ts +25 -27
- package/createFargateTask.js +65 -54
- package/createImageFromContext.d.ts +3 -4
- package/createImageFromContext.js +1 -1
- package/domain.js +1 -1
- package/exposePublicService.d.ts +9 -11
- package/exposePublicService.js +8 -9
- package/lambda.d.ts +5 -6
- package/lambda.js +16 -12
- package/package.json +13 -11
- package/prometheus.d.ts +2 -6
- package/prometheus.js +7 -18
- package/secrets.d.ts +1 -2
- package/values.d.ts +4 -5
- package/values.js +4 -4
- package/vpc.d.ts +2 -2
- package/vpc.js +3 -3
- package/getSecurityGroup.d.ts +0 -6
- package/getSecurityGroup.js +0 -51
- package/setupDatabasePermissions.d.ts +0 -2
- package/setupDatabasePermissions.js +0 -18
package/README.md
CHANGED
package/StaticWebsite.d.ts
CHANGED
package/acceptAlb.d.ts
CHANGED
|
@@ -1,10 +1,4 @@
|
|
|
1
|
-
import * as
|
|
2
|
-
/**
|
|
3
|
-
export declare
|
|
4
|
-
|
|
5
|
-
export declare function acceptAlbSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
6
|
-
/** @deprecated use makeSecurityGroupAccessibleFromSharedAlbV2 */
|
|
7
|
-
export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
8
|
-
/** @deprecated Makes a given securityGropup accesible by the shared supra ALB */
|
|
9
|
-
export declare function makeSecurityGroupAccessibleFromSharedAlbV2(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
|
|
10
|
-
export default acceptAlbSecurityGroup;
|
|
1
|
+
import * as aws from "@pulumi/aws";
|
|
2
|
+
/** Makes a given securityGropup accesible by the shared supra ALB */
|
|
3
|
+
export declare function makeSecurityGroupAccessibleFromSharedAlb(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
|
|
4
|
+
export default makeSecurityGroupAccessibleFromSharedAlb;
|
package/acceptAlb.js
CHANGED
|
@@ -1,46 +1,12 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
3
|
-
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
4
|
-
return new (P || (P = Promise))(function (resolve, reject) {
|
|
5
|
-
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
6
|
-
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
7
|
-
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
8
|
-
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
|
-
});
|
|
10
|
-
};
|
|
11
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.
|
|
13
|
-
const awsx = require("@pulumi/awsx");
|
|
3
|
+
exports.makeSecurityGroupAccessibleFromSharedAlb = void 0;
|
|
14
4
|
const aws = require("@pulumi/aws");
|
|
15
5
|
const utils_1 = require("./utils");
|
|
16
6
|
const values_1 = require("./values");
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
const config = yield (0, values_1.getEnvConfiguration)();
|
|
21
|
-
return awsx.ec2.SecurityGroup.fromExistingId(`accept-alb-sg-reference`, config.acceptAlb);
|
|
22
|
-
}));
|
|
23
|
-
/** @deprecated use makeSecurityGroupAccessibleFromSharedAlb instead */
|
|
24
|
-
function acceptAlbSecurityGroupId() {
|
|
25
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
26
|
-
return (yield (0, exports.acceptAlbSecurityGroup)()).id;
|
|
27
|
-
});
|
|
28
|
-
}
|
|
29
|
-
exports.acceptAlbSecurityGroupId = acceptAlbSecurityGroupId;
|
|
30
|
-
/** @deprecated use makeSecurityGroupAccessibleFromSharedAlbV2 */
|
|
31
|
-
function makeSecurityGroupAccessibleFromSharedAlb(securityGroup) {
|
|
32
|
-
new awsx.ec2.IngressSecurityGroupRule("accept-alb-ingress-rule", securityGroup, {
|
|
33
|
-
sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
|
|
34
|
-
description: `Allow access from the supra ALB`,
|
|
35
|
-
fromPort: 0,
|
|
36
|
-
toPort: 0,
|
|
37
|
-
protocol: "-1",
|
|
38
|
-
});
|
|
39
|
-
}
|
|
40
|
-
exports.makeSecurityGroupAccessibleFromSharedAlb = makeSecurityGroupAccessibleFromSharedAlb;
|
|
41
|
-
/** @deprecated Makes a given securityGropup accesible by the shared supra ALB */
|
|
42
|
-
function makeSecurityGroupAccessibleFromSharedAlbV2(securityGroup, ruleName = "") {
|
|
43
|
-
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-alb-ingress-rule-v2", ruleName), {
|
|
7
|
+
/** Makes a given securityGropup accesible by the shared supra ALB */
|
|
8
|
+
function makeSecurityGroupAccessibleFromSharedAlb(securityGroup, ruleName = "") {
|
|
9
|
+
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-alb-ingress-rule", ruleName), {
|
|
44
10
|
securityGroupId: securityGroup.id,
|
|
45
11
|
sourceSecurityGroupId: (0, values_1.getEnvConfiguration)().then(($) => $.albSecurityGroupId),
|
|
46
12
|
description: `Allow access from the supra ALB`,
|
|
@@ -50,6 +16,6 @@ function makeSecurityGroupAccessibleFromSharedAlbV2(securityGroup, ruleName = ""
|
|
|
50
16
|
type: "egress",
|
|
51
17
|
}, { deleteBeforeReplace: true });
|
|
52
18
|
}
|
|
53
|
-
exports.
|
|
54
|
-
exports.default =
|
|
19
|
+
exports.makeSecurityGroupAccessibleFromSharedAlb = makeSecurityGroupAccessibleFromSharedAlb;
|
|
20
|
+
exports.default = makeSecurityGroupAccessibleFromSharedAlb;
|
|
55
21
|
//# sourceMappingURL=acceptAlb.js.map
|
package/acceptBastion.d.ts
CHANGED
|
@@ -1,9 +1,3 @@
|
|
|
1
|
-
import * as
|
|
2
|
-
|
|
3
|
-
export
|
|
4
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
5
|
-
export declare function acceptBastionSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
6
|
-
/** @deprecated use makeSecurityGroupAccessibleFromBastionV2 */
|
|
7
|
-
export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
8
|
-
export declare function makeSecurityGroupAccessibleFromBastionV2(securityGroup: awsx.ec2.SecurityGroup, ruleName?: string): void;
|
|
9
|
-
export default acceptBastionSecurityGroup;
|
|
1
|
+
import * as aws from "@pulumi/aws";
|
|
2
|
+
export declare function makeSecurityGroupAccessibleFromBastion(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
|
|
3
|
+
export default makeSecurityGroupAccessibleFromBastion;
|
package/acceptBastion.js
CHANGED
|
@@ -9,41 +9,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.
|
|
13
|
-
const awsx = require("@pulumi/awsx");
|
|
12
|
+
exports.makeSecurityGroupAccessibleFromBastion = void 0;
|
|
14
13
|
const aws = require("@pulumi/aws");
|
|
15
14
|
const values_1 = require("./values");
|
|
16
15
|
const withCache_1 = require("./withCache");
|
|
17
16
|
const utils_1 = require("./utils");
|
|
18
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
19
|
-
exports.acceptBastionSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
20
|
-
const config = yield (0, values_1.getEnvConfiguration)();
|
|
21
|
-
return awsx.ec2.SecurityGroup.fromExistingId(`accept-bastion-sg-reference`, config.acceptBastion);
|
|
22
|
-
}));
|
|
23
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
24
|
-
function acceptBastionSecurityGroupId() {
|
|
25
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
26
|
-
return (yield (0, exports.acceptBastionSecurityGroup)()).id;
|
|
27
|
-
});
|
|
28
|
-
}
|
|
29
|
-
exports.acceptBastionSecurityGroupId = acceptBastionSecurityGroupId;
|
|
30
17
|
const bastionSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
31
18
|
const config = yield (0, values_1.getEnvConfiguration)();
|
|
32
19
|
return config.bastionSecurityGroupId;
|
|
33
20
|
}));
|
|
34
|
-
|
|
35
|
-
function makeSecurityGroupAccessibleFromBastion(securityGroup) {
|
|
36
|
-
new aws.ec2.SecurityGroupRule("accesible-from-bastion", {
|
|
37
|
-
securityGroupId: securityGroup.id,
|
|
38
|
-
sourceSecurityGroupId: bastionSecurityGroupId(),
|
|
39
|
-
fromPort: -1,
|
|
40
|
-
toPort: -1,
|
|
41
|
-
type: "ingress",
|
|
42
|
-
protocol: "-1",
|
|
43
|
-
}, { deleteBeforeReplace: true });
|
|
44
|
-
}
|
|
45
|
-
exports.makeSecurityGroupAccessibleFromBastion = makeSecurityGroupAccessibleFromBastion;
|
|
46
|
-
function makeSecurityGroupAccessibleFromBastionV2(securityGroup, ruleName = "") {
|
|
21
|
+
function makeSecurityGroupAccessibleFromBastion(securityGroup, ruleName = "") {
|
|
47
22
|
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accesible-from-bastion-v2", ruleName), {
|
|
48
23
|
securityGroupId: securityGroup.id,
|
|
49
24
|
sourceSecurityGroupId: bastionSecurityGroupId(),
|
|
@@ -53,6 +28,6 @@ function makeSecurityGroupAccessibleFromBastionV2(securityGroup, ruleName = "")
|
|
|
53
28
|
protocol: "-1",
|
|
54
29
|
}, { deleteBeforeReplace: true });
|
|
55
30
|
}
|
|
56
|
-
exports.
|
|
57
|
-
exports.default =
|
|
31
|
+
exports.makeSecurityGroupAccessibleFromBastion = makeSecurityGroupAccessibleFromBastion;
|
|
32
|
+
exports.default = makeSecurityGroupAccessibleFromBastion;
|
|
58
33
|
//# sourceMappingURL=acceptBastion.js.map
|
package/acceptDb.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import * as
|
|
2
|
-
export declare const acceptDbSecurityGroup: () => Promise<
|
|
3
|
-
export declare function acceptDbSecurityGroupId(): Promise<
|
|
1
|
+
import * as aws from "@pulumi/aws";
|
|
2
|
+
export declare const acceptDbSecurityGroup: () => Promise<aws.ec2.GetSecurityGroupResult>;
|
|
3
|
+
export declare function acceptDbSecurityGroupId(): Promise<string>;
|
|
4
4
|
export default acceptDbSecurityGroup;
|
package/acceptDb.js
CHANGED
|
@@ -10,12 +10,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.acceptDbSecurityGroupId = exports.acceptDbSecurityGroup = void 0;
|
|
13
|
-
const
|
|
13
|
+
const aws = require("@pulumi/aws");
|
|
14
14
|
const values_1 = require("./values");
|
|
15
15
|
const withCache_1 = require("./withCache");
|
|
16
16
|
exports.acceptDbSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
17
17
|
const config = yield (0, values_1.getEnvConfiguration)();
|
|
18
|
-
return
|
|
18
|
+
return aws.ec2.getSecurityGroup({ name: config.dbSecurity });
|
|
19
19
|
}));
|
|
20
20
|
function acceptDbSecurityGroupId() {
|
|
21
21
|
return __awaiter(this, void 0, void 0, function* () {
|
package/accessTheInternet.d.ts
CHANGED
|
@@ -1,16 +1,5 @@
|
|
|
1
|
-
import * as
|
|
2
|
-
/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
|
|
3
|
-
export declare const accessCloudflareSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
|
|
4
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
5
|
-
export declare const accessTheInternetSecurityGroup: () => Promise<awsx.ec2.SecurityGroup>;
|
|
6
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
7
|
-
export declare function accessTheInternetSecurityGroupId(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
8
|
-
export default accessTheInternetSecurityGroup;
|
|
9
|
-
/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
|
|
10
|
-
export declare function accessFromCloudflareSecurityGroup(): Promise<import("@pulumi/pulumi").Output<string>>;
|
|
11
|
-
/** @deprecated use makeSecurityGroupAccessTheInternetV2 */
|
|
12
|
-
export declare function makeSecurityGroupAccessTheInternet(securityGroup: awsx.ec2.SecurityGroup): void;
|
|
1
|
+
import * as aws from "@pulumi/aws";
|
|
13
2
|
/** Enables egress traffic to 0.0.0.0/0/all */
|
|
14
|
-
export declare function makeSecurityGroupAccessTheInternetV2(securityGroup:
|
|
3
|
+
export declare function makeSecurityGroupAccessTheInternetV2(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;
|
|
15
4
|
/** Enables ingress traffic from cloudflare CIDRs */
|
|
16
|
-
export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup:
|
|
5
|
+
export declare function makeSecurityGroupAccessibleByCloudflare(securityGroup: aws.ec2.SecurityGroup): Promise<void>;
|
package/accessTheInternet.js
CHANGED
|
@@ -9,49 +9,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.makeSecurityGroupAccessibleByCloudflare = exports.makeSecurityGroupAccessTheInternetV2 =
|
|
13
|
-
const awsx = require("@pulumi/awsx");
|
|
12
|
+
exports.makeSecurityGroupAccessibleByCloudflare = exports.makeSecurityGroupAccessTheInternetV2 = void 0;
|
|
14
13
|
const aws = require("@pulumi/aws");
|
|
15
14
|
const cloudflare = require("@pulumi/cloudflare");
|
|
16
|
-
const supra_1 = require("./supra");
|
|
17
|
-
const values_1 = require("./values");
|
|
18
|
-
const withCache_1 = require("./withCache");
|
|
19
15
|
const utils_1 = require("./utils");
|
|
20
|
-
/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
|
|
21
|
-
exports.accessCloudflareSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
22
|
-
const config = yield (0, values_1.getEnvConfiguration)(); // ?
|
|
23
|
-
return awsx.ec2.SecurityGroup.fromExistingId(`accept-cloudflare-web-sg-reference`, supra_1.supra.getOutputValue(`cloudflareAcceptWeb`));
|
|
24
|
-
}));
|
|
25
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
26
|
-
exports.accessTheInternetSecurityGroup = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
27
|
-
const config = yield (0, values_1.getEnvConfiguration)(); // ?
|
|
28
|
-
return awsx.ec2.SecurityGroup.fromExistingId(`access-the-internet-sg-reference`, supra_1.supra.getOutputValue(`accessTheInternet`));
|
|
29
|
-
}));
|
|
30
|
-
/** @deprecated please use makeSecurityGroupAccessTheInternet */
|
|
31
|
-
function accessTheInternetSecurityGroupId() {
|
|
32
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
33
|
-
return (yield (0, exports.accessTheInternetSecurityGroup)()).id;
|
|
34
|
-
});
|
|
35
|
-
}
|
|
36
|
-
exports.accessTheInternetSecurityGroupId = accessTheInternetSecurityGroupId;
|
|
37
|
-
exports.default = exports.accessTheInternetSecurityGroup;
|
|
38
|
-
/** @deprecated please use makeSecurityGroupAccessibleByCloudflare */
|
|
39
|
-
function accessFromCloudflareSecurityGroup() {
|
|
40
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
41
|
-
return (yield (0, exports.accessCloudflareSecurityGroup)()).id;
|
|
42
|
-
});
|
|
43
|
-
}
|
|
44
|
-
exports.accessFromCloudflareSecurityGroup = accessFromCloudflareSecurityGroup;
|
|
45
|
-
/** @deprecated use makeSecurityGroupAccessTheInternetV2 */
|
|
46
|
-
function makeSecurityGroupAccessTheInternet(securityGroup) {
|
|
47
|
-
securityGroup.createEgressRule("access-the-internet", {
|
|
48
|
-
cidrBlocks: ["0.0.0.0/0"],
|
|
49
|
-
fromPort: -1,
|
|
50
|
-
toPort: -1,
|
|
51
|
-
protocol: "-1",
|
|
52
|
-
});
|
|
53
|
-
}
|
|
54
|
-
exports.makeSecurityGroupAccessTheInternet = makeSecurityGroupAccessTheInternet;
|
|
55
16
|
/** Enables egress traffic to 0.0.0.0/0/all */
|
|
56
17
|
function makeSecurityGroupAccessTheInternetV2(securityGroup, ruleName = "") {
|
|
57
18
|
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("access-the-internet-v2", ruleName), {
|
|
@@ -70,20 +31,24 @@ function makeSecurityGroupAccessibleByCloudflare(securityGroup) {
|
|
|
70
31
|
const ips = yield cloudflare.getIpRanges({});
|
|
71
32
|
for (let block of ips.ipv4CidrBlocks) {
|
|
72
33
|
const hash = (0, utils_1.sha256hash)(block).substring(0, 6);
|
|
73
|
-
|
|
34
|
+
new aws.ec2.SecurityGroupRule(`accept-cf-80-${hash}`, {
|
|
74
35
|
protocol: "tcp",
|
|
75
36
|
fromPort: 80,
|
|
76
37
|
toPort: 80,
|
|
77
38
|
cidrBlocks: [block],
|
|
39
|
+
type: "ingress",
|
|
40
|
+
securityGroupId: securityGroup.id,
|
|
78
41
|
description: `pulumi-supra-${hash}`,
|
|
79
|
-
});
|
|
80
|
-
|
|
42
|
+
}, { deleteBeforeReplace: true });
|
|
43
|
+
new aws.ec2.SecurityGroupRule(`accept-cf-443-${hash}`, {
|
|
81
44
|
protocol: "tcp",
|
|
82
45
|
fromPort: 443,
|
|
83
46
|
toPort: 443,
|
|
84
47
|
cidrBlocks: [block],
|
|
48
|
+
type: "ingress",
|
|
49
|
+
securityGroupId: securityGroup.id,
|
|
85
50
|
description: `pulumi-supra-${hash}`,
|
|
86
|
-
});
|
|
51
|
+
}, { deleteBeforeReplace: true });
|
|
87
52
|
}
|
|
88
53
|
});
|
|
89
54
|
}
|
package/alb.d.ts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
import * as aws from "@pulumi/aws";
|
|
2
|
-
|
|
3
|
-
export declare type ElbValues = {
|
|
2
|
+
export type ElbValues = {
|
|
4
3
|
dns: string;
|
|
5
4
|
elbArn: string;
|
|
6
5
|
elbUrn: string;
|
|
@@ -9,6 +8,6 @@ export declare type ElbValues = {
|
|
|
9
8
|
};
|
|
10
9
|
export declare const getAlb: () => Promise<{
|
|
11
10
|
dns: string;
|
|
12
|
-
alb:
|
|
11
|
+
alb: aws.lb.GetLoadBalancerResult;
|
|
13
12
|
listener: aws.lb.GetListenerResult;
|
|
14
13
|
}>;
|
package/alb.js
CHANGED
|
@@ -11,8 +11,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.getAlb = void 0;
|
|
13
13
|
const aws = require("@pulumi/aws");
|
|
14
|
-
const awsx = require("@pulumi/awsx");
|
|
15
|
-
const domain_1 = require("./domain");
|
|
16
14
|
const supra_1 = require("./supra");
|
|
17
15
|
const withCache_1 = require("./withCache");
|
|
18
16
|
const cache = {
|
|
@@ -25,9 +23,9 @@ const cache = {
|
|
|
25
23
|
};
|
|
26
24
|
exports.getAlb = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
|
|
27
25
|
const dns = yield supra_1.supra.getOutputValue("dns");
|
|
28
|
-
const loadBalancer = yield supra_1.supra.
|
|
26
|
+
const loadBalancer = yield supra_1.supra.getOutputDetails("albInstance");
|
|
29
27
|
const elbValues = yield supra_1.supra.getOutputValue("elbValues");
|
|
30
|
-
const alb =
|
|
28
|
+
const alb = yield aws.lb.getLoadBalancer({ arn: JSON.parse(loadBalancer.value).arn });
|
|
31
29
|
const listener = yield aws.lb.getListener({ arn: elbValues.listenerArn });
|
|
32
30
|
return { dns, alb, listener };
|
|
33
31
|
}));
|
package/cloudflare.d.ts
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
import * as pulumi from "@pulumi/pulumi";
|
|
2
2
|
import * as cloudflare from "@pulumi/cloudflare";
|
|
3
|
-
export
|
|
3
|
+
export type DeployWorkerConfig = {
|
|
4
4
|
jsWorkerFileName: string;
|
|
5
5
|
routes: pulumi.Input<string>[];
|
|
6
6
|
env?: Record<string, pulumi.Input<string>>;
|
|
7
7
|
overrides?: cloudflare.WorkerScriptArgs;
|
|
8
8
|
};
|
|
9
|
-
export
|
|
9
|
+
export type SetRecordConfig = {
|
|
10
10
|
recordName: string;
|
|
11
11
|
type: "CNAME" | "A" | "TXT";
|
|
12
12
|
value: pulumi.Input<string>;
|
|
@@ -17,8 +17,9 @@ export declare type SetRecordConfig = {
|
|
|
17
17
|
proxied: true;
|
|
18
18
|
});
|
|
19
19
|
export declare function getZoneId(): Promise<string>;
|
|
20
|
+
export declare function getAccountId(): string;
|
|
20
21
|
export declare function deployWorker(workerName: string, config: DeployWorkerConfig): Promise<{
|
|
21
|
-
[x: string]: pulumi.Output<string> | cloudflare.WorkerScript;
|
|
22
|
-
worker: cloudflare.WorkerScript;
|
|
22
|
+
[x: string]: pulumi.Output<string> | import("@pulumi/cloudflare/workerScript").WorkerScript;
|
|
23
|
+
worker: import("@pulumi/cloudflare/workerScript").WorkerScript;
|
|
23
24
|
}>;
|
|
24
|
-
export declare function setRecord(config: SetRecordConfig): Promise<cloudflare.Record>;
|
|
25
|
+
export declare function setRecord(config: SetRecordConfig): Promise<import("@pulumi/cloudflare/record").Record>;
|
package/cloudflare.js
CHANGED
|
@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.setRecord = exports.deployWorker = exports.getZoneId = void 0;
|
|
12
|
+
exports.setRecord = exports.deployWorker = exports.getAccountId = exports.getZoneId = void 0;
|
|
13
13
|
const pulumi = require("@pulumi/pulumi");
|
|
14
14
|
const cloudflare = require("@pulumi/cloudflare");
|
|
15
15
|
const domain_1 = require("./domain");
|
|
@@ -23,6 +23,15 @@ function getZoneId() {
|
|
|
23
23
|
});
|
|
24
24
|
}
|
|
25
25
|
exports.getZoneId = getZoneId;
|
|
26
|
+
function getAccountId() {
|
|
27
|
+
if (process.env.CLOUDFLARE_ACCOUNT_ID) {
|
|
28
|
+
return process.env.CLOUDFLARE_ACCOUNT_ID;
|
|
29
|
+
}
|
|
30
|
+
else {
|
|
31
|
+
throw new Error("CLOUDFLARE_ACCOUNT_ID not set");
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
exports.getAccountId = getAccountId;
|
|
26
35
|
function deployWorker(workerName, config) {
|
|
27
36
|
return __awaiter(this, void 0, void 0, function* () {
|
|
28
37
|
// get file contents
|
|
@@ -34,7 +43,7 @@ function deployWorker(workerName, config) {
|
|
|
34
43
|
});
|
|
35
44
|
// create the worker
|
|
36
45
|
const worker = new cloudflare.WorkerScript(`${workerName}-${domain_1.publicTLD}`, Object.assign({ name: `${workerName}-${domain_1.publicTLD}`, content,
|
|
37
|
-
plainTextBindings }, (config.overrides || {})));
|
|
46
|
+
plainTextBindings, accountId: getAccountId() }, (config.overrides || {})));
|
|
38
47
|
const ret = { [workerName + "-" + domain_1.publicTLD]: worker.id, worker };
|
|
39
48
|
// create the routes
|
|
40
49
|
let count = 0;
|
|
@@ -1,8 +1,7 @@
|
|
|
1
|
-
import * as aws from "@pulumi/aws";
|
|
2
1
|
import { BucketArgs } from "@pulumi/aws/s3/bucket";
|
|
3
2
|
import * as pulumi from "@pulumi/pulumi";
|
|
4
3
|
export declare function createBucketWithUser(name: string, bucketArgs?: BucketArgs): {
|
|
5
|
-
role: aws
|
|
4
|
+
role: import("@pulumi/aws/iam/role").Role;
|
|
6
5
|
user: pulumi.Output<string>;
|
|
7
6
|
bucket: pulumi.Output<string>;
|
|
8
7
|
bucketPolicyId: pulumi.Output<string>;
|
package/createFargateTask.d.ts
CHANGED
|
@@ -1,28 +1,26 @@
|
|
|
1
1
|
import * as aws from "@pulumi/aws";
|
|
2
|
-
import * as awsx from "@pulumi/awsx";
|
|
3
|
-
import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
|
|
4
2
|
import * as pulumi from "@pulumi/pulumi";
|
|
5
3
|
import { ExtraExposedServiceOptions } from "./exposePublicService";
|
|
6
|
-
export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) =>
|
|
7
|
-
export declare function getClusterInstance(cluster: string |
|
|
8
|
-
export
|
|
4
|
+
export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => aws.ecs.LogConfiguration;
|
|
5
|
+
export declare function getClusterInstance(cluster: string | aws.ecs.Cluster | undefined): Promise<pulumi.Output<string> | string>;
|
|
6
|
+
export type ALBMapping = {
|
|
9
7
|
domain: string;
|
|
10
8
|
dockerListeningPort: number;
|
|
11
|
-
healthCheck?: Partial<
|
|
9
|
+
healthCheck?: Partial<aws.types.input.alb.TargetGroupHealthCheck>;
|
|
12
10
|
extraExposedServiceOptions?: ExtraExposedServiceOptions;
|
|
13
11
|
};
|
|
14
12
|
export declare function getFargateExecutionRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
|
|
15
|
-
role: aws
|
|
16
|
-
policies: aws
|
|
13
|
+
role: import("@pulumi/aws/iam/role").Role;
|
|
14
|
+
policies: import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment[];
|
|
17
15
|
};
|
|
18
16
|
export declare function getFargateTaskRole(name: string, policyArnNamedMap: Record<string, pulumi.Input<string> | aws.iam.Policy>): {
|
|
19
|
-
role: aws
|
|
20
|
-
policies: aws
|
|
17
|
+
role: import("@pulumi/aws/iam/role").Role;
|
|
18
|
+
policies: import("@pulumi/aws/iam/rolePolicyAttachment").RolePolicyAttachment[];
|
|
21
19
|
};
|
|
22
|
-
export
|
|
20
|
+
export type FargateTaskOptions = {
|
|
23
21
|
securityGroups?: (string | pulumi.Output<string>)[];
|
|
24
|
-
cluster?:
|
|
25
|
-
healthCheck?: Partial<
|
|
22
|
+
cluster?: aws.ecs.Cluster | string;
|
|
23
|
+
healthCheck?: Partial<aws.types.input.alb.TargetGroupHealthCheck>;
|
|
26
24
|
desiredCount?: number;
|
|
27
25
|
memoryReservation?: number;
|
|
28
26
|
cpuReservation?: number;
|
|
@@ -38,7 +36,7 @@ export declare type FargateTaskOptions = {
|
|
|
38
36
|
extraALBMappings?: ALBMapping[];
|
|
39
37
|
executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
|
|
40
38
|
taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
|
|
41
|
-
secrets?: aws.ecs.Secret[]
|
|
39
|
+
secrets?: aws.ecs.Secret[];
|
|
42
40
|
ignoreServiceDiscovery?: boolean;
|
|
43
41
|
team: "dapps" | "platform" | "data" | "marketing" | "infra";
|
|
44
42
|
metrics?: {
|
|
@@ -50,8 +48,8 @@ export declare type FargateTaskOptions = {
|
|
|
50
48
|
dependsOn?: pulumi.Resource[];
|
|
51
49
|
volumes?: aws.types.input.ecs.TaskDefinitionVolume[] | pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
|
|
52
50
|
deregistrationDelay?: pulumi.Input<number>;
|
|
53
|
-
mountPoints?:
|
|
54
|
-
repositoryCredentials?:
|
|
51
|
+
mountPoints?: aws.ecs.MountPoint[];
|
|
52
|
+
repositoryCredentials?: aws.ecs.RepositoryCredentials;
|
|
55
53
|
};
|
|
56
54
|
/**
|
|
57
55
|
*
|
|
@@ -65,38 +63,38 @@ export declare type FargateTaskOptions = {
|
|
|
65
63
|
* @param options.healthCheckPath
|
|
66
64
|
* @param options.policyArnNamedMap key-value named map of policies to attach to the default execution role for this task
|
|
67
65
|
*/
|
|
68
|
-
export declare function createFargateTask(serviceName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string
|
|
66
|
+
export declare function createFargateTask(serviceName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, dockerListeningPort: number, environment: {
|
|
69
67
|
name: string;
|
|
70
68
|
value: pulumi.Input<string>;
|
|
71
69
|
secret?: boolean;
|
|
72
70
|
}[], hostname: string, options: FargateTaskOptions): Promise<{
|
|
73
|
-
service:
|
|
71
|
+
service: import("@pulumi/aws/ecs/service").Service;
|
|
74
72
|
endpoint: string;
|
|
75
73
|
exposed?: undefined;
|
|
76
74
|
} | {
|
|
77
75
|
endpoint: string;
|
|
78
|
-
service:
|
|
76
|
+
service: import("@pulumi/aws/ecs/service").Service;
|
|
79
77
|
exposed: {
|
|
80
78
|
domain: string;
|
|
81
79
|
certificate: pulumi.Input<string>;
|
|
82
|
-
record:
|
|
83
|
-
targetGroup:
|
|
84
|
-
cloudflareRecord:
|
|
80
|
+
record: import("@pulumi/aws/route53/record").Record | undefined;
|
|
81
|
+
targetGroup: import("@pulumi/aws/alb/targetGroup").TargetGroup;
|
|
82
|
+
cloudflareRecord: import("@pulumi/cloudflare/record").Record | undefined;
|
|
85
83
|
};
|
|
86
84
|
}>;
|
|
87
|
-
export
|
|
85
|
+
export type InternalServiceOptions = {
|
|
88
86
|
serviceName: string;
|
|
89
|
-
cluster?: string |
|
|
90
|
-
securityGroups?:
|
|
87
|
+
cluster?: string | aws.ecs.Cluster;
|
|
88
|
+
securityGroups?: (string | pulumi.Output<string>)[];
|
|
91
89
|
ignoreServiceDiscovery?: boolean;
|
|
92
90
|
serviceDiscoveryPort?: number;
|
|
93
91
|
desiredCount?: number;
|
|
94
92
|
executionRole?: aws.iam.Role;
|
|
95
93
|
taskRole?: aws.iam.Role;
|
|
96
|
-
containerInfo:
|
|
94
|
+
containerInfo: aws.ecs.ContainerDefinition;
|
|
97
95
|
assignPublicIp?: boolean;
|
|
98
96
|
dependsOn?: pulumi.Resource[];
|
|
99
97
|
volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
|
|
100
98
|
team: string;
|
|
101
99
|
};
|
|
102
|
-
export declare function createInternalService(config: InternalServiceOptions): Promise<
|
|
100
|
+
export declare function createInternalService(config: InternalServiceOptions): Promise<import("@pulumi/aws/ecs/service").Service>;
|
package/createFargateTask.js
CHANGED
|
@@ -11,27 +11,27 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.createInternalService = exports.createFargateTask = exports.getFargateTaskRole = exports.getFargateExecutionRole = exports.getClusterInstance = exports.getDefaultLogs = void 0;
|
|
13
13
|
const aws = require("@pulumi/aws");
|
|
14
|
-
const awsx = require("@pulumi/awsx");
|
|
15
14
|
const pulumi = require("@pulumi/pulumi");
|
|
16
15
|
const acceptAlb_1 = require("./acceptAlb");
|
|
17
16
|
const acceptBastion_1 = require("./acceptBastion");
|
|
18
17
|
const domain_1 = require("./domain");
|
|
19
18
|
const exposePublicService_1 = require("./exposePublicService");
|
|
20
19
|
const network_1 = require("./network");
|
|
21
|
-
const utils_1 = require("./utils");
|
|
22
20
|
const vpc_1 = require("./vpc");
|
|
23
21
|
const supra_1 = require("./supra");
|
|
24
22
|
const stack_1 = require("./stack");
|
|
25
23
|
const prometheus_1 = require("./prometheus");
|
|
26
24
|
const accessTheInternet_1 = require("./accessTheInternet");
|
|
27
|
-
const getDefaultLogs = (serviceName, logGroup) =>
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
}
|
|
25
|
+
const getDefaultLogs = (serviceName, logGroup) => {
|
|
26
|
+
return {
|
|
27
|
+
logDriver: "awslogs",
|
|
28
|
+
options: {
|
|
29
|
+
"awslogs-group": logGroup.name.apply((name) => name),
|
|
30
|
+
"awslogs-region": "us-east-1",
|
|
31
|
+
"awslogs-stream-prefix": serviceName,
|
|
32
|
+
},
|
|
33
|
+
};
|
|
34
|
+
};
|
|
35
35
|
exports.getDefaultLogs = getDefaultLogs;
|
|
36
36
|
const extraOpts = {
|
|
37
37
|
customTimeouts: {
|
|
@@ -42,29 +42,28 @@ const extraOpts = {
|
|
|
42
42
|
};
|
|
43
43
|
const cachedClusterInstances = {};
|
|
44
44
|
function getClusterInstance(cluster) {
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
if (
|
|
51
|
-
cachedClusterInstances[cluster]
|
|
52
|
-
cluster
|
|
53
|
-
}
|
|
45
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
46
|
+
if (undefined === cluster) {
|
|
47
|
+
const defaultClusterName = `${domain_1.env}-main`;
|
|
48
|
+
cluster = (yield aws.ecs.getCluster({ clusterName: defaultClusterName }, { async: true })).arn;
|
|
49
|
+
}
|
|
50
|
+
if (typeof cluster === "string") {
|
|
51
|
+
if (!cachedClusterInstances[cluster]) {
|
|
52
|
+
cachedClusterInstances[cluster] = (yield aws.ecs.getCluster({ clusterName: cluster }, { async: true })).arn;
|
|
53
|
+
}
|
|
54
|
+
return cachedClusterInstances[cluster];
|
|
54
55
|
}
|
|
55
|
-
return
|
|
56
|
-
}
|
|
57
|
-
return cluster;
|
|
56
|
+
return cluster.arn;
|
|
57
|
+
});
|
|
58
58
|
}
|
|
59
59
|
exports.getClusterInstance = getClusterInstance;
|
|
60
60
|
function getFargateExecutionRole(name, policyArnNamedMap) {
|
|
61
|
-
const assumeRolePolicy =
|
|
61
|
+
const assumeRolePolicy = aws.iam.assumeRolePolicyForPrincipal({
|
|
62
|
+
Service: "ecs-tasks.amazonaws.com",
|
|
63
|
+
});
|
|
62
64
|
const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
|
|
63
65
|
const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
|
|
64
66
|
const policies = [];
|
|
65
|
-
awsx.ecs.TaskDefinition.defaultExecutionRolePolicyARNs().forEach((policyArn) => {
|
|
66
|
-
policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
|
|
67
|
-
});
|
|
68
67
|
Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
|
|
69
68
|
if (policyArn instanceof aws.iam.Policy) {
|
|
70
69
|
policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
|
|
@@ -77,13 +76,12 @@ function getFargateExecutionRole(name, policyArnNamedMap) {
|
|
|
77
76
|
}
|
|
78
77
|
exports.getFargateExecutionRole = getFargateExecutionRole;
|
|
79
78
|
function getFargateTaskRole(name, policyArnNamedMap) {
|
|
80
|
-
const assumeRolePolicy =
|
|
79
|
+
const assumeRolePolicy = aws.iam.assumeRolePolicyForPrincipal({
|
|
80
|
+
Service: "ecs-tasks.amazonaws.com",
|
|
81
|
+
});
|
|
81
82
|
const dependsOn = Object.values(policyArnNamedMap).filter(($) => $ instanceof pulumi.Resource);
|
|
82
83
|
const role = new aws.iam.Role(name, { assumeRolePolicy }, { dependsOn });
|
|
83
84
|
const policies = [];
|
|
84
|
-
awsx.ecs.TaskDefinition.defaultTaskRolePolicyARNs().forEach((policyArn) => {
|
|
85
|
-
policies.push(new aws.iam.RolePolicyAttachment(`${name}-default-${(0, utils_1.sha256hash)(policyArn)}`, { role, policyArn }, { parent: role }));
|
|
86
|
-
});
|
|
87
85
|
Object.entries(policyArnNamedMap).forEach(([key, policyArn]) => {
|
|
88
86
|
if (policyArn instanceof aws.iam.Policy) {
|
|
89
87
|
policies.push(new aws.iam.RolePolicyAttachment(`${name}-${key}`, { role, policyArn: policyArn.arn }, { parent: role }));
|
|
@@ -138,7 +136,10 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
138
136
|
dependsOn = [];
|
|
139
137
|
}
|
|
140
138
|
if (undefined === mountPoints) {
|
|
141
|
-
|
|
139
|
+
mountPoints = [];
|
|
140
|
+
}
|
|
141
|
+
if (undefined === secrets) {
|
|
142
|
+
secrets = [];
|
|
142
143
|
}
|
|
143
144
|
const { role: executionRole, policies: executionPolicies } = getFargateExecutionRole(`${serviceName}-${version}-execution`, executionRolePolicies || {});
|
|
144
145
|
dependsOn.push(...executionPolicies);
|
|
@@ -158,8 +159,9 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
158
159
|
// this port should be the internal port used for administrative purposes
|
|
159
160
|
let serviceDiscoveryPort = dockerListeningPort;
|
|
160
161
|
const vpc = yield (0, vpc_1.getVpc)();
|
|
161
|
-
const taskSecurityGroup = new
|
|
162
|
-
vpc,
|
|
162
|
+
const taskSecurityGroup = new aws.ec2.SecurityGroup(`${serviceName}-${version}`, {
|
|
163
|
+
vpcId: vpc.id,
|
|
164
|
+
tags: { ServiceName: serviceName, Team: team },
|
|
163
165
|
});
|
|
164
166
|
if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
|
|
165
167
|
let fromPort = 0;
|
|
@@ -170,11 +172,13 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
170
172
|
if (toPort == 0 || toPort < port)
|
|
171
173
|
toPort = port;
|
|
172
174
|
// create a security group to enable metrics access by cwagent from inside the VPC
|
|
173
|
-
|
|
175
|
+
new aws.ec2.SecurityGroupRule(`metrics-${port}`, {
|
|
176
|
+
type: "ingress",
|
|
174
177
|
fromPort: port,
|
|
175
178
|
toPort: port,
|
|
176
179
|
protocol: "tcp",
|
|
177
|
-
cidrBlocks: [vpc.
|
|
180
|
+
cidrBlocks: [vpc.cidrBlock],
|
|
181
|
+
securityGroupId: taskSecurityGroup.id,
|
|
178
182
|
});
|
|
179
183
|
if (!extraPortMappings.find(($) => $.hostPort != metrics.port) && (port != dockerListeningPort || dontExpose)) {
|
|
180
184
|
extraPortMappings.push({
|
|
@@ -189,7 +193,7 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
189
193
|
(0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort);
|
|
190
194
|
}
|
|
191
195
|
// enable egress traffic from the task to the internet
|
|
192
|
-
(0, accessTheInternet_1.
|
|
196
|
+
(0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup);
|
|
193
197
|
// make the container fully accessible from the bastion of the environment
|
|
194
198
|
(0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup);
|
|
195
199
|
if (dontExpose) {
|
|
@@ -202,7 +206,8 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
202
206
|
ignoreServiceDiscovery,
|
|
203
207
|
securityGroups: [taskSecurityGroup.id, ...securityGroups],
|
|
204
208
|
containerInfo: {
|
|
205
|
-
|
|
209
|
+
name: serviceName,
|
|
210
|
+
secrets: [],
|
|
206
211
|
environment,
|
|
207
212
|
essential,
|
|
208
213
|
image: dockerImage,
|
|
@@ -228,8 +233,12 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
228
233
|
for (let extraALBMapping of extraALBMappings) {
|
|
229
234
|
const exposedExtra = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, undefined, extraALBMapping.extraExposedServiceOptions);
|
|
230
235
|
extraALBMappingsExposed.push(exposedExtra.targetGroup);
|
|
236
|
+
extraPortMappings.push({
|
|
237
|
+
containerPort: extraALBMapping.dockerListeningPort,
|
|
238
|
+
hostPort: extraALBMapping.dockerListeningPort,
|
|
239
|
+
});
|
|
231
240
|
}
|
|
232
|
-
const portMapping =
|
|
241
|
+
const portMapping = { containerPort: dockerListeningPort, hostPort: dockerListeningPort };
|
|
233
242
|
// make the service accesible by the ALB
|
|
234
243
|
(0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
|
|
235
244
|
const service = yield createInternalService({
|
|
@@ -243,9 +252,10 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
|
|
|
243
252
|
securityGroups: [taskSecurityGroup.id, ...securityGroups],
|
|
244
253
|
serviceDiscoveryPort,
|
|
245
254
|
containerInfo: {
|
|
255
|
+
name: serviceName,
|
|
246
256
|
secrets,
|
|
247
257
|
environment,
|
|
248
|
-
portMappings: [...extraPortMappings,
|
|
258
|
+
portMappings: [...extraPortMappings, portMapping],
|
|
249
259
|
essential,
|
|
250
260
|
image: dockerImage,
|
|
251
261
|
command,
|
|
@@ -292,26 +302,27 @@ function createInternalService(config) {
|
|
|
292
302
|
retentionInDays: 60,
|
|
293
303
|
tags: { ServiceName: serviceName, Team: team },
|
|
294
304
|
});
|
|
295
|
-
|
|
296
|
-
|
|
305
|
+
const taskDefinition = new aws.ecs.TaskDefinition((0, stack_1.getStackScopedName)(serviceName) + "-taskdefinition", {
|
|
306
|
+
executionRoleArn: executionRole === null || executionRole === void 0 ? void 0 : executionRole.arn,
|
|
307
|
+
taskRoleArn: taskRole === null || taskRole === void 0 ? void 0 : taskRole.arn,
|
|
308
|
+
tags: { ServiceName: serviceName, Team: team },
|
|
309
|
+
containerDefinitions: JSON.stringify([Object.assign(Object.assign({}, containerInfo), { logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) })]),
|
|
310
|
+
volumes: volumes,
|
|
311
|
+
family: (0, stack_1.getStackScopedName)(serviceName),
|
|
312
|
+
}, { dependsOn: [logGroup] });
|
|
313
|
+
return new aws.ecs.Service((0, stack_1.getStackScopedName)(serviceName), {
|
|
314
|
+
cluster: yield getClusterInstance(cluster),
|
|
297
315
|
tags: { ServiceName: serviceName, StackId: (0, stack_1.getStackId)() },
|
|
298
|
-
|
|
299
|
-
|
|
316
|
+
networkConfiguration: {
|
|
317
|
+
subnets: yield (0, network_1.getPrivateSubnetIds)(),
|
|
318
|
+
securityGroups: securityGroups,
|
|
319
|
+
assignPublicIp
|
|
320
|
+
},
|
|
300
321
|
serviceRegistries,
|
|
301
322
|
desiredCount,
|
|
302
323
|
enableEcsManagedTags: true,
|
|
303
|
-
assignPublicIp,
|
|
304
324
|
waitForSteadyState: false,
|
|
305
|
-
|
|
306
|
-
executionRole,
|
|
307
|
-
taskRole,
|
|
308
|
-
tags: { ServiceName: serviceName, Team: team },
|
|
309
|
-
logGroup,
|
|
310
|
-
containers: {
|
|
311
|
-
[serviceName]: Object.assign({ logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) }, containerInfo),
|
|
312
|
-
},
|
|
313
|
-
volumes: volumes,
|
|
314
|
-
},
|
|
325
|
+
taskDefinition: taskDefinition.arn,
|
|
315
326
|
}, Object.assign(Object.assign({}, extraOpts), { dependsOn }));
|
|
316
327
|
});
|
|
317
328
|
}
|
|
@@ -1,12 +1,11 @@
|
|
|
1
|
-
import * as aws from "@pulumi/aws";
|
|
2
1
|
import * as docker from "@pulumi/docker";
|
|
3
2
|
import * as pulumi from "@pulumi/pulumi";
|
|
4
|
-
export declare function createImageFromContext(name: string, context: string, options?: Partial<docker.DockerBuild>, imageOpts?: pulumi.ComponentResourceOptions): {
|
|
5
|
-
ecr: aws
|
|
3
|
+
export declare function createImageFromContext(name: string, context: string, options?: Partial<docker.types.input.DockerBuild>, imageOpts?: pulumi.ComponentResourceOptions): {
|
|
4
|
+
ecr: import("@pulumi/aws/ecr/repository").Repository;
|
|
6
5
|
registry: pulumi.Output<{
|
|
7
6
|
server: string;
|
|
8
7
|
username: string;
|
|
9
8
|
password: string;
|
|
10
9
|
}>;
|
|
11
|
-
image: docker.Image;
|
|
10
|
+
image: import("@pulumi/docker/image").Image;
|
|
12
11
|
};
|
|
@@ -9,7 +9,7 @@ function createImageFromContext(name, context, options, imageOpts) {
|
|
|
9
9
|
const registry = (0, getImageRegistryAndCredentials_1.getImageRegistryAndCredentials)(ecr);
|
|
10
10
|
const image = new docker.Image(`${name}-image`, {
|
|
11
11
|
imageName: ecr.repositoryUrl,
|
|
12
|
-
build: Object.assign({ context,
|
|
12
|
+
build: Object.assign({ context, args: {
|
|
13
13
|
DOCKER_BUILDKIT: "1",
|
|
14
14
|
} }, options),
|
|
15
15
|
registry: registry,
|
package/domain.js
CHANGED
|
@@ -4,7 +4,7 @@ exports.publicDomain = exports.domain = exports.publicTLD = exports.envTLD = exp
|
|
|
4
4
|
const env = process.env["ENVIRONMENT"];
|
|
5
5
|
exports.env = env;
|
|
6
6
|
if (env === undefined) {
|
|
7
|
-
throw new Error("Set the ENVIRONMENT environment before proceeding");
|
|
7
|
+
throw new Error("Set the ENVIRONMENT environment before proceeding.");
|
|
8
8
|
}
|
|
9
9
|
/** Internal TLD { prd=co stg=net dev=io }, managed by AWS */
|
|
10
10
|
let envTLD = "";
|
package/exposePublicService.d.ts
CHANGED
|
@@ -1,17 +1,15 @@
|
|
|
1
1
|
import * as pulumi from "@pulumi/pulumi";
|
|
2
2
|
import * as aws from "@pulumi/aws";
|
|
3
|
-
import
|
|
4
|
-
|
|
5
|
-
import { ApplicationTargetGroupHealthCheck } from "@pulumi/awsx/lb";
|
|
6
|
-
export declare type ProxiedCloudflareDomain = {
|
|
3
|
+
import { alb as albTypes } from "@pulumi/aws/types/input";
|
|
4
|
+
export type ProxiedCloudflareDomain = {
|
|
7
5
|
createCloudflareProxiedSubdomain: true;
|
|
8
6
|
};
|
|
9
|
-
export
|
|
7
|
+
export type UnproxiedCloudflareDomain = {
|
|
10
8
|
createCloudflareDNSWithoutProxy: true;
|
|
11
9
|
ttl: number;
|
|
12
10
|
};
|
|
13
|
-
export
|
|
14
|
-
export
|
|
11
|
+
export type CloudflareDomainOptions = ProxiedCloudflareDomain | UnproxiedCloudflareDomain | {};
|
|
12
|
+
export type ExtraExposedServiceOptions = CloudflareDomainOptions & {
|
|
15
13
|
skipInternalDomain?: boolean;
|
|
16
14
|
targetGroupConditions?: pulumi.Input<aws.types.input.alb.ListenerRuleCondition>[];
|
|
17
15
|
};
|
|
@@ -24,10 +22,10 @@ export declare type ExtraExposedServiceOptions = CloudflareDomainOptions & {
|
|
|
24
22
|
* @param domain
|
|
25
23
|
* @param port
|
|
26
24
|
*/
|
|
27
|
-
export declare function exposePublicService(name: string, domain: string, port: number, healthCheck?: Partial<
|
|
25
|
+
export declare function exposePublicService(name: string, domain: string, port: number, healthCheck?: Partial<albTypes.TargetGroupHealthCheck>, vpc?: aws.ec2.Vpc, extraOptions?: ExtraExposedServiceOptions, deregistrationDelay?: pulumi.Input<number>): Promise<{
|
|
28
26
|
domain: string;
|
|
29
27
|
certificate: pulumi.Input<string>;
|
|
30
|
-
record:
|
|
31
|
-
targetGroup:
|
|
32
|
-
cloudflareRecord:
|
|
28
|
+
record: import("@pulumi/aws/route53/record").Record | undefined;
|
|
29
|
+
targetGroup: import("@pulumi/aws/alb/targetGroup").TargetGroup;
|
|
30
|
+
cloudflareRecord: import("@pulumi/cloudflare/record").Record | undefined;
|
|
33
31
|
}>;
|
package/exposePublicService.js
CHANGED
|
@@ -11,7 +11,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.exposePublicService = void 0;
|
|
13
13
|
const aws = require("@pulumi/aws");
|
|
14
|
-
const awsx = require("@pulumi/awsx");
|
|
15
14
|
const domain_1 = require("./domain");
|
|
16
15
|
const alb_1 = require("./alb");
|
|
17
16
|
const certificate_1 = require("./certificate");
|
|
@@ -50,13 +49,13 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
50
49
|
const createInternalDomain = !onlyCloudflare;
|
|
51
50
|
const certificate = (0, certificate_1.getCertificateFor)(domain);
|
|
52
51
|
const slug = name;
|
|
53
|
-
const targetVpc = vpc ? vpc :
|
|
52
|
+
const targetVpc = vpc ? vpc : yield aws.ec2.getVpc({ default: true }, { async: true });
|
|
54
53
|
const targetDeregistrationDelay = deregistrationDelay ? deregistrationDelay : 300;
|
|
55
|
-
const targetGroup = alb.
|
|
54
|
+
const targetGroup = new aws.alb.TargetGroup("tg-" + slug.substr(-32 + 12), {
|
|
56
55
|
protocol: "HTTP",
|
|
57
56
|
port,
|
|
58
57
|
healthCheck: healthCheckValue,
|
|
59
|
-
|
|
58
|
+
vpcId: targetVpc.id,
|
|
60
59
|
deregistrationDelay: targetDeregistrationDelay,
|
|
61
60
|
});
|
|
62
61
|
const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(domain);
|
|
@@ -71,8 +70,8 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
71
70
|
type: "A",
|
|
72
71
|
aliases: [
|
|
73
72
|
{
|
|
74
|
-
name: alb.
|
|
75
|
-
zoneId: alb.
|
|
73
|
+
name: alb.dnsName,
|
|
74
|
+
zoneId: alb.zoneId,
|
|
76
75
|
evaluateTargetHealth: false,
|
|
77
76
|
},
|
|
78
77
|
],
|
|
@@ -85,7 +84,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
85
84
|
cloudflareRecord = yield (0, cloudflare_1.setRecord)({
|
|
86
85
|
recordName: domainParts.subdomain,
|
|
87
86
|
type: "CNAME",
|
|
88
|
-
value: alb.
|
|
87
|
+
value: alb.dnsName,
|
|
89
88
|
proxied: false,
|
|
90
89
|
ttl: extraOptions.ttl || 600,
|
|
91
90
|
});
|
|
@@ -94,7 +93,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
94
93
|
cloudflareRecord = yield (0, cloudflare_1.setRecord)({
|
|
95
94
|
recordName: domainParts.subdomain,
|
|
96
95
|
type: "CNAME",
|
|
97
|
-
value: alb.
|
|
96
|
+
value: alb.dnsName,
|
|
98
97
|
proxied: true,
|
|
99
98
|
});
|
|
100
99
|
}
|
|
@@ -106,7 +105,7 @@ function exposePublicService(name, domain, port, healthCheck = {}, vpc, extraOpt
|
|
|
106
105
|
actions: [
|
|
107
106
|
{
|
|
108
107
|
type: "forward",
|
|
109
|
-
targetGroupArn: targetGroup.
|
|
108
|
+
targetGroupArn: targetGroup.arn,
|
|
110
109
|
},
|
|
111
110
|
],
|
|
112
111
|
});
|
package/lambda.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
import * as awsx from "@pulumi/awsx";
|
|
2
1
|
import * as aws from "@pulumi/aws";
|
|
2
|
+
import * as apigateway from "@pulumi/aws-apigateway";
|
|
3
3
|
import * as pulumi from "@pulumi/pulumi";
|
|
4
|
-
export
|
|
4
|
+
export type LambdaOptions = {
|
|
5
5
|
folderName: string;
|
|
6
6
|
extra?: Partial<aws.lambda.FunctionArgs>;
|
|
7
7
|
attachRolePolicyArn?: Record<string, pulumi.Input<string>>;
|
|
@@ -9,11 +9,10 @@ export declare type LambdaOptions = {
|
|
|
9
9
|
export declare function createGateway(options: {
|
|
10
10
|
fullyQualifiedDomainName: string;
|
|
11
11
|
}, fn: (addRoute: (config: LambdaOptions & {
|
|
12
|
-
method:
|
|
12
|
+
method: apigateway.types.enums.Method;
|
|
13
13
|
path: string;
|
|
14
|
-
extraRoute?: awsx.apigateway.BaseRoute;
|
|
15
14
|
}) => Promise<void>) => Promise<void>): Promise<{
|
|
16
|
-
gateway:
|
|
17
|
-
record: aws
|
|
15
|
+
gateway: import("@pulumi/aws-apigateway/restAPI").RestAPI;
|
|
16
|
+
record: import("@pulumi/aws/route53/record").Record;
|
|
18
17
|
lambdasDomain: string;
|
|
19
18
|
}>;
|
package/lambda.js
CHANGED
|
@@ -10,8 +10,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.createGateway = void 0;
|
|
13
|
-
const awsx = require("@pulumi/awsx");
|
|
14
13
|
const aws = require("@pulumi/aws");
|
|
14
|
+
const apigateway = require("@pulumi/aws-apigateway");
|
|
15
15
|
const pulumi = require("@pulumi/pulumi");
|
|
16
16
|
const path_1 = require("path");
|
|
17
17
|
const domain_1 = require("./domain");
|
|
@@ -66,7 +66,7 @@ function createLambda(fullyQualifiedDomainName, config) {
|
|
|
66
66
|
});
|
|
67
67
|
}
|
|
68
68
|
const name = (0, stack_1.getStackScopedName)((subdomain || "ROOTDOMAIN") + "-" + lambdaName);
|
|
69
|
-
const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "
|
|
69
|
+
const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs18.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
|
|
70
70
|
new pulumi.asset.AssetArchive({
|
|
71
71
|
[(0, path_1.basename)(file)]: new pulumi.asset.FileAsset(file),
|
|
72
72
|
}), role: (extra === null || extra === void 0 ? void 0 : extra.role) || lambdaApiGatewayRole.arn }, extra));
|
|
@@ -78,9 +78,13 @@ function createGateway(options, fn) {
|
|
|
78
78
|
const routes = [];
|
|
79
79
|
yield fn(function configureApiGatewayLambda(config) {
|
|
80
80
|
return __awaiter(this, void 0, void 0, function* () {
|
|
81
|
-
const { method, path
|
|
81
|
+
const { method, path } = config;
|
|
82
82
|
const lambda = yield createLambda(options.fullyQualifiedDomainName, config);
|
|
83
|
-
routes.push(
|
|
83
|
+
routes.push({
|
|
84
|
+
method: method,
|
|
85
|
+
path,
|
|
86
|
+
eventHandler: lambda
|
|
87
|
+
});
|
|
84
88
|
});
|
|
85
89
|
});
|
|
86
90
|
if (routes.length == 0) {
|
|
@@ -88,15 +92,15 @@ function createGateway(options, fn) {
|
|
|
88
92
|
}
|
|
89
93
|
const stageName = domain_1.env;
|
|
90
94
|
// Create a public HTTP endpoint (using AWS APIGateway)
|
|
91
|
-
const gateway = new
|
|
95
|
+
const gateway = new apigateway.RestAPI((0, stack_1.getStackScopedName)(options.fullyQualifiedDomainName.replace(/\./g, "-")), {
|
|
92
96
|
routes: routes,
|
|
97
|
+
stageName
|
|
98
|
+
});
|
|
99
|
+
new aws.apigateway.Stage((0, stack_1.getStackScopedName)(`${options.fullyQualifiedDomainName.replace(/\./g, "-")}-stage`), {
|
|
100
|
+
restApi: gateway.api.id,
|
|
101
|
+
deployment: gateway.deployment.id,
|
|
93
102
|
stageName,
|
|
94
|
-
|
|
95
|
-
name: "rest-api",
|
|
96
|
-
},
|
|
97
|
-
stageArgs: {
|
|
98
|
-
xrayTracingEnabled: true,
|
|
99
|
-
},
|
|
103
|
+
xrayTracingEnabled: true
|
|
100
104
|
});
|
|
101
105
|
const { record, lambdasDomain } = yield configureApiGatewayDomain(options.fullyQualifiedDomainName, gateway);
|
|
102
106
|
return {
|
|
@@ -120,7 +124,7 @@ function configureApiGatewayDomain(fullyQualifiedDomainName, gateway) {
|
|
|
120
124
|
deleteBeforeReplace: true,
|
|
121
125
|
});
|
|
122
126
|
const webDomainMapping = new aws.apigateway.BasePathMapping((0, stack_1.getStackScopedName)(subdomain + "-bpm"), {
|
|
123
|
-
restApi: gateway.
|
|
127
|
+
restApi: gateway.api.id,
|
|
124
128
|
stageName: gateway.stage.stageName,
|
|
125
129
|
domainName: webDomain.id,
|
|
126
130
|
}, { dependsOn: [webDomain], deleteBeforeReplace: true });
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "dcl-ops-lib",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "6.0.1",
|
|
4
4
|
"scripts": {
|
|
5
5
|
"build": "tsc && cp bin/* . && node test.js",
|
|
6
6
|
"clean": "rm *.d.ts *.js *.js.map"
|
|
@@ -20,18 +20,20 @@
|
|
|
20
20
|
"extends": "@semantic-release/gitlab-config"
|
|
21
21
|
},
|
|
22
22
|
"devDependencies": {
|
|
23
|
-
"@semantic-release/gitlab-config": "^
|
|
24
|
-
"@types/mime": "^3.0.
|
|
25
|
-
"@types/node": "^
|
|
26
|
-
"semantic-release": "^
|
|
27
|
-
"typescript": "^
|
|
23
|
+
"@semantic-release/gitlab-config": "^13.0.0",
|
|
24
|
+
"@types/mime": "^3.0.4",
|
|
25
|
+
"@types/node": "^20.9.3",
|
|
26
|
+
"semantic-release": "^22.0.8",
|
|
27
|
+
"typescript": "^5.3.2"
|
|
28
28
|
},
|
|
29
29
|
"dependencies": {
|
|
30
|
-
"@pulumi/aws": "
|
|
31
|
-
"@pulumi/
|
|
32
|
-
"@pulumi/
|
|
33
|
-
"@pulumi/
|
|
34
|
-
"@pulumi/
|
|
30
|
+
"@pulumi/aws": "6.9.0",
|
|
31
|
+
"@pulumi/aws-apigateway": "^2.0.1",
|
|
32
|
+
"@pulumi/aws-native": "^0.86.0",
|
|
33
|
+
"@pulumi/awsx": "2.2.0",
|
|
34
|
+
"@pulumi/cloudflare": "5.15.0",
|
|
35
|
+
"@pulumi/docker": "4.5.0",
|
|
36
|
+
"@pulumi/pulumi": "3.94.2",
|
|
35
37
|
"mime": "^3.0.0"
|
|
36
38
|
}
|
|
37
39
|
}
|
package/prometheus.d.ts
CHANGED
|
@@ -1,9 +1,5 @@
|
|
|
1
1
|
import * as pulumi from "@pulumi/pulumi";
|
|
2
|
-
import * as
|
|
2
|
+
import * as aws from "@pulumi/aws";
|
|
3
3
|
export declare const prometheusStack: () => Promise<pulumi.StackReference>;
|
|
4
4
|
export declare const prometheusSecurityGroupId: () => Promise<string>;
|
|
5
|
-
|
|
6
|
-
* @deprecated use makeSecurityGroupAccessibleByPrometheusV2
|
|
7
|
-
*/
|
|
8
|
-
export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number): void;
|
|
9
|
-
export declare function makeSecurityGroupAccessibleByPrometheusV2(securityGroup: awsx.ec2.SecurityGroup, fromPort?: number, toPort?: number, ruleName?: string): void;
|
|
5
|
+
export declare function makeSecurityGroupAccessibleByPrometheus(securityGroup: aws.ec2.SecurityGroup, fromPort?: number, toPort?: number, ruleName?: string): void;
|
package/prometheus.js
CHANGED
|
@@ -9,9 +9,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
9
9
|
});
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.
|
|
12
|
+
exports.makeSecurityGroupAccessibleByPrometheus = exports.prometheusSecurityGroupId = exports.prometheusStack = void 0;
|
|
13
13
|
const pulumi = require("@pulumi/pulumi");
|
|
14
|
-
const
|
|
14
|
+
const aws = require("@pulumi/aws");
|
|
15
15
|
const domain_1 = require("./domain");
|
|
16
16
|
const withCache_1 = require("./withCache");
|
|
17
17
|
const utils_1 = require("./utils");
|
|
@@ -22,27 +22,16 @@ exports.prometheusSecurityGroupId = (0, withCache_1.default)(() => __awaiter(voi
|
|
|
22
22
|
const prom = yield (0, exports.prometheusStack)();
|
|
23
23
|
return (yield prom.requireOutputValue("prometheusSecurityGroupId"));
|
|
24
24
|
}));
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
*/
|
|
28
|
-
function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0) {
|
|
29
|
-
new awsx.ec2.IngressSecurityGroupRule(`accept-prom-${fromPort}-${toPort}`, securityGroup, {
|
|
25
|
+
function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
|
|
26
|
+
new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("access-the-internet-v2", ruleName), {
|
|
30
27
|
sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
|
|
31
28
|
description: `Allow access from prometheus`,
|
|
32
29
|
fromPort,
|
|
33
30
|
toPort,
|
|
34
31
|
protocol: "-1",
|
|
35
|
-
|
|
32
|
+
type: "egress",
|
|
33
|
+
securityGroupId: securityGroup.id,
|
|
34
|
+
}, { deleteBeforeReplace: true });
|
|
36
35
|
}
|
|
37
36
|
exports.makeSecurityGroupAccessibleByPrometheus = makeSecurityGroupAccessibleByPrometheus;
|
|
38
|
-
function makeSecurityGroupAccessibleByPrometheusV2(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
|
|
39
|
-
new awsx.ec2.IngressSecurityGroupRule((0, utils_1.withRuleName)(`accept-prom-${fromPort}-${toPort}-v2`, ruleName), securityGroup, {
|
|
40
|
-
sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),
|
|
41
|
-
description: `Allow access from prometheus`,
|
|
42
|
-
fromPort,
|
|
43
|
-
toPort,
|
|
44
|
-
protocol: "-1",
|
|
45
|
-
});
|
|
46
|
-
}
|
|
47
|
-
exports.makeSecurityGroupAccessibleByPrometheusV2 = makeSecurityGroupAccessibleByPrometheusV2;
|
|
48
37
|
//# sourceMappingURL=prometheus.js.map
|
package/secrets.d.ts
CHANGED
|
@@ -1,3 +1,2 @@
|
|
|
1
|
-
import * as aws from '@pulumi/aws';
|
|
2
1
|
import * as pulumi from '@pulumi/pulumi';
|
|
3
|
-
export declare function secretToSSM(name: string, secureString: pulumi.Output<string>): aws
|
|
2
|
+
export declare function secretToSSM(name: string, secureString: pulumi.Output<string>): import("@pulumi/aws/ssm/parameter").Parameter;
|
package/values.d.ts
CHANGED
|
@@ -1,9 +1,8 @@
|
|
|
1
|
-
|
|
2
|
-
export declare type EnvironmentValues = {
|
|
1
|
+
export type EnvironmentValues = {
|
|
3
2
|
defaultSecurityGroupId: string;
|
|
4
|
-
publicSubnets:
|
|
5
|
-
privateSubnets:
|
|
6
|
-
internalSubnets:
|
|
3
|
+
publicSubnets: string[];
|
|
4
|
+
privateSubnets: string[];
|
|
5
|
+
internalSubnets: string[];
|
|
7
6
|
/** @deprecated */
|
|
8
7
|
acceptAlb: string;
|
|
9
8
|
/** @deprecated */
|
package/values.js
CHANGED
|
@@ -10,16 +10,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.getEnvConfiguration = void 0;
|
|
13
|
+
const aws = require("@pulumi/aws");
|
|
13
14
|
const supra_1 = require("./supra");
|
|
14
|
-
const vpc_1 = require("./vpc");
|
|
15
15
|
const withCache_1 = require("./withCache");
|
|
16
16
|
exports.getEnvConfiguration = (0, withCache_1.default)(function () {
|
|
17
17
|
return __awaiter(this, void 0, void 0, function* () {
|
|
18
18
|
return {
|
|
19
19
|
defaultSecurityGroupId: yield supra_1.supra.getOutputValue("acceptBastionSecurityGroupId"),
|
|
20
|
-
publicSubnets: yield (
|
|
21
|
-
privateSubnets: yield (
|
|
22
|
-
internalSubnets: yield (
|
|
20
|
+
publicSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["public"] }] })).ids,
|
|
21
|
+
privateSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["private"] }] })).ids,
|
|
22
|
+
internalSubnets: (yield aws.ec2.getSubnets({ filters: [{ name: "tag:type", values: ["internal"] }] })).ids,
|
|
23
23
|
acceptAlb: yield supra_1.supra.getOutputValue("acceptAlbSecurityGroupId"),
|
|
24
24
|
acceptBastion: yield supra_1.supra.getOutputValue("acceptBastionSecurityGroupId"),
|
|
25
25
|
dbSecurity: yield supra_1.supra.getOutputValue("acceptDbSecurityGroupId"),
|
package/vpc.d.ts
CHANGED
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
import * as
|
|
2
|
-
export declare function vpc(): Promise<
|
|
1
|
+
import * as aws from '@pulumi/aws';
|
|
2
|
+
export declare function vpc(): Promise<aws.ec2.GetVpcResult>;
|
|
3
3
|
export declare const getVpc: typeof vpc;
|
package/vpc.js
CHANGED
|
@@ -10,14 +10,14 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
12
|
exports.getVpc = exports.vpc = void 0;
|
|
13
|
-
const
|
|
13
|
+
const aws = require("@pulumi/aws");
|
|
14
14
|
const supra_1 = require("./supra");
|
|
15
15
|
let vpcReference;
|
|
16
16
|
function vpc() {
|
|
17
17
|
return __awaiter(this, void 0, void 0, function* () {
|
|
18
18
|
if (!vpcReference) {
|
|
19
|
-
vpcReference =
|
|
20
|
-
|
|
19
|
+
vpcReference = yield aws.ec2.getVpc({
|
|
20
|
+
id: yield supra_1.supra.getOutputValue('vpcId')
|
|
21
21
|
});
|
|
22
22
|
}
|
|
23
23
|
return vpcReference;
|
package/getSecurityGroup.d.ts
DELETED
|
@@ -1,6 +0,0 @@
|
|
|
1
|
-
import * as awsx from "@pulumi/awsx";
|
|
2
|
-
import { Output } from '@pulumi/pulumi';
|
|
3
|
-
export declare function createSecurityGroupFunction(name: string, id: string | Output<string>): {
|
|
4
|
-
getSecurityGroup: () => Promise<awsx.ec2.SecurityGroup | Output<awsx.ec2.SecurityGroup>>;
|
|
5
|
-
getSecurityGroupId: () => Promise<Output<string>>;
|
|
6
|
-
};
|
package/getSecurityGroup.js
DELETED
|
@@ -1,51 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
3
|
-
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
4
|
-
return new (P || (P = Promise))(function (resolve, reject) {
|
|
5
|
-
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
6
|
-
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
7
|
-
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
8
|
-
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
|
-
});
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.createSecurityGroupFunction = void 0;
|
|
13
|
-
const awsx = require("@pulumi/awsx");
|
|
14
|
-
function createSecurityGroupFunction(name, id) {
|
|
15
|
-
let securityGroupOutput;
|
|
16
|
-
let securityGroupPromise;
|
|
17
|
-
function getSecurityGroup() {
|
|
18
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
19
|
-
if (!securityGroupOutput) {
|
|
20
|
-
if (!securityGroupPromise) {
|
|
21
|
-
securityGroupPromise = new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () {
|
|
22
|
-
try {
|
|
23
|
-
resolve(awsx.ec2.SecurityGroup.fromExistingId(name, id));
|
|
24
|
-
}
|
|
25
|
-
catch (e) {
|
|
26
|
-
reject(e);
|
|
27
|
-
}
|
|
28
|
-
}));
|
|
29
|
-
return yield securityGroupPromise;
|
|
30
|
-
}
|
|
31
|
-
else {
|
|
32
|
-
return yield securityGroupPromise;
|
|
33
|
-
}
|
|
34
|
-
}
|
|
35
|
-
else {
|
|
36
|
-
return securityGroupOutput;
|
|
37
|
-
}
|
|
38
|
-
});
|
|
39
|
-
}
|
|
40
|
-
function getSecurityGroupId() {
|
|
41
|
-
return __awaiter(this, void 0, void 0, function* () {
|
|
42
|
-
return (yield getSecurityGroup()).id;
|
|
43
|
-
});
|
|
44
|
-
}
|
|
45
|
-
return {
|
|
46
|
-
getSecurityGroup: getSecurityGroup,
|
|
47
|
-
getSecurityGroupId: getSecurityGroupId
|
|
48
|
-
};
|
|
49
|
-
}
|
|
50
|
-
exports.createSecurityGroupFunction = createSecurityGroupFunction;
|
|
51
|
-
//# sourceMappingURL=getSecurityGroup.js.map
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.setupDatabasePermissions = void 0;
|
|
4
|
-
function setupDatabasePermissions(databaseName, databaseUsername, databasePassword) {
|
|
5
|
-
// Creating users in terraform+pulumi+aws+postgres is utterly broken.
|
|
6
|
-
// Need to do this manually.
|
|
7
|
-
//
|
|
8
|
-
// CREATE DATABASE databaseName;
|
|
9
|
-
// CREATE ROLE databaseUsername WITH LOGIN PASSWORD 'password';
|
|
10
|
-
// GRANT ALL PRIVILEGES ON DATABASE databaseUsername TO databaseUsername;
|
|
11
|
-
throw new Error(`You need to do the DB setup manually. Sorry about it!
|
|
12
|
-
Please connect to the db through the bastion node and run:
|
|
13
|
-
CREATE DATABASE databaseName;
|
|
14
|
-
CREATE ROLE databaseUsername WITH LOGIN PASSWORD 'password';
|
|
15
|
-
GRANT ALL PRIVILEGES ON DATABASE databaseUsername TO databaseUsername;`);
|
|
16
|
-
}
|
|
17
|
-
exports.setupDatabasePermissions = setupDatabasePermissions;
|
|
18
|
-
//# sourceMappingURL=setupDatabasePermissions.js.map
|