dcl-ops-lib 8.3.3 → 9.1.0

package/lambda.js

@@ -1,13 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createGateway = void 0;
 const aws = require("@pulumi/aws");
@@ -19,137 +10,138 @@ const cloudflare_1 = require("./cloudflare");
 const getDomainAndSubdomain_1 = require("./getDomainAndSubdomain");
 const certificate_1 = require("./certificate");
 const stack_1 = require("./stack");
-function createLambda(fullyQualifiedDomainName, config) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const { folderName, extra, attachRolePolicyArn } = config;
-        const file = require.resolve(folderName);
-        const lambdaName = (0, path_1.basename)(folderName);
-        if (!lambdaName.match(/^[a-zA-Z0-9-_]+$/)) {
-            throw new Error("Invalid(/^[a-zA-Z0-9-_]+$/) folder name: " + folderName);
-        }
-        const { subdomain } = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(fullyQualifiedDomainName);
-        const rolename = `${subdomain || "ROOTDOMAIN"}-${lambdaName}-role`;
-        // Configure IAM so that the AWS Lambda can be run.
-        const lambdaApiGatewayRole = new aws.iam.Role((0, stack_1.getStackScopedName)(rolename), {
-            assumeRolePolicy: {
-                Version: "2012-10-17",
-                Statement: [
-                    {
-                        Action: "sts:AssumeRole",
-                        Principal: {
-                            Service: "lambda.amazonaws.com",
-                        },
-                        Effect: "Allow",
-                        Sid: "",
+async function createLambda(fullyQualifiedDomainName, config) {
+    const { folderName, extra, attachRolePolicyArn } = config;
+    const file = require.resolve(folderName);
+    const lambdaName = (0, path_1.basename)(folderName);
+    if (!lambdaName.match(/^[a-zA-Z0-9-_]+$/)) {
+        throw new Error("Invalid(/^[a-zA-Z0-9-_]+$/) folder name: " + folderName);
+    }
+    const { subdomain } = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(fullyQualifiedDomainName);
+    const rolename = `${subdomain || "ROOTDOMAIN"}-${lambdaName}-role`;
+    // Configure IAM so that the AWS Lambda can be run.
+    const lambdaApiGatewayRole = new aws.iam.Role((0, stack_1.getStackScopedName)(rolename), {
+        assumeRolePolicy: {
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Action: "sts:AssumeRole",
+                    Principal: {
+                        Service: "lambda.amazonaws.com",
                     },
-                ],
-            },
-        });
-        // attach AWSLambdaBasicExecutionRole
-        // https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
-        // write cloudwatch logs
-        new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-AWSLambdaBasicExecutionRole`), {
-            role: lambdaApiGatewayRole,
-            policyArn: aws.iam.ManagedPolicies.AWSLambdaBasicExecutionRole,
-        });
-        // upload xray traces
-        new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-AWSXRayDaemonWriteAccess`), {
-            role: lambdaApiGatewayRole,
-            policyArn: aws.iam.ManagedPolicies.AWSXRayDaemonWriteAccess,
-        });
-        if (attachRolePolicyArn) {
-            Object.entries(attachRolePolicyArn).forEach(([name, policyArn]) => {
-                new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-${name}`), {
-                    role: lambdaApiGatewayRole,
-                    policyArn,
-                });
-            });
-        }
-        const name = (0, stack_1.getStackScopedName)((subdomain || "ROOTDOMAIN") + "-" + lambdaName);
-        const lambda = new aws.lambda.Function(name, Object.assign({ name: name, handler: `${(0, path_1.basename)(file, ".js")}.handler`, timeout: 900, memorySize: 1024, runtime: "nodejs18.x", code: (extra === null || extra === void 0 ? void 0 : extra.code) ||
-                new pulumi.asset.AssetArchive({
-                    [(0, path_1.basename)(file)]: new pulumi.asset.FileAsset(file),
-                }), role: (extra === null || extra === void 0 ? void 0 : extra.role) || lambdaApiGatewayRole.arn }, extra));
-        return lambda;
+                    Effect: "Allow",
+                    Sid: "",
+                },
+            ],
+        },
     });
-}
-function createGateway(options, fn) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const routes = [];
-        yield fn(function configureApiGatewayLambda(config) {
-            return __awaiter(this, void 0, void 0, function* () {
-                const { method, path } = config;
-                const lambda = yield createLambda(options.fullyQualifiedDomainName, config);
-                routes.push({
-                    method: method,
-                    path,
-                    eventHandler: lambda
-                });
+    // attach AWSLambdaBasicExecutionRole
+    // https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
+    // write cloudwatch logs
+    new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-AWSLambdaBasicExecutionRole`), {
+        role: lambdaApiGatewayRole,
+        policyArn: aws.iam.ManagedPolicies.AWSLambdaBasicExecutionRole,
+    });
+    // upload xray traces
+    new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-AWSXRayDaemonWriteAccess`), {
+        role: lambdaApiGatewayRole,
+        policyArn: aws.iam.ManagedPolicies.AWSXRayDaemonWriteAccess,
+    });
+    if (attachRolePolicyArn) {
+        Object.entries(attachRolePolicyArn).forEach(([name, policyArn]) => {
+            new aws.iam.RolePolicyAttachment((0, stack_1.getStackScopedName)(`${rolename}-${name}`), {
+                role: lambdaApiGatewayRole,
+                policyArn,
             });
         });
-        if (routes.length == 0) {
-            throw new Error("Warning! No routes were configured");
-        }
-        const stageName = domain_1.env;
-        // Create a public HTTP endpoint (using AWS APIGateway)
-        const gateway = new apigateway.RestAPI((0, stack_1.getStackScopedName)(options.fullyQualifiedDomainName.replace(/\./g, "-")), {
-            routes: routes,
-            stageName
-        });
-        new aws.apigateway.Stage((0, stack_1.getStackScopedName)(`${options.fullyQualifiedDomainName.replace(/\./g, "-")}-stage`), {
-            restApi: gateway.api.id,
-            deployment: gateway.deployment.id,
-            stageName,
-            xrayTracingEnabled: true
+    }
+    const name = (0, stack_1.getStackScopedName)((subdomain || "ROOTDOMAIN") + "-" + lambdaName);
+    const lambda = new aws.lambda.Function(name, {
+        name: name,
+        handler: `${(0, path_1.basename)(file, ".js")}.handler`,
+        timeout: 900,
+        memorySize: 1024,
+        runtime: "nodejs18.x",
+        code: extra?.code ||
+            new pulumi.asset.AssetArchive({
+                [(0, path_1.basename)(file)]: new pulumi.asset.FileAsset(file),
+            }),
+        role: extra?.role || lambdaApiGatewayRole.arn,
+        ...extra,
+    });
+    return lambda;
+}
+async function createGateway(options, fn) {
+    const routes = [];
+    await fn(async function configureApiGatewayLambda(config) {
+        const { method, path } = config;
+        const lambda = await createLambda(options.fullyQualifiedDomainName, config);
+        routes.push({
+            method: method,
+            path,
+            eventHandler: lambda
         });
-        const { record, lambdasDomain } = yield configureApiGatewayDomain(options.fullyQualifiedDomainName, gateway);
-        return {
-            gateway,
-            record,
-            lambdasDomain,
-        };
     });
+    if (routes.length == 0) {
+        throw new Error("Warning! No routes were configured");
+    }
+    const stageName = domain_1.env;
+    // Create a public HTTP endpoint (using AWS APIGateway)
+    const gateway = new apigateway.RestAPI((0, stack_1.getStackScopedName)(options.fullyQualifiedDomainName.replace(/\./g, "-")), {
+        routes: routes,
+        stageName
+    });
+    new aws.apigateway.Stage((0, stack_1.getStackScopedName)(`${options.fullyQualifiedDomainName.replace(/\./g, "-")}-stage`), {
+        restApi: gateway.api.id,
+        deployment: gateway.deployment.id,
+        stageName,
+        xrayTracingEnabled: true
+    });
+    const { record, lambdasDomain } = await configureApiGatewayDomain(options.fullyQualifiedDomainName, gateway);
+    return {
+        gateway,
+        record,
+        lambdasDomain,
+    };
 }
 exports.createGateway = createGateway;
-function configureApiGatewayDomain(fullyQualifiedDomainName, gateway) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(fullyQualifiedDomainName);
-        const subdomain = domainParts.subdomain || "ROOTDOMAIN";
-        // Configure an edge-optimized domain for our API Gateway. This will configure a Cloudfront CDN
-        // distribution behind the scenes and serve our API Gateway at a custom domain name over SSL.
-        const webDomain = new aws.apigateway.DomainName((0, stack_1.getStackScopedName)(subdomain + "-dn"), {
-            certificateArn: (0, certificate_1.getCertificateFor)(fullyQualifiedDomainName),
-            domainName: fullyQualifiedDomainName,
-        }, {
-            deleteBeforeReplace: true,
-        });
-        const webDomainMapping = new aws.apigateway.BasePathMapping((0, stack_1.getStackScopedName)(subdomain + "-bpm"), {
-            restApi: gateway.api.id,
-            stageName: gateway.stage.stageName,
-            domainName: webDomain.id,
-        }, { dependsOn: [webDomain], deleteBeforeReplace: true });
-        const hostedZone = yield aws.route53.getZone({ name: domainParts.parentDomain }, { async: true });
-        const record = new aws.route53.Record((0, stack_1.getStackScopedName)(fullyQualifiedDomainName), {
-            name: domainParts.subdomain || "",
-            zoneId: hostedZone.zoneId,
-            type: "A",
-            aliases: [
-                {
-                    evaluateTargetHealth: true,
-                    name: webDomain.cloudfrontDomainName,
-                    zoneId: webDomain.cloudfrontZoneId,
-                },
-            ],
-        }, { dependsOn: [webDomainMapping] });
-        if (domainParts.parentDomain.replace(/\.$/, "") == domain_1.publicDomain) {
-            (0, cloudflare_1.setRecord)({
-                proxied: true,
-                recordName: domainParts.subdomain,
-                type: "CNAME",
-                value: webDomain.cloudfrontDomainName,
-            });
-        }
-        return { record, lambdasDomain: fullyQualifiedDomainName };
+async function configureApiGatewayDomain(fullyQualifiedDomainName, gateway) {
+    const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(fullyQualifiedDomainName);
+    const subdomain = domainParts.subdomain || "ROOTDOMAIN";
+    // Configure an edge-optimized domain for our API Gateway. This will configure a Cloudfront CDN
+    // distribution behind the scenes and serve our API Gateway at a custom domain name over SSL.
+    const webDomain = new aws.apigateway.DomainName((0, stack_1.getStackScopedName)(subdomain + "-dn"), {
+        certificateArn: (0, certificate_1.getCertificateFor)(fullyQualifiedDomainName),
+        domainName: fullyQualifiedDomainName,
+    }, {
+        deleteBeforeReplace: true,
     });
+    const webDomainMapping = new aws.apigateway.BasePathMapping((0, stack_1.getStackScopedName)(subdomain + "-bpm"), {
+        restApi: gateway.api.id,
+        stageName: gateway.stage.stageName,
+        domainName: webDomain.id,
+    }, { dependsOn: [webDomain], deleteBeforeReplace: true });
+    const hostedZone = await aws.route53.getZone({ name: domainParts.parentDomain }, { async: true });
+    const record = new aws.route53.Record((0, stack_1.getStackScopedName)(fullyQualifiedDomainName), {
+        name: domainParts.subdomain || "",
+        zoneId: hostedZone.zoneId,
+        type: "A",
+        aliases: [
+            {
+                evaluateTargetHealth: true,
+                name: webDomain.cloudfrontDomainName,
+                zoneId: webDomain.cloudfrontZoneId,
+            },
+        ],
+    }, { dependsOn: [webDomainMapping] });
+    if (domainParts.parentDomain.replace(/\.$/, "") == domain_1.publicDomain) {
+        (0, cloudflare_1.setRecord)({
+            proxied: true,
+            recordName: domainParts.subdomain,
+            type: "CNAME",
+            value: webDomain.cloudfrontDomainName,
+        });
+    }
+    return { record, lambdasDomain: fullyQualifiedDomainName };
 }
 //# sourceMappingURL=lambda.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcl-ops-lib",
-  "version": "8.3.3",
+  "version": "9.1.0",
   "scripts": {
     "build": "tsc && cp bin/* . && node test.js",
     "clean": "rm *.d.ts *.js *.js.map"
@@ -15,25 +15,29 @@
   "main": "index.js",
   "release": {
     "branches": [
-      "master"
+      "master",
+      {
+        "name": "next",
+        "prerelease": true
+      }
     ],
     "extends": "@semantic-release/gitlab-config"
   },
   "devDependencies": {
-    "@semantic-release/gitlab-config": "^13.0.0",
+    "@semantic-release/gitlab-config": "^14.0.1",
     "@types/mime": "^3.0.4",
     "@types/node": "20.9.3",
-    "semantic-release": "^22.0.8",
+    "semantic-release": "^24.2.9",
     "typescript": "5.3.2"
   },
   "dependencies": {
-    "@pulumi/aws": "6.9.0",
-    "@pulumi/aws-apigateway": "^2.0.1",
+    "@pulumi/aws": "6.83.2",
+    "@pulumi/aws-apigateway": "2.6.3",
     "@pulumi/aws-native": "^0.86.0",
-    "@pulumi/awsx": "2.2.0",
+    "@pulumi/awsx": "2.22.0",
     "@pulumi/cloudflare": "5.15.0",
-    "@pulumi/docker": "4.5.0",
-    "@pulumi/pulumi": "3.94.2",
+    "@pulumi/docker": "4.11.0",
+    "@pulumi/pulumi": "3.212.0",
     "mime": "^3.0.0"
   }
 }

package/prometheus.js

@@ -1,13 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.makeSecurityGroupAccessibleByPrometheus = exports.prometheusSecurityGroupId = exports.prometheusStack = void 0;
 const pulumi = require("@pulumi/pulumi");
@@ -15,13 +6,13 @@ const aws = require("@pulumi/aws");
 const domain_1 = require("./domain");
 const withCache_1 = require("./withCache");
 const utils_1 = require("./utils");
-exports.prometheusStack = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
+exports.prometheusStack = (0, withCache_1.default)(async () => {
     return new pulumi.StackReference(`prometheus-${domain_1.env}`);
-}));
-exports.prometheusSecurityGroupId = (0, withCache_1.default)(() => __awaiter(void 0, void 0, void 0, function* () {
-    const prom = yield (0, exports.prometheusStack)();
-    return (yield prom.requireOutputValue("prometheusSecurityGroupId"));
-}));
+});
+exports.prometheusSecurityGroupId = (0, withCache_1.default)(async () => {
+    const prom = await (0, exports.prometheusStack)();
+    return (await prom.requireOutputValue("prometheusSecurityGroupId"));
+});
 function makeSecurityGroupAccessibleByPrometheus(securityGroup, fromPort = 0, toPort = 0, ruleName = "") {
     new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("allow-prometheus", ruleName), {
         sourceSecurityGroupId: (0, exports.prometheusSecurityGroupId)(),

package/scheduledTaskBase.d.ts

@@ -0,0 +1,142 @@
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+import { Team, MetricsConfig } from "./fargateHelpers";
+export { Team, MetricsConfig };
+/**
+ * Retry policy configuration
+ */
+export type RetryPolicyConfig = {
+    /**
+     * Maximum number of retry attempts (0-185)
+     */
+    maxRetries?: number;
+    /**
+     * Maximum age of the event in seconds before it's discarded
+     */
+    maxAgeSeconds?: number;
+};
+/**
+ * Base options shared between scheduled and SQS-triggered tasks
+ */
+export type BaseFargateTaskOptions = {
+    /**
+     * Team that owns this task
+     */
+    team: Team;
+    /**
+     * CPU units for the task (256, 512, 1024, 2048, 4096)
+     */
+    cpu?: number;
+    /**
+     * Memory in MB for the task (512 - 30720, depending on CPU)
+     */
+    memory?: number;
+    /**
+     * Ephemeral storage in GB (20-200)
+     */
+    ephemeralStorageInGB?: number;
+    /**
+     * Environment variables for the container
+     */
+    environment?: {
+        name: string;
+        value: pulumi.Input<string>;
+    }[];
+    /**
+     * Secrets from SSM/Secrets Manager
+     */
+    secrets?: aws.ecs.Secret[];
+    /**
+     * Override the container's default command
+     */
+    command?: string[];
+    /**
+     * Override the container's entry point
+     */
+    entryPoint?: string[];
+    /**
+     * Additional security groups
+     */
+    securityGroups?: (string | pulumi.Output<string>)[];
+    /**
+     * Whether to assign a public IP (default: false)
+     */
+    assignPublicIp?: boolean;
+    /**
+     * Prometheus metrics configuration
+     */
+    metrics?: MetricsConfig;
+    /**
+     * CloudWatch log retention in days (default: 60)
+     */
+    logRetentionDays?: number;
+    /**
+     * Policies for the task execution role
+     */
+    executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    /**
+     * Policies for the task role (application permissions)
+     */
+    taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    /**
+     * ECS cluster to run the task on
+     */
+    cluster?: aws.ecs.Cluster | string;
+    /**
+     * Number of tasks to launch per invocation (default: 1)
+     */
+    taskCount?: number;
+    /**
+     * Runtime platform configuration (e.g., for ARM64)
+     */
+    runtimePlatform?: aws.types.input.ecs.TaskDefinitionRuntimePlatform;
+    /**
+     * Volumes to attach to the task
+     */
+    volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
+    /**
+     * Mount points for the container
+     */
+    mountPoints?: aws.ecs.MountPoint[];
+    /**
+     * Repository credentials for private registries
+     */
+    repositoryCredentials?: aws.ecs.RepositoryCredentials;
+    /**
+     * Additional resources to depend on
+     */
+    dependsOn?: pulumi.Resource[];
+};
+/**
+ * Result of creating the base task infrastructure
+ */
+export type BaseTaskInfrastructure = {
+    taskDefinition: aws.ecs.TaskDefinition;
+    taskSecurityGroup: aws.ec2.SecurityGroup;
+    logGroup: aws.cloudwatch.LogGroup;
+    executionRole: aws.iam.Role;
+    taskRole: aws.iam.Role;
+    eventBridgeRole: aws.iam.Role;
+    eventBridgePolicy: aws.iam.RolePolicy;
+    clusterArn: string | pulumi.Output<string>;
+    subnetIds: string[];
+    securityGroups: (string | pulumi.Output<string>)[];
+    assignPublicIp: boolean;
+    taskCount: number;
+    resourcePrefix: string;
+    taskName: string;
+    team: Team;
+};
+/**
+ * Creates the base infrastructure shared by both scheduled and SQS-triggered Fargate tasks.
+ * This includes: task definition, security group, log group, and IAM roles.
+ *
+ * Note: Slack notifications are now handled globally by the ops-lambdas EventBridge rule.
+ *
+ * @param taskName A name for this task
+ * @param dockerImage The docker image to run
+ * @param options Base configuration options
+ * @param eventBridgeServices AWS services that can assume the EventBridge role
+ * @returns Base infrastructure resources
+ */
+export declare function createBaseTaskInfrastructure(taskName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, options: BaseFargateTaskOptions, eventBridgeServices: string[]): Promise<BaseTaskInfrastructure>;

package/scheduledTaskBase.js

@@ -0,0 +1,146 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseTaskInfrastructure = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+const network_1 = require("./network");
+const vpc_1 = require("./vpc");
+const stack_1 = require("./stack");
+const accessTheInternet_1 = require("./accessTheInternet");
+const createFargateTask_1 = require("./createFargateTask");
+const fargateHelpers_1 = require("./fargateHelpers");
+/**
+ * Creates the base infrastructure shared by both scheduled and SQS-triggered Fargate tasks.
+ * This includes: task definition, security group, log group, and IAM roles.
+ *
+ * Note: Slack notifications are now handled globally by the ops-lambdas EventBridge rule.
+ *
+ * @param taskName A name for this task
+ * @param dockerImage The docker image to run
+ * @param options Base configuration options
+ * @param eventBridgeServices AWS services that can assume the EventBridge role
+ * @returns Base infrastructure resources
+ */
+async function createBaseTaskInfrastructure(taskName, dockerImage, options, eventBridgeServices) {
+    const { team, cpu = fargateHelpers_1.DEFAULT_CPU, memory = fargateHelpers_1.DEFAULT_MEMORY, ephemeralStorageInGB, environment = [], secrets = [], command, entryPoint, securityGroups = [], assignPublicIp = false, metrics, logRetentionDays = fargateHelpers_1.DEFAULT_LOG_RETENTION_DAYS, executionRolePolicies = {}, taskRolePolicies = {}, cluster, taskCount = fargateHelpers_1.DEFAULT_DESIRED_COUNT, runtimePlatform, volumes, mountPoints = [], repositoryCredentials, dependsOn = [], } = options;
+    const version = (0, stack_1.getStackId)();
+    const resourcePrefix = `${taskName}-${version}`;
+    // Create execution role
+    const { role: executionRole, policies: executionPolicies } = (0, createFargateTask_1.getFargateExecutionRole)(`${resourcePrefix}-execution`, executionRolePolicies);
+    dependsOn.push(...executionPolicies);
+    // Create task role
+    const { role: taskRole, policies: taskPolicies } = (0, createFargateTask_1.getFargateTaskRole)(`${resourcePrefix}-task`, taskRolePolicies);
+    dependsOn.push(...taskPolicies);
+    // Get VPC for security group
+    const vpc = await (0, vpc_1.getVpc)();
+    // Create security group for the task
+    const taskSecurityGroup = (0, fargateHelpers_1.createTaskSecurityGroup)(resourcePrefix, vpc.id, taskName, team);
+    // Configure docker labels for Prometheus metrics
+    let dockerLabels = {};
+    let portMappings = [];
+    if (metrics) {
+        const prometheusConfig = (0, fargateHelpers_1.configurePrometheusMetrics)(taskName, metrics);
+        dockerLabels = prometheusConfig.dockerLabels;
+        portMappings = prometheusConfig.portMappings;
+        // Setup security group rules for Prometheus access
+        (0, fargateHelpers_1.setupPrometheusSecurityRules)(resourcePrefix, taskSecurityGroup, vpc.cidrBlock, prometheusConfig.metricsPort, taskName);
+    }
+    // Enable egress traffic to the internet
+    (0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup, taskName);
+    // Create CloudWatch Log Group
+    const logGroup = (0, fargateHelpers_1.createLogGroup)(taskName, team, logRetentionDays);
+    // Build container definition
+    const containerDefinition = (0, fargateHelpers_1.buildContainerDefinition)({
+        name: taskName,
+        image: dockerImage,
+        cpu,
+        memory,
+        environment,
+        secrets,
+        command,
+        entryPoint,
+        portMappings,
+        dockerLabels,
+        mountPoints,
+        repositoryCredentials,
+        logConfiguration: (0, createFargateTask_1.getDefaultLogs)(taskName, logGroup),
+    });
+    // Create ECS Task Definition
+    const taskDefinition = (0, fargateHelpers_1.createFargateTaskDefinition)({
+        name: taskName,
+        executionRoleArn: executionRole.arn,
+        taskRoleArn: taskRole.arn,
+        containerDefinitions: pulumi.jsonStringify([containerDefinition]),
+        team,
+        cpu,
+        memory,
+        ephemeralStorageInGB,
+        runtimePlatform,
+        volumes,
+        dependsOn: [logGroup, ...dependsOn],
+    });
+    // Get cluster ARN and subnet IDs
+    const clusterArn = await (0, createFargateTask_1.getClusterInstance)(cluster);
+    const subnetIds = await (0, network_1.getPrivateSubnetIds)();
+    // Create IAM role for EventBridge to run ECS tasks
+    const eventBridgeRole = new aws.iam.Role(`${resourcePrefix}-eventbridge-role`, {
+        assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Principal: {
+                        Service: eventBridgeServices,
+                    },
+                    Action: "sts:AssumeRole",
+                },
+            ],
+        }),
+        tags: (0, fargateHelpers_1.createResourceTags)(taskName, team),
+    });
+    // Create policy for EventBridge to run ECS tasks
+    const eventBridgePolicy = new aws.iam.RolePolicy(`${resourcePrefix}-eventbridge-policy`, {
+        role: eventBridgeRole.id,
+        policy: pulumi
+            .all([taskDefinition.arn, executionRole.arn, taskRole.arn])
+            .apply(([taskDefArn, execRoleArn, taskRoleArn]) => JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: "ecs:RunTask",
+                    Resource: taskDefArn,
+                    Condition: {
+                        ArnLike: {
+                            "ecs:cluster": clusterArn,
+                        },
+                    },
+                },
+                {
+                    Effect: "Allow",
+                    Action: "iam:PassRole",
+                    Resource: [execRoleArn, taskRoleArn],
+                },
+            ],
+        })),
+    });
+    return {
+        taskDefinition,
+        taskSecurityGroup,
+        logGroup,
+        executionRole,
+        taskRole,
+        eventBridgeRole,
+        eventBridgePolicy,
+        clusterArn,
+        subnetIds,
+        securityGroups: [taskSecurityGroup.id, ...securityGroups],
+        assignPublicIp,
+        taskCount,
+        resourcePrefix,
+        taskName,
+        team,
+    };
+}
+exports.createBaseTaskInfrastructure = createBaseTaskInfrastructure;
+//# sourceMappingURL=scheduledTaskBase.js.map

package/slack.d.ts

@@ -0,0 +1,4 @@
+import * as pulumi from "@pulumi/pulumi";
+export declare const slackStack: () => Promise<pulumi.StackReference>;
+export declare const getSlackNotificationTopicArn: () => Promise<string>;
+export declare const getSlackNotificationLambdaArn: () => Promise<string>;