dcl-ops-lib 9.0.0 → 9.1.0

package/createFargateTask.d.ts

@@ -2,6 +2,7 @@ import * as aws from "@pulumi/aws";
 import * as pulumi from "@pulumi/pulumi";
 import { ExtraExposedServiceOptions } from "./exposePublicService";
 import { HealthCheck } from "@pulumi/aws/ecs";
+import { Team } from "./fargateHelpers";
 export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => aws.ecs.LogConfiguration;
 export declare function getClusterInstance(cluster: string | aws.ecs.Cluster | undefined): Promise<pulumi.Output<string> | string>;
 export type ALBMapping = {
@@ -42,7 +43,7 @@ export type FargateTaskOptions = {
     taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
     secrets?: aws.ecs.Secret[];
     ignoreServiceDiscovery?: boolean;
-    team: "dapps" | "platform" | "data" | "marketing" | "infra";
+    team: Team;
     metrics?: {
         port?: number | string;
         path: "/metrics";
@@ -127,7 +128,7 @@ export type InternalServiceOptions = {
     forceNewDeployment?: boolean;
     dependsOn?: pulumi.Resource[];
     volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
-    team: string;
+    team: Team;
     targetGroups: aws.alb.TargetGroup[];
     runtimePlatform?: aws.types.input.ecs.TaskDefinitionRuntimePlatform;
     appAutoscaling?: {

package/createFargateTask.js

@@ -13,11 +13,12 @@ const supra_1 = require("./supra");
 const stack_1 = require("./stack");
 const prometheus_1 = require("./prometheus");
 const accessTheInternet_1 = require("./accessTheInternet");
+const fargateHelpers_1 = require("./fargateHelpers");
 const getDefaultLogs = (serviceName, logGroup) => {
     return {
         logDriver: "awslogs",
         options: {
-            "awslogs-group": (0, stack_1.getStackScopedName)(serviceName),
+            "awslogs-group": logGroup.name,
             "awslogs-region": "us-east-1",
             "awslogs-stream-prefix": serviceName,
         },
@@ -106,13 +107,13 @@ async function createFargateTask(serviceName, dockerImage, dockerListeningPort,
         essential = true;
     }
     if (undefined === memoryReservation) {
-        memoryReservation = 512;
+        memoryReservation = fargateHelpers_1.DEFAULT_MEMORY;
     }
     if (undefined === cpuReservation) {
-        cpuReservation = 256;
+        cpuReservation = fargateHelpers_1.DEFAULT_CPU;
     }
     if (undefined === desiredCount) {
-        desiredCount = 1;
+        desiredCount = fargateHelpers_1.DEFAULT_DESIRED_COUNT;
     }
     if (undefined === securityGroups) {
         securityGroups = [];
@@ -156,7 +157,7 @@ async function createFargateTask(serviceName, dockerImage, dockerListeningPort,
     const vpc = await (0, vpc_1.getVpc)();
     const taskSecurityGroup = new aws.ec2.SecurityGroup(`${serviceName}-${version}`, {
         vpcId: vpc.id,
-        tags: { ServiceName: serviceName, Team: team },
+        tags: (0, fargateHelpers_1.createResourceTags)(serviceName, team),
     });
     if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
         let fromPort = 0;
@@ -312,37 +313,28 @@ async function createInternalService(config) {
             registryArn: serviceDiscovery.arn,
         };
     }
-    const logGroup = new aws.cloudwatch.LogGroup((0, stack_1.getStackScopedName)(serviceName), {
-        name: (0, stack_1.getStackScopedName)(serviceName),
-        retentionInDays: 60,
-        tags: { ServiceName: serviceName, Team: team },
-    });
-    const taskDefinition = new aws.ecs.TaskDefinition((0, stack_1.getStackScopedName)(serviceName) + "-taskdefinition", {
+    const logGroup = (0, fargateHelpers_1.createLogGroup)(serviceName, team);
+    const taskDefinition = (0, fargateHelpers_1.createFargateTaskDefinition)({
+        name: serviceName,
         executionRoleArn: executionRole?.arn,
         taskRoleArn: taskRole?.arn,
-        tags: { ServiceName: serviceName, Team: team },
         containerDefinitions: pulumi.jsonStringify([
             {
                 ...containerInfo,
                 logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup),
             },
         ]),
-        ephemeralStorage: !!ephemeralStorageInGB
-            ? {
-                sizeInGib: ephemeralStorageInGB,
-            }
-            : undefined,
-        cpu: containerInfo.cpu?.toString(),
-        memory: containerInfo.memoryReservation?.toString(),
-        runtimePlatform: runtimePlatform,
-        requiresCompatibilities: ["FARGATE"],
-        networkMode: "awsvpc",
-        volumes: volumes,
-        family: (0, stack_1.getStackScopedName)(serviceName),
-    }, { dependsOn: [logGroup] });
+        team,
+        cpu: containerInfo.cpu ?? fargateHelpers_1.DEFAULT_CPU,
+        memory: containerInfo.memoryReservation ?? fargateHelpers_1.DEFAULT_MEMORY,
+        ephemeralStorageInGB,
+        runtimePlatform,
+        volumes,
+        dependsOn: [logGroup],
+    });
     const service = new aws.ecs.Service((0, stack_1.getStackScopedName)(serviceName), {
         cluster: await getClusterInstance(cluster),
-        tags: { ServiceName: serviceName, StackId: (0, stack_1.getStackId)(), Team: team },
+        tags: (0, fargateHelpers_1.createResourceTags)(serviceName, team, { StackId: (0, stack_1.getStackId)() }),
         networkConfiguration: {
             subnets: await (0, network_1.getPrivateSubnetIds)(),
             securityGroups: securityGroups,
@@ -363,7 +355,7 @@ async function createInternalService(config) {
         ],
     }, {
         ...extraOpts,
-        dependsOn
+        dependsOn,
     });
     if (appAutoscaling) {
         setAutoscaling(service, serviceName, { appAutoscaling, desiredCount });

package/createSQSTriggeredFargateTask.d.ts

@@ -0,0 +1,63 @@
+import * as pulumi from "@pulumi/pulumi";
+import { BaseFargateTaskOptions } from "./scheduledTaskBase";
+/**
+ * SQS trigger configuration for the task
+ */
+export type SqsTriggerConfig = {
+    /**
+     * ARN of the SQS queue to trigger from
+     */
+    queueArn: pulumi.Input<string>;
+    /**
+     * Number of messages per batch (default: 1)
+     * Each batch triggers one task invocation
+     */
+    batchSize?: number;
+    /**
+     * Maximum batching window in seconds (default: 0)
+     * How long to wait to accumulate messages before triggering
+     */
+    maximumBatchingWindowSeconds?: number;
+};
+/**
+ * Options for creating an SQS-triggered Fargate task
+ */
+export type SQSTriggeredFargateTaskOptions = BaseFargateTaskOptions & {
+    /**
+     * SQS queue trigger configuration - required
+     */
+    sqsTrigger: SqsTriggerConfig;
+};
+/**
+ * Creates a Fargate task that is triggered by messages in an SQS queue.
+ * Uses EventBridge Pipes to connect the SQS queue to ECS task execution.
+ *
+ * @param taskName A name for this task. For example, "order-processor"
+ * @param dockerImage The docker image to run
+ * @param options Configuration options for the SQS-triggered task
+ *
+ * @example
+ * ```typescript
+ * await createSQSTriggeredFargateTask("order-processor", "myapp/processor:latest", {
+ *   sqsTrigger: {
+ *     queueArn: ordersQueue.arn,
+ *     batchSize: 10,
+ *     maximumBatchingWindowSeconds: 30,
+ *   },
+ *   cpu: 512,
+ *   memory: 1024,
+ *   environment: [{ name: "DB_HOST", value: dbHost }],
+ *   slackChannel: "#order-processing-alerts",
+ *   team: "platform",
+ * });
+ * ```
+ */
+export declare function createSQSTriggeredFargateTask(taskName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, options: SQSTriggeredFargateTaskOptions): Promise<{
+    taskDefinition: import("@pulumi/aws/ecs/taskDefinition").TaskDefinition;
+    taskSecurityGroup: import("@pulumi/aws/ec2/securityGroup").SecurityGroup;
+    logGroup: import("@pulumi/aws/cloudwatch/logGroup").LogGroup;
+    executionRole: import("@pulumi/aws/iam/role").Role;
+    taskRole: import("@pulumi/aws/iam/role").Role;
+    eventBridgeRole: import("@pulumi/aws/iam/role").Role;
+    pipe: import("@pulumi/aws/pipes/pipe").Pipe;
+}>;

package/createSQSTriggeredFargateTask.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSQSTriggeredFargateTask = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+const stack_1 = require("./stack");
+const scheduledTaskBase_1 = require("./scheduledTaskBase");
+/**
+ * Creates a Fargate task that is triggered by messages in an SQS queue.
+ * Uses EventBridge Pipes to connect the SQS queue to ECS task execution.
+ *
+ * @param taskName A name for this task. For example, "order-processor"
+ * @param dockerImage The docker image to run
+ * @param options Configuration options for the SQS-triggered task
+ *
+ * @example
+ * ```typescript
+ * await createSQSTriggeredFargateTask("order-processor", "myapp/processor:latest", {
+ *   sqsTrigger: {
+ *     queueArn: ordersQueue.arn,
+ *     batchSize: 10,
+ *     maximumBatchingWindowSeconds: 30,
+ *   },
+ *   cpu: 512,
+ *   memory: 1024,
+ *   environment: [{ name: "DB_HOST", value: dbHost }],
+ *   slackChannel: "#order-processing-alerts",
+ *   team: "platform",
+ * });
+ * ```
+ */
+async function createSQSTriggeredFargateTask(taskName, dockerImage, options) {
+    const { sqsTrigger, ...baseOptions } = options;
+    // Create base infrastructure (task definition, security group, IAM roles, etc.)
+    const base = await (0, scheduledTaskBase_1.createBaseTaskInfrastructure)(taskName, dockerImage, baseOptions, ["pipes.amazonaws.com"] // EventBridge Pipes service
+    );
+    // Add SQS permissions to the EventBridge role
+    const sqsPolicy = new aws.iam.RolePolicy(`${base.resourcePrefix}-sqs-policy`, {
+        role: base.eventBridgeRole.id,
+        policy: pulumi.output(sqsTrigger.queueArn).apply((queueArn) => JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        // Permissions needed to read from SQS
+                        "sqs:ReceiveMessage",
+                        "sqs:DeleteMessage",
+                        "sqs:GetQueueAttributes",
+                    ],
+                    Resource: queueArn,
+                },
+            ],
+        })),
+    });
+    // Create EventBridge Pipe to connect SQS queue to ECS task
+    const pipe = new aws.pipes.Pipe(`${base.resourcePrefix}-sqs-pipe`, {
+        // Unique name for this pipe
+        name: (0, stack_1.getStackScopedName)(taskName),
+        // IAM role that the pipe assumes to read from source and invoke target
+        roleArn: base.eventBridgeRole.arn,
+        // Source: the SQS queue to read messages from
+        source: sqsTrigger.queueArn,
+        // Source configuration for SQS
+        sourceParameters: {
+            sqsQueueParameters: {
+                // Number of messages to retrieve per batch (1-10000)
+                batchSize: sqsTrigger.batchSize || 1,
+                // Maximum time to wait for a full batch before triggering (0-300 seconds)
+                maximumBatchingWindowInSeconds: sqsTrigger.maximumBatchingWindowSeconds || 0,
+            },
+        },
+        // Target: the ECS cluster to run tasks on
+        target: base.clusterArn,
+        // Target configuration for ECS tasks
+        targetParameters: {
+            ecsTaskParameters: {
+                // The task definition to run
+                taskDefinitionArn: base.taskDefinition.arn,
+                // Number of task instances to launch per invocation
+                taskCount: base.taskCount,
+                // Launch type: FARGATE for serverless containers
+                launchType: "FARGATE",
+                // Network configuration for awsvpc network mode
+                networkConfiguration: {
+                    awsVpcConfiguration: {
+                        // Private subnets where the task will run
+                        subnets: base.subnetIds,
+                        // Security groups controlling inbound/outbound traffic
+                        securityGroups: base.securityGroups,
+                        // Whether to assign a public IP (ENABLED/DISABLED)
+                        assignPublicIp: base.assignPublicIp ? "ENABLED" : "DISABLED",
+                    },
+                },
+            },
+        },
+        tags: { ServiceName: taskName, Team: base.team },
+    }, { dependsOn: [base.eventBridgePolicy, sqsPolicy, base.taskDefinition] });
+    return {
+        taskDefinition: base.taskDefinition,
+        taskSecurityGroup: base.taskSecurityGroup,
+        logGroup: base.logGroup,
+        executionRole: base.executionRole,
+        taskRole: base.taskRole,
+        eventBridgeRole: base.eventBridgeRole,
+        pipe,
+    };
+}
+exports.createSQSTriggeredFargateTask = createSQSTriggeredFargateTask;
+//# sourceMappingURL=createSQSTriggeredFargateTask.js.map

package/createScheduledFargateTask.d.ts

@@ -0,0 +1,75 @@
+import * as pulumi from "@pulumi/pulumi";
+import { BaseFargateTaskOptions, RetryPolicyConfig } from "./scheduledTaskBase";
+/**
+ * Schedule configuration for the task
+ */
+export type ScheduleConfig = {
+    /**
+     * Schedule expression in cron or rate format
+     * Cron: "cron(0 12 * * ? *)" - runs daily at noon UTC
+     * Rate: "rate(1 hour)" - runs every hour
+     */
+    expression: string;
+    /**
+     * Timezone for the schedule (default: "UTC")
+     * Example: "America/New_York", "Europe/London"
+     */
+    timezone?: string;
+    /**
+     * Whether the schedule is enabled (default: true)
+     */
+    enabled?: boolean;
+    /**
+     * Optional start date for the schedule (ISO 8601 format)
+     */
+    startDate?: string;
+    /**
+     * Optional end date for the schedule (ISO 8601 format)
+     */
+    endDate?: string;
+};
+/**
+ * Options for creating a scheduled Fargate task
+ */
+export type ScheduledFargateTaskOptions = BaseFargateTaskOptions & {
+    /**
+     * Schedule configuration (cron/rate expression) - required
+     */
+    schedule: ScheduleConfig;
+    /**
+     * Retry policy for failed task invocations
+     */
+    retryPolicy?: RetryPolicyConfig;
+};
+/**
+ * Creates a scheduled Fargate task that runs on a cron/rate schedule.
+ *
+ * @param taskName A name for this task. For example, "daily-cleanup"
+ * @param dockerImage The docker image to run
+ * @param options Configuration options for the scheduled task
+ *
+ * @example
+ * ```typescript
+ * await createScheduledFargateTask("daily-cleanup", "myapp/cleanup:latest", {
+ *   schedule: {
+ *     expression: "cron(0 2 * * ? *)", // Daily at 2 AM
+ *     timezone: "America/New_York",
+ *   },
+ *   cpu: 512,
+ *   memory: 1024,
+ *   environment: [{ name: "DB_HOST", value: dbHost }],
+ *   slackChannel: "#scheduled-tasks-alerts",
+ *   team: "platform",
+ * });
+ * ```
+ */
+export declare function createScheduledFargateTask(taskName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, options: ScheduledFargateTaskOptions): Promise<{
+    taskDefinition: import("@pulumi/aws/ecs/taskDefinition").TaskDefinition;
+    taskSecurityGroup: import("@pulumi/aws/ec2/securityGroup").SecurityGroup;
+    logGroup: import("@pulumi/aws/cloudwatch/logGroup").LogGroup;
+    executionRole: import("@pulumi/aws/iam/role").Role;
+    taskRole: import("@pulumi/aws/iam/role").Role;
+    eventBridgeRole: import("@pulumi/aws/iam/role").Role;
+    scheduler: import("@pulumi/aws/scheduler/schedule").Schedule;
+    scheduleGroup: import("@pulumi/aws/scheduler/scheduleGroup").ScheduleGroup;
+}>;

package/createScheduledFargateTask.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createScheduledFargateTask = void 0;
+const aws = require("@pulumi/aws");
+const stack_1 = require("./stack");
+const scheduledTaskBase_1 = require("./scheduledTaskBase");
+/**
+ * Creates a scheduled Fargate task that runs on a cron/rate schedule.
+ *
+ * @param taskName A name for this task. For example, "daily-cleanup"
+ * @param dockerImage The docker image to run
+ * @param options Configuration options for the scheduled task
+ *
+ * @example
+ * ```typescript
+ * await createScheduledFargateTask("daily-cleanup", "myapp/cleanup:latest", {
+ *   schedule: {
+ *     expression: "cron(0 2 * * ? *)", // Daily at 2 AM
+ *     timezone: "America/New_York",
+ *   },
+ *   cpu: 512,
+ *   memory: 1024,
+ *   environment: [{ name: "DB_HOST", value: dbHost }],
+ *   slackChannel: "#scheduled-tasks-alerts",
+ *   team: "platform",
+ * });
+ * ```
+ */
+async function createScheduledFargateTask(taskName, dockerImage, options) {
+    const { schedule, retryPolicy, ...baseOptions } = options;
+    // Create base infrastructure (task definition, security group, IAM roles, etc.)
+    const base = await (0, scheduledTaskBase_1.createBaseTaskInfrastructure)(taskName, dockerImage, baseOptions, ["scheduler.amazonaws.com"] // EventBridge Scheduler service
+    );
+    // Schedule groups allow organizing related schedules together
+    // and applying resource-based policies at the group level
+    const scheduleGroup = new aws.scheduler.ScheduleGroup(`${base.resourcePrefix}-schedule-group`, {
+        name: (0, stack_1.getStackScopedName)(taskName),
+        tags: { ServiceName: taskName, Team: base.team },
+    });
+    const scheduler = new aws.scheduler.Schedule(`${base.resourcePrefix}-schedule`, {
+        // Unique name for this schedule within the AWS account and region
+        name: (0, stack_1.getStackScopedName)(taskName),
+        // Associate with the schedule group for organization
+        groupName: scheduleGroup.name,
+        // Schedule expression: supports cron() and rate() formats
+        // Examples: "cron(0 12 * * ? *)" for daily at noon, "rate(1 hour)" for hourly
+        scheduleExpression: schedule.expression,
+        // Timezone for interpreting cron expressions (default: UTC)
+        // Examples: "America/New_York", "Europe/London", "UTC"
+        scheduleExpressionTimezone: schedule.timezone || "UTC",
+        // Whether the schedule is active (ENABLED) or paused (DISABLED)
+        state: schedule.enabled !== false ? "ENABLED" : "DISABLED",
+        // Optional: Schedule won't trigger before this date (ISO 8601 format)
+        startDate: schedule.startDate,
+        // Optional: Schedule won't trigger after this date (ISO 8601 format)
+        endDate: schedule.endDate,
+        // Flexible time window allows EventBridge to invoke the target within a window
+        // OFF = invoke at exact scheduled time, FLEXIBLE = invoke within specified window
+        flexibleTimeWindow: {
+            mode: "OFF",
+        },
+        target: {
+            // Target is the ECS cluster that will run the task
+            arn: base.clusterArn,
+            // IAM role that EventBridge assumes to invoke the target
+            roleArn: base.eventBridgeRole.arn,
+            // ECS-specific parameters for running Fargate tasks
+            ecsParameters: {
+                // The task definition to run
+                taskDefinitionArn: base.taskDefinition.arn,
+                // Number of task instances to launch (default: 1)
+                taskCount: base.taskCount,
+                // Launch type: FARGATE for serverless, EC2 for container instances
+                launchType: "FARGATE",
+                // Network configuration for tasks using awsvpc network mode
+                networkConfiguration: {
+                    // Private subnets where the task will run
+                    subnets: base.subnetIds,
+                    // Security groups controlling inbound/outbound traffic
+                    securityGroups: base.securityGroups,
+                    // Whether to assign a public IP (needed for ECR pulls without NAT)
+                    assignPublicIp: base.assignPublicIp,
+                },
+            },
+            // Retry policy if the scheduler fails to invoke the target
+            retryPolicy: retryPolicy
+                ? {
+                    // Maximum number of retry attempts (0-185)
+                    maximumRetryAttempts: retryPolicy.maxRetries,
+                    // Maximum time to keep retrying before giving up (in seconds)
+                    maximumEventAgeInSeconds: retryPolicy.maxAgeSeconds,
+                }
+                : undefined,
+        },
+    }, { dependsOn: [base.eventBridgePolicy, base.taskDefinition] });
+    return {
+        taskDefinition: base.taskDefinition,
+        taskSecurityGroup: base.taskSecurityGroup,
+        logGroup: base.logGroup,
+        executionRole: base.executionRole,
+        taskRole: base.taskRole,
+        eventBridgeRole: base.eventBridgeRole,
+        scheduler,
+        scheduleGroup,
+    };
+}
+exports.createScheduledFargateTask = createScheduledFargateTask;
+//# sourceMappingURL=createScheduledFargateTask.js.map

package/fargateHelpers.d.ts

@@ -0,0 +1,220 @@
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * Team type used by all Fargate-related functions for ownership tagging
+ */
+export type Team = "dapps" | "platform" | "data" | "marketing" | "infra";
+/**
+ * Prometheus metrics configuration
+ */
+export type MetricsConfig = {
+    /**
+     * Port where metrics are exposed
+     */
+    port: number | string;
+    /**
+     * Path to the metrics endpoint (default: "/metrics")
+     */
+    path?: string;
+    /**
+     * Job name for Prometheus (default: task/service name)
+     */
+    jobName?: string;
+};
+/**
+ * Default CPU units for Fargate tasks (256 = 0.25 vCPU)
+ */
+export declare const DEFAULT_CPU = 256;
+/**
+ * Default memory in MB for Fargate tasks
+ */
+export declare const DEFAULT_MEMORY = 512;
+/**
+ * Default CloudWatch log retention in days
+ */
+export declare const DEFAULT_LOG_RETENTION_DAYS = 60;
+/**
+ * Default desired count for ECS services
+ */
+export declare const DEFAULT_DESIRED_COUNT = 1;
+/**
+ * Creates standard resource tags for Fargate resources
+ *
+ * @param serviceName The name of the service/task
+ * @param team Team that owns this resource
+ * @param additionalTags Optional additional tags to merge
+ * @returns Record of tags
+ */
+export declare function createResourceTags(serviceName: string, team: Team, additionalTags?: Record<string, string>): Record<string, string>;
+/**
+ * Creates a CloudWatch Log Group with consistent settings
+ *
+ * @param name The name for the log group (will be stack-scoped)
+ * @param team Team that owns this resource
+ * @param retentionInDays Log retention in days (default: 60)
+ * @returns The created CloudWatch Log Group
+ */
+export declare function createLogGroup(name: string, team: Team, retentionInDays?: number): aws.cloudwatch.LogGroup;
+/**
+ * Creates a security group for a Fargate task/service with standard tags
+ *
+ * @param name Resource name for the security group
+ * @param vpcId The VPC ID where the security group will be created
+ * @param serviceName The name of the service (for tagging)
+ * @param team Team that owns this resource
+ * @returns The created EC2 Security Group
+ */
+export declare function createTaskSecurityGroup(name: string, vpcId: pulumi.Input<string>, serviceName: string, team: Team): aws.ec2.SecurityGroup;
+/**
+ * Configures docker labels for Prometheus metrics discovery
+ *
+ * @param taskName The name of the task/service
+ * @param metrics Metrics configuration
+ * @returns Docker labels, port mappings, and the parsed metrics port
+ */
+export declare function configurePrometheusMetrics(taskName: string, metrics: MetricsConfig): {
+    dockerLabels: Record<string, string>;
+    portMappings: aws.ecs.PortMapping[];
+    metricsPort: number;
+};
+/**
+ * Creates security group rules to allow Prometheus metrics scraping
+ *
+ * @param resourcePrefix Prefix for resource names
+ * @param securityGroup The security group to add rules to
+ * @param vpcCidrBlock The VPC CIDR block for ingress rules
+ * @param metricsPort The port where metrics are exposed
+ * @param taskName The name of the task/service
+ */
+export declare function setupPrometheusSecurityRules(resourcePrefix: string, securityGroup: aws.ec2.SecurityGroup, vpcCidrBlock: string, metricsPort: number, taskName: string): void;
+/**
+ * Options for building a container definition
+ */
+export type ContainerDefinitionOptions = {
+    /**
+     * Container name
+     */
+    name: string;
+    /**
+     * Docker image to run
+     */
+    image: string | Promise<string> | pulumi.OutputInstance<string>;
+    /**
+     * CPU units for this container
+     */
+    cpu: number;
+    /**
+     * Memory reservation in MB
+     */
+    memory: number;
+    /**
+     * Environment variables
+     */
+    environment?: {
+        name: string;
+        value: pulumi.Input<string>;
+    }[];
+    /**
+     * Secrets from SSM/Secrets Manager
+     */
+    secrets?: aws.ecs.Secret[];
+    /**
+     * Override command
+     */
+    command?: string[];
+    /**
+     * Override entry point
+     */
+    entryPoint?: string[];
+    /**
+     * Port mappings
+     */
+    portMappings?: aws.ecs.PortMapping[];
+    /**
+     * Docker labels (e.g., for Prometheus)
+     */
+    dockerLabels?: Record<string, string>;
+    /**
+     * Mount points for volumes
+     */
+    mountPoints?: aws.ecs.MountPoint[];
+    /**
+     * Repository credentials for private registries
+     */
+    repositoryCredentials?: aws.ecs.RepositoryCredentials;
+    /**
+     * Log configuration
+     */
+    logConfiguration: aws.ecs.LogConfiguration;
+    /**
+     * Whether this container is essential (default: true)
+     */
+    essential?: boolean;
+    /**
+     * Container health check
+     */
+    healthCheck?: aws.ecs.HealthCheck;
+};
+/**
+ * Builds a container definition object for ECS task definitions
+ *
+ * @param options Container definition options
+ * @returns Container definition object
+ */
+export declare function buildContainerDefinition(options: ContainerDefinitionOptions): aws.ecs.ContainerDefinition;
+/**
+ * Options for creating a Fargate task definition
+ */
+export type FargateTaskDefinitionOptions = {
+    /**
+     * Name for the task definition
+     */
+    name: string;
+    /**
+     * Execution role ARN (optional for some use cases)
+     */
+    executionRoleArn?: pulumi.Input<string>;
+    /**
+     * Task role ARN (optional for some use cases)
+     */
+    taskRoleArn?: pulumi.Input<string>;
+    /**
+     * JSON-stringified container definitions
+     */
+    containerDefinitions: pulumi.Input<string>;
+    /**
+     * Team that owns this resource
+     */
+    team: Team;
+    /**
+     * CPU units for the task
+     */
+    cpu: pulumi.Input<number>;
+    /**
+     * Memory in MB for the task
+     */
+    memory: pulumi.Input<number>;
+    /**
+     * Ephemeral storage in GB (20-200)
+     */
+    ephemeralStorageInGB?: number;
+    /**
+     * Runtime platform configuration (e.g., for ARM64)
+     */
+    runtimePlatform?: aws.types.input.ecs.TaskDefinitionRuntimePlatform;
+    /**
+     * Volumes to attach
+     */
+    volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
+    /**
+     * Resources to depend on
+     */
+    dependsOn?: pulumi.Resource[];
+};
+/**
+ * Creates a Fargate task definition with standard settings
+ *
+ * @param options Task definition options
+ * @returns The created ECS Task Definition
+ */
+export declare function createFargateTaskDefinition(options: FargateTaskDefinitionOptions): aws.ecs.TaskDefinition;

package/fargateHelpers.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createFargateTaskDefinition = exports.buildContainerDefinition = exports.setupPrometheusSecurityRules = exports.configurePrometheusMetrics = exports.createTaskSecurityGroup = exports.createLogGroup = exports.createResourceTags = exports.DEFAULT_DESIRED_COUNT = exports.DEFAULT_LOG_RETENTION_DAYS = exports.DEFAULT_MEMORY = exports.DEFAULT_CPU = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+const stack_1 = require("./stack");
+const prometheus_1 = require("./prometheus");
+// ============================================================================
+// Default Constants
+// ============================================================================
+/**
+ * Default CPU units for Fargate tasks (256 = 0.25 vCPU)
+ */
+exports.DEFAULT_CPU = 256;
+/**
+ * Default memory in MB for Fargate tasks
+ */
+exports.DEFAULT_MEMORY = 512;
+/**
+ * Default CloudWatch log retention in days
+ */
+exports.DEFAULT_LOG_RETENTION_DAYS = 60;
+/**
+ * Default desired count for ECS services
+ */
+exports.DEFAULT_DESIRED_COUNT = 1;
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Creates standard resource tags for Fargate resources
+ *
+ * @param serviceName The name of the service/task
+ * @param team Team that owns this resource
+ * @param additionalTags Optional additional tags to merge
+ * @returns Record of tags
+ */
+function createResourceTags(serviceName, team, additionalTags) {
+    return {
+        ServiceName: serviceName,
+        Team: team,
+        ...additionalTags,
+    };
+}
+exports.createResourceTags = createResourceTags;
+/**
+ * Creates a CloudWatch Log Group with consistent settings
+ *
+ * @param name The name for the log group (will be stack-scoped)
+ * @param team Team that owns this resource
+ * @param retentionInDays Log retention in days (default: 60)
+ * @returns The created CloudWatch Log Group
+ */
+function createLogGroup(name, team, retentionInDays = 60) {
+    return new aws.cloudwatch.LogGroup((0, stack_1.getStackScopedName)(name), {
+        name: (0, stack_1.getStackScopedName)(name),
+        retentionInDays,
+        tags: { ServiceName: name, Team: team },
+    });
+}
+exports.createLogGroup = createLogGroup;
+/**
+ * Creates a security group for a Fargate task/service with standard tags
+ *
+ * @param name Resource name for the security group
+ * @param vpcId The VPC ID where the security group will be created
+ * @param serviceName The name of the service (for tagging)
+ * @param team Team that owns this resource
+ * @returns The created EC2 Security Group
+ */
+function createTaskSecurityGroup(name, vpcId, serviceName, team) {
+    return new aws.ec2.SecurityGroup(name, {
+        vpcId,
+        tags: { ServiceName: serviceName, Team: team },
+    });
+}
+exports.createTaskSecurityGroup = createTaskSecurityGroup;
+/**
+ * Configures docker labels for Prometheus metrics discovery
+ *
+ * @param taskName The name of the task/service
+ * @param metrics Metrics configuration
+ * @returns Docker labels, port mappings, and the parsed metrics port
+ */
+function configurePrometheusMetrics(taskName, metrics) {
+    const metricsPort = typeof metrics.port === "string" ? parseInt(metrics.port) : metrics.port;
+    const dockerLabels = {
+        ECS_PROMETHEUS_EXPORTER_PORT: "" + metricsPort,
+        ECS_PROMETHEUS_METRICS_PATH: metrics.path || "/metrics",
+        ECS_PROMETHEUS_JOB_NAME: metrics.jobName || taskName,
+    };
+    const portMappings = [
+        {
+            containerPort: metricsPort,
+            hostPort: metricsPort,
+            protocol: "tcp",
+        },
+    ];
+    return { dockerLabels, portMappings, metricsPort };
+}
+exports.configurePrometheusMetrics = configurePrometheusMetrics;
+/**
+ * Creates security group rules to allow Prometheus metrics scraping
+ *
+ * @param resourcePrefix Prefix for resource names
+ * @param securityGroup The security group to add rules to
+ * @param vpcCidrBlock The VPC CIDR block for ingress rules
+ * @param metricsPort The port where metrics are exposed
+ * @param taskName The name of the task/service
+ */
+function setupPrometheusSecurityRules(resourcePrefix, securityGroup, vpcCidrBlock, metricsPort, taskName) {
+    // Create security group rule for metrics access from VPC
+    new aws.ec2.SecurityGroupRule(`${resourcePrefix}-metrics-${metricsPort}`, {
+        type: "ingress",
+        fromPort: metricsPort,
+        toPort: metricsPort,
+        protocol: "tcp",
+        cidrBlocks: [vpcCidrBlock],
+        securityGroupId: securityGroup.id,
+    });
+    // Enable Prometheus to access the metrics port
+    (0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(securityGroup, metricsPort, metricsPort, taskName);
+}
+exports.setupPrometheusSecurityRules = setupPrometheusSecurityRules;
+/**
+ * Builds a container definition object for ECS task definitions
+ *
+ * @param options Container definition options
+ * @returns Container definition object
+ */
+function buildContainerDefinition(options) {
+    const { name, image, cpu, memory, environment = [], secrets = [], command, entryPoint, portMappings = [], dockerLabels = {}, mountPoints = [], repositoryCredentials, logConfiguration, essential = true, healthCheck, } = options;
+    return {
+        name,
+        image,
+        essential,
+        environment,
+        secrets,
+        command,
+        entryPoint,
+        cpu,
+        memoryReservation: memory,
+        portMappings,
+        dockerLabels,
+        mountPoints,
+        repositoryCredentials,
+        logConfiguration,
+        healthCheck,
+    };
+}
+exports.buildContainerDefinition = buildContainerDefinition;
+/**
+ * Creates a Fargate task definition with standard settings
+ *
+ * @param options Task definition options
+ * @returns The created ECS Task Definition
+ */
+function createFargateTaskDefinition(options) {
+    const { name, executionRoleArn, taskRoleArn, containerDefinitions, team, cpu, memory, ephemeralStorageInGB, runtimePlatform, volumes, dependsOn = [], } = options;
+    return new aws.ecs.TaskDefinition(`${(0, stack_1.getStackScopedName)(name)}-taskdefinition`, {
+        executionRoleArn,
+        taskRoleArn,
+        tags: createResourceTags(name, team),
+        containerDefinitions,
+        ephemeralStorage: ephemeralStorageInGB
+            ? { sizeInGib: ephemeralStorageInGB }
+            : undefined,
+        cpu: pulumi.output(cpu).apply((c) => c.toString()),
+        memory: pulumi.output(memory).apply((m) => m.toString()),
+        runtimePlatform,
+        requiresCompatibilities: ["FARGATE"],
+        networkMode: "awsvpc",
+        volumes,
+        family: (0, stack_1.getStackScopedName)(name),
+    }, { dependsOn });
+}
+exports.createFargateTaskDefinition = createFargateTaskDefinition;
+//# sourceMappingURL=fargateHelpers.js.map

package/index.d.ts

@@ -0,0 +1,32 @@
+export * from "./acceptAlb";
+export * from "./acceptBastion";
+export * from "./acceptDb";
+export * from "./accessTheInternet";
+export * from "./alb";
+export * from "./buildStatic";
+export * from "./certificate";
+export * from "./cloudflare";
+export * from "./cloudwatchLogs";
+export * from "./createBucketWithUser";
+export * from "./createFargateTask";
+export * from "./createImageFromContext";
+export * from "./createScheduledFargateTask";
+export * from "./createSQSTriggeredFargateTask";
+export * from "./domain";
+export * from "./exposePublicService";
+export * from "./getAmi";
+export * from "./getDomainAndSubdomain";
+export * from "./getImageRegistryAndCredentials";
+export * from "./lambda";
+export * from "./network";
+export * from "./prometheus";
+export * from "./scheduledTaskBase";
+export * from "./secrets";
+export * from "./slack";
+export * from "./stack";
+export * from "./StaticWebsite";
+export * from "./supra";
+export * from "./utils";
+export * from "./values";
+export * from "./vpc";
+export { default as withCache } from "./withCache";

package/index.js

@@ -0,0 +1,52 @@
+"use strict";
+// Re-export all modules for convenient imports from "dcl-ops-lib"
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withCache = void 0;
+__exportStar(require("./acceptAlb"), exports);
+__exportStar(require("./acceptBastion"), exports);
+__exportStar(require("./acceptDb"), exports);
+__exportStar(require("./accessTheInternet"), exports);
+__exportStar(require("./alb"), exports);
+__exportStar(require("./buildStatic"), exports);
+__exportStar(require("./certificate"), exports);
+__exportStar(require("./cloudflare"), exports);
+__exportStar(require("./cloudwatchLogs"), exports);
+__exportStar(require("./createBucketWithUser"), exports);
+__exportStar(require("./createFargateTask"), exports);
+__exportStar(require("./createImageFromContext"), exports);
+__exportStar(require("./createScheduledFargateTask"), exports);
+__exportStar(require("./createSQSTriggeredFargateTask"), exports);
+__exportStar(require("./domain"), exports);
+__exportStar(require("./exposePublicService"), exports);
+__exportStar(require("./getAmi"), exports);
+__exportStar(require("./getDomainAndSubdomain"), exports);
+__exportStar(require("./getImageRegistryAndCredentials"), exports);
+__exportStar(require("./lambda"), exports);
+__exportStar(require("./network"), exports);
+__exportStar(require("./prometheus"), exports);
+__exportStar(require("./scheduledTaskBase"), exports);
+__exportStar(require("./secrets"), exports);
+__exportStar(require("./slack"), exports);
+__exportStar(require("./stack"), exports);
+__exportStar(require("./StaticWebsite"), exports);
+__exportStar(require("./supra"), exports);
+__exportStar(require("./utils"), exports);
+__exportStar(require("./values"), exports);
+__exportStar(require("./vpc"), exports);
+var withCache_1 = require("./withCache");
+Object.defineProperty(exports, "withCache", { enumerable: true, get: function () { return withCache_1.default; } });
+//# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcl-ops-lib",
-  "version": "9.0.0",
+  "version": "9.1.0",
   "scripts": {
     "build": "tsc && cp bin/* . && node test.js",
     "clean": "rm *.d.ts *.js *.js.map"

package/scheduledTaskBase.d.ts

@@ -0,0 +1,142 @@
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+import { Team, MetricsConfig } from "./fargateHelpers";
+export { Team, MetricsConfig };
+/**
+ * Retry policy configuration
+ */
+export type RetryPolicyConfig = {
+    /**
+     * Maximum number of retry attempts (0-185)
+     */
+    maxRetries?: number;
+    /**
+     * Maximum age of the event in seconds before it's discarded
+     */
+    maxAgeSeconds?: number;
+};
+/**
+ * Base options shared between scheduled and SQS-triggered tasks
+ */
+export type BaseFargateTaskOptions = {
+    /**
+     * Team that owns this task
+     */
+    team: Team;
+    /**
+     * CPU units for the task (256, 512, 1024, 2048, 4096)
+     */
+    cpu?: number;
+    /**
+     * Memory in MB for the task (512 - 30720, depending on CPU)
+     */
+    memory?: number;
+    /**
+     * Ephemeral storage in GB (20-200)
+     */
+    ephemeralStorageInGB?: number;
+    /**
+     * Environment variables for the container
+     */
+    environment?: {
+        name: string;
+        value: pulumi.Input<string>;
+    }[];
+    /**
+     * Secrets from SSM/Secrets Manager
+     */
+    secrets?: aws.ecs.Secret[];
+    /**
+     * Override the container's default command
+     */
+    command?: string[];
+    /**
+     * Override the container's entry point
+     */
+    entryPoint?: string[];
+    /**
+     * Additional security groups
+     */
+    securityGroups?: (string | pulumi.Output<string>)[];
+    /**
+     * Whether to assign a public IP (default: false)
+     */
+    assignPublicIp?: boolean;
+    /**
+     * Prometheus metrics configuration
+     */
+    metrics?: MetricsConfig;
+    /**
+     * CloudWatch log retention in days (default: 60)
+     */
+    logRetentionDays?: number;
+    /**
+     * Policies for the task execution role
+     */
+    executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    /**
+     * Policies for the task role (application permissions)
+     */
+    taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
+    /**
+     * ECS cluster to run the task on
+     */
+    cluster?: aws.ecs.Cluster | string;
+    /**
+     * Number of tasks to launch per invocation (default: 1)
+     */
+    taskCount?: number;
+    /**
+     * Runtime platform configuration (e.g., for ARM64)
+     */
+    runtimePlatform?: aws.types.input.ecs.TaskDefinitionRuntimePlatform;
+    /**
+     * Volumes to attach to the task
+     */
+    volumes?: pulumi.Input<aws.types.input.ecs.TaskDefinitionVolume[]>;
+    /**
+     * Mount points for the container
+     */
+    mountPoints?: aws.ecs.MountPoint[];
+    /**
+     * Repository credentials for private registries
+     */
+    repositoryCredentials?: aws.ecs.RepositoryCredentials;
+    /**
+     * Additional resources to depend on
+     */
+    dependsOn?: pulumi.Resource[];
+};
+/**
+ * Result of creating the base task infrastructure
+ */
+export type BaseTaskInfrastructure = {
+    taskDefinition: aws.ecs.TaskDefinition;
+    taskSecurityGroup: aws.ec2.SecurityGroup;
+    logGroup: aws.cloudwatch.LogGroup;
+    executionRole: aws.iam.Role;
+    taskRole: aws.iam.Role;
+    eventBridgeRole: aws.iam.Role;
+    eventBridgePolicy: aws.iam.RolePolicy;
+    clusterArn: string | pulumi.Output<string>;
+    subnetIds: string[];
+    securityGroups: (string | pulumi.Output<string>)[];
+    assignPublicIp: boolean;
+    taskCount: number;
+    resourcePrefix: string;
+    taskName: string;
+    team: Team;
+};
+/**
+ * Creates the base infrastructure shared by both scheduled and SQS-triggered Fargate tasks.
+ * This includes: task definition, security group, log group, and IAM roles.
+ *
+ * Note: Slack notifications are now handled globally by the ops-lambdas EventBridge rule.
+ *
+ * @param taskName A name for this task
+ * @param dockerImage The docker image to run
+ * @param options Base configuration options
+ * @param eventBridgeServices AWS services that can assume the EventBridge role
+ * @returns Base infrastructure resources
+ */
+export declare function createBaseTaskInfrastructure(taskName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, options: BaseFargateTaskOptions, eventBridgeServices: string[]): Promise<BaseTaskInfrastructure>;

package/scheduledTaskBase.js

@@ -0,0 +1,146 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseTaskInfrastructure = void 0;
+const aws = require("@pulumi/aws");
+const pulumi = require("@pulumi/pulumi");
+const network_1 = require("./network");
+const vpc_1 = require("./vpc");
+const stack_1 = require("./stack");
+const accessTheInternet_1 = require("./accessTheInternet");
+const createFargateTask_1 = require("./createFargateTask");
+const fargateHelpers_1 = require("./fargateHelpers");
+/**
+ * Creates the base infrastructure shared by both scheduled and SQS-triggered Fargate tasks.
+ * This includes: task definition, security group, log group, and IAM roles.
+ *
+ * Note: Slack notifications are now handled globally by the ops-lambdas EventBridge rule.
+ *
+ * @param taskName A name for this task
+ * @param dockerImage The docker image to run
+ * @param options Base configuration options
+ * @param eventBridgeServices AWS services that can assume the EventBridge role
+ * @returns Base infrastructure resources
+ */
+async function createBaseTaskInfrastructure(taskName, dockerImage, options, eventBridgeServices) {
+    const { team, cpu = fargateHelpers_1.DEFAULT_CPU, memory = fargateHelpers_1.DEFAULT_MEMORY, ephemeralStorageInGB, environment = [], secrets = [], command, entryPoint, securityGroups = [], assignPublicIp = false, metrics, logRetentionDays = fargateHelpers_1.DEFAULT_LOG_RETENTION_DAYS, executionRolePolicies = {}, taskRolePolicies = {}, cluster, taskCount = fargateHelpers_1.DEFAULT_DESIRED_COUNT, runtimePlatform, volumes, mountPoints = [], repositoryCredentials, dependsOn = [], } = options;
+    const version = (0, stack_1.getStackId)();
+    const resourcePrefix = `${taskName}-${version}`;
+    // Create execution role
+    const { role: executionRole, policies: executionPolicies } = (0, createFargateTask_1.getFargateExecutionRole)(`${resourcePrefix}-execution`, executionRolePolicies);
+    dependsOn.push(...executionPolicies);
+    // Create task role
+    const { role: taskRole, policies: taskPolicies } = (0, createFargateTask_1.getFargateTaskRole)(`${resourcePrefix}-task`, taskRolePolicies);
+    dependsOn.push(...taskPolicies);
+    // Get VPC for security group
+    const vpc = await (0, vpc_1.getVpc)();
+    // Create security group for the task
+    const taskSecurityGroup = (0, fargateHelpers_1.createTaskSecurityGroup)(resourcePrefix, vpc.id, taskName, team);
+    // Configure docker labels for Prometheus metrics
+    let dockerLabels = {};
+    let portMappings = [];
+    if (metrics) {
+        const prometheusConfig = (0, fargateHelpers_1.configurePrometheusMetrics)(taskName, metrics);
+        dockerLabels = prometheusConfig.dockerLabels;
+        portMappings = prometheusConfig.portMappings;
+        // Setup security group rules for Prometheus access
+        (0, fargateHelpers_1.setupPrometheusSecurityRules)(resourcePrefix, taskSecurityGroup, vpc.cidrBlock, prometheusConfig.metricsPort, taskName);
+    }
+    // Enable egress traffic to the internet
+    (0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup, taskName);
+    // Create CloudWatch Log Group
+    const logGroup = (0, fargateHelpers_1.createLogGroup)(taskName, team, logRetentionDays);
+    // Build container definition
+    const containerDefinition = (0, fargateHelpers_1.buildContainerDefinition)({
+        name: taskName,
+        image: dockerImage,
+        cpu,
+        memory,
+        environment,
+        secrets,
+        command,
+        entryPoint,
+        portMappings,
+        dockerLabels,
+        mountPoints,
+        repositoryCredentials,
+        logConfiguration: (0, createFargateTask_1.getDefaultLogs)(taskName, logGroup),
+    });
+    // Create ECS Task Definition
+    const taskDefinition = (0, fargateHelpers_1.createFargateTaskDefinition)({
+        name: taskName,
+        executionRoleArn: executionRole.arn,
+        taskRoleArn: taskRole.arn,
+        containerDefinitions: pulumi.jsonStringify([containerDefinition]),
+        team,
+        cpu,
+        memory,
+        ephemeralStorageInGB,
+        runtimePlatform,
+        volumes,
+        dependsOn: [logGroup, ...dependsOn],
+    });
+    // Get cluster ARN and subnet IDs
+    const clusterArn = await (0, createFargateTask_1.getClusterInstance)(cluster);
+    const subnetIds = await (0, network_1.getPrivateSubnetIds)();
+    // Create IAM role for EventBridge to run ECS tasks
+    const eventBridgeRole = new aws.iam.Role(`${resourcePrefix}-eventbridge-role`, {
+        assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Principal: {
+                        Service: eventBridgeServices,
+                    },
+                    Action: "sts:AssumeRole",
+                },
+            ],
+        }),
+        tags: (0, fargateHelpers_1.createResourceTags)(taskName, team),
+    });
+    // Create policy for EventBridge to run ECS tasks
+    const eventBridgePolicy = new aws.iam.RolePolicy(`${resourcePrefix}-eventbridge-policy`, {
+        role: eventBridgeRole.id,
+        policy: pulumi
+            .all([taskDefinition.arn, executionRole.arn, taskRole.arn])
+            .apply(([taskDefArn, execRoleArn, taskRoleArn]) => JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: "ecs:RunTask",
+                    Resource: taskDefArn,
+                    Condition: {
+                        ArnLike: {
+                            "ecs:cluster": clusterArn,
+                        },
+                    },
+                },
+                {
+                    Effect: "Allow",
+                    Action: "iam:PassRole",
+                    Resource: [execRoleArn, taskRoleArn],
+                },
+            ],
+        })),
+    });
+    return {
+        taskDefinition,
+        taskSecurityGroup,
+        logGroup,
+        executionRole,
+        taskRole,
+        eventBridgeRole,
+        eventBridgePolicy,
+        clusterArn,
+        subnetIds,
+        securityGroups: [taskSecurityGroup.id, ...securityGroups],
+        assignPublicIp,
+        taskCount,
+        resourcePrefix,
+        taskName,
+        team,
+    };
+}
+exports.createBaseTaskInfrastructure = createBaseTaskInfrastructure;
+//# sourceMappingURL=scheduledTaskBase.js.map

package/slack.d.ts

@@ -0,0 +1,4 @@
+import * as pulumi from "@pulumi/pulumi";
+export declare const slackStack: () => Promise<pulumi.StackReference>;
+export declare const getSlackNotificationTopicArn: () => Promise<string>;
+export declare const getSlackNotificationLambdaArn: () => Promise<string>;

package/slack.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSlackNotificationLambdaArn = exports.getSlackNotificationTopicArn = exports.slackStack = void 0;
+const pulumi = require("@pulumi/pulumi");
+const domain_1 = require("./domain");
+const withCache_1 = require("./withCache");
+// Stack reference to the ops-lambdas stack that contains the Slack notifier infrastructure
+exports.slackStack = (0, withCache_1.default)(async () => {
+    return new pulumi.StackReference(`ops-lambdas-${domain_1.env}`);
+});
+// Get the SNS topic ARN for Slack notifications
+exports.getSlackNotificationTopicArn = (0, withCache_1.default)(async () => {
+    const stack = await (0, exports.slackStack)();
+    return (await stack.requireOutputValue("slackNotifierTopicArn"));
+});
+// Get the Lambda ARN for direct invocation (optional, prefer SNS topic)
+exports.getSlackNotificationLambdaArn = (0, withCache_1.default)(async () => {
+    const stack = await (0, exports.slackStack)();
+    return (await stack.requireOutputValue("slackNotifierLambdaArn"));
+});
+//# sourceMappingURL=slack.js.map