dcl-ops-lib 9.2.0 → 9.3.1

package/acceptNlb.d.ts

@@ -0,0 +1,3 @@
+import * as aws from "@pulumi/aws";
+/** Makes a given security group accessible by the shared supra NLB on the reserved port range (7700-7799) */
+export declare function makeSecurityGroupAccessibleFromSharedNlb(securityGroup: aws.ec2.SecurityGroup, ruleName?: string): void;

package/acceptNlb.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeSecurityGroupAccessibleFromSharedNlb = void 0;
+const aws = require("@pulumi/aws");
+const utils_1 = require("./utils");
+const values_1 = require("./values");
+/** Makes a given security group accessible by the shared supra NLB on the reserved port range (7700-7799) */
+function makeSecurityGroupAccessibleFromSharedNlb(securityGroup, ruleName = "") {
+    const nlbSgId = (0, values_1.getEnvConfiguration)().then(($) => {
+        if (!$.nlbSecurityGroupId) {
+            throw new Error("NLB security group not found.");
+        }
+        return $.nlbSecurityGroupId;
+    });
+    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-nlb-udp-ingress-rule", ruleName), {
+        securityGroupId: securityGroup.id,
+        sourceSecurityGroupId: nlbSgId,
+        description: `Allow UDP 7700-7799 from the supra NLB`,
+        fromPort: 7700,
+        toPort: 7799,
+        protocol: "udp",
+        type: "ingress",
+    }, { deleteBeforeReplace: true });
+    new aws.ec2.SecurityGroupRule((0, utils_1.withRuleName)("accept-nlb-tcp-ingress-rule", ruleName), {
+        securityGroupId: securityGroup.id,
+        sourceSecurityGroupId: nlbSgId,
+        description: `Allow TCP 7700-7799 from the supra NLB`,
+        fromPort: 7700,
+        toPort: 7799,
+        protocol: "tcp",
+        type: "ingress",
+    }, { deleteBeforeReplace: true });
+}
+exports.makeSecurityGroupAccessibleFromSharedNlb = makeSecurityGroupAccessibleFromSharedNlb;
+//# sourceMappingURL=acceptNlb.js.map

package/createFargateTask.d.ts

@@ -1,6 +1,7 @@
 import * as aws from "@pulumi/aws";
 import * as pulumi from "@pulumi/pulumi";
 import { ExtraExposedServiceOptions } from "./exposePublicService";
+import { NLBMapping } from "./exposeNlbService";
 import { HealthCheck } from "@pulumi/aws/ecs";
 import { Team } from "./fargateHelpers";
 export declare const getDefaultLogs: (serviceName: string, logGroup: aws.cloudwatch.LogGroup) => aws.ecs.LogConfiguration;
@@ -39,6 +40,7 @@ export type FargateTaskOptions = {
     forceNewDeployment?: boolean;
     extraPortMappings?: aws.ecs.PortMapping[];
     extraALBMappings?: ALBMapping[];
+    nlbMappings?: NLBMapping[];
     executionRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
     taskRolePolicies?: Record<string, pulumi.Input<string> | aws.iam.Policy>;
     secrets?: aws.ecs.Secret[];

package/createFargateTask.js

@@ -4,9 +4,11 @@ exports.createInternalService = exports.createFargateTask = exports.getFargateTa
 const aws = require("@pulumi/aws");
 const pulumi = require("@pulumi/pulumi");
 const acceptAlb_1 = require("./acceptAlb");
+const acceptNlb_1 = require("./acceptNlb");
 const acceptBastion_1 = require("./acceptBastion");
 const domain_1 = require("./domain");
 const exposePublicService_1 = require("./exposePublicService");
+const exposeNlbService_1 = require("./exposeNlbService");
 const network_1 = require("./network");
 const vpc_1 = require("./vpc");
 const supra_1 = require("./supra");
@@ -102,7 +104,7 @@ exports.getFargateTaskRole = getFargateTaskRole;
  * @param options.appAutoscaling Configuration for autoscaling
  */
 async function createFargateTask(serviceName, dockerImage, dockerListeningPort, environment, hostname, options) {
-    let { healthCheck, healthCheckContainer, essential, dontExpose, securityGroups, cluster, memoryReservation, command, version, ephemeralStorageInGB, desiredCount, cpuReservation, extraPortMappings, extraALBMappings, executionRolePolicies, taskRolePolicies, ignoreServiceDiscovery, secrets, metrics, forceNewDeployment, dontAssignPublicIp, dependsOn, volumes, deregistrationDelay, mountPoints, repositoryCredentials, team, appAutoscaling, enableExecuteCommand, } = options;
+    let { healthCheck, healthCheckContainer, essential, dontExpose, securityGroups, cluster, memoryReservation, command, version, ephemeralStorageInGB, desiredCount, cpuReservation, extraPortMappings, extraALBMappings, nlbMappings, executionRolePolicies, taskRolePolicies, ignoreServiceDiscovery, secrets, metrics, forceNewDeployment, dontAssignPublicIp, dependsOn, volumes, deregistrationDelay, mountPoints, repositoryCredentials, team, appAutoscaling, enableExecuteCommand, } = options;
     if (undefined === essential) {
         essential = true;
     }
@@ -127,6 +129,9 @@ async function createFargateTask(serviceName, dockerImage, dockerListeningPort,
     if (undefined === extraALBMappings) {
         extraALBMappings = [];
     }
+    if (undefined === nlbMappings) {
+        nlbMappings = [];
+    }
     if (undefined === dependsOn) {
         dependsOn = [];
     }
@@ -235,7 +240,13 @@ async function createFargateTask(serviceName, dockerImage, dockerListeningPort,
             endpoint: "not exposed",
         };
     }
-    const exposed = await (0, exposePublicService_1.exposePublicService)(`${serviceName}-${version}`, hostname, dockerListeningPort, healthCheck, vpc.id, options.extraExposedServiceOptions, deregistrationDelay);
+    // unified-dns mode: if any NLB mapping omits separateDomain, the NLB owns
+    // the public Cloudflare record, so tell the ALB to skip creating one.
+    const nlbOwnsCloudflareRecord = nlbMappings.some((m) => !m.separateDomain);
+    const albExtraOptions = nlbOwnsCloudflareRecord
+        ? { ...options.extraExposedServiceOptions, skipCloudflareRecord: true }
+        : options.extraExposedServiceOptions;
+    const exposed = await (0, exposePublicService_1.exposePublicService)(`${serviceName}-${version}`, hostname, dockerListeningPort, healthCheck, vpc.id, albExtraOptions, deregistrationDelay);
     targetGroups.push(exposed.targetGroup);
     for (let extraALBMapping of extraALBMappings) {
         const exposedExtra = await (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, vpc.id, extraALBMapping.extraExposedServiceOptions);
@@ -248,12 +259,39 @@ async function createFargateTask(serviceName, dockerImage, dockerListeningPort,
             });
         }
     }
+    // NLB mappings: expose UDP/TCP ports via the shared Network Load Balancer
+    for (let nlbMapping of nlbMappings) {
+        const exposedNlb = await (0, exposeNlbService_1.exposeNlbService)(`${serviceName}-${nlbMapping.port}-${version}`, hostname, nlbMapping.port, nlbMapping.protocol, vpc.id, nlbMapping.healthCheck, nlbMapping.separateDomain);
+        targetGroups.push(exposedNlb.targetGroup);
+        if (!extraPortMappings.find((p) => p.hostPort === nlbMapping.port)) {
+            extraPortMappings.push({
+                containerPort: nlbMapping.port,
+                hostPort: nlbMapping.port,
+                protocol: nlbMapping.protocol,
+            });
+        }
+        // Allow inbound traffic on the specific port from anywhere
+        // (NLB preserves client source IPs for UDP)
+        new aws.ec2.SecurityGroupRule(`${serviceName}-nlb-${nlbMapping.protocol}-${nlbMapping.port}`, {
+            securityGroupId: taskSecurityGroup.id,
+            type: "ingress",
+            fromPort: nlbMapping.port,
+            toPort: nlbMapping.port,
+            protocol: nlbMapping.protocol,
+            cidrBlocks: ["0.0.0.0/0"],
+            description: `Allow ${nlbMapping.protocol.toUpperCase()} ${nlbMapping.port} from NLB (client IP preserved)`,
+        });
+    }
     const portMapping = {
         containerPort: dockerListeningPort,
         hostPort: dockerListeningPort,
     };
     // make the service accesible by the ALB
     (0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
+    // make the service accessible by the NLB (if any NLB mappings exist)
+    if (nlbMappings.length > 0) {
+        (0, acceptNlb_1.makeSecurityGroupAccessibleFromSharedNlb)(taskSecurityGroup, serviceName);
+    }
     const service = await createInternalService({
         serviceName,
         cluster,

package/exposeNlbService.d.ts

@@ -0,0 +1,36 @@
+export type NLBMapping = {
+    /** The port to expose on the NLB (must be in 7700-7799 range) */
+    port: number;
+    protocol: "udp" | "tcp";
+    /** Health check config — NLB uses HTTP/TCP health checks even for UDP targets */
+    healthCheck?: {
+        port: string;
+        path?: string;
+        protocol?: "HTTP" | "TCP";
+    };
+    /**
+     * split-dns mode: provide a dedicated subdomain for NLB traffic
+     * (e.g. "pulse-udp." + publicDomain). The main hostname stays proxied via ALB.
+     *
+     * unified-dns mode (default): omit this — the main hostname's Cloudflare record
+     * becomes unproxied and points to the NLB instead of the ALB.
+     */
+    separateDomain?: string;
+};
+/**
+ * Expose a service port via the shared NLB. Creates an NLB target group,
+ * listener, and Cloudflare DNS record.
+ *
+ * @param name unique resource name prefix
+ * @param domain the service's main hostname (e.g. "pulse-server.decentraland.zone")
+ * @param port the port to expose (e.g. 7777)
+ * @param protocol "udp" or "tcp"
+ * @param vpcId VPC ID for the target group
+ * @param healthCheck health check config for the NLB target group
+ * @param separateDomain if provided, creates DNS on this domain instead of the main one
+ */
+export declare function exposeNlbService(name: string, domain: string, port: number, protocol: "udp" | "tcp", vpcId: string, healthCheck?: NLBMapping["healthCheck"], separateDomain?: string): Promise<{
+    targetGroup: import("@pulumi/aws/lb/targetGroup").TargetGroup;
+    listener: import("@pulumi/aws/lb/listener").Listener;
+    cloudflareRecord: import("@pulumi/cloudflare/record").Record | undefined;
+}>;

package/exposeNlbService.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exposeNlbService = void 0;
+const aws = require("@pulumi/aws");
+const domain_1 = require("./domain");
+const nlb_1 = require("./nlb");
+const getDomainAndSubdomain_1 = require("./getDomainAndSubdomain");
+const cloudflare_1 = require("./cloudflare");
+const DEFAULT_NLB_HEALTHCHECK = {
+    protocol: "HTTP",
+    path: "/health",
+    port: "5000",
+    interval: 30,
+    healthyThreshold: 3,
+    unhealthyThreshold: 3,
+};
+/**
+ * Expose a service port via the shared NLB. Creates an NLB target group,
+ * listener, and Cloudflare DNS record.
+ *
+ * @param name unique resource name prefix
+ * @param domain the service's main hostname (e.g. "pulse-server.decentraland.zone")
+ * @param port the port to expose (e.g. 7777)
+ * @param protocol "udp" or "tcp"
+ * @param vpcId VPC ID for the target group
+ * @param healthCheck health check config for the NLB target group
+ * @param separateDomain if provided, creates DNS on this domain instead of the main one
+ */
+async function exposeNlbService(name, domain, port, protocol, vpcId, healthCheck, separateDomain) {
+    if (port < 7700 || port > 7799) {
+        throw new Error(`NLB port ${port} is outside the allowed range (7700-7799). Update the NLB security group in supra to allow a wider range if needed.`);
+    }
+    const nlbResult = await (0, nlb_1.getNlb)();
+    if (!nlbResult) {
+        throw new Error("NLB is not available in this environment. NLB is only deployed in dev and prd.");
+    }
+    const { nlb } = nlbResult;
+    const healthCheckConfig = {
+        ...DEFAULT_NLB_HEALTHCHECK,
+        ...healthCheck,
+    };
+    // AWS target group names max 32 chars (base + dash + 7 random = base ≤ 24).
+    // "ntg-" (4) + last 20 chars of name = 24 max.
+    const tgSlug = name.slice(-20);
+    const targetGroup = new aws.lb.TargetGroup(`ntg-${tgSlug}`, {
+        port,
+        protocol: protocol.toUpperCase(),
+        targetType: "ip",
+        vpcId,
+        healthCheck: {
+            protocol: healthCheckConfig.protocol,
+            port: healthCheckConfig.port,
+            path: healthCheckConfig.protocol === "HTTP" ? healthCheckConfig.path : undefined,
+            interval: healthCheckConfig.interval,
+            healthyThreshold: healthCheckConfig.healthyThreshold,
+            unhealthyThreshold: healthCheckConfig.unhealthyThreshold,
+        },
+    });
+    const listener = new aws.lb.Listener(`nlb-ls-${name}`, {
+        loadBalancerArn: nlb.arn,
+        port,
+        protocol: protocol.toUpperCase(),
+        defaultActions: [
+            {
+                type: "forward",
+                targetGroupArn: targetGroup.arn,
+            },
+        ],
+    });
+    // DNS: create an unproxied Cloudflare CNAME pointing to the NLB
+    const dnsDomain = separateDomain || domain;
+    const domainParts = (0, getDomainAndSubdomain_1.getDomainAndSubdomain)(dnsDomain);
+    let cloudflareRecord;
+    if (dnsDomain.endsWith(`.${domain_1.publicDomain}`)) {
+        cloudflareRecord = await (0, cloudflare_1.setRecord)({
+            recordName: domainParts.subdomain,
+            type: "CNAME",
+            value: nlb.dnsName,
+            proxied: false,
+            ttl: 300,
+        });
+    }
+    return {
+        targetGroup,
+        listener,
+        cloudflareRecord,
+    };
+}
+exports.exposeNlbService = exposeNlbService;
+//# sourceMappingURL=exposeNlbService.js.map

package/exposePublicService.d.ts

@@ -11,6 +11,7 @@ export type UnproxiedCloudflareDomain = {
 export type CloudflareDomainOptions = ProxiedCloudflareDomain | UnproxiedCloudflareDomain | {};
 export type ExtraExposedServiceOptions = CloudflareDomainOptions & {
     skipInternalDomain?: boolean;
+    skipCloudflareRecord?: boolean;
     targetGroupConditions?: pulumi.Input<aws.types.input.alb.ListenerRuleCondition>[];
 };
 /**

package/exposePublicService.js

@@ -34,7 +34,8 @@ async function exposePublicService(name, domain, port, healthCheck = {}, vpcId,
     const healthCheckValue = Object.assign({}, DEFAULT_HEALTHCHECK_VALUES, healthCheck);
     const isProxied = isProxiedDomain(extraOptions);
     const isUnproxied = isUnProxiedDomain(extraOptions);
-    const createCloudflareRecord = isProxied || isUnproxied || domain.endsWith(`.${domain_1.publicDomain}`);
+    const skipCloudflare = (extraOptions && extraOptions.skipCloudflareRecord) || false;
+    const createCloudflareRecord = !skipCloudflare && (isProxied || isUnproxied || domain.endsWith(`.${domain_1.publicDomain}`));
     const onlyCloudflare = (extraOptions && extraOptions.skipInternalDomain) || false;
     const createInternalDomain = !onlyCloudflare;
     const certificate = (0, certificate_1.getCertificateFor)(domain);

package/index.d.ts

@@ -1,4 +1,5 @@
 export * from "./acceptAlb";
+export * from "./acceptNlb";
 export * from "./acceptBastion";
 export * from "./acceptDb";
 export * from "./accessTheInternet";
@@ -14,11 +15,13 @@ export * from "./createScheduledFargateTask";
 export * from "./createSQSTriggeredFargateTask";
 export * from "./domain";
 export * from "./exposePublicService";
+export * from "./exposeNlbService";
 export * from "./getAmi";
 export * from "./getDomainAndSubdomain";
 export * from "./getImageRegistryAndCredentials";
 export * from "./lambda";
 export * from "./network";
+export * from "./nlb";
 export * from "./prometheus";
 export * from "./scheduledTaskBase";
 export * from "./secrets";

package/index.js

@@ -17,6 +17,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.withCache = void 0;
 __exportStar(require("./acceptAlb"), exports);
+__exportStar(require("./acceptNlb"), exports);
 __exportStar(require("./acceptBastion"), exports);
 __exportStar(require("./acceptDb"), exports);
 __exportStar(require("./accessTheInternet"), exports);
@@ -32,11 +33,13 @@ __exportStar(require("./createScheduledFargateTask"), exports);
 __exportStar(require("./createSQSTriggeredFargateTask"), exports);
 __exportStar(require("./domain"), exports);
 __exportStar(require("./exposePublicService"), exports);
+__exportStar(require("./exposeNlbService"), exports);
 __exportStar(require("./getAmi"), exports);
 __exportStar(require("./getDomainAndSubdomain"), exports);
 __exportStar(require("./getImageRegistryAndCredentials"), exports);
 __exportStar(require("./lambda"), exports);
 __exportStar(require("./network"), exports);
+__exportStar(require("./nlb"), exports);
 __exportStar(require("./prometheus"), exports);
 __exportStar(require("./scheduledTaskBase"), exports);
 __exportStar(require("./secrets"), exports);

package/nlb.d.ts

@@ -0,0 +1,4 @@
+import * as aws from "@pulumi/aws";
+export declare const getNlb: () => Promise<{
+    nlb: aws.lb.GetLoadBalancerResult;
+} | undefined>;

package/nlb.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getNlb = void 0;
+const aws = require("@pulumi/aws");
+const supra_1 = require("./supra");
+const withCache_1 = require("./withCache");
+exports.getNlb = (0, withCache_1.default)(async () => {
+    const nlbInstance = await supra_1.supra.getOutputValue("nlbInstance");
+    if (!nlbInstance) {
+        return undefined;
+    }
+    const nlb = await aws.lb.getLoadBalancer({ arn: nlbInstance.arn });
+    return { nlb };
+});
+//# sourceMappingURL=nlb.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcl-ops-lib",
-  "version": "9.2.0",
+  "version": "9.3.1",
   "scripts": {
     "build": "tsc && cp bin/* . && node test.js",
     "clean": "rm *.d.ts *.js *.js.map"

package/values.d.ts

@@ -10,5 +10,6 @@ export type EnvironmentValues = {
     dbSecurity: string;
     albSecurityGroupId: string;
     bastionSecurityGroupId: string;
+    nlbSecurityGroupId?: string;
 };
 export declare const getEnvConfiguration: () => Promise<EnvironmentValues>;

package/values.js

@@ -15,6 +15,7 @@ exports.getEnvConfiguration = (0, withCache_1.default)(async function () {
         dbSecurity: await supra_1.supra.getOutputValue("acceptDbSecurityGroupId"),
         albSecurityGroupId: await supra_1.supra.getOutputValue("albSecurityGroupId"),
         bastionSecurityGroupId: await supra_1.supra.getOutputValue("bastionSecurityGroupId"),
+        nlbSecurityGroupId: (await supra_1.supra.getOutputValue("nlbSecurityGroupId")) || undefined,
     };
 });
 //# sourceMappingURL=values.js.map