puls-dev 0.1.0

package/dist/providers/aws/lambda.js

@@ -0,0 +1,159 @@
+import { readFileSync, unlinkSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import { tmpdir } from 'node:os';
+import { join, extname } from 'node:path';
+import { GetFunctionCommand, CreateFunctionCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, DeleteFunctionCommand, } from '@aws-sdk/client-lambda';
+import { GetRoleCommand, CreateRoleCommand, AttachRolePolicyCommand, } from '@aws-sdk/client-iam';
+import { BaseBuilder } from '../../core/resource.js';
+import { getLambdaClient, getIAMClient } from './api.js';
+import { resolveEnvVars } from './secrets.js';
+const ASSUME_ROLE_POLICY = JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
+});
+export class LambdaBuilder extends BaseBuilder {
+    _runtime = 'nodejs20.x';
+    _handler = 'index.handler';
+    _memory = 128;
+    _timeout = 30;
+    _codePath;
+    _env = {};
+    _roleArn;
+    resolvedArn = null;
+    constructor(name) {
+        super(name);
+        this.discoveryPromise = this.discoverFunction(name);
+    }
+    async discoverFunction(name) {
+        try {
+            const result = await getLambdaClient().send(new GetFunctionCommand({ FunctionName: name }));
+            this.resolvedArn = result.Configuration?.FunctionArn ?? null;
+            return result.Configuration ?? null;
+        }
+        catch (e) {
+            if (e.name === 'ResourceNotFoundException')
+                return null;
+            if (e.name === 'CredentialsProviderError')
+                return null;
+            throw e;
+        }
+    }
+    code(pathOrZip) { this._codePath = pathOrZip; return this; }
+    runtime(r) { this._runtime = r; return this; }
+    handler(h) { this._handler = h; return this; }
+    memory(mb) { this._memory = mb; return this; }
+    timeout(seconds) { this._timeout = seconds; return this; }
+    role(arn) { this._roleArn = arn; return this; }
+    env(vars) { this._env = { ...this._env, ...vars }; return this; }
+    async ensureRole() {
+        if (this._roleArn)
+            return this._roleArn;
+        const roleName = `puls-lambda-${this.name}-role`;
+        const iam = getIAMClient();
+        try {
+            const existing = await iam.send(new GetRoleCommand({ RoleName: roleName }));
+            return existing.Role.Arn;
+        }
+        catch (e) {
+            if (e.name !== 'NoSuchEntityException')
+                throw e;
+        }
+        const created = await iam.send(new CreateRoleCommand({
+            RoleName: roleName,
+            AssumeRolePolicyDocument: ASSUME_ROLE_POLICY,
+            Description: `Execution role for OpsDSL Lambda "${this.name}"`,
+        }));
+        await iam.send(new AttachRolePolicyCommand({
+            RoleName: roleName,
+            PolicyArn: 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+        }));
+        console.log(`   ✅ Created execution role: ${roleName}`);
+        // IAM propagation — Lambda rejects a brand-new role for ~10s
+        await new Promise(r => setTimeout(r, 10_000));
+        return created.Role.Arn;
+    }
+    buildZip() {
+        if (!this._codePath)
+            throw new Error(`[Lambda:${this.name}] .code(path) is required`);
+        if (extname(this._codePath) === '.zip') {
+            return readFileSync(this._codePath);
+        }
+        const outPath = join(tmpdir(), `puls-lambda-${this.name}-${Date.now()}.zip`);
+        execSync(`cd "${this._codePath}" && zip -r "${outPath}" .`, { stdio: 'pipe' });
+        const buf = readFileSync(outPath);
+        unlinkSync(outPath);
+        return buf;
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        const lambda = getLambdaClient();
+        console.log(`\n⚡ Finalizing Lambda Function "${this.name}"...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${existing ? 'Update' : 'Create'} function "${this.name}"`);
+            console.log(`      └─ Runtime: ${this._runtime} | Handler: ${this._handler}`);
+            console.log(`      └─ Memory: ${this._memory}MB | Timeout: ${this._timeout}s`);
+            if (this._codePath)
+                console.log(`      └─ Code: ${this._codePath}`);
+            if (Object.keys(this._env).length)
+                console.log(`      └─ Env vars: ${Object.keys(this._env).join(', ')}`);
+            this.resolvedArn = `arn:aws:lambda:DRYRUN:000000000000:function:${this.name}`;
+            return { name: this.name, arn: this.resolvedArn };
+        }
+        const [roleArn, resolvedEnv] = await Promise.all([
+            this.ensureRole(),
+            resolveEnvVars(this._env),
+        ]);
+        const config = {
+            FunctionName: this.name,
+            Runtime: this._runtime,
+            Handler: this._handler,
+            MemorySize: this._memory,
+            Timeout: this._timeout,
+            Role: roleArn,
+            Environment: Object.keys(resolvedEnv).length ? { Variables: resolvedEnv } : undefined,
+        };
+        if (existing) {
+            this.resolvedArn = existing.FunctionArn;
+            await lambda.send(new UpdateFunctionConfigurationCommand(config));
+            if (this._codePath) {
+                await lambda.send(new UpdateFunctionCodeCommand({
+                    FunctionName: this.name,
+                    ZipFile: this.buildZip(),
+                }));
+                console.log(`   ✅ Updated function "${this.name}" (code + config)`);
+            }
+            else {
+                console.log(`   ✅ Updated function "${this.name}" (config only)`);
+            }
+        }
+        else {
+            if (!this._codePath)
+                throw new Error(`[Lambda:${this.name}] .code(path) is required to create a function`);
+            const result = await lambda.send(new CreateFunctionCommand({
+                ...config,
+                Code: { ZipFile: this.buildZip() },
+            }));
+            this.resolvedArn = result.FunctionArn;
+            console.log(`🚀 Created function "${this.name}" (arn=${this.resolvedArn})`);
+        }
+        await this.deploySidecars();
+        return { name: this.name, arn: this.resolvedArn };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        console.log(`\n🗑️  Destroying Lambda Function "${this.name}"...`);
+        if (!existing) {
+            console.log(`   ✅ Function "${this.name}" does not exist — nothing to do`);
+            return { destroyed: this.name };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete function "${this.name}"`);
+            return { destroyed: this.name };
+        }
+        await getLambdaClient().send(new DeleteFunctionCommand({ FunctionName: this.name }));
+        console.log(`   ✅ Deleted function "${this.name}"`);
+        return { destroyed: this.name };
+    }
+}

package/dist/providers/aws/list.d.ts

@@ -0,0 +1,2 @@
+import type { AwsInventory } from '../../types/inventory.js';
+export declare function listAwsResources(): Promise<AwsInventory>;

package/dist/providers/aws/list.js

@@ -0,0 +1,44 @@
+import { ListDistributionsCommand } from '@aws-sdk/client-cloudfront';
+import { ListBucketsCommand } from '@aws-sdk/client-s3';
+import { ListFunctionsCommand } from '@aws-sdk/client-lambda';
+import { DescribeDBInstancesCommand } from '@aws-sdk/client-rds';
+import { ListHostedZonesCommand } from '@aws-sdk/client-route-53';
+import { getCFClient, getS3Client, getLambdaClient, getRDSClient, getR53Client } from './api.js';
+import { Config } from '../../core/config.js';
+export async function listAwsResources() {
+    const region = Config.get().providers.aws.region;
+    const [cfResult, s3Result, lambdaResult, rdsResult, r53Result] = await Promise.all([
+        getCFClient().send(new ListDistributionsCommand({})),
+        getS3Client().send(new ListBucketsCommand({})),
+        getLambdaClient().send(new ListFunctionsCommand({ MaxItems: 50 })),
+        getRDSClient().send(new DescribeDBInstancesCommand({})),
+        getR53Client().send(new ListHostedZonesCommand({})),
+    ]);
+    const distributions = (cfResult.DistributionList?.Items ?? []).map((d) => ({
+        id: d.Id,
+        domain: d.DomainName,
+        aliases: d.Aliases?.Items ?? [],
+        status: d.Status ?? '',
+    }));
+    const buckets = (s3Result.Buckets ?? []).map((b) => ({
+        name: b.Name,
+    }));
+    const lambdas = (lambdaResult.Functions ?? []).map((f) => ({
+        name: f.FunctionName,
+        runtime: f.Runtime ?? 'unknown',
+        memorySizeMb: f.MemorySize ?? 0,
+    }));
+    const rdsInstances = (rdsResult.DBInstances ?? []).map((i) => ({
+        identifier: i.DBInstanceIdentifier,
+        engine: `${i.Engine} ${i.EngineVersion}`,
+        instanceClass: i.DBInstanceClass,
+        status: i.DBInstanceStatus ?? '',
+        endpoint: i.Endpoint?.Address,
+    }));
+    const hostedZones = (r53Result.HostedZones ?? []).map((z) => ({
+        name: z.Name,
+        id: z.Id.replace('/hostedzone/', ''),
+        recordCount: z.ResourceRecordSetCount ?? 0,
+    }));
+    return { region, distributions, buckets, lambdas, rdsInstances, hostedZones };
+}

package/dist/providers/aws/rds.d.ts

@@ -0,0 +1,46 @@
+import { BaseBuilder } from '../../core/resource.js';
+export declare class RDSBuilder extends BaseBuilder {
+    private _engine;
+    private _engineVersion;
+    private _instanceClass;
+    private _storage;
+    private _username?;
+    private _password?;
+    private _dbName?;
+    private _subnetIds?;
+    private _securityGroupIds?;
+    private _publicAccess;
+    resolvedEndpoint: string | null;
+    resolvedPort: number | null;
+    resolvedArn: string | null;
+    constructor(name: string);
+    engine(e: {
+        engine: string;
+        version: string;
+    }): this;
+    size(instanceClass: string): this;
+    storage(gb: number): this;
+    subnets(ids: string[]): this;
+    securityGroups(ids: string[]): this;
+    publicAccess(enabled?: boolean): this;
+    database(name: string): this;
+    credentials(username: string, password: string): this;
+    private discoverInstance;
+    private discoverDefaultVpc;
+    private ensureSubnetGroup;
+    private ensureSecurityGroup;
+    deploy(): Promise<{
+        name: string;
+        endpoint: string;
+        port: number;
+        arn?: undefined;
+    } | {
+        name: string;
+        endpoint: string | null;
+        port: number | null;
+        arn: string | null;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/aws/rds.js

@@ -0,0 +1,227 @@
+import { DescribeDBInstancesCommand, CreateDBInstanceCommand, ModifyDBInstanceCommand, DeleteDBInstanceCommand, DescribeDBSubnetGroupsCommand, CreateDBSubnetGroupCommand, } from '@aws-sdk/client-rds';
+import { DescribeVpcsCommand, DescribeSubnetsCommand, DescribeSecurityGroupsCommand, CreateSecurityGroupCommand, AuthorizeSecurityGroupIngressCommand, } from '@aws-sdk/client-ec2';
+import { BaseBuilder } from '../../core/resource.js';
+import { getRDSClient, getEC2Client } from './api.js';
+import { Config } from '../../core/config.js';
+const DB_PORT = {
+    postgres: 5432,
+    mysql: 3306,
+    mariadb: 3306,
+};
+export class RDSBuilder extends BaseBuilder {
+    _engine = 'postgres';
+    _engineVersion = '16';
+    _instanceClass = 'db.t3.micro';
+    _storage = 20;
+    _username;
+    _password;
+    _dbName;
+    _subnetIds;
+    _securityGroupIds;
+    _publicAccess = false;
+    resolvedEndpoint = null;
+    resolvedPort = null;
+    resolvedArn = null;
+    constructor(name) {
+        super(name);
+        this.discoveryPromise = this.discoverInstance(name);
+    }
+    engine(e) {
+        this._engine = e.engine;
+        this._engineVersion = e.version;
+        return this;
+    }
+    size(instanceClass) { this._instanceClass = instanceClass; return this; }
+    storage(gb) { this._storage = gb; return this; }
+    subnets(ids) { this._subnetIds = ids; return this; }
+    securityGroups(ids) { this._securityGroupIds = ids; return this; }
+    publicAccess(enabled = true) { this._publicAccess = enabled; return this; }
+    database(name) { this._dbName = name; return this; }
+    credentials(username, password) {
+        this._username = username;
+        this._password = password;
+        return this;
+    }
+    async discoverInstance(identifier) {
+        try {
+            const result = await getRDSClient().send(new DescribeDBInstancesCommand({
+                DBInstanceIdentifier: identifier,
+            }));
+            const instance = result.DBInstances?.[0];
+            if (!instance || instance.DBInstanceStatus === 'deleting')
+                return null;
+            this.resolvedArn = instance.DBInstanceArn ?? null;
+            this.resolvedEndpoint = instance.Endpoint?.Address ?? null;
+            this.resolvedPort = instance.Endpoint?.Port ?? null;
+            return instance;
+        }
+        catch (e) {
+            if (e.name === 'DBInstanceNotFound')
+                return null;
+            if (e.name === 'CredentialsProviderError')
+                return null;
+            throw e;
+        }
+    }
+    async discoverDefaultVpc() {
+        const ec2 = getEC2Client();
+        const vpcs = await ec2.send(new DescribeVpcsCommand({
+            Filters: [{ Name: 'isDefault', Values: ['true'] }],
+        }));
+        const vpc = vpcs.Vpcs?.[0];
+        if (!vpc?.VpcId)
+            throw new Error(`[RDS:${this.name}] No default VPC found. Use .subnets(ids[]) to specify subnets.`);
+        const subnets = await ec2.send(new DescribeSubnetsCommand({
+            Filters: [{ Name: 'vpc-id', Values: [vpc.VpcId] }],
+        }));
+        const subnetIds = (subnets.Subnets ?? []).map(s => s.SubnetId).filter(Boolean);
+        return { vpcId: vpc.VpcId, vpcCidr: vpc.CidrBlock, subnetIds };
+    }
+    async ensureSubnetGroup(subnetIds) {
+        const rds = getRDSClient();
+        const groupName = `puls-${this.name}-subnet-group`;
+        try {
+            await rds.send(new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: groupName }));
+            return groupName;
+        }
+        catch (e) {
+            if (e.name !== 'DBSubnetGroupNotFoundFault')
+                throw e;
+        }
+        await rds.send(new CreateDBSubnetGroupCommand({
+            DBSubnetGroupName: groupName,
+            DBSubnetGroupDescription: `OpsDSL subnet group for RDS instance "${this.name}"`,
+            SubnetIds: subnetIds,
+        }));
+        console.log(`   ✅ Created DB subnet group: ${groupName}`);
+        return groupName;
+    }
+    async ensureSecurityGroup(vpcId, vpcCidr) {
+        const ec2 = getEC2Client();
+        const sgName = `puls-${this.name}-db-sg`;
+        const port = DB_PORT[this._engine] ?? 5432;
+        const existing = await ec2.send(new DescribeSecurityGroupsCommand({
+            Filters: [
+                { Name: 'group-name', Values: [sgName] },
+                { Name: 'vpc-id', Values: [vpcId] },
+            ],
+        }));
+        if (existing.SecurityGroups?.length)
+            return existing.SecurityGroups[0].GroupId;
+        const created = await ec2.send(new CreateSecurityGroupCommand({
+            GroupName: sgName,
+            Description: `OpsDSL DB access for "${this.name}"`,
+            VpcId: vpcId,
+        }));
+        const sgId = created.GroupId;
+        // Allow inbound on DB port from VPC CIDR only (secure default)
+        // Use .publicAccess() to open to the internet
+        const cidr = this._publicAccess ? '0.0.0.0/0' : vpcCidr;
+        await ec2.send(new AuthorizeSecurityGroupIngressCommand({
+            GroupId: sgId,
+            IpPermissions: [{
+                    IpProtocol: 'tcp',
+                    FromPort: port,
+                    ToPort: port,
+                    IpRanges: [{ CidrIp: cidr, Description: this._publicAccess ? 'Public access' : 'VPC only' }],
+                }],
+        }));
+        console.log(`   ✅ Created security group: ${sgName} (${sgId}) — port ${port} open to ${cidr}`);
+        return sgId;
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        const region = Config.get().providers.aws?.region ?? 'us-east-1';
+        const port = DB_PORT[this._engine] ?? 5432;
+        console.log(`\n⚡ Finalizing RDS Instance "${this.name}"...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${existing ? 'Update' : 'Create'} RDS instance "${this.name}"`);
+            console.log(`      └─ Engine: ${this._engine} ${this._engineVersion}`);
+            console.log(`      └─ Class: ${this._instanceClass} | Storage: ${this._storage}GB`);
+            console.log(`      └─ Port: ${port} | Public: ${this._publicAccess}`);
+            this.resolvedEndpoint = `${this.name}.DRYRUN.${region}.rds.amazonaws.com`;
+            this.resolvedPort = port;
+            return { name: this.name, endpoint: this.resolvedEndpoint, port: this.resolvedPort };
+        }
+        if (!this._username || !this._password) {
+            throw new Error(`[RDS:${this.name}] .credentials(username, password) is required`);
+        }
+        // Resolve networking — only hit EC2 if needed
+        let subnetGroupName;
+        let securityGroupIds;
+        if (this._subnetIds && this._securityGroupIds) {
+            subnetGroupName = await this.ensureSubnetGroup(this._subnetIds);
+            securityGroupIds = this._securityGroupIds;
+        }
+        else {
+            const { vpcId, vpcCidr, subnetIds } = await this.discoverDefaultVpc();
+            subnetGroupName = await this.ensureSubnetGroup(this._subnetIds ?? subnetIds);
+            securityGroupIds = this._securityGroupIds ?? [await this.ensureSecurityGroup(vpcId, vpcCidr)];
+        }
+        const rds = getRDSClient();
+        if (existing) {
+            await rds.send(new ModifyDBInstanceCommand({
+                DBInstanceIdentifier: this.name,
+                DBInstanceClass: this._instanceClass,
+                AllocatedStorage: this._storage,
+                VpcSecurityGroupIds: securityGroupIds,
+                ApplyImmediately: true,
+            }));
+            console.log(`   ✅ Modification queued for "${this.name}" (ApplyImmediately)`);
+        }
+        else {
+            await rds.send(new CreateDBInstanceCommand({
+                DBInstanceIdentifier: this.name,
+                DBInstanceClass: this._instanceClass,
+                Engine: this._engine,
+                EngineVersion: this._engineVersion,
+                MasterUsername: this._username,
+                MasterUserPassword: this._password,
+                AllocatedStorage: this._storage,
+                DBName: this._dbName,
+                DBSubnetGroupName: subnetGroupName,
+                VpcSecurityGroupIds: securityGroupIds,
+                PubliclyAccessible: this._publicAccess,
+                StorageType: 'gp3',
+                BackupRetentionPeriod: 7,
+                DeletionProtection: false,
+            }));
+            console.log(`🚀 Creating RDS instance "${this.name}" — waiting for available...`);
+            await this.waitFor(`"${this.name}" to become available`, async () => {
+                const r = await getRDSClient().send(new DescribeDBInstancesCommand({ DBInstanceIdentifier: this.name }));
+                const inst = r.DBInstances?.[0];
+                if (inst?.DBInstanceStatus === 'available') {
+                    this.resolvedEndpoint = inst.Endpoint?.Address ?? null;
+                    this.resolvedPort = inst.Endpoint?.Port ?? null;
+                    this.resolvedArn = inst.DBInstanceArn ?? null;
+                    return true;
+                }
+                return false;
+            }, { intervalMs: 30_000, timeoutMs: 1_200_000 });
+            console.log(`   🌐 Endpoint: ${this.resolvedEndpoint}:${this.resolvedPort}`);
+        }
+        await this.deploySidecars();
+        return { name: this.name, endpoint: this.resolvedEndpoint, port: this.resolvedPort, arn: this.resolvedArn };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        console.log(`\n🗑️  Destroying RDS Instance "${this.name}"...`);
+        if (!existing) {
+            console.log(`   ✅ Instance "${this.name}" does not exist — nothing to do`);
+            return { destroyed: this.name };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete RDS instance "${this.name}" (no final snapshot)`);
+            return { destroyed: this.name };
+        }
+        await getRDSClient().send(new DeleteDBInstanceCommand({
+            DBInstanceIdentifier: this.name,
+            SkipFinalSnapshot: true,
+            DeleteAutomatedBackups: true,
+        }));
+        console.log(`   ✅ Deletion initiated for "${this.name}" (takes a few minutes)`);
+        return { destroyed: this.name };
+    }
+}

package/dist/providers/aws/route53.d.ts

@@ -0,0 +1,38 @@
+import { BaseBuilder } from '../../core/resource.js';
+import { Output } from '../../core/output.js';
+import { ACMCertificateBuilder } from './acm.js';
+import type { RegistrantContact } from '../../types/aws.js';
+export declare class Route53Builder extends BaseBuilder {
+    readonly out: {
+        zone: Output<{
+            name: string;
+            id: string;
+        }>;
+    };
+    zoneName: string;
+    zoneId?: string;
+    private records;
+    private _isRegistering;
+    private _registrantContact?;
+    private _wantsWildcardSSL;
+    constructor(zoneName?: string);
+    private discoverZone;
+    randomDomain(): this;
+    cert(): ACMCertificateBuilder | undefined;
+    withWildcardSSL(): this;
+    register(contact?: RegistrantContact): this;
+    record(name: string, type: 'A' | 'CNAME' | 'AAAA', value: string): this;
+    pointer(name: string, target: BaseBuilder): this;
+    deploy(): Promise<{
+        zone: string;
+        id: string | undefined;
+    }>;
+    private registerDomain;
+    private mapContact;
+    private normalizePhone;
+    upsertCnames(records: {
+        name: string;
+        value: string;
+    }[]): Promise<void>;
+    private upsertRecords;
+}