relight-cli 0.1.0 → 0.3.0

package/src/lib/providers/aws/db.js

@@ -0,0 +1,504 @@
+import { randomBytes } from "crypto";
+import { awsQueryApi, awsJsonApi, xmlVal, xmlList, xmlBlock } from "../../clouds/aws.js";
+import { getCloudMeta, setCloudMeta } from "../../config.js";
+
+var SHARED_INSTANCE = "relight-shared";
+
+function userName(name) {
+  return `app_${name.replace(/-/g, "_")}`;
+}
+
+function dbName(name) {
+  return `relight_${name.replace(/-/g, "_")}`;
+}
+
+function isSharedInstance(dbId) {
+  return dbId === SHARED_INSTANCE;
+}
+
+async function connectPg(connectionUrl) {
+  var pg = await import("pg");
+  var Client = pg.default?.Client || pg.Client;
+  var client = new Client({ connectionString: connectionUrl });
+  await client.connect();
+  return client;
+}
+
+// --- Security group for RDS public access ---
+
+async function ensureSecurityGroup(cfg) {
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+  var sgName = "relight-rds-public";
+
+  // Check if security group exists
+  var descXml = await awsQueryApi(
+    "DescribeSecurityGroups",
+    { "Filter.1.Name": "group-name", "Filter.1.Value.1": sgName },
+    "ec2",
+    cr,
+    cfg.region
+  );
+
+  var sgBlock = xmlBlock(descXml, "securityGroupInfo");
+  var existing = sgBlock ? xmlBlock(sgBlock, "item") : null;
+  if (existing) {
+    var sgId = xmlVal(existing, "groupId");
+    if (sgId) return sgId;
+  }
+
+  // Get default VPC
+  var vpcXml = await awsQueryApi(
+    "DescribeVpcs",
+    { "Filter.1.Name": "isDefault", "Filter.1.Value.1": "true" },
+    "ec2",
+    cr,
+    cfg.region
+  );
+  var vpcId = xmlVal(vpcXml, "vpcId");
+  if (!vpcId) throw new Error("No default VPC found. Create one or specify a VPC.");
+
+  // Create security group
+  var createXml = await awsQueryApi(
+    "CreateSecurityGroup",
+    {
+      GroupName: sgName,
+      GroupDescription: "Relight RDS public access on port 5432",
+      VpcId: vpcId,
+    },
+    "ec2",
+    cr,
+    cfg.region
+  );
+  var newSgId = xmlVal(createXml, "groupId");
+  if (!newSgId) throw new Error("Failed to create security group.");
+
+  // Authorize inbound on port 5432
+  await awsQueryApi(
+    "AuthorizeSecurityGroupIngress",
+    {
+      GroupId: newSgId,
+      "IpPermissions.1.IpProtocol": "tcp",
+      "IpPermissions.1.FromPort": "5432",
+      "IpPermissions.1.ToPort": "5432",
+      "IpPermissions.1.IpRanges.1.CidrIp": "0.0.0.0/0",
+    },
+    "ec2",
+    cr,
+    cfg.region
+  );
+
+  return newSgId;
+}
+
+// --- Poll for RDS instance to become available ---
+
+async function waitForInstance(cfg, instName) {
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+
+  for (var i = 0; i < 180; i++) {
+    var xml = await awsQueryApi(
+      "DescribeDBInstances",
+      { DBInstanceIdentifier: instName },
+      "rds",
+      cr,
+      cfg.region
+    );
+
+    var status = xmlVal(xml, "DBInstanceStatus");
+    if (status === "available") return;
+    if (status === "failed" || status === "incompatible-parameters") {
+      throw new Error(`RDS instance reached status: ${status}`);
+    }
+
+    await new Promise((r) => setTimeout(r, 10000));
+  }
+  throw new Error("Timed out waiting for RDS instance to become available.");
+}
+
+// --- Get RDS endpoint ---
+
+function getRdsEndpoint(xml) {
+  var endpointBlock = xmlBlock(xml, "Endpoint");
+  if (!endpointBlock) return null;
+  var host = xmlVal(endpointBlock, "Address");
+  var port = xmlVal(endpointBlock, "Port") || "5432";
+  return { host, port };
+}
+
+// --- Shared instance management ---
+
+async function getOrCreateSharedInstance(cfg) {
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+  var meta = getCloudMeta("aws", "sharedDb");
+
+  if (meta && meta.instance) {
+    // Verify instance still exists
+    try {
+      var xml = await awsQueryApi(
+        "DescribeDBInstances",
+        { DBInstanceIdentifier: SHARED_INSTANCE },
+        "rds",
+        cr,
+        cfg.region
+      );
+      var endpoint = getRdsEndpoint(xml);
+      if (endpoint && endpoint.host !== meta.host) {
+        meta.host = endpoint.host;
+        meta.port = endpoint.port;
+        setCloudMeta("aws", "sharedDb", meta);
+      }
+      return meta;
+    } catch (e) {
+      // Instance gone, recreate
+    }
+  }
+
+  // Create shared RDS instance
+  var sgId = await ensureSecurityGroup(cfg);
+  var masterPassword = randomBytes(24).toString("base64url");
+
+  process.stderr.write("  Creating shared RDS instance (one-time, takes 5-15 minutes)...\n");
+  await awsQueryApi(
+    "CreateDBInstance",
+    {
+      DBInstanceIdentifier: SHARED_INSTANCE,
+      DBInstanceClass: "db.t4g.micro",
+      Engine: "postgres",
+      EngineVersion: "15",
+      MasterUsername: "relight_admin",
+      MasterUserPassword: masterPassword,
+      DBName: "postgres",
+      AllocatedStorage: "20",
+      PubliclyAccessible: "true",
+      "VpcSecurityGroupIds.member.1": sgId,
+      BackupRetentionPeriod: "0",
+    },
+    "rds",
+    cr,
+    cfg.region
+  );
+
+  await waitForInstance(cfg, SHARED_INSTANCE);
+
+  // Get endpoint
+  var xml = await awsQueryApi(
+    "DescribeDBInstances",
+    { DBInstanceIdentifier: SHARED_INSTANCE },
+    "rds",
+    cr,
+    cfg.region
+  );
+  var endpoint = getRdsEndpoint(xml);
+  if (!endpoint || !endpoint.host) throw new Error("No endpoint found for shared RDS instance.");
+
+  meta = {
+    instance: SHARED_INSTANCE,
+    host: endpoint.host,
+    port: endpoint.port,
+    masterPassword,
+  };
+  setCloudMeta("aws", "sharedDb", meta);
+
+  return meta;
+}
+
+async function connectAsAdmin(cfg) {
+  var meta = getCloudMeta("aws", "sharedDb");
+  if (!meta || !meta.masterPassword) {
+    throw new Error("Shared DB master credentials not found. Run `relight db create` first.");
+  }
+  var url = `postgresql://relight_admin:${encodeURIComponent(meta.masterPassword)}@${meta.host}:${meta.port}/postgres`;
+  var client = await connectPg(url);
+  return { client, meta };
+}
+
+async function destroySharedInstanceIfEmpty(cfg) {
+  var { client } = await connectAsAdmin(cfg);
+  try {
+    var res = await client.query(
+      "SELECT datname FROM pg_database WHERE datname LIKE 'relight_%'"
+    );
+    if (res.rows.length > 0) return false;
+  } finally {
+    await client.end();
+  }
+
+  // No relight databases remain - destroy the shared instance
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+  await awsQueryApi(
+    "DeleteDBInstance",
+    { DBInstanceIdentifier: SHARED_INSTANCE, SkipFinalSnapshot: "true" },
+    "rds",
+    cr,
+    cfg.region
+  );
+  setCloudMeta("aws", "sharedDb", undefined);
+  return true;
+}
+
+// --- Public API ---
+
+export async function createDatabase(cfg, name, opts = {}) {
+  var meta = await getOrCreateSharedInstance(cfg);
+  var database = dbName(name);
+  var user = userName(name);
+  var password = randomBytes(24).toString("base64url");
+
+  // Connect as admin to create database and user
+  var adminUrl = `postgresql://relight_admin:${encodeURIComponent(meta.masterPassword)}@${meta.host}:${meta.port}/postgres`;
+  var client = await connectPg(adminUrl);
+  try {
+    await client.query(`CREATE USER ${user} WITH PASSWORD '${password.replace(/'/g, "''")}'`);
+    await client.query(`CREATE DATABASE ${database} OWNER ${user}`);
+  } finally {
+    await client.end();
+  }
+
+  var connectionUrl = `postgresql://${user}:${encodeURIComponent(password)}@${meta.host}:${meta.port}/${database}`;
+
+  return {
+    dbId: SHARED_INSTANCE,
+    dbName: database,
+    dbUser: user,
+    dbToken: password,
+    connectionUrl,
+  };
+}
+
+export async function destroyDatabase(cfg, name, opts = {}) {
+  var dbId = opts.dbId;
+  if (!dbId) {
+    throw new Error("dbId is required to destroy an AWS database.");
+  }
+
+  // Legacy per-app instance: delete the whole instance
+  if (!isSharedInstance(dbId)) {
+    var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+    await awsQueryApi(
+      "DeleteDBInstance",
+      { DBInstanceIdentifier: dbId, SkipFinalSnapshot: "true" },
+      "rds",
+      cr,
+      cfg.region
+    );
+    return;
+  }
+
+  // Shared instance: drop database and user
+  var database = dbName(name);
+  var user = userName(name);
+
+  var { client } = await connectAsAdmin(cfg);
+  try {
+    // Terminate active connections to the database
+    await client.query(
+      `SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname = '${database}' AND pid <> pg_backend_pid()`
+    );
+    await client.query(`DROP DATABASE IF EXISTS ${database}`);
+    await client.query(`DROP USER IF EXISTS ${user}`);
+  } finally {
+    await client.end();
+  }
+
+  // Check if shared instance should be destroyed
+  await destroySharedInstanceIfEmpty(cfg);
+}
+
+export async function getDatabaseInfo(cfg, name, opts = {}) {
+  var dbId = opts.dbId;
+  if (!dbId) {
+    throw new Error("dbId is required to get AWS database info.");
+  }
+
+  var database = dbName(name);
+  var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+  var xml = await awsQueryApi(
+    "DescribeDBInstances",
+    { DBInstanceIdentifier: dbId },
+    "rds",
+    cr,
+    cfg.region
+  );
+
+  var endpoint = getRdsEndpoint(xml);
+  var displayUser = isSharedInstance(dbId) ? userName(name) : "relight";
+
+  var connectionUrl = endpoint
+    ? `postgresql://${displayUser}:****@${endpoint.host}:${endpoint.port}/${database}`
+    : null;
+
+  return {
+    dbId,
+    dbName: database,
+    connectionUrl,
+    size: null,
+    numTables: null,
+    createdAt: xmlVal(xml, "InstanceCreateTime") || null,
+  };
+}
+
+export async function queryDatabase(cfg, name, sql, params, opts = {}) {
+  if (!opts.connectionUrl) {
+    throw new Error("connectionUrl is required to query an AWS database.");
+  }
+
+  var client = await connectPg(opts.connectionUrl);
+
+  try {
+    var result = await client.query(sql, params || []);
+    return {
+      results: result.rows,
+      meta: { changes: result.rowCount, rows_read: result.rows.length },
+    };
+  } finally {
+    await client.end();
+  }
+}
+
+export async function importDatabase(cfg, name, sqlContent, opts = {}) {
+  if (!opts.connectionUrl) {
+    throw new Error("connectionUrl is required to import into an AWS database.");
+  }
+
+  var client = await connectPg(opts.connectionUrl);
+
+  try {
+    await client.query(sqlContent);
+  } finally {
+    await client.end();
+  }
+}
+
+export async function exportDatabase(cfg, name, opts = {}) {
+  if (!opts.connectionUrl) {
+    throw new Error("connectionUrl is required to export an AWS database.");
+  }
+
+  var database = dbName(name);
+  var client = await connectPg(opts.connectionUrl);
+
+  try {
+    var tablesRes = await client.query(
+      "SELECT tablename FROM pg_tables WHERE schemaname = 'public' ORDER BY tablename"
+    );
+    var tables = tablesRes.rows.map((r) => r.tablename);
+
+    var dump = [];
+    dump.push("-- PostgreSQL dump generated by relight");
+    dump.push(`-- Database: ${database}`);
+    dump.push(`-- Date: ${new Date().toISOString()}`);
+    dump.push("");
+
+    for (var t of tables) {
+      var colsRes = await client.query(
+        `SELECT column_name, data_type, is_nullable, column_default
+         FROM information_schema.columns
+         WHERE table_name = $1 AND table_schema = 'public'
+         ORDER BY ordinal_position`,
+        [t]
+      );
+
+      var cols = colsRes.rows.map((c) => {
+        var def = `  "${c.column_name}" ${c.data_type}`;
+        if (c.column_default) def += ` DEFAULT ${c.column_default}`;
+        if (c.is_nullable === "NO") def += " NOT NULL";
+        return def;
+      });
+
+      dump.push(`CREATE TABLE IF NOT EXISTS "${t}" (`);
+      dump.push(cols.join(",\n"));
+      dump.push(");");
+      dump.push("");
+
+      var dataRes = await client.query(`SELECT * FROM "${t}"`);
+      for (var row of dataRes.rows) {
+        var values = Object.values(row).map((v) => {
+          if (v === null) return "NULL";
+          if (typeof v === "number") return String(v);
+          if (typeof v === "boolean") return v ? "TRUE" : "FALSE";
+          return "'" + String(v).replace(/'/g, "''") + "'";
+        });
+        var colNames = Object.keys(row).map((c) => `"${c}"`).join(", ");
+        dump.push(`INSERT INTO "${t}" (${colNames}) VALUES (${values.join(", ")});`);
+      }
+      dump.push("");
+    }
+
+    return dump.join("\n");
+  } finally {
+    await client.end();
+  }
+}
+
+export async function rotateToken(cfg, name, opts = {}) {
+  var dbId = opts.dbId;
+  if (!dbId) {
+    throw new Error("dbId is required to rotate an AWS database token.");
+  }
+
+  var newPassword = randomBytes(24).toString("base64url");
+  var connectionUrl;
+  var database = dbName(name);
+
+  if (isSharedInstance(dbId)) {
+    // Update via admin connection
+    var user = userName(name);
+    var { client, meta } = await connectAsAdmin(cfg);
+    try {
+      await client.query(`ALTER USER ${user} WITH PASSWORD '${newPassword.replace(/'/g, "''")}'`);
+    } finally {
+      await client.end();
+    }
+    connectionUrl = `postgresql://${user}:${encodeURIComponent(newPassword)}@${meta.host}:${meta.port}/${database}`;
+  } else {
+    // Legacy: update RDS master password
+    var cr = { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey };
+    await awsQueryApi(
+      "ModifyDBInstance",
+      {
+        DBInstanceIdentifier: dbId,
+        MasterUserPassword: newPassword,
+      },
+      "rds",
+      cr,
+      cfg.region
+    );
+
+    var xml = await awsQueryApi(
+      "DescribeDBInstances",
+      { DBInstanceIdentifier: dbId },
+      "rds",
+      cr,
+      cfg.region
+    );
+    var endpoint = getRdsEndpoint(xml);
+    connectionUrl = endpoint
+      ? `postgresql://relight:${encodeURIComponent(newPassword)}@${endpoint.host}:${endpoint.port}/${database}`
+      : null;
+  }
+
+  return { dbToken: newPassword, connectionUrl };
+}
+
+export async function resetDatabase(cfg, name, opts = {}) {
+  if (!opts.connectionUrl) {
+    throw new Error("connectionUrl is required to reset an AWS database.");
+  }
+
+  var client = await connectPg(opts.connectionUrl);
+
+  try {
+    var tablesRes = await client.query(
+      "SELECT tablename FROM pg_tables WHERE schemaname = 'public'"
+    );
+    var tables = tablesRes.rows.map((r) => r.tablename);
+
+    for (var t of tables) {
+      await client.query(`DROP TABLE IF EXISTS "${t}" CASCADE`);
+    }
+
+    return tables;
+  } finally {
+    await client.end();
+  }
+}