serverless-plugin-module-registry 1.0.12 → 1.0.13

package/src/internal-infrastructure/handlers/custom-stream-enabler.ts

@@ -0,0 +1,163 @@
+/**
+ * Custom CloudFormation Resource Handler for Enabling DynamoDB Streams
+ *
+ * This Lambda function enables DynamoDB Streams on an existing table.
+ * It's invoked by CloudFormation as a custom resource.
+ */
+
+import {
+  DynamoDBClient,
+  DescribeTableCommand,
+  UpdateTableCommand,
+  StreamViewType
+} from '@aws-sdk/client-dynamodb'
+import * as https from 'https'
+import * as url from 'url'
+
+interface CloudFormationCustomResourceEvent {
+  RequestType: 'Create' | 'Update' | 'Delete'
+  ResponseURL: string
+  StackId: string
+  RequestId: string
+  ResourceType: string
+  LogicalResourceId: string
+  PhysicalResourceId?: string
+  ResourceProperties: {
+    ServiceToken: string
+    TableName: string
+    StreamViewType: StreamViewType
+  }
+}
+
+interface CloudFormationContext {
+  logStreamName: string
+}
+
+const client = new DynamoDBClient({
+  maxAttempts: 3,
+  retryMode: 'adaptive'
+})
+
+/**
+ * Send response to CloudFormation
+ */
+async function sendResponse(
+  event: CloudFormationCustomResourceEvent,
+  context: CloudFormationContext,
+  status: 'SUCCESS' | 'FAILED',
+  data?: Record<string, any>,
+  physicalResourceId?: string
+): Promise<void> {
+  const responseBody = JSON.stringify({
+    Status: status,
+    Reason: `See CloudWatch Log Stream: ${context.logStreamName}`,
+    PhysicalResourceId: physicalResourceId || context.logStreamName,
+    StackId: event.StackId,
+    RequestId: event.RequestId,
+    LogicalResourceId: event.LogicalResourceId,
+    Data: data || {}
+  })
+
+  const parsedUrl = url.parse(event.ResponseURL)
+  const options = {
+    hostname: parsedUrl.hostname,
+    port: 443,
+    path: parsedUrl.path,
+    method: 'PUT',
+    headers: {
+      'Content-Type': '',
+      'Content-Length': responseBody.length
+    }
+  }
+
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, () => resolve())
+    req.on('error', reject)
+    req.write(responseBody)
+    req.end()
+  })
+}
+
+/**
+ * Enable DynamoDB Streams on a table (idempotent)
+ */
+async function enableStreams(
+  tableName: string,
+  streamViewType: StreamViewType
+): Promise<string | undefined> {
+  // Check current stream status
+  const describeResult = await client.send(
+    new DescribeTableCommand({ TableName: tableName })
+  )
+
+  const streamEnabled = describeResult.Table?.StreamSpecification?.StreamEnabled
+  const currentStreamArn = describeResult.Table?.LatestStreamArn
+
+  if (streamEnabled) {
+    console.log(`Streams already enabled on table: ${tableName}`)
+    return currentStreamArn
+  }
+
+  console.log(`Enabling streams on table: ${tableName}`)
+
+  // Enable streams
+  await client.send(new UpdateTableCommand({
+    TableName: tableName,
+    StreamSpecification: {
+      StreamEnabled: true,
+      StreamViewType: streamViewType
+    }
+  }))
+
+  // Wait for stream to be created
+  await new Promise(resolve => setTimeout(resolve, 2000))
+
+  // Get updated table info with stream ARN
+  const updatedTable = await client.send(
+    new DescribeTableCommand({ TableName: tableName })
+  )
+
+  return updatedTable.Table?.LatestStreamArn
+}
+
+/**
+ * Lambda handler for Custom CloudFormation Resource
+ */
+export async function handler(
+  event: CloudFormationCustomResourceEvent,
+  context: CloudFormationContext
+): Promise<void> {
+  console.log('Event:', JSON.stringify(event, null, 2))
+
+  try {
+    const { TableName, StreamViewType } = event.ResourceProperties
+    const requestType = event.RequestType
+
+    if (requestType === 'Delete') {
+      // On delete, leave streams enabled for safety
+      console.log('Delete request - leaving streams enabled for safety')
+      await sendResponse(event, context, 'SUCCESS', {}, TableName)
+      return
+    }
+
+    // Create or Update: Enable streams (idempotent)
+    const streamArn = await enableStreams(TableName, StreamViewType)
+
+    await sendResponse(
+      event,
+      context,
+      'SUCCESS',
+      { StreamArn: streamArn },
+      TableName
+    )
+  } catch (error) {
+    console.error('Error enabling streams:', error)
+    await sendResponse(
+      event,
+      context,
+      'FAILED',
+      {},
+      event.PhysicalResourceId
+    )
+  }
+}

package/src/internal-infrastructure/handlers/role-updater.ts

@@ -0,0 +1,402 @@
+import { SQSEvent } from 'aws-lambda'
+import { DynamoDBClient, QueryCommand } from '@aws-sdk/client-dynamodb'
+import {
+  IAMClient,
+  ListRolesCommand,
+  GetRoleCommand,
+  TagRoleCommand,
+  ListAttachedRolePoliciesCommand,
+  AttachRolePolicyCommand,
+  ListPoliciesCommand,
+} from '@aws-sdk/client-iam'
+import { CloudWatchClient, PutMetricDataCommand } from '@aws-sdk/client-cloudwatch'
+import { createLogger } from './shared/logger'
+import { RoleUpdateMessage } from './shared/types'
+
+const logger = createLogger('role-updater')
+
+const dynamoClient = new DynamoDBClient({ maxAttempts: 3, retryMode: 'adaptive' })
+const iamClient = new IAMClient({ maxAttempts: 3, retryMode: 'adaptive' })
+const cloudwatchClient = new CloudWatchClient({})
+
+/**
+ * Parse module and feature from SK
+ * SK Format: MODULE#{moduleName}#FEATURE#{featureId}
+ */
+function parseFeatureId(sk: string): string | null {
+  const parts = sk.split('#')
+  if (parts.length === 4 && parts[0] === 'MODULE' && parts[2] === 'FEATURE') {
+    return parts[3] // Extract featureId
+  }
+  return null
+}
+
+/**
+ * Query DynamoDB for all features assigned to a role+module
+ */
+async function queryRoleFeatures(
+  roleName: string,
+  moduleName: string,
+  tableName: string
+): Promise<string[]> {
+  const result = await dynamoClient.send(new QueryCommand({
+    TableName: tableName,
+    KeyConditionExpression: 'PK = :pk AND begins_with(SK, :sk)',
+    ExpressionAttributeValues: {
+      ':pk': { S: `ROLE#${roleName}` },
+      ':sk': { S: `MODULE#${moduleName}#` },
+    },
+  }))
+
+  if (!result.Items || result.Items.length === 0) {
+    return []
+  }
+
+  const featureIds: string[] = []
+  for (const item of result.Items) {
+    const sk = item.SK?.S || item.sk?.S
+    if (sk) {
+      const featureId = parseFeatureId(sk)
+      if (featureId) {
+        featureIds.push(featureId)
+      }
+    }
+  }
+
+  return featureIds
+}
+
+/**
+ * Build tag value from sorted feature IDs
+ */
+function buildTagValue(featureIds: string[]): string {
+  const sorted = [...featureIds].sort()
+  return sorted.join(':')
+}
+
+/**
+ * List all IAM roles matching the naming pattern: *-{roleType}
+ */
+async function listRolesMatchingPattern(roleType: string): Promise<string[]> {
+  const matchingRoles: string[] = []
+  let marker: string | undefined
+
+  do {
+    const response = await iamClient.send(new ListRolesCommand({ Marker: marker }))
+
+    const matches = response.Roles?.filter(role =>
+      role.RoleName?.includes(`-${roleType}`)
+    ) ?? []
+
+    matchingRoles.push(...matches.map(r => r.RoleName!))
+    marker = response.Marker
+  } while (marker)
+
+  logger.info('Found tenant roles', {
+    roleType,
+    count: matchingRoles.length,
+  })
+
+  return matchingRoles
+}
+
+/**
+ * Update role tags idempotently
+ */
+async function updateRoleTags(
+  roleName: string,
+  tagKey: string,
+  tagValue: string
+): Promise<boolean> {
+  try {
+    // Get current role tags
+    const roleResponse = await iamClient.send(new GetRoleCommand({ RoleName: roleName }))
+    const currentTags = roleResponse.Role?.Tags || []
+
+    // Check if tag already exists with same value
+    const existingTag = currentTags.find(t => t.Key === tagKey)
+    if (existingTag?.Value === tagValue) {
+      logger.info('Tag unchanged, skipping update', { roleName, tagKey })
+      return false // No update needed
+    }
+
+    // Update tag
+    await iamClient.send(new TagRoleCommand({
+      RoleName: roleName,
+      Tags: [{ Key: tagKey, Value: tagValue }],
+    }))
+
+    logger.info('Updated tag', {
+      roleName,
+      tagKey,
+      tagValue,
+      previousValue: existingTag?.Value || 'none',
+    })
+
+    return true // Updated
+  } catch (error) {
+    logger.error('Failed to update role tags', error as Error, { roleName, tagKey })
+    throw error
+  }
+}
+
+/**
+ * Find policy ARN by module name
+ */
+async function findModulePolicy(
+  moduleName: string,
+  policyPrefix?: string,
+  accountId?: string
+): Promise<string | null> {
+  try {
+    let marker: string | undefined
+
+    do {
+      const response = await iamClient.send(new ListPoliciesCommand({
+        Scope: 'Local',
+        Marker: marker,
+      }))
+
+      const matchingPolicy = response.Policies?.find(p =>
+        p.PolicyName?.includes(moduleName)
+      )
+
+      if (matchingPolicy?.Arn) {
+        return matchingPolicy.Arn
+      }
+
+      marker = response.Marker
+    } while (marker)
+
+    // Policy not found - construct expected ARN pattern
+    if (policyPrefix && accountId) {
+      return `arn:aws:iam::${accountId}:policy/${policyPrefix}-${moduleName}`
+    }
+
+    return null
+  } catch (error) {
+    logger.error('Failed to find module policy', error as Error, { moduleName })
+    return null
+  }
+}
+
+/**
+ * Attach policy to role if not already attached
+ */
+async function attachPolicyIfMissing(
+  roleName: string,
+  moduleName: string,
+  policyPrefix?: string,
+  accountId?: string
+): Promise<boolean> {
+  try {
+    // Find the policy ARN
+    const policyArn = await findModulePolicy(moduleName, policyPrefix, accountId)
+    if (!policyArn) {
+      logger.warn('Module policy not found', { roleName, moduleName })
+      return false // Module may not have a policy yet
+    }
+
+    // List attached policies
+    const attachedResponse = await iamClient.send(
+      new ListAttachedRolePoliciesCommand({ RoleName: roleName })
+    )
+    const attachedPolicies = attachedResponse.AttachedPolicies || []
+
+    // Check if policy already attached
+    const hasPolicy = attachedPolicies.some(p => p.PolicyArn === policyArn)
+    if (hasPolicy) {
+      logger.info('Policy already attached', { roleName, moduleName, policyArn })
+      return false // No update needed
+    }
+
+    // Attach policy
+    await iamClient.send(new AttachRolePolicyCommand({
+      RoleName: roleName,
+      PolicyArn: policyArn,
+    }))
+
+    logger.info('Attached policy', { roleName, moduleName, policyArn })
+
+    return true // Attached
+  } catch (error) {
+    logger.error('Failed to attach policy', error as Error, { roleName, moduleName })
+    // Don't throw - policy attachment failure shouldn't block tag updates
+    return false
+  }
+}
+
+/**
+ * Process a single role update message
+ */
+async function processRoleUpdate(
+  message: RoleUpdateMessage,
+  tableName: string,
+  policyPrefix?: string,
+  accountId?: string
+): Promise<void> {
+  const { roleName, moduleName } = message
+
+  logger.info('Processing role update', { roleName, moduleName })
+
+  // Step 1: Query all features for this role+module
+  const featureIds = await queryRoleFeatures(roleName, moduleName, tableName)
+
+  logger.info('Retrieved features', {
+    roleName,
+    moduleName,
+    featureCount: featureIds.length,
+  })
+
+  // Step 2: Build tag value
+  const tagValue = buildTagValue(featureIds)
+  const tagKey = `${moduleName}Features`
+
+  logger.info('Built tag value', { roleName, moduleName, tagKey, tagValue })
+
+  // Step 3: Find all tenant roles matching the role type
+  const tenantRoles = await listRolesMatchingPattern(roleName)
+
+  if (tenantRoles.length === 0) {
+    logger.warn('No tenant roles found', { roleType: roleName })
+    return
+  }
+
+  // Step 4: Update each role
+  let rolesUpdated = 0
+  let policiesAttached = 0
+
+  for (const tenantRole of tenantRoles) {
+    try {
+      // Update tags
+      const tagUpdated = await updateRoleTags(tenantRole, tagKey, tagValue)
+      if (tagUpdated) {
+        rolesUpdated++
+      }
+
+      // Attach policy
+      const policyAttached = await attachPolicyIfMissing(tenantRole, moduleName, policyPrefix, accountId)
+      if (policyAttached) {
+        policiesAttached++
+      }
+    } catch (error) {
+      logger.error('Failed to update tenant role', error as Error, {
+        tenantRole,
+        roleName,
+        moduleName,
+      })
+      // Continue processing other roles
+    }
+  }
+
+  logger.info('Completed role update', {
+    roleName,
+    moduleName,
+    totalRoles: tenantRoles.length,
+    rolesUpdated,
+    policiesAttached,
+  })
+}
+
+/**
+ * Publish CloudWatch metrics
+ */
+async function publishMetrics(
+  messagesProcessed: number,
+  rolesUpdated: number,
+  errors: number,
+  duration: number
+): Promise<void> {
+  try {
+    await cloudwatchClient.send(new PutMetricDataCommand({
+      Namespace: 'ModuleRegistry/RoleAutomation',
+      MetricData: [
+        {
+          MetricName: 'SQSMessagesProcessed',
+          Value: messagesProcessed,
+          Unit: 'Count',
+          Timestamp: new Date(),
+        },
+        {
+          MetricName: 'RoleUpdatesProcessed',
+          Value: rolesUpdated,
+          Unit: 'Count',
+          Timestamp: new Date(),
+        },
+        {
+          MetricName: 'Errors',
+          Value: errors,
+          Unit: 'Count',
+          Timestamp: new Date(),
+        },
+        {
+          MetricName: 'ProcessingDuration',
+          Value: duration,
+          Unit: 'Milliseconds',
+          Timestamp: new Date(),
+        },
+      ],
+    }))
+  } catch (error) {
+    logger.error('Failed to publish metrics', error as Error)
+    // Don't throw - metric failure shouldn't fail the Lambda
+  }
+}
+
+/**
+ * Main Lambda handler for processing SQS messages
+ */
+export async function handler(event: SQSEvent): Promise<void> {
+  const startTime = Date.now()
+  let messagesProcessed = 0
+  let errors = 0
+
+  const DYNAMODB_TABLE_NAME = process.env.DYNAMODB_TABLE_NAME
+  const POLICY_PREFIX = process.env.POLICY_PREFIX
+  const AWS_ACCOUNT_ID = process.env.AWS_ACCOUNT_ID
+
+  logger.info('Processing SQS event', {
+    messageCount: event.Records.length,
+  })
+
+  if (!DYNAMODB_TABLE_NAME) {
+    logger.error('DYNAMODB_TABLE_NAME environment variable not set')
+    throw new Error('DYNAMODB_TABLE_NAME environment variable not set')
+  }
+
+  // Process each SQS message
+  for (const record of event.Records) {
+    try {
+      const message: RoleUpdateMessage = JSON.parse(record.body)
+
+      await processRoleUpdate(message, DYNAMODB_TABLE_NAME, POLICY_PREFIX, AWS_ACCOUNT_ID)
+
+      messagesProcessed++
+    } catch (error) {
+      errors++
+      logger.error('Failed to process SQS message', error as Error, {
+        messageId: record.messageId,
+      })
+      // Continue processing other messages
+      // Failed messages will stay in queue and retry via SQS visibility timeout
+    }
+  }
+
+  const duration = Date.now() - startTime
+
+  // Publish metrics
+  await publishMetrics(messagesProcessed, messagesProcessed, errors, duration)
+
+  logger.info('Completed SQS processing', {
+    totalMessages: event.Records.length,
+    messagesProcessed,
+    errors,
+    duration,
+  })
+
+  // If there were errors, log them but don't throw
+  // SQS will handle retries for failed messages
+  if (errors > 0) {
+    logger.warn('Some messages failed processing', { errors })
+  }
+}

package/src/internal-infrastructure/handlers/shared/logger.ts

@@ -0,0 +1,48 @@
+/**
+ * Structured logger for Lambda functions
+ * Outputs JSON for CloudWatch Logs Insights queries
+ */
+
+export interface LogMetadata {
+  [key: string]: string | number | boolean | undefined;
+}
+
+export interface Logger {
+  info: (_message: string, _metadata?: LogMetadata) => void;
+  error: (_message: string, _error?: Error, _metadata?: LogMetadata) => void;
+  warn: (_message: string, _metadata?: LogMetadata) => void;
+}
+
+export function createLogger(context: string): Logger {
+  return {
+    info: (message: string, metadata?: LogMetadata) => {
+      console.log(JSON.stringify({
+        level: 'INFO',
+        context,
+        message,
+        timestamp: new Date().toISOString(),
+        ...metadata,
+      }))
+    },
+    error: (message: string, error?: Error, metadata?: LogMetadata) => {
+      console.error(JSON.stringify({
+        level: 'ERROR',
+        context,
+        message,
+        error: error?.message,
+        stack: error?.stack,
+        timestamp: new Date().toISOString(),
+        ...metadata,
+      }))
+    },
+    warn: (message: string, metadata?: LogMetadata) => {
+      console.warn(JSON.stringify({
+        level: 'WARN',
+        context,
+        message,
+        timestamp: new Date().toISOString(),
+        ...metadata,
+      }))
+    },
+  }
+}

package/src/internal-infrastructure/handlers/shared/types.ts

@@ -0,0 +1,31 @@
+/**
+ * Shared types for Lambda handlers
+ */
+
+/**
+ * Message payload for SQS queue
+ */
+export interface RoleUpdateMessage {
+  roleName: string;       // e.g., "authenticated"
+  moduleName: string;     // e.g., "sign"
+  eventType: 'INSERT' | 'MODIFY' | 'REMOVE';
+  timestamp: string;
+}
+
+/**
+ * Parsed module and feature from DynamoDB SK
+ */
+export interface ModuleFeature {
+  moduleName: string;
+  featureId: string;
+}
+
+/**
+ * Feature change event payload for EventBridge
+ */
+export interface FeatureChangeEvent {
+  moduleName: string;      // e.g., "public"
+  featureId: string;       // e.g., "abc123"
+  eventType: 'INSERT' | 'MODIFY' | 'REMOVE';
+  timestamp: string;       // ISO 8601
+}