npm - serverless-plugin-module-registry - Versions diffs - 1.0.8 → 1.0.9 - Mend

serverless-plugin-module-registry 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -540,6 +540,74 @@ Look for `[module-registry]` prefixed logs for plugin-specific information.
 - Policy ARNs resolved at deployment time
 - No runtime AWS API calls for policy management
+## 🔐 Tenant Role Creation
+The module registry provides a utility function to create IAM roles for tenant onboarding with ABAC (Attribute-Based Access Control) tags.
+### Usage
+```typescript
+import { createTenantRoles } from 'serverless-plugin-module-registry/tenant'
+// During tenant onboarding
+const roleArns = await createTenantRoles({
+  tenantId: 'acme',
+  identityPoolId: 'us-east-1:12345678-1234-1234-1234-123456789012',
+  modules: ['sign', 'workforce'],  // Optional: filter to specific modules
+  config: {
+    tableName: 'ModuleRegistry',
+    region: 'us-east-1',
+    policyPrefix: 'api'
+  },
+  logger: {
+    info: (msg, data) => console.log(msg, data),
+    warning: (msg, data) => console.warn(msg, data),
+    error: (msg, err) => console.error(msg, err)
+  }
+})
+console.log(roleArns)
+// {
+//   authenticated: "arn:aws:iam::123456789012:role/api-acme-authenticated",
+//   unauthenticated: "arn:aws:iam::123456789012:role/api-acme-unauthenticated"
+// }
+```
+### What It Does
+1. **Discovers Roles**: Queries DynamoDB to find all role types (authenticated, unauthenticated, admin, etc.)
+2. **Collects Features**: For each role, gathers all module features and builds ABAC tags
+3. **Creates IAM Roles**: Creates roles with proper Cognito trust policies and ABAC tags
+4. **Attaches Policies**: Attaches module ManagedPolicies to roles
+5. **Registers with Cognito**: Attaches roles to the Cognito Identity Pool
+### Role Naming Convention
+Roles follow the pattern: `{policyPrefix}-{tenantId}-{roleType}`
+Examples:
+- `api-acme-authenticated`
+- `api-acme-unauthenticated`
+- `api-acme-admin`
+### ABAC Tags
+Each role is tagged with module features in the format:
+```
+{moduleName}Features: "feature1:feature2:feature3"
+```
+Example tags:
+- `signFeatures`: `"7tmARMbS:BRUBT2SN:F8d3wY_v"`
+- `workforceFeatures`: `"abc123:def456:ghi789"`
+### Idempotency
+The function is idempotent - it can be called multiple times safely:
+- Existing roles are updated with new tags and policies
+- No duplicate roles are created
+- Cognito attachment is updated if needed
 ## 🔒 Security Considerations
 ### IAM Policies
@@ -547,6 +615,7 @@ Look for `[module-registry]` prefixed logs for plugin-specific information.
 - Generated policies follow **least privilege** principle
 - Endpoint-specific resource ARNs (not wildcards)
 - Custom policies allow fine-grained permission control
+- Tenant roles use Cognito Identity Pool trust policies
 ### Access Control

package/dist/index.d.ts CHANGED Viewed

@@ -252,6 +252,43 @@ declare class AIRegistryGenerator {
     private cleanFeatureKey;
 }
+/**
+ * Type definitions for Tenant Role Creation
+ */
+interface RoleSpec {
+    roleName: string;
+    tags: Record<string, string>;
+    policyArns: string[];
+}
+interface CreateTenantRolesParams {
+    tenantId: string;
+    identityPoolId: string;
+    modules?: string[];
+    config: {
+        tableName: string;
+        region: string;
+        policyPrefix: string;
+    };
+    logger: {
+        info: (message: string, data?: any) => void;
+        warning: (message: string, data?: any) => void;
+        error: (message: string, error?: any) => void;
+    };
+}
+interface TenantRoleArns {
+    [roleName: string]: string;
+}
+/**
+ * Tenant Role Creator
+ * Creates IAM roles with ABAC tags and Cognito Identity Pool registration
+ */
+/**
+ * Main function to create tenant IAM roles with ABAC tags
+ */
+declare function createTenantRoles(params: CreateTenantRolesParams): Promise<TenantRoleArns>;
 /**
  * Serverless Module Registry Plugin
  * -------------------------------------------
@@ -413,6 +450,11 @@ declare class ServerlessModuleRegistryPlugin {
      * Ensure DynamoDB table exists using AWS SDK v3, then update registry data
      */
     private ensureTableAndUpdateData;
+    /**
+     * Deploy internal infrastructure (DynamoDB table, Streams, SQS, Lambda processors)
+     * Runs BEFORE main deployment to ensure table exists
+     */
+    private deployInternalInfrastructure;
     /**
      * Handler for the registryGenerate command
      */
@@ -423,4 +465,4 @@ declare class ServerlessModuleRegistryPlugin {
     private generateServicePackageCommand;
 }
-export { AIRegistryGenerator, ServerlessModuleRegistryPlugin, createCustomFeature, createModuleRegistryLogger, ServerlessModuleRegistryPlugin as default, generateAbacTags, generateAllModuleAbacPolicies, generateModuleAbacPolicy, getAllEndpoints, getFeatureById, getFeatureDetails, getModuleFeatures, getModuleMetadata, getNonCustomEndpoints, getRequiredModulePolicyArns, listAllModules };
+export { AIRegistryGenerator, type CreateTenantRolesParams, type RoleSpec, ServerlessModuleRegistryPlugin, type TenantRoleArns, createCustomFeature, createModuleRegistryLogger, createTenantRoles, ServerlessModuleRegistryPlugin as default, generateAbacTags, generateAllModuleAbacPolicies, generateModuleAbacPolicy, getAllEndpoints, getFeatureById, getFeatureDetails, getModuleFeatures, getModuleMetadata, getNonCustomEndpoints, getRequiredModulePolicyArns, listAllModules };