serverless-plugin-module-registry 1.0.9-alpha.0 → 1.0.10-alpha.0

package/README.md

@@ -540,6 +540,74 @@ Look for `[module-registry]` prefixed logs for plugin-specific information.
 - Policy ARNs resolved at deployment time
 - No runtime AWS API calls for policy management
 
+## 🔐 Tenant Role Creation
+
+The module registry provides a utility function to create IAM roles for tenant onboarding with ABAC (Attribute-Based Access Control) tags.
+
+### Usage
+
+```typescript
+import { createTenantRoles } from 'serverless-plugin-module-registry/tenant'
+
+// During tenant onboarding
+const roleArns = await createTenantRoles({
+  tenantId: 'acme',
+  identityPoolId: 'us-east-1:12345678-1234-1234-1234-123456789012',
+  modules: ['sign', 'workforce'],  // Optional: filter to specific modules
+  config: {
+    tableName: 'ModuleRegistry',
+    region: 'us-east-1',
+    policyPrefix: 'api'
+  },
+  logger: {
+    info: (msg, data) => console.log(msg, data),
+    warning: (msg, data) => console.warn(msg, data),
+    error: (msg, err) => console.error(msg, err)
+  }
+})
+
+console.log(roleArns)
+// {
+//   authenticated: "arn:aws:iam::123456789012:role/api-acme-authenticated",
+//   unauthenticated: "arn:aws:iam::123456789012:role/api-acme-unauthenticated"
+// }
+```
+
+### What It Does
+
+1. **Discovers Roles**: Queries DynamoDB to find all role types (authenticated, unauthenticated, admin, etc.)
+2. **Collects Features**: For each role, gathers all module features and builds ABAC tags
+3. **Creates IAM Roles**: Creates roles with proper Cognito trust policies and ABAC tags
+4. **Attaches Policies**: Attaches module ManagedPolicies to roles
+5. **Registers with Cognito**: Attaches roles to the Cognito Identity Pool
+
+### Role Naming Convention
+
+Roles follow the pattern: `{policyPrefix}-{tenantId}-{roleType}`
+
+Examples:
+- `api-acme-authenticated`
+- `api-acme-unauthenticated`
+- `api-acme-admin`
+
+### ABAC Tags
+
+Each role is tagged with module features in the format:
+```
+{moduleName}Features: "feature1:feature2:feature3"
+```
+
+Example tags:
+- `signFeatures`: `"7tmARMbS:BRUBT2SN:F8d3wY_v"`
+- `workforceFeatures`: `"abc123:def456:ghi789"`
+
+### Idempotency
+
+The function is idempotent - it can be called multiple times safely:
+- Existing roles are updated with new tags and policies
+- No duplicate roles are created
+- Cognito attachment is updated if needed
+
 ## 🔒 Security Considerations
 
 ### IAM Policies
@@ -547,6 +615,7 @@ Look for `[module-registry]` prefixed logs for plugin-specific information.
 - Generated policies follow **least privilege** principle
 - Endpoint-specific resource ARNs (not wildcards)
 - Custom policies allow fine-grained permission control
+- Tenant roles use Cognito Identity Pool trust policies
 
 ### Access Control
 

package/dist/index.d.ts

@@ -155,7 +155,9 @@ declare function generateAbacTags(
 declare function getRequiredModulePolicyArns(
   selectedFeatures: SelectedFeature[], 
   accountId: string,
-  policyPrefix: string
+  service: string,
+  stage: string,
+  region: string
 ): Promise<string[]>
 
 /**
@@ -171,9 +173,9 @@ declare function createModuleRegistryLogger(context: string): {
  * AI-powered Registry Generation
  */
 interface Logger {
-    info: (message: string) => void;
-    warning: (message: string) => void;
-    error: (message: string) => void;
+    info: (_message: string) => void;
+    warning: (_message: string) => void;
+    error: (_message: string) => void;
 }
 interface FunctionAnalysis {
     handler: string;
@@ -252,6 +254,43 @@ declare class AIRegistryGenerator {
     private cleanFeatureKey;
 }
 
+/**
+ * Type definitions for Tenant Role Creation
+ */
+interface RoleSpec {
+    roleName: string;
+    tags: Record<string, string>;
+    policyArns: string[];
+}
+interface CreateTenantRolesParams {
+    tenantId: string;
+    identityPoolId: string;
+    modules?: string[];
+    config: {
+        tableName: string;
+        region: string;
+        policyPrefix: string;
+    };
+    logger: {
+        info: (_message: string, _data?: any) => void;
+        warning: (_message: string, _data?: any) => void;
+        error: (_message: string, _error?: any) => void;
+    };
+}
+interface TenantRoleArns {
+    [roleName: string]: string;
+}
+
+/**
+ * Tenant Role Creator
+ * Creates IAM roles with ABAC tags and Cognito Identity Pool registration
+ */
+
+/**
+ * Main function to create tenant IAM roles with ABAC tags
+ */
+declare function createTenantRoles(params: CreateTenantRolesParams): Promise<TenantRoleArns>;
+
 /**
  * Serverless Module Registry Plugin
  * -------------------------------------------
@@ -413,6 +452,11 @@ declare class ServerlessModuleRegistryPlugin {
      * Ensure DynamoDB table exists using AWS SDK v3, then update registry data
      */
     private ensureTableAndUpdateData;
+    /**
+     * Deploy internal infrastructure (DynamoDB table, Streams, SQS, Lambda processors)
+     * Runs BEFORE main deployment to ensure table exists
+     */
+    private deployInternalInfrastructure;
     /**
      * Handler for the registryGenerate command
      */
@@ -423,4 +467,4 @@ declare class ServerlessModuleRegistryPlugin {
     private generateServicePackageCommand;
 }
 
-export { AIRegistryGenerator, ServerlessModuleRegistryPlugin, createCustomFeature, createModuleRegistryLogger, ServerlessModuleRegistryPlugin as default, generateAbacTags, generateAllModuleAbacPolicies, generateModuleAbacPolicy, getAllEndpoints, getFeatureById, getFeatureDetails, getModuleFeatures, getModuleMetadata, getNonCustomEndpoints, getRequiredModulePolicyArns, listAllModules };
+export { AIRegistryGenerator, type CreateTenantRolesParams, type RoleSpec, ServerlessModuleRegistryPlugin, type TenantRoleArns, createCustomFeature, createModuleRegistryLogger, createTenantRoles, ServerlessModuleRegistryPlugin as default, generateAbacTags, generateAllModuleAbacPolicies, generateModuleAbacPolicy, getAllEndpoints, getFeatureById, getFeatureDetails, getModuleFeatures, getModuleMetadata, getNonCustomEndpoints, getRequiredModulePolicyArns, listAllModules };