sst 2.0.0-rc.29 → 2.0.0-rc.30
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/constructs/Auth.js +2 -2
- package/constructs/EdgeFunction.js +2 -2
- package/constructs/Job.d.ts +1 -1
- package/constructs/Job.js +2 -1
- package/constructs/Secret.js +4 -2
- package/constructs/SsrSite.js +1 -1
- package/constructs/Stack.js +3 -3
- package/constructs/StaticSite.js +1 -1
- package/constructs/deprecated/NextjsSite.js +3 -3
- package/constructs/util/apiGatewayV2Domain.js +11 -2
- package/constructs/util/permission.js +8 -8
- package/package.json +1 -1
package/constructs/Auth.js
CHANGED
|
@@ -67,7 +67,7 @@ export class Auth extends Construct {
|
|
|
67
67
|
},
|
|
68
68
|
permissions: {
|
|
69
69
|
"ssm:GetParameters": [
|
|
70
|
-
`arn:
|
|
70
|
+
`arn:${Stack.of(this).partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, PUBLIC_KEY_PROP)}`
|
|
71
71
|
]
|
|
72
72
|
}
|
|
73
73
|
};
|
|
@@ -117,7 +117,7 @@ export class Auth extends Construct {
|
|
|
117
117
|
actions: ["ssm:GetParameters"],
|
|
118
118
|
effect: Effect.ALLOW,
|
|
119
119
|
resources: [
|
|
120
|
-
`arn:
|
|
120
|
+
`arn:${Stack.of(this).partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, "*")}`
|
|
121
121
|
]
|
|
122
122
|
})
|
|
123
123
|
]);
|
|
@@ -97,7 +97,7 @@ ${exports}
|
|
|
97
97
|
const role = new iam.Role(this.scope, `ServerLambdaRole`, {
|
|
98
98
|
assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("lambda.amazonaws.com"), new iam.ServicePrincipal("edgelambda.amazonaws.com")),
|
|
99
99
|
managedPolicies: [
|
|
100
|
-
iam.ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy",
|
|
100
|
+
iam.ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy", `arn:${Stack.of(this).partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`),
|
|
101
101
|
],
|
|
102
102
|
});
|
|
103
103
|
// Attach permission
|
|
@@ -171,7 +171,7 @@ ${exports}
|
|
|
171
171
|
provider.role?.addToPrincipalPolicy(new iam.PolicyStatement({
|
|
172
172
|
effect: iam.Effect.ALLOW,
|
|
173
173
|
actions: ["s3:*"],
|
|
174
|
-
resources: [`arn:
|
|
174
|
+
resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/${asset.s3ObjectKey}`],
|
|
175
175
|
}));
|
|
176
176
|
// Create custom resource to replace the code
|
|
177
177
|
const resource = new CustomResource(this.scope, resId, {
|
package/constructs/Job.d.ts
CHANGED
package/constructs/Job.js
CHANGED
|
@@ -6,6 +6,7 @@ import { Construct } from "constructs";
|
|
|
6
6
|
import * as iam from "aws-cdk-lib/aws-iam";
|
|
7
7
|
import * as lambda from "aws-cdk-lib/aws-lambda";
|
|
8
8
|
import * as codebuild from "aws-cdk-lib/aws-codebuild";
|
|
9
|
+
import { Stack } from "./Stack.js";
|
|
9
10
|
import { Function } from "./Function.js";
|
|
10
11
|
import { toCdkDuration } from "./util/duration.js";
|
|
11
12
|
import { attachPermissionsToRole } from "./util/permission.js";
|
|
@@ -252,7 +253,7 @@ export class Job extends Construct {
|
|
|
252
253
|
actions: ["s3:*"],
|
|
253
254
|
effect: iam.Effect.ALLOW,
|
|
254
255
|
resources: [
|
|
255
|
-
`arn:
|
|
256
|
+
`arn:${Stack.of(this).partition}:s3:::${codeConfig.s3Location?.bucketName}/${codeConfig.s3Location?.objectKey}`,
|
|
256
257
|
],
|
|
257
258
|
}),
|
|
258
259
|
]);
|
package/constructs/Secret.js
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { Construct } from "constructs";
|
|
2
|
+
import { Stack } from "./Stack.js";
|
|
2
3
|
import { ENVIRONMENT_PLACEHOLDER, getParameterPath, getParameterFallbackPath } from "./util/functionBinding.js";
|
|
3
4
|
/**
|
|
4
5
|
* The `Secret` construct is a higher level CDK construct that makes it easy to manage app secrets.
|
|
@@ -32,6 +33,7 @@ export class Secret extends Construct {
|
|
|
32
33
|
/** @internal */
|
|
33
34
|
getFunctionBinding() {
|
|
34
35
|
const app = this.node.root;
|
|
36
|
+
const partition = Stack.of(this).partition;
|
|
35
37
|
return {
|
|
36
38
|
clientPackage: "config",
|
|
37
39
|
variables: {
|
|
@@ -43,8 +45,8 @@ export class Secret extends Construct {
|
|
|
43
45
|
},
|
|
44
46
|
permissions: {
|
|
45
47
|
"ssm:GetParameters": [
|
|
46
|
-
`arn:
|
|
47
|
-
`arn:
|
|
48
|
+
`arn:${partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, "value")}`,
|
|
49
|
+
`arn:${partition}:ssm:${app.region}:${app.account}:parameter${getParameterFallbackPath(this, "value")}`
|
|
48
50
|
],
|
|
49
51
|
},
|
|
50
52
|
};
|
package/constructs/SsrSite.js
CHANGED
|
@@ -213,7 +213,7 @@ export class SsrSite extends Construct {
|
|
|
213
213
|
},
|
|
214
214
|
permissions: {
|
|
215
215
|
"ssm:GetParameters": [
|
|
216
|
-
`arn:
|
|
216
|
+
`arn:${Stack.of(this).partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, "url")}`,
|
|
217
217
|
],
|
|
218
218
|
},
|
|
219
219
|
};
|
package/constructs/Stack.js
CHANGED
|
@@ -207,10 +207,10 @@ export class Stack extends cdk.Stack {
|
|
|
207
207
|
const app = useApp();
|
|
208
208
|
// Add permissions to migrate SSM paths for secrets
|
|
209
209
|
this.customResourceHandler.addToRolePolicy(new iam.PolicyStatement({
|
|
210
|
-
actions: ["ssm:GetParametersByPath", "ssm:PutParameter"],
|
|
210
|
+
actions: ["ssm:GetParametersByPath", "ssm:PutParameter", "sns:Publish"],
|
|
211
211
|
resources: [
|
|
212
|
-
`arn:
|
|
213
|
-
`arn:
|
|
212
|
+
`arn:${this.partition}1:ssm:${app.region}:${app.account}:parameter/sst/${app.name}/${app.stage}/*`,
|
|
213
|
+
`arn:${this.partition}2:ssm:${app.region}:${app.account}:parameter/sst/${app.name}/.fallback/*`,
|
|
214
214
|
],
|
|
215
215
|
}));
|
|
216
216
|
new cdk.CustomResource(this, "SecretsMigration", {
|
package/constructs/StaticSite.js
CHANGED
|
@@ -161,7 +161,7 @@ export class StaticSite extends Construct {
|
|
|
161
161
|
},
|
|
162
162
|
permissions: {
|
|
163
163
|
"ssm:GetParameters": [
|
|
164
|
-
`arn:
|
|
164
|
+
`arn:${Stack.of(this).partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, "url")}`,
|
|
165
165
|
],
|
|
166
166
|
},
|
|
167
167
|
};
|
|
@@ -253,7 +253,7 @@ export class NextjsSite extends Construct {
|
|
|
253
253
|
},
|
|
254
254
|
permissions: {
|
|
255
255
|
"ssm:GetParameters": [
|
|
256
|
-
`arn:
|
|
256
|
+
`arn:${Stack.of(this).partition}:ssm:${app.region}:${app.account}:parameter${getParameterPath(this, "url")}`,
|
|
257
257
|
],
|
|
258
258
|
},
|
|
259
259
|
};
|
|
@@ -391,7 +391,7 @@ export class NextjsSite extends Construct {
|
|
|
391
391
|
const role = new iam.Role(this, `EdgeLambdaRole`, {
|
|
392
392
|
assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("lambda.amazonaws.com"), new iam.ServicePrincipal("edgelambda.amazonaws.com")),
|
|
393
393
|
managedPolicies: [
|
|
394
|
-
iam.ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy",
|
|
394
|
+
iam.ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy", `arn:${Stack.of(this).partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`),
|
|
395
395
|
],
|
|
396
396
|
});
|
|
397
397
|
// Attach permission
|
|
@@ -473,7 +473,7 @@ export class NextjsSite extends Construct {
|
|
|
473
473
|
provider.role?.addToPrincipalPolicy(new iam.PolicyStatement({
|
|
474
474
|
effect: iam.Effect.ALLOW,
|
|
475
475
|
actions: ["s3:*"],
|
|
476
|
-
resources: [`arn:
|
|
476
|
+
resources: [`arn:${Stack.of(this).partition}:s3:::${asset.s3BucketName}/${asset.s3ObjectKey}`],
|
|
477
477
|
}));
|
|
478
478
|
// Create custom resource
|
|
479
479
|
const resource = new CustomResource(this, resId, {
|
|
@@ -32,7 +32,7 @@ function buildDataForStringInput(scope, customDomain) {
|
|
|
32
32
|
}
|
|
33
33
|
assertDomainNameIsLowerCase(customDomain);
|
|
34
34
|
const domainName = customDomain;
|
|
35
|
-
const hostedZoneDomain = domainName
|
|
35
|
+
const hostedZoneDomain = parseRoute53Domain(domainName);
|
|
36
36
|
const hostedZone = lookupHostedZone(scope, hostedZoneDomain);
|
|
37
37
|
const certificate = createCertificate(scope, domainName, hostedZone);
|
|
38
38
|
const apigDomain = createApigDomain(scope, domainName, certificate);
|
|
@@ -71,7 +71,7 @@ function buildDataForInternalDomainInput(scope, customDomain) {
|
|
|
71
71
|
hostedZone = customDomain.cdk.hostedZone;
|
|
72
72
|
}
|
|
73
73
|
else {
|
|
74
|
-
const hostedZoneDomain = domainName
|
|
74
|
+
const hostedZoneDomain = parseRoute53Domain(domainName);
|
|
75
75
|
hostedZone = lookupHostedZone(scope, hostedZoneDomain);
|
|
76
76
|
}
|
|
77
77
|
// Create certificate
|
|
@@ -199,3 +199,12 @@ function assertDomainNameIsLowerCase(domainName) {
|
|
|
199
199
|
throw new Error(`The domain name needs to be in lowercase`);
|
|
200
200
|
}
|
|
201
201
|
}
|
|
202
|
+
function parseRoute53Domain(domainName) {
|
|
203
|
+
const parts = domainName.split(".");
|
|
204
|
+
// If the domain contains subdomain, ie. api.example.com,
|
|
205
|
+
// strip the subdomain and use the root domain, ie. example.com.
|
|
206
|
+
// Otherwise, use the domain as is.
|
|
207
|
+
return parts.length <= 2
|
|
208
|
+
? domainName
|
|
209
|
+
: parts.slice(1).join(".");
|
|
210
|
+
}
|
|
@@ -85,23 +85,23 @@ function permissionsToStatementsAndGrants(permissions) {
|
|
|
85
85
|
////////////////////////////////////
|
|
86
86
|
else if (permission instanceof Api) {
|
|
87
87
|
const httpApi = permission.cdk.httpApi;
|
|
88
|
-
const { account, region } = Stack.of(httpApi);
|
|
88
|
+
const { account, region, partition } = Stack.of(httpApi);
|
|
89
89
|
statements.push(buildPolicyStatement("execute-api:Invoke", [
|
|
90
|
-
`arn:
|
|
90
|
+
`arn:${partition}:execute-api:${region}:${account}:${httpApi.httpApiId}/*`
|
|
91
91
|
]));
|
|
92
92
|
}
|
|
93
93
|
else if (permission instanceof ApiGatewayV1Api) {
|
|
94
94
|
const restApi = permission.cdk.restApi;
|
|
95
|
-
const { account, region } = Stack.of(restApi);
|
|
95
|
+
const { account, region, partition } = Stack.of(restApi);
|
|
96
96
|
statements.push(buildPolicyStatement("execute-api:Invoke", [
|
|
97
|
-
`arn:
|
|
97
|
+
`arn:${partition}:execute-api:${region}:${account}:${restApi.restApiId}/*`
|
|
98
98
|
]));
|
|
99
99
|
}
|
|
100
100
|
else if (permission instanceof WebSocketApi) {
|
|
101
101
|
const webSocketApi = permission.cdk.webSocketApi;
|
|
102
|
-
const { account, region } = Stack.of(webSocketApi);
|
|
102
|
+
const { account, region, partition } = Stack.of(webSocketApi);
|
|
103
103
|
statements.push(buildPolicyStatement("execute-api:Invoke", [
|
|
104
|
-
`arn:
|
|
104
|
+
`arn:${partition}:execute-api:${region}:${account}:${webSocketApi.apiId}/*`
|
|
105
105
|
]));
|
|
106
106
|
statements.push(buildPolicyStatement("execute-api:ManageConnections", [
|
|
107
107
|
permission._connectionsArn
|
|
@@ -109,9 +109,9 @@ function permissionsToStatementsAndGrants(permissions) {
|
|
|
109
109
|
}
|
|
110
110
|
else if (permission instanceof AppSyncApi) {
|
|
111
111
|
const graphqlApi = permission.cdk.graphqlApi;
|
|
112
|
-
const { account, region } = Stack.of(graphqlApi);
|
|
112
|
+
const { account, region, partition } = Stack.of(graphqlApi);
|
|
113
113
|
statements.push(buildPolicyStatement("appsync:GraphQL", [
|
|
114
|
-
`arn:
|
|
114
|
+
`arn:${partition}:appsync:${region}:${account}:apis/${graphqlApi.apiId}/*`
|
|
115
115
|
]));
|
|
116
116
|
}
|
|
117
117
|
else if (permission instanceof Table) {
|