sst 3.0.0 → 3.0.1-1

package/constructs/WebSocketApi.js

@@ -1,404 +0,0 @@
-import { Construct } from "constructs";
-import { CustomResource } from "aws-cdk-lib/core";
-import * as iam from "aws-cdk-lib/aws-iam";
-import * as apig from "@aws-cdk/aws-apigatewayv2-alpha";
-import * as apigAuthorizers from "@aws-cdk/aws-apigatewayv2-authorizers-alpha";
-import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
-import { Stack } from "./Stack.js";
-import { getFunctionRef, isCDKConstruct } from "./Construct.js";
-import { Function as Fn, } from "./Function.js";
-import * as apigV2Domain from "./util/apiGatewayV2Domain.js";
-import * as apigV2AccessLog from "./util/apiGatewayV2AccessLog.js";
-import { WebSocketLambdaIntegration } from "@aws-cdk/aws-apigatewayv2-integrations-alpha/lib/websocket/index.js";
-/////////////////////
-// Construct
-/////////////////////
-/**
- * The `WebSocketApi` construct is a higher level CDK construct that makes it easy to create a WebSocket API.
- *
- * @example
- * ```js
- * import { WebSocketApi } from "sst/constructs";
- *
- * new WebSocketApi(stack, "Api", {
- *   routes: {
- *     $connect: "src/connect.main",
- *     $default: "src/default.main",
- *     $disconnect: "src/disconnect.main",
- *     sendMessage: "src/sendMessage.main",
- *   },
- * });
- * ```
- */
-export class WebSocketApi extends Construct {
-    id;
-    cdk;
-    _customDomainUrl;
-    functions = {};
-    apigRoutes = {};
-    bindingForAllRoutes = [];
-    permissionsAttachedForAllRoutes = [];
-    authorizer;
-    props;
-    constructor(scope, id, props) {
-        super(scope, props?.cdk?.id || id);
-        this.id = id;
-        this.props = props || {};
-        this.cdk = {};
-        this.createWebSocketApi();
-        this.createWebSocketStage();
-        this.addAuthorizer();
-        this.addRoutes(this, this.props.routes || {});
-        // Allows functions to make ApiGatewayManagementApi.postToConnection calls.
-        this.attachPermissions([
-            new iam.PolicyStatement({
-                effect: iam.Effect.ALLOW,
-                actions: ["execute-api:ManageConnections"],
-                resources: [this._connectionsArn],
-            }),
-        ]);
-    }
-    /**
-     * Url of the WebSocket API
-     */
-    get url() {
-        return this.cdk.webSocketStage.url;
-    }
-    /**
-     * Custom domain url if it's configured
-     */
-    get customDomainUrl() {
-        return this._customDomainUrl;
-    }
-    /**
-     * List of routes of the websocket api
-     */
-    get routes() {
-        return Object.keys(this.functions);
-    }
-    get _connectionsArn() {
-        this.cdk.webSocketApi.grantManageConnections;
-        return Stack.of(this).formatArn({
-            service: "execute-api",
-            resourceName: "*/*/@connections/*",
-            resource: this.cdk.webSocketApi.apiId,
-        });
-    }
-    /**
-     * Add routes to an already created WebSocket API
-     *
-     * @example
-     * ```js
-     * api.addRoutes(stack, {
-     *   "$connect": "src/connect.main",
-     * })
-     * ```
-     */
-    addRoutes(scope, routes) {
-        Object.keys(routes).forEach((routeKey) => {
-            this.addRoute(scope, routeKey, routes[routeKey]);
-        });
-    }
-    /**
-     * Get the instance of the internally created Function, for a given route key where the `routeKey` is the key used to define a route. For example, `$connect`.
-     *
-     * @example
-     * ```js
-     * const fn = api.getFunction("$connect");
-     * ```
-     */
-    getFunction(routeKey) {
-        return this.functions[this.normalizeRouteKey(routeKey)];
-    }
-    /**
-     * Get the instance of the internally created Route, for a given route key where the `routeKey` is the key used to define a route. For example, `$connect`.
-     *
-     * @example
-     * ```js
-     * const route = api.getRoute("$connect");
-     * ```
-     */
-    getRoute(routeKey) {
-        return this.apigRoutes[this.normalizeRouteKey(routeKey)];
-    }
-    /**
-     * Binds the given list of resources to all the routes.
-     *
-     * @example
-     *
-     * ```js
-     * api.bind([STRIPE_KEY, bucket]);
-     * ```
-     */
-    bind(constructs) {
-        Object.values(this.functions).forEach((fn) => fn.bind(constructs));
-        this.bindingForAllRoutes.push(...constructs);
-    }
-    /**
-     * Binds the given list of resources to a specific route.
-     *
-     * @example
-     * ```js
-     * api.bindToRoute("$connect", [STRIPE_KEY, bucket]);
-     * ```
-     *
-     */
-    bindToRoute(routeKey, constructs) {
-        const fn = this.getFunction(routeKey);
-        if (!fn) {
-            throw new Error(`Failed to bind resources. Route "${routeKey}" does not exist.`);
-        }
-        fn.bind(constructs);
-    }
-    /**
-     * Attaches the given list of permissions to all the routes. This allows the functions to access other AWS resources.
-     *
-     * @example
-     *
-     * ```js
-     * api.attachPermissions(["s3"]);
-     * ```
-     */
-    attachPermissions(permissions) {
-        Object.values(this.functions).forEach((fn) => fn.attachPermissions(permissions));
-        this.permissionsAttachedForAllRoutes.push(permissions);
-    }
-    /**
-     * Attaches the given list of permissions to a specific route. This allows that function to access other AWS resources.
-     *
-     * @example
-     * ```js
-     * api.attachPermissionsToRoute("$connect", ["s3"]);
-     * ```
-     *
-     */
-    attachPermissionsToRoute(routeKey, permissions) {
-        const fn = this.getFunction(routeKey);
-        if (!fn) {
-            throw new Error(`Failed to attach permissions. Route "${routeKey}" does not exist.`);
-        }
-        fn.attachPermissions(permissions);
-    }
-    getConstructMetadata() {
-        return {
-            type: "WebSocketApi",
-            data: {
-                url: this.url,
-                httpApiId: this.cdk.webSocketApi.apiId,
-                customDomainUrl: this._customDomainUrl,
-                routes: Object.entries(this.functions).map(([routeKey, fn]) => ({
-                    route: routeKey,
-                    fn: getFunctionRef(fn),
-                })),
-            },
-        };
-    }
-    /** @internal */
-    getFunctionBinding() {
-        return {
-            clientPackage: "websocket-api",
-            variables: {
-                url: {
-                    type: "plain",
-                    value: this.customDomainUrl || this.url,
-                },
-                httpsUrl: {
-                    type: "plain",
-                    value: (this.customDomainUrl || this.url).replace("wss://", "https://"),
-                },
-            },
-            permissions: {
-                "execute-api:ManageConnections": [this._connectionsArn],
-            },
-        };
-    }
-    createWebSocketApi() {
-        const { cdk } = this.props;
-        const id = this.node.id;
-        const app = this.node.root;
-        if (isCDKConstruct(cdk?.webSocketApi)) {
-            this.cdk.webSocketApi = cdk?.webSocketApi;
-        }
-        else {
-            // Validate input
-            if (isCDKConstruct(cdk?.webSocketStage)) {
-                throw new Error(`Cannot import the "webSocketStage" when the "webSocketApi" is not imported.`);
-            }
-            const webSocketApiProps = (cdk?.webSocketApi ||
-                {});
-            // Create WebSocket API
-            this.cdk.webSocketApi = new apig.WebSocketApi(this, "Api", {
-                apiName: app.logicalPrefixedName(id),
-                ...webSocketApiProps,
-            });
-        }
-    }
-    createWebSocketStage() {
-        const { cdk, accessLog, customDomain } = this.props;
-        if (isCDKConstruct(cdk?.webSocketStage)) {
-            if (accessLog !== undefined) {
-                throw new Error(`Cannot configure the "accessLog" when "webSocketStage" is a construct`);
-            }
-            if (customDomain !== undefined) {
-                throw new Error(`Cannot configure the "customDomain" when "webSocketStage" is a construct`);
-            }
-            this.cdk.webSocketStage = cdk?.webSocketStage;
-        }
-        else {
-            const webSocketStageProps = (cdk?.webSocketStage ||
-                {});
-            // Validate input
-            if (webSocketStageProps.domainMapping !== undefined) {
-                throw new Error(`Do not configure the "webSocketStage.domainMapping". Use the "customDomain" to configure the Api domain.`);
-            }
-            // Configure Custom Domain
-            const customDomainData = apigV2Domain.buildCustomDomainData(this, customDomain);
-            let domainMapping;
-            if (customDomainData) {
-                if (customDomainData.isApigDomainCreated) {
-                    this.cdk.domainName = customDomainData.apigDomain;
-                }
-                if (customDomainData.isCertificatedCreated) {
-                    this.cdk.certificate =
-                        customDomainData.certificate;
-                }
-                domainMapping = {
-                    domainName: customDomainData.apigDomain,
-                    mappingKey: customDomainData.mappingKey,
-                };
-                this._customDomainUrl = `wss://${customDomainData.url}`;
-            }
-            // Create CloudWatch Role
-            const customResource = this.createCloudWatchRole();
-            // Create stage
-            // note: create the CloudWatch role before creating the Api
-            this.cdk.webSocketStage = new apig.WebSocketStage(this, "Stage", {
-                webSocketApi: this.cdk.webSocketApi,
-                stageName: this.node.root.stage,
-                autoDeploy: true,
-                domainMapping,
-                ...webSocketStageProps,
-            });
-            this.cdk.webSocketStage.node.addDependency(customResource);
-            // Configure Access Log
-            this.cdk.accessLogGroup = apigV2AccessLog.buildAccessLogData(this, accessLog, this.cdk.webSocketStage, true);
-        }
-    }
-    createCloudWatchRole() {
-        const stack = Stack.of(this);
-        const roleName = "apigateway-cloudwatch-logs-role";
-        const roleArn = `arn:${stack.partition}:iam::${stack.account}:role/${roleName}`;
-        const policy = new Policy(this, "APIGatewayCloudWatchRolePolicy", {
-            statements: [
-                new PolicyStatement({
-                    effect: Effect.ALLOW,
-                    actions: ["apigateway:GET", "apigateway:PATCH"],
-                    resources: [
-                        `arn:${stack.partition}:apigateway:${stack.region}::/account`,
-                    ],
-                }),
-                new PolicyStatement({
-                    effect: Effect.ALLOW,
-                    actions: ["iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy"],
-                    resources: [roleArn],
-                }),
-            ],
-        });
-        stack.customResourceHandler.role?.attachInlinePolicy(policy);
-        const resource = new CustomResource(this, "APIGatewayCloudWatchRole", {
-            serviceToken: stack.customResourceHandler.functionArn,
-            resourceType: "Custom::APIGatewayCloudWatchRole",
-            properties: {
-                roleName,
-                roleArn,
-            },
-        });
-        resource.node.addDependency(policy);
-        return resource;
-    }
-    addAuthorizer() {
-        const { authorizer } = this.props;
-        if (!authorizer || authorizer === "none") {
-            this.authorizer = "none";
-        }
-        else if (authorizer === "iam") {
-            this.authorizer = "iam";
-        }
-        else if (authorizer.cdk?.authorizer) {
-            this.authorizer = authorizer.cdk.authorizer;
-        }
-        else if (!authorizer.function) {
-            throw new Error(`Missing "function" for authorizer`);
-        }
-        else {
-            this.authorizer = new apigAuthorizers.WebSocketLambdaAuthorizer("WebSocketAuthorizer", authorizer.function, {
-                authorizerName: authorizer.name,
-                identitySource: authorizer.identitySource,
-            });
-        }
-    }
-    addRoute(scope, routeKey, routeValue) {
-        ///////////////////
-        // Normalize routeKey
-        ///////////////////
-        routeKey = this.normalizeRouteKey(routeKey);
-        if (this.functions[routeKey]) {
-            throw new Error(`A route already exists for "${routeKey}"`);
-        }
-        ///////////////////
-        // Create Function
-        ///////////////////
-        const lambda = Fn.fromDefinition(scope, routeKey, Fn.isInlineDefinition(routeValue) ? routeValue : routeValue.function, this.props.defaults?.function, `The "defaults.function" cannot be applied if an instance of a Function construct is passed in. Make sure to define all the routes using FunctionProps, so the Api construct can apply the "defaults.function" to them.`);
-        ///////////////////
-        // Get authorization
-        ///////////////////
-        const { authorizationType, authorizer } = this.buildRouteAuth();
-        ///////////////////
-        // Create route
-        ///////////////////
-        const route = new apig.WebSocketRoute(scope, `Route_${routeKey}`, {
-            webSocketApi: this.cdk.webSocketApi,
-            routeKey,
-            integration: new WebSocketLambdaIntegration(`Integration_${routeKey}`, lambda),
-            authorizer: routeKey === "$connect" ? authorizer : undefined,
-        });
-        ///////////////////
-        // Configure authorization
-        ///////////////////
-        // Note: as of CDK v1.138.0, aws-apigatewayv2.WebSocketRoute does not
-        //       support IAM authorization type. We need to manually configure it.
-        if (routeKey === "$connect") {
-            // Configure route authorization type
-            // Note: we need to explicitly set `cfnRoute.authorizationType` to `NONE`
-            //       because if it were set to `AWS_IAM`, and then it is removed from
-            //       the CloudFormation template (ie. set to undefined), CloudFormation
-            //       doesn't updates the route. The route's authorizationType would
-            //       still be `AWS_IAM`.
-            const cfnRoute = route.node.defaultChild;
-            cfnRoute.authorizationType = authorizationType;
-        }
-        ///////////////////
-        // Store function
-        ///////////////////
-        this.apigRoutes[routeKey] = route;
-        this.functions[routeKey] = lambda;
-        // attached existing permissions
-        this.permissionsAttachedForAllRoutes.forEach((permissions) => lambda.attachPermissions(permissions));
-        lambda.bind(this.bindingForAllRoutes);
-    }
-    buildRouteAuth() {
-        if (this.authorizer === "none") {
-            return { authorizationType: "NONE" };
-        }
-        else if (this.authorizer === "iam") {
-            return { authorizationType: "AWS_IAM" };
-        }
-        return {
-            authorizationType: "CUSTOM",
-            authorizer: this.authorizer,
-        };
-    }
-    normalizeRouteKey(routeKey) {
-        return routeKey.trim();
-    }
-}

package/constructs/cdk/HttpAwsIntegration.d.ts

@@ -1,32 +0,0 @@
-import { HttpIntegrationSubtype, HttpRouteIntegrationBindOptions, HttpRouteIntegrationConfig, HttpRouteIntegration, ParameterMapping, IntegrationCredentials } from "@aws-cdk/aws-apigatewayv2-alpha";
-/**
- * Properties to initialize a new `HttpProxyIntegration`.
- */
-export interface HttpAwsIntegrationProps {
-    /**
-     * Specifies the AWS service action to invoke
-     */
-    readonly subtype: HttpIntegrationSubtype;
-    /**
-     * Specifies how to transform HTTP requests before sending them to the backend
-     */
-    readonly parameterMapping: ParameterMapping;
-    /**
-     * The credentials with which to invoke the integration.
-     *
-     * @default - no credentials, use resource-based permissions on supported AWS services
-     */
-    readonly credentials: IntegrationCredentials;
-}
-/**
- * The HTTP Proxy integration resource for HTTP API
- */
-export declare class HttpAwsIntegration extends HttpRouteIntegration {
-    private readonly props;
-    /**
-     * @param id id of the underlying integration construct
-     * @param props properties to configure the integration
-     */
-    constructor(id: string, props: HttpAwsIntegrationProps);
-    bind(_: HttpRouteIntegrationBindOptions): HttpRouteIntegrationConfig;
-}

package/constructs/cdk/HttpAwsIntegration.js

@@ -1,24 +0,0 @@
-import { HttpIntegrationType, HttpRouteIntegration, PayloadFormatVersion, } from "@aws-cdk/aws-apigatewayv2-alpha";
-/**
- * The HTTP Proxy integration resource for HTTP API
- */
-export class HttpAwsIntegration extends HttpRouteIntegration {
-    props;
-    /**
-     * @param id id of the underlying integration construct
-     * @param props properties to configure the integration
-     */
-    constructor(id, props) {
-        super(id);
-        this.props = props;
-    }
-    bind(_) {
-        return {
-            payloadFormatVersion: PayloadFormatVersion.VERSION_1_0,
-            type: HttpIntegrationType.AWS_PROXY,
-            subtype: this.props.subtype,
-            parameterMapping: this.props.parameterMapping,
-            credentials: this.props.credentials,
-        };
-    }
-}

package/constructs/cdk/certificate-base.d.ts

@@ -1,18 +0,0 @@
-import { Metric, MetricOptions } from "aws-cdk-lib/aws-cloudwatch";
-import { Resource } from "aws-cdk-lib/core";
-import { ICertificate } from "aws-cdk-lib/aws-certificatemanager";
-/**
- * Shared implementation details of ICertificate implementations.
- *
- * @internal
- */
-export declare abstract class CertificateBase extends Resource implements ICertificate {
-    abstract readonly certificateArn: string;
-    /**
-     * If the certificate is provisionned in a different region than the
-     * containing stack, this should be the region in which the certificate lives
-     * so we can correctly create `Metric` instances.
-     */
-    protected readonly region?: string;
-    metricDaysToExpiry(props?: MetricOptions): Metric;
-}

package/constructs/cdk/certificate-base.js

@@ -1,26 +0,0 @@
-import { Metric, Stats } from "aws-cdk-lib/aws-cloudwatch";
-import { Duration, Resource } from "aws-cdk-lib/core";
-/**
- * Shared implementation details of ICertificate implementations.
- *
- * @internal
- */
-export class CertificateBase extends Resource {
-    /**
-     * If the certificate is provisionned in a different region than the
-     * containing stack, this should be the region in which the certificate lives
-     * so we can correctly create `Metric` instances.
-     */
-    region;
-    metricDaysToExpiry(props) {
-        return new Metric({
-            period: Duration.days(1),
-            ...props,
-            dimensionsMap: { CertificateArn: this.certificateArn },
-            metricName: "DaysToExpiry",
-            namespace: "AWS/CertificateManager",
-            region: this.region,
-            statistic: Stats.MINIMUM,
-        });
-    }
-}

package/constructs/cdk/dns-validated-certificate.d.ts

@@ -1,77 +0,0 @@
-import { Construct } from "constructs";
-import { ITaggable, TagManager, RemovalPolicy } from "aws-cdk-lib/core";
-import { CertificateProps, ICertificate } from "aws-cdk-lib/aws-certificatemanager";
-import * as iam from "aws-cdk-lib/aws-iam";
-import * as route53 from "aws-cdk-lib/aws-route53";
-import { CertificateBase } from "./certificate-base.js";
-/**
- * Properties to create a DNS validated certificate managed by AWS Certificate Manager
- *
- */
-export interface DnsValidatedCertificateProps extends CertificateProps {
-    /**
-     * Route 53 Hosted Zone used to perform DNS validation of the request.  The zone
-     * must be authoritative for the domain name specified in the Certificate Request.
-     */
-    readonly hostedZone: route53.IHostedZone;
-    /**
-     * AWS region that will host the certificate. This is needed especially
-     * for certificates used for CloudFront distributions, which require the region
-     * to be us-east-1.
-     *
-     * @default the region the stack is deployed in.
-     */
-    readonly region?: string;
-    /**
-     * An endpoint of Route53 service, which is not necessary as AWS SDK could figure
-     * out the right endpoints for most regions, but for some regions such as those in
-     * aws-cn partition, the default endpoint is not working now, hence the right endpoint
-     * need to be specified through this prop.
-     *
-     * Route53 is not been officially launched in China, it is only available for AWS
-     * internal accounts now. To make DnsValidatedCertificate work for internal accounts
-     * now, a special endpoint needs to be provided.
-     *
-     * @default - The AWS SDK will determine the Route53 endpoint to use based on region
-     */
-    readonly route53Endpoint?: string;
-    /**
-     * Role to use for the custom resource that creates the validated certificate
-     *
-     * @default - A new role will be created
-     */
-    readonly customResourceRole?: iam.IRole;
-    /**
-     * When set to true, when the DnsValidatedCertificate is deleted,
-     * the associated Route53 validation records are removed.
-     *
-     * CAUTION: If multiple certificates share the same domains (and same validation records),
-     * this can cause the other certificates to fail renewal and/or not validate.
-     * Not recommended for production use.
-     *
-     * @default false
-     */
-    readonly cleanupRoute53Records?: boolean;
-}
-/**
- * A certificate managed by AWS Certificate Manager.  Will be automatically
- * validated using DNS validation against the specified Route 53 hosted zone.
- *
- * @resource AWS::CertificateManager::Certificate
- */
-export declare class DnsValidatedCertificate extends CertificateBase implements ICertificate, ITaggable {
-    readonly certificateArn: string;
-    /**
-     * Resource Tags.
-     * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#cfn-certificatemanager-certificate-tags
-     */
-    readonly tags: TagManager;
-    protected readonly region?: string;
-    private normalizedZoneName;
-    private hostedZoneId;
-    private domainName;
-    private _removalPolicy?;
-    constructor(scope: Construct, id: string, props: DnsValidatedCertificateProps);
-    applyRemovalPolicy(policy: RemovalPolicy): void;
-    private validateDnsValidatedCertificate;
-}