terruvim-core-test 0.0.1

package/dist/src/factories/albFactory.js

@@ -0,0 +1,331 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AlbFactory = void 0;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const resourceFactory_1 = require("./resourceFactory");
+const buildAlbCloudWatchAlarmsHelper_1 = require("./buildAlbCloudWatchAlarmsHelper");
+const buildAlbCloudWatchDashboardHelper_1 = require("./buildAlbCloudWatchDashboardHelper");
+const buildAlbResourceHelper_1 = require("./buildAlbResourceHelper");
+const buildAlbListenersHelper_1 = require("./buildAlbListenersHelper");
+const buildAlbTargetGroupsHelper_1 = require("./buildAlbTargetGroupsHelper");
+const buildAlbListenerRulesHelper_1 = require("./buildAlbListenerRulesHelper");
+const buildAlbWafAssociationHelper_1 = require("./buildAlbWafAssociationHelper");
+const buildAlbRoute53RecordHelper_1 = require("./buildAlbRoute53RecordHelper");
+const wafFactory_1 = require("./wafFactory");
+class AlbFactory extends resourceFactory_1.ResourceFactory {
+    static supportsProviderRegistry = true;
+    async createResource(config, provider, providerRegistry = {}) {
+        const { vpcId, subnetIds, sgId, route53Provider } = config.inputs;
+        const getRoute53Provider = () => {
+            let selectedProvider;
+            if (!route53Provider)
+                selectedProvider = provider;
+            else if (typeof route53Provider === "object" && route53Provider !== null)
+                selectedProvider = route53Provider;
+            else if (typeof route53Provider === "string" && providerRegistry && providerRegistry[route53Provider])
+                selectedProvider = providerRegistry[route53Provider];
+            else {
+                throw new Error(`route53Provider='${route53Provider}' is not found in providerRegistry. Available keys: ${Object.keys(providerRegistry).join(", ")}. Must be an aws.Provider object or a valid provider name string for cross-account Route53 access.`);
+            }
+            return selectedProvider;
+        };
+        const { certificateArn, domain, hostedZoneId, monitoring, accessLogs, waf, targetGroups, listenerRules, securityEnhancements, tags, deletionProtection, crossZone, dualstack, enableCertProvisioning } = config.configuration || {};
+        if (!sgId) {
+            throw new Error("ALB requires sgId (security group id) to be provided in inputs");
+        }
+        const alb = (0, buildAlbResourceHelper_1.buildAlbResourceHelper)({
+            name: `${config.meta.environment}-${config.id}`,
+            vpcId,
+            subnetIds,
+            sgId,
+            accessLogs,
+            deletionProtection,
+            crossZone,
+            dualstack,
+            tags,
+            provider
+        });
+        let wafAssoc;
+        let effectiveWafArn = waf?.wafArn;
+        if (waf && waf.enabled && (!effectiveWafArn || waf.wafConfig?.enabled)) {
+            const wafName = `${config.meta.environment}-${config.id}-alb-waf`;
+            let wafConfig;
+            if (waf.wafConfig?.customConfig) {
+                wafConfig = {
+                    name: wafName,
+                    scope: "REGIONAL",
+                    defaultAction: "allow",
+                    ...waf.wafConfig.customConfig,
+                };
+            }
+            else if (waf.wafConfig?.useSecureDefaults !== false) {
+                wafConfig = wafFactory_1.WafFactory.createSecureWafConfig(wafName, "REGIONAL");
+                if (waf.wafConfig?.rateLimiting) {
+                    wafConfig.rateLimiting = waf.wafConfig.rateLimiting;
+                }
+                if (waf.wafConfig?.ipRestrictions) {
+                    wafConfig.ipRestrictions = waf.wafConfig.ipRestrictions;
+                }
+                if (waf.wafConfig?.geoRestrictions) {
+                    wafConfig.geoRestrictions = waf.wafConfig.geoRestrictions;
+                }
+                if (waf.wafConfig?.managedRuleGroups) {
+                    const managedRules = waf.wafConfig.managedRuleGroups;
+                    wafConfig.managedRuleGroups = [];
+                    if (managedRules.enableCommonRules !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesCommonRuleSet",
+                            vendorName: "AWS",
+                            priority: 10,
+                            overrideAction: "count",
+                        });
+                    }
+                    if (managedRules.enableKnownBadInputs !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesKnownBadInputsRuleSet",
+                            vendorName: "AWS",
+                            priority: 20,
+                            overrideAction: "count",
+                        });
+                    }
+                    if (managedRules.enableSQLInjection !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesSQLiRuleSet",
+                            vendorName: "AWS",
+                            priority: 30,
+                            overrideAction: "count",
+                        });
+                    }
+                    if (managedRules.enableLinuxRules !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesLinuxRuleSet",
+                            vendorName: "AWS",
+                            priority: 40,
+                            overrideAction: "count",
+                        });
+                    }
+                    if (managedRules.enableIpReputation !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesAmazonIpReputationList",
+                            vendorName: "AWS",
+                            priority: 50,
+                            overrideAction: "count",
+                        });
+                    }
+                    if (managedRules.enableAnonymousIp !== false) {
+                        wafConfig.managedRuleGroups.push({
+                            name: "AWSManagedRulesAnonymousIpList",
+                            vendorName: "AWS",
+                            priority: 60,
+                            overrideAction: "count",
+                        });
+                    }
+                }
+                if (waf.wafConfig?.customRules?.length) {
+                    wafConfig.customRegexRules = waf.wafConfig.customRules.map(rule => ({
+                        name: rule.name,
+                        priority: rule.priority,
+                        regex: rule.regex || "/.*",
+                        action: rule.action,
+                        fieldToMatch: { type: "uri" },
+                    }));
+                }
+                if (waf.wafConfig?.logging) {
+                    wafConfig.logging = waf.wafConfig.logging;
+                }
+            }
+            else {
+                wafConfig = {
+                    name: wafName,
+                    scope: "REGIONAL",
+                    description: `WAF for ALB ${config.meta.environment}-${config.id}`,
+                    defaultAction: "allow",
+                    rateLimiting: {
+                        enabled: true,
+                        limit: 2000,
+                        action: "block",
+                    },
+                    visibilityConfig: {
+                        cloudwatchMetricsEnabled: true,
+                        sampledRequestsEnabled: true,
+                    },
+                    tags: tags,
+                };
+            }
+            const createdWaf = wafFactory_1.WafFactory.createWaf(wafConfig, provider);
+            effectiveWafArn = createdWaf.arn;
+        }
+        if (waf && waf.enabled && effectiveWafArn) {
+            wafAssoc = (0, buildAlbWafAssociationHelper_1.buildAlbWafAssociationHelper)(`${config.meta.environment}-${config.id}`, alb.arn, effectiveWafArn, provider);
+        }
+        let effectiveCertificateArn = certificateArn;
+        let acmCert, acmValidationRecord, certValidation;
+        if ((!certificateArn || certificateArn === "") && enableCertProvisioning && domain && hostedZoneId) {
+            const acmProvider = provider;
+            acmCert = new aws.acm.Certificate(`${config.meta.environment}-${config.id}-cert`, {
+                domainName: domain,
+                validationMethod: "DNS",
+                tags,
+            }, { provider: acmProvider });
+            acmValidationRecord = pulumi.all([acmCert.domainValidationOptions]).apply(([options]) => {
+                if (!options || options.length === 0)
+                    return undefined;
+                const opt = options[0];
+                return new aws.route53.Record(`${config.meta.environment}-${config.id}-acm-validation`, {
+                    name: opt.resourceRecordName,
+                    zoneId: hostedZoneId,
+                    type: opt.resourceRecordType,
+                    records: [opt.resourceRecordValue],
+                    ttl: 300,
+                }, { provider: getRoute53Provider() });
+            });
+            certValidation = pulumi.all([acmCert.arn, acmCert.domainValidationOptions]).apply(([arn, options]) => {
+                const fqdns = options && options.length > 0 ? [options[0].resourceRecordName] : [];
+                return new aws.acm.CertificateValidation(`${config.meta.environment}-${config.id}-cert-validation`, {
+                    certificateArn: arn,
+                    validationRecordFqdns: fqdns,
+                }, { provider: acmProvider });
+            });
+            effectiveCertificateArn = certValidation.apply(v => v.certificateArn);
+        }
+        if (!effectiveCertificateArn) {
+            throw new Error("certificateArn is required for HTTPS listener and downstream rules");
+        }
+        const { httpsListener, httpListener: albListener } = (0, buildAlbListenersHelper_1.buildAlbListenersHelper)({
+            name: `${config.meta.environment}-${config.id}`,
+            albArn: alb.arn,
+            certificateArn: effectiveCertificateArn,
+            tlsPolicy: securityEnhancements?.tlsPolicy,
+            provider
+        });
+        let createdTargetGroups = [];
+        if (targetGroups && targetGroups.length > 0) {
+            createdTargetGroups = (0, buildAlbTargetGroupsHelper_1.buildAlbTargetGroupsHelper)({
+                name: `${config.meta.environment}-${config.id}`,
+                vpcId,
+                targetGroups,
+                provider
+            });
+        }
+        let createdListenerRules = [];
+        if (listenerRules && listenerRules.length > 0) {
+            createdListenerRules = (0, buildAlbListenerRulesHelper_1.buildAlbListenerRulesHelper)({
+                name: `${config.meta.environment}-${config.id}`,
+                listenerArn: httpsListener.arn,
+                rules: listenerRules,
+                provider
+            });
+        }
+        let monitoringResources;
+        let dashboardResource;
+        if (monitoring?.enabled) {
+            monitoringResources = (0, buildAlbCloudWatchAlarmsHelper_1.buildAlbCloudWatchAlarmsHelper)(`${config.meta.environment}-${config.id}`, {
+                albArn: alb.arn,
+                alarmActions: monitoring.alarms?.map(a => a.alarmActionArn),
+                okActions: monitoring.alarms?.map(a => a.okActionArn),
+                tags,
+            });
+            if (monitoring.dashboard) {
+                dashboardResource = (0, buildAlbCloudWatchDashboardHelper_1.buildAlbCloudWatchDashboardHelper)(`${config.meta.environment}-${config.id}`, {
+                    albArn: alb.arn,
+                    albDnsName: alb.dnsName,
+                    tags,
+                });
+            }
+        }
+        let record;
+        if (domain && hostedZoneId) {
+            record = (0, buildAlbRoute53RecordHelper_1.buildAlbRoute53RecordHelper)(`${config.meta.environment}-${config.id}`, domain, hostedZoneId, alb.dnsName, alb.zoneId, getRoute53Provider());
+        }
+        return { alb, albListener, httpsListener, createdTargetGroups, createdListenerRules, wafAssoc, monitoringResources, dashboardResource };
+    }
+    getOutputs(resource) {
+        return {
+            arn: resource.alb.arn,
+            name: resource.alb.name,
+            dnsName: resource.alb.dnsName,
+            sgId: resource.alb.securityGroups[0],
+            listenerArn: resource.httpsListener ? resource.httpsListener.arn : resource.albListener.arn,
+            httpsListenerArn: resource.httpsListener?.arn || pulumi.output(""),
+            targetGroupArn: resource.createdTargetGroups?.[0]?.arn || pulumi.output(undefined),
+        };
+    }
+    validateConfig(config) {
+        if (!config.id) {
+            throw new Error("ALB config must include id");
+        }
+        if (!config.inputs?.vpcId) {
+            throw new Error("ALB config must include vpcId in inputs");
+        }
+        if (!config.inputs?.subnetIds || config.inputs.subnetIds.length < 2) {
+            throw new Error("ALB config must include at least two subnetIds in inputs");
+        }
+        if (!config.inputs?.sgId) {
+            throw new Error("ALB config must include sgId in inputs");
+        }
+        const certArn = config.configuration?.certificateArn;
+        const enableCertProvisioning = config.configuration?.enableCertProvisioning;
+        const domain = config.configuration?.domain;
+        const hostedZoneId = config.configuration?.hostedZoneId;
+        if (!certArn && !(enableCertProvisioning && domain && hostedZoneId)) {
+            throw new Error("certificateArn is required for HTTPS listener unless ACM automation is enabled and domain/hostedZoneId are set");
+        }
+        if (config.configuration?.accessLogs?.enabled && !config.configuration.accessLogs.bucketArn) {
+            throw new Error("accessLogs.enabled=true requires bucketArn");
+        }
+        if (config.configuration?.waf?.enabled) {
+            if (!config.configuration.waf.wafArn && !config.configuration.waf.wafConfig) {
+                throw new Error("waf.enabled=true requires either wafArn or wafConfig");
+            }
+        }
+        if (config.configuration?.targetGroups) {
+            for (const tg of config.configuration.targetGroups) {
+                if (!tg.name || !tg.port || !tg.protocol) {
+                    throw new Error("Each targetGroup must have name, port, and protocol");
+                }
+            }
+        }
+        if (config.configuration?.listenerRules) {
+            for (const rule of config.configuration.listenerRules) {
+                if (!rule.priority || !rule.conditions || !rule.actions) {
+                    throw new Error("Each listenerRule must have priority, conditions, and actions");
+                }
+            }
+        }
+    }
+}
+exports.AlbFactory = AlbFactory;

package/dist/src/factories/attachSecretAccessPolicy.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachSecretAccessPolicy = attachSecretAccessPolicy;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+function attachSecretAccessPolicy(params) {
+    return new aws.iam.RolePolicy(`${params.name}-secrets-policy`, {
+        role: params.role.id,
+        policy: pulumi.all([params.secretArn]).apply(([secretArn]) => JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "secretsmanager:GetSecretValue",
+                        "secretsmanager:DescribeSecret"
+                    ],
+                    Resource: secretArn,
+                },
+            ],
+        })),
+    });
+}