feat: formless

.projenrc.js

@@ -8,8 +8,14 @@ const project = new typescript.TypeScriptProject({
   deps: [
     "@aws-sdk/client-cloudcontrol",
     "@aws-sdk/client-ssm",
+    "@aws-sdk/client-eventbridge",
+    "@aws-sdk/client-iam",
+    "@aws-sdk/client-sts",
+    "@aws-sdk/client-sqs",
     "fast-json-patch",
     "immutable",
+    "cdk-assets",
+    "aws-sdk",
   ],
   devDeps: ["@types/immutable", "ts-node"],
   eslintOptions: {
@@ -18,6 +24,9 @@ const project = new typescript.TypeScriptProject({
   releaseToNpm: true,
   docgen: true,
   gitignore: [".DS_Store"],
+  tsconfig: {
+    compilerOptions: { target: "es2020", lib: ["es2020"] },
+  },
 });
 
 project.synth();

.vscode/settings.json

@@ -18,7 +18,11 @@
   "[markdown]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode",
     "editor.formatOnSave": true,
-    "editor.quickSuggestions": true,
+    "editor.quickSuggestions": {
+      "comments": "on",
+      "strings": "on",
+      "other": "on"
+    },
     "editor.suggest.showReferences": true,
     "editor.wordWrap": "on"
   },

README.md

@@ -1,10 +1,10 @@
 # node-cfn
 
-This is a toy-implementation of the AWS CloudFormation deployment engine in TypeScript and Node-JS. It was built as an experiment to better underestand why CloudFormation is so slow and to also experiment locally with new features.
+This is a toy-implementation of the AWS CloudFormation deployment engine in TypeScript and Node-JS. It was built as an experiment to better understand why CloudFormation is so slow and to also experiment locally with new features.
 
 It is built on top of the [AWS Cloud Control API](https://aws.amazon.com/cloudcontrolapi/) and thus only supports the [resources that are supported by the Cloud Control API](https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html).
 
-The most important missing feature right now is Rollbacks, so this tool should not be considered useful for any type of production service. The hope is that it can become a playground for CloudFormation enhancements and to stand as a performance benchmark for the official AWS CloudFormation sevice. I dream of the day when CloudFormation is as fast as Terraform and Pulumi's provisioning engines.
+The most important missing feature right now is Rollbacks, so this tool should not be considered useful for any type of production service. The hope is that it can become a playground for CloudFormation enhancements and to stand as a performance benchmark for the official AWS CloudFormation service. I dream of the day when CloudFormation is as fast as Terraform and Pulumi's provisioning engines.
 
 ## Supported Features
 
@@ -14,6 +14,7 @@ The most important missing feature right now is Rollbacks, so this tool should n
 - [x] Intrinsic Functions (`Ref`, `!Ref`, `Fn::GetAtt`, `Fn::Join`, `Fn::Split`, `Fn::Select`, `Fn::FindInMap`, `Fn::Sub`, etc.)
 - [ ] Rollbacks on failure
 - [ ] Outputs and cross-stack references
+- [ ] Assets
 
 ## Usage
 

docs/index.html

@@ -61,9 +61,9 @@ <h1>node-cfn</h1>
 				<a href="#node-cfn" id="node-cfn" style="color: inherit; text-decoration: none;">
 					<h1>node-cfn</h1>
 				</a>
-				<p>This is a toy-implementation of the AWS CloudFormation deployment engine in TypeScript and Node-JS. It was built as an experiment to better underestand why CloudFormation is so slow and to also experiment locally with new features.</p>
+				<p>This is a toy-implementation of the AWS CloudFormation deployment engine in TypeScript and Node-JS. It was built as an experiment to better understand why CloudFormation is so slow and to also experiment locally with new features.</p>
 				<p>It is built on top of the <a href="https://aws.amazon.com/cloudcontrolapi/">AWS Cloud Control API</a> and thus only supports the <a href="https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html">resources that are supported by the Cloud Control API</a>.</p>
-				<p>The most important missing feature right now is Rollbacks, so this tool should not be considered useful for any type of production service. The hope is that it can become a playground for CloudFormation enhancements and to stand as a performance benchmark for the official AWS CloudFormation sevice. I dream of the day when CloudFormation is as fast as Terraform and Pulumi&#39;s provisioning engines.</p>
+				<p>The most important missing feature right now is Rollbacks, so this tool should not be considered useful for any type of production service. The hope is that it can become a playground for CloudFormation enhancements and to stand as a performance benchmark for the official AWS CloudFormation service. I dream of the day when CloudFormation is as fast as Terraform and Pulumi&#39;s provisioning engines.</p>
 				<a href="#supported-features" id="supported-features" style="color: inherit; text-decoration: none;">
 					<h2>Supported Features</h2>
 				</a>
@@ -74,6 +74,7 @@ <h2>Supported Features</h2>
 					<li><input checked="" disabled="" type="checkbox"> Intrinsic Functions (<code>Ref</code>, <code>!Ref</code>, <code>Fn::GetAtt</code>, <code>Fn::Join</code>, <code>Fn::Split</code>, <code>Fn::Select</code>, <code>Fn::FindInMap</code>, <code>Fn::Sub</code>, etc.)</li>
 					<li><input disabled="" type="checkbox"> Rollbacks on failure</li>
 					<li><input disabled="" type="checkbox"> Outputs and cross-stack references</li>
+					<li><input disabled="" type="checkbox"> Assets</li>
 				</ul>
 				<a href="#usage" id="usage" style="color: inherit; text-decoration: none;">
 					<h2>Usage</h2>

src/aws.ts

@@ -0,0 +1,109 @@
+import { Account, ClientOptions, IAws } from "cdk-assets";
+import s3_v2 from "aws-sdk/clients/s3";
+import secrets_manager_v2 from "aws-sdk/clients/secretsmanager";
+import ecr_v2 from "aws-sdk/clients/ecr";
+import sts from "@aws-sdk/client-sts";
+import * as os from "os";
+import { ChainableTemporaryCredentials, Credentials } from "aws-sdk";
+
+export default class AwsClient implements IAws {
+  constructor(
+    private account: string,
+    private region: string,
+    private sdkConfig?: any
+  ) {}
+
+  async discoverPartition(): Promise<string> {
+    return "aws";
+  }
+  async discoverDefaultRegion(): Promise<string> {
+    return this.region;
+  }
+  async discoverCurrentAccount(): Promise<Account> {
+    return {
+      accountId: this.account,
+      partition: await this.discoverPartition(),
+    };
+  }
+  async discoverTargetAccount(options: ClientOptions): Promise<Account> {
+    const stsClient = await this.stsClient(await this.awsOptions(options));
+    const response = await stsClient.send(new sts.GetCallerIdentityCommand({}));
+    if (!response.Account || !response.Arn) {
+      throw new Error(
+        `Unrecognized response from STS: '${JSON.stringify(response)}'`
+      );
+    }
+    return {
+      accountId: response.Account!,
+      partition: response.Arn!.split(":")[1],
+    };
+  }
+  async s3Client(options: ClientOptions): Promise<s3_v2> {
+    return new s3_v2(options);
+  }
+  async stsClient(options: ClientOptions): Promise<sts.STSClient> {
+    return new sts.STSClient(options);
+  }
+  async ecrClient(options: ClientOptions): Promise<ecr_v2> {
+    return new ecr_v2(options);
+  }
+  async secretsManagerClient(
+    options: ClientOptions
+  ): Promise<secrets_manager_v2> {
+    return new secrets_manager_v2(await this.awsOptions(options));
+  }
+  async awsOptions(options: ClientOptions) {
+    let credentials;
+    if (options.assumeRoleArn) {
+      credentials = await this.assumeRole(
+        options.region,
+        options.assumeRoleArn,
+        options.assumeRoleExternalId
+      );
+    }
+    return {
+      ...this.sdkConfig,
+      region: options.region,
+      customUserAgent: "node-cfn",
+      credentials,
+    };
+  }
+  /**
+   * Explicit manual AssumeRole call
+   *
+   * Necessary since I can't seem to get the built-in support for ChainableTemporaryCredentials to work.
+   *
+   * It needs an explicit configuration of `masterCredentials`, we need to put
+   * a `DefaultCredentialProverChain()` in there but that is not possible.
+   */
+  async assumeRole(
+    region: string | undefined,
+    roleArn: string,
+    externalId?: string
+  ): Promise<Credentials> {
+    return new ChainableTemporaryCredentials({
+      params: {
+        RoleArn: roleArn,
+        ExternalId: externalId,
+        RoleSessionName: `node-cfn-${safeUsername()}`,
+      },
+      stsConfig: {
+        region,
+        customUserAgent: "node-cfn",
+      },
+    });
+  }
+}
+
+/**
+ * Return the username with characters invalid for a RoleSessionName removed
+ *
+ * @see https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters
+ */
+function safeUsername() {
+  try {
+    return os.userInfo().username.replace(/[^\w+=,.@-]/g, "@");
+  } catch (e) {
+    return "noname";
+  }
+}

src/graph.ts

@@ -34,8 +34,10 @@ export function buildDependencyGraph(
   const graph: DependencyGraph = {};
   for (const [logicalId, resource] of Object.entries(template.Resources)) {
     const references: string[] = [];
-    for (const propExpr of Object.values(resource.Properties)) {
-      references.push(...findReferences(propExpr));
+    if (resource.Properties) {
+      for (const propExpr of Object.values(resource.Properties)) {
+        references.push(...findReferences(propExpr));
+      }
     }
     graph[logicalId] = Array.from(new Set(references));
   }

src/module-handler.ts

@@ -0,0 +1,128 @@
+// need to define how to create/update/delete a resource of type X when encountered.
+/**
+ * registration and discovery - For now, manually register.
+ *  Default deploy registers, collection of key to object with interfaces.
+ *   Can use object with more definitions.
+ * Separate promise for
+ */
+
+import { CloudControlHandler } from "./module-handlers/cloud-control";
+import { EventBusModuleHandler } from "./module-handlers/event-bus";
+import { InlinePolicyHandler } from "./module-handlers/inline-policy";
+import { ManagedPolicyHandler } from "./module-handlers/managed-policy";
+import { QueuePolicyHandler } from "./module-handlers/queue-policy";
+import type { PhysicalResource, ResourceType } from "./resource";
+
+export interface CreateRequest<Properties> {
+  logicalId: string;
+  resourceType: ResourceType;
+  definition: Properties;
+}
+
+export interface UpdateRequest<Properties> extends CreateRequest<Properties> {
+  previous: PhysicalResource<Properties>;
+}
+
+export interface DeleteRequest<Properties> {
+  logicalId: string;
+  resourceType: ResourceType;
+  physicalId: string;
+  previous: PhysicalResource<Properties>;
+  /**
+   * True when the resource was already snapshot before the delete.
+   */
+  snapshotDone: boolean;
+}
+
+export interface ModuleOperationResultMetadata {
+  /**
+   * Minimum milliseconds to wait after all deployment operations are complete.
+   *
+   * If it takes around 10s for a Policy update (paddingMillis: 10000) to be reflected (consistency), but
+   * the rest of the deployment only takes 5s, we will wait at least 5s before completing the deployment.
+   *
+   * TODO: replace with a consistent vs referable API.
+   */
+  paddingMillis?: number;
+}
+
+export type ModuleOperationResult<Properties = any> = Promise<
+  | PhysicalResource<Properties>
+  | ({ resource: PhysicalResource<Properties> } & ModuleOperationResultMetadata)
+>;
+
+/**
+ * TODO: support optional snapshot.
+ */
+export interface ModuleHandler<Properties = any> {
+  create(request: CreateRequest<Properties>): ModuleOperationResult<Properties>;
+  update(request: UpdateRequest<Properties>): ModuleOperationResult<Properties>;
+  delete(
+    request: DeleteRequest<Properties>
+  ): Promise<void | ModuleOperationResultMetadata>;
+}
+
+export type ModuleHandlerInitializer<Properties = any> = (
+  props: ModuleHandlerProps
+) => ModuleHandler<Properties>;
+
+export const DEFAULT_MODULE_HANDLER_KEY = "FORMLESS_DEFAULT";
+
+export const DefaultModuleHandlers: Record<
+  string,
+  ModuleHandler | ModuleHandlerInitializer
+> = {
+  "AWS::Events::EventBus": (props) => new EventBusModuleHandler(props),
+  "AWS::Events::Rule": (props) => new EventBusModuleHandler(props),
+  "AWS::IAM::Policy": (props) => new InlinePolicyHandler(props),
+  "AWS::IAM::ManagedPolicy": (props) => new ManagedPolicyHandler(props),
+  "AWS::SQS::QueuePolicy": (props) => new QueuePolicyHandler(props),
+  [DEFAULT_MODULE_HANDLER_KEY]: (props) => new CloudControlHandler(props),
+};
+
+export interface ModuleHandlerProps {
+  sdkConfig: any;
+  account: string;
+  region: string;
+}
+
+export function initModuleHandlers(
+  props: ModuleHandlerProps,
+  moduleHandlers: Record<string, ModuleHandler | ModuleHandlerInitializer>
+): Record<string, ModuleHandler> {
+  return Object.fromEntries(
+    Object.entries(moduleHandlers).map(([key, handler]) => [
+      key,
+      typeof handler === "function" ? handler(props) : handler,
+    ])
+  );
+}
+
+export class ModuleHandlerProvider {
+  private readonly __cache: Record<string, ModuleHandler>;
+  constructor(
+    private props: ModuleHandlerProps,
+    private moduleHandlers: Record<
+      string,
+      ModuleHandler | ModuleHandlerInitializer
+    >
+  ) {
+    this.__cache = {};
+  }
+
+  getHandler(key: string): ModuleHandler<any> {
+    if (key in this.__cache) {
+      return this.__cache[key];
+    } else if (key in this.moduleHandlers) {
+      const handler = this.moduleHandlers[key];
+      return (this.__cache[key] =
+        typeof handler === "function" ? handler(this.props) : handler);
+    } else if (DEFAULT_MODULE_HANDLER_KEY in this.moduleHandlers) {
+      return this.getHandler(DEFAULT_MODULE_HANDLER_KEY);
+    } else {
+      throw new Error(
+        `No handler was found for ${key} and no default handler (${DEFAULT_MODULE_HANDLER_KEY}) was provided.`
+      );
+    }
+  }
+}