chore: wip

Author: chrisbbreuer

.stacks/core/buddy/src/commands/cloud.ts

@@ -1,9 +1,9 @@
-import process from 'node:process'
 import { intro, italic, log, outro, prompts, runCommand, underline } from '@stacksjs/cli'
 import { addJumpBox, deleteCdkRemnants, deleteJumpBox, deleteLogGroups, deleteStacksBuckets, deleteStacksFunctions, getJumpBoxInstanceId } from '@stacksjs/cloud'
 import { path as p } from '@stacksjs/path'
 import type { CLI, CloudCliOptions } from '@stacksjs/types'
 import { ExitCode } from '@stacksjs/types'
+import process from 'node:process'
 
 export function cloud(buddy: CLI) {
   const descriptions = {
@@ -152,7 +152,7 @@ export function cloud(buddy: CLI) {
         stdin: 'inherit',
       })
 
-      await outro('Your cloud has now been removed', { startTime, useSeconds: true })
+      await outro('Your cloud has been removed', { startTime, useSeconds: true })
       process.exit(ExitCode.Success)
     })
 
@@ -220,12 +220,14 @@ export function cloud(buddy: CLI) {
       const result3 = await deleteStacksFunctions()
 
       if (result3.isErr()) {
-        if (result3.error !== 'No stacks functions found') {
+        if (result3.error !== 'No stacks functions found')
           await outro('While deleting the Origin Request Lambda function, there was an issue', { startTime, useSeconds: true }, result3.error)
-          process.exit(ExitCode.FatalError)
-        }
+
+        process.exit(ExitCode.FatalError)
       }
 
+      log.info(result3.value)
+
       log.info('Removing any remaining Stacks logs...')
       const result4 = await deleteLogGroups()
       // TODO: investigate other regions for edge (cloudfront) logs

.stacks/core/cloud/src/cloud.ts

@@ -416,77 +416,58 @@ export class StacksCloud extends Stack {
     }
 
     if (config.security.firewall?.httpHeaders?.length) {
-      priorities.push(1)
-      rules.push({
-        name: 'HttpHeaderRule',
-        priority: priorities.length,
-        statement: {
-          byteMatchStatement: {
-            fieldToMatch: {
-              singleHeader: {
-                name: config.security.firewall.httpHeaders,
+      config.security.firewall.httpHeaders.forEach((header, index) => {
+        priorities.push(1)
+        rules.push({
+          name: `HttpHeaderRule${index}`,
+          priority: priorities.length,
+          statement: {
+            byteMatchStatement: {
+              fieldToMatch: {
+                singleHeader: {
+                  name: header,
+                },
               },
+              positionalConstraint: 'EXACTLY',
+              searchString: 'true',
+              textTransformations: [
+                {
+                  priority: index,
+                  type: 'NONE',
+                },
+              ],
             },
-            positionalConstraint: 'EXACTLY',
-            searchString: 'true',
-            textTransformations: [
-              {
-                priority: 0,
-                type: 'NONE',
-              },
-            ],
           },
-        },
-        action: {
-          block: {},
-        },
-        visibilityConfig: {
-          sampledRequestsEnabled: true,
-          cloudWatchMetricsEnabled: true,
-          metricName: 'HttpHeaderRule',
-        },
-      })
-    }
-
-    if (config.security.firewall?.queryString?.length) {
-      priorities.push(1)
-      rules.push({
-        name: 'QueryStringRule',
-        priority: priorities.length,
-        statement: {
-          byteMatchStatement: {
-            fieldToMatch: {
-              queryString: {},
-            },
-            positionalConstraint: 'EXACTLY',
-            searchString: config.security.firewall.queryString.join(', '),
-            textTransformations: [
-              {
-                priority: 0,
-                type: 'NONE',
-              },
-            ],
+          action: {
+            block: {},
           },
-        },
-        action: {
-          block: {},
-        },
-        visibilityConfig: {
-          sampledRequestsEnabled: true,
-          cloudWatchMetricsEnabled: true,
-          metricName: 'QueryStringRule',
-        },
+          visibilityConfig: {
+            sampledRequestsEnabled: true,
+            cloudWatchMetricsEnabled: true,
+            metricName: `HttpHeaderRule${index}`,
+          },
+        })
       })
     }
 
-    // if (config.security.firewall?.ipSets?.length) {
+    // if (config.security.firewall?.queryString?.length) {
     //   priorities.push(1)
     //   rules.push({
-    //     name: 'IpSetRule',
+    //     name: 'QueryStringRule',
     //     priority: priorities.length,
     //     statement: {
-    //       ipSetReferenceStatement: {
-    //         arn: config.security.firewall.ipSets,
+    //       byteMatchStatement: {
+    //         fieldToMatch: {
+    //           queryString: {},
+    //         },
+    //         positionalConstraint: 'EXACTLY',
+    //         searchString: config.security.firewall.queryString.join(', '),
+    //         textTransformations: [
+    //           {
+    //             priority: 0,
+    //             type: 'NONE',
+    //           },
+    //         ],
     //       },
     //     },
     //     action: {
@@ -495,86 +476,76 @@ export class StacksCloud extends Stack {
     //     visibilityConfig: {
     //       sampledRequestsEnabled: true,
     //       cloudWatchMetricsEnabled: true,
-    //       metricName: 'IpSetRule',
+    //       metricName: 'QueryStringRule',
     //     },
     //   })
     // }
 
-    if (config.security.firewall?.rateLimitPerMinute) {
-      priorities.push(1)
-      rules.push({
-        name: 'RateLimitRule',
-        priority: priorities.length,
-        statement: {
-          rateBasedStatement: {
-            limit: config.security.firewall.rateLimitPerMinute,
-            aggregateKeyType: 'IP',
-            scopeDownStatement: {
-              notStatement: {
-                statement: {
-                  rateBasedStatement: {
-                    limit: config.security.firewall.rateLimitPerMinute,
-                    aggregateKeyType: 'IP',
-                  },
-                },
-              },
-            },
-          },
-        },
-        action: {
-          block: {},
-        },
-        visibilityConfig: {
-          sampledRequestsEnabled: true,
-          cloudWatchMetricsEnabled: true,
-          metricName: 'RateLimitRule',
-        },
-      })
-    }
+    // if (config.security.firewall?.rateLimitPerMinute) {
+    //   priorities.push(1)
+    //   rules.push({
+    //     name: 'RateLimitRule',
+    //     priority: priorities.length,
+    //     statement: {
+    //       rateBasedStatement: {
+    //         limit: config.security.firewall.rateLimitPerMinute,
+    //         aggregateKeyType: 'IP',
+    //       },
+    //     },
+    //     action: {
+    //       block: {},
+    //     },
+    //     visibilityConfig: {
+    //       sampledRequestsEnabled: true,
+    //       cloudWatchMetricsEnabled: true,
+    //       metricName: 'RateLimitRule',
+    //     },
+    //   })
+    // }
 
-    if (config.security.firewall?.useIpReputationLists) {
-      priorities.push(1)
-      rules.push({
-        name: 'IpReputationRule',
-        priority: priorities.length,
-        statement: {
-          managedRuleGroupStatement: {
-            vendorName: 'AWS',
-            name: 'AWSManagedRulesAmazonIpReputationList',
-          },
-        },
-        action: {
-          block: {},
-        },
-        visibilityConfig: {
-          sampledRequestsEnabled: true,
-          cloudWatchMetricsEnabled: true,
-          metricName: 'IpReputationRule',
-        },
-      })
-    }
+    // if (config.security.firewall?.useIpReputationLists) {
+    //   priorities.push(1)
+    //   rules.push({
+    //     name: 'IpReputationRule',
+    //     priority: priorities.length,
+    //     statement: {
+    //       managedRuleGroupStatement: {
+    //         vendorName: 'AWS',
+    //         name: 'AWSManagedRulesAmazonIpReputationList',
+    //       },
+    //     },
+    //     action: {
+    //       block: {},
+    //     },
+    //     visibilityConfig: {
+    //       sampledRequestsEnabled: true,
+    //       cloudWatchMetricsEnabled: true,
+    //       metricName: 'IpReputationRule',
+    //     },
+    //   })
+    // }
 
-    if (config.security.firewall?.useKnownBadInputsRuleSet) {
-      priorities.push(1)
-      rules.push({
-        name: 'KnownBadInputsRule',
-        priority: priorities.length,
-        statement: {
-          managedRuleGroupStatement: {
-            vendorName: 'AWS',
-            name: 'AWSManagedRulesKnownBadInputsRuleSet',
-          },
-        },
-        action: {
-          block: {},
-        },
-        visibilityConfig: {
-          sampledRequestsEnabled: true,
-          cloudWatchMetricsEnabled: true,
-          metricName: 'KnownBadInputsRule',
-        },
-      })
-    }
+    // if (config.security.firewall?.useKnownBadInputsRuleSet) {
+    //   priorities.push(1)
+    //   rules.push({
+    //     name: 'KnownBadInputsRule',
+    //     priority: priorities.length,
+    //     statement: {
+    //       managedRuleGroupStatement: {
+    //         vendorName: 'AWS',
+    //         name: 'AWSManagedRulesKnownBadInputsRuleSet',
+    //       },
+    //     },
+    //     action: {
+    //       block: {},
+    //     },
+    //     visibilityConfig: {
+    //       sampledRequestsEnabled: true,
+    //       cloudWatchMetricsEnabled: true,
+    //       metricName: 'KnownBadInputsRule',
+    //     },
+    //   })
+    // }
 
     return rules
   }
@@ -749,21 +720,23 @@ export class StacksCloud extends Stack {
 
     const sesPrincipal = new iam.ServicePrincipal('ses.amazonaws.com')
 
-    this.storage.emailBucket.addToResourcePolicy(new iam.PolicyStatement({
+    const sesPolicy = new iam.PolicyStatement({
       sid: 'AllowSESPuts',
       effect: iam.Effect.ALLOW,
       principals: [sesPrincipal],
       actions: ['s3:PutObject'],
       resources: [
-        // this.storage.emailBucket.arnForObjects('tmp/email_in/*'),
-        this.storage.emailBucket.arnForObjects('*'),
+        `${this.storage.emailBucket.bucketArn}`,
+        `${this.storage.emailBucket.bucketArn}/*`,
       ],
       conditions: {
         StringEquals: {
           'aws:Referer': this.account,
         },
       },
-    }))
+    })
+
+    this.storage.emailBucket.addToResourcePolicy(sesPolicy)
 
     const iamGroup = new iam.Group(this, 'IAMGroup', {
       groupName: `${this.appName}-${appEnv}-email-management-s3-group`,
@@ -788,8 +761,8 @@ export class StacksCloud extends Stack {
         's3:PutObjectVersionAcl',
       ],
       resources: [
-        `arn:aws:s3:::${this.storage.emailBucket.bucketName}`,
-        `arn:aws:s3:::${this.storage.emailBucket.bucketName}/*`,
+        `${this.storage.emailBucket.bucketArn}`,
+        `${this.storage.emailBucket.bucketArn}/*`,
       ],
     })
 

.stacks/core/cloud/src/helpers.ts

@@ -266,11 +266,18 @@ export async function deleteStacksFunctions() {
   const stacksFunctions = data.Functions?.filter(func => func.FunctionName?.includes('stacks')) || []
 
   if (!stacksFunctions || stacksFunctions.length === 0)
-    return err('No stacks functions found')
+    return ok('No stacks functions found')
 
   const promises = stacksFunctions.map(func => lambda.deleteFunction({ FunctionName: func.FunctionName || '' }))
 
-  await Promise.all(promises)
+  await Promise.all(promises).catch((error: Error) => {
+    if (error.message.includes('it is a replicated function')) {
+      log.info('Function is replicated, skipping...')
+      return ok('CloudFront is still deleting the some functions. Try again later.')
+    }
+
+    return err(handleError('Error deleting stacks functions', error))
+  })
 
   return ok('Stacks functions deleted')
 }

.stacks/docs/.vitepress/custom.css renamed to .stacks/docs/.vitepress/theme/custom.css

@@ -0,0 +1,5 @@
+// .vitepress/theme/index.js
+import DefaultTheme from 'vitepress/theme'
+import './custom.css'
+
+export default DefaultTheme

.stacks/docs/.vitepress/theme/index.ts

@@ -1,5 +1,5 @@
 dependencies:
-  aws.amazon.com/cdk: ^2.101.1
+  aws.amazon.com/cdk: ^2.102.0
   aws.amazon.com/cli: ^2.13.7
   bun.sh: ^1.0.6
   caddyserver.com: ^2.7.4