feat(wrangler): add support for FedRAMP High compliance region (#9321)

* feat(wrangler): add support for FedRAMP High compliance region

Now it is possible to target Wrangler at the FedRAMP High compliance region.
There are two ways to signal to Wrangler to run in this mode:

- set `"compliance_region": "fedramp_high"` in a Wrangler configuration
- set `CLOUDFLARE_COMPLIANCE_REGION=fedramp_high` environment variable when running Wrangler

If both are provided then the environment variable overrides the configured value.

When in this mode OAuth authentication is not supported.
It is necessary to authenticate using a Cloudflare API Token acquired from the Cloudflare FedRAMP High dashboard.

Most bindings and commands are supported in this mode.

- Unsupported commands may result in API requests that are not supported - possibly 422 Unprocessable Entity responses.
- Unsupported bindings may work in local dev, as there is no local validation, but will fail at Worker deployment time.

Resolves DEVX-1921.

* update workers.dev domain for fed mode

* error when env var and config don't line up

* fix env-var factory regression from earlier commits in this PR

* ensure that the local runtime controller passes through region to start mixed mode

* Check the logged-in state in the remote runtime controller rather than at the start of `wrangler dev`.

By this point we have the resolved config, so we can user the compliance region
but also it handles the case where a user toggles remote mode on during a dev session.

* Print compliance region in `wrangler whoami`

* fixups

* move ComplianceConfig type to misc-variables

* more fixes

* agh

* tighten ComplianceConfig so that it must be defined

* revert unnecessary change to `usingLocalNamespace`

* fix up the tests

* remove unnecessary empty line

Author: petebacondarwin

.changeset/swift-bees-agree.md

@@ -0,0 +1,23 @@
+---
+"wrangler": minor
+---
+
+Add support for FedRAMP High compliance region
+
+Now it is possible to target Wrangler at the FedRAMP High compliance region.
+There are two ways to signal to Wrangler to run in this mode:
+
+- set `"compliance_region": "fedramp_high"` in a Wrangler configuration
+- set `CLOUDFLARE_COMPLIANCE_REGION=fedramp_high` environment variable when running Wrangler
+
+If both are provided and the values do not match then Wrangler will exit with an error.
+
+When in this mode OAuth authentication is not supported.
+It is necessary to authenticate using a Cloudflare API Token acquired from the Cloudflare FedRAMP High dashboard.
+
+Most bindings and commands are supported in this mode.
+
+- Unsupported commands may result in API requests that are not supported - possibly 422 Unprocessable Entity responses.
+- Unsupported bindings may work in local dev, as there is no local validation, but will fail at Worker deployment time.
+
+Resolves DEVX-1921.

.vscode/settings.json

@@ -14,6 +14,7 @@
 		"esbuild",
 		"eslintcache",
 		"execa",
+		"fedramp",
 		"filestat",
 		"haikunate",
 		"haikunator",

packages/wrangler/src/__tests__/ai.local.test.ts

@@ -1,10 +1,12 @@
 import { Request } from "miniflare";
 import { HttpResponse } from "msw";
 import { Headers } from "undici";
-import { AIFetcher } from "../ai/fetcher";
+import { getAIFetcher } from "../ai/fetcher";
 import * as internal from "../cfetch/internal";
+import { COMPLIANCE_REGION_CONFIG_UNKNOWN } from "../environment-variables/misc-variables";
 import * as user from "../user";
-import type { RequestInit } from "undici";
+
+const AIFetcher = getAIFetcher(COMPLIANCE_REGION_CONFIG_UNKNOWN);
 
 describe("ai", () => {
 	describe("fetcher", () => {
@@ -16,7 +18,7 @@ describe("ai", () => {
 			it("should send x-forwarded header", async () => {
 				vi.spyOn(user, "getAccountId").mockImplementation(async () => "123");
 				vi.spyOn(internal, "performApiFetch").mockImplementation(
-					async (resource: string, init: RequestInit = {}) => {
+					async (config, resource, init = {}) => {
 						const headers = new Headers(init.headers);
 						return HttpResponse.json({
 							xForwarded: headers.get("X-Forwarded"),
@@ -44,7 +46,7 @@ describe("ai", () => {
 			it("account id should be set", async () => {
 				vi.spyOn(user, "getAccountId").mockImplementation(async () => "123");
 				vi.spyOn(internal, "performApiFetch").mockImplementation(
-					async (resource: string) => {
+					async (config, resource) => {
 						return HttpResponse.json({
 							resource: resource,
 						});

packages/wrangler/src/__tests__/api/startDevWorker/BundleController.test.ts

@@ -40,6 +40,7 @@ function configDefaults(
 	const persist = path.join(process.cwd(), ".wrangler/persist");
 	return {
 		name: "test-worker",
+		complianceRegion: undefined,
 		entrypoint: "NOT_REAL",
 		projectRoot: "NOT_REAL",
 		build: unusable<StartDevWorkerOptions["build"]>(),

packages/wrangler/src/__tests__/api/startDevWorker/LocalRuntimeController.test.ts

@@ -128,6 +128,7 @@ function configDefaults(
 ): StartDevWorkerOptions {
 	return {
 		name: "test-worker",
+		complianceRegion: undefined,
 		entrypoint: "NOT_REAL",
 		projectRoot: "NOT_REAL",
 		build: unusable<StartDevWorkerOptions["build"]>(),

packages/wrangler/src/__tests__/cert.test.ts

@@ -10,6 +10,7 @@ import {
 	uploadMTlsCertificateFromFs,
 } from "../api";
 import { type MTlsCertificateResponse } from "../api/mtls-certificate";
+import { COMPLIANCE_REGION_CONFIG_UNKNOWN } from "../environment-variables/misc-variables";
 import { mockAccountId, mockApiToken } from "./helpers/mock-account-id";
 import { mockConsoleMethods } from "./helpers/mock-console";
 import { mockConfirm } from "./helpers/mock-dialogs";
@@ -202,11 +203,15 @@ describe("wrangler", () => {
 						expires_on: oneYearLater.toISOString(),
 					});
 
-					const cert = await uploadMTlsCertificate("some-account-id", {
-						certificateChain: "BEGIN CERTIFICATE...",
-						privateKey: "BEGIN PRIVATE KEY...",
-						name: "my_cert",
-					});
+					const cert = await uploadMTlsCertificate(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						{
+							certificateChain: "BEGIN CERTIFICATE...",
+							privateKey: "BEGIN PRIVATE KEY...",
+							name: "my_cert",
+						}
+					);
 
 					expect(cert.id).toEqual("1234");
 					expect(cert.issuer).toEqual("example.com...");
@@ -219,11 +224,15 @@ describe("wrangler", () => {
 			describe("uploadMTlsCertificateFromFs", () => {
 				it("should fail to read cert and key files when missing", async () => {
 					await expect(
-						uploadMTlsCertificateFromFs("some-account-id", {
-							certificateChainFilename: "cert.pem",
-							privateKeyFilename: "key.pem",
-							name: "my_cert",
-						})
+						uploadMTlsCertificateFromFs(
+							COMPLIANCE_REGION_CONFIG_UNKNOWN,
+							"some-account-id",
+							{
+								certificateChainFilename: "cert.pem",
+								privateKeyFilename: "key.pem",
+								name: "my_cert",
+							}
+						)
 					).rejects.toMatchInlineSnapshot(
 						`[ParseError: Could not read file: cert.pem]`
 					);
@@ -238,11 +247,15 @@ describe("wrangler", () => {
 					writeFileSync("cert.pem", "BEGIN CERTIFICATE...");
 					writeFileSync("key.pem", "BEGIN PRIVATE KEY...");
 
-					const cert = await uploadMTlsCertificateFromFs("some-account-id", {
-						certificateChainFilename: "cert.pem",
-						privateKeyFilename: "key.pem",
-						name: "my_cert",
-					});
+					const cert = await uploadMTlsCertificateFromFs(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						{
+							certificateChainFilename: "cert.pem",
+							privateKeyFilename: "key.pem",
+							name: "my_cert",
+						}
+					);
 
 					expect(cert.id).toEqual("1234");
 					expect(cert.issuer).toEqual("example.com...");
@@ -255,11 +268,15 @@ describe("wrangler", () => {
 			describe("uploadCaCertificateFromFs", () => {
 				it("should fail to read ca cert when file is missing", async () => {
 					await expect(
-						uploadCaCertificateFromFs("some-account-id", {
-							certificates: "caCert.pem",
-							ca: true,
-							name: "my_cert",
-						})
+						uploadCaCertificateFromFs(
+							COMPLIANCE_REGION_CONFIG_UNKNOWN,
+							"some-account-id",
+							{
+								certificates: "caCert.pem",
+								ca: true,
+								name: "my_cert",
+							}
+						)
 					).rejects.toMatchInlineSnapshot(
 						`[ParseError: Could not read file: caCert.pem]`
 					);
@@ -273,11 +290,15 @@ describe("wrangler", () => {
 
 					writeFileSync("caCert.pem", "BEGIN CERTIFICATE...");
 
-					const cert = await uploadCaCertificateFromFs("some-account-id", {
-						certificates: "caCert.pem",
-						ca: true,
-						name: "my_cert",
-					});
+					const cert = await uploadCaCertificateFromFs(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						{
+							certificates: "caCert.pem",
+							ca: true,
+							name: "my_cert",
+						}
+					);
 
 					expect(cert.id).toEqual("1234");
 					expect(cert.issuer).toEqual("example.com...");
@@ -309,7 +330,12 @@ describe("wrangler", () => {
 						},
 					]);
 
-					const certs = await listMTlsCertificates("some-account-id", {}, true);
+					const certs = await listMTlsCertificates(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						{},
+						true
+					);
 
 					expect(certs).toHaveLength(2);
 
@@ -334,7 +360,11 @@ describe("wrangler", () => {
 						expires_on: oneYearLater.toISOString(),
 					});
 
-					const cert = await getMTlsCertificate("some-account-id", "1234");
+					const cert = await getMTlsCertificate(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						"1234"
+					);
 
 					expect(cert.id).toEqual("1234");
 					expect(cert.issuer).toEqual("example.com...");
@@ -358,6 +388,7 @@ describe("wrangler", () => {
 					]);
 
 					const cert = await getMTlsCertificateByName(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
 						"some-account-id",
 						"cert one",
 						true
@@ -374,7 +405,12 @@ describe("wrangler", () => {
 					const mock = mockGetMTlsCertificates([]);
 
 					await expect(
-						getMTlsCertificateByName("some-account-id", "cert one", true)
+						getMTlsCertificateByName(
+							COMPLIANCE_REGION_CONFIG_UNKNOWN,
+							"some-account-id",
+							"cert one",
+							true
+						)
 					).rejects.toMatchInlineSnapshot(
 						`[Error: certificate not found with name "cert one"]`
 					);
@@ -403,7 +439,12 @@ describe("wrangler", () => {
 					]);
 
 					await expect(
-						getMTlsCertificateByName("some-account-id", "cert one", true)
+						getMTlsCertificateByName(
+							COMPLIANCE_REGION_CONFIG_UNKNOWN,
+							"some-account-id",
+							"cert one",
+							true
+						)
 					).rejects.toMatchInlineSnapshot(
 						`[Error: multiple certificates found with name "cert one"]`
 					);
@@ -416,7 +457,11 @@ describe("wrangler", () => {
 				test("calls delete mts_certificates endpoint", async () => {
 					const mock = mockDeleteMTlsCertificate();
 
-					await deleteMTlsCertificate("some-account-id", "1234");
+					await deleteMTlsCertificate(
+						COMPLIANCE_REGION_CONFIG_UNKNOWN,
+						"some-account-id",
+						"1234"
+					);
 
 					expect(mock.calls).toEqual(1);
 				});

packages/wrangler/src/__tests__/core/command-registration.test.ts

@@ -225,10 +225,11 @@ describe("CommandRegistry", () => {
 		registry.define([
 			{
 				command: "wrangler original-command",
-				// @ts-expect-error missing definition
 				definition: {
 					metadata: {
 						status: "stable",
+						description: "Original command",
+						owner: "Workers: Authoring and Testing",
 					},
 				},
 			},

packages/wrangler/src/__tests__/d1/timeTravel.test.ts

@@ -1,5 +1,6 @@
 import { http, HttpResponse } from "msw";
 import { throwIfDatabaseIsAlpha } from "../../d1/timeTravel/utils";
+import { COMPLIANCE_REGION_CONFIG_UNKNOWN } from "../../environment-variables/misc-variables";
 import { mockAccountId, mockApiToken } from "../helpers/mock-account-id";
 import { mockConsoleMethods } from "../helpers/mock-console";
 import { useMockIsTTY } from "../helpers/mock-istty";
@@ -71,7 +72,11 @@ describe("time-travel", () => {
 				})
 			);
 			await expect(
-				throwIfDatabaseIsAlpha("1701", "d5b1d127-xxxx-xxxx-xxxx-cbc69f0a9e06")
+				throwIfDatabaseIsAlpha(
+					COMPLIANCE_REGION_CONFIG_UNKNOWN,
+					"1701",
+					"d5b1d127-xxxx-xxxx-xxxx-cbc69f0a9e06"
+				)
 			).rejects.toThrowError(
 				"Time travel is not available for alpha D1 databases. You will need to migrate to a new database for access to this feature."
 			);
@@ -107,6 +112,7 @@ describe("time-travel", () => {
 				})
 			);
 			const result = await throwIfDatabaseIsAlpha(
+				COMPLIANCE_REGION_CONFIG_UNKNOWN,
 				"1701",
 				"d5b1d127-xxxx-xxxx-xxxx-cbc69f0a9e06"
 			);

packages/wrangler/src/__tests__/deploy.test.ts

@@ -482,8 +482,8 @@ describe("deploy", () => {
 			Please ensure it has the correct permissions for this operation.
 
 			Getting User settings...
-			ℹ️  The API Token is read from the CLOUDFLARE_API_TOKEN in your environment.
 			👋 You are logged in with an API Token, associated with the email [email protected].
+			ℹ️  The API Token is read from the CLOUDFLARE_API_TOKEN in your environment.
 			┌─┬─┐
 			│ Account Name │ Account ID │
 			├─┼─┤
@@ -12866,6 +12866,73 @@ export default{
 			`);
 		});
 	});
+
+	describe("compliance region support", () => {
+		it("should upload to the public region by default", async () => {
+			writeWranglerConfig({});
+			writeWorkerSource();
+			mockUploadWorkerRequest({
+				expectedBaseUrl: "api.cloudflare.com",
+			});
+			mockSubDomainRequest();
+			mockGetWorkerSubdomain({ enabled: true });
+
+			await runWrangler("deploy ./index.js");
+		});
+
+		it("should upload to the FedRAMP High region if set in config", async () => {
+			writeWranglerConfig({
+				compliance_region: "fedramp_high",
+			});
+			writeWorkerSource();
+			mockUploadWorkerRequest({
+				expectedBaseUrl: "api.fed.cloudflare.com",
+			});
+			mockSubDomainRequest();
+			mockGetWorkerSubdomain({ enabled: true });
+
+			await runWrangler("deploy ./index.js");
+		});
+
+		it("should upload to the FedRAMP High region if set in an env var", async () => {
+			vi.stubEnv("CLOUDFLARE_COMPLIANCE_REGION", "fedramp_high");
+			writeWranglerConfig({});
+			writeWorkerSource();
+			mockUploadWorkerRequest({
+				expectedBaseUrl: "api.fed.cloudflare.com",
+			});
+			mockSubDomainRequest();
+			mockGetWorkerSubdomain({ enabled: true });
+
+			await runWrangler("deploy ./index.js");
+		});
+
+		it("should error if the region is set in both env var and configured, and they conflict", async () => {
+			vi.stubEnv("CLOUDFLARE_COMPLIANCE_REGION", "public");
+			writeWranglerConfig({ compliance_region: "fedramp_high" });
+			writeWorkerSource();
+
+			await expect(runWrangler("deploy ./index.js")).rejects
+				.toThrowErrorMatchingInlineSnapshot(`
+				[Error: The compliance region has been set to different values in two places:
+				 - \`CLOUDFLARE_COMPLIANCE_REGION\` environment variable: \`public\`
+				 - \`compliance_region\` configuration property: \`fedramp_high\`]
+			`);
+		});
+
+		it("should not error if the region is set in both env var and configured, and they are the same", async () => {
+			vi.stubEnv("CLOUDFLARE_COMPLIANCE_REGION", "fedramp_high");
+			writeWranglerConfig({ compliance_region: "fedramp_high" });
+			writeWorkerSource();
+			mockUploadWorkerRequest({
+				expectedBaseUrl: "api.fed.cloudflare.com",
+			});
+			mockSubDomainRequest();
+			mockGetWorkerSubdomain({ enabled: true });
+
+			await runWrangler("deploy ./index.js");
+		});
+	});
 });
 
 /** Write mock assets to the file system so they can be uploaded. */