Start adding CFN

Author: Veetaha

codegen/package-lock.json

@@ -17,6 +17,7 @@
     "constructs": "^10.4.2",
     "fs-extra": "^11.3.0",
     "lodash": "^4.17.21",
-    "prettier": "^3.5.3"
+    "prettier": "^3.5.3",
+    "yaml": "^2.7.1"
   }
 }

codegen/package.json

@@ -1,23 +1,38 @@
 import { ArkErrors } from "arktype";
-import { inputs, InputsIn } from "./inputs";
+import { CloudFormationParams, TerraformParams } from "./params";
 import * as mir from "./mir";
-import * as tf from "./orchestrator/terraform";
+import * as terraform from "./orchestrator/terraform";
+import * as cloudformation from "./orchestrator/cloudformation";
 
-export { inputs };
+export type CloudFormationParams = typeof CloudFormationParams.inferIn;
+export type TerraformParams = typeof TerraformParams.inferIn;
 
-export function generate(inputsIn: InputsIn) {
-  const result = inputs(inputsIn);
+export function generateCloudFormation(paramsIn: CloudFormationParams) {
+  const params = CloudFormationParams(paramsIn);
+  return generate(params, cloudformation.generate);
+}
+
+export function generateTerraform(paramsIn: TerraformParams) {
+  const params = TerraformParams(paramsIn);
+  return generate(params, terraform.generate);
+}
 
-  if (result instanceof ArkErrors) {
-    throw new Error(`Invalid inputs: ${result}`);
+type Generator<P extends mir.Params, R> = (
+  resources: Record<string, mir.Resource>,
+  params: P,
+) => R;
+
+function generate<P extends mir.Params, R, F extends Generator<P, R>>(
+  params: P | ArkErrors,
+  generator: F,
+): R {
+  if (params instanceof ArkErrors) {
+    throw new Error(`Invalid params: ${params}`);
   }
 
-  const resources = mir.resources(result);
+  const resources = mir.resources(params);
 
-  tf.generate(resources);
-}
+  params.tags["elastio:resource"] = "true";
 
-generate({
-  connectorAccountId: "123456789012",
-  connectorRoleExternalId: "external-id",
-});
+  return generator(resources, params);
+}

codegen/src/asset-account/index.ts

@@ -1,10 +1,10 @@
 import * as iam from "../../common/iam";
 import * as inventory from "../../common/inventory";
-import { Inputs } from "../inputs";
+import type { Params } from ".";
 import _ from "lodash";
 import { IamRole } from "./resource";
 
-export function cloudConnectorRole(inputs: Inputs): IamRole {
+export function cloudConnectorRole(params: Params): IamRole {
   const otherStatements: Record<string, iam.PolicyStatement[]> = {
     WriteEc2: [
       // Create and copy snapshots to the cloud connector account
@@ -41,7 +41,7 @@ export function cloudConnectorRole(inputs: Inputs): IamRole {
         Condition: {
           // Needed to add createVolumePermission for the connector account.
           StringEquals: {
-            "ec2:Add/userId": inputs.connectorAccountId,
+            "ec2:Add/userId": params.connectorAccountId,
             // Even though EC2 IAM reference says there are two more
             // things that could be used in the condition:
             // "ec2:Attribute" and "ec2:Attribute/${AttributeName}",
@@ -239,15 +239,15 @@ export function cloudConnectorRole(inputs: Inputs): IamRole {
 
       Principal: {
         AWS:
-          `arn:aws:iam::${inputs.connectorAccountId}:role/` +
-          inputs.iamResourceNamesPrefix +
+          `arn:aws:iam::${params.connectorAccountId}:role/` +
+          params.iamResourceNamesPrefix +
           "ElastioCloudConnectorBastion" +
-          inputs.iamResourceNamesSuffix,
+          params.iamResourceNamesSuffix,
       },
 
       Condition: {
         StringEquals: {
-          "sts:ExternalId": inputs.connectorRoleExternalId,
+          "sts:ExternalId": params.connectorRoleExternalId,
         },
       },
     },

codegen/src/asset-account/mir/cloud-connector.ts

@@ -1,12 +1,16 @@
 import type { Resource } from "./resource";
-import { Inputs } from "../inputs";
 import { cloudConnectorRole } from "./cloud-connector";
+import { CloudFormationParams, TerraformParams } from "../params";
 
 export { Resource };
 
+export type Params =
+  | typeof CloudFormationParams.inferOut
+  | typeof TerraformParams.inferOut;
+
 const version = "0.35.13";
 
-export function resources(inputs: Inputs): Record<string, Resource> {
+export function resources(inputs: Params): Record<string, Resource> {
   return {
     inventory_event_target: {
       type: "aws_iam_role",

codegen/src/asset-account/mir/index.ts

@@ -0,0 +1,107 @@
+import _ from "lodash";
+import * as hclTools from "@cdktf/hcl-tools";
+import * as iam from "../../common/iam";
+import * as prettier from "prettier";
+import { CloudFormationParams } from "../params";
+import { Resource } from "../mir";
+
+async function literal(value: unknown): Promise<string> {
+  const json = JSON.stringify(value, null, 2);
+
+  const pretty = await prettier.format(json, { parser: "json" });
+  return pretty.trim();
+}
+
+async function jsonencode(value: unknown): Promise<string> {
+  return `jsonencode(\n${await literal(value)}\n)`;
+}
+
+function policyDocument(statements: iam.PolicyStatement[]) {
+  return {
+    Version: "2012-10-17",
+    Statement: statements.map((statement) => ({
+      Effect: statement.Effect ?? "Allow",
+      ...statement,
+    })),
+  };
+}
+
+export type CloudFormationParams = typeof CloudFormationParams.inferOut;
+
+export interface CloudFormationProject {
+  files: Record<string, string>;
+}
+
+export async function generate(
+  resources: Record<string, Resource>,
+  params: CloudFormationParams,
+): Promise<CloudFormationProject> {
+  const parts = [
+    `locals {
+      tags = ${await literal(params.tags)}
+    }`,
+  ];
+
+  for (const [id, resource] of Object.entries(resources)) {
+    switch (resource.type) {
+      case "aws_iam_role": {
+        parts.push(
+          `resource "aws_iam_role" ${literal(id)} {
+            name = ${literal(resource.name)}
+            tags = local.tags
+            assume_role_policy = ${await jsonencode(policyDocument([resource.assumeRolePolicy]))}
+          }`,
+        );
+
+        const statements = Object.entries(resource.statements);
+
+        if (statements.length === 0) {
+          continue;
+        }
+
+        const policies = _.mapValues(
+          resource.statements,
+          (statement) => policyDocument(statement).Statement,
+        );
+
+        parts.push(
+          `resource "aws_iam_role_policy" ${literal(id)} {
+            role = aws_iam_role.${id}.name
+            name = each.key
+            policy = jsonencode(
+              {
+                "Version": "2012-10-17",
+                "Statement": each.value
+              }
+            )
+            for_each = ${await literal(policies)}
+          }`,
+        );
+      }
+      case "aws_ssm_parameter": {
+      }
+    }
+  }
+
+  parts.push(`
+    data "aws_caller_identity" "current" {}
+    locals {
+      account_id = data.aws_caller_identity.current.account_id
+    }
+  `);
+
+  const content = parts
+    .join("\n\n")
+    .replaceAll("{{account_id}}", "${local.account_id}")
+    .replaceAll(/\{\{(.*)\}\}/g, "${$1}");
+
+  const formatted = (await hclTools.format(content)).trim();
+
+  console.log(formatted);
+
+  return {
+    files: {
+      "main.tf": formatted,
+    },
+  };
+}

codegen/src/asset-account/orchestrator/cloudformation.ts

@@ -1,11 +1,13 @@
-import type { Resource } from "../mir";
 import _ from "lodash";
 import * as hclTools from "@cdktf/hcl-tools";
 import * as iam from "../../common/iam";
 import * as prettier from "prettier";
+import { TerraformParams } from "../params";
+import { Resource } from "../mir";
 
 async function literal(value: unknown): Promise<string> {
   const json = JSON.stringify(value, null, 2);
+
   const pretty = await prettier.format(json, { parser: "json" });
   return pretty.trim();
 }
@@ -18,21 +20,35 @@ function policyDocument(statements: iam.PolicyStatement[]) {
   return {
     Version: "2012-10-17",
     Statement: statements.map((statement) => ({
-      ...statement,
       Effect: statement.Effect ?? "Allow",
+      ...statement,
     })),
   };
 }
 
-export async function generate(resources: Record<string, Resource>) {
-  const parts = [];
+export type TerraformParams = typeof TerraformParams.inferOut;
+
+export interface TerraformProject {
+  files: Record<string, string>;
+}
+
+export async function generate(
+  resources: Record<string, Resource>,
+  params: TerraformParams,
+): Promise<TerraformProject> {
+  const parts = [
+    `locals {
+      tags = ${await literal(params.tags)}
+    }`,
+  ];
 
   for (const [id, resource] of Object.entries(resources)) {
     switch (resource.type) {
       case "aws_iam_role": {
         parts.push(
-          `resource "aws_iam_role" "${id}" {
-            name = "${resource.name}"
+          `resource "aws_iam_role" ${literal(id)} {
+            name = ${literal(resource.name)}
+            tags = local.tags
             assume_role_policy = ${await jsonencode(policyDocument([resource.assumeRolePolicy]))}
           }`,
         );
@@ -49,7 +65,7 @@ export async function generate(resources: Record<string, Resource>) {
         );
 
         parts.push(
-          `resource "aws_iam_role_policy" "${id}" {
+          `resource "aws_iam_role_policy" ${literal(id)} {
             role = aws_iam_role.${id}.name
             name = each.key
             policy = jsonencode(
@@ -79,9 +95,13 @@ export async function generate(resources: Record<string, Resource>) {
     .replaceAll("{{account_id}}", "${local.account_id}")
     .replaceAll(/\{\{(.*)\}\}/g, "${$1}");
 
-  console.log(await hclTools.format(content));
-}
+  const formatted = (await hclTools.format(content)).trim();
+
+  console.log(formatted);
 
-function camelCaseToSnakeCase(str: string): string {
-  return str.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+  return {
+    files: {
+      "main.tf": formatted,
+    },
+  };
 }