Adding support for EU region (permitio#137)

* Adding support for EU region

* Tests added

* Fix OAuth Login Bug, API Key Validation Bug, Terraform Export Bug, Infinite Loop Bug with policy create simple, Missing Actions Bug

* Default roles added for exporter

Author: EliMoshkovich

source/commands/env/export/generators/RoleGenerator.ts

@@ -8,10 +8,6 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
-// Define default global roles that should be excluded from creation
-// These roles already exist in Permit by default
-const DEFAULT_GLOBAL_ROLES = ['admin', 'editor', 'viewer'];
-
 interface RoleData {
 	key: string;
 	terraformId: string;
@@ -183,10 +179,8 @@ export class RoleGenerator implements HCLGenerator {
 	): string {
 		let terraformId = roleKey;
 
-		const isDefaultRole = DEFAULT_GLOBAL_ROLES.includes(roleKey);
-
-		// For duplicate roles or default roles, use resource__role format
-		if (isDuplicate || isDefaultRole || this.usedTerraformIds.has(roleKey)) {
+		// For duplicate roles, use resource__role format
+		if (isDuplicate || this.usedTerraformIds.has(roleKey)) {
 			terraformId = resourceKey
 				? `${resourceKey}__${roleKey}`
 				: `global_${roleKey}`;
@@ -300,13 +294,6 @@ export class RoleGenerator implements HCLGenerator {
 		const validRoles: RoleData[] = [];
 
 		for (const role of roles) {
-			// Skip default global roles that already exist in the system
-			if (DEFAULT_GLOBAL_ROLES.includes(role.key)) {
-				// Still add to the ID map for role derivations
-				this.roleIdMap.set(role.key, role.key);
-				continue;
-			}
-
 			// Generate Terraform ID
 			const terraformId = this.generateTerraformId(role.key);
 

source/commands/env/export/utils.ts

@@ -1,4 +1,5 @@
 import { WarningCollector } from './types.js';
+import { getPermitApiUrl } from '../../../config.js';
 
 export function createSafeId(...parts: string[]): string {
 	return parts
@@ -36,7 +37,7 @@ variable "PERMIT_API_KEY" {
 }
 
 provider "permitio" {
-  api_url = "https://api.permit.io"
+  api_url = "${getPermitApiUrl()}"
   api_key = var.PERMIT_API_KEY
 }
 `;

source/commands/login.tsx

@@ -2,7 +2,8 @@ import React, { useCallback, useEffect, useState } from 'react';
 import { Text } from 'ink';
 import { type infer as zInfer, object, string } from 'zod';
 import { option } from 'pastel';
-import { saveAuthToken } from '../lib/auth.js';
+import { saveAuthToken, saveRegion } from '../lib/auth.js';
+import { setRegion } from '../config.js';
 import LoginFlow from '../components/LoginFlow.js';
 import EnvironmentSelection, {
 	ActiveState,
@@ -25,6 +26,14 @@ export const options = object({
 				description: 'Use predefined workspace to Login',
 			}),
 		),
+	region: string()
+		.optional()
+		.describe(
+			option({
+				description: 'Permit region: us or eu (default: us)',
+				alias: 'r',
+			}),
+		),
 });
 
 type Props = {
@@ -38,9 +47,14 @@ type Props = {
 };
 
 export default function Login({
-	options: { apiKey, workspace },
+	options: { apiKey, workspace, region },
 	loginSuccess,
 }: Props) {
+	// Set region IMMEDIATELY before anything else (synchronously)
+	if (region && (region === 'us' || region === 'eu')) {
+		setRegion(region as 'us' | 'eu');
+	}
+
 	const [state, setState] = useState<'login' | 'signup' | 'env' | 'done'>(
 		'login',
 	);
@@ -51,6 +65,13 @@ export default function Login({
 	const [organization, setOrganization] = useState<string>('');
 	const [environment, setEnvironment] = useState<string>('');
 
+	// Save region to keystore after successful login
+	useEffect(() => {
+		if (region && (region === 'us' || region === 'eu')) {
+			saveRegion(region as 'us' | 'eu');
+		}
+	}, [region]);
+
 	const onEnvironmentSelectSuccess = useCallback(
 		async (
 			organisation: ActiveState,

source/components/AuthProvider.tsx

@@ -13,7 +13,7 @@ import React, {
 	useState,
 } from 'react';
 import { Text, Newline } from 'ink';
-import { loadAuthToken } from '../lib/auth.js';
+import { loadAuthToken, loadRegion } from '../lib/auth.js';
 import Login from '../commands/login.js';
 import {
 	ApiKeyCreate,
@@ -131,6 +131,11 @@ export function AuthProvider({
 			redirect_scope: 'organization' | 'project' | 'login',
 		) => {
 			try {
+				// Load region from storage BEFORE validating API key
+				await loadRegion().catch(() => {
+					// Ignore errors - will default to 'us'
+				});
+
 				const token = await loadAuthToken();
 				const {
 					valid,
@@ -188,6 +193,11 @@ export function AuthProvider({
 	useEffect(() => {
 		if (state === 'validate') {
 			(async () => {
+				// Load region from storage BEFORE validating API key
+				await loadRegion().catch(() => {
+					// Ignore errors - will default to 'us'
+				});
+
 				const {
 					valid,
 					scope: keyScope,

source/components/policy/CreateSimpleWizard.tsx

@@ -30,6 +30,10 @@ export default function CreateSimpleWizard({
 	const parsedActions = useParseActions(presentActions);
 	const parsedRoles = useParseRoles(presentRoles);
 
+	// Track if preset data has been processed
+	const [hasProcessedPresetData, setHasProcessedPresetData] =
+		React.useState(false);
+
 	// Initialize step based on preset values
 	const getInitialStep = () => {
 		if (presentResources && presentActions && presentRoles) return 'complete';
@@ -109,10 +113,13 @@ export default function CreateSimpleWizard({
 	};
 
 	const handleRolesComplete = useCallback(
-		async (roles: components['schemas']['RoleCreate'][]) => {
+		async (
+			roles: components['schemas']['RoleCreate'][],
+			resourcesToCreate?: components['schemas']['ResourceCreate'][],
+		) => {
 			setStatus('processing');
 			try {
-				await createBulkResources(resources);
+				await createBulkResources(resourcesToCreate || resources);
 				await createBulkRoles(roles);
 				setStatus('success');
 				setResources([]);
@@ -125,6 +132,9 @@ export default function CreateSimpleWizard({
 	);
 
 	useEffect(() => {
+		// Only process preset data once
+		if (hasProcessedPresetData) return;
+
 		const processPresetData = async () => {
 			if (presentResources && presentActions && presentRoles) {
 				try {
@@ -133,7 +143,8 @@ export default function CreateSimpleWizard({
 						actions: parsedActions,
 					}));
 					setResources(resourcesWithActions);
-					await handleRolesComplete(parsedRoles);
+					setHasProcessedPresetData(true);
+					await handleRolesComplete(parsedRoles, resourcesWithActions);
 				} catch (err) {
 					handleError((err as Error).message);
 				}
@@ -143,19 +154,24 @@ export default function CreateSimpleWizard({
 					actions: parsedActions,
 				}));
 				setResources(resourcesWithActions);
+				setHasProcessedPresetData(true);
 			}
 		};
 
-		processPresetData();
+		if (
+			(presentResources && presentActions && presentRoles) ||
+			(presentResources && presentActions)
+		) {
+			processPresetData();
+		}
+		// eslint-disable-next-line react-hooks/exhaustive-deps
 	}, [
 		presentResources,
 		presentActions,
 		presentRoles,
 		parsedResources,
 		parsedActions,
 		parsedRoles,
-		handleRolesComplete,
-		handleError,
 	]);
 
 	return (

source/components/policy/create/TerraformGenerator.tsx

@@ -1,4 +1,5 @@
 import { PolicyData } from './types.js';
+import { getPermitApiUrl } from '../../../config.js';
 
 interface TerraformGeneratorProps {
 	tableData: PolicyData;
@@ -37,7 +38,7 @@ export const generateTerraform = ({
 }
 
 provider "permitio" {
-  api_url = "https://api.permit.io"
+  api_url = "${getPermitApiUrl()}"
   api_key = "${authToken}"
 }
 

source/config.ts

@@ -1,21 +1,93 @@
 export const KEY_FILE_PATH = './permit.key';
 export const KEYSTORE_PERMIT_SERVICE_NAME = 'Permit.io';
 export const DEFAULT_PERMIT_KEYSTORE_ACCOUNT = 'PERMIT_DEFAULT_ENV';
-export const CLOUD_PDP_URL = 'https://cloudpdp.api.permit.io';
-export const PERMIT_API_URL = 'https://api.permit.io';
-export const PERMIT_API_STATISTICS_URL =
-	'https://pdp-statistics.api.permit.io/v2/stats';
-export const API_URL = 'https://api.permit.io/v2/';
-export const FACTS_API_URL = `${API_URL}facts/`;
-export const API_PDPS_CONFIG_URL = `${API_URL}pdps/me/config`;
-export const PERMIT_ORIGIN_URL = 'https://app.permit.io';
+export const REGION_KEYSTORE_ACCOUNT = 'PERMIT_REGION';
+
+// Region type
+export type PermitRegion = 'us' | 'eu';
+
+// Get region from environment variable or default to 'us'
+let currentRegion: PermitRegion =
+	(process.env['PERMIT_REGION'] as PermitRegion) || 'us';
+
+// Function to set the current region
+export const setRegion = (region: PermitRegion) => {
+	currentRegion = region;
+};
+
+// Function to get the current region
+export const getRegion = (): PermitRegion => {
+	return currentRegion;
+};
+
+// Function to get region-specific subdomain
+const getRegionSubdomain = (region: PermitRegion): string => {
+	return region === 'eu' ? 'eu.' : '';
+};
+
+// Region-aware URL getters
+export const getPermitApiUrl = (): string => {
+	const subdomain = getRegionSubdomain(currentRegion);
+	return `https://api.${subdomain}permit.io`;
+};
+
+export const getPermitOriginUrl = (): string => {
+	const subdomain = getRegionSubdomain(currentRegion);
+	return `https://app.${subdomain}permit.io`;
+};
+
+export const getAuthPermitDomain = (): string => {
+	const subdomain = getRegionSubdomain(currentRegion);
+	return `app.${subdomain}permit.io`;
+};
+
+export const getCloudPdpUrl = (): string => {
+	if (currentRegion === 'eu') {
+		return 'https://cloudpdp.api.eu-central-1.permit.io';
+	}
+	return 'https://cloudpdp.api.permit.io';
+};
+
+export const getPermitApiStatisticsUrl = (): string => {
+	if (currentRegion === 'eu') {
+		return 'https://pdp-statistics.api.eu-central-1.permit.io/v2/stats';
+	}
+	return 'https://pdp-statistics.api.permit.io/v2/stats';
+};
+
+export const getApiUrl = (): string => {
+	return `${getPermitApiUrl()}/v2/`;
+};
+
+export const getFactsApiUrl = (): string => {
+	return `${getApiUrl()}facts/`;
+};
+
+export const getApiPdpsConfigUrl = (): string => {
+	return `${getApiUrl()}pdps/me/config`;
+};
+
+export const getAuthApiUrl = (): string => {
+	return `${getPermitApiUrl()}/v1/`;
+};
+
+// Legacy exports (maintain backwards compatibility)
+export const CLOUD_PDP_URL = getCloudPdpUrl();
+export const PERMIT_API_URL = getPermitApiUrl();
+export const PERMIT_API_STATISTICS_URL = getPermitApiStatisticsUrl();
+export const API_URL = getApiUrl();
+export const FACTS_API_URL = getFactsApiUrl();
+export const API_PDPS_CONFIG_URL = getApiPdpsConfigUrl();
+export const PERMIT_ORIGIN_URL = getPermitOriginUrl();
+export const AUTH_PERMIT_DOMAIN = getAuthPermitDomain();
+export const AUTH_API_URL = getAuthApiUrl();
 
 export const AUTH_REDIRECT_HOST = 'localhost';
 export const AUTH_REDIRECT_PORT = 62419;
 export const AUTH_REDIRECT_URI = `http://${AUTH_REDIRECT_HOST}:${AUTH_REDIRECT_PORT}`;
-export const AUTH_PERMIT_DOMAIN = 'app.permit.io';
-export const AUTH_API_URL = 'https://api.permit.io/v1/';
+// auth.permit.io is common for both regions
 export const AUTH_PERMIT_URL = 'https://auth.permit.io';
+export const AUTH0_AUDIENCE = 'https://api.permit.io/v1/'; // Auth0 audience is shared across all regions
 
 export const TERRAFORM_PERMIT_URL =
 	'https://permit-cli-terraform.up.railway.app';

source/hooks/export/PermitSDK.ts

@@ -1,5 +1,6 @@
 import { Permit } from 'permitio';
 import React from 'react';
+import { getPermitApiUrl } from '../../config.js';
 
 export const usePermitSDK = (
 	token: string,
@@ -10,6 +11,7 @@ export const usePermitSDK = (
 			new Permit({
 				token,
 				pdp: pdpUrl,
+				apiUrl: getPermitApiUrl(),
 			}),
 		[token, pdpUrl],
 	);

source/hooks/useClient.ts

@@ -1,5 +1,9 @@
 import type { paths } from '../lib/api/v1.js';
-import { CLOUD_PDP_URL, PERMIT_API_URL, PERMIT_ORIGIN_URL } from '../config.js';
+import {
+	getCloudPdpUrl,
+	getPermitApiUrl,
+	getPermitOriginUrl,
+} from '../config.js';
 import type { paths as PdpPaths } from '../lib/api/pdp-v1.js';
 
 import createClient, {
@@ -308,10 +312,10 @@ const useClient = () => {
 
 	const authenticatedApiClient = useCallback(() => {
 		const client = createClient<paths>({
-			baseUrl: PERMIT_API_URL,
+			baseUrl: getPermitApiUrl(),
 			headers: {
 				Accept: '*/*',
-				Origin: PERMIT_ORIGIN_URL,
+				Origin: getPermitOriginUrl(),
 				'Content-Type': 'application/json',
 				Authorization: `Bearer ${globalTokenGetterSetter.tokenGetter()}`,
 			},
@@ -321,7 +325,7 @@ const useClient = () => {
 
 	const authenticatedPdpClient = useCallback((pdp_url?: string) => {
 		const client = createClient<PdpPaths>({
-			baseUrl: pdp_url ?? CLOUD_PDP_URL,
+			baseUrl: pdp_url ?? getCloudPdpUrl(),
 			headers: {
 				Accept: '*/*',
 				'Content-Type': 'application/json',
@@ -503,10 +507,10 @@ const useClient = () => {
 		cookie?: string | null,
 	) => {
 		const client = createClient<paths>({
-			baseUrl: PERMIT_API_URL,
+			baseUrl: getPermitApiUrl(),
 			headers: {
 				Accept: '*/*',
-				Origin: PERMIT_ORIGIN_URL,
+				Origin: getPermitOriginUrl(),
 				'Content-Type': 'application/json',
 				Authorization: `Bearer ${accessToken}`,
 				Cookie: cookie,