feat(endpoint-exposer): per-route groups and header-based authorization — spec needs cleanup #18
Open
sebastiancorrea81 wants to merge 103 commits into
Conversation
feat: implement external dns and httproute
feat: change logic to get specification id
feat: add switch for different dns types
feat: add switch for different dns types
feat: add endpoint exposer service specs
feat: add domain editable
feat: add domain editable
feat: implement new route schema
feat: implement new route schema
feat: implement new route schema
feat: implement new route schema
feat: implement new route schema
feat: implement new route schema
fix: get scope
fix: get scope
fix: path
fix: get httproute if exists
fix: get httproute if exists
fix: get httproute rules
feat: implement echo for link and unlink
feat: implement echo for link and unlink
feat: implement echo for link and unlink
feat: implement echo for link and unlink
feat: implement echo for link and unlink
chore: change service slug
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: update flow
feat: accept prefix and reg ex
…ayout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…orm input Remove scope from the link creation form. The scope is now automatically derived by matching the link's service dimensions against available application scopes (excluding deleted ones). The resolved scope is stored in link results so it appears in the read view. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Link form now uses a routes array (method, path, visibility, groups
per route) matching the original service spec UI pattern
- HTTPRoutes split by visibility: ee-link-{id}-public / -private
- One Cedar policy created per route; all IDs stored as policy_ids array
- Delete cleans up both HTTPRoute variants and all policy IDs
- scope field removed from form (inferred from service dimensions)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… limit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add description field to routes to force provider diff detection. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…reuse - Entrypoint: map update action type to link-update workflow - build_link_context: reuse stored HTTPROUTE_NAME and SCOPE on update - link-update.yaml: delete old policies, rebuild HTTPRoute, create new policies Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- build_link_context: derive HTTPROUTE_NAME from link.id (stable) instead of action.id (changes on every update) - delete_link_policies_by_name: search AVP by HTTPROUTE_NAME in description instead of relying on stored policy_ids - link-update.yaml: use delete_link_policies_by_name for cleanup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
np service workflow exec treats intermediate steps without output or configuration as terminal. Adding POLICIES_DELETED output keeps the pipeline flowing to build httproute and create avp policy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When np service workflow exec sources scripts, exit 0 kills the parent workflow process and skips remaining steps. Replace early exit 0 paths with if/else blocks so the workflow continues normally. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds avp_policy_store_id as an optional service parameter. If left empty during creation, a new AVP policy store is automatically provisioned and its ID is stored in service results for subsequent actions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Routes visibility was redundant since the gateway is already determined by the scope type (internal → gateway-private, external → gateway-public). Simplified build_link_httproute to use a single HTTPRoute per link, selecting the gateway based on scope.service.attributes.visibility. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ributes delete_link_policy silently skipped deletion when ACTION_LINK_ATTRIBUTES_POLICY_IDS was not stored. Now unlink.yaml builds context first (HTTPROUTE_NAME derived from stable LINK_ID) and uses delete_link_policies_by_name which searches AVP by name. delete_link_httproute also falls back to HTTPROUTE_NAME from context. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…g workflow exit 0 in sourced scripts kills the parent workflow process, causing apply and store service results steps to never run. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…yaml Having the step in both create.yaml (via include) and update.yaml was causing it to not run. Let the include mechanism inherit it from create.yaml. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
exit 0 in sourced scripts terminates the parent workflow process, preventing any steps after apply (store service results, store link results) from running. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
build_link_httproute now stamps each route with {scope: $SCOPE} before
sourcing process_routes, which needs the field to resolve the backend.
process_routes was looking up scopes by .slug but route configs always
reference scope names; align with the rest of the codebase (.name).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Link creation/update was failing with ResourceNotFoundException because AVP_POLICY_STORE_ID was falling back to a hardcoded default that does not exist in the target environment. - Add ensure_policy_store step to link.yaml and link-update.yaml so the store is created on demand if not already configured. - Extend ensure_policy_store to also look in .service.parameters so it picks up the ID stored by the service create/update workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ce.parameters In NullPlatform, service action results (stored via np service action update --results) are exposed as .service.attributes, not .service.parameters. Reading the wrong field caused build_link_context and ensure_policy_store to always get an empty ID, triggering a new policy store creation on every link action instead of reusing the one created during service setup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds delete_policy_store script and a new step in the delete workflow so the AVP policy store is cleaned up when a service is removed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The workflow runner only executes steps defined in the base (create.yaml) when using include. Added delete_policy_store as a placeholder step in create.yaml that skips by default, activated only in delete.yaml via DELETE_POLICY_STORE=true. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
np service action update --results only stores at the action level (ephemeral). Added np service patch to also write avp_policy_store_id to service.attributes so subsequent actions (delete) can find it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ensure_policy_store now calls np service patch immediately after creating the store, so the id is persisted even if later steps don't run - create.yaml: move store service results before delete avp policy store so it runs at step 8 (workflow appears to stop at that position) - delete.yaml: add type/file to apply step override so the runner can execute it and continue to delete avp policy store Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tion The workflow runner interprets explicit exit 0 as a signal to stop the entire workflow. Replace early exit with if/else so the script completes naturally and subsequent steps (apply, delete avp policy store) can run. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ema validation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ice stores The Lambda authorizer uses an infrastructure-managed policy store (provisioned by Terraform). Services now read the store ID from SSM on first run and cache it in service.attributes to avoid repeated SSM calls. The store is never deleted by service workflows — it is owned by infrastructure. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The store is now discovered automatically via SSM — users no longer need to provide or see this infrastructure detail when creating a service. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…of SSM lookup Simplifies the integration by removing the SSM dependency and IAM requirement. The operator provides the store ID (Terraform output policy_store_id) when creating the service. The field is required and only editable on create. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…eference security module Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

Experimental branch that adds a per-route `groups` field to the service spec, allowing access to routes to be restricted by user groups. Built on top of `feature/endpoint-exposer`.

Key changes relative to feature/endpoint-exposer

`specs/service-spec.json.tpl` adds:
- `groups` per route: array of groups authorized to access each route. If it is empty, the route is public.
- `authorization` in the spec, with `enabled`, `headerName` and `allowedValues`.

This branch contains hardcoded, client-specific content that must NOT reach main:
- `groups` are specific AD groups: `AWS_PlataformaUpstream_Gestor_Desa`, `AWS_PlataformaUpstream_Administrador_Desa`, etc.
- `publicDomain` and `privateDomain` are fixed to `idp.poc.nullapps.io`.
- `visible_to` uses `{{ env.Getenv "NRN" }}` instead of being configurable.
- `assignable_to: "dimension"` instead of `"any"`.

The idea behind the `groups` field is valuable, but the spec needs to be made generic before it can be merged.

Test plan
- `groups` should be a free-form array of strings or an enum configurable per instance
- `groups` to generate Istio `AuthorizationPolicy`
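As an added example (not code from this PR or the project), the per-route decision the description sketches, written out in Python: a route whose `groups` list is empty is public, any other route requires the caller to be in at least one listed group, and when the `authorization` block is enabled every route is also gated on the request header named by `headerName` carrying one of `allowedValues`. The spec layout, the `match` kinds (exact, prefix, regex, following the "accept prefix and reg ex" commit), the caller's group set and all sample values are assumptions.

```python
import re
from typing import Optional

# Constructed sample spec; it is not the project's specs/service-spec.json.tpl.
SPEC = {
    "authorization": {"enabled": True, "headerName": "X-Env", "allowedValues": ["desa", "qa"]},
    "routes": [
        {"method": "GET",  "path": "/health",      "match": "exact",  "groups": []},
        {"method": "GET",  "path": "/api/",        "match": "prefix", "groups": ["ops", "dev"]},
        {"method": "POST", "path": r"^/admin/.*$", "match": "regex",  "groups": ["admin"]},
    ],
}


def match_route(spec: dict, method: str, path: str) -> Optional[dict]:
    """Return the first route whose method and path pattern match, else None."""
    for route in spec["routes"]:
        if route["method"] != method:
            continue
        kind = route.get("match", "exact")  # assumed field; default is exact match
        if kind == "exact" and path == route["path"]:
            return route
        if kind == "prefix" and path.startswith(route["path"]):
            return route
        if kind == "regex" and re.fullmatch(route["path"], path):
            return route
    return None


def authorize(spec: dict, method: str, path: str, headers: dict, caller_groups: set) -> tuple:
    """Deny by default: unmatched routes, a bad header value, or no group overlap all deny."""
    route = match_route(spec, method, path)
    if route is None:
        return False, "no matching route"
    auth = spec.get("authorization", {})
    if auth.get("enabled"):
        # HTTP header names are case-insensitive, so normalise before the lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        if lowered.get(auth["headerName"].lower()) not in auth.get("allowedValues", []):
            return False, "header %s not in allowedValues" % auth["headerName"]
    required = set(route.get("groups", []))
    if not required:
        return True, "public route"          # empty groups list means public
    if required & caller_groups:
        return True, "group match"
    return False, "caller not in any required group"
```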