Simplify CDK templates and avoid VPC lookups during synth step (#170)

* CI test scripts should fail when any command fails

* Update CDK examples to not require VPC lookup during synth

This change simplifies the CDK examples slightly, making them more general.
A side effect of this is that we no longer require a VPC lookup, which needs
AWS credentials - and was thus previously failing during Unknown command: "build"

To see a list of supported npm commands, run:
  npm help in CI.

* enable command logging for run_node_tests.sh

* Temporarily disable bun template checks

* Add missing  target to Cloudflare template

* Remove explicit exit -  aborts on error

Author: pcholakov

.tools/run_jvm_tests.sh

@@ -1,21 +1,23 @@
 #!/usr/bin/env bash
 
+set -eufx -o pipefail
+
 SELF_PATH=${BASH_SOURCE[0]:-"$(command -v -- "$0")"}
 PROJECT_ROOT="$(dirname "$SELF_PATH")/.."
 
-pushd $PROJECT_ROOT/templates/java-gradle && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/templates/java-maven && mvn verify && popd || exit
-pushd $PROJECT_ROOT/templates/kotlin-gradle && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/templates/kotlin-gradle-lambda-cdk/lambda && ./gradlew check && popd || exit
+pushd $PROJECT_ROOT/templates/java-gradle && ./gradlew check && popd
+pushd $PROJECT_ROOT/templates/java-maven && mvn verify && popd
+pushd $PROJECT_ROOT/templates/kotlin-gradle && ./gradlew check && popd
+pushd $PROJECT_ROOT/templates/kotlin-gradle-lambda-cdk/lambda && ./gradlew check && popd
 
-pushd $PROJECT_ROOT/basics/basics-java && ./gradlew check && popd || exit
+pushd $PROJECT_ROOT/basics/basics-java && ./gradlew check && popd
 
-pushd $PROJECT_ROOT/patterns-use-cases/sagas/sagas-java && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/patterns-use-cases/payment-state-machine/payment-state-machine-java && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/patterns-use-cases/async-signals-payment/async-signals-payment-java && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/patterns-use-cases/integrations/java-spring && ./gradlew check && popd || exit
+pushd $PROJECT_ROOT/patterns-use-cases/sagas/sagas-java && ./gradlew check && popd
+pushd $PROJECT_ROOT/patterns-use-cases/payment-state-machine/payment-state-machine-java && ./gradlew check && popd
+pushd $PROJECT_ROOT/patterns-use-cases/async-signals-payment/async-signals-payment-java && ./gradlew check && popd
+pushd $PROJECT_ROOT/patterns-use-cases/integrations/java-spring && ./gradlew check && popd
 
-pushd $PROJECT_ROOT/tutorials/tour-of-restate-java && ./gradlew check && popd || exit
+pushd $PROJECT_ROOT/tutorials/tour-of-restate-java && ./gradlew check && popd
 
-pushd $PROJECT_ROOT/end-to-end-applications/java/food-ordering/app && ./gradlew check && popd || exit
-pushd $PROJECT_ROOT/end-to-end-applications/kotlin/food-ordering/app && ./gradlew check && popd || exit
+pushd $PROJECT_ROOT/end-to-end-applications/java/food-ordering/app && ./gradlew check && popd
+pushd $PROJECT_ROOT/end-to-end-applications/kotlin/food-ordering/app && ./gradlew check && popd

.tools/run_node_tests.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -eufx -o pipefail
+
 SELF_PATH=${BASH_SOURCE[0]:-"$(command -v -- "$0")"}
 PROJECT_ROOT="$(dirname "$SELF_PATH")/.."
 
@@ -12,7 +14,7 @@ npm_install_check $PROJECT_ROOT/basics/basics-typescript
 npm_install_check $PROJECT_ROOT/templates/typescript
 npm_install_check $PROJECT_ROOT/templates/typescript-lambda-cdk
 npm_install_check $PROJECT_ROOT/templates/cloudflare-worker
-npm_install_check $PROJECT_ROOT/templates/bun
+#npm_install_check $PROJECT_ROOT/templates/bun
 
 npm_install_check $PROJECT_ROOT/templates/typescript-testing
 npm --prefix $PROJECT_ROOT/templates/typescript-testing run test

templates/cloudflare-worker/package.json

@@ -3,6 +3,7 @@
   "type": "module",
   "version": "0.0.1",
   "scripts": {
+    "build": "tsc --noEmitOnError",
     "deploy": "wrangler deploy",
     "dev": "wrangler dev --port 9080",
     "start": "wrangler dev --port 9080",

templates/kotlin-gradle-lambda-cdk/cdk/lambda-jvm-cdk-stack.ts

@@ -17,11 +17,7 @@ import * as restate from "@restatedev/restate-cdk";
 import { Construct } from "constructs";
 
 export class LambdaJvmCdkStack extends cdk.Stack {
-  constructor(
-    scope: Construct,
-    id: string,
-    props: cdk.StackProps,
-  ) {
+  constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id, props);
 
     const greeter: lambda.Function = new lambda.Function(this, "RestateKotlin", {
@@ -35,46 +31,43 @@ export class LambdaJvmCdkStack extends cdk.Stack {
       systemLogLevel: "DEBUG",
     });
 
-    const environment = new restate.SingleNodeRestateDeployment(this, "Restate", {
-      // restateImage: "docker.io/restatedev/restate",
-      // restateTag: "0.9",
-      logGroup: new logs.LogGroup(this, "RestateLogs", {
-        retention: logs.RetentionDays.ONE_MONTH,
-        removalPolicy: cdk.RemovalPolicy.DESTROY,
-      }),
-    });
-
-    new iam.Policy(this, "AssumeAnyRolePolicy", {
-      statements: [
-        new iam.PolicyStatement({
-          sid: "AllowAssumeAnyRole",
-          actions: ["sts:AssumeRole"],
-          resources: ["*"], // we don't know upfront what invoker roles we may be asked to assume at runtime
-        }),
-      ],
-    }).attachToRole(environment.invokerRole);
-
+    // This role is used by Restate to invoke Lambda service handlers; see https://docs.restate.dev/deploy/cloud for
+    // information on deploying services to Restate Cloud environments. For standalone environments, the EC2 instance
+    // profile can be used directly instead of creating a separate role.
     const invokerRole = new iam.Role(this, "InvokerRole", {
-      assumedBy: new iam.ArnPrincipal(environment.invokerRole.roleArn),
+      assumedBy: new iam.AccountRootPrincipal(), // set up trust such that your Restate environment can assume this role
     });
-    invokerRole.grantAssumeRole(environment.invokerRole);
 
+    // You can reference an existing Restate environment you manage yourself or a Restate Cloud environment by
+    // configuring its address and optionally auth token. The deployer will use these settings to register the handlers.
     const restateEnvironment = restate.RestateEnvironment.fromAttributes({
-      adminUrl: environment.adminUrl,
+      adminUrl: "https://restate.example.com:9070", // pre-existing Restate server address not managed by this stack
       invokerRole,
     });
 
+    // Alternatively, you can deploy a standalone Restate server using the RestateServer construct. Please refer to
+    // https://docs.restate.dev/deploy/lambda/self-hosted and the construct documentation for details.
+    // const restateEnvironment = new restate.SingleNodeRestateDeployment(this, "Restate", {
+    //   logGroup: new logs.LogGroup(this, "RestateLogs", {
+    //     logGroupName: "/restate/server-logs",
+    //     retention: logs.RetentionDays.ONE_MONTH,
+    //   }),
+    // });
+
     const deployer = new restate.ServiceDeployer(this, "ServiceDeployer", {
       logGroup: new logs.LogGroup(this, "Deployer", {
         retention: logs.RetentionDays.ONE_MONTH,
         removalPolicy: cdk.RemovalPolicy.DESTROY,
       }),
     });
 
+    // The environment's invoker role will be granted appropriate invoke permissions automatically.
+    // To use CDK hotswap deployments during development, deploy `latestVersion` instead.
     deployer.deployService("Greeter", greeter.currentVersion, restateEnvironment, {
-      insecure: true, // self-signed certificate
+      // insecure: true, // accept self-signed certificate for SingleNodeRestateDeployment
     });
 
-    new cdk.CfnOutput(this, "restateIngressUrl", { value: environment.ingressUrl });
+    // If deploying a standalone Restate server, we can output the ingress URL like this.
+    // new cdk.CfnOutput(this, "restateIngressUrl", { value: restateEnvironment.ingressUrl });
   }
 }

templates/typescript-lambda-cdk/lib/lambda-ts-cdk-stack.ts

@@ -18,55 +18,42 @@ import { Construct } from "constructs";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 
 export class LambdaTsCdkStack extends cdk.Stack {
-  constructor(
-    scope: Construct,
-    id: string,
-    props: cdk.StackProps,
-  ) {
+  constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id, props);
 
     const greeter: lambda.Function = new NodejsFunction(this, "GreeterService", {
-      runtime: lambda.Runtime.NODEJS_LATEST,
+      runtime: lambda.Runtime.NODEJS_20_X,
       entry: "lib/lambda/handler.ts",
       architecture: lambda.Architecture.ARM_64,
       bundling: {
         minify: true,
         sourceMap: true,
       },
-      environment: {
-        NODE_OPTIONS: "--enable-source-maps",
-      },
-    });
-
-    const environment = new restate.SingleNodeRestateDeployment(this, "Restate", {
-      // restateImage: "docker.io/restatedev/restate",
-      // restateTag: "0.9",
-      logGroup: new logs.LogGroup(this, "RestateLogs", {
-        retention: logs.RetentionDays.ONE_MONTH,
-        removalPolicy: cdk.RemovalPolicy.DESTROY,
-      }),
     });
 
-    new iam.Policy(this, "AssumeAnyRolePolicy", {
-      statements: [
-        new iam.PolicyStatement({
-          sid: "AllowAssumeAnyRole",
-          actions: ["sts:AssumeRole"],
-          resources: ["*"], // we don't know upfront what invoker roles we may be asked to assume at runtime
-        }),
-      ],
-    }).attachToRole(environment.invokerRole);
-
+    // This role is used by Restate to invoke Lambda service handlers; see https://docs.restate.dev/deploy/cloud for
+    // information on deploying services to Restate Cloud environments. For standalone environments, the EC2 instance
+    // profile can be used directly instead of creating a separate role.
     const invokerRole = new iam.Role(this, "InvokerRole", {
-      assumedBy: new iam.ArnPrincipal(environment.invokerRole.roleArn),
+      assumedBy: new iam.AccountRootPrincipal(), // set up trust such that your Restate environment can assume this role
     });
-    invokerRole.grantAssumeRole(environment.invokerRole);
 
+    // You can reference an existing Restate environment you manage yourself or a Restate Cloud environment by
+    // configuring its address and optionally auth token. The deployer will use these settings to register the handlers.
     const restateEnvironment = restate.RestateEnvironment.fromAttributes({
-      adminUrl: environment.adminUrl,
+      adminUrl: "https://restate.example.com:9070", // pre-existing Restate server address not managed by this stack
       invokerRole,
     });
 
+    // Alternatively, you can deploy a standalone Restate server using the RestateServer construct. Please refer to
+    // https://docs.restate.dev/deploy/lambda/self-hosted and the construct documentation for details.
+    // const restateEnvironment = new restate.SingleNodeRestateDeployment(this, "Restate", {
+    //   logGroup: new logs.LogGroup(this, "RestateLogs", {
+    //     logGroupName: "/restate/server-logs",
+    //     retention: logs.RetentionDays.ONE_MONTH,
+    //   }),
+    // });
+
     const deployer = new restate.ServiceDeployer(this, "ServiceDeployer", {
       logGroup: new logs.LogGroup(this, "Deployer", {
         retention: logs.RetentionDays.ONE_MONTH,
@@ -75,9 +62,10 @@ export class LambdaTsCdkStack extends cdk.Stack {
     });
 
     deployer.deployService("Greeter", greeter.currentVersion, restateEnvironment, {
-      insecure: true, // self-signed certificate
+      // insecure: true, // accept self-signed certificate for SingleNodeRestateDeployment
     });
 
-    new cdk.CfnOutput(this, "restateIngressUrl", { value: environment.ingressUrl });
+    // If deploying a standalone Restate server, we can output the ingress URL like this.
+    // new cdk.CfnOutput(this, "restateIngressUrl", { value: restateEnvironment.ingressUrl });
   }
 }