feat(cloudflare): Hyperdrive → AWS Aurora example + ref-bindable bindings #645
Draft
sam-goodwin wants to merge 3 commits into
Cross-cloud story: a Cloudflare Worker reaching AWS RDS Aurora through
Hyperdrive, with Drizzle migrations applied via the RDS Data API.
- Resource binding by ref: a Worker can now bind a resource created in
another stack/provider via `SomeResource.ref(id, { stack })` — the bind
tagged-template resolves a RefExpr to its `resourceId`, and `RefExpr`
exposes `LogicalId`. This keeps AWS requirements/credentials out of the
Worker (a Worker has no AWS env at runtime), which is what makes a
Worker→AWS-backed-Hyperdrive binding possible.
- example `cloudflare-aurora-hyperdrive`: infra stack (Aurora + Hyperdrive)
+ app stack (Worker binding the Hyperdrive by ref). Public-firewall path
is implemented and live-tested end to end (deploy → CRUD over
Hyperdrive → Aurora → destroy). The Tunnel + Access (private) path is
documented with trade-offs and scaffolded (cloudflared Dockerfile),
implementation in progress.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Install the packages built from this commit:
- alchemy: bun add alchemy@https://pkg.ing/alchemy/60ee787
- @alchemy.run/better-auth: bun add @alchemy.run/better-auth@https://pkg.ing/@alchemy.run/better-auth/60ee787
- @alchemy.run/pr-package: bun add @alchemy.run/pr-package@https://pkg.ing/@alchemy.run/pr-package/60ee787
cloudflared on ECS Fargate + Cloudflare Tunnel (TCP) + Access (self-hosted app, Service-Auth policy, service token) fronting a private Aurora cluster, with Hyperdrive using an Access-protected origin. Adds tunnel-infra/tunnel-app stacks and a zone-gated tunnel suite to the integ test.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Tunnel + Access (private) path now provisions and round-trips CRUD end to end: Worker → Hyperdrive → Access → Tunnel → cloudflared (ECS) → private Aurora.
- cloudflared on Fargate: pin `runtimePlatform` to the deploy host's arch so Fargate can pull the locally-built image (arm64 Macs → Graviton).
- SecurityGroup: allow cloudflared's outbound Tunnel control plane on 7844 (QUIC/UDP + HTTP2/TCP) — without it the connector never registers.
- Resolve the zone via `findZoneByName` (default `alchemy-test-2.us`) instead of requiring a `CLOUDFLARE_ZONE_ID` env var.
- Add `scripts/enable-universal-ssl.ts`: `bun nuke` can leave a test zone with Universal SSL "enabled" but zero cert packs (no edge cert), which makes Hyperdrive's create-time validation fail with HANDSHAKE_FAILURE_ON_CLIENT_HELLO. The script re-orders the universal cert (toggle off→on) and waits for an active pack. Documented in the README.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
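The "enabled but zero cert packs" recovery that the commit above describes, as an added illustrative example: this is not the PR's `scripts/enable-universal-ssl.ts` and it does not call the Cloudflare API. The `UniversalSslApi` interface, the `fakeZone` stand-in and the `pack-1` identifier are assumptions chosen so the decision logic (re-order only when no pack exists, then poll for an active pack with a bound on attempts) can run offline.

```typescript
// Added example, not the project's code. Models the Universal SSL recovery:
// a zone that reports Universal SSL "enabled" but owns no certificate pack has
// no edge certificate to present, so TLS to the zone fails at ClientHello.
// Toggling Universal SSL off then on makes a fresh pack get ordered; we then
// poll until a pack is active, with a hard cap so a stuck order cannot hang.

interface CertPack {
  id: string;
  status: string; // e.g. "pending_validation", "active" (assumed values)
}

// Assumed minimal zone API surface; the real script talks to Cloudflare instead.
interface UniversalSslApi {
  universalEnabled(): boolean;
  setUniversalEnabled(on: boolean): void;
  listCertPacks(): CertPack[];
}

interface Outcome {
  action: "none" | "reordered";
  polls: number;
  activePack: string;
}

function findActive(packs: CertPack[]): CertPack | undefined {
  return packs.find((p) => p.status === "active");
}

// Ensure the zone has an active Universal SSL certificate pack.
function ensureActiveUniversalCert(api: UniversalSslApi, maxPolls: number): Outcome {
  const already = findActive(api.listCertPacks());
  if (already) return { action: "none", polls: 0, activePack: already.id };

  // Only re-order when there is genuinely nothing to wait for: Universal SSL
  // is off, or it is "enabled" with zero packs (the post-nuke state).
  if (!api.universalEnabled() || api.listCertPacks().length === 0) {
    api.setUniversalEnabled(false);
    api.setUniversalEnabled(true);
  }

  for (let i = 1; i <= maxPolls; i++) {
    const active = findActive(api.listCertPacks());
    if (active) return { action: "reordered", polls: i, activePack: active.id };
  }
  throw new Error(`no active Universal SSL certificate pack after ${maxPolls} polls`);
}

// Constructed fake zone: starts "enabled" with zero packs. A re-order creates a
// pending pack that becomes active after `issueAfter` list calls.
function fakeZone(issueAfter: number): UniversalSslApi {
  let enabled = true;
  let pack: CertPack | null = null;
  let polls = 0;
  return {
    universalEnabled: () => enabled,
    setUniversalEnabled(on: boolean) {
      enabled = on;
      if (!on) pack = null;
      else if (pack === null) pack = { id: "pack-1", status: "pending_validation" };
    },
    listCertPacks() {
      if (pack && pack.status !== "active" && ++polls >= issueAfter) pack.status = "active";
      return pack ? [pack] : [];
    },
  };
}

// Usage: a pack that activates on the third poll succeeds; a pack that never
// activates within the cap surfaces as an error instead of an endless wait.
const ok = ensureActiveUniversalCert(fakeZone(3), 10); // { action: "reordered", polls: 3, activePack: "pack-1" }
console.log(ok);
```

The cap on polls matters operationally: a validation that never completes should fail the deploy loudly rather than leave Hyperdrive creation retrying against a zone with no edge certificate.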
Stacked on #640. Adds the Cloudflare → AWS Aurora story: a Worker reaching Aurora through Hyperdrive, with Drizzle migrations applied via the RDS Data API.
Ref-bindable resources (framework)
A Cloudflare Worker can't carry AWS requirements in its init — a deployed Worker has no AWS credentials at runtime — so it can't bind a Hyperdrive whose origin is created from an AWS resource the usual way. The fix lets a Worker bind a resource by reference into another stack, so the AWS side stays in its own stack and the Worker bundle stays Cloudflare-only:
- `Resource.ts` — the `` host.bind`...` `` tagged-template resolves a `RefExpr` to its `resourceId` for the binding key.
- `Output.ts` — `RefExpr` exposes `LogicalId` (binding metadata reads it; it was `undefined` for refs).
Example — examples/cloudflare-aurora-hyperdrive
Two stacks: infra (Aurora + `Drizzle.Schema` + `AWS.RDS.Schema` migrations + the Hyperdrive) and app (the Worker binding the Hyperdrive by ref). Deploy infra → app.
Public-firewall path — implemented + live-tested (deploy both stacks → user CRUD over Worker → Hyperdrive → Aurora → destroy, all green; verified via curl). The Hyperdrive's origin is gated on the migration resource so Cloudflare's connect-time validation runs only after the writer is reachable.
Tunnel + Access path — documented + scaffolded (WIP). Keeps Aurora private behind `cloudflared` (ECS) + a Cloudflare Tunnel + Access. The README documents both paths with security/perf trade-offs.
Status
Draft: the Tunnel + Access path is documented and scaffolded (cloudflared Dockerfile) but not yet implemented/live-tested. The public path and the framework change are complete and validated against real AWS + Cloudflare.
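The bind-by-ref mechanism the PR body describes (a binding key resolved from either a concrete resource or a `RefExpr`, so that a Worker bundle never inherits the AWS requirements of the stack that created the Hyperdrive's origin), as an added illustrative model. This is not Alchemy's code: the `Resource`, `RefExpr`, `ref`, `bind` and `checkRuntimeProviders` names, the binding-name syntax inside the template, and the sample Aurora/Hyperdrive resources are assumptions that mirror the description, not the framework's API.

```typescript
// Added example, not the project's code: a toy model of binding a Worker to a
// resource by reference so that the Worker bundle carries no AWS requirements.

type Provider = "cloudflare" | "aws";

// A concrete resource as it exists in the stack that created it. `requires`
// lists the provider credentials needed at deploy time to create or update it.
interface Resource {
  kind: "resource";
  stack: string;
  logicalId: string;
  resourceId: string;
  requires: Provider[];
}

// A cross-stack reference. It carries only the identifiers a consumer needs to
// bind and none of the provider credentials of the stack that owns the resource.
interface RefExpr {
  kind: "ref";
  stack: string;
  logicalId: string;
  resourceId: string;
}

type Bindable = Resource | RefExpr;

interface Binding {
  name: string;
  resourceId: string;
  logicalId: string;
}

// What a Worker bundle would ship with: its bindings and the providers it needs.
interface Bundle {
  bindings: Binding[];
  requires: Provider[];
}

// Build a RefExpr for a resource that lives in another stack (assumed API shape).
function ref(target: Resource, opts: { stack: string }): RefExpr {
  return { kind: "ref", stack: opts.stack, logicalId: target.logicalId, resourceId: target.resourceId };
}

// Tagged template: the literal text before each interpolation names the binding,
// e.g. bind`HYPERDRIVE=${hd}`. Each interpolated value is a Resource or a RefExpr;
// both resolve to the same key, but only a concrete Resource pulls in providers.
function bind(strings: TemplateStringsArray, ...values: Bindable[]): Bundle {
  const bindings: Binding[] = [];
  const requires = new Set<Provider>();
  values.forEach((value, i) => {
    const name = strings[i].replace(/[=:\s]+$/, "").trim().split(/\s+/).pop() ?? "";
    if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) throw new Error(`bad binding name in "${strings[i]}"`);
    bindings.push({ name, resourceId: value.resourceId, logicalId: value.logicalId });
    if (value.kind === "resource") value.requires.forEach((p) => requires.add(p));
  });
  return { bindings, requires: Array.from(requires).sort() };
}

// Providers a bundle needs that the runtime cannot supply (a Worker has no AWS env).
function checkRuntimeProviders(bundle: Bundle, available: Provider[]): Provider[] {
  return bundle.requires.filter((p) => !available.includes(p));
}

// Constructed sample: the infra stack owns Aurora (AWS) and a Hyperdrive whose
// origin is derived from Aurora, so creating it needs AWS as well as Cloudflare.
const aurora: Resource = {
  kind: "resource", stack: "infra", logicalId: "Aurora", resourceId: "cluster-abc", requires: ["aws"],
};
const hyperdrive: Resource = {
  kind: "resource", stack: "infra", logicalId: "Hyperdrive", resourceId: "hd-123",
  requires: ["cloudflare", ...aurora.requires],
};

// Binding the concrete resource drags AWS into the Worker's requirements.
const direct = bind`HYPERDRIVE=${hyperdrive}`;
// Binding by ref keeps only the identifiers; the AWS side stays in its own stack.
const byRef = bind`HYPERDRIVE=${ref(hyperdrive, { stack: "infra" })}`;

const workerProviders: Provider[] = ["cloudflare"];
console.log("direct, missing at runtime:", checkRuntimeProviders(direct, workerProviders)); // ["aws"]
console.log("by ref, missing at runtime:", checkRuntimeProviders(byRef, workerProviders));  // []
```

The check is the useful part for a reviewer: a bundle whose `requires` includes a provider the runtime cannot satisfy should fail at build time, not surface as a missing-credential error inside a deployed Worker.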