Add endpoint to generate registry credentials for a deployment

Author: myftija

apps/webapp/app/routes/api.v1.deployments.$deploymentId.generate-registry-credentials.ts

@@ -0,0 +1,100 @@
+import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import {
+  type GenerateRegistryCredentialsResponseBody,
+  ProgressDeploymentRequestBody,
+  tryCatch,
+} from "@trigger.dev/core/v3";
+import { z } from "zod";
+import { authenticateRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
+import { DeploymentService } from "~/v3/services/deployment.server";
+
+const ParamsSchema = z.object({
+  deploymentId: z.string(),
+});
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  if (request.method.toUpperCase() !== "POST") {
+    return json({ error: "Method Not Allowed" }, { status: 405 });
+  }
+
+  const parsedParams = ParamsSchema.safeParse(params);
+
+  if (!parsedParams.success) {
+    return json({ error: "Invalid params" }, { status: 400 });
+  }
+
+  const authenticationResult = await authenticateRequest(request, {
+    apiKey: true,
+    organizationAccessToken: false,
+    personalAccessToken: false,
+  });
+
+  if (!authenticationResult || !authenticationResult.result.ok) {
+    logger.info("Invalid or missing api key", { url: request.url });
+    return json({ error: "Invalid or Missing API key" }, { status: 401 });
+  }
+
+  const { environment: authenticatedEnv } = authenticationResult.result;
+  const { deploymentId } = parsedParams.data;
+
+  const [, rawBody] = await tryCatch(request.json());
+  const body = ProgressDeploymentRequestBody.safeParse(rawBody ?? {});
+
+  if (!body.success) {
+    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+  }
+
+  const deploymentService = new DeploymentService();
+
+  return await deploymentService.generateRegistryCredentials(authenticatedEnv, deploymentId).match(
+    (result) => {
+      return json(
+        {
+          username: result.username,
+          password: result.password,
+          expiresAt: result.expiresAt.toISOString(),
+          repositoryUri: result.repositoryUri,
+        } satisfies GenerateRegistryCredentialsResponseBody,
+        { status: 200 }
+      );
+    },
+    (error) => {
+      switch (error.type) {
+        case "deployment_not_found":
+          return json({ error: "Deployment not found" }, { status: 404 });
+        case "deployment_has_no_image_reference":
+          logger.error(
+            "Failed to generate registry credentials: deployment_has_no_image_reference",
+            { deploymentId }
+          );
+          return json({ error: "Deployment has no image reference" }, { status: 409 });
+        case "deployment_is_already_final":
+          return json(
+            { error: "Failed to generate registry credentials: deployment_is_already_final" },
+            { status: 409 }
+          );
+        case "missing_registry_credentials":
+          logger.error("Failed to generate registry credentials: missing_registry_credentials", {
+            deploymentId,
+          });
+          return json({ error: "Missing registry credentials" }, { status: 409 });
+        case "registry_not_supported":
+          logger.error("Failed to generate registry credentials: registry_not_supported", {
+            deploymentId,
+          });
+          return json({ error: "Registry not supported" }, { status: 409 });
+        case "registry_region_not_supported":
+          logger.error("Failed to generate registry credentials: registry_region_not_supported", {
+            deploymentId,
+          });
+          return json({ error: "Registry region not supported" }, { status: 409 });
+        case "other":
+        default:
+          error.type satisfies "other";
+          logger.error("Failed to generate registry credentials", { error: error.cause });
+          return json({ error: "Internal server error" }, { status: 500 });
+      }
+    }
+  );
+}

apps/webapp/app/services/platform.v3.server.ts

@@ -511,6 +511,24 @@ export async function setBillingAlert(
   return result;
 }
 
+export async function generateRegistryCredentials(
+  projectId: string,
+  region: "us-east-1" | "eu-central-1"
+) {
+  if (!client) return undefined;
+  const result = await client.generateRegistryCredentials(projectId, region);
+  if (!result.success) {
+    logger.error("Error generating registry credentials", {
+      error: result.error,
+      projectId,
+      region,
+    });
+    throw new Error("Failed to generate registry credentials");
+  }
+
+  return result;
+}
+
 function isCloud(): boolean {
   const acceptableHosts = [
     "https://cloud.trigger.dev",

apps/webapp/app/v3/services/deployment.server.ts

@@ -7,6 +7,7 @@ import { TimeoutDeploymentService } from "./timeoutDeployment.server";
 import { env } from "~/env.server";
 import { createRemoteImageBuild } from "../remoteImageBuilder.server";
 import { FINAL_DEPLOYMENT_STATUSES } from "./failDeployment.server";
+import { generateRegistryCredentials } from "~/services/platform.v3.server";
 
 export class DeploymentService extends BaseService {
   /**
@@ -231,4 +232,92 @@ export class DeploymentService extends BaseService {
       .andThen(deleteTimeout)
       .map(() => undefined);
   }
+
+  /**
+   * Generates registry credentials for a deployment. Returns an error if the deployment is in a final state.
+   *
+   * Uses the `platform` package, only available in cloud.
+   *
+   * @param authenticatedEnv The environment which the deployment belongs to.
+   * @param friendlyId The friendly deployment ID.
+   */
+  public generateRegistryCredentials(
+    authenticatedEnv: Pick<AuthenticatedEnvironment, "projectId">,
+    friendlyId: string
+  ) {
+    const validateDeployment = (
+      deployment: Pick<WorkerDeployment, "id" | "status" | "imageReference">
+    ) => {
+      if (FINAL_DEPLOYMENT_STATUSES.includes(deployment.status)) {
+        return errAsync({ type: "deployment_is_already_final" as const });
+      }
+      return okAsync(deployment);
+    };
+
+    const getDeploymentRegion = (deployment: Pick<WorkerDeployment, "imageReference">) => {
+      if (!deployment.imageReference) {
+        return errAsync({ type: "deployment_has_no_image_reference" as const });
+      }
+      if (!deployment.imageReference.includes("amazonaws.com")) {
+        return errAsync({ type: "registry_not_supported" as const });
+      }
+
+      // we should connect the deployment to a region more explicitly in the future
+      // for now we just use the image reference to determine the region
+      if (deployment.imageReference.includes("us-east-1")) {
+        return okAsync({ region: "us-east-1" as const });
+      }
+      if (deployment.imageReference.includes("eu-central-1")) {
+        return okAsync({ region: "eu-central-1" as const });
+      }
+
+      return errAsync({ type: "registry_region_not_supported" as const });
+    };
+
+    const generateCredentials = ({ region }: { region: "us-east-1" | "eu-central-1" }) =>
+      fromPromise(generateRegistryCredentials(authenticatedEnv.projectId, region), (error) => ({
+        type: "other" as const,
+        cause: error,
+      })).andThen((result) => {
+        if (!result || !result.success) {
+          return errAsync({ type: "missing_registry_credentials" as const });
+        }
+        return okAsync({
+          username: result.username,
+          password: result.password,
+          expiresAt: new Date(result.expiresAt),
+          repositoryUri: result.repositoryUri,
+        });
+      });
+
+    return this.getDeployment(authenticatedEnv.projectId, friendlyId)
+      .andThen(validateDeployment)
+      .andThen(getDeploymentRegion)
+      .andThen(generateCredentials);
+  }
+
+  private getDeployment(projectId: string, friendlyId: string) {
+    return fromPromise(
+      this._prisma.workerDeployment.findFirst({
+        where: {
+          friendlyId,
+          projectId,
+        },
+        select: {
+          status: true,
+          id: true,
+          imageReference: true,
+        },
+      }),
+      (error) => ({
+        type: "other" as const,
+        cause: error,
+      })
+    ).andThen((deployment) => {
+      if (!deployment) {
+        return errAsync({ type: "deployment_not_found" as const });
+      }
+      return okAsync(deployment);
+    });
+  }
 }

apps/webapp/package.json

@@ -117,7 +117,7 @@
     "@trigger.dev/core": "workspace:*",
     "@trigger.dev/database": "workspace:*",
     "@trigger.dev/otlp-importer": "workspace:*",
-    "@trigger.dev/platform": "1.0.18",
+    "@trigger.dev/platform": "0.0.0-prerelease-ecr-20251021203336",
     "@trigger.dev/redis-worker": "workspace:*",
     "@trigger.dev/sdk": "workspace:*",
     "@types/pg": "8.6.6",

packages/core/src/v3/schemas/api.ts

@@ -439,6 +439,17 @@ export const InitializeDeploymentRequestBody = z.object({
 
 export type InitializeDeploymentRequestBody = z.infer<typeof InitializeDeploymentRequestBody>;
 
+export const GenerateRegistryCredentialsResponseBody = z.object({
+  username: z.string(),
+  password: z.string(),
+  expiresAt: z.string(),
+  repositoryUri: z.string(),
+});
+
+export type GenerateRegistryCredentialsResponseBody = z.infer<
+  typeof GenerateRegistryCredentialsResponseBody
+>;
+
 export const DeploymentErrorData = z.object({
   name: z.string(),
   message: z.string(),