This tool helps verify that SST infrastructure provides correct resource bindings to lambdas.
- Reads the Pulumi state file (`./state.json`) to get the "linked values encryption key".
- Scans `.sst/artifacts` for all artifact subdirectories.
  - Reads each `bundle.mjs` file to find all `Resource.` usages.
  - Reads values provided in the `resource.enc` file.
- Compares the resources found in `bundle.mjs` with those in the `resource.enc` file and reports discrepancies.

- Node.js installed
- pnpm installed

Install dependencies using pnpm:

```bash
pnpm install
```

- deploy the stage and export the Pulumi state file

```bash
# CWD: inside the SST project root directory
# deploy the stage to generate the bundle.mjs files + resource.enc files
pnpm sst --stage "<stagename>" deploy
# get pulumi state file of stage
# => this will expose encrypted credentials, so be careful with it ⚠️
pnpm sst --stage "<stagename>" state export --decrypt > state.json
```

- run this tool to check SST artifacts against the linked values from infrastructure

```bash
# NOTE: modify the index.ts file to your project setup (the ARTIFACTS_DIR and STATE_FILE_PATH variables)
# CWD: inside the tool directory
pnpm run-tool
```

```
SST Artifact Resource Bindings:
[MobileApiFunction]
- MainAuthJwtSigningKey
- MainBucket
- MainTable
- MainWebSocketApi
resource.enc file Links:
- MainBucket
- MainTable
- MainWebSocketApi
DISCREPANCIES FOUND:
Resources in bundle.mjs but not in resource.enc file:
- MainAuthJwtSigningKey
```

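
The comparison behind that report, as an added example (not the tool's own code): it scans bundle source for `Resource.<Name>` and `Resource["<Name>"]` references and diffs them against the link names from an already decrypted `resource.enc`. The bundle text, the link object and the function names are constructed for illustration, and it assumes the bundler leaves the `Resource` identifier unrenamed.

```javascript
// Constructed sample standing in for a lambda's bundle.mjs.
const SAMPLE_BUNDLE = `
import { Resource } from "sst";
const table = Resource.MainTable.name;
const bucket = Resource["MainBucket"].name;
const ws = Resource.MainWebSocketApi.managementEndpoint;
const key = Resource.MainAuthJwtSigningKey.value;
const other = MyResource.NotALink; // different identifier, must not match
`;

// Constructed sample standing in for the decrypted resource.enc content
// (link name -> linked values). Decryption itself is out of scope here.
const SAMPLE_LINKS = {
  MainBucket: { name: "example-bucket" },
  MainTable: { name: "example-table" },
  MainWebSocketApi: { url: "wss://example.invalid" },
};

// Collect every resource name referenced as Resource.Name or Resource["Name"].
// The lookbehind rejects longer identifiers (MyResource) and member
// accesses (x.Resource) so only the bare Resource object is counted.
function findResourceUsages(source) {
  const pattern =
    /(?<![\w$.])Resource(?:\.([A-Za-z_$][\w$]*)|\[\s*["']([^"']+)["']\s*\])/g;
  const names = new Set();
  let match;
  while ((match = pattern.exec(source)) !== null) {
    names.add(match[1] || match[2]);
  }
  return Array.from(names).sort();
}

// Diff in both directions: a name used in code but absent from the links is
// a binding the function would not have at runtime; a link that is never
// used is access granted beyond what the code needs.
function compareBindings(source, links) {
  const used = findResourceUsages(source);
  const linked = Object.keys(links).sort();
  return {
    used,
    linked,
    missingFromLinks: used.filter((name) => !linked.includes(name)),
    unusedLinks: linked.filter((name) => !used.includes(name)),
  };
}

console.log(compareBindings(SAMPLE_BUNDLE, SAMPLE_LINKS));
```
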
- no test coverage that this tool works after SST upgrades (the tool is used and verified on sst@3.13.10)
- currently there is no focus on code improvements (awaiting feedback from the SST team to ideally provide native support for this)
- parts of the code were generated by AI prompting - see prompt.md