feat: add IsProd components and encryption guardrail (#5131)

Author: adrians5j

packages/create-webiny-project/_templates/aws/ddb-os/webiny.config.tsx

@@ -7,6 +7,10 @@ export const Extensions = () => {
         <>
             <Infra.Aws.DefaultRegion name={"{REGION}"} />
             <Infra.OpenSearch enabled={true} />
+            {/* Encryption MUST always be configured for production environments. */}
+            <Infra.Env.IsProd>
+                <Infra.Encryption passphrase={process.env.WEBINY_ENCRYPTION_PASSPHRASE} />
+            </Infra.Env.IsProd>
             <Cognito />
         </>
     );

packages/create-webiny-project/_templates/aws/ddb/webiny.config.tsx

@@ -6,6 +6,10 @@ export const Extensions = () => {
     return (
         <>
             <Infra.Aws.DefaultRegion name={"{REGION}"} />
+            {/* Encryption MUST always be configured for production environments. */}
+            <Infra.Env.IsProd>
+                <Infra.Encryption passphrase={process.env.WEBINY_ENCRYPTION_PASSPHRASE} />
+            </Infra.Env.IsProd>
             <Cognito />
         </>
     );

packages/project/src/extensions/Project.tsx

@@ -27,6 +27,7 @@ export const Project = () => {
             <AdminBeforeWatch src={p("EnsureApiDeployedBeforeAdminWatch.js")} />
             <AdminAfterDeploy src={p("TelemetryNoLongerNewUser.js")} />
             <BeforeDeploy src={p("EnsureTelemetryEnabledForOss.js")} />
+            <BeforeDeploy src={p("ValidateEncryptionBeforeDeploy.js")} />
             <CoreBeforeDeploy src={p("ValidateProductionPulumiState.js")} />
         </>
     );

packages/project/src/extensions/Project/ValidateEncryptionBeforeDeploy.ts

@@ -0,0 +1,51 @@
+import {
+    BeforeDeploy,
+    GetProductionEnvironments,
+    GetProjectConfig,
+    ProjectSdkParamsService
+} from "~/abstractions/index.js";
+import { GracefulError } from "@webiny/project";
+
+class ValidateEncryptionBeforeDeployImpl implements BeforeDeploy.Interface {
+    constructor(
+        private getProductionEnvironments: GetProductionEnvironments.Interface,
+        private projectSdkParamsService: ProjectSdkParamsService.Interface,
+        private getProjectConfig: GetProjectConfig.Interface
+    ) {}
+
+    async execute() {
+        const { env } = this.projectSdkParamsService.get();
+        const prodEnvs = await this.getProductionEnvironments.execute();
+
+        if (!prodEnvs.includes(env)) {
+            return;
+        }
+
+        const projectConfig = await this.getProjectConfig.execute();
+        const [encryption] = projectConfig.extensionsByType("Infra/Encryption");
+
+        if (encryption) {
+            return;
+        }
+
+        const error = new Error("Encryption is not configured for production environment.");
+
+        const message = [
+            "Deploying to a production environment requires encryption to be configured.",
+            "Set the %s environment variable and add %s to your project config.",
+            "Learn more: https://webiny.link/encryption"
+        ].join(" ");
+
+        throw GracefulError.from(
+            error,
+            message,
+            "WEBINY_ENCRYPTION_PASSPHRASE",
+            "<Infra.Encryption>"
+        );
+    }
+}
+
+export const ValidateEncryptionBeforeDeploy = BeforeDeploy.createImplementation({
+    implementation: ValidateEncryptionBeforeDeployImpl,
+    dependencies: [GetProductionEnvironments, ProjectSdkParamsService, GetProjectConfig]
+});