Ruslan Akchurin · Sydney
AboutWriting
Making IaC boring
Published

Appendix A: The shape, runnable

The companion repository.

The series named the shape in prose and diagrams. This companion makes it executable: four tiers cut by ownership, typed cross-tier contracts, and resolver probes that refuse bad composition before any provider call.

It runs as an isolated demo, all placeholder. No provider SDKs, credentials, live domains, or production configuration. Domains use the reserved .invalid suffix, and every name is a generic fixture.

Read the code.

Run it

No install. Native TypeScript on Node 22.6 or newer:

node demo/run.ts

The walkthrough applies the tiers in order, resolves every contract, prints the resource plan and the release waves, then fires the refusal probes. The same walkthrough is split into three short screen recordings in the repo.

What a consumer looks like

Fail before apply showed the resolver: the helper that refuses. This is the other side of that seam, a workload consuming the contract. It asks serviceProjects for its assigned project by name and attaches to the shared network by key. It never creates its own project; that membership line belongs to the environment tier (Define tier membership).

workloads/workload-api/index.ts
// A workload consumes the environment
// contract. It never creates its project.
const assigned =
  getServiceProject(envRef, 'workload-api')

const subnet = getNetwork(envRef, 'primary')
  .apply((n) => n.primarySubnetId)

// ...then builds its service, runtime
// identity, and prefix-scoped secret
// access inside the assigned project,
// and publishes backends for edge.

What the demo refuses

The walkthrough ends by composing the system wrong on purpose. Each probe is refused by name before any apply:

Each miscomposition stops at a named refusal The demo composes the system wrong on purpose, and every bad path is refused by name before any provider call. Validated helpers refuse two of them: an unknown service ('unknown-worker' is not in serviceProjects, which holds workload-api and web-app), and an undeclared capability (web-app has no artifactRegistry capability). Domain topology refuses a duplicate zone owner ('api.staging' is claimed twice in one environment). Shared-surface binding rules refuse a DNS write outside the app zone ('api.staging.example.invalid' is outside '*.app.staging...invalid'). All four are caught at preview, before apply — the accent bracket that spans them. COMPOSED WRONG ON PURPOSE BEFORE APPLY validated helpers unknown service in serviceProjects 'unknown-worker' not found have: workload-api, web-app capability never declared service 'web-app' has no artifactRegistry capability domain topology duplicate zone owner 'api.staging' claimed twice in one environment shared-surface binding rules DNS write outside the app zone 'api.staging.example.invalid' outside '*.app.staging...invalid'
Each miscomposition stops at a named refusal

Map it back to the series

The repo reads alongside the parts:

  • organisation/, environment/, workloads/, and edge/ are the tier cut from Start with the shape.
  • lib/*/types.ts and the build*Output producers are what each tier publishes, from The contract.
  • The environment-owned ServiceProject boundary is the membership rule from Define tier membership.
  • lib/*/consumer.ts, assertDnsRequest, and assertSecretRequest are the resolver gates from Fail before apply.
  • MIGRATION.md maps the deletion order from Re-cut the system.

The repo carries its own README and a MIGRATION.md that maps the deletion order onto the code. Composed wrong on purpose, every bad path stops at a named refusal before any apply.