@aligent/cdk-header-change-detection 1.7.0 → 1.7.1

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @aligent/cdk-header-change-detection
 
+## 1.7.1
+
+### Patch Changes
+
+- [#1523](https://github.com/aligent/cdk-constructs/pull/1523) [`2550ceb`](https://github.com/aligent/cdk-constructs/commit/2550cebd411cf2cfd5b92deba17e18a5a3d3d012) Thanks [@TheOrangePuff](https://github.com/TheOrangePuff)! - Fixes changeset publishing to work correctly by switching from dist-based builds to in-place compilation within packages
+
 ## 1.7.0
 
 ### Minor Changes

package/index.d.ts

@@ -0,0 +1,2 @@
+import { HeaderChangeDetection, HeaderChangeDetectionProps } from "./lib/header-change-detection";
+export { HeaderChangeDetection, HeaderChangeDetectionProps };

package/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HeaderChangeDetection = void 0;
+const header_change_detection_1 = require("./lib/header-change-detection");
+Object.defineProperty(exports, "HeaderChangeDetection", { enumerable: true, get: function () { return header_change_detection_1.HeaderChangeDetection; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyRUFHdUM7QUFFOUIsc0dBSlAsK0NBQXFCLE9BSU8iLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQge1xuICBIZWFkZXJDaGFuZ2VEZXRlY3Rpb24sXG4gIEhlYWRlckNoYW5nZURldGVjdGlvblByb3BzLFxufSBmcm9tIFwiLi9saWIvaGVhZGVyLWNoYW5nZS1kZXRlY3Rpb25cIjtcblxuZXhwb3J0IHsgSGVhZGVyQ2hhbmdlRGV0ZWN0aW9uLCBIZWFkZXJDaGFuZ2VEZXRlY3Rpb25Qcm9wcyB9O1xuIl19

package/lib/header-change-detection.d.ts

@@ -0,0 +1,49 @@
+import { Duration } from "aws-cdk-lib";
+import { RuleProps, Schedule } from "aws-cdk-lib/aws-events";
+import { SnsTopic } from "aws-cdk-lib/aws-events-targets";
+import { Construct } from "constructs";
+export interface HeaderChangeDetectionProps {
+    /**
+     * List of URLs to monitor for header changes
+     */
+    urls: string[];
+    /**
+     * Optional list of additional headers to monitor
+     *
+     * @default []
+     */
+    additionalHeaders?: string[];
+    /**
+     * Optionally disable all the default headers
+     *
+     * @default false
+     */
+    disableDefaults?: boolean;
+    /**
+     * SNS Topic to send change detection notifications to
+     */
+    snsTopic: SnsTopic;
+    /**
+     * The schedule for performing the header check
+     *
+     * @default Schedule.rate(Duration.hours(1))
+     */
+    schedule?: Schedule;
+    /**
+     * Optionally pass any rule properties
+     */
+    ruleProps?: Partial<RuleProps>;
+    /**
+     * Optionally accept HTTP status codes other than 200
+     *
+     * @default ["200"]
+     */
+    acceptedHttpStatus?: string[];
+    /**
+     * For extended Lambda timeout. Default: 10 seconds
+     */
+    lambdaTimeout?: Duration;
+}
+export declare class HeaderChangeDetection extends Construct {
+    constructor(scope: Construct, id: string, props: HeaderChangeDetectionProps);
+}

package/lib/header-change-detection.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HeaderChangeDetection = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_dynamodb_1 = require("aws-cdk-lib/aws-dynamodb");
+const aws_events_1 = require("aws-cdk-lib/aws-events");
+const aws_events_targets_1 = require("aws-cdk-lib/aws-events-targets");
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const constructs_1 = require("constructs");
+const path_1 = require("path");
+const cdk_esbuild_1 = require("@aligent/cdk-esbuild");
+const command = [
+    "sh",
+    "-c",
+    'echo "Docker build not supported. Please install esbuild."',
+];
+const defaultHeaders = [
+    "content-security-policy",
+    "content-security-policy-report-only",
+    "reporting-endpoints",
+    "strict-transport-security",
+    "x-frame-options",
+    "x-content-type-options",
+    "cross-origin-opener-policy",
+    "cross-origin-embedder-policy",
+    "cross-origin-resource-policy",
+    "referrer-policy",
+    "permission-policy",
+    "cache-control",
+];
+class HeaderChangeDetection extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        var _a;
+        super(scope, id);
+        const headers = props.disableDefaults ? [] : defaultHeaders;
+        headers.push(...(((_a = props.additionalHeaders) === null || _a === void 0 ? void 0 : _a.map(header => header.toLowerCase())) || []));
+        const table = new aws_dynamodb_1.Table(this, "Table", {
+            partitionKey: {
+                name: "Url",
+                type: aws_dynamodb_1.AttributeType.STRING,
+            },
+            billingMode: aws_dynamodb_1.BillingMode.PAY_PER_REQUEST,
+        });
+        const schedule = new aws_events_1.Rule(this, "EventRule", {
+            schedule: props.schedule || aws_events_1.Schedule.rate(aws_cdk_lib_1.Duration.hours(1)),
+            ...props.ruleProps,
+        });
+        const lambda = new aws_lambda_1.Function(this, "HeaderCheck", {
+            architecture: aws_lambda_1.Architecture.X86_64,
+            runtime: aws_lambda_1.Runtime.NODEJS_22_X,
+            handler: "header-check.handler",
+            timeout: props.lambdaTimeout || aws_cdk_lib_1.Duration.seconds(10),
+            code: aws_lambda_1.Code.fromAsset((0, path_1.join)(__dirname, "lambda"), {
+                bundling: {
+                    command,
+                    image: aws_cdk_lib_1.DockerImage.fromRegistry("busybox"),
+                    local: new cdk_esbuild_1.Esbuild({
+                        entryPoints: [(0, path_1.join)(__dirname, "lambda/header-check.ts")],
+                    }),
+                },
+            }),
+            environment: {
+                URLS: props.urls.join(","),
+                HEADERS: headers.join(","),
+                TABLE: table.tableName,
+                TOPIC_ARN: props.snsTopic.topic.topicArn,
+                ACCEPTED_HTTP_STATUS: (props.acceptedHttpStatus || ["200"]).join(","),
+            },
+        });
+        schedule.addTarget(new aws_events_targets_1.LambdaFunction(lambda));
+        table.grantWriteData(lambda);
+        table.grantReadData(lambda);
+        props.snsTopic.topic.grantPublish(lambda);
+    }
+}
+exports.HeaderChangeDetection = HeaderChangeDetection;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVhZGVyLWNoYW5nZS1kZXRlY3Rpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJoZWFkZXItY2hhbmdlLWRldGVjdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw2Q0FBb0Q7QUFDcEQsMkRBQTZFO0FBQzdFLHVEQUFtRTtBQUNuRSx1RUFBMEU7QUFDMUUsdURBQStFO0FBQy9FLDJDQUF1QztBQUN2QywrQkFBNEI7QUFDNUIsc0RBQStDO0FBb0QvQyxNQUFNLE9BQU8sR0FBRztJQUNkLElBQUk7SUFDSixJQUFJO0lBQ0osNERBQTREO0NBQzdELENBQUM7QUFFRixNQUFNLGNBQWMsR0FBRztJQUNyQix5QkFBeUI7SUFDekIscUNBQXFDO0lBQ3JDLHFCQUFxQjtJQUNyQiwyQkFBMkI7SUFDM0IsaUJBQWlCO0lBQ2pCLHdCQUF3QjtJQUN4Qiw0QkFBNEI7SUFDNUIsOEJBQThCO0lBQzlCLDhCQUE4QjtJQUM5QixpQkFBaUI7SUFDakIsbUJBQW1CO0lBQ25CLGVBQWU7Q0FDaEIsQ0FBQztBQUVGLE1BQWEscUJBQXNCLFNBQVEsc0JBQVM7SUFDbEQsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUFpQzs7UUFDekUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLGNBQWMsQ0FBQztRQUU1RCxPQUFPLENBQUMsSUFBSSxDQUNWLEdBQUcsQ0FBQyxDQUFBLE1BQUEsS0FBSyxDQUFDLGlCQUFpQiwwQ0FBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxNQUFNLENBQUMsV0FBVyxFQUFFLENBQUMsS0FBSSxFQUFFLENBQUMsQ0FDeEUsQ0FBQztRQUVGLE1BQU0sS0FBSyxHQUFHLElBQUksb0JBQUssQ0FBQyxJQUFJLEVBQUUsT0FBTyxFQUFFO1lBQ3JDLFlBQVksRUFBRTtnQkFDWixJQUFJLEVBQUUsS0FBSztnQkFDWCxJQUFJLEVBQUUsNEJBQWEsQ0FBQyxNQUFNO2FBQzNCO1lBQ0QsV0FBVyxFQUFFLDBCQUFXLENBQUMsZUFBZTtTQUN6QyxDQUFDLENBQUM7UUFFSCxNQUFNLFFBQVEsR0FBRyxJQUFJLGlCQUFJLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRTtZQUMzQyxRQUFRLEVBQUUsS0FBSyxDQUFDLFFBQVEsSUFBSSxxQkFBUSxDQUFDLElBQUksQ0FBQyxzQkFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUM1RCxHQUFHLEtBQUssQ0FBQyxTQUFTO1NBQ25CLENBQUMsQ0FBQztRQUVILE1BQU0sTUFBTSxHQUFHLElBQUkscUJBQVEsQ0FBQyxJQUFJLEVBQUUsYUFBYSxFQUFFO1lBQy9DLFlBQVksRUFBRSx5QkFBWSxDQUFDLE1BQU07WUFDakMsT0FBTyxFQUFFLG9CQUFPLENBQUMsV0FBVztZQUM1QixPQUFPLEVBQUUsc0JBQXNCO1lBQy9CLE9BQU8sRUFBRSxLQUFLLENBQUMsYUFBYSxJQUFJLHNCQUFRLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUNwRCxJQUFJLEVBQUUsaUJBQUksQ0FBQyxTQUFTLENBQUMsSUFBQSxXQUFJLEVBQUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxFQUFFO2dCQUM5QyxRQUFRLEVBQUU7b0JBQ1IsT0FBTztvQkFDUCxLQUFLLEVBQUUseUJBQVcsQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDO29CQUMxQyxLQUFLLEVBQUUsSUFBSSxxQkFBTyxDQUFDO3dCQUNqQixXQUFXLEVBQUUsQ0FBQyxJQUFBLFdBQUksRUFBQyxTQUFTLEVBQUUsd0JBQXdCLENBQUMsQ0FBQztxQkFDekQsQ0FBQztpQkFDSDthQUNGLENBQUM7WUFDRixXQUFXLEVBQUU7Z0JBQ1gsSUFBSSxFQUFFLEtBQUssQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQztnQkFDMUIsT0FBTyxFQUFFLE9BQU8sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDO2dCQUMxQixLQUFLLEVBQUUsS0FBSyxDQUFDLFNBQVM7Z0JBQ3RCLFNBQVMsRUFBRSxLQUFLLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxRQUFRO2dCQUN4QyxvQkFBb0IsRUFBRSxDQUFDLEtBQUssQ0FBQyxrQkFBa0IsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQzthQUN0RTtTQUNGLENBQUMsQ0FBQztRQUVILFFBQVEsQ0FBQyxTQUFTLENBQUMsSUFBSSxtQ0FBYyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFFL0MsS0FBSyxDQUFDLGNBQWMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUM3QixLQUFLLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzVCLEtBQUssQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUM1QyxDQUFDO0NBQ0Y7QUFwREQsc0RBb0RDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgRG9ja2VySW1hZ2UsIER1cmF0aW9uIH0gZnJvbSBcImF3cy1jZGstbGliXCI7XG5pbXBvcnQgeyBBdHRyaWJ1dGVUeXBlLCBCaWxsaW5nTW9kZSwgVGFibGUgfSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWR5bmFtb2RiXCI7XG5pbXBvcnQgeyBSdWxlLCBSdWxlUHJvcHMsIFNjaGVkdWxlIH0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1ldmVudHNcIjtcbmltcG9ydCB7IExhbWJkYUZ1bmN0aW9uLCBTbnNUb3BpYyB9IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZXZlbnRzLXRhcmdldHNcIjtcbmltcG9ydCB7IEFyY2hpdGVjdHVyZSwgQ29kZSwgRnVuY3Rpb24sIFJ1bnRpbWUgfSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxhbWJkYVwiO1xuaW1wb3J0IHsgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIjtcbmltcG9ydCB7IGpvaW4gfSBmcm9tIFwicGF0aFwiO1xuaW1wb3J0IHsgRXNidWlsZCB9IGZyb20gXCJAYWxpZ2VudC9jZGstZXNidWlsZFwiO1xuXG5leHBvcnQgaW50ZXJmYWNlIEhlYWRlckNoYW5nZURldGVjdGlvblByb3BzIHtcbiAgLyoqXG4gICAqIExpc3Qgb2YgVVJMcyB0byBtb25pdG9yIGZvciBoZWFkZXIgY2hhbmdlc1xuICAgKi9cbiAgdXJsczogc3RyaW5nW107XG5cbiAgLyoqXG4gICAqIE9wdGlvbmFsIGxpc3Qgb2YgYWRkaXRpb25hbCBoZWFkZXJzIHRvIG1vbml0b3JcbiAgICpcbiAgICogQGRlZmF1bHQgW11cbiAgICovXG4gIGFkZGl0aW9uYWxIZWFkZXJzPzogc3RyaW5nW107XG5cbiAgLyoqXG4gICAqIE9wdGlvbmFsbHkgZGlzYWJsZSBhbGwgdGhlIGRlZmF1bHQgaGVhZGVyc1xuICAgKlxuICAgKiBAZGVmYXVsdCBmYWxzZVxuICAgKi9cbiAgZGlzYWJsZURlZmF1bHRzPzogYm9vbGVhbjtcblxuICAvKipcbiAgICogU05TIFRvcGljIHRvIHNlbmQgY2hhbmdlIGRldGVjdGlvbiBub3RpZmljYXRpb25zIHRvXG4gICAqL1xuICBzbnNUb3BpYzogU25zVG9waWM7XG5cbiAgLyoqXG4gICAqIFRoZSBzY2hlZHVsZSBmb3IgcGVyZm9ybWluZyB0aGUgaGVhZGVyIGNoZWNrXG4gICAqXG4gICAqIEBkZWZhdWx0IFNjaGVkdWxlLnJhdGUoRHVyYXRpb24uaG91cnMoMSkpXG4gICAqL1xuICBzY2hlZHVsZT86IFNjaGVkdWxlO1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbGx5IHBhc3MgYW55IHJ1bGUgcHJvcGVydGllc1xuICAgKi9cbiAgcnVsZVByb3BzPzogUGFydGlhbDxSdWxlUHJvcHM+O1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbGx5IGFjY2VwdCBIVFRQIHN0YXR1cyBjb2RlcyBvdGhlciB0aGFuIDIwMFxuICAgKlxuICAgKiBAZGVmYXVsdCBbXCIyMDBcIl1cbiAgICovXG4gIGFjY2VwdGVkSHR0cFN0YXR1cz86IHN0cmluZ1tdO1xuXG4gIC8qKlxuICAgKiBGb3IgZXh0ZW5kZWQgTGFtYmRhIHRpbWVvdXQuIERlZmF1bHQ6IDEwIHNlY29uZHNcbiAgICovXG4gIGxhbWJkYVRpbWVvdXQ/OiBEdXJhdGlvbjtcbn1cblxuY29uc3QgY29tbWFuZCA9IFtcbiAgXCJzaFwiLFxuICBcIi1jXCIsXG4gICdlY2hvIFwiRG9ja2VyIGJ1aWxkIG5vdCBzdXBwb3J0ZWQuIFBsZWFzZSBpbnN0YWxsIGVzYnVpbGQuXCInLFxuXTtcblxuY29uc3QgZGVmYXVsdEhlYWRlcnMgPSBbXG4gIFwiY29udGVudC1zZWN1cml0eS1wb2xpY3lcIixcbiAgXCJjb250ZW50LXNlY3VyaXR5LXBvbGljeS1yZXBvcnQtb25seVwiLFxuICBcInJlcG9ydGluZy1lbmRwb2ludHNcIixcbiAgXCJzdHJpY3QtdHJhbnNwb3J0LXNlY3VyaXR5XCIsXG4gIFwieC1mcmFtZS1vcHRpb25zXCIsXG4gIFwieC1jb250ZW50LXR5cGUtb3B0aW9uc1wiLFxuICBcImNyb3NzLW9yaWdpbi1vcGVuZXItcG9saWN5XCIsXG4gIFwiY3Jvc3Mtb3JpZ2luLWVtYmVkZGVyLXBvbGljeVwiLFxuICBcImNyb3NzLW9yaWdpbi1yZXNvdXJjZS1wb2xpY3lcIixcbiAgXCJyZWZlcnJlci1wb2xpY3lcIixcbiAgXCJwZXJtaXNzaW9uLXBvbGljeVwiLFxuICBcImNhY2hlLWNvbnRyb2xcIixcbl07XG5cbmV4cG9ydCBjbGFzcyBIZWFkZXJDaGFuZ2VEZXRlY3Rpb24gZXh0ZW5kcyBDb25zdHJ1Y3Qge1xuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogSGVhZGVyQ2hhbmdlRGV0ZWN0aW9uUHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpO1xuXG4gICAgY29uc3QgaGVhZGVycyA9IHByb3BzLmRpc2FibGVEZWZhdWx0cyA/IFtdIDogZGVmYXVsdEhlYWRlcnM7XG5cbiAgICBoZWFkZXJzLnB1c2goXG4gICAgICAuLi4ocHJvcHMuYWRkaXRpb25hbEhlYWRlcnM/Lm1hcChoZWFkZXIgPT4gaGVhZGVyLnRvTG93ZXJDYXNlKCkpIHx8IFtdKVxuICAgICk7XG5cbiAgICBjb25zdCB0YWJsZSA9IG5ldyBUYWJsZSh0aGlzLCBcIlRhYmxlXCIsIHtcbiAgICAgIHBhcnRpdGlvbktleToge1xuICAgICAgICBuYW1lOiBcIlVybFwiLFxuICAgICAgICB0eXBlOiBBdHRyaWJ1dGVUeXBlLlNUUklORyxcbiAgICAgIH0sXG4gICAgICBiaWxsaW5nTW9kZTogQmlsbGluZ01vZGUuUEFZX1BFUl9SRVFVRVNULFxuICAgIH0pO1xuXG4gICAgY29uc3Qgc2NoZWR1bGUgPSBuZXcgUnVsZSh0aGlzLCBcIkV2ZW50UnVsZVwiLCB7XG4gICAgICBzY2hlZHVsZTogcHJvcHMuc2NoZWR1bGUgfHwgU2NoZWR1bGUucmF0ZShEdXJhdGlvbi5ob3VycygxKSksXG4gICAgICAuLi5wcm9wcy5ydWxlUHJvcHMsXG4gICAgfSk7XG5cbiAgICBjb25zdCBsYW1iZGEgPSBuZXcgRnVuY3Rpb24odGhpcywgXCJIZWFkZXJDaGVja1wiLCB7XG4gICAgICBhcmNoaXRlY3R1cmU6IEFyY2hpdGVjdHVyZS5YODZfNjQsXG4gICAgICBydW50aW1lOiBSdW50aW1lLk5PREVKU18yMl9YLFxuICAgICAgaGFuZGxlcjogXCJoZWFkZXItY2hlY2suaGFuZGxlclwiLFxuICAgICAgdGltZW91dDogcHJvcHMubGFtYmRhVGltZW91dCB8fCBEdXJhdGlvbi5zZWNvbmRzKDEwKSxcbiAgICAgIGNvZGU6IENvZGUuZnJvbUFzc2V0KGpvaW4oX19kaXJuYW1lLCBcImxhbWJkYVwiKSwge1xuICAgICAgICBidW5kbGluZzoge1xuICAgICAgICAgIGNvbW1hbmQsXG4gICAgICAgICAgaW1hZ2U6IERvY2tlckltYWdlLmZyb21SZWdpc3RyeShcImJ1c3lib3hcIiksXG4gICAgICAgICAgbG9jYWw6IG5ldyBFc2J1aWxkKHtcbiAgICAgICAgICAgIGVudHJ5UG9pbnRzOiBbam9pbihfX2Rpcm5hbWUsIFwibGFtYmRhL2hlYWRlci1jaGVjay50c1wiKV0sXG4gICAgICAgICAgfSksXG4gICAgICAgIH0sXG4gICAgICB9KSxcbiAgICAgIGVudmlyb25tZW50OiB7XG4gICAgICAgIFVSTFM6IHByb3BzLnVybHMuam9pbihcIixcIiksXG4gICAgICAgIEhFQURFUlM6IGhlYWRlcnMuam9pbihcIixcIiksXG4gICAgICAgIFRBQkxFOiB0YWJsZS50YWJsZU5hbWUsXG4gICAgICAgIFRPUElDX0FSTjogcHJvcHMuc25zVG9waWMudG9waWMudG9waWNBcm4sXG4gICAgICAgIEFDQ0VQVEVEX0hUVFBfU1RBVFVTOiAocHJvcHMuYWNjZXB0ZWRIdHRwU3RhdHVzIHx8IFtcIjIwMFwiXSkuam9pbihcIixcIiksXG4gICAgICB9LFxuICAgIH0pO1xuXG4gICAgc2NoZWR1bGUuYWRkVGFyZ2V0KG5ldyBMYW1iZGFGdW5jdGlvbihsYW1iZGEpKTtcblxuICAgIHRhYmxlLmdyYW50V3JpdGVEYXRhKGxhbWJkYSk7XG4gICAgdGFibGUuZ3JhbnRSZWFkRGF0YShsYW1iZGEpO1xuICAgIHByb3BzLnNuc1RvcGljLnRvcGljLmdyYW50UHVibGlzaChsYW1iZGEpO1xuICB9XG59XG4iXX0=

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aligent/cdk-header-change-detection",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "main": "index.js",
   "license": "MIT",
   "homepage": "https://github.com/aligent/aws-cdk-constructs/tree/main/packages/header-change-detection#readme",

package/index.ts

@@ -1,6 +0,0 @@
-import {
-  HeaderChangeDetection,
-  HeaderChangeDetectionProps,
-} from "./lib/header-change-detection";
-
-export { HeaderChangeDetection, HeaderChangeDetectionProps };

package/jest.config.ts

@@ -1,11 +0,0 @@
-/* eslint-disable */
-export default {
-  displayName: "header-change-detection",
-  preset: "../../jest.preset.js",
-  testEnvironment: "node",
-  transform: {
-    "^.+\\.[tj]s$": ["ts-jest", { tsconfig: "<rootDir>/tsconfig.spec.json" }],
-  },
-  moduleFileExtensions: ["ts", "js", "html"],
-  coverageDirectory: "../../coverage/packages/header-change-detection",
-};

package/lib/header-change-detection.ts

@@ -1,133 +0,0 @@
-import { DockerImage, Duration } from "aws-cdk-lib";
-import { AttributeType, BillingMode, Table } from "aws-cdk-lib/aws-dynamodb";
-import { Rule, RuleProps, Schedule } from "aws-cdk-lib/aws-events";
-import { LambdaFunction, SnsTopic } from "aws-cdk-lib/aws-events-targets";
-import { Architecture, Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
-import { Construct } from "constructs";
-import { join } from "path";
-import { Esbuild } from "@aligent/cdk-esbuild";
-
-export interface HeaderChangeDetectionProps {
-  /**
-   * List of URLs to monitor for header changes
-   */
-  urls: string[];
-
-  /**
-   * Optional list of additional headers to monitor
-   *
-   * @default []
-   */
-  additionalHeaders?: string[];
-
-  /**
-   * Optionally disable all the default headers
-   *
-   * @default false
-   */
-  disableDefaults?: boolean;
-
-  /**
-   * SNS Topic to send change detection notifications to
-   */
-  snsTopic: SnsTopic;
-
-  /**
-   * The schedule for performing the header check
-   *
-   * @default Schedule.rate(Duration.hours(1))
-   */
-  schedule?: Schedule;
-
-  /**
-   * Optionally pass any rule properties
-   */
-  ruleProps?: Partial<RuleProps>;
-
-  /**
-   * Optionally accept HTTP status codes other than 200
-   *
-   * @default ["200"]
-   */
-  acceptedHttpStatus?: string[];
-
-  /**
-   * For extended Lambda timeout. Default: 10 seconds
-   */
-  lambdaTimeout?: Duration;
-}
-
-const command = [
-  "sh",
-  "-c",
-  'echo "Docker build not supported. Please install esbuild."',
-];
-
-const defaultHeaders = [
-  "content-security-policy",
-  "content-security-policy-report-only",
-  "reporting-endpoints",
-  "strict-transport-security",
-  "x-frame-options",
-  "x-content-type-options",
-  "cross-origin-opener-policy",
-  "cross-origin-embedder-policy",
-  "cross-origin-resource-policy",
-  "referrer-policy",
-  "permission-policy",
-  "cache-control",
-];
-
-export class HeaderChangeDetection extends Construct {
-  constructor(scope: Construct, id: string, props: HeaderChangeDetectionProps) {
-    super(scope, id);
-
-    const headers = props.disableDefaults ? [] : defaultHeaders;
-
-    headers.push(
-      ...(props.additionalHeaders?.map(header => header.toLowerCase()) || [])
-    );
-
-    const table = new Table(this, "Table", {
-      partitionKey: {
-        name: "Url",
-        type: AttributeType.STRING,
-      },
-      billingMode: BillingMode.PAY_PER_REQUEST,
-    });
-
-    const schedule = new Rule(this, "EventRule", {
-      schedule: props.schedule || Schedule.rate(Duration.hours(1)),
-      ...props.ruleProps,
-    });
-
-    const lambda = new Function(this, "HeaderCheck", {
-      architecture: Architecture.X86_64,
-      runtime: Runtime.NODEJS_22_X,
-      handler: "header-check.handler",
-      timeout: props.lambdaTimeout || Duration.seconds(10),
-      code: Code.fromAsset(join(__dirname, "lambda"), {
-        bundling: {
-          command,
-          image: DockerImage.fromRegistry("busybox"),
-          local: new Esbuild({
-            entryPoints: [join(__dirname, "lambda/header-check.ts")],
-          }),
-        },
-      }),
-      environment: {
-        URLS: props.urls.join(","),
-        HEADERS: headers.join(","),
-        TABLE: table.tableName,
-        TOPIC_ARN: props.snsTopic.topic.topicArn,
-        ACCEPTED_HTTP_STATUS: (props.acceptedHttpStatus || ["200"]).join(","),
-      },
-    });
-
-    schedule.addTarget(new LambdaFunction(lambda));
-
-    table.grantWriteData(lambda);
-    table.grantReadData(lambda);
-    props.snsTopic.topic.grantPublish(lambda);
-  }
-}

package/lib/lambda/header-check.ts

@@ -1,360 +0,0 @@
-// We know the environment variables will exist so safe to ignore this
-/* eslint-disable @typescript-eslint/no-non-null-assertion */
-
-import axios from "axios";
-import {
-  DynamoDBClient,
-  BatchGetItemCommand,
-  BatchGetItemCommandInput,
-  KeysAndAttributes,
-  UpdateItemCommandInput,
-  UpdateItemCommand,
-  AttributeValueUpdate,
-  UpdateItemCommandOutput,
-} from "@aws-sdk/client-dynamodb";
-import { PublishCommand, PublishInput, SNSClient } from "@aws-sdk/client-sns";
-
-const URLS = process.env.URLS;
-const HEADERS = process.env.HEADERS;
-const TABLE = process.env.TABLE!;
-
-const config = "";
-const DB_CLIENT = new DynamoDBClient(config);
-
-const securityHeaders = HEADERS?.split(",") || [];
-
-// Accept status 200 default
-const ACCEPTED_HTTP_STATUS = (process.env.ACCEPTED_HTTP_STATUS || "200")
-  .split(",")
-  .map(code => parseInt(code.trim(), 10));
-
-console.log("ACCEPTED_HTTP_STATUS:", ACCEPTED_HTTP_STATUS);
-
-type Headers = Map<string, string | undefined>;
-
-// A map of URLs and their headers
-type URLHeaders = Map<string, Headers>;
-
-export const handler = async () => {
-  const urls = URLS?.split(",") || [];
-
-  // Fetch stored headers
-  const [storedUrlHeaders, currentUrlHeaders] = await Promise.all([
-    getStoredValues(urls),
-    fetchHeaders(urls),
-  ]);
-
-  // Find any differences between the headers
-  const headerDifferences = new Map<string, Difference[]>();
-  let differencesDetected = false;
-  const dbUpdates = urls.map(url => {
-    const currentHeaders = currentUrlHeaders.get(url);
-    const storedHeaders =
-      storedUrlHeaders.get(url) || new Map<string, string | undefined>();
-
-    if (!currentHeaders)
-      throw new Error(`Could not get current headers for ${url}`);
-
-    // Check all headers that we care about
-    headerDifferences.set(
-      url,
-      compareHeaders(securityHeaders, storedHeaders, currentHeaders)
-    );
-
-    const headersToUpdate: Headers = new Map<string, string | undefined>();
-    headerDifferences.get(url)?.forEach(difference => {
-      headersToUpdate.set(difference.header, difference.currentValue);
-      differencesDetected = true;
-    });
-
-    return updateStoredValues(url, headersToUpdate);
-  });
-
-  await Promise.all(dbUpdates);
-
-  if (differencesDetected)
-    await sendToSns(formatDifferences(headerDifferences));
-};
-
-/**
- * Fetch security headers for the given urls
- *
- * @param urls list of urls to fetch headers from
- */
-const fetchHeaders = async (urls: string[]): Promise<URLHeaders> => {
-  const currentUrlHeaders: URLHeaders = new Map<string, Headers>();
-
-  // Make an axios request for each url
-  await Promise.all(
-    urls.map(url =>
-      axios.get(url, { validateStatus: () => true }).then(response => {
-        if (!ACCEPTED_HTTP_STATUS.includes(response.status)) {
-          console.warn(
-            `Skipping ${url} — status ${response.status} not allowed`
-          );
-          return;
-        }
-
-        const headers: Headers = new Map<string, string | undefined>();
-
-        Object.entries(response.headers).forEach(([headerName, value]) => {
-          if (securityHeaders?.includes(headerName))
-            headers.set(headerName, value as string);
-        });
-
-        currentUrlHeaders.set(url, headers);
-      })
-    )
-  );
-
-  return currentUrlHeaders;
-};
-
-/**
- * Get values stored in DynamoDB table from a list of string keys.
- * Assumes the call is made to the header change detection table.
- * This table has a primary key of Url (string) with an unknown
- * number of string fields.
- *
- * @param keys array of strings
- */
-const getStoredValues = async (keys: string[]): Promise<URLHeaders> => {
-  if (keys.length === 0) {
-    console.log("No keys were passed");
-    return new Map<string, Headers>();
-  }
-
-  // Construct the command input
-  const primaryKeys = keys.map(url => {
-    return {
-      Url: {
-        S: url,
-      },
-    };
-  });
-  const requestItems = {
-    [TABLE]: {
-      Keys: primaryKeys,
-    },
-  };
-
-  return dynamoBatchRequest(requestItems);
-};
-
-/**
- * Update stored headers for the given url.
- * If the header no longer has a value, delete it. Otherwise update it.
- *
- * @param url the url to update - this is the primary key
- * @param headers record of headers to update
- */
-const updateStoredValues = async (
-  url: string,
-  headers: Headers
-): Promise<UpdateItemCommandOutput | undefined> => {
-  // Convert headers to attribute value update attributes
-  const attributes: Record<string, AttributeValueUpdate> = {};
-  headers.forEach((value, headerName) => {
-    // If the value exists update it, otherwise remove it
-    if (value) {
-      attributes[headerName] = {
-        Value: {
-          S: Array.isArray(value) ? value.join("; ") : value,
-        },
-        Action: "PUT",
-      };
-    } else {
-      attributes[headerName] = {
-        Action: "DELETE",
-      };
-    }
-  });
-
-  if (Object.values(attributes).length === 0) {
-    console.log(`No attribute value changes for ${url}`);
-    return;
-  }
-
-  return dynamoUpdateRequest(url, attributes);
-};
-
-/**
- * Recursive function to get multiple items from a DynamoDB table
- *
- * @param requestItems
- * @returns Promise<URLHeaders>
- */
-const dynamoBatchRequest = async (
-  requestItems: Record<string, KeysAndAttributes> | undefined
-): Promise<URLHeaders> => {
-  console.log(
-    `Starting batch request with items: ${JSON.stringify(requestItems)}`
-  );
-
-  // Validate that request items has values
-  if (Object.keys(requestItems || {})?.length === 0)
-    return new Map<string, Headers>();
-
-  const batchGetInput: BatchGetItemCommandInput = {
-    RequestItems: requestItems,
-  };
-  const batchGetCommand = new BatchGetItemCommand(batchGetInput);
-
-  // Fetch stored stored headers
-  const response = await DB_CLIENT.send(batchGetCommand);
-  const responses = response.Responses?.[TABLE];
-
-  if (!responses) return new Map<string, Headers>();
-
-  console.log(
-    `Got following data from dynamo table: ${JSON.stringify(responses)}`
-  );
-
-  const storedUrlHeaders: URLHeaders = new Map<string, Headers>();
-  Object.values(responses).forEach(headers => {
-    const urlHeaders: Headers = new Map<string, string | undefined>();
-
-    let url = "";
-    Object.entries(headers).forEach(([headerName, value]) => {
-      if (headerName === "Url") {
-        url = value.S!;
-      } else {
-        urlHeaders.set(headerName, value.S!);
-      }
-    });
-    storedUrlHeaders.set(url, urlHeaders);
-  });
-
-  // Process any remaining keys
-  const nextUrlHeaders = await dynamoBatchRequest(response.UnprocessedKeys);
-
-  // Merge data into one object and return
-  return new Map<string, Headers>([...storedUrlHeaders, ...nextUrlHeaders]);
-};
-
-/**
- * Send an update command to DynamoDB
- *
- * @param url the url to update - this is the primary key
- * @param attributes Record<string, AttributeValueUpdate>
- */
-const dynamoUpdateRequest = async (
-  url: string,
-  attributes: Record<string, AttributeValueUpdate>
-): Promise<UpdateItemCommandOutput> => {
-  console.log(
-    `Updating ${url} in table with: ${JSON.stringify(Object.entries(attributes))}`
-  );
-
-  const updateItemInput: UpdateItemCommandInput = {
-    TableName: TABLE,
-    Key: {
-      Url: {
-        S: url,
-      },
-    },
-    AttributeUpdates: attributes,
-  };
-  const updateItemCommand = new UpdateItemCommand(updateItemInput);
-
-  return DB_CLIENT.send(updateItemCommand);
-};
-
-interface Difference {
-  header: string;
-  storedValue: string | undefined;
-  currentValue: string | undefined;
-}
-
-/**
- * Compare values of two lists of headers. Return any headers that have differences
- * along with their stored and current values.
- *
- * @param headers list of headers we want to compare
- * @param stored list of headers that were last found on the site
- * @param current list of headers currently on the site
- * @returns
- */
-const compareHeaders = (
-  headers: string[],
-  stored: Headers,
-  current: Headers
-): Difference[] => {
-  const differences: Difference[] = [];
-
-  headers.forEach(header => {
-    const currentValue = current.get(header);
-    const storedValue = stored.get(header);
-
-    if (currentValue !== storedValue) {
-      differences.push({
-        header,
-        storedValue: storedValue,
-        currentValue: currentValue,
-      });
-    }
-  });
-
-  return differences;
-};
-
-/**
- * Format the differences so they can be easily read in an email.
- *
- * Outputs a string that looks like this:
- *
- * Headers differences found:
- * == https://aligent.com.au/ ===
- *
- * Header: example-header-name
- * Stored Value: No stored value
- * Current Value: example-value
- *
- * === https://aligent.com.au/contact ===
- *
- * Header: example-header-name
- * Stored Value: No stored value
- * Current Value: example-value
- *
- * Header: example-header-name-2
- * Stored Value: previous-value
- * Current Value: new-example-value
- *
- * @param differences Map<string, Difference[]> where the key is the URL
- */
-const formatDifferences = (differences: Map<string, Difference[]>): string => {
-  const message = Array.from(differences.keys()).reduce((text, url) => {
-    console.log(text, url);
-    // Skip the url if there are no differences
-    if (differences.get(url)?.length === 0) {
-      return text;
-    }
-
-    // Format headers nicely
-    const headers = differences.get(url)?.reduce((headerText, header) => {
-      return (headerText += `\r\nHeader: ${header.header}\r\nStored Value: ${header.storedValue}\r\nCurrent Value: ${header.currentValue}\r\n`);
-    }, "");
-
-    return `${text}\r\n=== ${url} ===\r\n ${headers}`;
-  }, "");
-
-  return `Header differences found${message}`;
-};
-
-const TOPIC_ARN = process.env.TOPIC_ARN!;
-const SNS_CLIENT = new SNSClient();
-
-/**
- * Send a message to the SNS topic
- *
- * @param message string to send to sns
- */
-const sendToSns = async (message: string) => {
-  const publishInput: PublishInput = {
-    TopicArn: TOPIC_ARN,
-    Message: message,
-    Subject: "Security Header Change detected",
-  };
-  const publishCommand = new PublishCommand(publishInput);
-  await SNS_CLIENT.send(publishCommand);
-};

package/project.json

@@ -1,45 +0,0 @@
-{
-  "name": "header-change-detection",
-  "$schema": "../../node_modules/nx/schemas/project-schema.json",
-  "sourceRoot": "packages/header-change-detection/lib",
-  "projectType": "application",
-  "targets": {
-    "build": {
-      "executor": "@nx/js:tsc",
-      "options": {
-        "main": "packages/header-change-detection/index.ts",
-        "outputPath": "dist/header-change-detection",
-        "tsConfig": "packages/header-change-detection/tsconfig.app.json",
-        "assets": [
-          "packages/header-change-detection/lib/lambda/**",
-          "packages/header-change-detection/README.md",
-          "packages/header-change-detection/docs/**"
-        ]
-      },
-      "dependsOn": ["merge-gitignore"]
-    },
-    "lint": {
-      "executor": "@nx/eslint:lint",
-      "outputs": ["{options.outputFile}"]
-    },
-    "test": {
-      "executor": "@nx/jest:jest",
-      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
-      "options": {
-        "jestConfig": "packages/header-change-detection/jest.config.ts",
-        "passWithNoTests": true
-      }
-    },
-    "publish": {
-      "command": "node tools/scripts/publish.mjs header-change-detection {args.ver} {args.tag}",
-      "dependsOn": ["build"]
-    },
-    "merge-gitignore": {
-      "executor": "nx:run-commands",
-      "options": {
-        "command": "node tools/scripts/merge-gitignore.mjs header-change-detection"
-      }
-    }
-  },
-  "tags": []
-}

package/tsconfig.app.json

@@ -1,10 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-  "compilerOptions": {
-    "outDir": "../../dist/out-tsc",
-    "module": "commonjs",
-    "types": ["node"]
-  },
-  "exclude": ["./jest.config.ts", "lib/lambda/**/*.ts"],
-  "include": ["lib/**/*.ts", "index.ts"]
-}

package/tsconfig.json

@@ -1,16 +0,0 @@
-{
-  "extends": "../../tsconfig.base.json",
-  "files": [],
-  "include": [],
-  "references": [
-    {
-      "path": "./tsconfig.app.json"
-    },
-    {
-      "path": "./tsconfig.spec.json"
-    }
-  ],
-  "compilerOptions": {
-    "esModuleInterop": true
-  }
-}

package/tsconfig.spec.json

@@ -1,8 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-  "compilerOptions": {
-    "outDir": "../../dist/out-tsc",
-    "module": "commonjs",
-    "types": ["jest", "node"]
-  }
-}