@aws/nx-plugin 0.82.2 → 0.83.1

package/src/utils/files/common/constructs/src/core/runtime-config.ts.template

@@ -1,10 +1,41 @@
-import { Stack, Stage } from 'aws-cdk-lib';
-import { Construct } from 'constructs';
+import {
+  ArnFormat,
+  Aspects,
+  CfnOutput,
+  Lazy,
+  Names,
+  Stack,
+  Stage,
+} from 'aws-cdk-lib';
+import {
+  CfnApplication,
+  CfnConfigurationProfile,
+  CfnDeployment,
+  CfnDeploymentStrategy,
+  CfnEnvironment,
+  CfnHostedConfigurationVersion,
+} from 'aws-cdk-lib/aws-appconfig';
+import { Grant, IGrantable } from 'aws-cdk-lib/aws-iam';
+import { Construct, IConstruct } from 'constructs';
 
 const RuntimeConfigKey = '__RuntimeConfig__';
 
+/**
+ * Stage-scoped singleton that collects runtime configuration from CDK constructs
+ * and delivers it to server-side (AppConfig) and client-side (S3) consumers.
+ *
+ * Configuration is organised into namespaces (mapped to AppConfig Configuration Profiles):
+ * ```ts
+ * const rc = RuntimeConfig.ensure(this);
+ * rc.set('connection', 'cognitoProps', { region: '...', userPoolId: '...' });
+ * rc.set('tables', 'users', { tableName: '...', arn: '...' });
+ * ```
+ */
 export class RuntimeConfig extends Construct {
-  private readonly _runtimeConfig: any = {};
+  private readonly _namespaces = new Map<string, Record<string, any>>();
+  private _appConfigApplicationId?: string;
+  private _appConfigApplicationArn?: string;
+  private _aspectRegistered = false;
 
   static ensure(scope: Construct): RuntimeConfig {
     const parent = Stage.of(scope) ?? Stack.of(scope);
@@ -24,7 +55,128 @@ export class RuntimeConfig extends Construct {
     super(scope, id);
   }
 
-  get config(): any {
-    return this._runtimeConfig;
+  /** Sets a key in the given namespace. Creates the namespace if it doesn't exist. */
+  set(namespace: string, key: string, value: any): void {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    data[key] = value;
+  }
+
+  /** Returns the config data for a namespace. Creates it if it doesn't exist. */
+  get(namespace: string): Record<string, any> {
+    let data = this._namespaces.get(namespace);
+    if (!data) {
+      data = {};
+      this._namespaces.set(namespace, data);
+    }
+    return data;
+  }
+
+  /** Returns a lazy token resolving to the AppConfig Application ID. */
+  get appConfigApplicationId(): string {
+    this.ensureAspect();
+    return Lazy.string({
+      produce: () => {
+        if (!this._appConfigApplicationId) {
+          throw new Error(
+            'RuntimeConfig AppConfig resources were not created.',
+          );
+        }
+        return this._appConfigApplicationId;
+      },
+    });
+  }
+
+  /** Grants a server-side consumer permission to read from AppConfig. */
+  grantReadAppConfig(grantee: IGrantable): Grant {
+    this.ensureAspect();
+    return Grant.addToPrincipal({
+      grantee,
+      actions: [
+        'appconfig:StartConfigurationSession',
+        'appconfig:GetLatestConfiguration',
+      ],
+      resourceArns: [
+        Lazy.string({ produce: () => this._appConfigApplicationArn }),
+      ],
+    });
+  }
+
+  private ensureAspect(): void {
+    if (this._aspectRegistered) return;
+    this._aspectRegistered = true;
+    let created = false;
+
+    Aspects.of(this.node.scope!).add({
+      visit: (node: IConstruct) => {
+        if (created || !(node instanceof Stack)) return;
+        created = true;
+
+        const stack = node;
+        const name = Names.uniqueResourceName(this, {
+          maxLength: 64,
+          separator: '-',
+        });
+
+        const app = new CfnApplication(stack, 'RcAppConfigApp', { name });
+        const strategy = new CfnDeploymentStrategy(
+          stack,
+          'RcAppConfigStrategy',
+          {
+            name,
+            deploymentDurationInMinutes: 0,
+            growthFactor: 100,
+            replicateTo: 'NONE',
+            finalBakeTimeInMinutes: 0,
+          },
+        );
+        const env = new CfnEnvironment(stack, 'RcAppConfigEnv', {
+          applicationId: app.ref,
+          name: 'default',
+        });
+
+        for (const [ns, data] of this._namespaces.entries()) {
+          const profile = new CfnConfigurationProfile(
+            stack,
+            `RcAppConfigProfile${ns}`,
+            {
+              applicationId: app.ref,
+              name: ns,
+              locationUri: 'hosted',
+              type: 'AWS.Freeform',
+            },
+          );
+          const version = new CfnHostedConfigurationVersion(
+            stack,
+            `RcAppConfigVersion${ns}`,
+            {
+              applicationId: app.ref,
+              configurationProfileId: profile.ref,
+              contentType: 'application/json',
+              content: Lazy.string({ produce: () => stack.toJsonString(data) }),
+            },
+          );
+          new CfnDeployment(stack, `RcAppConfigDeploy${ns}`, {
+            applicationId: app.ref,
+            environmentId: env.ref,
+            configurationProfileId: profile.ref,
+            configurationVersion: version.ref,
+            deploymentStrategyId: strategy.ref,
+          });
+        }
+
+        new CfnOutput(stack, 'RuntimeConfigApplicationId', { value: app.ref });
+        this._appConfigApplicationId = app.ref;
+        this._appConfigApplicationArn = stack.formatArn({
+          service: 'appconfig',
+          resource: 'application',
+          resourceName: `${app.ref}/*`,
+          arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+        });
+      },
+    });
   }
 }

package/src/utils/files/terraform/src/core/runtime-config/appconfig/appconfig.tf.template

@@ -0,0 +1,100 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
+  }
+}
+
+variable "application_name" {
+  description = "Name of the AppConfig application"
+  type        = string
+}
+
+locals {
+  config_dir = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config"
+}
+
+# AppConfig Application
+resource "aws_appconfig_application" "runtime_config" {
+  name        = var.application_name
+  description = "Runtime configuration for ${var.application_name}"
+}
+
+# AppConfig Environment
+resource "aws_appconfig_environment" "default" {
+  name           = "default"
+  application_id = aws_appconfig_application.runtime_config.id
+}
+
+# Instant deployment strategy (zero wait)
+resource "aws_appconfig_deployment_strategy" "instant" {
+  name                           = "${var.application_name}-instant"
+  deployment_duration_in_minutes = 0
+  growth_factor                  = 100
+  replicate_to                   = "NONE"
+  final_bake_time_in_minutes     = 0
+}
+
+# Read all namespace JSON files from the config directory
+locals {
+  namespace_files = fileset(local.config_dir, "*.json")
+  namespaces = {
+    for f in local.namespace_files :
+    trimsuffix(f, ".json") => jsondecode(file("${local.config_dir}/${f}"))
+  }
+}
+
+# Configuration Profile per namespace
+resource "aws_appconfig_configuration_profile" "namespace" {
+  for_each = local.namespaces
+
+  application_id = aws_appconfig_application.runtime_config.id
+  name           = each.key
+  location_uri   = "hosted"
+  type           = "AWS.Freeform"
+}
+
+# Hosted Configuration Version per namespace
+resource "aws_appconfig_hosted_configuration_version" "namespace" {
+  for_each = local.namespaces
+
+  application_id           = aws_appconfig_application.runtime_config.id
+  configuration_profile_id = aws_appconfig_configuration_profile.namespace[each.key].configuration_profile_id
+  content_type             = "application/json"
+  content                  = jsonencode(each.value)
+}
+
+# Deployment per namespace
+resource "aws_appconfig_deployment" "namespace" {
+  for_each = local.namespaces
+
+  application_id           = aws_appconfig_application.runtime_config.id
+  environment_id           = aws_appconfig_environment.default.environment_id
+  configuration_profile_id = aws_appconfig_configuration_profile.namespace[each.key].configuration_profile_id
+  configuration_version    = aws_appconfig_hosted_configuration_version.namespace[each.key].version_number
+  deployment_strategy_id   = aws_appconfig_deployment_strategy.instant.id
+}
+
+# Outputs
+output "application_id" {
+  description = "AppConfig Application ID"
+  value       = aws_appconfig_application.runtime_config.id
+}
+
+output "application_arn" {
+  description = "AppConfig Application ARN"
+  value       = aws_appconfig_application.runtime_config.arn
+}
+
+output "environment_id" {
+  description = "AppConfig Environment ID"
+  value       = aws_appconfig_environment.default.environment_id
+}

package/src/utils/files/terraform/src/core/runtime-config/entry/entry.tf.template

@@ -8,22 +8,30 @@ terraform {
 }
 
 # Variables
-variable "key_path" {
-  description = "Dot-separated path for the configuration key (e.g., 'apis.FooApi', 'cognito.userPoolId')"
+variable "namespace" {
+  description = "Namespace for the configuration entry (e.g., 'connection', 'tables')"
+  type        = string
+  default     = "connection"
+}
+
+variable "key" {
+  description = "Key name within the namespace (e.g., 'apis', 'cognitoProps')"
   type        = string
 }
 
 variable "value" {
-  description = "Value to set at the key path"
+  description = "Value to set at the key"
   type        = any
 }
 
 locals {
-  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+  config_dir       = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config"
+  config_file_path = "${local.config_dir}/${var.namespace}.json"
 }
 
-# This module writes an entry to runtime-config.json which is provided to any static websites
-# as a way to pass deploy-time values to the UI such as API urls
+# This module writes an entry to a namespaced runtime config JSON file.
+# Each namespace maps to a separate file (e.g., connection.json, tables.json)
+# which is then used by the AppConfig module and static website module.
 
 data "external" "updated_config" {
   program = ["uv", "run", "python", "-c", <<-EOT
@@ -37,7 +45,7 @@ from pathlib import Path
 # Read input from Terraform
 input_data = json.load(sys.stdin)
 config_file = input_data['config_file']
-key_path = input_data['key_path']
+key = input_data['key']
 value = json.loads(input_data['value'])
 
 # Create lock file path
@@ -69,14 +77,8 @@ for attempt in range(max_retries):
                 with open(config_file, 'r') as f:
                     config = json.load(f)
 
-                # Set the nested key using dot notation
-                keys = key_path.split('.')
-                current = config
-                for key in keys[:-1]:
-                    if key not in current:
-                        current[key] = {}
-                    current = current[key]
-                current[keys[-1]] = value
+                # Set the key directly in the namespace file
+                config[key] = value
 
                 # Write updated config back to file atomically
                 temp_file = config_file + '.tmp'
@@ -113,7 +115,7 @@ EOT
 
   query = {
     config_file = local.config_file_path
-    key_path    = var.key_path
+    key         = var.key
     value       = jsonencode(var.value)
   }
-}
+}

package/src/utils/files/terraform/src/core/runtime-config/read/read.tf.template

@@ -7,22 +7,29 @@ terraform {
   }
 }
 
+variable "namespace" {
+  description = "Namespace to read (e.g., 'connection'). If not set, reads all namespaces."
+  type        = string
+  default     = "connection"
+}
+
 locals {
-  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+  config_dir       = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config"
+  config_file_path = "${local.config_dir}/${var.namespace}.json"
 }
 
-# Read the runtime config file - will fail gracefully if file doesn't exist
+# Read the namespaced runtime config file
 data "local_file" "runtime_config" {
   filename = local.config_file_path
 }
 
 # Outputs
 output "config" {
-  description = "Runtime configuration object"
+  description = "Runtime configuration object for the namespace"
   value       = jsondecode(data.local_file.runtime_config.content)
 }
 
 output "config_json" {
-  description = "Runtime configuration as JSON string"
+  description = "Runtime configuration as JSON string for the namespace"
   value       = data.local_file.runtime_config.content
-}
+}

package/src/utils/identity-constructs/files/cdk/core/user-identity.ts.template

@@ -46,12 +46,12 @@ export class UserIdentity extends Construct {
       this.userPoolDomain
     );
 
-    RuntimeConfig.ensure(this).config.cognitoProps = {
+    RuntimeConfig.ensure(this).set('connection', 'cognitoProps', {
       region: Stack.of(this).region,
       identityPoolId: this.identityPool.identityPoolId,
       userPoolId: this.userPool.userPoolId,
       userPoolWebClientId: this.userPoolClient.userPoolClientId,
-    };
+    });
 
     suppressRules(
       this.userPool,

package/src/utils/identity-constructs/files/terraform/core/user-identity/add-callback-url/add-callback-url.tf.template

@@ -16,6 +16,8 @@ variable "callback_url" {
 # Read runtime config to get user pool client details
 module "runtime_config_reader" {
   source = "../../runtime-config/read"
+
+  namespace = "connection"
 }
 
 # Extract cognito details from runtime config

package/src/utils/identity-constructs/files/terraform/core/user-identity/identity/identity.tf.template

@@ -270,6 +270,14 @@ resource "aws_cognito_user_pool_client" "web_client" {
   # Auth session validity
   auth_session_validity = 3
 
+  # Callback urls are added via the add-callback-url module and should not be overwritten.
+  lifecycle {
+    ignore_changes = [
+      callback_urls,
+      logout_urls
+    ]
+  }
+
 }
 
 # Identity Pool
@@ -368,7 +376,8 @@ resource "aws_cognito_managed_login_branding" "managed_login_branding" {
 module "add_cognito_to_runtime_config" {
   source = "../../runtime-config/entry"
 
-  key_path = "cognitoProps"
+  namespace = "connection"
+  key       = "cognitoProps"
   value = {
     region              = data.aws_region.current.name
     identityPoolId      = aws_cognito_identity_pool.identity_pool.id

package/src/utils/versions.d.ts

@@ -13,8 +13,10 @@ export declare const TS_VERSIONS: {
     readonly '@aws-smithy/server-node': "1.0.0-alpha.10";
     readonly '@aws-lambda-powertools/logger': "2.31.0";
     readonly '@aws-lambda-powertools/metrics': "2.31.0";
+    readonly '@aws-lambda-powertools/parameters': "2.31.0";
     readonly '@aws-lambda-powertools/tracer': "2.31.0";
     readonly '@aws-lambda-powertools/parser': "2.31.0";
+    readonly '@aws-sdk/client-appconfigdata': "3.1004.0";
     readonly '@middy/core': "6.4.5";
     readonly '@nxlv/python': "22.1.1";
     readonly '@nx-extend/terraform': "9.0.1";

package/src/utils/versions.js

@@ -16,8 +16,10 @@ exports.TS_VERSIONS = {
     '@aws-smithy/server-node': '1.0.0-alpha.10',
     '@aws-lambda-powertools/logger': '2.31.0',
     '@aws-lambda-powertools/metrics': '2.31.0',
+    '@aws-lambda-powertools/parameters': '2.31.0',
     '@aws-lambda-powertools/tracer': '2.31.0',
     '@aws-lambda-powertools/parser': '2.31.0',
+    '@aws-sdk/client-appconfigdata': '3.1004.0',
     '@middy/core': '6.4.5',
     '@nxlv/python': '22.1.1',
     '@nx-extend/terraform': '9.0.1',

package/src/utils/versions.js.map

@@ -1 +1 @@
-{"version":3,"file":"versions.js","sourceRoot":"","sources":["../../../../../packages/nx-plugin/src/utils/versions.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH;;GAEG;AACU,QAAA,WAAW,GAAG;IACzB,0BAA0B,EAAE,UAAU;IACtC,qBAAqB,EAAE,UAAU;IACjC,+BAA+B,EAAE,UAAU;IAC3C,+BAA+B,EAAE,gBAAgB;IACjD,yBAAyB,EAAE,gBAAgB;IAC3C,+BAA+B,EAAE,QAAQ;IACzC,gCAAgC,EAAE,QAAQ;IAC1C,+BAA+B,EAAE,QAAQ;IACzC,+BAA+B,EAAE,QAAQ;IACzC,aAAa,EAAE,OAAO;IACtB,cAAc,EAAE,QAAQ;IACxB,sBAAsB,EAAE,OAAO;IAC/B,YAAY,EAAE,QAAQ;IACtB,WAAW,EAAE,QAAQ;IACrB,qBAAqB,EAAE,QAAQ;IAC/B,2BAA2B,EAAE,QAAQ;IACrC,iCAAiC,EAAE,QAAQ;IAC3C,qBAAqB,EAAE,OAAO;IAC9B,wBAAwB,EAAE,SAAS;IACnC,yBAAyB,EAAE,SAAS;IACpC,4BAA4B,EAAE,SAAS;IACvC,+BAA+B,EAAE,SAAS;IAC1C,wBAAwB,EAAE,SAAS;IACnC,qCAAqC,EAAE,SAAS;IAChD,+BAA+B,EAAE,UAAU;IAC3C,kCAAkC,EAAE,QAAQ;IAC5C,uBAAuB,EAAE,SAAS;IAClC,gCAAgC,EAAE,QAAQ;IAC1C,4BAA4B,EAAE,SAAS;IACvC,cAAc,EAAE,SAAS;IACzB,cAAc,EAAE,SAAS;IACzB,aAAa,EAAE,UAAU;IACzB,mBAAmB,EAAE,UAAU;IAC/B,aAAa,EAAE,QAAQ;IACvB,WAAW,EAAE,QAAQ;IACrB,gBAAgB,EAAE,OAAO;IACzB,eAAe,EAAE,QAAQ;IACzB,qBAAqB,EAAE,QAAQ;IAC/B,YAAY,EAAE,QAAQ;IACtB,SAAS,EAAE,QAAQ;IACnB,SAAS,EAAE,UAAU;IACrB,aAAa,EAAE,SAAS;IACxB,sCAAsC,EAAE,iBAAiB;IACzD,mBAAmB,EAAE,QAAQ;IAC7B,UAAU,EAAE,QAAQ;IACpB,IAAI,EAAE,OAAO;IACb,0BAA0B,EAAE,OAAO;IACnC,IAAI,EAAE,OAAO;IACb,SAAS,EAAE,OAAO;IAClB,OAAO,EAAE,QAAQ;IACjB,uBAAuB,EAAE,QAAQ;IACjC,8BAA8B,EAAE,OAAO;IACvC,wBAAwB,EAAE,OAAO;IACjC,OAAO,EAAE,OAAO;IAChB,qBAAqB,EAAE,OAAO;IAC9B,cAAc,EAAE,OAAO;IACvB,GAAG,EAAE,OAAO;IACZ,mBAAmB,EAAE,QAAQ;IAC7B,gBAAgB,EAAE,OAAO;IACzB,QAAQ,EAAE,OAAO;IACjB,oBAAoB,EAAE,OAAO;IAC7B,KAAK,EAAE,QAAQ;IACf,WAAW,EAAE,QAAQ;IACrB,MAAM,EAAE,OAAO;IACf,QAAQ,EAAE,YAAY;IACtB,oBAAoB,EAAE,QAAQ;IAC9B,WAAW,EAAE,OAAO;IACpB,mBAAmB,EAAE,OAAO;IAC5B,GAAG,EAAE,QAAQ;IACb,cAAc,EAAE,SAAS;IACzB,UAAU,EAAE,OAAO;IACnB,MAAM,EAAE,OAAO;IACf,gBAAgB,EAAE,OAAO;IACzB,gBAAgB,EAAE,OAAO;IACzB,MAAM,EAAE,QAAQ;IAChB,qBAAqB,EAAE,OAAO;IAC9B,GAAG,EAAE,OAAO;IACZ,EAAE,EAAE,QAAQ;CACJ,CAAC;AAGX;;GAEG;AACI,MAAM,YAAY,GAAG,CAAC,IAAqB,EAAE,EAAE,CACpD,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,mBAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AADpD,QAAA,YAAY,gBACwC;AAEjE;;GAEG;AACU,QAAA,WAAW,GAAG;IACzB,uBAAuB,EAAE,UAAU;IACnC,+BAA+B,EAAE,UAAU;IAC3C,+BAA+B,EAAE,UAAU;IAC3C,0BAA0B,EAAE,UAAU;IACtC,mBAAmB,EAAE,SAAS;IAC9B,KAAK,EAAE,WAAW;IAClB,OAAO,EAAE,WAAW;IACpB,OAAO,EAAE,WAAW;IACpB,mBAAmB,EAAE,WAAW;IAChC,GAAG,EAAE,UAAU;IACf,mBAAmB,EAAE,UAAU;IAC/B,gBAAgB,EAAE,UAAU;IAC5B,sBAAsB,EAAE,UAAU;IAClC,OAAO,EAAE,UAAU;CACX,CAAC;AAGX;;GAEG;AACI,MAAM,cAAc,GAAG,CAAC,IAAqB,EAAE,EAAE,CACtD,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,mBAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AADpC,QAAA,cAAc,kBACsB"}
+{"version":3,"file":"versions.js","sourceRoot":"","sources":["../../../../../packages/nx-plugin/src/utils/versions.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH;;GAEG;AACU,QAAA,WAAW,GAAG;IACzB,0BAA0B,EAAE,UAAU;IACtC,qBAAqB,EAAE,UAAU;IACjC,+BAA+B,EAAE,UAAU;IAC3C,+BAA+B,EAAE,gBAAgB;IACjD,yBAAyB,EAAE,gBAAgB;IAC3C,+BAA+B,EAAE,QAAQ;IACzC,gCAAgC,EAAE,QAAQ;IAC1C,mCAAmC,EAAE,QAAQ;IAC7C,+BAA+B,EAAE,QAAQ;IACzC,+BAA+B,EAAE,QAAQ;IACzC,+BAA+B,EAAE,UAAU;IAC3C,aAAa,EAAE,OAAO;IACtB,cAAc,EAAE,QAAQ;IACxB,sBAAsB,EAAE,OAAO;IAC/B,YAAY,EAAE,QAAQ;IACtB,WAAW,EAAE,QAAQ;IACrB,qBAAqB,EAAE,QAAQ;IAC/B,2BAA2B,EAAE,QAAQ;IACrC,iCAAiC,EAAE,QAAQ;IAC3C,qBAAqB,EAAE,OAAO;IAC9B,wBAAwB,EAAE,SAAS;IACnC,yBAAyB,EAAE,SAAS;IACpC,4BAA4B,EAAE,SAAS;IACvC,+BAA+B,EAAE,SAAS;IAC1C,wBAAwB,EAAE,SAAS;IACnC,qCAAqC,EAAE,SAAS;IAChD,+BAA+B,EAAE,UAAU;IAC3C,kCAAkC,EAAE,QAAQ;IAC5C,uBAAuB,EAAE,SAAS;IAClC,gCAAgC,EAAE,QAAQ;IAC1C,4BAA4B,EAAE,SAAS;IACvC,cAAc,EAAE,SAAS;IACzB,cAAc,EAAE,SAAS;IACzB,aAAa,EAAE,UAAU;IACzB,mBAAmB,EAAE,UAAU;IAC/B,aAAa,EAAE,QAAQ;IACvB,WAAW,EAAE,QAAQ;IACrB,gBAAgB,EAAE,OAAO;IACzB,eAAe,EAAE,QAAQ;IACzB,qBAAqB,EAAE,QAAQ;IAC/B,YAAY,EAAE,QAAQ;IACtB,SAAS,EAAE,QAAQ;IACnB,SAAS,EAAE,UAAU;IACrB,aAAa,EAAE,SAAS;IACxB,sCAAsC,EAAE,iBAAiB;IACzD,mBAAmB,EAAE,QAAQ;IAC7B,UAAU,EAAE,QAAQ;IACpB,IAAI,EAAE,OAAO;IACb,0BAA0B,EAAE,OAAO;IACnC,IAAI,EAAE,OAAO;IACb,SAAS,EAAE,OAAO;IAClB,OAAO,EAAE,QAAQ;IACjB,uBAAuB,EAAE,QAAQ;IACjC,8BAA8B,EAAE,OAAO;IACvC,wBAAwB,EAAE,OAAO;IACjC,OAAO,EAAE,OAAO;IAChB,qBAAqB,EAAE,OAAO;IAC9B,cAAc,EAAE,OAAO;IACvB,GAAG,EAAE,OAAO;IACZ,mBAAmB,EAAE,QAAQ;IAC7B,gBAAgB,EAAE,OAAO;IACzB,QAAQ,EAAE,OAAO;IACjB,oBAAoB,EAAE,OAAO;IAC7B,KAAK,EAAE,QAAQ;IACf,WAAW,EAAE,QAAQ;IACrB,MAAM,EAAE,OAAO;IACf,QAAQ,EAAE,YAAY;IACtB,oBAAoB,EAAE,QAAQ;IAC9B,WAAW,EAAE,OAAO;IACpB,mBAAmB,EAAE,OAAO;IAC5B,GAAG,EAAE,QAAQ;IACb,cAAc,EAAE,SAAS;IACzB,UAAU,EAAE,OAAO;IACnB,MAAM,EAAE,OAAO;IACf,gBAAgB,EAAE,OAAO;IACzB,gBAAgB,EAAE,OAAO;IACzB,MAAM,EAAE,QAAQ;IAChB,qBAAqB,EAAE,OAAO;IAC9B,GAAG,EAAE,OAAO;IACZ,EAAE,EAAE,QAAQ;CACJ,CAAC;AAGX;;GAEG;AACI,MAAM,YAAY,GAAG,CAAC,IAAqB,EAAE,EAAE,CACpD,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,mBAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AADpD,QAAA,YAAY,gBACwC;AAEjE;;GAEG;AACU,QAAA,WAAW,GAAG;IACzB,uBAAuB,EAAE,UAAU;IACnC,+BAA+B,EAAE,UAAU;IAC3C,+BAA+B,EAAE,UAAU;IAC3C,0BAA0B,EAAE,UAAU;IACtC,mBAAmB,EAAE,SAAS;IAC9B,KAAK,EAAE,WAAW;IAClB,OAAO,EAAE,WAAW;IACpB,OAAO,EAAE,WAAW;IACpB,mBAAmB,EAAE,WAAW;IAChC,GAAG,EAAE,UAAU;IACf,mBAAmB,EAAE,UAAU;IAC/B,gBAAgB,EAAE,UAAU;IAC5B,sBAAsB,EAAE,UAAU;IAClC,OAAO,EAAE,UAAU;CACX,CAAC;AAGX;;GAEG;AACI,MAAM,cAAc,GAAG,CAAC,IAAqB,EAAE,EAAE,CACtD,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,mBAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AADpC,QAAA,cAAc,kBACsB"}

package/src/utils/website-constructs/files/cdk/core/static-website.ts.template

@@ -1,4 +1,4 @@
-import { CfnOutput, CfnResource, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { CfnOutput, CfnResource, Lazy, RemovalPolicy, Stack } from 'aws-cdk-lib';
 import { Distribution, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
 import { S3BucketOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
 import {
@@ -145,9 +145,14 @@ export class StaticWebsite extends Construct {
     this.bucketDeployment = new BucketDeployment(this, 'WebsiteDeployment', {
       sources: [
         Source.asset(websiteFilePath),
-        Source.jsonData(
+        Source.data(
           DEFAULT_RUNTIME_CONFIG_FILENAME,
-          RuntimeConfig.ensure(this).config
+          Lazy.string({
+            produce: () =>
+              Stack.of(this).toJsonString(
+                RuntimeConfig.ensure(this).get('connection'),
+              ),
+          }),
         ),
       ],
       destinationBucket: this.websiteBucket,

package/src/utils/website-constructs/files/terraform/core/static-website/static-website.tf.template

@@ -263,6 +263,13 @@ resource "aws_s3_bucket_ownership_controls" "distribution_logs_ownership" {
   }
 }
 
+resource "aws_s3_bucket_acl" "distribution_logs_acl" {
+  #checkov:skip=CKV_AWS_70:ACL required for CloudFront standard logging
+  bucket = aws_s3_bucket.distribution_logs.id
+  acl    = "log-delivery-write"
+
+  depends_on = [aws_s3_bucket_ownership_controls.distribution_logs_ownership]
+}
 
 resource "aws_s3_bucket_logging" "distribution_logs_logging" {
   bucket = aws_s3_bucket.distribution_logs.id
@@ -495,9 +502,11 @@ resource "aws_s3_bucket_policy" "website_cloudfront_policy" {
   depends_on = [aws_cloudfront_distribution.website]
 }
 
-# Read runtime config using the reader module
+# Read runtime config using the reader module (connection namespace for website)
 module "runtime_config_reader" {
   source = "../runtime-config/read"
+
+  namespace = "connection"
 }
 
 # Upload website files to S3