@byaga/cdk-patterns 0.6.1 → 0.8.0

package/.fleet/run.json

@@ -0,0 +1,11 @@
+{
+    "configurations": [
+        {
+            "type": "npm",
+            "name": "cdk-patterns build",
+            "command": "run",
+            "scripts": "build",
+        },
+
+    ]
+}

package/lib/ApiCertificate.d.ts

@@ -1,10 +1,10 @@
 import { Certificate } from "aws-cdk-lib/aws-certificatemanager";
 import { IHostedZone } from "aws-cdk-lib/aws-route53";
-import IDeployStack from "./IDeployStack";
+import DeployStack from "./DeployStack";
 import IDomainConfig from "./IDomainConfig";
 export declare class ApiCertificate extends Certificate {
     hostedZone: IHostedZone;
     domain: string;
-    constructor(stack: IDeployStack, id: string, domain: IDomainConfig);
+    constructor(stack: DeployStack, id: string, domain: IDomainConfig);
 }
 export default ApiCertificate;

package/lib/ApiCertificate.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.ApiCertificate = void 0;
 const aws_certificatemanager_1 = require("aws-cdk-lib/aws-certificatemanager");
 const aws_route53_1 = require("aws-cdk-lib/aws-route53");
-const aws_cdk_lib_1 = require("aws-cdk-lib");
+const Output_1 = require("./Output");
 class ApiCertificate extends aws_certificatemanager_1.Certificate {
     hostedZone;
     domain;
@@ -12,19 +12,18 @@ class ApiCertificate extends aws_certificatemanager_1.Certificate {
         if (domain.subdomain)
             certDomain.splice(0, 0, domain.subdomain);
         const domainName = certDomain.join('.');
+        console.log('Getting Hosted Zone', domain.hostedZone.name);
         const hostedZone = aws_route53_1.HostedZone.fromHostedZoneAttributes(stack, stack.genId(id, 'hosted-zone'), {
             hostedZoneId: domain.hostedZone.id,
             zoneName: domain.hostedZone.name
         });
+        console.log('Defining Certificate For', domainName);
         super(stack, stack.genId(id), {
             domainName,
             validation: aws_certificatemanager_1.CertificateValidation.fromDns(hostedZone)
         });
         this.domain = domainName;
-        new aws_cdk_lib_1.CfnOutput(this, stack.genId(id, "certificate-output"), {
-            value: this.certificateArn,
-            exportName: stack.genName(id)
-        });
+        new Output_1.Output(stack, id, this.certificateArn);
         this.hostedZone = hostedZone;
     }
 }

package/lib/CognitoApiGatewayAuthorizer.d.ts

@@ -0,0 +1,19 @@
+import { Construct } from 'constructs';
+import { CfnAuthorizer, IAuthorizer } from 'aws-cdk-lib/aws-apigateway';
+import { CfnAuthorizerProps } from 'aws-cdk-lib/aws-apigateway/lib/apigateway.generated';
+/**
+ * Custom construct that implements a Cognito based API Gateway Authorizer.
+ *
+ * @see https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_author
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.CfnAuthorizer.html
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html
+ * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
+ * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
+ *
+ * @see https://github.com/aws/aws-cdk/issues/5618#issuecomment-666922559
+ */
+export declare class CognitoApiGatewayAuthorizer extends CfnAuthorizer implements IAuthorizer {
+    readonly authorizerId: string;
+    constructor(scope: Construct, id: string, props: CfnAuthorizerProps);
+}

package/lib/CognitoApiGatewayAuthorizer.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoApiGatewayAuthorizer = void 0;
+const aws_apigateway_1 = require("aws-cdk-lib/aws-apigateway");
+/**
+ * Custom construct that implements a Cognito based API Gateway Authorizer.
+ *
+ * @see https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_author
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.CfnAuthorizer.html
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html
+ * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
+ * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
+ *
+ * @see https://github.com/aws/aws-cdk/issues/5618#issuecomment-666922559
+ */
+class CognitoApiGatewayAuthorizer extends aws_apigateway_1.CfnAuthorizer {
+    authorizerId;
+    constructor(scope, id, props) {
+        super(scope, id, props);
+        this.authorizerId = this.ref;
+    }
+}
+exports.CognitoApiGatewayAuthorizer = CognitoApiGatewayAuthorizer;

package/lib/DeployStack.d.ts

@@ -0,0 +1,20 @@
+import { Stack } from 'aws-cdk-lib';
+import IStackArguments from './IStackArguments';
+import { IConstruct } from "constructs";
+export declare class DeployStack extends Stack {
+    registry: {
+        [t: string]: {
+            [n: string]: any;
+        };
+    };
+    stage: string;
+    name: string;
+    genName(...name: string[]): string;
+    genId(...name: string[]): string;
+    static genStackResourceName(stackName: string, resource: string, stage?: string): string;
+    static genStackResourceId(stackName: string, resource: string, stage?: string): string;
+    constructor(scope: IConstruct, props: IStackArguments);
+    get(type: string, name: string): any;
+    set(type: string, name: string, instance: any): any;
+}
+export default DeployStack;

package/lib/DeployStack.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeployStack = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+class DeployStack extends aws_cdk_lib_1.Stack {
+    registry = {};
+    stage;
+    name;
+    genName(...name) {
+        return DeployStack.genStackResourceName(this.name, this.stage, name.filter(n => !!n).join('-'));
+    }
+    genId(...name) {
+        return DeployStack.genStackResourceId(this.name, this.stage, name.filter(n => !!n).join('-'));
+    }
+    static genStackResourceName(stackName, resource, stage = 'develop') {
+        let name = stackName[0].toLowerCase() + stackName.substr(1);
+        name = name.replace(/[A-Z]/g, v => '-' + v.toLowerCase());
+        return `${name}-${resource}-${stage}`.toLowerCase();
+    }
+    static genStackResourceId(stackName, resource, stage = 'develop') {
+        const constructName = `${stackName}-${resource}-${stage}`;
+        return constructName[0].toUpperCase() + constructName.substr(1).replace(/-./g, v => (v[1] || '').toUpperCase());
+    }
+    constructor(scope, props) {
+        const options = (props || {});
+        const { stage = 'develop' } = options;
+        super(scope, props.stackName + '-' + stage, {
+            ...props,
+            stackName: props.stackName + '-' + stage
+        });
+        const stack = this;
+        stack.name = props.stackName || '';
+        stack.stage = stage;
+        stack.tags.setTag('Stage', stage);
+        stack.tags.setTag('Stack', this.genName('ui-stack'));
+    }
+    get(type, name) {
+        const items = this.registry[type];
+        return (items && items[name]) || null;
+    }
+    set(type, name, instance) {
+        this.registry[type] = this.registry[type] || {};
+        this.registry[type][name] = instance;
+        return instance;
+    }
+}
+exports.DeployStack = DeployStack;
+exports.default = DeployStack;

package/lib/DynamoDbTable.d.ts

@@ -0,0 +1,12 @@
+import { Table } from 'aws-cdk-lib/aws-dynamodb';
+import { Policy } from "aws-cdk-lib/aws-iam";
+import { DeployStack } from "./DeployStack";
+interface DynamoDbTableConfig {
+    partitionKey: string;
+    sortKey?: string;
+}
+export declare class DynamoDbTable extends Table {
+    getPolicy: Policy;
+    constructor(stack: DeployStack, id: string, props: DynamoDbTableConfig);
+}
+export {};

package/lib/DynamoDbTable.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DynamoDbTable = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_dynamodb_1 = require("aws-cdk-lib/aws-dynamodb");
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+class DynamoDbTable extends aws_dynamodb_1.Table {
+    getPolicy;
+    constructor(stack, id, props) {
+        console.log('Creating DynamoDb Table', stack.genName(id, 'data-table'));
+        super(stack, stack.genId(id, 'data-table'), {
+            tableName: stack.genName(id, 'data-table'),
+            partitionKey: { name: props.partitionKey, type: aws_dynamodb_1.AttributeType.STRING },
+            sortKey: props.sortKey ? { name: props.sortKey, type: aws_dynamodb_1.AttributeType.STRING } : undefined,
+            billingMode: aws_dynamodb_1.BillingMode.PAY_PER_REQUEST,
+            removalPolicy: aws_cdk_lib_1.RemovalPolicy.DESTROY
+        });
+        stack.set('dynamo', id, this);
+        new aws_cdk_lib_1.CfnOutput(stack, stack.genId(id, 'table'), {
+            value: this.tableName,
+            exportName: stack.genName(id, 'table')
+        });
+        this.getPolicy = new aws_iam_1.Policy(stack, stack.genId(id, 'get-policy'), {
+            statements: [
+                new aws_iam_1.PolicyStatement({
+                    actions: ['dynamodb:GetItem'],
+                    effect: aws_iam_1.Effect.ALLOW,
+                    resources: [this.tableArn]
+                })
+            ]
+        });
+    }
+}
+exports.DynamoDbTable = DynamoDbTable;

package/lib/FunctionIntegration.d.ts

@@ -0,0 +1,21 @@
+import { DeployStack } from "./DeployStack";
+import { Function, FunctionProps } from "aws-cdk-lib/aws-lambda";
+import { JsonSchema, MethodOptions } from "aws-cdk-lib/aws-apigateway";
+import { Duration } from "aws-cdk-lib";
+import { RestApi } from "./RestApi";
+interface AddToApiOptions {
+    requestSchema?: JsonSchema;
+    methodOptions?: MethodOptions;
+}
+export interface FunctionIntegrationProps {
+    funcProps: FunctionProps;
+    timeout?: Duration;
+    memory?: number;
+}
+export declare class FunctionIntegration extends Function {
+    stack: DeployStack;
+    name: string;
+    constructor(stack: DeployStack, id: string, options: FunctionIntegrationProps);
+    attach(api: RestApi, httpMethod: string, path: string, props: AddToApiOptions): void;
+}
+export {};

package/lib/FunctionIntegration.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FunctionIntegration = void 0;
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const aws_apigateway_1 = require("aws-cdk-lib/aws-apigateway");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const apply_honeycomb_to_lambda_1 = require("./methods/apply-honeycomb-to-lambda");
+const aws_logs_1 = require("aws-cdk-lib/aws-logs");
+class FunctionIntegration extends aws_lambda_1.Function {
+    stack;
+    name;
+    constructor(stack, id, options) {
+        const props = (0, apply_honeycomb_to_lambda_1.applyHoneycombToLambda)(stack, {
+            functionName: stack.genName(id),
+            memorySize: options.memory || 256,
+            timeout: options.timeout || aws_cdk_lib_1.Duration.seconds(16),
+            logRetention: aws_logs_1.RetentionDays.ONE_WEEK,
+            ...options.funcProps
+        });
+        super(stack, stack.genId(id, 'lambda'), props);
+        this.stack = stack;
+        this.name = id;
+        stack.set('lambda', id, this);
+        new aws_cdk_lib_1.CfnOutput(stack, stack.genId(id, 'function-name'), {
+            value: this.functionName,
+            exportName: stack.genName(id, 'function-name')
+        });
+    }
+    attach(api, httpMethod, path, props) {
+        const resource = api.path(path);
+        const integration = new aws_apigateway_1.LambdaIntegration(this, {
+            requestTemplates: {
+                'application/json': '{ "statusCode": "200" }'
+            }
+        });
+        let options = props?.methodOptions || {};
+        const schema = props?.requestSchema;
+        if (schema)
+            options = applySchema(this.stack, this.name, schema, options, resource);
+        const method = resource.addMethod(httpMethod, integration, options);
+    }
+}
+exports.FunctionIntegration = FunctionIntegration;
+function applySchema(stack, name, schema, options, path) {
+    return {
+        ...options,
+        requestValidator: new aws_apigateway_1.RequestValidator(stack, stack.genId(name, 'validator'), {
+            restApi: path.api,
+            requestValidatorName: stack.genName(name, 'validator'),
+            validateRequestBody: true
+        }),
+        requestModels: {
+            'application/json': new aws_apigateway_1.Model(stack, stack.genId(name, 'model'), {
+                schema: schema,
+                contentType: 'application/json',
+                restApi: path.api,
+                modelName: stack.genId(name, 'model')
+            })
+        }
+    };
+}

package/lib/ICorsConfig.d.ts

@@ -0,0 +1,5 @@
+export interface ICorsConfig {
+    maxAge?: number;
+    exposeHeaders?: string[];
+    allowOrigin?: string | string[];
+}

package/lib/ICorsConfig.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/NodeJsLambda.d.ts

@@ -0,0 +1,13 @@
+import { FunctionOptions } from "aws-cdk-lib/aws-lambda";
+import { DeployStack } from "./DeployStack";
+import { FunctionIntegration } from "./FunctionIntegration";
+import { Duration } from "aws-cdk-lib";
+interface NodeFunctionProps {
+    funcProps?: FunctionOptions;
+    timeout?: Duration;
+    memory?: number;
+}
+export declare class NodeJsLambda extends FunctionIntegration {
+    constructor(stack: DeployStack, id: string, options?: NodeFunctionProps);
+}
+export {};

package/lib/NodeJsLambda.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NodeJsLambda = void 0;
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const FunctionIntegration_1 = require("./FunctionIntegration");
+const build_node_source_1 = require("./methods/build-node-source");
+const duration_1 = __importDefault(require("./methods/duration"));
+class NodeJsLambda extends FunctionIntegration_1.FunctionIntegration {
+    constructor(stack, id, options) {
+        console.log('Defining Node Lambda', id);
+        const done = (0, duration_1.default)();
+        const { buildDir } = (0, build_node_source_1.buildNodeSource)('lambda', id);
+        console.log('Total Build Duration (ms)', done());
+        super(stack, id, {
+            ...options,
+            funcProps: {
+                ...options?.funcProps,
+                code: aws_lambda_1.Code.fromAsset(buildDir),
+                handler: `${id}.handler`,
+                runtime: aws_lambda_1.Runtime.NODEJS_18_X
+            }
+        });
+    }
+}
+exports.NodeJsLambda = NodeJsLambda;

package/lib/Output.d.ts

@@ -0,0 +1,5 @@
+import { CfnOutput } from 'aws-cdk-lib/core';
+import { DeployStack } from './DeployStack';
+export declare class Output extends CfnOutput {
+    constructor(stack: DeployStack, name: string, value: string);
+}

package/lib/Output.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Output = void 0;
+const core_1 = require("aws-cdk-lib/core");
+class Output extends core_1.CfnOutput {
+    constructor(stack, name, value) {
+        super(stack, stack.genId(name, 'output'), {
+            value,
+            exportName: stack.genName(name)
+        });
+    }
+}
+exports.Output = Output;

package/lib/RestApi.d.ts

@@ -0,0 +1,28 @@
+import { RestApi as RestApiBase, IDomainName, IResource } from "aws-cdk-lib/aws-apigateway";
+import { DeployStack } from "./DeployStack";
+import { ICorsConfig } from "./ICorsConfig";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
+interface IRestApiConfig {
+    cors?: ICorsConfig;
+    allowCredentials: boolean;
+}
+interface IBasePathMappingConfig {
+    domain?: IDomainName;
+    domainName?: string;
+    hostedZoneId?: string;
+}
+interface IResourceNode {
+    children: {
+        [key: string]: IResourceNode;
+    };
+    node: IResource;
+}
+export declare class RestApi extends RestApiBase {
+    _id: string;
+    _tree: IResourceNode;
+    constructor(stack: DeployStack, id: string, props: IRestApiConfig);
+    addBasePathMapping(stack: DeployStack, config: IBasePathMappingConfig): void;
+    addAuthorizedRole(stack: DeployStack, roleArn: string): PolicyStatement;
+    path(uri: string): IResource;
+}
+export {};

package/lib/RestApi.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RestApi = void 0;
+const aws_apigateway_1 = require("aws-cdk-lib/aws-apigateway");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const DEFAULT_EXPOSE_HEADERS = ['Date'];
+class RestApi extends aws_apigateway_1.RestApi {
+    _id;
+    _tree;
+    constructor(stack, id, props) {
+        const { stage } = stack;
+        console.log('Defining Rest API', stack.genId(id, 'api'));
+        const cors = props.cors || {};
+        const allowOrigins = Array.isArray(cors.allowOrigin) ? cors.allowOrigin : [cors.allowOrigin || '*'];
+        super(stack, stack.genId(id, 'api'), {
+            restApiName: stack.genName('api'),
+            deploy: true,
+            deployOptions: {
+                stageName: stage,
+                tracingEnabled: true
+            },
+            minCompressionSize: aws_cdk_lib_1.Size.bytes(1000),
+            endpointConfiguration: {
+                types: [aws_apigateway_1.EndpointType.EDGE]
+            },
+            defaultCorsPreflightOptions: {
+                allowHeaders: ['*'],
+                allowMethods: ['*'],
+                allowCredentials: props.allowCredentials,
+                allowOrigins,
+                maxAge: aws_cdk_lib_1.Duration.seconds(cors.maxAge || 86400),
+                exposeHeaders: cors.exposeHeaders || DEFAULT_EXPOSE_HEADERS
+            }
+        });
+        this._id = id;
+        // APIs MUST have at least one endpoint, so this will give it one
+        console.log('Adding health endpoint', '/health');
+        const health = this.root.addResource('health');
+        health.addMethod("GET", new aws_apigateway_1.MockIntegration({
+            requestTemplates: {
+                "application/json": "{\"statusCode\": 200}"
+            },
+            integrationResponses: [{
+                    statusCode: '200',
+                    contentHandling: aws_apigateway_1.ContentHandling.CONVERT_TO_TEXT,
+                    responseTemplates: {
+                        'application/json': `
+##  See http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
+##  This template will pass through all parameters including path, querystring, header, stage variables, and context through to the integration endpoint via the body/payload
+#set($allParams = $input.params())
+{
+"body-json" : $input.json('$'),
+"params" : {
+#foreach($type in $allParams.keySet())
+    #set($params = $allParams.get($type))
+"$type" : {
+    #foreach($paramName in $params.keySet())
+    "$paramName" : "$util.escapeJavaScript($params.get($paramName))"
+        #if($foreach.hasNext),#end
+    #end
+}
+    #if($foreach.hasNext),#end
+#end
+},
+"stage-variables" : {
+#foreach($key in $stageVariables.keySet())
+"$key" : "$util.escapeJavaScript($stageVariables.get($key))"
+    #if($foreach.hasNext),#end
+#end
+},
+"context" : {
+    "account-id" : "$context.identity.accountId",
+    "api-id" : "$context.apiId",
+    "api-key" : "$context.identity.apiKey",
+    "authorizer-principal-id" : "$context.authorizer.principalId",
+    "caller" : "$context.identity.caller",
+    "cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider",
+    "cognito-authentication-type" : "$context.identity.cognitoAuthenticationType",
+    "cognito-identity-id" : "$context.identity.cognitoIdentityId",
+    "cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId",
+    "http-method" : "$context.httpMethod",
+    "stage" : "$context.stage",
+    "source-ip" : "$context.identity.sourceIp",
+    "user" : "$context.identity.user",
+    "user-agent" : "$context.identity.userAgent",
+    "user-arn" : "$context.identity.userArn",
+    "request-id" : "$context.requestId",
+    "resource-id" : "$context.resourceId",
+    "resource-path" : "$context.resourcePath"
+    }
+}`
+                    }
+                }]
+        }), {
+            methodResponses: [{ statusCode: "200" }]
+        });
+        this._tree = { node: this.root, children: {} };
+    }
+    addBasePathMapping(stack, config) {
+        let domain = config.domain;
+        if (!domain && config.domainName && config.hostedZoneId) {
+            domain = aws_apigateway_1.DomainName.fromDomainNameAttributes(stack, stack.genName('domain-name'), {
+                domainName: config.domainName,
+                domainNameAliasHostedZoneId: config.hostedZoneId,
+                domainNameAliasTarget: this.restApiRootResourceId
+            });
+        }
+        if (!domain)
+            throw new Error('Missing Domain Configuration For Base Path Mapping');
+        new aws_apigateway_1.BasePathMapping(stack, stack.genId(this._id, 'base-path-mapping'), {
+            domainName: domain,
+            stage: this.deploymentStage,
+            restApi: this,
+            basePath: this._id
+        });
+    }
+    addAuthorizedRole(stack, roleArn) {
+        const policyStatement = new aws_iam_1.PolicyStatement({
+            effect: aws_iam_1.Effect.ALLOW,
+            actions: ['execute-api:Invoke']
+        });
+        const authRole = aws_iam_1.Role.fromRoleArn(stack, stack.genId('authenticated-role'), roleArn);
+        authRole.attachInlinePolicy(new aws_iam_1.Policy(stack, stack.genId('api-access-policy'), {
+            statements: [policyStatement]
+        }));
+        return policyStatement;
+    }
+    path(uri) {
+        const { node } = uri.split('/').reduce((resource, path) => {
+            if (!resource.children[path]) {
+                resource.children[path] = {
+                    children: {},
+                    node: resource.node.addResource(path)
+                };
+            }
+            return resource.children[path];
+        }, this._tree);
+        return node;
+    }
+}
+exports.RestApi = RestApi;

package/lib/Role.d.ts

@@ -1,6 +1,6 @@
 import { IPrincipal, Role as CdkRole } from "aws-cdk-lib/aws-iam";
 import { Duration } from "aws-cdk-lib";
-import { IDeployStack } from "./IDeployStack";
+import { DeployStack } from "./DeployStack";
 import { IManagedPolicy } from "aws-cdk-lib/aws-iam/lib/managed-policy";
 import { PolicyDocument } from "aws-cdk-lib/aws-iam/lib/policy-document";
 interface IRoleProps {
@@ -134,6 +134,6 @@ interface IRoleProps {
     readonly description?: string;
 }
 export declare class Role extends CdkRole {
-    constructor(stack: IDeployStack, id: string, props: IRoleProps);
+    constructor(stack: DeployStack, id: string, props: IRoleProps);
 }
 export {};

package/lib/Role.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Role = void 0;
 const aws_iam_1 = require("aws-cdk-lib/aws-iam");
-const aws_cdk_lib_1 = require("aws-cdk-lib");
+const Output_1 = require("./Output");
 class Role extends aws_iam_1.Role {
     constructor(stack, id, props) {
         console.log('Defining Role', stack.genId(id));
@@ -21,10 +21,7 @@ class Role extends aws_iam_1.Role {
             roleName: stack.genName(props.roleName || id),
             assumedBy: props.assumedBy
         });
-        new aws_cdk_lib_1.CfnOutput(stack, stack.genId(id, 'arn-output'), {
-            value: this.roleArn,
-            exportName: stack.genName(id, 'arn')
-        });
+        new Output_1.Output(stack, `${id}-arn`, this.roleArn);
     }
 }
 exports.Role = Role;

package/lib/SsmParameter.d.ts

@@ -0,0 +1,18 @@
+import { DeployStack } from "./DeployStack";
+import { IStringParameter } from "aws-cdk-lib/aws-ssm";
+import { IGrantable } from "aws-cdk-lib/aws-iam";
+import { IKey } from "aws-cdk-lib/aws-kms";
+interface SsmParameterOptions {
+    decryptWithKey?: IKey;
+}
+export declare class SsmParameter {
+    parameterName: string;
+    parameterArn: string;
+    decryptWithKey?: IKey;
+    _stack: DeployStack;
+    constructor(stack: DeployStack, name: string, options?: SsmParameterOptions);
+    grantRead(grantee: IGrantable): void;
+    get stringValue(): string;
+    getParameter(): IStringParameter;
+}
+export {};

package/lib/SsmParameter.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SsmParameter = void 0;
+const aws_ssm_1 = require("aws-cdk-lib/aws-ssm");
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const paramCache = {};
+class SsmParameter {
+    parameterName;
+    parameterArn;
+    decryptWithKey;
+    _stack;
+    constructor(stack, name, options) {
+        if (name[0] !== '/')
+            name = '/' + name;
+        this.parameterName = `/${stack.name}${name}`;
+        this.parameterArn = `arn:aws:ssm:${stack.region}:${stack.account}:parameter${this.parameterName}`;
+        this._stack = stack;
+        this.decryptWithKey = options?.decryptWithKey;
+    }
+    grantRead(grantee) {
+        grantee.grantPrincipal.addToPrincipalPolicy(new aws_iam_1.PolicyStatement({
+            effect: aws_iam_1.Effect.ALLOW,
+            actions: ['ssm:GetParameter'],
+            resources: [this.parameterArn]
+        }));
+        if (this.decryptWithKey) {
+            this.decryptWithKey.grantDecrypt(grantee);
+        }
+    }
+    get stringValue() {
+        return this.getParameter().stringValue;
+    }
+    getParameter() {
+        if (!paramCache[this.parameterArn]) {
+            paramCache[this.parameterArn] = aws_ssm_1.StringParameter.fromStringParameterName(this._stack, this._stack.genId(this.parameterName.substring(1).replace('/', '_')), this.parameterName);
+        }
+        return paramCache[this.parameterArn];
+    }
+}
+exports.SsmParameter = SsmParameter;