@cdklabs/cdk-appmod-catalog-blueprints 1.0.0

package/lib/utilities/lambda-iam-utils.d.ts

@@ -0,0 +1,145 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { Construct } from 'constructs';
+/**
+ * Stack information
+ */
+export interface LambdaIamUtilsStackInfo {
+    readonly region: string;
+    readonly account: string;
+}
+/**
+ * Configuration options for Lambda CloudWatch Logs permissions
+ */
+export interface LambdaLogsPermissionsProps {
+    /**
+     * The construct scope (used to generate unique names)
+     */
+    readonly scope: Construct;
+    /**
+     * The base name of the Lambda function
+     */
+    readonly functionName: string;
+    /**
+     * Custom log group name pattern
+     * @default '/aws/lambda/{uniqueFunctionName}'
+     */
+    readonly logGroupName?: string;
+    /**
+     * AWS region for the log group ARN
+     */
+    readonly region: string;
+    /**
+     * AWS account ID for the log group ARN
+     */
+    readonly account: string;
+}
+/**
+ * Result of creating Lambda logs permissions
+ */
+export interface LambdaLogsPermissionsResult {
+    /**
+     * The policy statements for CloudWatch Logs
+     */
+    readonly policyStatements: iam.PolicyStatement[];
+    /**
+     * The unique function name that was generated
+     */
+    readonly uniqueFunctionName: string;
+}
+/**
+ * Utility class for creating secure Lambda IAM policy statements with minimal permissions
+ */
+export declare class LambdaIamUtils {
+    /**
+     * Creates CloudWatch Logs policy statements for Lambda execution
+     *
+     * @param props Configuration properties
+     * @returns Object containing policy statements and the unique function name
+     */
+    static createLogsPermissions(props: LambdaLogsPermissionsProps): LambdaLogsPermissionsResult;
+    static generateLambdaVPCPermissions(): iam.PolicyStatement;
+    /**
+     * Generates a unique function name using CDK's built-in functionality
+     *
+     * @param scope The construct scope
+     * @param baseName The base name for the function
+     * @returns Unique function name
+     */
+    static generateUniqueFunctionName(scope: Construct, baseName: string): string;
+    /**
+     * Creates VPC permissions for Lambda functions running in VPC
+     *
+     * @returns Array of IAM PolicyStatements for VPC access
+     */
+    static createVpcPermissions(): iam.PolicyStatement[];
+    /**
+     * Creates X-Ray tracing permissions for Lambda functions
+     *
+     * @returns Array of IAM PolicyStatements for X-Ray tracing
+     */
+    static createXRayPermissions(): iam.PolicyStatement[];
+    /**
+     * Helper method to get region and account from a construct
+     *
+     * @param scope The construct scope
+     * @returns LambdaIamUtilsStackInfo
+     */
+    static getStackInfo(scope: Construct): LambdaIamUtilsStackInfo;
+    /**
+     * Creates a policy statement for DynamoDB table access
+     *
+     * @param tableArn The ARN of the DynamoDB table
+     * @param actions The DynamoDB actions to allow
+     * @returns PolicyStatement for DynamoDB access
+     */
+    static createDynamoDbPolicyStatement(tableArn: string, actions?: string[]): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for S3 bucket access
+     *
+     * @param bucketArn The ARN of the S3 bucket
+     * @param actions The S3 actions to allow
+     * @param includeObjects Whether to include object-level permissions
+     * @returns PolicyStatement for S3 access
+     */
+    static createS3PolicyStatement(bucketArn: string, actions?: string[], includeObjects?: boolean): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for SQS queue access
+     *
+     * @param queueArn The ARN of the SQS queue
+     * @param actions The SQS actions to allow
+     * @returns PolicyStatement for SQS access
+     */
+    static createSqsPolicyStatement(queueArn: string, actions?: string[]): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for SNS topic access
+     *
+     * @param topicArn The ARN of the SNS topic
+     * @param actions The SNS actions to allow
+     * @returns PolicyStatement for SNS access
+     */
+    static createSnsPolicyStatement(topicArn: string, actions?: string[]): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for Step Functions execution
+     *
+     * @param stateMachineArn The ARN of the Step Functions state machine
+     * @param actions The Step Functions actions to allow
+     * @returns PolicyStatement for Step Functions access
+     */
+    static createStepFunctionsPolicyStatement(stateMachineArn: string, actions?: string[]): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for Secrets Manager access
+     *
+     * @param secretArn The ARN of the secret
+     * @param actions The Secrets Manager actions to allow
+     * @returns PolicyStatement for Secrets Manager access
+     */
+    static createSecretsManagerPolicyStatement(secretArn: string, actions?: string[]): iam.PolicyStatement;
+    /**
+     * Creates a policy statement for KMS key access
+     *
+     * @param keyArn The ARN of the KMS key
+     * @param actions The KMS actions to allow
+     * @returns PolicyStatement for KMS access
+     */
+    static createKmsPolicyStatement(keyArn: string, actions?: string[]): iam.PolicyStatement;
+}

package/lib/utilities/lambda-iam-utils.js

@@ -0,0 +1,235 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LambdaIamUtils = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+const cdk = require("aws-cdk-lib");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const iam = require("aws-cdk-lib/aws-iam");
+/**
+ * Utility class for creating secure Lambda IAM policy statements with minimal permissions
+ */
+class LambdaIamUtils {
+    /**
+     * Creates CloudWatch Logs policy statements for Lambda execution
+     *
+     * @param props Configuration properties
+     * @returns Object containing policy statements and the unique function name
+     */
+    static createLogsPermissions(props) {
+        // Generate unique function name using construct node path
+        const uniqueFunctionName = LambdaIamUtils.generateUniqueFunctionName(props.scope, props.functionName);
+        const logGroupName = props.logGroupName || `/aws/lambda/${uniqueFunctionName}`;
+        const policyStatements = [
+            // Permission to create log group
+            new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: ['logs:CreateLogGroup'],
+                resources: [
+                    `arn:aws:logs:${props.region}:${props.account}:log-group:${logGroupName}:*`,
+                ],
+            }),
+            // Permission to create log streams and put log events
+            new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: [
+                    'logs:CreateLogStream',
+                    'logs:PutLogEvents',
+                ],
+                resources: [
+                    `arn:aws:logs:${props.region}:${props.account}:log-group:${logGroupName}:*`,
+                ],
+            }),
+        ];
+        return {
+            policyStatements,
+            uniqueFunctionName,
+        };
+    }
+    static generateLambdaVPCPermissions() {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions: [
+                'ec2:CreateNetworkInterface',
+                'ec2:DescribeNetworkInterfaces',
+                'ec2:DescribeSubnets',
+                'ec2:DeleteNetworkInterface',
+                'ec2:AssignPrivateIpAddresses',
+                'ec2:UnassignPrivateIpAddresses',
+                'ec2:DescribeSecurityGroups',
+                'ec2:DescribeVpcs',
+                'ec2:GetSecurityGroupsForVpc',
+            ],
+            resources: ['*'],
+        });
+    }
+    /**
+     * Generates a unique function name using CDK's built-in functionality
+     *
+     * @param scope The construct scope
+     * @param baseName The base name for the function
+     * @returns Unique function name
+     */
+    static generateUniqueFunctionName(scope, baseName) {
+        return `${baseName}-${aws_cdk_lib_1.Names.uniqueResourceName(scope, { maxLength: 64 - (baseName.length + 1) }).toLowerCase()}`;
+    }
+    /**
+     * Creates VPC permissions for Lambda functions running in VPC
+     *
+     * @returns Array of IAM PolicyStatements for VPC access
+     */
+    static createVpcPermissions() {
+        return [
+            new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: [
+                    'ec2:CreateNetworkInterface',
+                    'ec2:DescribeNetworkInterfaces',
+                    'ec2:DeleteNetworkInterface',
+                    'ec2:AttachNetworkInterface',
+                    'ec2:DetachNetworkInterface',
+                ],
+                resources: ['*'], // VPC permissions require wildcard resources
+            }),
+        ];
+    }
+    /**
+     * Creates X-Ray tracing permissions for Lambda functions
+     *
+     * @returns Array of IAM PolicyStatements for X-Ray tracing
+     */
+    static createXRayPermissions() {
+        return [
+            new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: [
+                    'xray:PutTraceSegments',
+                    'xray:PutTelemetryRecords',
+                ],
+                resources: ['*'], // X-Ray permissions require wildcard resources
+            }),
+        ];
+    }
+    /**
+     * Helper method to get region and account from a construct
+     *
+     * @param scope The construct scope
+     * @returns LambdaIamUtilsStackInfo
+     */
+    static getStackInfo(scope) {
+        const stack = cdk.Stack.of(scope);
+        return {
+            region: stack.region,
+            account: stack.account,
+        };
+    }
+    /**
+     * Creates a policy statement for DynamoDB table access
+     *
+     * @param tableArn The ARN of the DynamoDB table
+     * @param actions The DynamoDB actions to allow
+     * @returns PolicyStatement for DynamoDB access
+     */
+    static createDynamoDbPolicyStatement(tableArn, actions = ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:DeleteItem', 'dynamodb:Query', 'dynamodb:Scan']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [tableArn, `${tableArn}/index/*`], // Include GSI access
+        });
+    }
+    /**
+     * Creates a policy statement for S3 bucket access
+     *
+     * @param bucketArn The ARN of the S3 bucket
+     * @param actions The S3 actions to allow
+     * @param includeObjects Whether to include object-level permissions
+     * @returns PolicyStatement for S3 access
+     */
+    static createS3PolicyStatement(bucketArn, actions = ['s3:GetObject', 's3:PutObject'], includeObjects = true) {
+        const resources = [bucketArn];
+        if (includeObjects) {
+            resources.push(`${bucketArn}/*`);
+        }
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources,
+        });
+    }
+    /**
+     * Creates a policy statement for SQS queue access
+     *
+     * @param queueArn The ARN of the SQS queue
+     * @param actions The SQS actions to allow
+     * @returns PolicyStatement for SQS access
+     */
+    static createSqsPolicyStatement(queueArn, actions = ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [queueArn],
+        });
+    }
+    /**
+     * Creates a policy statement for SNS topic access
+     *
+     * @param topicArn The ARN of the SNS topic
+     * @param actions The SNS actions to allow
+     * @returns PolicyStatement for SNS access
+     */
+    static createSnsPolicyStatement(topicArn, actions = ['sns:Publish']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [topicArn],
+        });
+    }
+    /**
+     * Creates a policy statement for Step Functions execution
+     *
+     * @param stateMachineArn The ARN of the Step Functions state machine
+     * @param actions The Step Functions actions to allow
+     * @returns PolicyStatement for Step Functions access
+     */
+    static createStepFunctionsPolicyStatement(stateMachineArn, actions = ['states:StartExecution']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [stateMachineArn],
+        });
+    }
+    /**
+     * Creates a policy statement for Secrets Manager access
+     *
+     * @param secretArn The ARN of the secret
+     * @param actions The Secrets Manager actions to allow
+     * @returns PolicyStatement for Secrets Manager access
+     */
+    static createSecretsManagerPolicyStatement(secretArn, actions = ['secretsmanager:GetSecretValue']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [secretArn],
+        });
+    }
+    /**
+     * Creates a policy statement for KMS key access
+     *
+     * @param keyArn The ARN of the KMS key
+     * @param actions The KMS actions to allow
+     * @returns PolicyStatement for KMS access
+     */
+    static createKmsPolicyStatement(keyArn, actions = ['kms:Decrypt', 'kms:GenerateDataKey']) {
+        return new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions,
+            resources: [keyArn],
+        });
+    }
+}
+exports.LambdaIamUtils = LambdaIamUtils;
+_a = JSII_RTTI_SYMBOL_1;
+LambdaIamUtils[_a] = { fqn: "@cdklabs/cdk-appmod-catalog-blueprints.LambdaIamUtils", version: "1.0.0" };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibGFtYmRhLWlhbS11dGlscy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3VzZS1jYXNlcy91dGlsaXRpZXMvbGFtYmRhLWlhbS11dGlscy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLHFFQUFxRTtBQUNyRSxzQ0FBc0M7QUFDdEMsbUNBQW1DO0FBQ25DLDZDQUFvQztBQUNwQywyQ0FBMkM7QUF5RDNDOztHQUVHO0FBQ0gsTUFBYSxjQUFjO0lBQ3pCOzs7OztPQUtHO0lBQ0ksTUFBTSxDQUFDLHFCQUFxQixDQUFDLEtBQWlDO1FBQ25FLDBEQUEwRDtRQUMxRCxNQUFNLGtCQUFrQixHQUFHLGNBQWMsQ0FBQywwQkFBMEIsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUFFLEtBQUssQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUN0RyxNQUFNLFlBQVksR0FBRyxLQUFLLENBQUMsWUFBWSxJQUFJLGVBQWUsa0JBQWtCLEVBQUUsQ0FBQztRQUUvRSxNQUFNLGdCQUFnQixHQUFHO1lBQ3ZCLGlDQUFpQztZQUNqQyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7Z0JBQ3RCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7Z0JBQ3hCLE9BQU8sRUFBRSxDQUFDLHFCQUFxQixDQUFDO2dCQUNoQyxTQUFTLEVBQUU7b0JBQ1QsZ0JBQWdCLEtBQUssQ0FBQyxNQUFNLElBQUksS0FBSyxDQUFDLE9BQU8sY0FBYyxZQUFZLElBQUk7aUJBQzVFO2FBQ0YsQ0FBQztZQUNGLHNEQUFzRDtZQUN0RCxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7Z0JBQ3RCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7Z0JBQ3hCLE9BQU8sRUFBRTtvQkFDUCxzQkFBc0I7b0JBQ3RCLG1CQUFtQjtpQkFDcEI7Z0JBQ0QsU0FBUyxFQUFFO29CQUNULGdCQUFnQixLQUFLLENBQUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxPQUFPLGNBQWMsWUFBWSxJQUFJO2lCQUM1RTthQUNGLENBQUM7U0FDSCxDQUFDO1FBRUYsT0FBTztZQUNMLGdCQUFnQjtZQUNoQixrQkFBa0I7U0FDbkIsQ0FBQztJQUNKLENBQUM7SUFFTSxNQUFNLENBQUMsNEJBQTRCO1FBQ3hDLE9BQU8sSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQzdCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7WUFDeEIsT0FBTyxFQUFFO2dCQUNQLDRCQUE0QjtnQkFDNUIsK0JBQStCO2dCQUMvQixxQkFBcUI7Z0JBQ3JCLDRCQUE0QjtnQkFDNUIsOEJBQThCO2dCQUM5QixnQ0FBZ0M7Z0JBQ2hDLDRCQUE0QjtnQkFDNUIsa0JBQWtCO2dCQUNsQiw2QkFBNkI7YUFDOUI7WUFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLE1BQU0sQ0FBQywwQkFBMEIsQ0FBQyxLQUFnQixFQUFFLFFBQWdCO1FBQ3pFLE9BQU8sR0FBRyxRQUFRLElBQUksbUJBQUssQ0FBQyxrQkFBa0IsQ0FBQyxLQUFLLEVBQUUsRUFBRSxTQUFTLEVBQUUsRUFBRSxHQUFHLENBQUMsUUFBUSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FBQztJQUNuSCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLE1BQU0sQ0FBQyxvQkFBb0I7UUFDaEMsT0FBTztZQUNMLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztnQkFDdEIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztnQkFDeEIsT0FBTyxFQUFFO29CQUNQLDRCQUE0QjtvQkFDNUIsK0JBQStCO29CQUMvQiw0QkFBNEI7b0JBQzVCLDRCQUE0QjtvQkFDNUIsNEJBQTRCO2lCQUM3QjtnQkFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUMsRUFBRSw2Q0FBNkM7YUFDaEUsQ0FBQztTQUNILENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLE1BQU0sQ0FBQyxxQkFBcUI7UUFDakMsT0FBTztZQUNMLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztnQkFDdEIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztnQkFDeEIsT0FBTyxFQUFFO29CQUNQLHVCQUF1QjtvQkFDdkIsMEJBQTBCO2lCQUMzQjtnQkFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUMsRUFBRSwrQ0FBK0M7YUFDbEUsQ0FBQztTQUNILENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSSxNQUFNLENBQUMsWUFBWSxDQUFDLEtBQWdCO1FBQ3pDLE1BQU0sS0FBSyxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ2xDLE9BQU87WUFDTCxNQUFNLEVBQUUsS0FBSyxDQUFDLE1BQU07WUFDcEIsT0FBTyxFQUFFLEtBQUssQ0FBQyxPQUFPO1NBQ3ZCLENBQUM7SUFDSixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksTUFBTSxDQUFDLDZCQUE2QixDQUN6QyxRQUFnQixFQUNoQixVQUFvQixDQUFDLGtCQUFrQixFQUFFLGtCQUFrQixFQUFFLHFCQUFxQixFQUFFLHFCQUFxQixFQUFFLGdCQUFnQixFQUFFLGVBQWUsQ0FBQztRQUU3SSxPQUFPLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztZQUM3QixNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxLQUFLO1lBQ3hCLE9BQU87WUFDUCxTQUFTLEVBQUUsQ0FBQyxRQUFRLEVBQUUsR0FBRyxRQUFRLFVBQVUsQ0FBQyxFQUFFLHFCQUFxQjtTQUNwRSxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7Ozs7T0FPRztJQUNJLE1BQU0sQ0FBQyx1QkFBdUIsQ0FDbkMsU0FBaUIsRUFDakIsVUFBb0IsQ0FBQyxjQUFjLEVBQUUsY0FBYyxDQUFDLEVBQ3BELGlCQUEwQixJQUFJO1FBRTlCLE1BQU0sU0FBUyxHQUFHLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDOUIsSUFBSSxjQUFjLEVBQUUsQ0FBQztZQUNuQixTQUFTLENBQUMsSUFBSSxDQUFDLEdBQUcsU0FBUyxJQUFJLENBQUMsQ0FBQztRQUNuQyxDQUFDO1FBRUQsT0FBTyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDN0IsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztZQUN4QixPQUFPO1lBQ1AsU0FBUztTQUNWLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSSxNQUFNLENBQUMsd0JBQXdCLENBQ3BDLFFBQWdCLEVBQ2hCLFVBQW9CLENBQUMsb0JBQW9CLEVBQUUsbUJBQW1CLEVBQUUsd0JBQXdCLENBQUM7UUFFekYsT0FBTyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDN0IsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztZQUN4QixPQUFPO1lBQ1AsU0FBUyxFQUFFLENBQUMsUUFBUSxDQUFDO1NBQ3RCLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSSxNQUFNLENBQUMsd0JBQXdCLENBQ3BDLFFBQWdCLEVBQ2hCLFVBQW9CLENBQUMsYUFBYSxDQUFDO1FBRW5DLE9BQU8sSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQzdCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7WUFDeEIsT0FBTztZQUNQLFNBQVMsRUFBRSxDQUFDLFFBQVEsQ0FBQztTQUN0QixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksTUFBTSxDQUFDLGtDQUFrQyxDQUM5QyxlQUF1QixFQUN2QixVQUFvQixDQUFDLHVCQUF1QixDQUFDO1FBRTdDLE9BQU8sSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQzdCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7WUFDeEIsT0FBTztZQUNQLFNBQVMsRUFBRSxDQUFDLGVBQWUsQ0FBQztTQUM3QixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksTUFBTSxDQUFDLG1DQUFtQyxDQUMvQyxTQUFpQixFQUNqQixVQUFvQixDQUFDLCtCQUErQixDQUFDO1FBRXJELE9BQU8sSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQzdCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLEtBQUs7WUFDeEIsT0FBTztZQUNQLFNBQVMsRUFBRSxDQUFDLFNBQVMsQ0FBQztTQUN2QixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ksTUFBTSxDQUFDLHdCQUF3QixDQUNwQyxNQUFjLEVBQ2QsVUFBb0IsQ0FBQyxhQUFhLEVBQUUscUJBQXFCLENBQUM7UUFFMUQsT0FBTyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDN0IsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztZQUN4QixPQUFPO1lBQ1AsU0FBUyxFQUFFLENBQUMsTUFBTSxDQUFDO1NBQ3BCLENBQUMsQ0FBQztJQUNMLENBQUM7O0FBN1BILHdDQThQQyIsInNvdXJjZXNDb250ZW50IjpbIi8vIENvcHlyaWdodCBBbWF6b24uY29tLCBJbmMuIG9yIGl0cyBhZmZpbGlhdGVzLiBBbGwgUmlnaHRzIFJlc2VydmVkLlxuLy8gU1BEWC1MaWNlbnNlLUlkZW50aWZpZXI6IEFwYWNoZS0yLjBcbmltcG9ydCAqIGFzIGNkayBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgeyBOYW1lcyB9IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCAqIGFzIGlhbSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtaWFtJztcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gJ2NvbnN0cnVjdHMnO1xuXG4vKipcbiAqIFN0YWNrIGluZm9ybWF0aW9uXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgTGFtYmRhSWFtVXRpbHNTdGFja0luZm8ge1xuICByZWFkb25seSByZWdpb246IHN0cmluZztcbiAgcmVhZG9ubHkgYWNjb3VudDogc3RyaW5nO1xufVxuXG4vKipcbiAqIENvbmZpZ3VyYXRpb24gb3B0aW9ucyBmb3IgTGFtYmRhIENsb3VkV2F0Y2ggTG9ncyBwZXJtaXNzaW9uc1xuICovXG5leHBvcnQgaW50ZXJmYWNlIExhbWJkYUxvZ3NQZXJtaXNzaW9uc1Byb3BzIHtcbiAgLyoqXG4gICAqIFRoZSBjb25zdHJ1Y3Qgc2NvcGUgKHVzZWQgdG8gZ2VuZXJhdGUgdW5pcXVlIG5hbWVzKVxuICAgKi9cbiAgcmVhZG9ubHkgc2NvcGU6IENvbnN0cnVjdDtcblxuICAvKipcbiAgICogVGhlIGJhc2UgbmFtZSBvZiB0aGUgTGFtYmRhIGZ1bmN0aW9uXG4gICAqL1xuICByZWFkb25seSBmdW5jdGlvbk5hbWU6IHN0cmluZztcblxuICAvKipcbiAgICogQ3VzdG9tIGxvZyBncm91cCBuYW1lIHBhdHRlcm5cbiAgICogQGRlZmF1bHQgJy9hd3MvbGFtYmRhL3t1bmlxdWVGdW5jdGlvbk5hbWV9J1xuICAgKi9cbiAgcmVhZG9ubHkgbG9nR3JvdXBOYW1lPzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBBV1MgcmVnaW9uIGZvciB0aGUgbG9nIGdyb3VwIEFSTlxuICAgKi9cbiAgcmVhZG9ubHkgcmVnaW9uOiBzdHJpbmc7XG5cbiAgLyoqXG4gICAqIEFXUyBhY2NvdW50IElEIGZvciB0aGUgbG9nIGdyb3VwIEFSTlxuICAgKi9cbiAgcmVhZG9ubHkgYWNjb3VudDogc3RyaW5nO1xufVxuXG4vKipcbiAqIFJlc3VsdCBvZiBjcmVhdGluZyBMYW1iZGEgbG9ncyBwZXJtaXNzaW9uc1xuICovXG5leHBvcnQgaW50ZXJmYWNlIExhbWJkYUxvZ3NQZXJtaXNzaW9uc1Jlc3VsdCB7XG4gIC8qKlxuICAgKiBUaGUgcG9saWN5IHN0YXRlbWVudHMgZm9yIENsb3VkV2F0Y2ggTG9nc1xuICAgKi9cbiAgcmVhZG9ubHkgcG9saWN5U3RhdGVtZW50czogaWFtLlBvbGljeVN0YXRlbWVudFtdO1xuXG4gIC8qKlxuICAgKiBUaGUgdW5pcXVlIGZ1bmN0aW9uIG5hbWUgdGhhdCB3YXMgZ2VuZXJhdGVkXG4gICAqL1xuICByZWFkb25seSB1bmlxdWVGdW5jdGlvbk5hbWU6IHN0cmluZztcbn1cblxuLyoqXG4gKiBVdGlsaXR5IGNsYXNzIGZvciBjcmVhdGluZyBzZWN1cmUgTGFtYmRhIElBTSBwb2xpY3kgc3RhdGVtZW50cyB3aXRoIG1pbmltYWwgcGVybWlzc2lvbnNcbiAqL1xuZXhwb3J0IGNsYXNzIExhbWJkYUlhbVV0aWxzIHtcbiAgLyoqXG4gICAqIENyZWF0ZXMgQ2xvdWRXYXRjaCBMb2dzIHBvbGljeSBzdGF0ZW1lbnRzIGZvciBMYW1iZGEgZXhlY3V0aW9uXG4gICAqXG4gICAqIEBwYXJhbSBwcm9wcyBDb25maWd1cmF0aW9uIHByb3BlcnRpZXNcbiAgICogQHJldHVybnMgT2JqZWN0IGNvbnRhaW5pbmcgcG9saWN5IHN0YXRlbWVudHMgYW5kIHRoZSB1bmlxdWUgZnVuY3Rpb24gbmFtZVxuICAgKi9cbiAgcHVibGljIHN0YXRpYyBjcmVhdGVMb2dzUGVybWlzc2lvbnMocHJvcHM6IExhbWJkYUxvZ3NQZXJtaXNzaW9uc1Byb3BzKTogTGFtYmRhTG9nc1Blcm1pc3Npb25zUmVzdWx0IHtcbiAgICAvLyBHZW5lcmF0ZSB1bmlxdWUgZnVuY3Rpb24gbmFtZSB1c2luZyBjb25zdHJ1Y3Qgbm9kZSBwYXRoXG4gICAgY29uc3QgdW5pcXVlRnVuY3Rpb25OYW1lID0gTGFtYmRhSWFtVXRpbHMuZ2VuZXJhdGVVbmlxdWVGdW5jdGlvbk5hbWUocHJvcHMuc2NvcGUsIHByb3BzLmZ1bmN0aW9uTmFtZSk7XG4gICAgY29uc3QgbG9nR3JvdXBOYW1lID0gcHJvcHMubG9nR3JvdXBOYW1lIHx8IGAvYXdzL2xhbWJkYS8ke3VuaXF1ZUZ1bmN0aW9uTmFtZX1gO1xuXG4gICAgY29uc3QgcG9saWN5U3RhdGVtZW50cyA9IFtcbiAgICAgIC8vIFBlcm1pc3Npb24gdG8gY3JlYXRlIGxvZyBncm91cFxuICAgICAgbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IGlhbS5FZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFsnbG9nczpDcmVhdGVMb2dHcm91cCddLFxuICAgICAgICByZXNvdXJjZXM6IFtcbiAgICAgICAgICBgYXJuOmF3czpsb2dzOiR7cHJvcHMucmVnaW9ufToke3Byb3BzLmFjY291bnR9OmxvZy1ncm91cDoke2xvZ0dyb3VwTmFtZX06KmAsXG4gICAgICAgIF0sXG4gICAgICB9KSxcbiAgICAgIC8vIFBlcm1pc3Npb24gdG8gY3JlYXRlIGxvZyBzdHJlYW1zIGFuZCBwdXQgbG9nIGV2ZW50c1xuICAgICAgbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IGlhbS5FZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFtcbiAgICAgICAgICAnbG9nczpDcmVhdGVMb2dTdHJlYW0nLFxuICAgICAgICAgICdsb2dzOlB1dExvZ0V2ZW50cycsXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1xuICAgICAgICAgIGBhcm46YXdzOmxvZ3M6JHtwcm9wcy5yZWdpb259OiR7cHJvcHMuYWNjb3VudH06bG9nLWdyb3VwOiR7bG9nR3JvdXBOYW1lfToqYCxcbiAgICAgICAgXSxcbiAgICAgIH0pLFxuICAgIF07XG5cbiAgICByZXR1cm4ge1xuICAgICAgcG9saWN5U3RhdGVtZW50cyxcbiAgICAgIHVuaXF1ZUZ1bmN0aW9uTmFtZSxcbiAgICB9O1xuICB9XG5cbiAgcHVibGljIHN0YXRpYyBnZW5lcmF0ZUxhbWJkYVZQQ1Blcm1pc3Npb25zKCk6IGlhbS5Qb2xpY3lTdGF0ZW1lbnQge1xuICAgIHJldHVybiBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBlZmZlY3Q6IGlhbS5FZmZlY3QuQUxMT1csXG4gICAgICBhY3Rpb25zOiBbXG4gICAgICAgICdlYzI6Q3JlYXRlTmV0d29ya0ludGVyZmFjZScsXG4gICAgICAgICdlYzI6RGVzY3JpYmVOZXR3b3JrSW50ZXJmYWNlcycsXG4gICAgICAgICdlYzI6RGVzY3JpYmVTdWJuZXRzJyxcbiAgICAgICAgJ2VjMjpEZWxldGVOZXR3b3JrSW50ZXJmYWNlJyxcbiAgICAgICAgJ2VjMjpBc3NpZ25Qcml2YXRlSXBBZGRyZXNzZXMnLFxuICAgICAgICAnZWMyOlVuYXNzaWduUHJpdmF0ZUlwQWRkcmVzc2VzJyxcbiAgICAgICAgJ2VjMjpEZXNjcmliZVNlY3VyaXR5R3JvdXBzJyxcbiAgICAgICAgJ2VjMjpEZXNjcmliZVZwY3MnLFxuICAgICAgICAnZWMyOkdldFNlY3VyaXR5R3JvdXBzRm9yVnBjJyxcbiAgICAgIF0sXG4gICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIEdlbmVyYXRlcyBhIHVuaXF1ZSBmdW5jdGlvbiBuYW1lIHVzaW5nIENESydzIGJ1aWx0LWluIGZ1bmN0aW9uYWxpdHlcbiAgICpcbiAgICogQHBhcmFtIHNjb3BlIFRoZSBjb25zdHJ1Y3Qgc2NvcGVcbiAgICogQHBhcmFtIGJhc2VOYW1lIFRoZSBiYXNlIG5hbWUgZm9yIHRoZSBmdW5jdGlvblxuICAgKiBAcmV0dXJucyBVbmlxdWUgZnVuY3Rpb24gbmFtZVxuICAgKi9cbiAgcHVibGljIHN0YXRpYyBnZW5lcmF0ZVVuaXF1ZUZ1bmN0aW9uTmFtZShzY29wZTogQ29uc3RydWN0LCBiYXNlTmFtZTogc3RyaW5nKTogc3RyaW5nIHtcbiAgICByZXR1cm4gYCR7YmFzZU5hbWV9LSR7TmFtZXMudW5pcXVlUmVzb3VyY2VOYW1lKHNjb3BlLCB7IG1heExlbmd0aDogNjQgLSAoYmFzZU5hbWUubGVuZ3RoICsgMSkgfSkudG9Mb3dlckNhc2UoKX1gO1xuICB9XG5cbiAgLyoqXG4gICAqIENyZWF0ZXMgVlBDIHBlcm1pc3Npb25zIGZvciBMYW1iZGEgZnVuY3Rpb25zIHJ1bm5pbmcgaW4gVlBDXG4gICAqXG4gICAqIEByZXR1cm5zIEFycmF5IG9mIElBTSBQb2xpY3lTdGF0ZW1lbnRzIGZvciBWUEMgYWNjZXNzXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGNyZWF0ZVZwY1Blcm1pc3Npb25zKCk6IGlhbS5Qb2xpY3lTdGF0ZW1lbnRbXSB7XG4gICAgcmV0dXJuIFtcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgJ2VjMjpDcmVhdGVOZXR3b3JrSW50ZXJmYWNlJyxcbiAgICAgICAgICAnZWMyOkRlc2NyaWJlTmV0d29ya0ludGVyZmFjZXMnLFxuICAgICAgICAgICdlYzI6RGVsZXRlTmV0d29ya0ludGVyZmFjZScsXG4gICAgICAgICAgJ2VjMjpBdHRhY2hOZXR3b3JrSW50ZXJmYWNlJyxcbiAgICAgICAgICAnZWMyOkRldGFjaE5ldHdvcmtJbnRlcmZhY2UnLFxuICAgICAgICBdLFxuICAgICAgICByZXNvdXJjZXM6IFsnKiddLCAvLyBWUEMgcGVybWlzc2lvbnMgcmVxdWlyZSB3aWxkY2FyZCByZXNvdXJjZXNcbiAgICAgIH0pLFxuICAgIF07XG4gIH1cblxuICAvKipcbiAgICogQ3JlYXRlcyBYLVJheSB0cmFjaW5nIHBlcm1pc3Npb25zIGZvciBMYW1iZGEgZnVuY3Rpb25zXG4gICAqXG4gICAqIEByZXR1cm5zIEFycmF5IG9mIElBTSBQb2xpY3lTdGF0ZW1lbnRzIGZvciBYLVJheSB0cmFjaW5nXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGNyZWF0ZVhSYXlQZXJtaXNzaW9ucygpOiBpYW0uUG9saWN5U3RhdGVtZW50W10ge1xuICAgIHJldHVybiBbXG4gICAgICBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGVmZmVjdDogaWFtLkVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgICd4cmF5OlB1dFRyYWNlU2VnbWVudHMnLFxuICAgICAgICAgICd4cmF5OlB1dFRlbGVtZXRyeVJlY29yZHMnLFxuICAgICAgICBdLFxuICAgICAgICByZXNvdXJjZXM6IFsnKiddLCAvLyBYLVJheSBwZXJtaXNzaW9ucyByZXF1aXJlIHdpbGRjYXJkIHJlc291cmNlc1xuICAgICAgfSksXG4gICAgXTtcbiAgfVxuXG4gIC8qKlxuICAgKiBIZWxwZXIgbWV0aG9kIHRvIGdldCByZWdpb24gYW5kIGFjY291bnQgZnJvbSBhIGNvbnN0cnVjdFxuICAgKlxuICAgKiBAcGFyYW0gc2NvcGUgVGhlIGNvbnN0cnVjdCBzY29wZVxuICAgKiBAcmV0dXJucyBMYW1iZGFJYW1VdGlsc1N0YWNrSW5mb1xuICAgKi9cbiAgcHVibGljIHN0YXRpYyBnZXRTdGFja0luZm8oc2NvcGU6IENvbnN0cnVjdCk6IExhbWJkYUlhbVV0aWxzU3RhY2tJbmZvIHtcbiAgICBjb25zdCBzdGFjayA9IGNkay5TdGFjay5vZihzY29wZSk7XG4gICAgcmV0dXJuIHtcbiAgICAgIHJlZ2lvbjogc3RhY2sucmVnaW9uLFxuICAgICAgYWNjb3VudDogc3RhY2suYWNjb3VudCxcbiAgICB9O1xuICB9XG5cbiAgLyoqXG4gICAqIENyZWF0ZXMgYSBwb2xpY3kgc3RhdGVtZW50IGZvciBEeW5hbW9EQiB0YWJsZSBhY2Nlc3NcbiAgICpcbiAgICogQHBhcmFtIHRhYmxlQXJuIFRoZSBBUk4gb2YgdGhlIER5bmFtb0RCIHRhYmxlXG4gICAqIEBwYXJhbSBhY3Rpb25zIFRoZSBEeW5hbW9EQiBhY3Rpb25zIHRvIGFsbG93XG4gICAqIEByZXR1cm5zIFBvbGljeVN0YXRlbWVudCBmb3IgRHluYW1vREIgYWNjZXNzXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGNyZWF0ZUR5bmFtb0RiUG9saWN5U3RhdGVtZW50KFxuICAgIHRhYmxlQXJuOiBzdHJpbmcsXG4gICAgYWN0aW9uczogc3RyaW5nW10gPSBbJ2R5bmFtb2RiOkdldEl0ZW0nLCAnZHluYW1vZGI6UHV0SXRlbScsICdkeW5hbW9kYjpVcGRhdGVJdGVtJywgJ2R5bmFtb2RiOkRlbGV0ZUl0ZW0nLCAnZHluYW1vZGI6UXVlcnknLCAnZHluYW1vZGI6U2NhbiddLFxuICApOiBpYW0uUG9saWN5U3RhdGVtZW50IHtcbiAgICByZXR1cm4gbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgYWN0aW9ucyxcbiAgICAgIHJlc291cmNlczogW3RhYmxlQXJuLCBgJHt0YWJsZUFybn0vaW5kZXgvKmBdLCAvLyBJbmNsdWRlIEdTSSBhY2Nlc3NcbiAgICB9KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGVzIGEgcG9saWN5IHN0YXRlbWVudCBmb3IgUzMgYnVja2V0IGFjY2Vzc1xuICAgKlxuICAgKiBAcGFyYW0gYnVja2V0QXJuIFRoZSBBUk4gb2YgdGhlIFMzIGJ1Y2tldFxuICAgKiBAcGFyYW0gYWN0aW9ucyBUaGUgUzMgYWN0aW9ucyB0byBhbGxvd1xuICAgKiBAcGFyYW0gaW5jbHVkZU9iamVjdHMgV2hldGhlciB0byBpbmNsdWRlIG9iamVjdC1sZXZlbCBwZXJtaXNzaW9uc1xuICAgKiBAcmV0dXJucyBQb2xpY3lTdGF0ZW1lbnQgZm9yIFMzIGFjY2Vzc1xuICAgKi9cbiAgcHVibGljIHN0YXRpYyBjcmVhdGVTM1BvbGljeVN0YXRlbWVudChcbiAgICBidWNrZXRBcm46IHN0cmluZyxcbiAgICBhY3Rpb25zOiBzdHJpbmdbXSA9IFsnczM6R2V0T2JqZWN0JywgJ3MzOlB1dE9iamVjdCddLFxuICAgIGluY2x1ZGVPYmplY3RzOiBib29sZWFuID0gdHJ1ZSxcbiAgKTogaWFtLlBvbGljeVN0YXRlbWVudCB7XG4gICAgY29uc3QgcmVzb3VyY2VzID0gW2J1Y2tldEFybl07XG4gICAgaWYgKGluY2x1ZGVPYmplY3RzKSB7XG4gICAgICByZXNvdXJjZXMucHVzaChgJHtidWNrZXRBcm59LypgKTtcbiAgICB9XG5cbiAgICByZXR1cm4gbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgYWN0aW9ucyxcbiAgICAgIHJlc291cmNlcyxcbiAgICB9KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGVzIGEgcG9saWN5IHN0YXRlbWVudCBmb3IgU1FTIHF1ZXVlIGFjY2Vzc1xuICAgKlxuICAgKiBAcGFyYW0gcXVldWVBcm4gVGhlIEFSTiBvZiB0aGUgU1FTIHF1ZXVlXG4gICAqIEBwYXJhbSBhY3Rpb25zIFRoZSBTUVMgYWN0aW9ucyB0byBhbGxvd1xuICAgKiBAcmV0dXJucyBQb2xpY3lTdGF0ZW1lbnQgZm9yIFNRUyBhY2Nlc3NcbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgY3JlYXRlU3FzUG9saWN5U3RhdGVtZW50KFxuICAgIHF1ZXVlQXJuOiBzdHJpbmcsXG4gICAgYWN0aW9uczogc3RyaW5nW10gPSBbJ3NxczpSZWNlaXZlTWVzc2FnZScsICdzcXM6RGVsZXRlTWVzc2FnZScsICdzcXM6R2V0UXVldWVBdHRyaWJ1dGVzJ10sXG4gICk6IGlhbS5Qb2xpY3lTdGF0ZW1lbnQge1xuICAgIHJldHVybiBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBlZmZlY3Q6IGlhbS5FZmZlY3QuQUxMT1csXG4gICAgICBhY3Rpb25zLFxuICAgICAgcmVzb3VyY2VzOiBbcXVldWVBcm5dLFxuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIENyZWF0ZXMgYSBwb2xpY3kgc3RhdGVtZW50IGZvciBTTlMgdG9waWMgYWNjZXNzXG4gICAqXG4gICAqIEBwYXJhbSB0b3BpY0FybiBUaGUgQVJOIG9mIHRoZSBTTlMgdG9waWNcbiAgICogQHBhcmFtIGFjdGlvbnMgVGhlIFNOUyBhY3Rpb25zIHRvIGFsbG93XG4gICAqIEByZXR1cm5zIFBvbGljeVN0YXRlbWVudCBmb3IgU05TIGFjY2Vzc1xuICAgKi9cbiAgcHVibGljIHN0YXRpYyBjcmVhdGVTbnNQb2xpY3lTdGF0ZW1lbnQoXG4gICAgdG9waWNBcm46IHN0cmluZyxcbiAgICBhY3Rpb25zOiBzdHJpbmdbXSA9IFsnc25zOlB1Ymxpc2gnXSxcbiAgKTogaWFtLlBvbGljeVN0YXRlbWVudCB7XG4gICAgcmV0dXJuIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgIGVmZmVjdDogaWFtLkVmZmVjdC5BTExPVyxcbiAgICAgIGFjdGlvbnMsXG4gICAgICByZXNvdXJjZXM6IFt0b3BpY0Fybl0sXG4gICAgfSk7XG4gIH1cblxuICAvKipcbiAgICogQ3JlYXRlcyBhIHBvbGljeSBzdGF0ZW1lbnQgZm9yIFN0ZXAgRnVuY3Rpb25zIGV4ZWN1dGlvblxuICAgKlxuICAgKiBAcGFyYW0gc3RhdGVNYWNoaW5lQXJuIFRoZSBBUk4gb2YgdGhlIFN0ZXAgRnVuY3Rpb25zIHN0YXRlIG1hY2hpbmVcbiAgICogQHBhcmFtIGFjdGlvbnMgVGhlIFN0ZXAgRnVuY3Rpb25zIGFjdGlvbnMgdG8gYWxsb3dcbiAgICogQHJldHVybnMgUG9saWN5U3RhdGVtZW50IGZvciBTdGVwIEZ1bmN0aW9ucyBhY2Nlc3NcbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgY3JlYXRlU3RlcEZ1bmN0aW9uc1BvbGljeVN0YXRlbWVudChcbiAgICBzdGF0ZU1hY2hpbmVBcm46IHN0cmluZyxcbiAgICBhY3Rpb25zOiBzdHJpbmdbXSA9IFsnc3RhdGVzOlN0YXJ0RXhlY3V0aW9uJ10sXG4gICk6IGlhbS5Qb2xpY3lTdGF0ZW1lbnQge1xuICAgIHJldHVybiBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBlZmZlY3Q6IGlhbS5FZmZlY3QuQUxMT1csXG4gICAgICBhY3Rpb25zLFxuICAgICAgcmVzb3VyY2VzOiBbc3RhdGVNYWNoaW5lQXJuXSxcbiAgICB9KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBDcmVhdGVzIGEgcG9saWN5IHN0YXRlbWVudCBmb3IgU2VjcmV0cyBNYW5hZ2VyIGFjY2Vzc1xuICAgKlxuICAgKiBAcGFyYW0gc2VjcmV0QXJuIFRoZSBBUk4gb2YgdGhlIHNlY3JldFxuICAgKiBAcGFyYW0gYWN0aW9ucyBUaGUgU2VjcmV0cyBNYW5hZ2VyIGFjdGlvbnMgdG8gYWxsb3dcbiAgICogQHJldHVybnMgUG9saWN5U3RhdGVtZW50IGZvciBTZWNyZXRzIE1hbmFnZXIgYWNjZXNzXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGNyZWF0ZVNlY3JldHNNYW5hZ2VyUG9saWN5U3RhdGVtZW50KFxuICAgIHNlY3JldEFybjogc3RyaW5nLFxuICAgIGFjdGlvbnM6IHN0cmluZ1tdID0gWydzZWNyZXRzbWFuYWdlcjpHZXRTZWNyZXRWYWx1ZSddLFxuICApOiBpYW0uUG9saWN5U3RhdGVtZW50IHtcbiAgICByZXR1cm4gbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgYWN0aW9ucyxcbiAgICAgIHJlc291cmNlczogW3NlY3JldEFybl0sXG4gICAgfSk7XG4gIH1cblxuICAvKipcbiAgICogQ3JlYXRlcyBhIHBvbGljeSBzdGF0ZW1lbnQgZm9yIEtNUyBrZXkgYWNjZXNzXG4gICAqXG4gICAqIEBwYXJhbSBrZXlBcm4gVGhlIEFSTiBvZiB0aGUgS01TIGtleVxuICAgKiBAcGFyYW0gYWN0aW9ucyBUaGUgS01TIGFjdGlvbnMgdG8gYWxsb3dcbiAgICogQHJldHVybnMgUG9saWN5U3RhdGVtZW50IGZvciBLTVMgYWNjZXNzXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGNyZWF0ZUttc1BvbGljeVN0YXRlbWVudChcbiAgICBrZXlBcm46IHN0cmluZyxcbiAgICBhY3Rpb25zOiBzdHJpbmdbXSA9IFsna21zOkRlY3J5cHQnLCAna21zOkdlbmVyYXRlRGF0YUtleSddLFxuICApOiBpYW0uUG9saWN5U3RhdGVtZW50IHtcbiAgICByZXR1cm4gbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgYWN0aW9ucyxcbiAgICAgIHJlc291cmNlczogW2tleUFybl0sXG4gICAgfSk7XG4gIH1cbn1cbiJdfQ==

package/lib/utilities/lambda_layers/data-masking/layer-construct.d.ts

@@ -0,0 +1,42 @@
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { Construct } from 'constructs';
+/**
+ * Properties for the DataMaskingLayerConstruct
+ */
+export interface DataMaskingLayerProps {
+    /**
+     * Description for the Lambda layer
+     * @default 'Lambda layer for masking sensitive data in document processing'
+     */
+    description?: string;
+    /**
+     * Custom masking patterns to add to the default ones
+     * @default {}
+     */
+    customPatterns?: Record<string, {
+        /**
+         * Regular expression pattern as string
+         */
+        regex: string;
+        /**
+         * Mask to apply (string or function name)
+         */
+        mask: string;
+    }>;
+}
+/**
+ * Construct that creates a Lambda layer for data masking
+ */
+export declare class DataMaskingLayerConstruct extends Construct {
+    /**
+     * The Lambda layer containing masking utilities
+     */
+    readonly layer: lambda.LayerVersion;
+    constructor(scope: Construct, id: string, props?: DataMaskingLayerProps);
+    /**
+     * Adds the masking layer to a Lambda function
+     * @param fn Lambda function to add the layer to
+     * @param maskingConfig Optional masking configuration to add as environment variable
+     */
+    addToFunction(fn: lambda.Function, maskingConfig?: Record<string, string[]>): void;
+}

package/lib/utilities/lambda_layers/data-masking/layer-construct.js

@@ -0,0 +1,53 @@
+"use strict";
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataMaskingLayerConstruct = void 0;
+const path = require("path");
+const lambda = require("aws-cdk-lib/aws-lambda");
+const constructs_1 = require("constructs");
+/**
+ * Construct that creates a Lambda layer for data masking
+ */
+class DataMaskingLayerConstruct extends constructs_1.Construct {
+    constructor(scope, id, props = {}) {
+        super(scope, id);
+        // Create the Lambda layer
+        this.layer = new lambda.LayerVersion(this, 'DataMaskingLayer', {
+            code: lambda.Code.fromAsset(path.join(__dirname, '../../../utilities/lambda_layers/data-masking')),
+            compatibleRuntimes: [
+                lambda.Runtime.NODEJS_16_X,
+                lambda.Runtime.NODEJS_18_X,
+                lambda.Runtime.NODEJS_20_X,
+            ],
+            description: props.description || 'Lambda layer for masking sensitive data',
+            license: 'Apache-2.0',
+        });
+        // Add metadata about available masking patterns
+        const defaultPatterns = [
+            'nric', 'ssn', 'creditCard', 'email', 'phone', 'passport',
+        ];
+        // Add custom patterns if provided
+        const allPatterns = [...defaultPatterns];
+        if (props.customPatterns) {
+            allPatterns.push(...Object.keys(props.customPatterns));
+        }
+        // Add metadata to the construct
+        this.node.addMetadata('maskingPatterns', allPatterns.join(', '));
+    }
+    /**
+     * Adds the masking layer to a Lambda function
+     * @param fn Lambda function to add the layer to
+     * @param maskingConfig Optional masking configuration to add as environment variable
+     */
+    addToFunction(fn, maskingConfig) {
+        // Add the layer to the function
+        fn.addLayers(this.layer);
+        // Add masking configuration if provided
+        if (maskingConfig) {
+            fn.addEnvironment('MASKING_CONFIG', JSON.stringify(maskingConfig));
+        }
+    }
+}
+exports.DataMaskingLayerConstruct = DataMaskingLayerConstruct;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibGF5ZXItY29uc3RydWN0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vdXNlLWNhc2VzL3V0aWxpdGllcy9sYW1iZGFfbGF5ZXJzL2RhdGEtbWFza2luZy9sYXllci1jb25zdHJ1Y3QudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLHFFQUFxRTtBQUNyRSxzQ0FBc0M7OztBQUV0Qyw2QkFBNkI7QUFDN0IsaURBQWlEO0FBQ2pELDJDQUF1QztBQTZCdkM7O0dBRUc7QUFDSCxNQUFhLHlCQUEwQixTQUFRLHNCQUFTO0lBTXRELFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsUUFBK0IsRUFBRTtRQUN6RSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBRWpCLDBCQUEwQjtRQUMxQixJQUFJLENBQUMsS0FBSyxHQUFHLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxJQUFJLEVBQUUsa0JBQWtCLEVBQUU7WUFDN0QsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLCtDQUErQyxDQUFDLENBQUM7WUFDbEcsa0JBQWtCLEVBQUU7Z0JBQ2xCLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVztnQkFDMUIsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXO2dCQUMxQixNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVc7YUFDM0I7WUFDRCxXQUFXLEVBQUUsS0FBSyxDQUFDLFdBQVcsSUFBSSx5Q0FBeUM7WUFDM0UsT0FBTyxFQUFFLFlBQVk7U0FDdEIsQ0FBQyxDQUFDO1FBRUgsZ0RBQWdEO1FBQ2hELE1BQU0sZUFBZSxHQUFHO1lBQ3RCLE1BQU0sRUFBRSxLQUFLLEVBQUUsWUFBWSxFQUFFLE9BQU8sRUFBRSxPQUFPLEVBQUUsVUFBVTtTQUMxRCxDQUFDO1FBRUYsa0NBQWtDO1FBQ2xDLE1BQU0sV0FBVyxHQUFHLENBQUMsR0FBRyxlQUFlLENBQUMsQ0FBQztRQUN6QyxJQUFJLEtBQUssQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUN6QixXQUFXLENBQUMsSUFBSSxDQUFDLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsY0FBYyxDQUFDLENBQUMsQ0FBQztRQUN6RCxDQUFDO1FBRUQsZ0NBQWdDO1FBQ2hDLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLGlCQUFpQixFQUFFLFdBQVcsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztJQUNuRSxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLGFBQWEsQ0FBQyxFQUFtQixFQUFFLGFBQXdDO1FBQ2hGLGdDQUFnQztRQUNoQyxFQUFFLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUV6Qix3Q0FBd0M7UUFDeEMsSUFBSSxhQUFhLEVBQUUsQ0FBQztZQUNsQixFQUFFLENBQUMsY0FBYyxDQUFDLGdCQUFnQixFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQztRQUNyRSxDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBbERELDhEQWtEQyIsInNvdXJjZXNDb250ZW50IjpbIi8vIENvcHlyaWdodCBBbWF6b24uY29tLCBJbmMuIG9yIGl0cyBhZmZpbGlhdGVzLiBBbGwgUmlnaHRzIFJlc2VydmVkLlxuLy8gU1BEWC1MaWNlbnNlLUlkZW50aWZpZXI6IEFwYWNoZS0yLjBcblxuaW1wb3J0ICogYXMgcGF0aCBmcm9tICdwYXRoJztcbmltcG9ydCAqIGFzIGxhbWJkYSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbGFtYmRhJztcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gJ2NvbnN0cnVjdHMnO1xuXG4vKipcbiAqIFByb3BlcnRpZXMgZm9yIHRoZSBEYXRhTWFza2luZ0xheWVyQ29uc3RydWN0XG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgRGF0YU1hc2tpbmdMYXllclByb3BzIHtcbiAgLyoqXG4gICAqIERlc2NyaXB0aW9uIGZvciB0aGUgTGFtYmRhIGxheWVyXG4gICAqIEBkZWZhdWx0ICdMYW1iZGEgbGF5ZXIgZm9yIG1hc2tpbmcgc2Vuc2l0aXZlIGRhdGEgaW4gZG9jdW1lbnQgcHJvY2Vzc2luZydcbiAgICovXG4gIGRlc2NyaXB0aW9uPzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBDdXN0b20gbWFza2luZyBwYXR0ZXJucyB0byBhZGQgdG8gdGhlIGRlZmF1bHQgb25lc1xuICAgKiBAZGVmYXVsdCB7fVxuICAgKi9cbiAgY3VzdG9tUGF0dGVybnM/OiBSZWNvcmQ8c3RyaW5nLCB7XG4gICAgLyoqXG4gICAgICogUmVndWxhciBleHByZXNzaW9uIHBhdHRlcm4gYXMgc3RyaW5nXG4gICAgICovXG4gICAgcmVnZXg6IHN0cmluZztcblxuICAgIC8qKlxuICAgICAqIE1hc2sgdG8gYXBwbHkgKHN0cmluZyBvciBmdW5jdGlvbiBuYW1lKVxuICAgICAqL1xuICAgIG1hc2s6IHN0cmluZztcbiAgfT47XG59XG5cbi8qKlxuICogQ29uc3RydWN0IHRoYXQgY3JlYXRlcyBhIExhbWJkYSBsYXllciBmb3IgZGF0YSBtYXNraW5nXG4gKi9cbmV4cG9ydCBjbGFzcyBEYXRhTWFza2luZ0xheWVyQ29uc3RydWN0IGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgLyoqXG4gICAqIFRoZSBMYW1iZGEgbGF5ZXIgY29udGFpbmluZyBtYXNraW5nIHV0aWxpdGllc1xuICAgKi9cbiAgcHVibGljIHJlYWRvbmx5IGxheWVyOiBsYW1iZGEuTGF5ZXJWZXJzaW9uO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBEYXRhTWFza2luZ0xheWVyUHJvcHMgPSB7fSkge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICAvLyBDcmVhdGUgdGhlIExhbWJkYSBsYXllclxuICAgIHRoaXMubGF5ZXIgPSBuZXcgbGFtYmRhLkxheWVyVmVyc2lvbih0aGlzLCAnRGF0YU1hc2tpbmdMYXllcicsIHtcbiAgICAgIGNvZGU6IGxhbWJkYS5Db2RlLmZyb21Bc3NldChwYXRoLmpvaW4oX19kaXJuYW1lLCAnLi4vLi4vLi4vdXRpbGl0aWVzL2xhbWJkYV9sYXllcnMvZGF0YS1tYXNraW5nJykpLFxuICAgICAgY29tcGF0aWJsZVJ1bnRpbWVzOiBbXG4gICAgICAgIGxhbWJkYS5SdW50aW1lLk5PREVKU18xNl9YLFxuICAgICAgICBsYW1iZGEuUnVudGltZS5OT0RFSlNfMThfWCxcbiAgICAgICAgbGFtYmRhLlJ1bnRpbWUuTk9ERUpTXzIwX1gsXG4gICAgICBdLFxuICAgICAgZGVzY3JpcHRpb246IHByb3BzLmRlc2NyaXB0aW9uIHx8ICdMYW1iZGEgbGF5ZXIgZm9yIG1hc2tpbmcgc2Vuc2l0aXZlIGRhdGEnLFxuICAgICAgbGljZW5zZTogJ0FwYWNoZS0yLjAnLFxuICAgIH0pO1xuXG4gICAgLy8gQWRkIG1ldGFkYXRhIGFib3V0IGF2YWlsYWJsZSBtYXNraW5nIHBhdHRlcm5zXG4gICAgY29uc3QgZGVmYXVsdFBhdHRlcm5zID0gW1xuICAgICAgJ25yaWMnLCAnc3NuJywgJ2NyZWRpdENhcmQnLCAnZW1haWwnLCAncGhvbmUnLCAncGFzc3BvcnQnLFxuICAgIF07XG5cbiAgICAvLyBBZGQgY3VzdG9tIHBhdHRlcm5zIGlmIHByb3ZpZGVkXG4gICAgY29uc3QgYWxsUGF0dGVybnMgPSBbLi4uZGVmYXVsdFBhdHRlcm5zXTtcbiAgICBpZiAocHJvcHMuY3VzdG9tUGF0dGVybnMpIHtcbiAgICAgIGFsbFBhdHRlcm5zLnB1c2goLi4uT2JqZWN0LmtleXMocHJvcHMuY3VzdG9tUGF0dGVybnMpKTtcbiAgICB9XG5cbiAgICAvLyBBZGQgbWV0YWRhdGEgdG8gdGhlIGNvbnN0cnVjdFxuICAgIHRoaXMubm9kZS5hZGRNZXRhZGF0YSgnbWFza2luZ1BhdHRlcm5zJywgYWxsUGF0dGVybnMuam9pbignLCAnKSk7XG4gIH1cblxuICAvKipcbiAgICogQWRkcyB0aGUgbWFza2luZyBsYXllciB0byBhIExhbWJkYSBmdW5jdGlvblxuICAgKiBAcGFyYW0gZm4gTGFtYmRhIGZ1bmN0aW9uIHRvIGFkZCB0aGUgbGF5ZXIgdG9cbiAgICogQHBhcmFtIG1hc2tpbmdDb25maWcgT3B0aW9uYWwgbWFza2luZyBjb25maWd1cmF0aW9uIHRvIGFkZCBhcyBlbnZpcm9ubWVudCB2YXJpYWJsZVxuICAgKi9cbiAgcHVibGljIGFkZFRvRnVuY3Rpb24oZm46IGxhbWJkYS5GdW5jdGlvbiwgbWFza2luZ0NvbmZpZz86IFJlY29yZDxzdHJpbmcsIHN0cmluZ1tdPik6IHZvaWQge1xuICAgIC8vIEFkZCB0aGUgbGF5ZXIgdG8gdGhlIGZ1bmN0aW9uXG4gICAgZm4uYWRkTGF5ZXJzKHRoaXMubGF5ZXIpO1xuXG4gICAgLy8gQWRkIG1hc2tpbmcgY29uZmlndXJhdGlvbiBpZiBwcm92aWRlZFxuICAgIGlmIChtYXNraW5nQ29uZmlnKSB7XG4gICAgICBmbi5hZGRFbnZpcm9ubWVudCgnTUFTS0lOR19DT05GSUcnLCBKU09OLnN0cmluZ2lmeShtYXNraW5nQ29uZmlnKSk7XG4gICAgfVxuICB9XG59XG4iXX0=

package/lib/utilities/lambda_layers/data-masking/layer-construct.ts

@@ -0,0 +1,88 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import * as path from 'path';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { Construct } from 'constructs';
+
+/**
+ * Properties for the DataMaskingLayerConstruct
+ */
+export interface DataMaskingLayerProps {
+  /**
+   * Description for the Lambda layer
+   * @default 'Lambda layer for masking sensitive data in document processing'
+   */
+  description?: string;
+
+  /**
+   * Custom masking patterns to add to the default ones
+   * @default {}
+   */
+  customPatterns?: Record<string, {
+    /**
+     * Regular expression pattern as string
+     */
+    regex: string;
+
+    /**
+     * Mask to apply (string or function name)
+     */
+    mask: string;
+  }>;
+}
+
+/**
+ * Construct that creates a Lambda layer for data masking
+ */
+export class DataMaskingLayerConstruct extends Construct {
+  /**
+   * The Lambda layer containing masking utilities
+   */
+  public readonly layer: lambda.LayerVersion;
+
+  constructor(scope: Construct, id: string, props: DataMaskingLayerProps = {}) {
+    super(scope, id);
+
+    // Create the Lambda layer
+    this.layer = new lambda.LayerVersion(this, 'DataMaskingLayer', {
+      code: lambda.Code.fromAsset(path.join(__dirname, '../../../utilities/lambda_layers/data-masking')),
+      compatibleRuntimes: [
+        lambda.Runtime.NODEJS_16_X,
+        lambda.Runtime.NODEJS_18_X,
+        lambda.Runtime.NODEJS_20_X,
+      ],
+      description: props.description || 'Lambda layer for masking sensitive data',
+      license: 'Apache-2.0',
+    });
+
+    // Add metadata about available masking patterns
+    const defaultPatterns = [
+      'nric', 'ssn', 'creditCard', 'email', 'phone', 'passport',
+    ];
+
+    // Add custom patterns if provided
+    const allPatterns = [...defaultPatterns];
+    if (props.customPatterns) {
+      allPatterns.push(...Object.keys(props.customPatterns));
+    }
+
+    // Add metadata to the construct
+    this.node.addMetadata('maskingPatterns', allPatterns.join(', '));
+  }
+
+  /**
+   * Adds the masking layer to a Lambda function
+   * @param fn Lambda function to add the layer to
+   * @param maskingConfig Optional masking configuration to add as environment variable
+   */
+  public addToFunction(fn: lambda.Function, maskingConfig?: Record<string, string[]>): void {
+    // Add the layer to the function
+    fn.addLayers(this.layer);
+
+    // Add masking configuration if provided
+    if (maskingConfig) {
+      fn.addEnvironment('MASKING_CONFIG', JSON.stringify(maskingConfig));
+    }
+  }
+}

package/lib/utilities/observability/bedrock-observability.d.ts

@@ -0,0 +1,18 @@
+import { RemovalPolicy } from 'aws-cdk-lib';
+import { Role } from 'aws-cdk-lib/aws-iam';
+import { Key } from 'aws-cdk-lib/aws-kms';
+import { LogGroup } from 'aws-cdk-lib/aws-logs';
+import { Construct } from 'constructs';
+import { LogGroupDataProtectionProps } from './log-group-data-protection-props';
+export interface BedrockObservabilityProps {
+    readonly logGroupDataProtection?: LogGroupDataProtectionProps;
+    readonly loggingRole?: Role;
+    readonly overrideExistingConfiguration?: boolean;
+    readonly removalPolicy?: RemovalPolicy;
+}
+export declare class BedrockObservability extends Construct {
+    readonly logGroup: LogGroup;
+    readonly loggingRole: Role;
+    readonly encryptionKey: Key;
+    constructor(scope: Construct, id: string, props?: BedrockObservabilityProps);
+}