@cdklabs/cdk-hyperledger-fabric-network 0.0.20

package/LICENSE

@@ -0,0 +1,15 @@
+Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+

package/README.md

@@ -0,0 +1,150 @@
+# Hyperledger Fabric on Amazon Managed Blockchain
+
+![license](https://img.shields.io/github/license/cdklabs/cdk-hyperledger-fabric-network?color=green)
+![release](https://img.shields.io/github/v/release/cdklabs/cdk-hyperledger-fabric-network?color=green)
+![npm:version](https://img.shields.io/npm/v/@cdklabs/cdk-hyperledger-fabric-network?color=blue)
+![PyPi:version](https://img.shields.io/pypi/v/cdklabs.cdk-hypderledger-fabric-network?color=blue)
+![Maven:version](https://img.shields.io/maven-central/v/io.github.cdklabs/cdk-hypderledger-fabric-network?color=blue)
+![NuGet:version](https://img.shields.io/nuget/v/Cdklabs.CdkHyperledgerFabricNetwork?color=blue)
+
+This repository contains a CDK construct to deploy a Hyperledger Fabric network
+running on Amazon Managed Blockchain. It builds out a member and its nodes, a VPC
+and associated endpoint to access them, and a set of users enrolled on the network.
+
+The following functionality is planned for future releases:
+
+*  Create channels on nodes
+*  Instantiate chaincode on nodes
+
+
+## Installation
+
+Note that this construct requires [AWS CDK v2](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html#getting_started_install).
+
+#### JavaScript
+
+```bash
+npm install --save @cdklabs/cdk-hyperledger-fabric-network
+```
+
+#### Python
+
+```bash
+pip3 install cdklabs.cdk-hyperledger-fabric-network
+```
+
+#### Java
+
+Add the following to `pom.xml`:
+
+```xml
+<dependency>
+  <groupId>io.github.cdklabs</groupId>
+  <artifactId>cdk-hypderledger-fabric-network</artifactId>
+</dependency>
+```
+
+#### .NET
+
+```bash
+dotnet add package Cdklabs.CdkHyperledgerFabricNetwork
+```
+
+
+## Usage
+
+A minimally complete deployment is shown below. By default, a standard network
+will be created running Hyperledger Fabric 1.4 with a single `bc.t3.small` node.
+
+```typescript
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { HyperledgerFabricNetwork } from '@cdklabs/cdk-hyperledger-fabric-network';
+
+class MyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    new HyperledgerFabricNetwork(this, 'Example', {
+      networkName: 'MyNetwork',
+      memberName: 'MyMember',
+    });
+  }
+}
+```
+
+The equivalent Python code is as follows:
+
+```python
+from aws_cdk import Stack
+from cdklabs.cdk_hyperledger_fabric_network import HyperledgerFabricNetwork
+
+class MyStack(Stack):
+    def __init__(self, scope, id, **kwargs):
+        super().__init__(scope, id, **kwargs)
+        HyperledgerFabricNetwork(
+            self, 'Example',
+            network_name='MyNetwork',
+            member_name='MyMember',
+        )
+```
+
+The following is a more complex instantiation illustrating some of the options available.
+
+```typescript
+new HyperledgerFabricNetwork(this, 'Example', {
+  networkName: 'MyNetwork',
+  networkDescription: 'This is my Hyperledger Fabric network',
+  memberName: 'MyMember',
+  networkDescription: 'This is my Hyperledger Fabric member',
+  frameworkVersion: hyperledger.FrameworkVersion.VERSION_1_2,
+  proposalDurationInHours: 48,
+  thresholdPercentage: 75,
+  nodes: [
+    {
+      availabilityZone: 'us-east-1a',
+      instanceType: hyperledger.InstanceType.STANDARD5_LARGE,
+    },
+    {
+      availabilityZone: 'us-east-1b',
+      instanceType: hyperledger.InstanceType.STANDARD5_LARGE,
+    },
+  ],
+  users: [
+    { userId: 'AppUser1', affilitation: 'MyMember' },
+    { userId: 'AppUser2', affilitation: 'MyMember.department1' },
+  ],
+});
+```
+
+See the [API Documentation](API.md) for details on all available input and output parameters.
+
+
+## References
+
+*  [AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/home.html)
+*  [Amazon Managed Blockchain](https://aws.amazon.com/managed-blockchain/)
+*  [Hyperledger Fabric](https://hyperledger-fabric.readthedocs.io/)
+*  [Node Fabric SDK](https://hyperledger.github.io/fabric-sdk-node/release-1.4/index.html)
+*  [Fabric Chaincode Node](https://hyperledger.github.io/fabric-chaincode-node/)
+
+
+## Contributing
+
+Pull requests are welcomed. Please review the [Contributing Guidelines](CONTRIBUTING.md)
+and the [Code of Conduct](CODE_OF_CONDUCT.md).
+
+
+## Security
+
+See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
+
+
+## Authors
+
+*  Jud Neer (judneer@amazon.com)
+*  Vignesh Rajasingh (vrajasin@amazon.com)
+
+
+## License
+
+This project is licensed under the MIT-0 License. See the [LICENSE](LICENSE) file for details.

package/examples/python/hyperledger.py

@@ -0,0 +1,90 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+
+import os
+
+import aws_cdk as cdk
+
+import cdk_hyperledger_fabric_network as hyperledger
+
+
+class HyperledgerTestStack(cdk.Stack):
+
+    def __init__(self, scope, id, **kwargs):
+        super().__init__(scope, id, **kwargs)
+        network = hyperledger.HyperledgerFabricNetwork(
+            self, 'MyNetwork',
+            network_name='IntegrationTestNetwork',
+            member_name='IntegrationTestMember',
+            nodes=[
+                {'availability_zone': 'us-east-1a', 'instance_type': hyperledger.InstanceType.STANDARD5_LARGE},
+                {'availability_zone': 'us-east-1b', 'instance_yype': hyperledger.InstanceType.STANDARD5_LARGE},
+            ],
+        )
+        cdk.CfnOutput(
+            self, 'NetworkId',
+            description='Managed Blockchain network identifier',
+            value=network.networkId,
+        )
+        cdk.CfnOutput(
+            self, 'MemberId',
+            description='Managed Blockchain member identifier',
+            value=network.memberId,
+        )
+        cdk.CfnOutput(
+            self, 'VpcEndpointServiceName',
+            description='Managed Blockchain network VPC endpoint service name',
+            value=network.vpcEndpointServiceName,
+        )
+        cdk.CfnOutput(
+            self, 'OrdererEndpoint',
+            description='Managed Blockchain network ordering service endpoint',
+            value=network.ordererEndpoint,
+        )
+        cdk.CfnOutput(
+            self, 'CaEndpoint',
+            description='Managed Blockchain member CA endpoint',
+            value=network.caEndpoint,
+        )
+        cdk.CfnOutput(
+            self, 'AdminPasswordArn',
+            description='Secret ARN for the Hyperledger Fabric admin password',
+            value=network.adminPasswordSecret.secretFullArn or network.adminPasswordSecret.secretArn,
+        )
+        cdk.CfnOutput(
+            self, 'AdminPrivateKeyArn',
+            description='Secret ARN for Hyperledger Fabric admin private key',
+            value=network.adminPrivateKeySecret.secretFullArn or network.adminPrivateKeySecret.secretArn,
+        )
+        cdk.CfnOutput(
+            self, 'AdminSignedCertArn',
+            description='Secret ARN for Hyperledger Fabric admin signed certificate',
+            value=network.adminSignedCertSecret.secretFullArn or network.adminSignedCertSecret.secretArn,
+        )
+        cdk.CfnOutput(
+            self, 'NodeIds',
+            description='Comma-separated list of Managed Blockchain node identifiers',
+            value=','.join(n.nodeId for n in network.nodes),
+        )
+        cdk.CfnOutput(
+            self, 'NodeEndpoints',
+            description='Comma-separated list of Managed Blockchain node endpoints',
+            value=','.join(n.endpoint for n in network.nodes),
+        )
+        cdk.CfnOutput(
+            self, 'NodeEventEndpoints',
+            description='Comma-separated list of Managed Blockchain node event endpoints',
+            value=','.join(n.eventEndpoint for n in network.nodes),
+        )
+
+
+app = cdk.App()
+
+HyperledgerTestStack(
+    app, 'HyperledgerTestStack',
+    env={
+        'account': os.environ['CDK_DEFAULT_ACCOUNT'],
+        'region': os.environ['CDK_DEFAULT_REGION'],
+    }
+)

package/examples/typescript/hyperledger.ts

@@ -0,0 +1,106 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+
+import * as cdk from 'aws-cdk-lib';
+import * as cdknag from 'cdk-nag';
+import * as constructs from 'constructs';
+
+import * as hyperledger from 'cdk-hyperledger-fabric-network';
+
+
+class HyperledgerTestStack extends cdk.Stack {
+
+  constructor(scope: constructs.Construct, id: string, props?: cdk.StackProps) {
+
+    super(scope, id, props);
+
+    const network = new hyperledger.HyperledgerFabricNetwork(this, 'IntegrationTestNetwork', {
+      networkName: 'IntegrationTestNetwork',
+      memberName: 'IntegrationTestMember',
+      nodes: [
+        {
+          availabilityZone: 'us-east-1a',
+          instanceType: hyperledger.InstanceType.STANDARD5_LARGE,
+        },
+        {
+          availabilityZone: 'us-east-1b',
+          instanceType: hyperledger.InstanceType.STANDARD5_LARGE,
+        },
+      ],
+    });
+
+    new cdk.CfnOutput(this, 'NetworkId', {
+      description: 'Managed Blockchain network identifier',
+      value: network.networkId,
+    });
+
+    new cdk.CfnOutput(this, 'MemberId', {
+      description: 'Managed Blockchain member identifier',
+      value: network.memberId,
+    });
+
+    new cdk.CfnOutput(this, 'VpcEndpointServiceName', {
+      description: 'Managed Blockchain network VPC endpoint service name',
+      value: network.vpcEndpointServiceName,
+    });
+
+    new cdk.CfnOutput(this, 'OrdererEndpoint', {
+      description: 'Managed Blockchain network ordering service endpoint',
+      value: network.ordererEndpoint,
+    });
+
+    new cdk.CfnOutput(this, 'CaEndpoint', {
+      description: 'Managed Blockchain member CA endpoint',
+      value: network.caEndpoint,
+    });
+
+    new cdk.CfnOutput(this, 'AdminPasswordArn', {
+      description: 'Secret ARN for the Hyperledger Fabric admin password',
+      value: network.adminPasswordSecret.secretFullArn ?? network.adminPasswordSecret.secretArn,
+    });
+
+    new cdk.CfnOutput(this, 'AdminPrivateKeyArn', {
+      description: 'Secret ARN for Hyperledger Fabric admin private key',
+      value: network.adminPrivateKeySecret.secretFullArn ?? network.adminPrivateKeySecret.secretArn,
+    });
+
+    new cdk.CfnOutput(this, 'AdminSignedCertArn', {
+      description: 'Secret ARN for Hyperledger Fabric admin signed certificate',
+      value: network.adminSignedCertSecret.secretFullArn ?? network.adminSignedCertSecret.secretArn,
+    });
+
+    new cdk.CfnOutput(this, 'NodeIds', {
+      description: 'Comma-separated list of Managed Blockchain node identifiers',
+      value: network.nodes.map(n => n.nodeId).join(','),
+    });
+
+    new cdk.CfnOutput(this, 'NodeEndpoints', {
+      description: 'Comma-separated list of Managed Blockchain node endpoints',
+      value: network.nodes.map(n => n.endpoint).join(','),
+    });
+
+    new cdk.CfnOutput(this, 'NodeEventEndpoints', {
+      description: 'Comma-separated list of Managed Blockchain node event endpoints',
+      value: network.nodes.map(n => n.eventEndpoint).join(','),
+    });
+
+  }
+}
+
+
+const app = new cdk.App();
+
+const stack = new HyperledgerTestStack(app, 'HyperledgerTestStack', {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+});
+
+cdk.Aspects.of(stack).add(new cdknag.AwsSolutionsChecks({ verbose: true }));
+
+cdknag.NagSuppressions.addStackSuppressions(stack, [
+  { id: 'AwsSolutions-SMG4', reason: 'Secrets created for Managed Blockchain users do not support auto-rotation' },
+  { id: 'AwsSolutions-IAM4', reason: 'The CDK custom resource framework uses a managed policy for its Lambda' },
+]);

package/lambdas/fabric/.eslintrc.js

@@ -0,0 +1,17 @@
+module.exports = {
+  "env": {
+    "browser": false,
+    "commonjs": false,
+    "es2021": true,
+  },
+  "extends": "airbnb",
+  "parserOptions": {
+    "ecmaVersion": 13,
+  },
+  "rules": {
+    "max-len": ["error", {
+      "code": 120,
+    }],
+    "no-console": "off",
+  },
+};

package/lambdas/fabric/enroll-admin.js

@@ -0,0 +1,33 @@
+const FabricCAClient = require('fabric-ca-client');
+const utilities = require('./utilities');
+
+// Extract environment variables
+const adminPasswordArn = process.env.ADMIN_PASSWORD_ARN;
+const caEndpoint = process.env.CA_ENDPOINT;
+const privateKeyArn = process.env.PRIVATE_KEY_ARN;
+const signedCertArn = process.env.SIGNED_CERT_ARN;
+const tlsCertBucket = process.env.TLS_CERT_BUCKET;
+const tlsCertKey = process.env.TLS_CERT_KEY;
+
+const caUrl = `https://${caEndpoint}`;
+const caName = utilities.getCaName(caEndpoint);
+
+// Enroll the admin only on creation
+exports.handler = async (event) => {
+  if (event.RequestType === 'Create') {
+    try {
+      // Get the TLS cert from S3
+      const caTlsCert = await utilities.getS3Object(tlsCertBucket, tlsCertKey);
+      // Get the admin credentials from Secrets Manager
+      const adminPwd = await utilities.getSecret(adminPasswordArn);
+      // Create a new client for interacting with the CA
+      const ca = new FabricCAClient(caUrl, { trustedRoots: caTlsCert, verify: false }, caName);
+      // Enroll the admin user, and import the new identity into Secrets Manager
+      const enrollment = await ca.enroll({ enrollmentID: 'admin', enrollmentSecret: adminPwd });
+      await utilities.putSecret(privateKeyArn, enrollment.key.toBytes());
+      await utilities.putSecret(signedCertArn, enrollment.certificate);
+    } catch (error) {
+      console.error(`Failed to enroll admin user: ${error}`);
+    }
+  }
+};

package/lambdas/fabric/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "fabric",
+  "version": "0.0.1",
+  "dependencies": {
+    "@aws-sdk/client-s3": "3.53.1",
+    "@aws-sdk/client-secrets-manager": "3.53.0",
+    "fabric-ca-client": "2.2.13",
+    "fabric-common": "2.2.13"
+  },
+  "devDependencies": {
+    "eslint": "^8.11.0",
+    "eslint-config-airbnb": "^19.0.4"
+  }
+}

package/lambdas/fabric/register-user.js

@@ -0,0 +1,62 @@
+const FabricCAClient = require('fabric-ca-client');
+const { User } = require('fabric-common');
+const utilities = require('./utilities');
+
+// Extract environment variables
+const caEndpoint = process.env.CA_ENDPOINT;
+const orgName = process.env.MEMBER_NAME;
+const privateKeyArn = process.env.PRIVATE_KEY_ARN;
+const signedCertArn = process.env.SIGNED_CERT_ARN;
+const tlsCertBucket = process.env.TLS_CERT_BUCKET;
+const tlsCertKey = process.env.TLS_CERT_KEY;
+
+const adminId = 'admin';
+const caUrl = `https://${caEndpoint}`;
+const caName = utilities.getCaName(caEndpoint);
+const mspId = `${orgName}Msp`;
+
+// Register and enroll users only on Create
+exports.handler = async (event) => {
+  const userData = event.ResourceProperties;
+  const { userId, affiliation } = userData;
+  if (event.RequestType === 'Create') {
+    try {
+      // Get the TLS cert from S3
+      const caTlsCert = await utilities.getS3Object(tlsCertBucket, tlsCertKey);
+      // Get the admin credentials from Secrets Manager
+      const adminPrivateKey = await utilities.getSecret(privateKeyArn);
+      const adminSignedCert = await utilities.getSecret(signedCertArn);
+      // Create a new client for interacting with the CA
+      const ca = new FabricCAClient(caUrl, { trustedRoots: caTlsCert, verify: false }, caName);
+      // Create a user object for the Admin; the password argument on createUser method
+      // is not used in creating the signed identity, so default it to an empty string
+      const adminUser = User.createUser(adminId, '', mspId, adminSignedCert, adminPrivateKey);
+      // Check if user is already registered; return if it already exists
+      const identityService = ca.newIdentityService();
+      const identityObject = await identityService.getAll(adminUser);
+      const userResult = identityObject.result;
+      if (userResult.identities && userResult.identities.find((e) => e.id === userId)) {
+        console.info(`${userId} already exist.`);
+        return;
+      }
+      // Admin user has the org(member) as the root affiliation by default; if another
+      // affiliation is requested, check for its existence and add if it does not exist
+      if (affiliation !== orgName) {
+        const affObject = ca.newAffiliationService();
+        const affRequest = await affObject.getAll(adminUser);
+        const affResult = affRequest.result;
+        if (!affResult.affiliations || !affResult.affiliations.find((e) => e.name === affiliation)) {
+          await affObject.create({ name: affiliation }, adminUser);
+        }
+      }
+      // Register and enroll the user as client, and import the new identity into Secrets Manager
+      const userSecret = await ca.register({ enrollmentID: userId, role: 'client', affiliation }, adminUser);
+      const userEnroll = await ca.enroll({ enrollmentID: userId, enrollmentSecret: userSecret });
+      await utilities.putSecret(userData.passwordArn, userSecret);
+      await utilities.putSecret(userData.privateKeyArn, userEnroll.key.toBytes());
+      await utilities.putSecret(userData.signedCertArn, userEnroll.certificate);
+    } catch (error) {
+      console.error(`Failed to enroll user ${userId}: ${error}`);
+    }
+  }
+};

package/lambdas/fabric/utilities.js

@@ -0,0 +1,54 @@
+const {
+  GetObjectCommand,
+  S3Client,
+} = require('@aws-sdk/client-s3');
+
+const {
+  GetSecretValueCommand,
+  PutSecretValueCommand,
+  SecretsManagerClient,
+} = require('@aws-sdk/client-secrets-manager');
+
+const s3Client = new S3Client();
+const smClient = new SecretsManagerClient();
+
+// Convert a ReadableStream to a string
+async function streamToString(stream) {
+  stream.setEncoding('utf8');
+  let data = '';
+  for await (const chunk of stream) { /* eslint-disable-line no-restricted-syntax */
+    data += chunk;
+  }
+  return data;
+}
+
+// Extract the name from a CA endpoint
+function getCaName(caEndpoint) {
+  const caName = caEndpoint.split('.')[1].split('-');
+  caName[1] = caName[1].toUpperCase();
+  return caName.join('-');
+}
+
+// Retrieve an object from S3
+async function getS3Object(bucketName, key) {
+  const objectData = await s3Client.send(new GetObjectCommand({ Bucket: bucketName, Key: key }));
+  return streamToString(objectData.Body);
+}
+
+// Retrieve a secret from Secrets Manager
+async function getSecret(secretArn) {
+  const secretData = await smClient.send(new GetSecretValueCommand({ SecretId: secretArn }));
+  return secretData.SecretString;
+}
+
+// Store a secret in Secrets Manager
+async function putSecret(secretArn, secret) {
+  return smClient.send(new PutSecretValueCommand({ SecretId: secretArn, SecretString: secret }));
+}
+
+module.exports = {
+  getCaName,
+  getS3Object,
+  getSecret,
+  putSecret,
+};

package/lib/client.d.ts

@@ -0,0 +1,31 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as constructs from 'constructs';
+import * as network from './network';
+/**
+ * Construct properties for `HyperledgerFabricVpc`
+ */
+export interface HyperledgerFabricClientProps {
+    /**
+     * Client VPC to create the endpoints. If not provided,
+     * VPC will be created with the default properties
+     * (CIDR-`10.0.0.0/16` and subnets of type `PRIVATE_ISOLATED`)
+     *
+     */
+    readonly vpc?: ec2.IVpc;
+}
+/**
+ * Creates a VPC and endpoint that allows Hyperledger Fabric client to
+ * interact with the Hyperledger Fabric endpoints that Amazon Managed Blockchain
+ * exposes for the member and network resources.
+ */
+export declare class HyperledgerFabricClient extends constructs.Construct {
+    /**
+     * The client VPC that has endpoint to access the Amazon Managed Blockchain
+     */
+    readonly vpc: ec2.IVpc;
+    /**
+     * Managed Blockchain network VPC endpoint
+     */
+    readonly vpcEndpoint: ec2.InterfaceVpcEndpoint;
+    constructor(scope: network.HyperledgerFabricNetwork, id: string, props?: HyperledgerFabricClientProps);
+}

package/lib/client.js

@@ -0,0 +1,40 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HyperledgerFabricClient = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+const cdk = require("aws-cdk-lib");
+const ec2 = require("aws-cdk-lib/aws-ec2");
+const constructs = require("constructs");
+/**
+ * Creates a VPC and endpoint that allows Hyperledger Fabric client to
+ * interact with the Hyperledger Fabric endpoints that Amazon Managed Blockchain
+ * exposes for the member and network resources.
+ */
+class HyperledgerFabricClient extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        // Collect metadata on the stack
+        const region = cdk.Stack.of(this).region;
+        // Populate instance variables from input properties, using defaults if values not provided
+        if (typeof props === 'undefined')
+            props = {};
+        this.vpc = props.vpc ?? new ec2.Vpc(this, 'ClientVpc', { subnetConfiguration: [{ name: 'Private', subnetType: ec2.SubnetType.PRIVATE_ISOLATED }] });
+        const vpcEndpointServiceName = scope.vpcEndpointServiceName.replace(`com.amazonaws.${region}.`, '');
+        // Add VPC FlowLogs with the default setting of trafficType:ALL and destination:CloudWatchLogs
+        this.vpc.addFlowLog('FlowLog');
+        // Add a VPC endpoint to access the Managed Blockchain
+        const vpcService = new ec2.InterfaceVpcEndpointService(vpcEndpointServiceName);
+        this.vpcEndpoint = this.vpc.addInterfaceEndpoint('NetworkEndpoint', { service: vpcService, open: false, privateDnsEnabled: true });
+        // Add VPC endpoint to access Secrets Manager
+        this.vpc.addInterfaceEndpoint('SecretsManagerEndpoint', { service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER });
+        // Add VPC endpoint to access S3
+        this.vpc.addGatewayEndpoint('S3Endpoint', { service: ec2.GatewayVpcEndpointAwsService.S3 });
+    }
+}
+exports.HyperledgerFabricClient = HyperledgerFabricClient;
+_a = JSII_RTTI_SYMBOL_1;
+HyperledgerFabricClient[_a] = { fqn: "@cdklabs/cdk-hyperledger-fabric-network.HyperledgerFabricClient", version: "0.0.20" };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpZW50LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2NsaWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLHFFQUFxRTtBQUNyRSxpQ0FBaUM7QUFFakMsbUNBQW1DO0FBQ25DLDJDQUEyQztBQUMzQyx5Q0FBeUM7QUFrQnpDOzs7O0dBSUc7QUFDSCxNQUFhLHVCQUF3QixTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBWS9ELFlBQVksS0FBdUMsRUFBRSxFQUFVLEVBQUUsS0FBb0M7UUFDbkcsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixnQ0FBZ0M7UUFDaEMsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBRXpDLDJGQUEyRjtRQUMzRixJQUFJLE9BQU8sS0FBSyxLQUFLLFdBQVc7WUFBRSxLQUFLLEdBQUcsRUFBRSxDQUFDO1FBQzdDLElBQUksQ0FBQyxHQUFHLEdBQUcsS0FBSyxDQUFDLEdBQUcsSUFBSSxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRSxFQUFFLG1CQUFtQixFQUFFLENBQUMsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLFVBQVUsRUFBRSxHQUFHLENBQUMsVUFBVSxDQUFDLGdCQUFnQixFQUFFLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDcEosTUFBTSxzQkFBc0IsR0FBRyxLQUFLLENBQUMsc0JBQXNCLENBQUMsT0FBTyxDQUFDLGlCQUFpQixNQUFNLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVwRyw4RkFBOEY7UUFDOUYsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLENBQUM7UUFFL0Isc0RBQXNEO1FBQ3RELE1BQU0sVUFBVSxHQUFHLElBQUksR0FBRyxDQUFDLDJCQUEyQixDQUFFLHNCQUFzQixDQUFFLENBQUM7UUFDakYsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDLGlCQUFpQixFQUFFLEVBQUUsT0FBTyxFQUFFLFVBQVUsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLGlCQUFpQixFQUFFLElBQUksRUFBRSxDQUFDLENBQUM7UUFFbkksNkNBQTZDO1FBQzdDLElBQUksQ0FBQyxHQUFHLENBQUMsb0JBQW9CLENBQUMsd0JBQXdCLEVBQUUsRUFBRSxPQUFPLEVBQUUsR0FBRyxDQUFDLDhCQUE4QixDQUFDLGVBQWUsRUFBRSxDQUFDLENBQUM7UUFFekgsZ0NBQWdDO1FBQ2hDLElBQUksQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsWUFBWSxFQUFFLEVBQUUsT0FBTyxFQUFFLEdBQUcsQ0FBQyw0QkFBNEIsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBRTlGLENBQUM7O0FBcENILDBEQXNDQyIsInNvdXJjZXNDb250ZW50IjpbIi8vIENvcHlyaWdodCBBbWF6b24uY29tLCBJbmMuIG9yIGl0cyBhZmZpbGlhdGVzLiBBbGwgUmlnaHRzIFJlc2VydmVkLlxuLy8gU1BEWC1MaWNlbnNlLUlkZW50aWZpZXI6IE1JVC0wXG5cbmltcG9ydCAqIGFzIGNkayBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgKiBhcyBlYzIgZnJvbSAnYXdzLWNkay1saWIvYXdzLWVjMic7XG5pbXBvcnQgKiBhcyBjb25zdHJ1Y3RzIGZyb20gJ2NvbnN0cnVjdHMnO1xuXG5pbXBvcnQgKiBhcyBuZXR3b3JrIGZyb20gJy4vbmV0d29yayc7XG5cbi8qKlxuICogQ29uc3RydWN0IHByb3BlcnRpZXMgZm9yIGBIeXBlcmxlZGdlckZhYnJpY1ZwY2BcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBIeXBlcmxlZGdlckZhYnJpY0NsaWVudFByb3BzIHtcbiAgLyoqXG4gICAqIENsaWVudCBWUEMgdG8gY3JlYXRlIHRoZSBlbmRwb2ludHMuIElmIG5vdCBwcm92aWRlZCxcbiAgICogVlBDIHdpbGwgYmUgY3JlYXRlZCB3aXRoIHRoZSBkZWZhdWx0IHByb3BlcnRpZXNcbiAgICogKENJRFItYDEwLjAuMC4wLzE2YCBhbmQgc3VibmV0cyBvZiB0eXBlIGBQUklWQVRFX0lTT0xBVEVEYClcbiAgICpcbiAgICovXG4gIHJlYWRvbmx5IHZwYz86IGVjMi5JVnBjO1xuXG59XG5cbi8qKlxuICogQ3JlYXRlcyBhIFZQQyBhbmQgZW5kcG9pbnQgdGhhdCBhbGxvd3MgSHlwZXJsZWRnZXIgRmFicmljIGNsaWVudCB0b1xuICogaW50ZXJhY3Qgd2l0aCB0aGUgSHlwZXJsZWRnZXIgRmFicmljIGVuZHBvaW50cyB0aGF0IEFtYXpvbiBNYW5hZ2VkIEJsb2NrY2hhaW5cbiAqIGV4cG9zZXMgZm9yIHRoZSBtZW1iZXIgYW5kIG5ldHdvcmsgcmVzb3VyY2VzLlxuICovXG5leHBvcnQgY2xhc3MgSHlwZXJsZWRnZXJGYWJyaWNDbGllbnQgZXh0ZW5kcyBjb25zdHJ1Y3RzLkNvbnN0cnVjdCB7XG5cbiAgLyoqXG4gICAqIFRoZSBjbGllbnQgVlBDIHRoYXQgaGFzIGVuZHBvaW50IHRvIGFjY2VzcyB0aGUgQW1hem9uIE1hbmFnZWQgQmxvY2tjaGFpblxuICAgKi9cbiAgcHVibGljIHJlYWRvbmx5IHZwYzogZWMyLklWcGM7XG5cbiAgLyoqXG4gICAqIE1hbmFnZWQgQmxvY2tjaGFpbiBuZXR3b3JrIFZQQyBlbmRwb2ludFxuICAgKi9cbiAgcHVibGljIHJlYWRvbmx5IHZwY0VuZHBvaW50OiBlYzIuSW50ZXJmYWNlVnBjRW5kcG9pbnQ7XG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IG5ldHdvcmsuSHlwZXJsZWRnZXJGYWJyaWNOZXR3b3JrLCBpZDogc3RyaW5nLCBwcm9wcz86IEh5cGVybGVkZ2VyRmFicmljQ2xpZW50UHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpO1xuXG4gICAgLy8gQ29sbGVjdCBtZXRhZGF0YSBvbiB0aGUgc3RhY2tcbiAgICBjb25zdCByZWdpb24gPSBjZGsuU3RhY2sub2YodGhpcykucmVnaW9uO1xuXG4gICAgLy8gUG9wdWxhdGUgaW5zdGFuY2UgdmFyaWFibGVzIGZyb20gaW5wdXQgcHJvcGVydGllcywgdXNpbmcgZGVmYXVsdHMgaWYgdmFsdWVzIG5vdCBwcm92aWRlZFxuICAgIGlmICh0eXBlb2YgcHJvcHMgPT09ICd1bmRlZmluZWQnKSBwcm9wcyA9IHt9O1xuICAgIHRoaXMudnBjID0gcHJvcHMudnBjID8/IG5ldyBlYzIuVnBjKHRoaXMsICdDbGllbnRWcGMnLCB7IHN1Ym5ldENvbmZpZ3VyYXRpb246IFt7IG5hbWU6ICdQcml2YXRlJywgc3VibmV0VHlwZTogZWMyLlN1Ym5ldFR5cGUuUFJJVkFURV9JU09MQVRFRCB9XSB9KTtcbiAgICBjb25zdCB2cGNFbmRwb2ludFNlcnZpY2VOYW1lID0gc2NvcGUudnBjRW5kcG9pbnRTZXJ2aWNlTmFtZS5yZXBsYWNlKGBjb20uYW1hem9uYXdzLiR7cmVnaW9ufS5gLCAnJyk7XG5cbiAgICAvLyBBZGQgVlBDIEZsb3dMb2dzIHdpdGggdGhlIGRlZmF1bHQgc2V0dGluZyBvZiB0cmFmZmljVHlwZTpBTEwgYW5kIGRlc3RpbmF0aW9uOkNsb3VkV2F0Y2hMb2dzXG4gICAgdGhpcy52cGMuYWRkRmxvd0xvZygnRmxvd0xvZycpO1xuXG4gICAgLy8gQWRkIGEgVlBDIGVuZHBvaW50IHRvIGFjY2VzcyB0aGUgTWFuYWdlZCBCbG9ja2NoYWluXG4gICAgY29uc3QgdnBjU2VydmljZSA9IG5ldyBlYzIuSW50ZXJmYWNlVnBjRW5kcG9pbnRTZXJ2aWNlKCB2cGNFbmRwb2ludFNlcnZpY2VOYW1lICk7XG4gICAgdGhpcy52cGNFbmRwb2ludCA9IHRoaXMudnBjLmFkZEludGVyZmFjZUVuZHBvaW50KCdOZXR3b3JrRW5kcG9pbnQnLCB7IHNlcnZpY2U6IHZwY1NlcnZpY2UsIG9wZW46IGZhbHNlLCBwcml2YXRlRG5zRW5hYmxlZDogdHJ1ZSB9KTtcblxuICAgIC8vIEFkZCBWUEMgZW5kcG9pbnQgdG8gYWNjZXNzIFNlY3JldHMgTWFuYWdlclxuICAgIHRoaXMudnBjLmFkZEludGVyZmFjZUVuZHBvaW50KCdTZWNyZXRzTWFuYWdlckVuZHBvaW50JywgeyBzZXJ2aWNlOiBlYzIuSW50ZXJmYWNlVnBjRW5kcG9pbnRBd3NTZXJ2aWNlLlNFQ1JFVFNfTUFOQUdFUiB9KTtcblxuICAgIC8vIEFkZCBWUEMgZW5kcG9pbnQgdG8gYWNjZXNzIFMzXG4gICAgdGhpcy52cGMuYWRkR2F0ZXdheUVuZHBvaW50KCdTM0VuZHBvaW50JywgeyBzZXJ2aWNlOiBlYzIuR2F0ZXdheVZwY0VuZHBvaW50QXdzU2VydmljZS5TMyB9KTtcblxuICB9XG5cbn1cbiJdfQ==

package/lib/identity.d.ts

@@ -0,0 +1,25 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as customresources from 'aws-cdk-lib/custom-resources';
+import * as constructs from 'constructs';
+import * as network from './network';
+/**
+ * Creates custom resources to enroll admin and register user
+ * identities with the CA using the fabric-ca-client SDK.
+ * Admin identity is enrolled by default. User identities are
+ * registered and enrolled, if provided.
+ */
+export declare class HyperledgerFabricIdentity extends constructs.Construct {
+    /**
+     * Role for custom resource lambda to assume
+     */
+    static customRole: iam.Role;
+    /**
+     * Custom provider to register user identity
+     */
+    static userProvider: customresources.Provider;
+    /**
+     * Custom provider to enroll admin identity
+     */
+    readonly adminProvider: customresources.Provider;
+    constructor(scope: network.HyperledgerFabricNetwork, id: string);
+}