@composurecdk/cloudfront 0.1.3 → 0.3.2

package/README.md

@@ -0,0 +1,182 @@
+# @composurecdk/cloudfront
+
+CloudFront builders for [ComposureCDK](../../README.md).
+
+This package provides a fluent builder for CloudFront distributions with secure, AWS-recommended defaults. It wraps the CDK [Distribution](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html) construct — refer to the CDK documentation for the full set of configurable properties.
+
+## Distribution Builder
+
+```ts
+import { createDistributionBuilder } from "@composurecdk/cloudfront";
+import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
+
+const cdn = createDistributionBuilder()
+  .origin(S3BucketOrigin.withOriginAccessControl(bucket))
+  .comment("My website CDN")
+  .build(stack, "CDN");
+```
+
+Every [DistributionProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html) property (except `defaultBehavior.origin`) is available as a fluent setter on the builder. The origin is set via the dedicated `.origin()` method, which supports `Ref` for cross-component wiring.
+
+### Cross-component wiring
+
+The `origin` method accepts a `Ref` for use in composed systems:
+
+```ts
+import { compose, ref } from "@composurecdk/core";
+import type { BucketBuilderResult } from "@composurecdk/s3";
+
+const cdn = createDistributionBuilder().origin(
+  ref<BucketBuilderResult>("site", (r) => S3BucketOrigin.withOriginAccessControl(r.bucket)),
+);
+
+compose({ site: createBucketBuilder(), cdn }, { site: [], cdn: ["site"] }).build(stack, "Website");
+```
+
+## Secure Defaults
+
+`createDistributionBuilder` applies the following defaults. Each can be overridden via the builder's fluent API.
+
+| Property                                | Default             | Rationale                                                                |
+| --------------------------------------- | ------------------- | ------------------------------------------------------------------------ |
+| `accessLogging`                         | `true`              | Auto-creates an S3 logging bucket for access log audit trail.            |
+| `priceClass`                            | `PRICE_CLASS_100`   | North America and Europe edge locations — sufficient and cost-effective. |
+| `httpVersion`                           | `HTTP2_AND_3`       | Enables HTTP/2 and HTTP/3 (QUIC) for improved performance.               |
+| `defaultRootObject`                     | `"index.html"`      | Standard for static website hosting.                                     |
+| `minimumProtocolVersion`                | `TLS_V1_2_2021`     | Requires TLS 1.2+ to prevent older, less secure protocol negotiation.    |
+| `defaultBehavior.viewerProtocolPolicy`  | `REDIRECT_TO_HTTPS` | Ensures all viewer traffic is encrypted in transit.                      |
+| `defaultBehavior.responseHeadersPolicy` | `SECURITY_HEADERS`  | Applies managed security headers (HSTS, X-Content-Type-Options, etc.).   |
+
+These defaults are guided by the [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-in-transit.html).
+
+The defaults are exported as `DISTRIBUTION_DEFAULTS` for visibility and testing:
+
+```ts
+import { DISTRIBUTION_DEFAULTS } from "@composurecdk/cloudfront";
+```
+
+### Overriding defaults
+
+```ts
+import { PriceClass, ViewerProtocolPolicy } from "aws-cdk-lib/aws-cloudfront";
+
+const cdn = createDistributionBuilder()
+  .origin(myOrigin)
+  .priceClass(PriceClass.PRICE_CLASS_ALL)
+  .accessLogging(false)
+  .defaultBehavior({ viewerProtocolPolicy: ViewerProtocolPolicy.ALLOW_ALL })
+  .build(stack, "CDN");
+```
+
+### Access logging
+
+By default, the builder creates an S3 logging bucket (using `@composurecdk/s3` with its secure defaults) and configures it as the distribution's log destination. The created bucket is returned in the build result:
+
+```ts
+const result = createDistributionBuilder().origin(myOrigin).build(stack, "CDN");
+
+result.distribution; // Distribution
+result.accessLogsBucket; // Bucket | undefined
+```
+
+To provide your own bucket instead, set `logBucket` — the auto-created logging bucket is skipped. To disable access logging entirely, set `.accessLogging(false)`.
+
+## Recommended Alarms
+
+The builder creates [AWS-recommended CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront) by default. No alarm actions are configured — access alarms from the build result to add SNS topics or other actions.
+
+| Alarm           | Metric                        | Default threshold | Created when |
+| --------------- | ----------------------------- | ----------------- | ------------ |
+| `errorRate`     | 5xxErrorRate (Average, 1 min) | > 5 (5%)          | Always       |
+| `originLatency` | OriginLatency (p90, 1 min)    | > 5000ms          | Always       |
+
+The `originLatency` alarm requires [additional CloudFront metrics](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewing-cloudfront-metrics.html#monitoring-console.distributions-additional) to be enabled on the distribution. With the default `treatMissingData: NOT_BREACHING`, the alarm will not fire when additional metrics are not enabled.
+
+Function-level alarms (FunctionValidationErrors, FunctionExecutionErrors, FunctionThrottles) require per-function dimensions. Use `addAlarm` to add them — see [Custom alarms](#custom-alarms) below.
+
+The defaults are exported as `DISTRIBUTION_ALARM_DEFAULTS` for visibility and testing:
+
+```ts
+import { DISTRIBUTION_ALARM_DEFAULTS } from "@composurecdk/cloudfront";
+```
+
+### Customizing thresholds
+
+Override individual alarm properties via `recommendedAlarms`. Unspecified fields keep their defaults.
+
+```ts
+const cdn = createDistributionBuilder()
+  .origin(myOrigin)
+  .recommendedAlarms({
+    errorRate: { threshold: 2, evaluationPeriods: 3 },
+    originLatency: { threshold: 3000 },
+  });
+```
+
+### Disabling alarms
+
+Disable all recommended alarms:
+
+```ts
+builder.recommendedAlarms(false);
+// or
+builder.recommendedAlarms({ enabled: false });
+```
+
+Disable individual alarms:
+
+```ts
+builder.recommendedAlarms({ errorRate: false });
+```
+
+### Custom alarms
+
+Add custom alarms alongside the recommended ones via `addAlarm`. The callback receives an `AlarmDefinitionBuilder` typed to the CloudFront `Distribution`.
+
+For function-level alarms, provide the function name dimension:
+
+```ts
+import { Metric } from "aws-cdk-lib/aws-cloudwatch";
+
+const cdn = createDistributionBuilder()
+  .origin(myOrigin)
+  .addAlarm("functionErrors", (alarm) =>
+    alarm
+      .metric(
+        (dist) =>
+          new Metric({
+            namespace: "AWS/CloudFront",
+            metricName: "FunctionExecutionErrors",
+            dimensionsMap: {
+              DistributionId: dist.distributionId,
+              FunctionName: "MyViewerRequestFn",
+              Region: "Global",
+            },
+            statistic: "Sum",
+            period: Duration.minutes(1),
+          }),
+      )
+      .threshold(0)
+      .greaterThan()
+      .evaluationPeriods(5)
+      .datapointsToAlarm(5)
+      .description("CloudFront function execution errors detected"),
+  );
+```
+
+### Applying alarm actions
+
+Alarms are returned in the build result as `Record<string, Alarm>`:
+
+```ts
+const result = cdn.build(stack, "CDN");
+
+const alertTopic = new Topic(stack, "AlertTopic");
+for (const alarm of Object.values(result.alarms)) {
+  alarm.addAlarmAction(new SnsAction(alertTopic));
+}
+```
+
+## Examples
+
+- [StaticWebsiteStack](../examples/src/static-website/app.ts) — S3 + CloudFront static website with OAC, error pages, and content deployment

package/dist/alarm-config.d.ts

@@ -0,0 +1,45 @@
+import type { AlarmConfig } from "@composurecdk/cloudwatch";
+/**
+ * Controls which recommended alarms are created for a CloudFront distribution.
+ * All applicable alarms are enabled by default with AWS-recommended thresholds.
+ * Set individual alarms to `false` to disable them, or provide an
+ * {@link AlarmConfig} to tune thresholds.
+ *
+ * Function-level alarms (FunctionValidationErrors, FunctionExecutionErrors,
+ * FunctionThrottles) require per-function dimensions and are not created
+ * automatically. Use {@link IDistributionBuilder.addAlarm} to add them.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+ */
+export interface DistributionAlarmConfig {
+    /**
+     * Master switch: set to `false` to disable all recommended alarms.
+     * Individual alarms can also be disabled via their own entry.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Alarm when the distribution's 5xx error rate is elevated.
+     *
+     * Metric: `AWS/CloudFront 5xxErrorRate`, statistic Average, period 1 minute.
+     * Default threshold: > 5 (5% error rate).
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+     */
+    errorRate?: AlarmConfig | false;
+    /**
+     * Alarm when origin response latency is elevated.
+     *
+     * Metric: `AWS/CloudFront OriginLatency`, statistic p90, period 1 minute.
+     * Default threshold: > 5000ms (5 seconds).
+     *
+     * Requires [additional CloudFront metrics](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewing-cloudfront-metrics.html#monitoring-console.distributions-additional)
+     * to be enabled on the distribution for this alarm to receive data.
+     * With the default `treatMissingData: NOT_BREACHING`, the alarm will
+     * not fire when additional metrics are not enabled.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+     */
+    originLatency?: AlarmConfig | false;
+}
+//# sourceMappingURL=alarm-config.d.ts.map

package/dist/alarm-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"alarm-config.d.ts","sourceRoot":"","sources":["../src/alarm-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;;;OAOG;IACH,SAAS,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC;IAEhC;;;;;;;;;;;;OAYG;IACH,aAAa,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC;CACrC"}

package/dist/alarm-config.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=alarm-config.js.map

package/dist/alarm-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"alarm-config.js","sourceRoot":"","sources":["../src/alarm-config.ts"],"names":[],"mappings":""}

package/dist/alarm-defaults.d.ts

@@ -0,0 +1,14 @@
+import type { AlarmConfig } from "@composurecdk/cloudwatch";
+interface DistributionAlarmDefaults {
+    enabled: true;
+    errorRate: Required<AlarmConfig>;
+    originLatency: Required<AlarmConfig>;
+}
+/**
+ * AWS-recommended default alarm configuration for CloudFront distributions.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+ */
+export declare const DISTRIBUTION_ALARM_DEFAULTS: DistributionAlarmDefaults;
+export {};
+//# sourceMappingURL=alarm-defaults.d.ts.map

package/dist/alarm-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"alarm-defaults.d.ts","sourceRoot":"","sources":["../src/alarm-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D,UAAU,yBAAyB;IACjC,OAAO,EAAE,IAAI,CAAC;IACd,SAAS,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjC,aAAa,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;CACtC;AAED;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,EAAE,yBAyBzC,CAAC"}

package/dist/alarm-defaults.js

@@ -0,0 +1,31 @@
+import { TreatMissingData } from "aws-cdk-lib/aws-cloudwatch";
+/**
+ * AWS-recommended default alarm configuration for CloudFront distributions.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+ */
+export const DISTRIBUTION_ALARM_DEFAULTS = {
+    enabled: true,
+    /**
+     * Elevated 5xx error rate indicates origin or CloudFront issues.
+     * Threshold set above 0 to avoid excessive sensitivity from transient errors.
+     */
+    errorRate: {
+        threshold: 5,
+        evaluationPeriods: 5,
+        datapointsToAlarm: 5,
+        treatMissingData: TreatMissingData.NOT_BREACHING,
+    },
+    /**
+     * Origin taking too long to respond can lead to 504 errors.
+     * Default 5000ms threshold provides a reasonable starting point;
+     * ideally set to ~80% of your origin response timeout.
+     */
+    originLatency: {
+        threshold: 5000,
+        evaluationPeriods: 5,
+        datapointsToAlarm: 5,
+        treatMissingData: TreatMissingData.NOT_BREACHING,
+    },
+};
+//# sourceMappingURL=alarm-defaults.js.map

package/dist/alarm-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"alarm-defaults.js","sourceRoot":"","sources":["../src/alarm-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAS9D;;;;GAIG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAA8B;IACpE,OAAO,EAAE,IAAI;IAEb;;;OAGG;IACH,SAAS,EAAE;QACT,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,EAAE,CAAC;QACpB,gBAAgB,EAAE,gBAAgB,CAAC,aAAa;KACjD;IAED;;;;OAIG;IACH,aAAa,EAAE;QACb,SAAS,EAAE,IAAI;QACf,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,EAAE,CAAC;QACpB,gBAAgB,EAAE,gBAAgB,CAAC,aAAa;KACjD;CACF,CAAC"}

package/dist/distribution-alarms.d.ts

@@ -0,0 +1,26 @@
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import type { Distribution } from "aws-cdk-lib/aws-cloudfront";
+import type { IConstruct } from "constructs";
+import type { AlarmDefinition } from "@composurecdk/cloudwatch";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { DistributionAlarmConfig } from "./alarm-config.js";
+/**
+ * Resolves the recommended alarm configuration into fully-resolved
+ * {@link AlarmDefinition}s for a CloudFront distribution.
+ */
+export declare function resolveDistributionAlarmDefinitions(distribution: Distribution, config: DistributionAlarmConfig | undefined): AlarmDefinition[];
+/**
+ * Creates AWS-recommended CloudWatch alarms for a CloudFront distribution,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @param scope - CDK construct scope for creating alarm constructs.
+ * @param id - Base identifier for alarm construct ids.
+ * @param distribution - The CloudFront distribution to create alarms for.
+ * @param config - User-provided alarm configuration, or `false` to disable all.
+ * @param customAlarms - Custom alarm builders added via `addAlarm()`.
+ * @returns A record mapping alarm keys to their created Alarm constructs.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+ */
+export declare function createDistributionAlarms(scope: IConstruct, id: string, distribution: Distribution, config: DistributionAlarmConfig | false | undefined, customAlarms?: AlarmDefinitionBuilder<Distribution>[]): Record<string, Alarm>;
+//# sourceMappingURL=distribution-alarms.d.ts.map

package/dist/distribution-alarms.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"distribution-alarms.d.ts","sourceRoot":"","sources":["../src/distribution-alarms.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,KAAK,EAAqC,MAAM,4BAA4B,CAAC;AAC3F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAoC,MAAM,0BAA0B,CAAC;AACpG,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AA2BjE;;;GAGG;AACH,wBAAgB,mCAAmC,CACjD,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,uBAAuB,GAAG,SAAS,GAC1C,eAAe,EAAE,CAqCnB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,uBAAuB,GAAG,KAAK,GAAG,SAAS,EACnD,YAAY,GAAE,sBAAsB,CAAC,YAAY,CAAC,EAAO,GACxD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAUvB"}

package/dist/distribution-alarms.js

@@ -0,0 +1,82 @@
+import { Duration } from "aws-cdk-lib";
+import { ComparisonOperator, Metric, Stats } from "aws-cdk-lib/aws-cloudwatch";
+import { createAlarms, resolveAlarmConfig } from "@composurecdk/cloudwatch";
+import { DISTRIBUTION_ALARM_DEFAULTS } from "./alarm-defaults.js";
+const METRIC_PERIOD = Duration.minutes(1);
+const METRIC_PERIOD_LABEL = `${String(METRIC_PERIOD.toMinutes())} minute`;
+/**
+ * Creates a CloudFront distribution metric with the correct namespace and
+ * dimensions (DistributionId + Region=Global).
+ */
+function distributionMetric(distribution, metricName, statistic) {
+    return new Metric({
+        namespace: "AWS/CloudFront",
+        metricName,
+        dimensionsMap: {
+            DistributionId: distribution.distributionId,
+            Region: "Global",
+        },
+        statistic,
+        period: METRIC_PERIOD,
+    });
+}
+/**
+ * Resolves the recommended alarm configuration into fully-resolved
+ * {@link AlarmDefinition}s for a CloudFront distribution.
+ */
+export function resolveDistributionAlarmDefinitions(distribution, config) {
+    if (config?.enabled === false)
+        return [];
+    const definitions = [];
+    if (config?.errorRate !== false) {
+        const cfg = resolveAlarmConfig(config?.errorRate, DISTRIBUTION_ALARM_DEFAULTS.errorRate);
+        definitions.push({
+            key: "errorRate",
+            metric: distributionMetric(distribution, "5xxErrorRate", Stats.AVERAGE),
+            threshold: cfg.threshold,
+            comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+            evaluationPeriods: cfg.evaluationPeriods,
+            datapointsToAlarm: cfg.datapointsToAlarm,
+            treatMissingData: cfg.treatMissingData,
+            description: `CloudFront distribution 5xx error rate is elevated. Threshold: > ${String(cfg.threshold)}% in ${METRIC_PERIOD_LABEL}.`,
+        });
+    }
+    if (config?.originLatency !== false) {
+        const cfg = resolveAlarmConfig(config?.originLatency, DISTRIBUTION_ALARM_DEFAULTS.originLatency);
+        definitions.push({
+            key: "originLatency",
+            metric: distributionMetric(distribution, "OriginLatency", Stats.percentile(90)),
+            threshold: cfg.threshold,
+            comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+            evaluationPeriods: cfg.evaluationPeriods,
+            datapointsToAlarm: cfg.datapointsToAlarm,
+            treatMissingData: cfg.treatMissingData,
+            description: `CloudFront origin latency is elevated. Threshold: > ${String(cfg.threshold)}ms p90 in ${METRIC_PERIOD_LABEL}.`,
+        });
+    }
+    return definitions;
+}
+/**
+ * Creates AWS-recommended CloudWatch alarms for a CloudFront distribution,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @param scope - CDK construct scope for creating alarm constructs.
+ * @param id - Base identifier for alarm construct ids.
+ * @param distribution - The CloudFront distribution to create alarms for.
+ * @param config - User-provided alarm configuration, or `false` to disable all.
+ * @param customAlarms - Custom alarm builders added via `addAlarm()`.
+ * @returns A record mapping alarm keys to their created Alarm constructs.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+ */
+export function createDistributionAlarms(scope, id, distribution, config, customAlarms = []) {
+    if (config === false)
+        return {};
+    const enabled = config?.enabled ?? DISTRIBUTION_ALARM_DEFAULTS.enabled;
+    if (!enabled)
+        return {};
+    const recommended = resolveDistributionAlarmDefinitions(distribution, config);
+    const custom = customAlarms.map((b) => b.resolve(distribution));
+    return createAlarms(scope, id, [...recommended, ...custom]);
+}
+//# sourceMappingURL=distribution-alarms.js.map

package/dist/distribution-alarms.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"distribution-alarms.js","sourceRoot":"","sources":["../src/distribution-alarms.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAc,kBAAkB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAC;AAI3F,OAAO,EAA0B,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAEpG,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC;AAElE,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAC1C,MAAM,mBAAmB,GAAG,GAAG,MAAM,CAAC,aAAa,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC;AAE1E;;;GAGG;AACH,SAAS,kBAAkB,CACzB,YAA0B,EAC1B,UAAkB,EAClB,SAAiB;IAEjB,OAAO,IAAI,MAAM,CAAC;QAChB,SAAS,EAAE,gBAAgB;QAC3B,UAAU;QACV,aAAa,EAAE;YACb,cAAc,EAAE,YAAY,CAAC,cAAc;YAC3C,MAAM,EAAE,QAAQ;SACjB;QACD,SAAS;QACT,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mCAAmC,CACjD,YAA0B,EAC1B,MAA2C;IAE3C,IAAI,MAAM,EAAE,OAAO,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAsB,EAAE,CAAC;IAE1C,IAAI,MAAM,EAAE,SAAS,KAAK,KAAK,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,2BAA2B,CAAC,SAAS,CAAC,CAAC;QACzF,WAAW,CAAC,IAAI,CAAC;YACf,GAAG,EAAE,WAAW;YAChB,MAAM,EAAE,kBAAkB,CAAC,YAAY,EAAE,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC;YACvE,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,kBAAkB,EAAE,kBAAkB,CAAC,sBAAsB;YAC7D,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;YACtC,WAAW,EAAE,oEAAoE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,mBAAmB,GAAG;SACrI,CAAC,CAAC;IACL,CAAC;IAED,IAAI,MAAM,EAAE,aAAa,KAAK,KAAK,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,kBAAkB,CAC5B,MAAM,EAAE,aAAa,EACrB,2BAA2B,CAAC,aAAa,CAC1C,CAAC;QACF,WAAW,CAAC,IAAI,CAAC;YACf,GAAG,EAAE,eAAe;YACpB,MAAM,EAAE,kBAAkB,CAAC,YAAY,EAAE,eAAe,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAC/E,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,kBAAkB,EAAE,kBAAkB,CAAC,sBAAsB;YAC7D,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;YACtC,WAAW,EAAE,uDAAuD,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,mBAAmB,GAAG;SAC7H,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAiB,EACjB,EAAU,EACV,YAA0B,EAC1B,MAAmD,EACnD,eAAuD,EAAE;IAEzD,IAAI,MAAM,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,2BAA2B,CAAC,OAAO,CAAC;IACvE,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,WAAW,GAAG,mCAAmC,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;IAEhE,OAAO,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;AAC9D,CAAC"}

package/dist/distribution-builder.d.ts

@@ -1,7 +1,11 @@
 import { Distribution, type DistributionProps, type IOrigin, type AddBehaviorOptions } from "aws-cdk-lib/aws-cloudfront";
+import { type ICertificate } from "aws-cdk-lib/aws-certificatemanager";
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
 import { type Bucket } from "aws-cdk-lib/aws-s3";
 import { type IConstruct } from "constructs";
 import { type IBuilder, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { DistributionAlarmConfig } from "./alarm-config.js";
 /**
  * Configuration properties for the CloudFront distribution builder.
  *
@@ -14,7 +18,7 @@ import { type IBuilder, type Lifecycle, type Resolvable } from "@composurecdk/co
  * The `enableLogging` CDK prop is replaced by {@link accessLogging}, which
  * auto-creates a logging bucket with secure defaults when enabled.
  */
-export interface DistributionBuilderProps extends Omit<DistributionProps, "defaultBehavior" | "enableLogging"> {
+export interface DistributionBuilderProps extends Omit<DistributionProps, "defaultBehavior" | "enableLogging" | "certificate"> {
     /**
      * Whether to automatically create an S3 bucket for CloudFront standard
      * access logging.
@@ -31,6 +35,14 @@ export interface DistributionBuilderProps extends Omit<DistributionProps, "defau
      * bucket takes precedence.
      */
     accessLogging?: boolean;
+    /**
+     * The ACM certificate to associate with the distribution for HTTPS.
+     *
+     * Accepts a concrete {@link ICertificate} or a {@link Resolvable} —
+     * typically a {@link Ref} produced by a composed `@composurecdk/acm`
+     * certificate builder. The certificate must be issued in `us-east-1`.
+     */
+    certificate?: Resolvable<ICertificate>;
     /**
      * Options for the default cache behavior, excluding `origin`.
      *
@@ -40,6 +52,24 @@ export interface DistributionBuilderProps extends Omit<DistributionProps, "defau
      * configured here.
      */
     defaultBehavior?: AddBehaviorOptions;
+    /**
+     * Configuration for AWS-recommended CloudWatch alarms.
+     *
+     * By default, the builder creates recommended alarms for 5xx error rate
+     * and origin latency. Individual alarms can be customized or disabled.
+     * Set to `false` to disable all alarms.
+     *
+     * No alarm actions are configured by default since notification
+     * methods are user-specific. Access alarms from the build result
+     * or use an `afterBuild` hook to apply actions.
+     *
+     * Function-level alarms (FunctionValidationErrors, FunctionExecutionErrors,
+     * FunctionThrottles) require per-function dimensions. Use
+     * {@link IDistributionBuilder.addAlarm} to add them.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+     */
+    recommendedAlarms?: DistributionAlarmConfig | false;
 }
 /**
  * The build output of a {@link IDistributionBuilder}. Contains the CDK constructs
@@ -53,6 +83,19 @@ export interface DistributionBuilderResult {
      * logging was disabled or the user provided their own bucket.
      */
     accessLogsBucket?: Bucket;
+    /**
+     * CloudWatch alarms created for the distribution, keyed by alarm name.
+     *
+     * Includes both AWS-recommended alarms and any custom alarms added
+     * via {@link IDistributionBuilder.addAlarm}. Access individual alarms
+     * by key (e.g., `result.alarms.errorRate`).
+     *
+     * No alarm actions are configured — apply them via the result or an
+     * `afterBuild` hook.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#CloudFront
+     */
+    alarms: Record<string, Alarm>;
 }
 /**
  * A fluent builder for configuring and creating a CloudFront distribution.
@@ -83,6 +126,8 @@ export type IDistributionBuilder = IBuilder<DistributionBuilderProps, Distributi
 declare class DistributionBuilder implements Lifecycle<DistributionBuilderResult> {
     props: Partial<DistributionBuilderProps>;
     private _origin?;
+    private readonly customAlarms;
+    addAlarm(key: string, configure: (alarm: AlarmDefinitionBuilder<Distribution>) => AlarmDefinitionBuilder<Distribution>): this;
     /**
      * Sets the default origin for the distribution.
      *

package/dist/distribution-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"distribution-builder.d.ts","sourceRoot":"","sources":["../src/distribution-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,KAAK,iBAAiB,EACtB,KAAK,OAAO,EACZ,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,KAAK,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAEjD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,SAAS,EAEd,KAAK,UAAU,EAChB,MAAM,oBAAoB,CAAC;AAI5B;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,wBAAyB,SAAQ,IAAI,CACpD,iBAAiB,EACjB,iBAAiB,GAAG,eAAe,CACpC;IACC;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,kBAAkB,CAAC;CACtC;AAED;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,oEAAoE;IACpE,YAAY,EAAE,YAAY,CAAC;IAE3B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,MAAM,oBAAoB,GAAG,QAAQ,CAAC,wBAAwB,EAAE,mBAAmB,CAAC,CAAC;AAE3F,cAAM,mBAAoB,YAAW,SAAS,CAAC,yBAAyB,CAAC;IACvE,KAAK,EAAE,OAAO,CAAC,wBAAwB,CAAC,CAAM;IAC9C,OAAO,CAAC,OAAO,CAAC,CAAsB;IAEtC;;;;;;;;OAQG;IACH,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,OAAO,CAAC,GAAG,IAAI;IAKzC,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,yBAAyB;CAgD7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,yBAAyB,IAAI,oBAAoB,CAEhE"}
+{"version":3,"file":"distribution-builder.d.ts","sourceRoot":"","sources":["../src/distribution-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,KAAK,iBAAiB,EACtB,KAAK,OAAO,EACZ,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,KAAK,MAAM,EAAmB,MAAM,oBAAoB,CAAC;AAElE,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,SAAS,EAEd,KAAK,UAAU,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAElE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAIjE;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,wBAAyB,SAAQ,IAAI,CACpD,iBAAiB,EACjB,iBAAiB,GAAG,eAAe,GAAG,aAAa,CACpD;IACC;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IAEvC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,kBAAkB,CAAC;IAErC;;;;;;;;;;;;;;;;OAgBG;IACH,iBAAiB,CAAC,EAAE,uBAAuB,GAAG,KAAK,CAAC;CACrD;AAED;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,oEAAoE;IACpE,YAAY,EAAE,YAAY,CAAC;IAE3B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;;;;;;;OAWG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,MAAM,oBAAoB,GAAG,QAAQ,CAAC,wBAAwB,EAAE,mBAAmB,CAAC,CAAC;AAE3F,cAAM,mBAAoB,YAAW,SAAS,CAAC,yBAAyB,CAAC;IACvE,KAAK,EAAE,OAAO,CAAC,wBAAwB,CAAC,CAAM;IAC9C,OAAO,CAAC,OAAO,CAAC,CAAsB;IACtC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA8C;IAE3E,QAAQ,CACN,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,CACT,KAAK,EAAE,sBAAsB,CAAC,YAAY,CAAC,KACxC,sBAAsB,CAAC,YAAY,CAAC,GACxC,IAAI;IAKP;;;;;;;;OAQG;IACH,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,OAAO,CAAC,GAAG,IAAI;IAKzC,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,yBAAyB;CA4E7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,yBAAyB,IAAI,oBAAoB,CAEhE"}

package/dist/distribution-builder.js

@@ -1,11 +1,19 @@
 import { Distribution, } from "aws-cdk-lib/aws-cloudfront";
+import { ObjectOwnership } from "aws-cdk-lib/aws-s3";
 import { RemovalPolicy } from "aws-cdk-lib";
 import { Builder, resolve, } from "@composurecdk/core";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
 import { createBucketBuilder } from "@composurecdk/s3";
+import { createDistributionAlarms } from "./distribution-alarms.js";
 import { DISTRIBUTION_DEFAULTS } from "./defaults.js";
 class DistributionBuilder {
     props = {};
     _origin;
+    customAlarms = [];
+    addAlarm(key, configure) {
+        this.customAlarms.push(configure(new AlarmDefinitionBuilder(key)));
+        return this;
+    }
     /**
      * Sets the default origin for the distribution.
      *
@@ -25,7 +33,8 @@ class DistributionBuilder {
             throw new Error(`DistributionBuilder "${id}" requires an origin. ` +
                 `Call .origin() with an IOrigin or a Ref to one.`);
         }
-        const { accessLogging, defaultBehavior: userBehavior, ...distProps } = this.props;
+        const { accessLogging, certificate, defaultBehavior: userBehavior, recommendedAlarms: alarmConfig, ...distProps } = this.props;
+        const resolvedCertificate = certificate ? resolve(certificate, context ?? {}) : undefined;
         const { accessLogging: defaultAccessLogging, defaultBehavior: defaultBehavior, ...cdkDefaults } = DISTRIBUTION_DEFAULTS;
         const autoAccessLog = (accessLogging ?? defaultAccessLogging) && !distProps.logBucket;
         let accessLogsBucket;
@@ -33,6 +42,9 @@ class DistributionBuilder {
         if (autoAccessLog) {
             accessLogsBucket = createBucketBuilder()
                 .accessLogging(false)
+                .versioned(false)
+                // CloudFront standard logging writes via ACLs, which requires BucketOwnerPreferred.
+                .objectOwnership(ObjectOwnership.BUCKET_OWNER_PREFERRED)
                 .removalPolicy(RemovalPolicy.RETAIN)
                 .build(scope, `${id}AccessLogs`).bucket;
             accessLogProps = {
@@ -44,15 +56,24 @@ class DistributionBuilder {
             ...cdkDefaults,
             ...accessLogProps,
             ...distProps,
+            ...(resolvedCertificate ? { certificate: resolvedCertificate } : {}),
             defaultBehavior: {
                 ...defaultBehavior,
                 ...userBehavior,
                 origin: resolvedOrigin,
             },
         };
+        const distribution = new Distribution(scope, id, mergedProps);
+        // Ensure CloudFront is deleted before the access logs bucket during stack teardown.
+        // Without this, CloudFront may still be writing logs while the bucket is being emptied/deleted.
+        if (accessLogsBucket) {
+            distribution.node.addDependency(accessLogsBucket);
+        }
+        const alarms = createDistributionAlarms(scope, id, distribution, alarmConfig, this.customAlarms);
         return {
-            distribution: new Distribution(scope, id, mergedProps),
+            distribution,
             accessLogsBucket,
+            alarms,
         };
     }
 }

package/dist/distribution-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"distribution-builder.js","sourceRoot":"","sources":["../src/distribution-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,GAIb,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EACL,OAAO,EAGP,OAAO,GAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAwFtD,MAAM,mBAAmB;IACvB,KAAK,GAAsC,EAAE,CAAC;IACtC,OAAO,CAAuB;IAEtC;;;;;;;;OAQG;IACH,MAAM,CAAC,MAA2B;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEvF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,wBAAwB,EAAE,wBAAwB;gBAChD,iDAAiD,CACpD,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,aAAa,EAAE,eAAe,EAAE,YAAY,EAAE,GAAG,SAAS,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAClF,MAAM,EACJ,aAAa,EAAE,oBAAoB,EACnC,eAAe,EAAE,eAAe,EAChC,GAAG,WAAW,EACf,GAAG,qBAAqB,CAAC;QAC1B,MAAM,aAAa,GAAG,CAAC,aAAa,IAAI,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;QAEtF,IAAI,gBAAoC,CAAC;QACzC,IAAI,cAAc,GAAG,EAAE,CAAC;QAExB,IAAI,aAAa,EAAE,CAAC;YAClB,gBAAgB,GAAG,mBAAmB,EAAE;iBACrC,aAAa,CAAC,KAAK,CAAC;iBACpB,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC;iBACnC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC;YAC1C,cAAc,GAAG;gBACf,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE,gBAAgB;aAC5B,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,WAAW;YACd,GAAG,cAAc;YACjB,GAAG,SAAS;YACZ,eAAe,EAAE;gBACf,GAAG,eAAe;gBAClB,GAAG,YAAY;gBACf,MAAM,EAAE,cAAc;aACvB;SACmB,CAAC;QAEvB,OAAO;YACL,YAAY,EAAE,IAAI,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC;YACtD,gBAAgB;SACjB,CAAC;IACJ,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,OAAO,CAAgD,mBAAmB,CAAC,CAAC;AACrF,CAAC"}
+{"version":3,"file":"distribution-builder.js","sourceRoot":"","sources":["../src/distribution-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,GAIb,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAAe,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EACL,OAAO,EAGP,OAAO,GAER,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAkItD,MAAM,mBAAmB;IACvB,KAAK,GAAsC,EAAE,CAAC;IACtC,OAAO,CAAuB;IACrB,YAAY,GAA2C,EAAE,CAAC;IAE3E,QAAQ,CACN,GAAW,EACX,SAEyC;QAEzC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAe,GAAG,CAAC,CAAC,CAAC,CAAC;QACjF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,MAA2B;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEvF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,wBAAwB,EAAE,wBAAwB;gBAChD,iDAAiD,CACpD,CAAC;QACJ,CAAC;QAED,MAAM,EACJ,aAAa,EACb,WAAW,EACX,eAAe,EAAE,YAAY,EAC7B,iBAAiB,EAAE,WAAW,EAC9B,GAAG,SAAS,EACb,GAAG,IAAI,CAAC,KAAK,CAAC;QACf,MAAM,mBAAmB,GAAG,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC1F,MAAM,EACJ,aAAa,EAAE,oBAAoB,EACnC,eAAe,EAAE,eAAe,EAChC,GAAG,WAAW,EACf,GAAG,qBAAqB,CAAC;QAC1B,MAAM,aAAa,GAAG,CAAC,aAAa,IAAI,oBAAoB,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;QAEtF,IAAI,gBAAoC,CAAC;QACzC,IAAI,cAAc,GAAG,EAAE,CAAC;QAExB,IAAI,aAAa,EAAE,CAAC;YAClB,gBAAgB,GAAG,mBAAmB,EAAE;iBACrC,aAAa,CAAC,KAAK,CAAC;iBACpB,SAAS,CAAC,KAAK,CAAC;gBACjB,oFAAoF;iBACnF,eAAe,CAAC,eAAe,CAAC,sBAAsB,CAAC;iBACvD,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC;iBACnC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC;YAC1C,cAAc,GAAG;gBACf,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE,gBAAgB;aAC5B,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,WAAW;YACd,GAAG,cAAc;YACjB,GAAG,SAAS;YACZ,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,eAAe,EAAE;gBACf,GAAG,eAAe;gBAClB,GAAG,YAAY;gBACf,MAAM,EAAE,cAAc;aACvB;SACmB,CAAC;QAEvB,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE9D,oFAAoF;QACpF,gGAAgG;QAChG,IAAI,gBAAgB,EAAE,CAAC;YACrB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,MAAM,GAAG,wBAAwB,CACrC,KAAK,EACL,EAAE,EACF,YAAY,EACZ,WAAW,EACX,IAAI,CAAC,YAAY,CAClB,CAAC;QAEF,OAAO;YACL,YAAY;YACZ,gBAAgB;YAChB,MAAM;SACP,CAAC;IACJ,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,OAAO,CAAgD,mBAAmB,CAAC,CAAC;AACrF,CAAC"}

package/dist/index.d.ts

@@ -1,3 +1,5 @@
 export { createDistributionBuilder, type DistributionBuilderResult, type IDistributionBuilder, } from "./distribution-builder.js";
 export { DISTRIBUTION_DEFAULTS } from "./defaults.js";
+export { type DistributionAlarmConfig } from "./alarm-config.js";
+export { DISTRIBUTION_ALARM_DEFAULTS } from "./alarm-defaults.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,oBAAoB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,oBAAoB,GAC1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,KAAK,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -1,3 +1,4 @@
 export { createDistributionBuilder, } from "./distribution-builder.js";
 export { DISTRIBUTION_DEFAULTS } from "./defaults.js";
+export { DISTRIBUTION_ALARM_DEFAULTS } from "./alarm-defaults.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,GAG1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,yBAAyB,GAG1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,OAAO,EAAE,2BAA2B,EAAE,MAAM,qBAAqB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@composurecdk/cloudfront",
-  "version": "0.1.3",
+  "version": "0.3.2",
   "description": "Composable CloudFront distribution builder with well-architected defaults",
   "repository": {
     "type": "git",
@@ -35,16 +35,17 @@
   },
   "type": "module",
   "peerDependencies": {
-    "@composurecdk/core": "^0.1.0",
-    "@composurecdk/s3": "^0.1.0",
+    "@composurecdk/cloudwatch": "^0.3.0",
+    "@composurecdk/core": "^0.3.0",
+    "@composurecdk/s3": "^0.3.0",
     "aws-cdk-lib": "^2.0.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "@types/node": "^25.5.0",
-    "aws-cdk-lib": "^2.245.0",
+    "@types/node": "^25.6.0",
+    "aws-cdk-lib": "^2.250.0",
     "constructs": "^10.6.0",
-    "typescript": "^6.0.2",
-    "vitest": "^4.1.2"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.4"
   }
 }