@composurecdk/ec2 0.8.0 → 0.8.2

package/README.md

@@ -220,6 +220,74 @@ createVpcBuilder().flowLogs(false);
 
 For multiple flow logs against the same VPC, omit this config and create additional `FlowLog` constructs directly against the returned `vpc`.
 
+## Security Group Builder
+
+```ts
+import { createSecurityGroupBuilder } from "@composurecdk/ec2";
+import { Peer, Port } from "aws-cdk-lib/aws-ec2";
+
+const web = createSecurityGroupBuilder()
+  .vpc(vpc)
+  .description("Public web tier")
+  .addIngressRule(Peer.anyIpv4(), Port.tcp(443), "Public HTTPS")
+  .addEgressRule(Peer.anyIpv4(), Port.tcp(443), "HTTPS to origin")
+  .build(stack, "WebSg");
+```
+
+Every [SecurityGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroupProps.html) property is available as a fluent setter on the builder, except `vpc` which is set via the dedicated `.vpc()` method to support cross-component wiring with `ref<T>(...)`.
+
+Ingress and egress rules are accumulated via `addIngressRule`, `addEgressRule`, and `addSelfIngress` (for the intra-SG "allow within the cluster" pattern). Each peer is a `Resolvable<IPeer>`, so it can be a concrete `IPeer` (a CIDR via `Peer.ipv4(...)`, another `ISecurityGroup`, a prefix list, …) or a `Ref` to a sibling component's output.
+
+### Security Group Defaults
+
+| Property           | Default | Rationale                                                                                                                                                |
+| ------------------ | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `allowAllOutbound` | `false` | Closes the implicit `0.0.0.0/0` egress rule CDK ships by default. Every outbound flow becomes an explicit `addEgressRule` — the least-privilege default. |
+
+Two properties intentionally have no default — they are application-specific and must be supplied explicitly:
+
+- `vpc` (via the `.vpc()` method)
+- `description` (a short, human-readable summary of the SG's purpose; whitespace-only values are rejected)
+
+The defaults are exported as `SECURITY_GROUP_DEFAULTS` for visibility and testing:
+
+```ts
+import { SECURITY_GROUP_DEFAULTS } from "@composurecdk/ec2";
+```
+
+### Wiring two SGs via `ref`
+
+The canonical cross-component pattern — a bastion SG and a database SG that talks to it — declares the dependency in `compose()` and resolves the peer at build time:
+
+```ts
+import { compose, ref } from "@composurecdk/core";
+import { createSecurityGroupBuilder, createVpcBuilder } from "@composurecdk/ec2";
+import type { SecurityGroupBuilderResult, VpcBuilderResult } from "@composurecdk/ec2";
+import { Port } from "aws-cdk-lib/aws-ec2";
+
+compose(
+  {
+    network: createVpcBuilder(),
+    bastion: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("Bastion host"),
+    database: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("Database")
+      .addIngressRule(
+        ref<SecurityGroupBuilderResult>("bastion").get("securityGroup"),
+        Port.tcp(5432),
+        "Bastion to Postgres",
+      ),
+  },
+  { network: [], bastion: ["network"], database: ["network", "bastion"] },
+).build(stack, "App");
+```
+
+### Recommended Alarms
+
+The Security Group builder does **not** create CloudWatch alarms. Security groups do not emit CloudWatch metrics — the [AWS recommended-alarms reference](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html) has no SG entry. Operational visibility for SGs comes from adjacent signals (VPC Flow Logs, GuardDuty findings, CloudTrail `AuthorizeSecurityGroupIngress`/`Egress` events), none of which belong on the builder result.
+
 ## Volume Builder
 
 ```ts

package/dist/commonjs/index.d.ts

@@ -11,4 +11,6 @@ export { type VolumeAlarmConfig } from "./volume-alarm-config.js";
 export { VOLUME_ALARM_DEFAULTS } from "./volume-alarm-defaults.js";
 export { createVpcBuilder, type FlowLogsConfig, type IVpcBuilder, type VpcBuilderProps, type VpcBuilderResult, } from "./vpc-builder.js";
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
+export { createSecurityGroupBuilder, type ISecurityGroupBuilder, type SecurityGroupBuilderProps, type SecurityGroupBuilderResult, } from "./security-group-builder.js";
+export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/commonjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/commonjs/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.VPC_DEFAULTS = exports.createVpcBuilder = exports.VOLUME_ALARM_DEFAULTS = exports.VOLUME_DEFAULTS = exports.createVolumeBuilder = exports.VOLUME_ATTACHMENT_ALARM_DEFAULTS = exports.INSTANCE_ALARM_DEFAULTS = exports.INSTANCE_DEFAULTS = exports.createInstanceBuilder = void 0;
+exports.SECURITY_GROUP_DEFAULTS = exports.createSecurityGroupBuilder = exports.VPC_DEFAULTS = exports.createVpcBuilder = exports.VOLUME_ALARM_DEFAULTS = exports.VOLUME_DEFAULTS = exports.createVolumeBuilder = exports.VOLUME_ATTACHMENT_ALARM_DEFAULTS = exports.INSTANCE_ALARM_DEFAULTS = exports.INSTANCE_DEFAULTS = exports.createInstanceBuilder = void 0;
 var instance_builder_js_1 = require("./instance-builder.js");
 Object.defineProperty(exports, "createInstanceBuilder", { enumerable: true, get: function () { return instance_builder_js_1.createInstanceBuilder; } });
 var instance_defaults_js_1 = require("./instance-defaults.js");
@@ -19,4 +19,8 @@ var vpc_builder_js_1 = require("./vpc-builder.js");
 Object.defineProperty(exports, "createVpcBuilder", { enumerable: true, get: function () { return vpc_builder_js_1.createVpcBuilder; } });
 var vpc_defaults_js_1 = require("./vpc-defaults.js");
 Object.defineProperty(exports, "VPC_DEFAULTS", { enumerable: true, get: function () { return vpc_defaults_js_1.VPC_DEFAULTS; } });
+var security_group_builder_js_1 = require("./security-group-builder.js");
+Object.defineProperty(exports, "createSecurityGroupBuilder", { enumerable: true, get: function () { return security_group_builder_js_1.createSecurityGroupBuilder; } });
+var security_group_defaults_js_1 = require("./security-group-defaults.js");
+Object.defineProperty(exports, "SECURITY_GROUP_DEFAULTS", { enumerable: true, get: function () { return security_group_defaults_js_1.SECURITY_GROUP_DEFAULTS; } });
 //# sourceMappingURL=index.js.map

package/dist/commonjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,6DAK+B;AAJ7B,4HAAA,qBAAqB,OAAA;AAKvB,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAE1B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAGhC,mGAA4F;AAAnF,0JAAA,gCAAgC,OAAA;AAEzC,yDAK6B;AAJ3B,wHAAA,mBAAmB,OAAA;AAKrB,2DAAuD;AAA9C,qHAAA,eAAe,OAAA;AAExB,uEAAmE;AAA1D,iIAAA,qBAAqB,OAAA;AAE9B,mDAM0B;AALxB,kHAAA,gBAAgB,OAAA;AAMlB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,6DAK+B;AAJ7B,4HAAA,qBAAqB,OAAA;AAKvB,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAE1B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAGhC,mGAA4F;AAAnF,0JAAA,gCAAgC,OAAA;AAEzC,yDAK6B;AAJ3B,wHAAA,mBAAmB,OAAA;AAKrB,2DAAuD;AAA9C,qHAAA,eAAe,OAAA;AAExB,uEAAmE;AAA1D,iIAAA,qBAAqB,OAAA;AAE9B,mDAM0B;AALxB,kHAAA,gBAAgB,OAAA;AAMlB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA;AAErB,yEAKqC;AAJnC,uIAAA,0BAA0B,OAAA;AAK5B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA"}

package/dist/commonjs/security-group-builder.d.ts

@@ -0,0 +1,148 @@
+import { type IPeer, type IVpc, type Port, SecurityGroup, type SecurityGroupProps } from "aws-cdk-lib/aws-ec2";
+import { type IConstruct } from "constructs";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
+/**
+ * Configuration properties for the security group builder.
+ *
+ * Extends the CDK {@link SecurityGroupProps} but lifts `vpc` off the props
+ * object — it is supplied via the dedicated
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} method so it can accept a
+ * {@link Resolvable} for cross-component wiring (e.g. a sibling
+ * `VpcBuilder`).
+ *
+ * Ingress and egress rules are added imperatively via
+ * {@link ISecurityGroupBuilder.addIngressRule | .addIngressRule()},
+ * {@link ISecurityGroupBuilder.addEgressRule | .addEgressRule()}, and
+ * {@link ISecurityGroupBuilder.addSelfIngress | .addSelfIngress()} so each
+ * peer can also be a {@link Resolvable}.
+ */
+export type SecurityGroupBuilderProps = Omit<SecurityGroupProps, "vpc">;
+/**
+ * The build output of an {@link ISecurityGroupBuilder}. Contains the CDK
+ * constructs created during {@link Lifecycle.build}, keyed by role.
+ *
+ * The `securityGroup` is itself an `IConnectable` and `IPeer`, so consumers
+ * compose against it directly — there is no separate `connections` field on
+ * the result.
+ *
+ * The builder creates no CloudWatch alarms. Security groups do not emit
+ * CloudWatch metrics, so the
+ * [recommended-alarms reference](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html)
+ * has no SG entry. Operational visibility comes from adjacent signals —
+ * VPC Flow Logs, GuardDuty findings, CloudTrail authorize-events.
+ */
+export interface SecurityGroupBuilderResult {
+    securityGroup: SecurityGroup;
+}
+/**
+ * A fluent builder for configuring and creating an AWS EC2 security group.
+ *
+ * Each configuration property from the CDK {@link SecurityGroupProps} (other
+ * than `vpc`) is exposed as an overloaded method: call with a value to set
+ * it, or with no arguments to read it. The `vpc` is set via the dedicated
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} method that accepts a
+ * {@link Resolvable} for cross-component wiring with sibling builders.
+ *
+ * Ingress and egress rules are accumulated via
+ * {@link ISecurityGroupBuilder.addIngressRule | .addIngressRule()},
+ * {@link ISecurityGroupBuilder.addEgressRule | .addEgressRule()}, and
+ * {@link ISecurityGroupBuilder.addSelfIngress | .addSelfIngress()} and
+ * applied when {@link Lifecycle.build | build()} runs. Each peer is a
+ * {@link Resolvable} so it can be a concrete `IPeer` (including another
+ * `ISecurityGroup`) or a {@link ref | Ref} to a sibling component's output.
+ *
+ * The builder implements {@link Lifecycle}, so it can be used directly as a
+ * component in a {@link compose | composed system}.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html
+ *
+ * @example
+ * ```ts
+ * compose(
+ *   {
+ *     network: createVpcBuilder(),
+ *     bastion: createSecurityGroupBuilder()
+ *       .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *       .description("Bastion host"),
+ *     database: createSecurityGroupBuilder()
+ *       .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *       .description("Database")
+ *       .addIngressRule(
+ *         ref<SecurityGroupBuilderResult>("bastion").get("securityGroup"),
+ *         Port.tcp(5432),
+ *         "Bastion to Postgres",
+ *       ),
+ *   },
+ *   { network: [], bastion: ["network"], database: ["network", "bastion"] },
+ * );
+ * ```
+ */
+export type ISecurityGroupBuilder = ITaggedBuilder<SecurityGroupBuilderProps, SecurityGroupBuilder>;
+declare class SecurityGroupBuilder implements Lifecycle<SecurityGroupBuilderResult> {
+    #private;
+    props: Partial<SecurityGroupBuilderProps>;
+    /**
+     * Sets the VPC the security group is created in.
+     *
+     * Accepts a concrete {@link IVpc} or a {@link Ref} that resolves to one
+     * at build time — e.g. a sibling {@link IVpcBuilder} in the same
+     * composed system.
+     *
+     * @param vpc - The VPC or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    vpc(vpc: Resolvable<IVpc>): this;
+    /**
+     * Adds an ingress rule. The peer accepts any {@link IPeer} — a concrete
+     * `Peer.ipv4(...)`, another `ISecurityGroup`, a prefix list — or a
+     * {@link Ref} that resolves to one.
+     *
+     * @param peer - The source of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addIngressRule(peer: Resolvable<IPeer>, port: Port, description?: string): this;
+    /**
+     * Adds an egress rule. Required when `allowAllOutbound` is `false`
+     * (the builder default — see {@link SECURITY_GROUP_DEFAULTS}). The peer
+     * accepts any {@link IPeer} or a {@link Ref} that resolves to one.
+     *
+     * @param peer - The destination of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addEgressRule(peer: Resolvable<IPeer>, port: Port, description?: string): this;
+    /**
+     * Adds an ingress rule whose peer is the security group itself —
+     * the canonical "allow intra-SG traffic on port N" pattern. The peer
+     * cannot be expressed at configuration time because the security group
+     * identity does not exist yet; the builder wires it after the SG is
+     * constructed.
+     *
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addSelfIngress(port: Port, description?: string): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: SecurityGroupBuilder): void;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): SecurityGroupBuilderResult;
+}
+/**
+ * Creates a new {@link ISecurityGroupBuilder} for configuring an AWS EC2
+ * security group.
+ *
+ * The returned builder exposes every {@link SecurityGroupBuilderProps}
+ * property as a fluent setter/getter, plus
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} for cross-component VPC wiring
+ * and the `addIngressRule` / `addEgressRule` / `addSelfIngress` accumulators.
+ * It implements {@link Lifecycle} for use with {@link compose}.
+ *
+ * @returns A fluent builder for an AWS EC2 security group.
+ */
+export declare function createSecurityGroupBuilder(): ISecurityGroupBuilder;
+export {};
+//# sourceMappingURL=security-group-builder.d.ts.map

package/dist/commonjs/security-group-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAGlF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;CAiD9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/commonjs/security-group-builder.js

@@ -0,0 +1,146 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSecurityGroupBuilder = createSecurityGroupBuilder;
+const aws_ec2_1 = require("aws-cdk-lib/aws-ec2");
+const core_1 = require("@composurecdk/core");
+const cloudformation_1 = require("@composurecdk/cloudformation");
+const security_group_defaults_js_1 = require("./security-group-defaults.js");
+class SecurityGroupBuilder {
+    props = {};
+    #peerRules = [];
+    #selfIngress = [];
+    #vpc;
+    /**
+     * Sets the VPC the security group is created in.
+     *
+     * Accepts a concrete {@link IVpc} or a {@link Ref} that resolves to one
+     * at build time — e.g. a sibling {@link IVpcBuilder} in the same
+     * composed system.
+     *
+     * @param vpc - The VPC or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    vpc(vpc) {
+        this.#vpc = vpc;
+        return this;
+    }
+    /**
+     * Adds an ingress rule. The peer accepts any {@link IPeer} — a concrete
+     * `Peer.ipv4(...)`, another `ISecurityGroup`, a prefix list — or a
+     * {@link Ref} that resolves to one.
+     *
+     * @param peer - The source of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addIngressRule(peer, port, description) {
+        this.#peerRules.push({
+            direction: "ingress",
+            peer,
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /**
+     * Adds an egress rule. Required when `allowAllOutbound` is `false`
+     * (the builder default — see {@link SECURITY_GROUP_DEFAULTS}). The peer
+     * accepts any {@link IPeer} or a {@link Ref} that resolves to one.
+     *
+     * @param peer - The destination of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addEgressRule(peer, port, description) {
+        this.#peerRules.push({
+            direction: "egress",
+            peer,
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /**
+     * Adds an ingress rule whose peer is the security group itself —
+     * the canonical "allow intra-SG traffic on port N" pattern. The peer
+     * cannot be expressed at configuration time because the security group
+     * identity does not exist yet; the builder wires it after the SG is
+     * constructed.
+     *
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addSelfIngress(port, description) {
+        this.#selfIngress.push({
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [core_1.COPY_STATE](target) {
+        target.#vpc = this.#vpc;
+        target.#peerRules.push(...this.#peerRules);
+        target.#selfIngress.push(...this.#selfIngress);
+    }
+    build(scope, id, context) {
+        const resolvedVpc = this.#vpc ? (0, core_1.resolve)(this.#vpc, context) : undefined;
+        if (!resolvedVpc) {
+            throw new Error(`SecurityGroupBuilder "${id}" requires a VPC. ` +
+                "Call .vpc() with an IVpc or a Ref to one.");
+        }
+        if (this.props.description === undefined || this.props.description.trim() === "") {
+            throw new Error(`SecurityGroupBuilder "${id}" requires a description. ` +
+                "Call .description() with a short summary of the SG's purpose.");
+        }
+        // Drop keys whose value is `undefined` so a fluent call like
+        // `.allowAllOutbound(undefined)` (common in "optional override" code:
+        // `b.allowAllOutbound(cfg?.allowAllOutbound)`) does not clobber the
+        // closed-egress default with explicit `undefined`.
+        const userProps = {};
+        for (const key of Object.keys(this.props)) {
+            const value = this.props[key];
+            if (value !== undefined) {
+                userProps[key] = value;
+            }
+        }
+        const mergedProps = {
+            ...security_group_defaults_js_1.SECURITY_GROUP_DEFAULTS,
+            ...userProps,
+            vpc: resolvedVpc,
+        };
+        const securityGroup = new aws_ec2_1.SecurityGroup(scope, id, mergedProps);
+        for (const rule of this.#peerRules) {
+            const peer = (0, core_1.resolve)(rule.peer, context);
+            if (rule.direction === "ingress") {
+                securityGroup.addIngressRule(peer, rule.port, rule.description);
+            }
+            else {
+                securityGroup.addEgressRule(peer, rule.port, rule.description);
+            }
+        }
+        for (const rule of this.#selfIngress) {
+            securityGroup.addIngressRule(securityGroup, rule.port, rule.description);
+        }
+        return { securityGroup };
+    }
+}
+/**
+ * Creates a new {@link ISecurityGroupBuilder} for configuring an AWS EC2
+ * security group.
+ *
+ * The returned builder exposes every {@link SecurityGroupBuilderProps}
+ * property as a fluent setter/getter, plus
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} for cross-component VPC wiring
+ * and the `addIngressRule` / `addEgressRule` / `addSelfIngress` accumulators.
+ * It implements {@link Lifecycle} for use with {@link compose}.
+ *
+ * @returns A fluent builder for an AWS EC2 security group.
+ */
+function createSecurityGroupBuilder() {
+    return (0, cloudformation_1.taggedBuilder)(SecurityGroupBuilder);
+}
+//# sourceMappingURL=security-group-builder.js.map

package/dist/commonjs/security-group-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":";;AAkQA,gEAEC;AApQD,iDAM6B;AAE7B,6CAA0F;AAC1F,iEAAkF;AAClF,6EAAuE;AA8FvE,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,oDAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,uBAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,0BAA0B;IACxC,OAAO,IAAA,8BAAa,EAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}

package/dist/commonjs/security-group-defaults.d.ts

@@ -0,0 +1,13 @@
+import type { SecurityGroupProps } from "aws-cdk-lib/aws-ec2";
+/**
+ * Secure, AWS-recommended defaults applied to every security group built
+ * with {@link createSecurityGroupBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Two properties intentionally have no default — they are application-
+ * specific and must be supplied explicitly:
+ *   - `vpc` (via the builder's `.vpc()` method)
+ *   - `description` (a short, human-readable summary of the SG's purpose)
+ */
+export declare const SECURITY_GROUP_DEFAULTS: Partial<SecurityGroupProps>;
+//# sourceMappingURL=security-group-defaults.d.ts.map

package/dist/commonjs/security-group-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-defaults.d.ts","sourceRoot":"","sources":["../../src/security-group-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,uBAAuB,EAAE,OAAO,CAAC,kBAAkB,CAY/D,CAAC"}

package/dist/commonjs/security-group-defaults.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECURITY_GROUP_DEFAULTS = void 0;
+/**
+ * Secure, AWS-recommended defaults applied to every security group built
+ * with {@link createSecurityGroupBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Two properties intentionally have no default — they are application-
+ * specific and must be supplied explicitly:
+ *   - `vpc` (via the builder's `.vpc()` method)
+ *   - `description` (a short, human-readable summary of the SG's purpose)
+ */
+exports.SECURITY_GROUP_DEFAULTS = {
+    /**
+     * Closed-by-default egress. CDK's stock default is `true`, which creates
+     * an implicit `0.0.0.0/0` outbound rule on every SG — flagged by
+     * compliance scanners and incompatible with the project's least-privilege
+     * stance. Closing egress forces every outbound flow to be expressed as
+     * an explicit `addEgressRule` (or `.allowAllOutbound(true)` to opt back
+     * into the CDK default).
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_layered.html
+     */
+    allowAllOutbound: false,
+};
+//# sourceMappingURL=security-group-defaults.js.map

package/dist/commonjs/security-group-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-defaults.js","sourceRoot":"","sources":["../../src/security-group-defaults.ts"],"names":[],"mappings":";;;AAEA;;;;;;;;;GASG;AACU,QAAA,uBAAuB,GAAgC;IAClE;;;;;;;;;OASG;IACH,gBAAgB,EAAE,KAAK;CACxB,CAAC"}

package/dist/esm/index.d.ts

@@ -11,4 +11,6 @@ export { type VolumeAlarmConfig } from "./volume-alarm-config.js";
 export { VOLUME_ALARM_DEFAULTS } from "./volume-alarm-defaults.js";
 export { createVpcBuilder, type FlowLogsConfig, type IVpcBuilder, type VpcBuilderProps, type VpcBuilderResult, } from "./vpc-builder.js";
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
+export { createSecurityGroupBuilder, type ISecurityGroupBuilder, type SecurityGroupBuilderProps, type SecurityGroupBuilderResult, } from "./security-group-builder.js";
+export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/esm/index.js

@@ -7,4 +7,6 @@ export { VOLUME_DEFAULTS } from "./volume-defaults.js";
 export { VOLUME_ALARM_DEFAULTS } from "./volume-alarm-defaults.js";
 export { createVpcBuilder, } from "./vpc-builder.js";
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
+export { createSecurityGroupBuilder, } from "./security-group-builder.js";
+export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,GAItB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,GAIpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,GAKjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,GAItB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,GAIpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,GAKjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,GAI3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/esm/security-group-builder.d.ts

@@ -0,0 +1,148 @@
+import { type IPeer, type IVpc, type Port, SecurityGroup, type SecurityGroupProps } from "aws-cdk-lib/aws-ec2";
+import { type IConstruct } from "constructs";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
+/**
+ * Configuration properties for the security group builder.
+ *
+ * Extends the CDK {@link SecurityGroupProps} but lifts `vpc` off the props
+ * object — it is supplied via the dedicated
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} method so it can accept a
+ * {@link Resolvable} for cross-component wiring (e.g. a sibling
+ * `VpcBuilder`).
+ *
+ * Ingress and egress rules are added imperatively via
+ * {@link ISecurityGroupBuilder.addIngressRule | .addIngressRule()},
+ * {@link ISecurityGroupBuilder.addEgressRule | .addEgressRule()}, and
+ * {@link ISecurityGroupBuilder.addSelfIngress | .addSelfIngress()} so each
+ * peer can also be a {@link Resolvable}.
+ */
+export type SecurityGroupBuilderProps = Omit<SecurityGroupProps, "vpc">;
+/**
+ * The build output of an {@link ISecurityGroupBuilder}. Contains the CDK
+ * constructs created during {@link Lifecycle.build}, keyed by role.
+ *
+ * The `securityGroup` is itself an `IConnectable` and `IPeer`, so consumers
+ * compose against it directly — there is no separate `connections` field on
+ * the result.
+ *
+ * The builder creates no CloudWatch alarms. Security groups do not emit
+ * CloudWatch metrics, so the
+ * [recommended-alarms reference](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html)
+ * has no SG entry. Operational visibility comes from adjacent signals —
+ * VPC Flow Logs, GuardDuty findings, CloudTrail authorize-events.
+ */
+export interface SecurityGroupBuilderResult {
+    securityGroup: SecurityGroup;
+}
+/**
+ * A fluent builder for configuring and creating an AWS EC2 security group.
+ *
+ * Each configuration property from the CDK {@link SecurityGroupProps} (other
+ * than `vpc`) is exposed as an overloaded method: call with a value to set
+ * it, or with no arguments to read it. The `vpc` is set via the dedicated
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} method that accepts a
+ * {@link Resolvable} for cross-component wiring with sibling builders.
+ *
+ * Ingress and egress rules are accumulated via
+ * {@link ISecurityGroupBuilder.addIngressRule | .addIngressRule()},
+ * {@link ISecurityGroupBuilder.addEgressRule | .addEgressRule()}, and
+ * {@link ISecurityGroupBuilder.addSelfIngress | .addSelfIngress()} and
+ * applied when {@link Lifecycle.build | build()} runs. Each peer is a
+ * {@link Resolvable} so it can be a concrete `IPeer` (including another
+ * `ISecurityGroup`) or a {@link ref | Ref} to a sibling component's output.
+ *
+ * The builder implements {@link Lifecycle}, so it can be used directly as a
+ * component in a {@link compose | composed system}.
+ *
+ * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html
+ *
+ * @example
+ * ```ts
+ * compose(
+ *   {
+ *     network: createVpcBuilder(),
+ *     bastion: createSecurityGroupBuilder()
+ *       .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *       .description("Bastion host"),
+ *     database: createSecurityGroupBuilder()
+ *       .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *       .description("Database")
+ *       .addIngressRule(
+ *         ref<SecurityGroupBuilderResult>("bastion").get("securityGroup"),
+ *         Port.tcp(5432),
+ *         "Bastion to Postgres",
+ *       ),
+ *   },
+ *   { network: [], bastion: ["network"], database: ["network", "bastion"] },
+ * );
+ * ```
+ */
+export type ISecurityGroupBuilder = ITaggedBuilder<SecurityGroupBuilderProps, SecurityGroupBuilder>;
+declare class SecurityGroupBuilder implements Lifecycle<SecurityGroupBuilderResult> {
+    #private;
+    props: Partial<SecurityGroupBuilderProps>;
+    /**
+     * Sets the VPC the security group is created in.
+     *
+     * Accepts a concrete {@link IVpc} or a {@link Ref} that resolves to one
+     * at build time — e.g. a sibling {@link IVpcBuilder} in the same
+     * composed system.
+     *
+     * @param vpc - The VPC or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    vpc(vpc: Resolvable<IVpc>): this;
+    /**
+     * Adds an ingress rule. The peer accepts any {@link IPeer} — a concrete
+     * `Peer.ipv4(...)`, another `ISecurityGroup`, a prefix list — or a
+     * {@link Ref} that resolves to one.
+     *
+     * @param peer - The source of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addIngressRule(peer: Resolvable<IPeer>, port: Port, description?: string): this;
+    /**
+     * Adds an egress rule. Required when `allowAllOutbound` is `false`
+     * (the builder default — see {@link SECURITY_GROUP_DEFAULTS}). The peer
+     * accepts any {@link IPeer} or a {@link Ref} that resolves to one.
+     *
+     * @param peer - The destination of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addEgressRule(peer: Resolvable<IPeer>, port: Port, description?: string): this;
+    /**
+     * Adds an ingress rule whose peer is the security group itself —
+     * the canonical "allow intra-SG traffic on port N" pattern. The peer
+     * cannot be expressed at configuration time because the security group
+     * identity does not exist yet; the builder wires it after the SG is
+     * constructed.
+     *
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addSelfIngress(port: Port, description?: string): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: SecurityGroupBuilder): void;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): SecurityGroupBuilderResult;
+}
+/**
+ * Creates a new {@link ISecurityGroupBuilder} for configuring an AWS EC2
+ * security group.
+ *
+ * The returned builder exposes every {@link SecurityGroupBuilderProps}
+ * property as a fluent setter/getter, plus
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} for cross-component VPC wiring
+ * and the `addIngressRule` / `addEgressRule` / `addSelfIngress` accumulators.
+ * It implements {@link Lifecycle} for use with {@link compose}.
+ *
+ * @returns A fluent builder for an AWS EC2 security group.
+ */
+export declare function createSecurityGroupBuilder(): ISecurityGroupBuilder;
+export {};
+//# sourceMappingURL=security-group-builder.d.ts.map

package/dist/esm/security-group-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAGlF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;CAiD9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/esm/security-group-builder.js

@@ -0,0 +1,143 @@
+import { SecurityGroup, } from "aws-cdk-lib/aws-ec2";
+import { COPY_STATE, resolve } from "@composurecdk/core";
+import { taggedBuilder } from "@composurecdk/cloudformation";
+import { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
+class SecurityGroupBuilder {
+    props = {};
+    #peerRules = [];
+    #selfIngress = [];
+    #vpc;
+    /**
+     * Sets the VPC the security group is created in.
+     *
+     * Accepts a concrete {@link IVpc} or a {@link Ref} that resolves to one
+     * at build time — e.g. a sibling {@link IVpcBuilder} in the same
+     * composed system.
+     *
+     * @param vpc - The VPC or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    vpc(vpc) {
+        this.#vpc = vpc;
+        return this;
+    }
+    /**
+     * Adds an ingress rule. The peer accepts any {@link IPeer} — a concrete
+     * `Peer.ipv4(...)`, another `ISecurityGroup`, a prefix list — or a
+     * {@link Ref} that resolves to one.
+     *
+     * @param peer - The source of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addIngressRule(peer, port, description) {
+        this.#peerRules.push({
+            direction: "ingress",
+            peer,
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /**
+     * Adds an egress rule. Required when `allowAllOutbound` is `false`
+     * (the builder default — see {@link SECURITY_GROUP_DEFAULTS}). The peer
+     * accepts any {@link IPeer} or a {@link Ref} that resolves to one.
+     *
+     * @param peer - The destination of the allowed traffic.
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addEgressRule(peer, port, description) {
+        this.#peerRules.push({
+            direction: "egress",
+            peer,
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /**
+     * Adds an ingress rule whose peer is the security group itself —
+     * the canonical "allow intra-SG traffic on port N" pattern. The peer
+     * cannot be expressed at configuration time because the security group
+     * identity does not exist yet; the builder wires it after the SG is
+     * constructed.
+     *
+     * @param port - The port or port range.
+     * @param description - Optional human-readable description of the rule.
+     * @returns This builder for chaining.
+     */
+    addSelfIngress(port, description) {
+        this.#selfIngress.push({
+            port,
+            ...(description !== undefined ? { description } : {}),
+        });
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target) {
+        target.#vpc = this.#vpc;
+        target.#peerRules.push(...this.#peerRules);
+        target.#selfIngress.push(...this.#selfIngress);
+    }
+    build(scope, id, context) {
+        const resolvedVpc = this.#vpc ? resolve(this.#vpc, context) : undefined;
+        if (!resolvedVpc) {
+            throw new Error(`SecurityGroupBuilder "${id}" requires a VPC. ` +
+                "Call .vpc() with an IVpc or a Ref to one.");
+        }
+        if (this.props.description === undefined || this.props.description.trim() === "") {
+            throw new Error(`SecurityGroupBuilder "${id}" requires a description. ` +
+                "Call .description() with a short summary of the SG's purpose.");
+        }
+        // Drop keys whose value is `undefined` so a fluent call like
+        // `.allowAllOutbound(undefined)` (common in "optional override" code:
+        // `b.allowAllOutbound(cfg?.allowAllOutbound)`) does not clobber the
+        // closed-egress default with explicit `undefined`.
+        const userProps = {};
+        for (const key of Object.keys(this.props)) {
+            const value = this.props[key];
+            if (value !== undefined) {
+                userProps[key] = value;
+            }
+        }
+        const mergedProps = {
+            ...SECURITY_GROUP_DEFAULTS,
+            ...userProps,
+            vpc: resolvedVpc,
+        };
+        const securityGroup = new SecurityGroup(scope, id, mergedProps);
+        for (const rule of this.#peerRules) {
+            const peer = resolve(rule.peer, context);
+            if (rule.direction === "ingress") {
+                securityGroup.addIngressRule(peer, rule.port, rule.description);
+            }
+            else {
+                securityGroup.addEgressRule(peer, rule.port, rule.description);
+            }
+        }
+        for (const rule of this.#selfIngress) {
+            securityGroup.addIngressRule(securityGroup, rule.port, rule.description);
+        }
+        return { securityGroup };
+    }
+}
+/**
+ * Creates a new {@link ISecurityGroupBuilder} for configuring an AWS EC2
+ * security group.
+ *
+ * The returned builder exposes every {@link SecurityGroupBuilderProps}
+ * property as a fluent setter/getter, plus
+ * {@link ISecurityGroupBuilder.vpc | .vpc()} for cross-component VPC wiring
+ * and the `addIngressRule` / `addEgressRule` / `addSelfIngress` accumulators.
+ * It implements {@link Lifecycle} for use with {@link compose}.
+ *
+ * @returns A fluent builder for an AWS EC2 security group.
+ */
+export function createSecurityGroupBuilder() {
+    return taggedBuilder(SecurityGroupBuilder);
+}
+//# sourceMappingURL=security-group-builder.js.map

package/dist/esm/security-group-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,aAAa,GAEd,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AA8FvE,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,uBAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,aAAa,CAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}

package/dist/esm/security-group-defaults.d.ts

@@ -0,0 +1,13 @@
+import type { SecurityGroupProps } from "aws-cdk-lib/aws-ec2";
+/**
+ * Secure, AWS-recommended defaults applied to every security group built
+ * with {@link createSecurityGroupBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Two properties intentionally have no default — they are application-
+ * specific and must be supplied explicitly:
+ *   - `vpc` (via the builder's `.vpc()` method)
+ *   - `description` (a short, human-readable summary of the SG's purpose)
+ */
+export declare const SECURITY_GROUP_DEFAULTS: Partial<SecurityGroupProps>;
+//# sourceMappingURL=security-group-defaults.d.ts.map

package/dist/esm/security-group-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-defaults.d.ts","sourceRoot":"","sources":["../../src/security-group-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,uBAAuB,EAAE,OAAO,CAAC,kBAAkB,CAY/D,CAAC"}

package/dist/esm/security-group-defaults.js

@@ -0,0 +1,24 @@
+/**
+ * Secure, AWS-recommended defaults applied to every security group built
+ * with {@link createSecurityGroupBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Two properties intentionally have no default — they are application-
+ * specific and must be supplied explicitly:
+ *   - `vpc` (via the builder's `.vpc()` method)
+ *   - `description` (a short, human-readable summary of the SG's purpose)
+ */
+export const SECURITY_GROUP_DEFAULTS = {
+    /**
+     * Closed-by-default egress. CDK's stock default is `true`, which creates
+     * an implicit `0.0.0.0/0` outbound rule on every SG — flagged by
+     * compliance scanners and incompatible with the project's least-privilege
+     * stance. Closing egress forces every outbound flow to be expressed as
+     * an explicit `addEgressRule` (or `.allowAllOutbound(true)` to opt back
+     * into the CDK default).
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_layered.html
+     */
+    allowAllOutbound: false,
+};
+//# sourceMappingURL=security-group-defaults.js.map

package/dist/esm/security-group-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-defaults.js","sourceRoot":"","sources":["../../src/security-group-defaults.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAgC;IAClE;;;;;;;;;OASG;IACH,gBAAgB,EAAE,KAAK;CACxB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@composurecdk/ec2",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Composable EC2 instance and VPC builders with well-architected defaults",
   "repository": {
     "type": "git",
@@ -41,15 +41,15 @@
     "@composurecdk/cloudwatch": "^0.8.0",
     "@composurecdk/core": "^0.8.0",
     "@composurecdk/logs": "^0.8.0",
-    "aws-cdk-lib": "^2.0.0",
+    "aws-cdk-lib": "^2.54.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "@types/node": "^25.6.2",
-    "aws-cdk-lib": "^2.253.1",
+    "@types/node": "^25.9.1",
+    "aws-cdk-lib": "^2.257.0",
     "constructs": "^10.6.0",
     "typescript": "^6.0.2",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.7"
   },
   "exports": {
     "./package.json": "./package.json",