npm - @composurecdk/ec2 - Versions diffs - 0.8.3 → 0.8.5 - Mend

@composurecdk/ec2 0.8.3 → 0.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/README.md +200 -0
package/dist/commonjs/index.d.ts +20 -0
package/dist/commonjs/index.d.ts.map +1 -1
package/dist/commonjs/index.js +23 -1
package/dist/commonjs/index.js.map +1 -1
package/dist/commonjs/interface-endpoint-alarm-config.d.ts +34 -0
package/dist/commonjs/interface-endpoint-alarm-config.d.ts.map +1 -0
package/dist/commonjs/interface-endpoint-alarm-config.js +3 -0
package/dist/commonjs/interface-endpoint-alarm-config.js.map +1 -0
package/dist/commonjs/interface-endpoint-alarm-defaults.d.ts +13 -0
package/dist/commonjs/interface-endpoint-alarm-defaults.d.ts.map +1 -0
package/dist/commonjs/interface-endpoint-alarm-defaults.js +28 -0
package/dist/commonjs/interface-endpoint-alarm-defaults.js.map +1 -0
package/dist/commonjs/interface-endpoint-alarms.d.ts +13 -0
package/dist/commonjs/interface-endpoint-alarms.d.ts.map +1 -0
package/dist/commonjs/interface-endpoint-alarms.js +58 -0
package/dist/commonjs/interface-endpoint-alarms.js.map +1 -0
package/dist/commonjs/interface-endpoint-builder.d.ts +135 -0
package/dist/commonjs/interface-endpoint-builder.d.ts.map +1 -0
package/dist/commonjs/interface-endpoint-builder.js +126 -0
package/dist/commonjs/interface-endpoint-builder.js.map +1 -0
package/dist/commonjs/interface-endpoint-defaults.d.ts +14 -0
package/dist/commonjs/interface-endpoint-defaults.d.ts.map +1 -0
package/dist/commonjs/interface-endpoint-defaults.js +27 -0
package/dist/commonjs/interface-endpoint-defaults.js.map +1 -0
package/dist/commonjs/security-group-builder.d.ts.map +1 -1
package/dist/commonjs/security-group-builder.js +7 -0
package/dist/commonjs/security-group-builder.js.map +1 -1
package/dist/commonjs/security-group-constraints.d.ts +17 -0
package/dist/commonjs/security-group-constraints.d.ts.map +1 -0
package/dist/commonjs/security-group-constraints.js +70 -0
package/dist/commonjs/security-group-constraints.js.map +1 -0
package/dist/commonjs/vpc-builder.d.ts.map +1 -1
package/dist/commonjs/vpc-builder.js +11 -0
package/dist/commonjs/vpc-builder.js.map +1 -1
package/dist/esm/index.d.ts +20 -0
package/dist/esm/index.d.ts.map +1 -1
package/dist/esm/index.js +19 -0
package/dist/esm/index.js.map +1 -1
package/dist/esm/interface-endpoint-alarm-config.d.ts +34 -0
package/dist/esm/interface-endpoint-alarm-config.d.ts.map +1 -0
package/dist/esm/interface-endpoint-alarm-config.js +2 -0
package/dist/esm/interface-endpoint-alarm-config.js.map +1 -0
package/dist/esm/interface-endpoint-alarm-defaults.d.ts +13 -0
package/dist/esm/interface-endpoint-alarm-defaults.d.ts.map +1 -0
package/dist/esm/interface-endpoint-alarm-defaults.js +25 -0
package/dist/esm/interface-endpoint-alarm-defaults.js.map +1 -0
package/dist/esm/interface-endpoint-alarms.d.ts +13 -0
package/dist/esm/interface-endpoint-alarms.d.ts.map +1 -0
package/dist/esm/interface-endpoint-alarms.js +55 -0
package/dist/esm/interface-endpoint-alarms.js.map +1 -0
package/dist/esm/interface-endpoint-builder.d.ts +135 -0
package/dist/esm/interface-endpoint-builder.d.ts.map +1 -0
package/dist/esm/interface-endpoint-builder.js +123 -0
package/dist/esm/interface-endpoint-builder.js.map +1 -0
package/dist/esm/interface-endpoint-defaults.d.ts +14 -0
package/dist/esm/interface-endpoint-defaults.d.ts.map +1 -0
package/dist/esm/interface-endpoint-defaults.js +24 -0
package/dist/esm/interface-endpoint-defaults.js.map +1 -0
package/dist/esm/security-group-builder.d.ts.map +1 -1
package/dist/esm/security-group-builder.js +7 -0
package/dist/esm/security-group-builder.js.map +1 -1
package/dist/esm/security-group-constraints.d.ts +17 -0
package/dist/esm/security-group-constraints.d.ts.map +1 -0
package/dist/esm/security-group-constraints.js +66 -0
package/dist/esm/security-group-constraints.js.map +1 -0
package/dist/esm/vpc-builder.d.ts.map +1 -1
package/dist/esm/vpc-builder.js +11 -0
package/dist/esm/vpc-builder.js.map +1 -1
package/package.json +16 -5

package/dist/commonjs/interface-endpoint-builder.js ADDED Viewed

@@ -0,0 +1,126 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInterfaceEndpointBuilder = createInterfaceEndpointBuilder;
+const aws_ec2_1 = require("aws-cdk-lib/aws-ec2");
+const core_1 = require("@composurecdk/core");
+const cloudformation_1 = require("@composurecdk/cloudformation");
+const cloudwatch_1 = require("@composurecdk/cloudwatch");
+const security_group_builder_js_1 = require("./security-group-builder.js");
+const interface_endpoint_defaults_js_1 = require("./interface-endpoint-defaults.js");
+const interface_endpoint_alarms_js_1 = require("./interface-endpoint-alarms.js");
+class InterfaceEndpointBuilder {
+    props = {};
+    #access = [];
+    #customAlarms = [];
+    #vpc;
+    #securityGroups;
+    /**
+     * Sets the VPC the endpoint is created in. Accepts a concrete {@link IVpc}
+     * or a {@link Ref} to a sibling {@link IVpcBuilder}.
+     */
+    vpc(vpc) {
+        this.#vpc = vpc;
+        return this;
+    }
+    /**
+     * Bring-your-own security groups. Each entry is a {@link Resolvable}, so it
+     * can be a concrete {@link ISecurityGroup} or a {@link Ref} to a sibling
+     * `SecurityGroupBuilder` — giving you full ingress/egress/port control. When
+     * set, the builder creates no security group of its own and
+     * {@link InterfaceEndpointBuilderResult.securityGroup} is `undefined`.
+     *
+     * Mutually exclusive with {@link allowDefaultPortFrom}.
+     */
+    securityGroups(securityGroups) {
+        this.#securityGroups = securityGroups;
+        return this;
+    }
+    /**
+     * Managed-SG shortcut: wires `peer` to the auto-created security group via
+     * CDK's `endpoint.connections.allowDefaultPortFrom(peer)` — opening ingress
+     * on the managed SG from `peer`'s SG **and** egress from `peer`'s SG to the
+     * managed SG, on the service's default port (443 for AWS services).
+     *
+     * Because this delegates to CDK connections, `peer` must be an
+     * {@link IConnectable} (e.g. a `SecurityGroup` or `Instance`), not a raw
+     * `IPeer` (e.g. `Peer.ipv4(...)`). For CIDR-based rules use BYO mode with
+     * an explicit `addIngressRule` on your own {@link SecurityGroupBuilder}.
+     *
+     * Mutually exclusive with {@link securityGroups}.
+     */
+    allowDefaultPortFrom(peer, description) {
+        this.#access.push({ peer, description });
+        return this;
+    }
+    /**
+     * Adds a custom CloudWatch alarm alongside the recommended ones. The
+     * callback receives an {@link AlarmDefinitionBuilder} typed to the
+     * `InterfaceVpcEndpoint` construct, giving access to the endpoint at
+     * build time for metric dimension wiring.
+     */
+    addAlarm(key, configure) {
+        this.#customAlarms.push(configure(new cloudwatch_1.AlarmDefinitionBuilder(key)));
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [core_1.COPY_STATE](target) {
+        target.#vpc = this.#vpc;
+        target.#securityGroups = this.#securityGroups ? [...this.#securityGroups] : undefined;
+        target.#access.push(...this.#access);
+        target.#customAlarms.push(...this.#customAlarms);
+    }
+    build(scope, id, context) {
+        const resolvedVpc = this.#vpc ? (0, core_1.resolve)(this.#vpc, context) : undefined;
+        if (!resolvedVpc) {
+            throw new Error(`InterfaceEndpointBuilder "${id}" requires a VPC. Call .vpc() with an IVpc or a Ref to one.`);
+        }
+        const { recommendedAlarms: alarmConfig, service, ...endpointProps } = this.props;
+        if (service === undefined) {
+            throw new Error(`InterfaceEndpointBuilder "${id}" requires a service. ` +
+                "Call .service() with an InterfaceVpcEndpointAwsService or a custom IInterfaceVpcEndpointService.");
+        }
+        const byo = this.#securityGroups;
+        if (byo !== undefined && this.#access.length > 0) {
+            throw new Error(`InterfaceEndpointBuilder "${id}": .allowDefaultPortFrom() applies only to the ` +
+                "auto-created security group and cannot be combined with .securityGroups() — " +
+                "add the ingress rule to your own SecurityGroupBuilder instead.");
+        }
+        let managedSecurityGroup;
+        let securityGroups;
+        if (byo !== undefined) {
+            securityGroups = byo.map((sg) => (0, core_1.resolve)(sg, context));
+        }
+        else {
+            managedSecurityGroup = (0, security_group_builder_js_1.createSecurityGroupBuilder)()
+                .vpc(resolvedVpc)
+                .description(`Interface endpoint ${id}`)
+                .build(scope, `${id}Sg`).securityGroup;
+            securityGroups = [managedSecurityGroup];
+        }
+        const endpoint = new aws_ec2_1.InterfaceVpcEndpoint(scope, id, {
+            ...interface_endpoint_defaults_js_1.INTERFACE_ENDPOINT_DEFAULTS,
+            ...endpointProps,
+            service,
+            vpc: resolvedVpc,
+            securityGroups,
+            // Always explicit: `open: true` would silently add a VPC-wide :443 rule.
+            open: false,
+        });
+        for (const rule of this.#access) {
+            endpoint.connections.allowDefaultPortFrom((0, core_1.resolve)(rule.peer, context), rule.description);
+        }
+        const alarms = (0, interface_endpoint_alarms_js_1.createInterfaceEndpointAlarms)(scope, id, endpoint, alarmConfig, this.#customAlarms);
+        return { endpoint, securityGroup: managedSecurityGroup, alarms };
+    }
+}
+/**
+ * Creates a new {@link IInterfaceEndpointBuilder} for a single VPC interface
+ * endpoint. The returned builder exposes every
+ * {@link InterfaceEndpointBuilderProps} property as a fluent setter/getter,
+ * plus `.vpc()`, `.securityGroups()` (BYO), and `.allowDefaultPortFrom()`
+ * (managed-SG shortcut).
+ */
+function createInterfaceEndpointBuilder() {
+    return (0, cloudformation_1.taggedBuilder)(InterfaceEndpointBuilder);
+}
+//# sourceMappingURL=interface-endpoint-builder.js.map

package/dist/commonjs/interface-endpoint-builder.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-builder.js","sourceRoot":"","sources":["../../src/interface-endpoint-builder.ts"],"names":[],"mappings":";;AA6PA,wEAIC;AAhQD,iDAO6B;AAE7B,6CAA0F;AAC1F,iEAAkF;AAClF,yDAAkE;AAClE,2EAAyE;AACzE,qFAA+E;AAE/E,iFAA+E;AA2F/E,MAAM,wBAAwB;IAC5B,KAAK,GAA2C,EAAE,CAAC;IAC1C,OAAO,GAAiB,EAAE,CAAC;IAC3B,aAAa,GAAmD,EAAE,CAAC;IAC5E,IAAI,CAAoB;IACxB,eAAe,CAAgC;IAE/C;;;OAGG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;OAQG;IACH,cAAc,CAAC,cAA4C;QACzD,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,oBAAoB,CAAC,IAA8B,EAAE,WAAoB;QACvE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CACN,GAAW,EACX,SAEiD;QAEjD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,mCAAsB,CAAuB,GAAG,CAAC,CAAC,CAAC,CAAC;QAC1F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAAgC;QAC3C,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,6DAA6D,CAC7F,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,aAAa,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QACjF,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,wBAAwB;gBACrD,kGAAkG,CACrG,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC;QACjC,IAAI,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,iDAAiD;gBAC9E,8EAA8E;gBAC9E,gEAAgE,CACnE,CAAC;QACJ,CAAC;QAED,IAAI,oBAA+C,CAAC;QACpD,IAAI,cAAgC,CAAC;QACrC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,cAAc,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAA,cAAO,EAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,oBAAoB,GAAG,IAAA,sDAA0B,GAAE;iBAChD,GAAG,CAAC,WAAW,CAAC;iBAChB,WAAW,CAAC,sBAAsB,EAAE,EAAE,CAAC;iBACvC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC;YACzC,cAAc,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,8BAAoB,CAAC,KAAK,EAAE,EAAE,EAAE;YACnD,GAAG,4DAA2B;YAC9B,GAAG,aAAa;YAChB,OAAO;YACP,GAAG,EAAE,WAAW;YAChB,cAAc;YACd,yEAAyE;YACzE,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QAEH,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,QAAQ,CAAC,WAAW,CAAC,oBAAoB,CAAC,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,4DAA6B,EAC1C,KAAK,EACL,EAAE,EACF,QAAQ,EACR,WAAW,EACX,IAAI,CAAC,aAAa,CACnB,CAAC;QAEF,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,EAAE,CAAC;IACnE,CAAC;CACF;AAED;;;;;;GAMG;AACH,SAAgB,8BAA8B;IAC5C,OAAO,IAAA,8BAAa,EAClB,wBAAwB,CACzB,CAAC;AACJ,CAAC"}

package/dist/commonjs/interface-endpoint-defaults.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { InterfaceVpcEndpointProps } from "aws-cdk-lib/aws-ec2";
+/**
+ * Secure, AWS-recommended defaults applied to every interface endpoint built
+ * with {@link createInterfaceEndpointBuilder}. Each property can be
+ * individually overridden via the builder's fluent API.
+ *
+ * Note `open` is intentionally *not* here: the builder always sets it to
+ * `false` (see the builder's `build()`). Allowing it through would silently
+ * add a VPC-wide rule to the managed security group behind the caller's back;
+ * ingress is always explicit — via `.allowDefaultPortFrom()` (managed SG) or
+ * the BYO `SecurityGroupBuilder`.
+ */
+export declare const INTERFACE_ENDPOINT_DEFAULTS: Partial<InterfaceVpcEndpointProps>;
+//# sourceMappingURL=interface-endpoint-defaults.d.ts.map

package/dist/commonjs/interface-endpoint-defaults.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-defaults.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAErE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,yBAAyB,CAW1E,CAAC"}

package/dist/commonjs/interface-endpoint-defaults.js ADDED Viewed

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.INTERFACE_ENDPOINT_DEFAULTS = void 0;
+/**
+ * Secure, AWS-recommended defaults applied to every interface endpoint built
+ * with {@link createInterfaceEndpointBuilder}. Each property can be
+ * individually overridden via the builder's fluent API.
+ *
+ * Note `open` is intentionally *not* here: the builder always sets it to
+ * `false` (see the builder's `build()`). Allowing it through would silently
+ * add a VPC-wide rule to the managed security group behind the caller's back;
+ * ingress is always explicit — via `.allowDefaultPortFrom()` (managed SG) or
+ * the BYO `SecurityGroupBuilder`.
+ */
+exports.INTERFACE_ENDPOINT_DEFAULTS = {
+    /**
+     * Private DNS enables `<service>.<region>.amazonaws.com` to resolve to the
+     * endpoint ENIs instead of the public service IP addresses, keeping traffic
+     * on the AWS network without requiring application-level changes. Disabled
+     * by default in raw CDK; always on here because every AWS-service use case
+     * requires it for transparent private access.
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_private_connectivity.html
+     */
+    privateDnsEnabled: true,
+};
+//# sourceMappingURL=interface-endpoint-defaults.js.map

package/dist/commonjs/interface-endpoint-defaults.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-defaults.js","sourceRoot":"","sources":["../../src/interface-endpoint-defaults.ts"],"names":[],"mappings":";;;AAEA;;;;;;;;;;GAUG;AACU,QAAA,2BAA2B,GAAuC;IAC7E;;;;;;;;OAQG;IACH,iBAAiB,EAAE,IAAI;CACxB,CAAC"}

package/dist/commonjs/security-group-builder.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;~~AAGlF~~;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;~~CAiD9B~~;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}
1	+ {"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAOlF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;CAwD9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/commonjs/security-group-builder.js CHANGED Viewed

@@ -5,6 +5,7 @@ const aws_ec2_1 = require("aws-cdk-lib/aws-ec2");
 const core_1 = require("@composurecdk/core");
 const cloudformation_1 = require("@composurecdk/cloudformation");
 const security_group_defaults_js_1 = require("./security-group-defaults.js");
+const security_group_constraints_js_1 = require("./security-group-constraints.js");
 class SecurityGroupBuilder {
     props = {};
     #peerRules = [];
@@ -96,6 +97,12 @@ class SecurityGroupBuilder {
             throw new Error(`SecurityGroupBuilder "${id}" requires a description. ` +
                 "Call .description() with a short summary of the SG's purpose.");
         }
+        // Fail at synth, at the authoring call site, instead of CREATE_FAILED at
+        // deploy time. The validators skip unresolved tokens (ADR-0010).
+        (0, security_group_constraints_js_1.validateSecurityGroupDescription)(this.props.description);
+        if (this.props.securityGroupName !== undefined) {
+            (0, security_group_constraints_js_1.validateSecurityGroupName)(this.props.securityGroupName);
+        }
         // Drop keys whose value is `undefined` so a fluent call like
         // `.allowAllOutbound(undefined)` (common in "optional override" code:
         // `b.allowAllOutbound(cfg?.allowAllOutbound)`) does not clobber the

package/dist/commonjs/security-group-builder.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":";;~~AAkQA~~,gEAEC;~~AApQD~~,iDAM6B;AAE7B,6CAA0F;AAC1F,iEAAkF;AAClF,6EAAuE;~~AA8FvE~~,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,oDAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,uBAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,0BAA0B;IACxC,OAAO,IAAA,8BAAa,EAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}
1	+ {"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":";;AA6QA,gEAEC;AA/QD,iDAM6B;AAE7B,6CAA0F;AAC1F,iEAAkF;AAClF,6EAAuE;AACvE,mFAGyC;AA8FzC,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,iBAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,IAAA,gEAAgC,EAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzD,IAAI,IAAI,CAAC,KAAK,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAC/C,IAAA,yDAAyB,EAAC,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAC1D,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,oDAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,uBAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,0BAA0B;IACxC,OAAO,IAAA,8BAAa,EAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}

package/dist/commonjs/security-group-constraints.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Validates an EC2 security group description. Unresolved CDK tokens are
+ * skipped — their value is resolved by CloudFormation and is not knowable at
+ * synth (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export declare function validateSecurityGroupDescription(raw: string): void;
+/**
+ * Validates an EC2 security group name. AWS additionally reserves the `sg-`
+ * prefix for generated group IDs, so a user-supplied name must not use it.
+ * Unresolved CDK tokens are skipped (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export declare function validateSecurityGroupName(raw: string): void;
+//# sourceMappingURL=security-group-constraints.d.ts.map

package/dist/commonjs/security-group-constraints.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"security-group-constraints.d.ts","sourceRoot":"","sources":["../../src/security-group-constraints.ts"],"names":[],"mappings":"AA2CA;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAGlE;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAQ3D"}

package/dist/commonjs/security-group-constraints.js ADDED Viewed

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateSecurityGroupDescription = validateSecurityGroupDescription;
+exports.validateSecurityGroupName = validateSecurityGroupName;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const cloudformation_1 = require("@composurecdk/cloudformation");
+/**
+ * AWS-property constraints for EC2 security groups.
+ *
+ * The catalogue mechanism (`stringConstraint` / `validateString`) lives in
+ * `@composurecdk/cloudformation`; this per-resource data lives next to the
+ * builder that enforces it. The trigger for the catalogue was an em-dash in a
+ * `GroupDescription` reaching CloudFormation and failing at CREATE_FAILED — a
+ * `validate*` call in `build()` turns that into a `cdk synth` error. See
+ * ADR-0010.
+ *
+ * The constraints themselves are module-private; the package exposes only the
+ * `validate*` functions (via the `constraints` namespace in the package index).
+ *
+ * `GroupDescription` and `GroupName` share the same EC2 character set, so they
+ * spread the same class fragments; the comma/bracket tail beyond the shared
+ * `charSets.AWS_NAME_PUNCT` spine is EC2-specific and stays local.
+ */
+const SG_TAIL = ",\\[\\]&;{}!$*";
+const SG_CHAR_CLASS = `${cloudformation_1.charSets.ALNUM}${cloudformation_1.charSets.AWS_NAME_PUNCT}${SG_TAIL}`;
+const SG_ALLOWED = "ASCII letters, digits, spaces and ._-:/()#,@[]+=&;{}!$*";
+const SG_SOURCE = "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html";
+const SECURITY_GROUP_DESCRIPTION = (0, cloudformation_1.stringConstraint)({
+    name: "EC2 SecurityGroup GroupDescription",
+    charClass: SG_CHAR_CLASS,
+    maxLength: 255,
+    allowed: SG_ALLOWED,
+    source: SG_SOURCE,
+});
+const SECURITY_GROUP_NAME = (0, cloudformation_1.stringConstraint)({
+    name: "EC2 SecurityGroup GroupName",
+    charClass: SG_CHAR_CLASS,
+    minLength: 1,
+    maxLength: 255,
+    allowed: SG_ALLOWED,
+    source: SG_SOURCE,
+});
+/**
+ * Validates an EC2 security group description. Unresolved CDK tokens are
+ * skipped — their value is resolved by CloudFormation and is not knowable at
+ * synth (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+function validateSecurityGroupDescription(raw) {
+    if (aws_cdk_lib_1.Token.isUnresolved(raw))
+        return;
+    (0, cloudformation_1.validateString)(raw, SECURITY_GROUP_DESCRIPTION);
+}
+/**
+ * Validates an EC2 security group name. AWS additionally reserves the `sg-`
+ * prefix for generated group IDs, so a user-supplied name must not use it.
+ * Unresolved CDK tokens are skipped (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+function validateSecurityGroupName(raw) {
+    if (aws_cdk_lib_1.Token.isUnresolved(raw))
+        return;
+    if (raw.startsWith("sg-")) {
+        throw new Error(`EC2 SecurityGroup GroupName "${raw}" must not start with the reserved "sg-" prefix. See ${SG_SOURCE}.`);
+    }
+    (0, cloudformation_1.validateString)(raw, SECURITY_GROUP_NAME);
+}
+//# sourceMappingURL=security-group-constraints.js.map

package/dist/commonjs/security-group-constraints.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-group-constraints.js","sourceRoot":"","sources":["../../src/security-group-constraints.ts"],"names":[],"mappings":";;AAkDA,4EAGC;AASD,8DAQC;AAtED,6CAAoC;AACpC,iEAA0F;AAE1F;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,GAAG,gBAAgB,CAAC;AACjC,MAAM,aAAa,GAAG,GAAG,yBAAQ,CAAC,KAAK,GAAG,yBAAQ,CAAC,cAAc,GAAG,OAAO,EAAE,CAAC;AAC9E,MAAM,UAAU,GAAG,yDAAyD,CAAC;AAC7E,MAAM,SAAS,GACb,qFAAqF,CAAC;AAExF,MAAM,0BAA0B,GAAG,IAAA,iCAAgB,EAAC;IAClD,IAAI,EAAE,oCAAoC;IAC1C,SAAS,EAAE,aAAa;IACxB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,SAAS;CAClB,CAAC,CAAC;AAEH,MAAM,mBAAmB,GAAG,IAAA,iCAAgB,EAAC;IAC3C,IAAI,EAAE,6BAA6B;IACnC,SAAS,EAAE,aAAa;IACxB,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,SAAS;CAClB,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,SAAgB,gCAAgC,CAAC,GAAW;IAC1D,IAAI,mBAAK,CAAC,YAAY,CAAC,GAAG,CAAC;QAAE,OAAO;IACpC,IAAA,+BAAc,EAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,yBAAyB,CAAC,GAAW;IACnD,IAAI,mBAAK,CAAC,YAAY,CAAC,GAAG,CAAC;QAAE,OAAO;IACpC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,wDAAwD,SAAS,GAAG,CACxG,CAAC;IACJ,CAAC;IACD,IAAA,+BAAc,EAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;AAC3C,CAAC"}

package/dist/commonjs/vpc-builder.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"vpc-builder.d.ts","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC7E,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAyB,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGlF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,GACtB,KAAK,GACL;IACE,gFAAgF;IAChF,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,gBAAgB,KAAK,gBAAgB,CAAC;CACvD,CAAC;AAEN;;;;;;GAMG;AACH,MAAM,WAAW,eAAgB,SAAQ,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;IACjE,wFAAwF;IACxF,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,GAAG,CAAC;IAET;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,QAAQ,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,WAAW,GAAG,cAAc,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;AAItE,cAAM,UAAW,YAAW,SAAS,CAAC,gBAAgB,CAAC;IACrD,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,CAAM;IAErC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,gBAAgB;~~CAgBvD~~;AA2CD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAE9C"}
1	+ {"version":3,"file":"vpc-builder.d.ts","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC7E,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAyB,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGlF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,GACtB,KAAK,GACL;IACE,gFAAgF;IAChF,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,gBAAgB,KAAK,gBAAgB,CAAC;CACvD,CAAC;AAEN;;;;;;GAMG;AACH,MAAM,WAAW,eAAgB,SAAQ,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;IACjE,wFAAwF;IACxF,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,GAAG,CAAC;IAET;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,QAAQ,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,WAAW,GAAG,cAAc,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;AAItE,cAAM,UAAW,YAAW,SAAS,CAAC,gBAAgB,CAAC;IACrD,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,CAAM;IAErC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,gBAAgB;CA8BvD;AA2CD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAE9C"}

package/dist/commonjs/vpc-builder.js CHANGED Viewed

@@ -11,11 +11,22 @@ class VpcBuilder {
     build(scope, id) {
         const { flowLogs: flowLogsConfig, ...vpcProps } = this.props;
         const { flowLogsLogGroup, flowLogProps } = resolveFlowLogs(scope, id, flowLogsConfig);
+        // CDK accepts `availabilityZones` or `maxAzs`, but not both. When the user
+        // pins AZs explicitly, the default `maxAzs` must yield to their intent;
+        // setting both is a genuine conflict and fails fast.
+        const userPinnedAzs = vpcProps.availabilityZones !== undefined;
+        if (userPinnedAzs && vpcProps.maxAzs !== undefined) {
+            throw new Error(`VpcBuilder "${id}": .availabilityZones() and .maxAzs() are mutually exclusive — ` +
+                `CDK accepts one or the other, not both.`);
+        }
         const mergedProps = {
             ...vpc_defaults_js_1.VPC_DEFAULTS,
             ...flowLogProps,
             ...vpcProps,
         };
+        if (userPinnedAzs) {
+            delete mergedProps.maxAzs;
+        }
         return {
             vpc: new aws_ec2_1.Vpc(scope, id, mergedProps),
             flowLogsLogGroup,

package/dist/commonjs/vpc-builder.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"vpc-builder.js","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":";;~~AAgLA~~,4CAEC;~~AAlLD~~,iDAA6E;AAI7E,iEAAkF;AAClF,6CAAkF;AAClF,uDAAiD;AAmFjD,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAE9C,MAAM,UAAU;IACd,KAAK,GAA6B,EAAE,CAAC;IAErC,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7D,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC,CAAC;QAEtF,MAAM,WAAW,GAAG;YAClB,GAAG,8BAAY;YACf,GAAG,YAAY;YACf,GAAG,QAAQ;SACZ,CAAC;~~QAEF~~,OAAO;YACL,GAAG,EAAE,IAAI,aAAG,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC;YACpC,gBAAgB;SACjB,CAAC;IACJ,CAAC;CACF;AAED,SAAS,eAAe,CACtB,KAAiB,EACjB,EAAU,EACV,GAA+B;IAE/B,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,GAAG,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,gEAAgE,CACnE,CAAC;QACJ,CAAC;QACD,OAAO;YACL,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,CAAC,oBAAoB,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,EAAE;aACvE;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,GAAG,IAAA,4BAAqB,GAAE,CAAC;IACzC,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;IAEnF,OAAO;QACL,gBAAgB;QAChB,YAAY,EAAE;YACZ,QAAQ,EAAE;gBACR,CAAC,oBAAoB,CAAC,EAAE;oBACtB,WAAW,EAAE,4BAAkB,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;iBACnE;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,IAAA,8BAAa,EAA8B,UAAU,CAAC,CAAC;AAChE,CAAC"}
1	+ {"version":3,"file":"vpc-builder.js","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":";;AA8LA,4CAEC;AAhMD,iDAA6E;AAI7E,iEAAkF;AAClF,6CAAkF;AAClF,uDAAiD;AAmFjD,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAE9C,MAAM,UAAU;IACd,KAAK,GAA6B,EAAE,CAAC;IAErC,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7D,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC,CAAC;QAEtF,2EAA2E;QAC3E,wEAAwE;QACxE,qDAAqD;QACrD,MAAM,aAAa,GAAG,QAAQ,CAAC,iBAAiB,KAAK,SAAS,CAAC;QAC/D,IAAI,aAAa,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,eAAe,EAAE,iEAAiE;gBAChF,yCAAyC,CAC5C,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,8BAAY;YACf,GAAG,YAAY;YACf,GAAG,QAAQ;SACZ,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,WAAW,CAAC,MAAM,CAAC;QAC5B,CAAC;QAED,OAAO;YACL,GAAG,EAAE,IAAI,aAAG,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC;YACpC,gBAAgB;SACjB,CAAC;IACJ,CAAC;CACF;AAED,SAAS,eAAe,CACtB,KAAiB,EACjB,EAAU,EACV,GAA+B;IAE/B,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,GAAG,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,gEAAgE,CACnE,CAAC;QACJ,CAAC;QACD,OAAO;YACL,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,CAAC,oBAAoB,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,EAAE;aACvE;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,GAAG,IAAA,4BAAqB,GAAE,CAAC;IACzC,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;IAEnF,OAAO;QACL,gBAAgB;QAChB,YAAY,EAAE;YACZ,QAAQ,EAAE;gBACR,CAAC,oBAAoB,CAAC,EAAE;oBACtB,WAAW,EAAE,4BAAkB,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;iBACnE;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,IAAA,8BAAa,EAA8B,UAAU,CAAC,CAAC;AAChE,CAAC"}

package/dist/esm/index.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { validateSecurityGroupDescription, validateSecurityGroupName } from "./security-group-constraints.js";
 export { createInstanceBuilder, type IInstanceBuilder, type InstanceBuilderProps, type InstanceBuilderResult, } from "./instance-builder.js";
 export { INSTANCE_DEFAULTS } from "./instance-defaults.js";
 export { type InstanceAlarmConfig } from "./instance-alarm-config.js";
@@ -13,4 +14,23 @@ export { createVpcBuilder, type FlowLogsConfig, type IVpcBuilder, type VpcBuilde
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
 export { createSecurityGroupBuilder, type ISecurityGroupBuilder, type SecurityGroupBuilderProps, type SecurityGroupBuilderResult, } from "./security-group-builder.js";
 export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
+export { createInterfaceEndpointBuilder, type IInterfaceEndpointBuilder, type InterfaceEndpointBuilderProps, type InterfaceEndpointBuilderResult, } from "./interface-endpoint-builder.js";
+export { INTERFACE_ENDPOINT_DEFAULTS } from "./interface-endpoint-defaults.js";
+export { type InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+export { INTERFACE_ENDPOINT_ALARM_DEFAULTS } from "./interface-endpoint-alarm-defaults.js";
+/**
+ * This package's AWS-property constraints, grouped by application strategy.
+ * The `constraints.validate.*` / `constraints.sanitize.*` shape is identical
+ * in every builder package, so it is discoverable without importing anything
+ * beyond the package you already use. The underlying constraint definitions and
+ * `validate*` functions stay module-private — this namespace is the only public
+ * surface for them. See ADR-0010.
+ */
+export declare const constraints: {
+    validate: {
+        securityGroupDescription: typeof validateSecurityGroupDescription;
+        securityGroupName: typeof validateSecurityGroupName;
+    };
+    sanitize: {};
+};
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"~~AAAA~~,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAChC,yBAAyB,EAC1B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,OAAO,EACL,8BAA8B,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,GACpC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,KAAK,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACzF,OAAO,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAE3F;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW;;;;;;CAMO,CAAC"}

package/dist/esm/index.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { validateSecurityGroupDescription, validateSecurityGroupName, } from "./security-group-constraints.js";
 export { createInstanceBuilder, } from "./instance-builder.js";
 export { INSTANCE_DEFAULTS } from "./instance-defaults.js";
 export { INSTANCE_ALARM_DEFAULTS } from "./instance-alarm-defaults.js";
@@ -9,4 +10,22 @@ export { createVpcBuilder, } from "./vpc-builder.js";
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
 export { createSecurityGroupBuilder, } from "./security-group-builder.js";
 export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
+export { createInterfaceEndpointBuilder, } from "./interface-endpoint-builder.js";
+export { INTERFACE_ENDPOINT_DEFAULTS } from "./interface-endpoint-defaults.js";
+export { INTERFACE_ENDPOINT_ALARM_DEFAULTS } from "./interface-endpoint-alarm-defaults.js";
+/**
+ * This package's AWS-property constraints, grouped by application strategy.
+ * The `constraints.validate.*` / `constraints.sanitize.*` shape is identical
+ * in every builder package, so it is discoverable without importing anything
+ * beyond the package you already use. The underlying constraint definitions and
+ * `validate*` functions stay module-private — this namespace is the only public
+ * surface for them. See ADR-0010.
+ */
+export const constraints = {
+    validate: {
+        securityGroupDescription: validateSecurityGroupDescription,
+        securityGroupName: validateSecurityGroupName,
+    },
+    sanitize: {},
+};
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"~~AAAA~~,OAAO,EACL,qBAAqB,GAItB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,GAIpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,GAKjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,GAI3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,qBAAqB,GAItB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,GAIpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,GAKjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,GAI3B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,OAAO,EACL,8BAA8B,GAI/B,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAE/E,OAAO,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAE3F;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,QAAQ,EAAE;QACR,wBAAwB,EAAE,gCAAgC;QAC1D,iBAAiB,EAAE,yBAAyB;KAC7C;IACD,QAAQ,EAAE,EAAE;CACiB,CAAC"}

package/dist/esm/interface-endpoint-alarm-config.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { AlarmConfig } from "@composurecdk/cloudwatch";
+/**
+ * Controls which recommended alarms are created for a VPC interface endpoint.
+ * All alarms are enabled by default with AWS-recommended thresholds.
+ * Set individual alarms to `false` to disable them, or provide an
+ * {@link AlarmConfig} to tune thresholds.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export interface InterfaceEndpointAlarmConfig {
+    /**
+     * Master switch: set to `false` to disable all recommended alarms.
+     * Individual alarms can also be disabled via their own entry.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Alarm when the endpoint drops packets, indicating the endpoint or
+     * endpoint service is unhealthy, a security group is blocking traffic,
+     * or packets are hitting the 8,500-byte PrivateLink MTU limit.
+     *
+     * Metric: `AWS/PrivateLinkEndpoints PacketsDropped`, statistic Sum,
+     * period 1 minute. Default threshold: > 0 over 5 consecutive 1-minute
+     * windows.
+     *
+     * If your workload intentionally sends packets larger than 8,500 bytes
+     * you may want to raise the threshold to reduce noise from expected MTU
+     * drops.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+     */
+    packetsDropped?: AlarmConfig | false;
+}
+//# sourceMappingURL=interface-endpoint-alarm-config.d.ts.map

package/dist/esm/interface-endpoint-alarm-config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-config.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D;;;;;;;GAOG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;;;;;;;;;;OAcG;IACH,cAAc,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC;CACtC"}

package/dist/esm/interface-endpoint-alarm-config.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=interface-endpoint-alarm-config.js.map

package/dist/esm/interface-endpoint-alarm-config.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-config.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-config.ts"],"names":[],"mappings":""}

package/dist/esm/interface-endpoint-alarm-defaults.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { AlarmConfigDefaults } from "@composurecdk/cloudwatch";
+interface InterfaceEndpointAlarmDefaults {
+    enabled: true;
+    packetsDropped: AlarmConfigDefaults;
+}
+/**
+ * AWS-recommended default alarm configuration for VPC interface endpoints.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export declare const INTERFACE_ENDPOINT_ALARM_DEFAULTS: InterfaceEndpointAlarmDefaults;
+export {};
+//# sourceMappingURL=interface-endpoint-alarm-defaults.d.ts.map

package/dist/esm/interface-endpoint-alarm-defaults.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-defaults.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAEpE,UAAU,8BAA8B;IACtC,OAAO,EAAE,IAAI,CAAC;IACd,cAAc,EAAE,mBAAmB,CAAC;CACrC;AAED;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,8BAkB/C,CAAC"}

package/dist/esm/interface-endpoint-alarm-defaults.js ADDED Viewed

@@ -0,0 +1,25 @@
+import { TreatMissingData } from "aws-cdk-lib/aws-cloudwatch";
+/**
+ * AWS-recommended default alarm configuration for VPC interface endpoints.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export const INTERFACE_ENDPOINT_ALARM_DEFAULTS = {
+    enabled: true,
+    /**
+     * Any sustained packet drop at the endpoint signals a connectivity or
+     * configuration problem — an unhealthy endpoint service, a security group
+     * blocking traffic, or jumbo frames exceeding the 8,500-byte PrivateLink
+     * MTU. Five consecutive 1-minute periods avoids false alarms from isolated
+     * oversized packets while still catching persistent issues quickly.
+     *
+     * @see https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-troubleshoot.html
+     */
+    packetsDropped: {
+        threshold: 0,
+        evaluationPeriods: 5,
+        datapointsToAlarm: 5,
+        treatMissingData: TreatMissingData.NOT_BREACHING,
+    },
+};
+//# sourceMappingURL=interface-endpoint-alarm-defaults.js.map

package/dist/esm/interface-endpoint-alarm-defaults.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-alarm-defaults.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAQ9D;;;;GAIG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAAmC;IAC/E,OAAO,EAAE,IAAI;IAEb;;;;;;;;OAQG;IACH,cAAc,EAAE;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,EAAE,CAAC;QACpB,gBAAgB,EAAE,gBAAgB,CAAC,aAAa;KACjD;CACF,CAAC"}

package/dist/esm/interface-endpoint-alarms.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import { type InterfaceVpcEndpoint } from "aws-cdk-lib/aws-ec2";
+import type { IConstruct } from "constructs";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+/**
+ * Creates AWS-recommended CloudWatch alarms for a VPC interface endpoint,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export declare function createInterfaceEndpointAlarms(scope: IConstruct, id: string, endpoint: InterfaceVpcEndpoint, config: InterfaceEndpointAlarmConfig | false | undefined, customAlarms?: AlarmDefinitionBuilder<InterfaceVpcEndpoint>[]): Record<string, Alarm>;
+//# sourceMappingURL=interface-endpoint-alarms.d.ts.map

package/dist/esm/interface-endpoint-alarms.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-alarms.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarms.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,KAAK,EAAqC,MAAM,4BAA4B,CAAC;AAC3F,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EAAE,sBAAsB,EAAoC,MAAM,0BAA0B,CAAC;AACpG,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AAsDzF;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,oBAAoB,EAC9B,MAAM,EAAE,4BAA4B,GAAG,KAAK,GAAG,SAAS,EACxD,YAAY,GAAE,sBAAsB,CAAC,oBAAoB,CAAC,EAAO,GAChE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAUvB"}

package/dist/esm/interface-endpoint-alarms.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { Duration } from "aws-cdk-lib";
+import { ComparisonOperator, Metric, Stats } from "aws-cdk-lib/aws-cloudwatch";
+import { createAlarms, resolveAlarmConfig } from "@composurecdk/cloudwatch";
+import { INTERFACE_ENDPOINT_ALARM_DEFAULTS } from "./interface-endpoint-alarm-defaults.js";
+const PACKETS_DROPPED_PERIOD = Duration.minutes(1);
+const PACKETS_DROPPED_PERIOD_LABEL = `${String(PACKETS_DROPPED_PERIOD.toMinutes())} minute`;
+function endpointMetric(endpoint, metricName, statistic, period) {
+    return new Metric({
+        namespace: "AWS/PrivateLinkEndpoints",
+        metricName,
+        dimensionsMap: { "VPC Endpoint Id": endpoint.vpcEndpointId },
+        statistic,
+        period,
+    });
+}
+function resolveEndpointAlarmDefinitions(endpoint, config) {
+    if (config?.enabled === false)
+        return [];
+    const definitions = [];
+    if (config?.packetsDropped !== false) {
+        const cfg = resolveAlarmConfig(config?.packetsDropped, INTERFACE_ENDPOINT_ALARM_DEFAULTS.packetsDropped);
+        definitions.push({
+            key: "packetsDropped",
+            alarmName: cfg.alarmName,
+            metric: endpointMetric(endpoint, "PacketsDropped", Stats.SUM, PACKETS_DROPPED_PERIOD),
+            threshold: cfg.threshold,
+            comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+            evaluationPeriods: cfg.evaluationPeriods,
+            datapointsToAlarm: cfg.datapointsToAlarm,
+            treatMissingData: cfg.treatMissingData,
+            description: `VPC interface endpoint is dropping packets — possible endpoint service unhealthy, ` +
+                `security group blocking traffic, or packets exceeding the 8,500-byte PrivateLink MTU. ` +
+                `Threshold: > ${String(cfg.threshold)} (sum) over ` +
+                `${String(cfg.evaluationPeriods)} x ${PACKETS_DROPPED_PERIOD_LABEL}.`,
+        });
+    }
+    return definitions;
+}
+/**
+ * Creates AWS-recommended CloudWatch alarms for a VPC interface endpoint,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export function createInterfaceEndpointAlarms(scope, id, endpoint, config, customAlarms = []) {
+    if (config === false)
+        return {};
+    const enabled = config?.enabled ?? INTERFACE_ENDPOINT_ALARM_DEFAULTS.enabled;
+    if (!enabled)
+        return {};
+    const recommended = resolveEndpointAlarmDefinitions(endpoint, config);
+    const custom = customAlarms.map((b) => b.resolve(endpoint));
+    return createAlarms(scope, id, [...recommended, ...custom]);
+}
+//# sourceMappingURL=interface-endpoint-alarms.js.map