@composurecdk/ec2 0.8.3 → 0.8.5

package/dist/esm/interface-endpoint-alarms.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface-endpoint-alarms.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarms.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAc,kBAAkB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAC;AAI3F,OAAO,EAA0B,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAEpG,OAAO,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAE3F,MAAM,sBAAsB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACnD,MAAM,4BAA4B,GAAG,GAAG,MAAM,CAAC,sBAAsB,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC;AAE5F,SAAS,cAAc,CACrB,QAA8B,EAC9B,UAAkB,EAClB,SAAiB,EACjB,MAAgB;IAEhB,OAAO,IAAI,MAAM,CAAC;QAChB,SAAS,EAAE,0BAA0B;QACrC,UAAU;QACV,aAAa,EAAE,EAAE,iBAAiB,EAAE,QAAQ,CAAC,aAAa,EAAE;QAC5D,SAAS;QACT,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,SAAS,+BAA+B,CACtC,QAA8B,EAC9B,MAAgD;IAEhD,IAAI,MAAM,EAAE,OAAO,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAsB,EAAE,CAAC;IAE1C,IAAI,MAAM,EAAE,cAAc,KAAK,KAAK,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,kBAAkB,CAC5B,MAAM,EAAE,cAAc,EACtB,iCAAiC,CAAC,cAAc,CACjD,CAAC;QACF,WAAW,CAAC,IAAI,CAAC;YACf,GAAG,EAAE,gBAAgB;YACrB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,MAAM,EAAE,cAAc,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,CAAC,GAAG,EAAE,sBAAsB,CAAC;YACrF,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,kBAAkB,EAAE,kBAAkB,CAAC,sBAAsB;YAC7D,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;YACtC,WAAW,EACT,oFAAoF;gBACpF,wFAAwF;gBACxF,gBAAgB,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc;gBACnD,GAAG,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,MAAM,4BAA4B,GAAG;SACxE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,6BAA6B,CAC3C,KAAiB,EACjB,EAAU,EACV,QAA8B,EAC9B,MAAwD,EACxD,eAA+D,EAAE;IAEjE,IAAI,MAAM,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,iCAAiC,CAAC,OAAO,CAAC;IAC7E,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE5D,OAAO,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;AAC9D,CAAC"}

package/dist/esm/interface-endpoint-builder.d.ts

@@ -0,0 +1,135 @@
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import { InterfaceVpcEndpoint, type IConnectable, type InterfaceVpcEndpointProps, type ISecurityGroup, type IVpc, type SecurityGroup } from "aws-cdk-lib/aws-ec2";
+import { type IConstruct } from "constructs";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+/**
+ * Configuration properties for the interface-endpoint builder.
+ *
+ * Lifts three CDK props off the props object:
+ * - `vpc` — supplied via {@link IInterfaceEndpointBuilder.vpc | .vpc()} so it
+ *   can accept a {@link Resolvable} for cross-component wiring.
+ * - `securityGroups` — supplied via
+ *   {@link IInterfaceEndpointBuilder.securityGroups | .securityGroups()} so
+ *   each can be a {@link Resolvable} (typically a sibling
+ *   `SecurityGroupBuilder`).
+ * - `open` — always `false`; ingress is explicit (see the builder docs).
+ */
+export interface InterfaceEndpointBuilderProps extends Omit<InterfaceVpcEndpointProps, "vpc" | "securityGroups" | "open"> {
+    /**
+     * Configuration for AWS-recommended CloudWatch alarms.
+     *
+     * By default, the builder creates recommended alarms with sensible
+     * thresholds. Individual alarms can be customized or disabled. Set to
+     * `false` to disable all alarms.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+     */
+    recommendedAlarms?: InterfaceEndpointAlarmConfig | false;
+}
+/**
+ * The build output of an {@link IInterfaceEndpointBuilder}.
+ *
+ * `securityGroup` is present only in **managed mode** — i.e. when the caller
+ * did *not* supply `.securityGroups(...)`, so the builder auto-created one. It
+ * is exposed for cases where sibling builders need to reference the
+ * auto-created SG directly. In **BYO mode** it is `undefined`: the caller
+ * already holds refs to the security groups they passed in.
+ */
+export interface InterfaceEndpointBuilderResult {
+    endpoint: InterfaceVpcEndpoint;
+    securityGroup?: SecurityGroup;
+    alarms: Record<string, Alarm>;
+}
+/**
+ * A fluent builder for a single VPC interface endpoint (AWS PrivateLink).
+ *
+ * Unlike raw CDK — where interface endpoints exist only as a post-build
+ * `vpc.addInterfaceEndpoint(...)` call whose security group is never exposed —
+ * this builder is a first-class {@link compose} component. It maps 1:1 to a
+ * CDK `InterfaceVpcEndpoint` (one `service` per endpoint); group several into
+ * one access policy by pointing them at the same security group.
+ *
+ * **Security group, two modes:**
+ * - *BYO* — call {@link IInterfaceEndpointBuilder.securityGroups | .securityGroups([...])}
+ *   with security groups you fully manage (typically sibling
+ *   `SecurityGroupBuilder`s). Full ingress/egress/port control; the builder
+ *   creates no SG and `securityGroup` is absent from the result.
+ * - *Managed shortcut* — omit `.securityGroups()` and the builder auto-creates
+ *   a closed SG, exposes it on the result, and for each peer you pass to
+ *   {@link IInterfaceEndpointBuilder.allowDefaultPortFrom} it opens ingress on
+ *   the managed SG **and** egress on the peer's SG — matching exactly what CDK's
+ *   `connections.allowDefaultPortFrom(...)` does bidirectionally.
+ *
+ * The two are mutually exclusive — combining BYO `.securityGroups()` with
+ * `.allowDefaultPortFrom()` throws, since the rule would have nowhere it
+ * could be applied that the caller isn't already managing.
+ *
+ * @see https://docs.aws.amazon.com/vpc/latest/privatelink/
+ *
+ * @example Managed shortcut (the SSM-from-bastion common case)
+ * ```ts
+ * createInterfaceEndpointBuilder()
+ *   .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *   .service(InterfaceVpcEndpointAwsService.SSM)
+ *   .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+ *   .allowDefaultPortFrom(ref<SecurityGroupBuilderResult>("bastionSg").get("securityGroup"));
+ * // result = { endpoint, securityGroup }
+ * ```
+ */
+export type IInterfaceEndpointBuilder = ITaggedBuilder<InterfaceEndpointBuilderProps, InterfaceEndpointBuilder>;
+declare class InterfaceEndpointBuilder implements Lifecycle<InterfaceEndpointBuilderResult> {
+    #private;
+    props: Partial<InterfaceEndpointBuilderProps>;
+    /**
+     * Sets the VPC the endpoint is created in. Accepts a concrete {@link IVpc}
+     * or a {@link Ref} to a sibling {@link IVpcBuilder}.
+     */
+    vpc(vpc: Resolvable<IVpc>): this;
+    /**
+     * Bring-your-own security groups. Each entry is a {@link Resolvable}, so it
+     * can be a concrete {@link ISecurityGroup} or a {@link Ref} to a sibling
+     * `SecurityGroupBuilder` — giving you full ingress/egress/port control. When
+     * set, the builder creates no security group of its own and
+     * {@link InterfaceEndpointBuilderResult.securityGroup} is `undefined`.
+     *
+     * Mutually exclusive with {@link allowDefaultPortFrom}.
+     */
+    securityGroups(securityGroups: Resolvable<ISecurityGroup>[]): this;
+    /**
+     * Managed-SG shortcut: wires `peer` to the auto-created security group via
+     * CDK's `endpoint.connections.allowDefaultPortFrom(peer)` — opening ingress
+     * on the managed SG from `peer`'s SG **and** egress from `peer`'s SG to the
+     * managed SG, on the service's default port (443 for AWS services).
+     *
+     * Because this delegates to CDK connections, `peer` must be an
+     * {@link IConnectable} (e.g. a `SecurityGroup` or `Instance`), not a raw
+     * `IPeer` (e.g. `Peer.ipv4(...)`). For CIDR-based rules use BYO mode with
+     * an explicit `addIngressRule` on your own {@link SecurityGroupBuilder}.
+     *
+     * Mutually exclusive with {@link securityGroups}.
+     */
+    allowDefaultPortFrom(peer: Resolvable<IConnectable>, description?: string): this;
+    /**
+     * Adds a custom CloudWatch alarm alongside the recommended ones. The
+     * callback receives an {@link AlarmDefinitionBuilder} typed to the
+     * `InterfaceVpcEndpoint` construct, giving access to the endpoint at
+     * build time for metric dimension wiring.
+     */
+    addAlarm(key: string, configure: (alarm: AlarmDefinitionBuilder<InterfaceVpcEndpoint>) => AlarmDefinitionBuilder<InterfaceVpcEndpoint>): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: InterfaceEndpointBuilder): void;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): InterfaceEndpointBuilderResult;
+}
+/**
+ * Creates a new {@link IInterfaceEndpointBuilder} for a single VPC interface
+ * endpoint. The returned builder exposes every
+ * {@link InterfaceEndpointBuilderProps} property as a fluent setter/getter,
+ * plus `.vpc()`, `.securityGroups()` (BYO), and `.allowDefaultPortFrom()`
+ * (managed-SG shortcut).
+ */
+export declare function createInterfaceEndpointBuilder(): IInterfaceEndpointBuilder;
+export {};
+//# sourceMappingURL=interface-endpoint-builder.d.ts.map

package/dist/esm/interface-endpoint-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface-endpoint-builder.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EACL,oBAAoB,EACpB,KAAK,YAAY,EACjB,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,IAAI,EACT,KAAK,aAAa,EACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAGlE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AAGzF;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,6BAA8B,SAAQ,IAAI,CACzD,yBAAyB,EACzB,KAAK,GAAG,gBAAgB,GAAG,MAAM,CAClC;IACC;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,4BAA4B,GAAG,KAAK,CAAC;CAC1D;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAC/B;AAOD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,MAAM,yBAAyB,GAAG,cAAc,CACpD,6BAA6B,EAC7B,wBAAwB,CACzB,CAAC;AAEF,cAAM,wBAAyB,YAAW,SAAS,CAAC,8BAA8B,CAAC;;IACjF,KAAK,EAAE,OAAO,CAAC,6BAA6B,CAAC,CAAM;IAMnD;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;OAQG;IACH,cAAc,CAAC,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,GAAG,IAAI;IAKlE;;;;;;;;;;;;OAYG;IACH,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,YAAY,CAAC,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAKhF;;;;;OAKG;IACH,QAAQ,CACN,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,CACT,KAAK,EAAE,sBAAsB,CAAC,oBAAoB,CAAC,KAChD,sBAAsB,CAAC,oBAAoB,CAAC,GAChD,IAAI;IAKP,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,wBAAwB,GAAG,IAAI;IAOpD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,8BAA8B;CA6DlC;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,IAAI,yBAAyB,CAI1E"}

package/dist/esm/interface-endpoint-builder.js

@@ -0,0 +1,123 @@
+import { InterfaceVpcEndpoint, } from "aws-cdk-lib/aws-ec2";
+import { COPY_STATE, resolve } from "@composurecdk/core";
+import { taggedBuilder } from "@composurecdk/cloudformation";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import { createSecurityGroupBuilder } from "./security-group-builder.js";
+import { INTERFACE_ENDPOINT_DEFAULTS } from "./interface-endpoint-defaults.js";
+import { createInterfaceEndpointAlarms } from "./interface-endpoint-alarms.js";
+class InterfaceEndpointBuilder {
+    props = {};
+    #access = [];
+    #customAlarms = [];
+    #vpc;
+    #securityGroups;
+    /**
+     * Sets the VPC the endpoint is created in. Accepts a concrete {@link IVpc}
+     * or a {@link Ref} to a sibling {@link IVpcBuilder}.
+     */
+    vpc(vpc) {
+        this.#vpc = vpc;
+        return this;
+    }
+    /**
+     * Bring-your-own security groups. Each entry is a {@link Resolvable}, so it
+     * can be a concrete {@link ISecurityGroup} or a {@link Ref} to a sibling
+     * `SecurityGroupBuilder` — giving you full ingress/egress/port control. When
+     * set, the builder creates no security group of its own and
+     * {@link InterfaceEndpointBuilderResult.securityGroup} is `undefined`.
+     *
+     * Mutually exclusive with {@link allowDefaultPortFrom}.
+     */
+    securityGroups(securityGroups) {
+        this.#securityGroups = securityGroups;
+        return this;
+    }
+    /**
+     * Managed-SG shortcut: wires `peer` to the auto-created security group via
+     * CDK's `endpoint.connections.allowDefaultPortFrom(peer)` — opening ingress
+     * on the managed SG from `peer`'s SG **and** egress from `peer`'s SG to the
+     * managed SG, on the service's default port (443 for AWS services).
+     *
+     * Because this delegates to CDK connections, `peer` must be an
+     * {@link IConnectable} (e.g. a `SecurityGroup` or `Instance`), not a raw
+     * `IPeer` (e.g. `Peer.ipv4(...)`). For CIDR-based rules use BYO mode with
+     * an explicit `addIngressRule` on your own {@link SecurityGroupBuilder}.
+     *
+     * Mutually exclusive with {@link securityGroups}.
+     */
+    allowDefaultPortFrom(peer, description) {
+        this.#access.push({ peer, description });
+        return this;
+    }
+    /**
+     * Adds a custom CloudWatch alarm alongside the recommended ones. The
+     * callback receives an {@link AlarmDefinitionBuilder} typed to the
+     * `InterfaceVpcEndpoint` construct, giving access to the endpoint at
+     * build time for metric dimension wiring.
+     */
+    addAlarm(key, configure) {
+        this.#customAlarms.push(configure(new AlarmDefinitionBuilder(key)));
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target) {
+        target.#vpc = this.#vpc;
+        target.#securityGroups = this.#securityGroups ? [...this.#securityGroups] : undefined;
+        target.#access.push(...this.#access);
+        target.#customAlarms.push(...this.#customAlarms);
+    }
+    build(scope, id, context) {
+        const resolvedVpc = this.#vpc ? resolve(this.#vpc, context) : undefined;
+        if (!resolvedVpc) {
+            throw new Error(`InterfaceEndpointBuilder "${id}" requires a VPC. Call .vpc() with an IVpc or a Ref to one.`);
+        }
+        const { recommendedAlarms: alarmConfig, service, ...endpointProps } = this.props;
+        if (service === undefined) {
+            throw new Error(`InterfaceEndpointBuilder "${id}" requires a service. ` +
+                "Call .service() with an InterfaceVpcEndpointAwsService or a custom IInterfaceVpcEndpointService.");
+        }
+        const byo = this.#securityGroups;
+        if (byo !== undefined && this.#access.length > 0) {
+            throw new Error(`InterfaceEndpointBuilder "${id}": .allowDefaultPortFrom() applies only to the ` +
+                "auto-created security group and cannot be combined with .securityGroups() — " +
+                "add the ingress rule to your own SecurityGroupBuilder instead.");
+        }
+        let managedSecurityGroup;
+        let securityGroups;
+        if (byo !== undefined) {
+            securityGroups = byo.map((sg) => resolve(sg, context));
+        }
+        else {
+            managedSecurityGroup = createSecurityGroupBuilder()
+                .vpc(resolvedVpc)
+                .description(`Interface endpoint ${id}`)
+                .build(scope, `${id}Sg`).securityGroup;
+            securityGroups = [managedSecurityGroup];
+        }
+        const endpoint = new InterfaceVpcEndpoint(scope, id, {
+            ...INTERFACE_ENDPOINT_DEFAULTS,
+            ...endpointProps,
+            service,
+            vpc: resolvedVpc,
+            securityGroups,
+            // Always explicit: `open: true` would silently add a VPC-wide :443 rule.
+            open: false,
+        });
+        for (const rule of this.#access) {
+            endpoint.connections.allowDefaultPortFrom(resolve(rule.peer, context), rule.description);
+        }
+        const alarms = createInterfaceEndpointAlarms(scope, id, endpoint, alarmConfig, this.#customAlarms);
+        return { endpoint, securityGroup: managedSecurityGroup, alarms };
+    }
+}
+/**
+ * Creates a new {@link IInterfaceEndpointBuilder} for a single VPC interface
+ * endpoint. The returned builder exposes every
+ * {@link InterfaceEndpointBuilderProps} property as a fluent setter/getter,
+ * plus `.vpc()`, `.securityGroups()` (BYO), and `.allowDefaultPortFrom()`
+ * (managed-SG shortcut).
+ */
+export function createInterfaceEndpointBuilder() {
+    return taggedBuilder(InterfaceEndpointBuilder);
+}
+//# sourceMappingURL=interface-endpoint-builder.js.map

package/dist/esm/interface-endpoint-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface-endpoint-builder.js","sourceRoot":"","sources":["../../src/interface-endpoint-builder.ts"],"names":[],"mappings":"AACA,OAAO,EACL,oBAAoB,GAMrB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAE/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,gCAAgC,CAAC;AA2F/E,MAAM,wBAAwB;IAC5B,KAAK,GAA2C,EAAE,CAAC;IAC1C,OAAO,GAAiB,EAAE,CAAC;IAC3B,aAAa,GAAmD,EAAE,CAAC;IAC5E,IAAI,CAAoB;IACxB,eAAe,CAAgC;IAE/C;;;OAGG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;OAQG;IACH,cAAc,CAAC,cAA4C;QACzD,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,oBAAoB,CAAC,IAA8B,EAAE,WAAoB;QACvE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CACN,GAAW,EACX,SAEiD;QAEjD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAuB,GAAG,CAAC,CAAC,CAAC,CAAC;QAC1F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAgC;QAC3C,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,6DAA6D,CAC7F,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,aAAa,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QACjF,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,wBAAwB;gBACrD,kGAAkG,CACrG,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC;QACjC,IAAI,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACb,6BAA6B,EAAE,iDAAiD;gBAC9E,8EAA8E;gBAC9E,gEAAgE,CACnE,CAAC;QACJ,CAAC;QAED,IAAI,oBAA+C,CAAC;QACpD,IAAI,cAAgC,CAAC;QACrC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,cAAc,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,oBAAoB,GAAG,0BAA0B,EAAE;iBAChD,GAAG,CAAC,WAAW,CAAC;iBAChB,WAAW,CAAC,sBAAsB,EAAE,EAAE,CAAC;iBACvC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC;YACzC,cAAc,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,oBAAoB,CAAC,KAAK,EAAE,EAAE,EAAE;YACnD,GAAG,2BAA2B;YAC9B,GAAG,aAAa;YAChB,OAAO;YACP,GAAG,EAAE,WAAW;YAChB,cAAc;YACd,yEAAyE;YACzE,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;QAEH,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,QAAQ,CAAC,WAAW,CAAC,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,MAAM,GAAG,6BAA6B,CAC1C,KAAK,EACL,EAAE,EACF,QAAQ,EACR,WAAW,EACX,IAAI,CAAC,aAAa,CACnB,CAAC;QAEF,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,EAAE,CAAC;IACnE,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,8BAA8B;IAC5C,OAAO,aAAa,CAClB,wBAAwB,CACzB,CAAC;AACJ,CAAC"}

package/dist/esm/interface-endpoint-defaults.d.ts

@@ -0,0 +1,14 @@
+import type { InterfaceVpcEndpointProps } from "aws-cdk-lib/aws-ec2";
+/**
+ * Secure, AWS-recommended defaults applied to every interface endpoint built
+ * with {@link createInterfaceEndpointBuilder}. Each property can be
+ * individually overridden via the builder's fluent API.
+ *
+ * Note `open` is intentionally *not* here: the builder always sets it to
+ * `false` (see the builder's `build()`). Allowing it through would silently
+ * add a VPC-wide rule to the managed security group behind the caller's back;
+ * ingress is always explicit — via `.allowDefaultPortFrom()` (managed SG) or
+ * the BYO `SecurityGroupBuilder`.
+ */
+export declare const INTERFACE_ENDPOINT_DEFAULTS: Partial<InterfaceVpcEndpointProps>;
+//# sourceMappingURL=interface-endpoint-defaults.d.ts.map

package/dist/esm/interface-endpoint-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface-endpoint-defaults.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAErE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B,EAAE,OAAO,CAAC,yBAAyB,CAW1E,CAAC"}

package/dist/esm/interface-endpoint-defaults.js

@@ -0,0 +1,24 @@
+/**
+ * Secure, AWS-recommended defaults applied to every interface endpoint built
+ * with {@link createInterfaceEndpointBuilder}. Each property can be
+ * individually overridden via the builder's fluent API.
+ *
+ * Note `open` is intentionally *not* here: the builder always sets it to
+ * `false` (see the builder's `build()`). Allowing it through would silently
+ * add a VPC-wide rule to the managed security group behind the caller's back;
+ * ingress is always explicit — via `.allowDefaultPortFrom()` (managed SG) or
+ * the BYO `SecurityGroupBuilder`.
+ */
+export const INTERFACE_ENDPOINT_DEFAULTS = {
+    /**
+     * Private DNS enables `<service>.<region>.amazonaws.com` to resolve to the
+     * endpoint ENIs instead of the public service IP addresses, keeping traffic
+     * on the AWS network without requiring application-level changes. Disabled
+     * by default in raw CDK; always on here because every AWS-service use case
+     * requires it for transparent private access.
+     *
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_network_protection_private_connectivity.html
+     */
+    privateDnsEnabled: true,
+};
+//# sourceMappingURL=interface-endpoint-defaults.js.map

package/dist/esm/interface-endpoint-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface-endpoint-defaults.js","sourceRoot":"","sources":["../../src/interface-endpoint-defaults.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAuC;IAC7E;;;;;;;;OAQG;IACH,iBAAiB,EAAE,IAAI;CACxB,CAAC"}

package/dist/esm/security-group-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAGlF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;CAiD9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}
+{"version":3,"file":"security-group-builder.d.ts","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,KAAK,EACV,KAAK,IAAI,EACT,KAAK,IAAI,EACT,aAAa,EACb,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAOlF;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,0BAA0B;IACzC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAcD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,CAAC,yBAAyB,EAAE,oBAAoB,CAAC,CAAC;AAEpG,cAAM,oBAAqB,YAAW,SAAS,CAAC,0BAA0B,CAAC;;IACzE,KAAK,EAAE,OAAO,CAAC,yBAAyB,CAAC,CAAM;IAK/C;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU/E;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAU9E;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAQtD,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,oBAAoB,GAAG,IAAI;IAMhD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,0BAA0B;CAwD9B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,0BAA0B,IAAI,qBAAqB,CAElE"}

package/dist/esm/security-group-builder.js

@@ -2,6 +2,7 @@ import { SecurityGroup, } from "aws-cdk-lib/aws-ec2";
 import { COPY_STATE, resolve } from "@composurecdk/core";
 import { taggedBuilder } from "@composurecdk/cloudformation";
 import { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
+import { validateSecurityGroupDescription, validateSecurityGroupName, } from "./security-group-constraints.js";
 class SecurityGroupBuilder {
     props = {};
     #peerRules = [];
@@ -93,6 +94,12 @@ class SecurityGroupBuilder {
             throw new Error(`SecurityGroupBuilder "${id}" requires a description. ` +
                 "Call .description() with a short summary of the SG's purpose.");
         }
+        // Fail at synth, at the authoring call site, instead of CREATE_FAILED at
+        // deploy time. The validators skip unresolved tokens (ADR-0010).
+        validateSecurityGroupDescription(this.props.description);
+        if (this.props.securityGroupName !== undefined) {
+            validateSecurityGroupName(this.props.securityGroupName);
+        }
         // Drop keys whose value is `undefined` so a fluent call like
         // `.allowAllOutbound(undefined)` (common in "optional override" code:
         // `b.allowAllOutbound(cfg?.allowAllOutbound)`) does not clobber the

package/dist/esm/security-group-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,aAAa,GAEd,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AA8FvE,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,uBAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,aAAa,CAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}
+{"version":3,"file":"security-group-builder.js","sourceRoot":"","sources":["../../src/security-group-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,aAAa,GAEd,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EACL,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,iCAAiC,CAAC;AA8FzC,MAAM,oBAAoB;IACxB,KAAK,GAAuC,EAAE,CAAC;IACtC,UAAU,GAAmB,EAAE,CAAC;IAChC,YAAY,GAAsB,EAAE,CAAC;IAC9C,IAAI,CAAoB;IAExB;;;;;;;;;OASG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACtE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,SAAS;YACpB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa,CAAC,IAAuB,EAAE,IAAU,EAAE,WAAoB;QACrE,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,QAAQ;YACnB,IAAI;YACJ,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;OAUG;IACH,cAAc,CAAC,IAAU,EAAE,WAAoB;QAC7C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,IAAI;YACJ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAA4B;QACvC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CACH,KAAiB,EACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,oBAAoB;gBAC7C,2CAA2C,CAC9C,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CACb,yBAAyB,EAAE,4BAA4B;gBACrD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,gCAAgC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzD,IAAI,IAAI,CAAC,KAAK,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAC/C,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAC1D,CAAC;QAED,6DAA6D;QAC7D,sEAAsE;QACtE,oEAAoE;QACpE,mDAAmD;QACnD,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAwC,EAAE,CAAC;YACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACvB,SAAqC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,uBAAuB;YAC1B,GAAG,SAAS;YACZ,GAAG,EAAE,WAAW;SACK,CAAC;QAExB,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAEhE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACjC,aAAa,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACrC,aAAa,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,aAAa,EAAE,CAAC;IAC3B,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,aAAa,CAAkD,oBAAoB,CAAC,CAAC;AAC9F,CAAC"}

package/dist/esm/security-group-constraints.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Validates an EC2 security group description. Unresolved CDK tokens are
+ * skipped — their value is resolved by CloudFormation and is not knowable at
+ * synth (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export declare function validateSecurityGroupDescription(raw: string): void;
+/**
+ * Validates an EC2 security group name. AWS additionally reserves the `sg-`
+ * prefix for generated group IDs, so a user-supplied name must not use it.
+ * Unresolved CDK tokens are skipped (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export declare function validateSecurityGroupName(raw: string): void;
+//# sourceMappingURL=security-group-constraints.d.ts.map

package/dist/esm/security-group-constraints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-constraints.d.ts","sourceRoot":"","sources":["../../src/security-group-constraints.ts"],"names":[],"mappings":"AA2CA;;;;;;GAMG;AACH,wBAAgB,gCAAgC,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAGlE;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAQ3D"}

package/dist/esm/security-group-constraints.js

@@ -0,0 +1,66 @@
+import { Token } from "aws-cdk-lib";
+import { charSets, stringConstraint, validateString } from "@composurecdk/cloudformation";
+/**
+ * AWS-property constraints for EC2 security groups.
+ *
+ * The catalogue mechanism (`stringConstraint` / `validateString`) lives in
+ * `@composurecdk/cloudformation`; this per-resource data lives next to the
+ * builder that enforces it. The trigger for the catalogue was an em-dash in a
+ * `GroupDescription` reaching CloudFormation and failing at CREATE_FAILED — a
+ * `validate*` call in `build()` turns that into a `cdk synth` error. See
+ * ADR-0010.
+ *
+ * The constraints themselves are module-private; the package exposes only the
+ * `validate*` functions (via the `constraints` namespace in the package index).
+ *
+ * `GroupDescription` and `GroupName` share the same EC2 character set, so they
+ * spread the same class fragments; the comma/bracket tail beyond the shared
+ * `charSets.AWS_NAME_PUNCT` spine is EC2-specific and stays local.
+ */
+const SG_TAIL = ",\\[\\]&;{}!$*";
+const SG_CHAR_CLASS = `${charSets.ALNUM}${charSets.AWS_NAME_PUNCT}${SG_TAIL}`;
+const SG_ALLOWED = "ASCII letters, digits, spaces and ._-:/()#,@[]+=&;{}!$*";
+const SG_SOURCE = "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html";
+const SECURITY_GROUP_DESCRIPTION = stringConstraint({
+    name: "EC2 SecurityGroup GroupDescription",
+    charClass: SG_CHAR_CLASS,
+    maxLength: 255,
+    allowed: SG_ALLOWED,
+    source: SG_SOURCE,
+});
+const SECURITY_GROUP_NAME = stringConstraint({
+    name: "EC2 SecurityGroup GroupName",
+    charClass: SG_CHAR_CLASS,
+    minLength: 1,
+    maxLength: 255,
+    allowed: SG_ALLOWED,
+    source: SG_SOURCE,
+});
+/**
+ * Validates an EC2 security group description. Unresolved CDK tokens are
+ * skipped — their value is resolved by CloudFormation and is not knowable at
+ * synth (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export function validateSecurityGroupDescription(raw) {
+    if (Token.isUnresolved(raw))
+        return;
+    validateString(raw, SECURITY_GROUP_DESCRIPTION);
+}
+/**
+ * Validates an EC2 security group name. AWS additionally reserves the `sg-`
+ * prefix for generated group IDs, so a user-supplied name must not use it.
+ * Unresolved CDK tokens are skipped (ADR-0010).
+ *
+ * @throws on invalid input.
+ */
+export function validateSecurityGroupName(raw) {
+    if (Token.isUnresolved(raw))
+        return;
+    if (raw.startsWith("sg-")) {
+        throw new Error(`EC2 SecurityGroup GroupName "${raw}" must not start with the reserved "sg-" prefix. See ${SG_SOURCE}.`);
+    }
+    validateString(raw, SECURITY_GROUP_NAME);
+}
+//# sourceMappingURL=security-group-constraints.js.map

package/dist/esm/security-group-constraints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-group-constraints.js","sourceRoot":"","sources":["../../src/security-group-constraints.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE1F;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,GAAG,gBAAgB,CAAC;AACjC,MAAM,aAAa,GAAG,GAAG,QAAQ,CAAC,KAAK,GAAG,QAAQ,CAAC,cAAc,GAAG,OAAO,EAAE,CAAC;AAC9E,MAAM,UAAU,GAAG,yDAAyD,CAAC;AAC7E,MAAM,SAAS,GACb,qFAAqF,CAAC;AAExF,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;IAClD,IAAI,EAAE,oCAAoC;IAC1C,SAAS,EAAE,aAAa;IACxB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,SAAS;CAClB,CAAC,CAAC;AAEH,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;IAC3C,IAAI,EAAE,6BAA6B;IACnC,SAAS,EAAE,aAAa;IACxB,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,SAAS;CAClB,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,gCAAgC,CAAC,GAAW;IAC1D,IAAI,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC;QAAE,OAAO;IACpC,cAAc,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAW;IACnD,IAAI,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC;QAAE,OAAO;IACpC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,wDAAwD,SAAS,GAAG,CACxG,CAAC;IACJ,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;AAC3C,CAAC"}

package/dist/esm/vpc-builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vpc-builder.d.ts","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC7E,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAyB,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGlF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,GACtB,KAAK,GACL;IACE,gFAAgF;IAChF,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,gBAAgB,KAAK,gBAAgB,CAAC;CACvD,CAAC;AAEN;;;;;;GAMG;AACH,MAAM,WAAW,eAAgB,SAAQ,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;IACjE,wFAAwF;IACxF,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,GAAG,CAAC;IAET;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,QAAQ,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,WAAW,GAAG,cAAc,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;AAItE,cAAM,UAAW,YAAW,SAAS,CAAC,gBAAgB,CAAC;IACrD,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,CAAM;IAErC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,gBAAgB;CAgBvD;AA2CD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAE9C"}
+{"version":3,"file":"vpc-builder.d.ts","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAE,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC7E,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAyB,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGlF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,GACtB,KAAK,GACL;IACE,gFAAgF;IAChF,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC;;;;OAIG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,gBAAgB,KAAK,gBAAgB,CAAC;CACvD,CAAC;AAEN;;;;;;GAMG;AACH,MAAM,WAAW,eAAgB,SAAQ,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;IACjE,wFAAwF;IACxF,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,GAAG,CAAC;IAET;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,QAAQ,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,MAAM,WAAW,GAAG,cAAc,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;AAItE,cAAM,UAAW,YAAW,SAAS,CAAC,gBAAgB,CAAC;IACrD,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,CAAM;IAErC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,GAAG,gBAAgB;CA8BvD;AA2CD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAE9C"}

package/dist/esm/vpc-builder.js

@@ -8,11 +8,22 @@ class VpcBuilder {
     build(scope, id) {
         const { flowLogs: flowLogsConfig, ...vpcProps } = this.props;
         const { flowLogsLogGroup, flowLogProps } = resolveFlowLogs(scope, id, flowLogsConfig);
+        // CDK accepts `availabilityZones` or `maxAzs`, but not both. When the user
+        // pins AZs explicitly, the default `maxAzs` must yield to their intent;
+        // setting both is a genuine conflict and fails fast.
+        const userPinnedAzs = vpcProps.availabilityZones !== undefined;
+        if (userPinnedAzs && vpcProps.maxAzs !== undefined) {
+            throw new Error(`VpcBuilder "${id}": .availabilityZones() and .maxAzs() are mutually exclusive — ` +
+                `CDK accepts one or the other, not both.`);
+        }
         const mergedProps = {
             ...VPC_DEFAULTS,
             ...flowLogProps,
             ...vpcProps,
         };
+        if (userPinnedAzs) {
+            delete mergedProps.maxAzs;
+        }
         return {
             vpc: new Vpc(scope, id, mergedProps),
             flowLogsLogGroup,

package/dist/esm/vpc-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"vpc-builder.js","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAiB,MAAM,qBAAqB,CAAC;AAI7E,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,qBAAqB,EAAyB,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAmFjD,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAE9C,MAAM,UAAU;IACd,KAAK,GAA6B,EAAE,CAAC;IAErC,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7D,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC,CAAC;QAEtF,MAAM,WAAW,GAAG;YAClB,GAAG,YAAY;YACf,GAAG,YAAY;YACf,GAAG,QAAQ;SACZ,CAAC;QAEF,OAAO;YACL,GAAG,EAAE,IAAI,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC;YACpC,gBAAgB;SACjB,CAAC;IACJ,CAAC;CACF;AAED,SAAS,eAAe,CACtB,KAAiB,EACjB,EAAU,EACV,GAA+B;IAE/B,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,GAAG,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,gEAAgE,CACnE,CAAC;QACJ,CAAC;QACD,OAAO;YACL,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,CAAC,oBAAoB,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,EAAE;aACvE;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,GAAG,qBAAqB,EAAE,CAAC;IACzC,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;IAEnF,OAAO;QACL,gBAAgB;QAChB,YAAY,EAAE;YACZ,QAAQ,EAAE;gBACR,CAAC,oBAAoB,CAAC,EAAE;oBACtB,WAAW,EAAE,kBAAkB,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;iBACnE;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAA8B,UAAU,CAAC,CAAC;AAChE,CAAC"}
+{"version":3,"file":"vpc-builder.js","sourceRoot":"","sources":["../../src/vpc-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,GAAG,EAAiB,MAAM,qBAAqB,CAAC;AAI7E,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,qBAAqB,EAAyB,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAmFjD,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAE9C,MAAM,UAAU;IACd,KAAK,GAA6B,EAAE,CAAC;IAErC,KAAK,CAAC,KAAiB,EAAE,EAAU;QACjC,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7D,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC,CAAC;QAEtF,2EAA2E;QAC3E,wEAAwE;QACxE,qDAAqD;QACrD,MAAM,aAAa,GAAG,QAAQ,CAAC,iBAAiB,KAAK,SAAS,CAAC;QAC/D,IAAI,aAAa,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,eAAe,EAAE,iEAAiE;gBAChF,yCAAyC,CAC5C,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG;YAClB,GAAG,YAAY;YACf,GAAG,YAAY;YACf,GAAG,QAAQ;SACZ,CAAC;QACF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,WAAW,CAAC,MAAM,CAAC;QAC5B,CAAC;QAED,OAAO;YACL,GAAG,EAAE,IAAI,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC;YACpC,gBAAgB;SACjB,CAAC;IACJ,CAAC;CACF;AAED,SAAS,eAAe,CACtB,KAAiB,EACjB,EAAU,EACV,GAA+B;IAE/B,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,OAAO,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,GAAG,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAC9D,gEAAgE,CACnE,CAAC;QACJ,CAAC;QACD,OAAO;YACL,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,CAAC,oBAAoB,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,EAAE;aACvE;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,GAAG,qBAAqB,EAAE,CAAC;IACzC,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;QACnB,UAAU,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;IAEnF,OAAO;QACL,gBAAgB;QAChB,YAAY,EAAE;YACZ,QAAQ,EAAE;gBACR,CAAC,oBAAoB,CAAC,EAAE;oBACtB,WAAW,EAAE,kBAAkB,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;iBACnE;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAA8B,UAAU,CAAC,CAAC;AAChE,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@composurecdk/ec2",
-  "version": "0.8.3",
+  "version": "0.8.5",
   "description": "Composable EC2 instance and VPC builders with well-architected defaults",
   "repository": {
     "type": "git",
@@ -20,7 +20,18 @@
     "test": "vitest run --passWithNoTests",
     "test:watch": "vitest"
   },
-  "keywords": [],
+  "keywords": [
+    "aws",
+    "cdk",
+    "aws-cdk",
+    "infrastructure-as-code",
+    "iac",
+    "composurecdk",
+    "ec2",
+    "vpc",
+    "networking",
+    "compute"
+  ],
   "author": "Jason Duffett (https://github.com/laazyj)",
   "license": "MIT",
   "publishConfig": {
@@ -45,11 +56,11 @@
     "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "@types/node": "^25.9.1",
-    "aws-cdk-lib": "^2.257.0",
+    "@types/node": "^25.9.3",
+    "aws-cdk-lib": "^2.258.1",
     "constructs": "^10.6.0",
     "typescript": "^6.0.2",
-    "vitest": "^4.1.7"
+    "vitest": "^4.1.8"
   },
   "exports": {
     "./package.json": "./package.json",