npm - @composurecdk/ec2 - Versions diffs - 0.8.4 → 0.8.5 - Mend

@composurecdk/ec2 0.8.4 → 0.8.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md CHANGED Viewed

@@ -288,6 +288,206 @@ compose(
 The Security Group builder does **not** create CloudWatch alarms. Security groups do not emit CloudWatch metrics — the [AWS recommended-alarms reference](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html) has no SG entry. Operational visibility for SGs comes from adjacent signals (VPC Flow Logs, GuardDuty findings, CloudTrail `AuthorizeSecurityGroupIngress`/`Egress` events), none of which belong on the builder result.
+## Interface Endpoint Builder
+VPC interface endpoints (AWS PrivateLink) have no props-time surface in CDK —
+the only way to add one is the post-build `vpc.addInterfaceEndpoint(...)` call,
+whose security group is never exposed. `createInterfaceEndpointBuilder` makes an
+endpoint a first-class `compose()` component. It maps **1:1 to a CDK
+`InterfaceVpcEndpoint`** (one `service` per endpoint) and supports two security
+group modes:
+- **BYO** — `.securityGroups([...])` with SGs you fully manage (typically
+  sibling `SecurityGroupBuilder`s): full ingress/egress/port control.
+- **Managed shortcut** — omit `.securityGroups()` and the builder auto-creates a
+  closed SG, exposes it on the result, and `.allowDefaultPortFrom(peer)` wires
+  bidirectionally: ingress on the managed SG from the peer **and** egress from
+  the peer's SG to the managed SG (on the service's default port, 443).
+The two are mutually exclusive (combining them throws). To group several
+endpoints under one access policy, point them at the same security group.
+### Minimalist single service (managed shortcut)
+```ts
+import { compose, ref } from "@composurecdk/core";
+import {
+  createInterfaceEndpointBuilder,
+  createSecurityGroupBuilder,
+  createVpcBuilder,
+  type SecurityGroupBuilderResult,
+  type VpcBuilderResult,
+} from "@composurecdk/ec2";
+import { InterfaceVpcEndpointAwsService, SubnetType } from "aws-cdk-lib/aws-ec2";
+compose(
+  {
+    network: createVpcBuilder().natGateways(0),
+    bastionSg: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("Bastion"),
+    ssm: createInterfaceEndpointBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .service(InterfaceVpcEndpointAwsService.SSM)
+      .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+      .allowDefaultPortFrom(ref<SecurityGroupBuilderResult>("bastionSg").get("securityGroup")),
+  },
+  { network: [], bastionSg: ["network"], ssm: ["network", "bastionSg"] },
+).build(stack, "App");
+// result.ssm = { endpoint: InterfaceVpcEndpoint, securityGroup: SecurityGroup }
+```
+The managed `securityGroup` is present on the result for cases where another
+component needs a direct reference to it (e.g. BYO-mode builders that share
+one SG across several endpoints). The peer's egress rule is wired automatically
+by `.allowDefaultPortFrom()` — no manual `addEgressRule` call needed.
+### SSM access (multiple endpoints, one shared SG)
+SSM/Session Manager in a NAT-free VPC needs three endpoints with identical
+ingress. One endpoint per builder — share a single BYO `SecurityGroupBuilder`
+across all three. The access policy lives on the shared SG, not on individual
+endpoints:
+```ts
+import { compose, ref } from "@composurecdk/core";
+import {
+  createInterfaceEndpointBuilder,
+  createSecurityGroupBuilder,
+  createVpcBuilder,
+  type SecurityGroupBuilderResult,
+  type VpcBuilderResult,
+} from "@composurecdk/ec2";
+import { InterfaceVpcEndpointAwsService, Port, SubnetType } from "aws-cdk-lib/aws-ec2";
+compose(
+  {
+    network: createVpcBuilder().natGateways(0),
+    bastionSg: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("Bastion"),
+    // One SG shared by all three endpoints — the access policy lives here.
+    endpointSg: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("SSM endpoints")
+      .addIngressRule(
+        ref<SecurityGroupBuilderResult>("bastionSg").get("securityGroup"),
+        Port.tcp(443),
+      ),
+    ssm: createInterfaceEndpointBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .service(InterfaceVpcEndpointAwsService.SSM)
+      .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+      .securityGroups([ref<SecurityGroupBuilderResult>("endpointSg").get("securityGroup")]),
+    ssmmessages: createInterfaceEndpointBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .service(InterfaceVpcEndpointAwsService.SSM_MESSAGES)
+      .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+      .securityGroups([ref<SecurityGroupBuilderResult>("endpointSg").get("securityGroup")]),
+    ec2messages: createInterfaceEndpointBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .service(InterfaceVpcEndpointAwsService.EC2_MESSAGES)
+      .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+      .securityGroups([ref<SecurityGroupBuilderResult>("endpointSg").get("securityGroup")]),
+  },
+  {
+    network: [],
+    bastionSg: ["network"],
+    endpointSg: ["network", "bastionSg"],
+    ssm: ["network", "endpointSg"],
+    ssmmessages: ["network", "endpointSg"],
+    ec2messages: ["network", "endpointSg"],
+  },
+).build(stack, "App");
+```
+### Complex / custom service (BYO security group)
+A custom PrivateLink service on a non-443 port, with precise ingress _and_
+egress controlled by the `SecurityGroupBuilder` you already have:
+```ts
+import { InterfaceVpcEndpointService, Port } from "aws-cdk-lib/aws-ec2";
+compose(
+  {
+    network: createVpcBuilder(),
+    appSg: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("App tier"),
+    endpointSg: createSecurityGroupBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .description("Partner PrivateLink endpoint")
+      .addIngressRule(ref<SecurityGroupBuilderResult>("appSg").get("securityGroup"), Port.tcp(8443))
+      .addEgressRule(ref<SecurityGroupBuilderResult>("appSg").get("securityGroup"), Port.tcp(8443)),
+    partner: createInterfaceEndpointBuilder()
+      .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+      .service(
+        new InterfaceVpcEndpointService("com.amazonaws.vpce.eu-west-1.vpce-svc-0abc123", 8443),
+      )
+      .securityGroups([ref<SecurityGroupBuilderResult>("endpointSg").get("securityGroup")]),
+  },
+  {
+    network: [],
+    appSg: ["network"],
+    endpointSg: ["network", "appSg"],
+    partner: ["network", "endpointSg"],
+  },
+).build(stack, "App");
+// result.partner = { endpoint: InterfaceVpcEndpoint }  (no managed securityGroup in BYO mode)
+```
+### Interface Endpoint Defaults
+`createInterfaceEndpointBuilder` applies the following defaults. Each can be overridden via the builder's fluent API.
+| Property            | Default | Rationale                                                                                                                                                                                                       |
+| ------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `privateDnsEnabled` | `true`  | Enables `<service>.<region>.amazonaws.com` to resolve to the endpoint ENIs, keeping traffic on the AWS network without requiring application-level changes. Disabled by default in raw CDK for custom services. |
+The defaults are exported as `INTERFACE_ENDPOINT_DEFAULTS` for visibility and testing:
+```ts
+import { INTERFACE_ENDPOINT_DEFAULTS } from "@composurecdk/ec2";
+```
+### Recommended Alarms
+The builder creates [AWS-recommended CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints) by default. No alarm actions are configured — wire actions via `alarmActionsPolicy` from `@composurecdk/cloudwatch`, or by accessing alarms from the build result.
+| Alarm            | Metric                      | Default threshold            | Created when |
+| ---------------- | --------------------------- | ---------------------------- | ------------ |
+| `packetsDropped` | PacketsDropped (Sum, 1 min) | > 0 over 5 consecutive 1-min | Always       |
+If your workload intentionally sends packets larger than 8,500 bytes (the PrivateLink MTU limit), raise the threshold to reduce noise from expected MTU drops:
+```ts
+createInterfaceEndpointBuilder()
+  .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+  .service(InterfaceVpcEndpointAwsService.SSM)
+  .recommendedAlarms({ packetsDropped: { threshold: 100 } });
+```
+Disable all recommended alarms:
+```ts
+builder.recommendedAlarms(false);
+// or
+builder.recommendedAlarms({ enabled: false });
+```
+Disable individual alarms:
+```ts
+builder.recommendedAlarms({ packetsDropped: false });
+```
+The defaults are exported as `INTERFACE_ENDPOINT_ALARM_DEFAULTS` for visibility and testing:
+```ts
+import { INTERFACE_ENDPOINT_ALARM_DEFAULTS } from "@composurecdk/ec2";
+```
 ## Volume Builder
 ```ts

package/dist/commonjs/index.d.ts CHANGED Viewed

@@ -14,6 +14,10 @@ export { createVpcBuilder, type FlowLogsConfig, type IVpcBuilder, type VpcBuilde
 export { VPC_DEFAULTS } from "./vpc-defaults.js";
 export { createSecurityGroupBuilder, type ISecurityGroupBuilder, type SecurityGroupBuilderProps, type SecurityGroupBuilderResult, } from "./security-group-builder.js";
 export { SECURITY_GROUP_DEFAULTS } from "./security-group-defaults.js";
+export { createInterfaceEndpointBuilder, type IInterfaceEndpointBuilder, type InterfaceEndpointBuilderProps, type InterfaceEndpointBuilderResult, } from "./interface-endpoint-builder.js";
+export { INTERFACE_ENDPOINT_DEFAULTS } from "./interface-endpoint-defaults.js";
+export { type InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+export { INTERFACE_ENDPOINT_ALARM_DEFAULTS } from "./interface-endpoint-alarm-defaults.js";
 /**
  * This package's AWS-property constraints, grouped by application strategy.
  * The `constraints.validate.*` / `constraints.sanitize.*` shape is identical

package/dist/commonjs/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAChC,yBAAyB,EAC1B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW;;;;;;CAMO,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,gCAAgC,EAChC,yBAAyB,EAC1B,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAC5E,OAAO,EAAE,KAAK,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AAC1F,OAAO,EAAE,gCAAgC,EAAE,MAAM,0CAA0C,CAAC;AAE5F,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EACL,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE,OAAO,EACL,8BAA8B,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,GACpC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAC/E,OAAO,EAAE,KAAK,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACzF,OAAO,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAE3F;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW;;;;;;CAMO,CAAC"}

package/dist/commonjs/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.constraints = exports.SECURITY_GROUP_DEFAULTS = exports.createSecurityGroupBuilder = exports.VPC_DEFAULTS = exports.createVpcBuilder = exports.VOLUME_ALARM_DEFAULTS = exports.VOLUME_DEFAULTS = exports.createVolumeBuilder = exports.VOLUME_ATTACHMENT_ALARM_DEFAULTS = exports.INSTANCE_ALARM_DEFAULTS = exports.INSTANCE_DEFAULTS = exports.createInstanceBuilder = void 0;
+exports.constraints = exports.INTERFACE_ENDPOINT_ALARM_DEFAULTS = exports.INTERFACE_ENDPOINT_DEFAULTS = exports.createInterfaceEndpointBuilder = exports.SECURITY_GROUP_DEFAULTS = exports.createSecurityGroupBuilder = exports.VPC_DEFAULTS = exports.createVpcBuilder = exports.VOLUME_ALARM_DEFAULTS = exports.VOLUME_DEFAULTS = exports.createVolumeBuilder = exports.VOLUME_ATTACHMENT_ALARM_DEFAULTS = exports.INSTANCE_ALARM_DEFAULTS = exports.INSTANCE_DEFAULTS = exports.createInstanceBuilder = void 0;
 const security_group_constraints_js_1 = require("./security-group-constraints.js");
 var instance_builder_js_1 = require("./instance-builder.js");
 Object.defineProperty(exports, "createInstanceBuilder", { enumerable: true, get: function () { return instance_builder_js_1.createInstanceBuilder; } });
@@ -24,6 +24,12 @@ var security_group_builder_js_1 = require("./security-group-builder.js");
 Object.defineProperty(exports, "createSecurityGroupBuilder", { enumerable: true, get: function () { return security_group_builder_js_1.createSecurityGroupBuilder; } });
 var security_group_defaults_js_1 = require("./security-group-defaults.js");
 Object.defineProperty(exports, "SECURITY_GROUP_DEFAULTS", { enumerable: true, get: function () { return security_group_defaults_js_1.SECURITY_GROUP_DEFAULTS; } });
+var interface_endpoint_builder_js_1 = require("./interface-endpoint-builder.js");
+Object.defineProperty(exports, "createInterfaceEndpointBuilder", { enumerable: true, get: function () { return interface_endpoint_builder_js_1.createInterfaceEndpointBuilder; } });
+var interface_endpoint_defaults_js_1 = require("./interface-endpoint-defaults.js");
+Object.defineProperty(exports, "INTERFACE_ENDPOINT_DEFAULTS", { enumerable: true, get: function () { return interface_endpoint_defaults_js_1.INTERFACE_ENDPOINT_DEFAULTS; } });
+var interface_endpoint_alarm_defaults_js_1 = require("./interface-endpoint-alarm-defaults.js");
+Object.defineProperty(exports, "INTERFACE_ENDPOINT_ALARM_DEFAULTS", { enumerable: true, get: function () { return interface_endpoint_alarm_defaults_js_1.INTERFACE_ENDPOINT_ALARM_DEFAULTS; } });
 /**
  * This package's AWS-property constraints, grouped by application strategy.
  * The `constraints.validate.*` / `constraints.sanitize.*` shape is identical

package/dist/commonjs/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AACA,mFAGyC;AAEzC,6DAK+B;AAJ7B,4HAAA,qBAAqB,OAAA;AAKvB,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAE1B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAGhC,mGAA4F;AAAnF,0JAAA,gCAAgC,OAAA;AAEzC,yDAK6B;AAJ3B,wHAAA,mBAAmB,OAAA;AAKrB,2DAAuD;AAA9C,qHAAA,eAAe,OAAA;AAExB,uEAAmE;AAA1D,iIAAA,qBAAqB,OAAA;AAE9B,mDAM0B;AALxB,kHAAA,gBAAgB,OAAA;AAMlB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA;AAErB,yEAKqC;AAJnC,uIAAA,0BAA0B,OAAA;AAK5B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAEhC;;;;;;;GAOG;AACU,QAAA,WAAW,GAAG;IACzB,QAAQ,EAAE;QACR,wBAAwB,EAAE,gEAAgC;QAC1D,iBAAiB,EAAE,yDAAyB;KAC7C;IACD,QAAQ,EAAE,EAAE;CACiB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AACA,mFAGyC;AAEzC,6DAK+B;AAJ7B,4HAAA,qBAAqB,OAAA;AAKvB,+DAA2D;AAAlD,yHAAA,iBAAiB,OAAA;AAE1B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAGhC,mGAA4F;AAAnF,0JAAA,gCAAgC,OAAA;AAEzC,yDAK6B;AAJ3B,wHAAA,mBAAmB,OAAA;AAKrB,2DAAuD;AAA9C,qHAAA,eAAe,OAAA;AAExB,uEAAmE;AAA1D,iIAAA,qBAAqB,OAAA;AAE9B,mDAM0B;AALxB,kHAAA,gBAAgB,OAAA;AAMlB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA;AAErB,yEAKqC;AAJnC,uIAAA,0BAA0B,OAAA;AAK5B,2EAAuE;AAA9D,qIAAA,uBAAuB,OAAA;AAEhC,iFAKyC;AAJvC,+IAAA,8BAA8B,OAAA;AAKhC,mFAA+E;AAAtE,6IAAA,2BAA2B,OAAA;AAEpC,+FAA2F;AAAlF,yJAAA,iCAAiC,OAAA;AAE1C;;;;;;;GAOG;AACU,QAAA,WAAW,GAAG;IACzB,QAAQ,EAAE;QACR,wBAAwB,EAAE,gEAAgC;QAC1D,iBAAiB,EAAE,yDAAyB;KAC7C;IACD,QAAQ,EAAE,EAAE;CACiB,CAAC"}

package/dist/commonjs/interface-endpoint-alarm-config.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { AlarmConfig } from "@composurecdk/cloudwatch";
+/**
+ * Controls which recommended alarms are created for a VPC interface endpoint.
+ * All alarms are enabled by default with AWS-recommended thresholds.
+ * Set individual alarms to `false` to disable them, or provide an
+ * {@link AlarmConfig} to tune thresholds.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export interface InterfaceEndpointAlarmConfig {
+    /**
+     * Master switch: set to `false` to disable all recommended alarms.
+     * Individual alarms can also be disabled via their own entry.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * Alarm when the endpoint drops packets, indicating the endpoint or
+     * endpoint service is unhealthy, a security group is blocking traffic,
+     * or packets are hitting the 8,500-byte PrivateLink MTU limit.
+     *
+     * Metric: `AWS/PrivateLinkEndpoints PacketsDropped`, statistic Sum,
+     * period 1 minute. Default threshold: > 0 over 5 consecutive 1-minute
+     * windows.
+     *
+     * If your workload intentionally sends packets larger than 8,500 bytes
+     * you may want to raise the threshold to reduce noise from expected MTU
+     * drops.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+     */
+    packetsDropped?: AlarmConfig | false;
+}
+//# sourceMappingURL=interface-endpoint-alarm-config.d.ts.map

package/dist/commonjs/interface-endpoint-alarm-config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-config.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D;;;;;;;GAOG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;;;;;;;;;;;OAcG;IACH,cAAc,CAAC,EAAE,WAAW,GAAG,KAAK,CAAC;CACtC"}

package/dist/commonjs/interface-endpoint-alarm-config.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=interface-endpoint-alarm-config.js.map

package/dist/commonjs/interface-endpoint-alarm-config.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-config.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-config.ts"],"names":[],"mappings":""}

package/dist/commonjs/interface-endpoint-alarm-defaults.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { AlarmConfigDefaults } from "@composurecdk/cloudwatch";
+interface InterfaceEndpointAlarmDefaults {
+    enabled: true;
+    packetsDropped: AlarmConfigDefaults;
+}
+/**
+ * AWS-recommended default alarm configuration for VPC interface endpoints.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export declare const INTERFACE_ENDPOINT_ALARM_DEFAULTS: InterfaceEndpointAlarmDefaults;
+export {};
+//# sourceMappingURL=interface-endpoint-alarm-defaults.d.ts.map

package/dist/commonjs/interface-endpoint-alarm-defaults.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-defaults.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-defaults.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAEpE,UAAU,8BAA8B;IACtC,OAAO,EAAE,IAAI,CAAC;IACd,cAAc,EAAE,mBAAmB,CAAC;CACrC;AAED;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,8BAkB/C,CAAC"}

package/dist/commonjs/interface-endpoint-alarm-defaults.js ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.INTERFACE_ENDPOINT_ALARM_DEFAULTS = void 0;
+const aws_cloudwatch_1 = require("aws-cdk-lib/aws-cloudwatch");
+/**
+ * AWS-recommended default alarm configuration for VPC interface endpoints.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+exports.INTERFACE_ENDPOINT_ALARM_DEFAULTS = {
+    enabled: true,
+    /**
+     * Any sustained packet drop at the endpoint signals a connectivity or
+     * configuration problem — an unhealthy endpoint service, a security group
+     * blocking traffic, or jumbo frames exceeding the 8,500-byte PrivateLink
+     * MTU. Five consecutive 1-minute periods avoids false alarms from isolated
+     * oversized packets while still catching persistent issues quickly.
+     *
+     * @see https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-troubleshoot.html
+     */
+    packetsDropped: {
+        threshold: 0,
+        evaluationPeriods: 5,
+        datapointsToAlarm: 5,
+        treatMissingData: aws_cloudwatch_1.TreatMissingData.NOT_BREACHING,
+    },
+};
+//# sourceMappingURL=interface-endpoint-alarm-defaults.js.map

package/dist/commonjs/interface-endpoint-alarm-defaults.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"interface-endpoint-alarm-defaults.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarm-defaults.ts"],"names":[],"mappings":";;;AAAA,+DAA8D;AAQ9D;;;;GAIG;AACU,QAAA,iCAAiC,GAAmC;IAC/E,OAAO,EAAE,IAAI;IAEb;;;;;;;;OAQG;IACH,cAAc,EAAE;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,EAAE,CAAC;QACpB,gBAAgB,EAAE,iCAAgB,CAAC,aAAa;KACjD;CACF,CAAC"}

package/dist/commonjs/interface-endpoint-alarms.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import { type InterfaceVpcEndpoint } from "aws-cdk-lib/aws-ec2";
+import type { IConstruct } from "constructs";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+/**
+ * Creates AWS-recommended CloudWatch alarms for a VPC interface endpoint,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+export declare function createInterfaceEndpointAlarms(scope: IConstruct, id: string, endpoint: InterfaceVpcEndpoint, config: InterfaceEndpointAlarmConfig | false | undefined, customAlarms?: AlarmDefinitionBuilder<InterfaceVpcEndpoint>[]): Record<string, Alarm>;
+//# sourceMappingURL=interface-endpoint-alarms.d.ts.map

package/dist/commonjs/interface-endpoint-alarms.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-alarms.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-alarms.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,KAAK,EAAqC,MAAM,4BAA4B,CAAC;AAC3F,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EAAE,sBAAsB,EAAoC,MAAM,0BAA0B,CAAC;AACpG,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AAsDzF;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,oBAAoB,EAC9B,MAAM,EAAE,4BAA4B,GAAG,KAAK,GAAG,SAAS,EACxD,YAAY,GAAE,sBAAsB,CAAC,oBAAoB,CAAC,EAAO,GAChE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAUvB"}

package/dist/commonjs/interface-endpoint-alarms.js ADDED Viewed

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInterfaceEndpointAlarms = createInterfaceEndpointAlarms;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_cloudwatch_1 = require("aws-cdk-lib/aws-cloudwatch");
+const cloudwatch_1 = require("@composurecdk/cloudwatch");
+const interface_endpoint_alarm_defaults_js_1 = require("./interface-endpoint-alarm-defaults.js");
+const PACKETS_DROPPED_PERIOD = aws_cdk_lib_1.Duration.minutes(1);
+const PACKETS_DROPPED_PERIOD_LABEL = `${String(PACKETS_DROPPED_PERIOD.toMinutes())} minute`;
+function endpointMetric(endpoint, metricName, statistic, period) {
+    return new aws_cloudwatch_1.Metric({
+        namespace: "AWS/PrivateLinkEndpoints",
+        metricName,
+        dimensionsMap: { "VPC Endpoint Id": endpoint.vpcEndpointId },
+        statistic,
+        period,
+    });
+}
+function resolveEndpointAlarmDefinitions(endpoint, config) {
+    if (config?.enabled === false)
+        return [];
+    const definitions = [];
+    if (config?.packetsDropped !== false) {
+        const cfg = (0, cloudwatch_1.resolveAlarmConfig)(config?.packetsDropped, interface_endpoint_alarm_defaults_js_1.INTERFACE_ENDPOINT_ALARM_DEFAULTS.packetsDropped);
+        definitions.push({
+            key: "packetsDropped",
+            alarmName: cfg.alarmName,
+            metric: endpointMetric(endpoint, "PacketsDropped", aws_cloudwatch_1.Stats.SUM, PACKETS_DROPPED_PERIOD),
+            threshold: cfg.threshold,
+            comparisonOperator: aws_cloudwatch_1.ComparisonOperator.GREATER_THAN_THRESHOLD,
+            evaluationPeriods: cfg.evaluationPeriods,
+            datapointsToAlarm: cfg.datapointsToAlarm,
+            treatMissingData: cfg.treatMissingData,
+            description: `VPC interface endpoint is dropping packets — possible endpoint service unhealthy, ` +
+                `security group blocking traffic, or packets exceeding the 8,500-byte PrivateLink MTU. ` +
+                `Threshold: > ${String(cfg.threshold)} (sum) over ` +
+                `${String(cfg.evaluationPeriods)} x ${PACKETS_DROPPED_PERIOD_LABEL}.`,
+        });
+    }
+    return definitions;
+}
+/**
+ * Creates AWS-recommended CloudWatch alarms for a VPC interface endpoint,
+ * merging recommended definitions with any custom alarm builders.
+ *
+ * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+ */
+function createInterfaceEndpointAlarms(scope, id, endpoint, config, customAlarms = []) {
+    if (config === false)
+        return {};
+    const enabled = config?.enabled ?? interface_endpoint_alarm_defaults_js_1.INTERFACE_ENDPOINT_ALARM_DEFAULTS.enabled;
+    if (!enabled)
+        return {};
+    const recommended = resolveEndpointAlarmDefinitions(endpoint, config);
+    const custom = customAlarms.map((b) => b.resolve(endpoint));
+    return (0, cloudwatch_1.createAlarms)(scope, id, [...recommended, ...custom]);
+}
+//# sourceMappingURL=interface-endpoint-alarms.js.map

package/dist/commonjs/interface-endpoint-alarms.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-alarms.js","sourceRoot":"","sources":["../../src/interface-endpoint-alarms.ts"],"names":[],"mappings":";;AAkEA,sEAgBC;AAlFD,6CAAuC;AACvC,+DAA2F;AAI3F,yDAAoG;AAEpG,iGAA2F;AAE3F,MAAM,sBAAsB,GAAG,sBAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACnD,MAAM,4BAA4B,GAAG,GAAG,MAAM,CAAC,sBAAsB,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC;AAE5F,SAAS,cAAc,CACrB,QAA8B,EAC9B,UAAkB,EAClB,SAAiB,EACjB,MAAgB;IAEhB,OAAO,IAAI,uBAAM,CAAC;QAChB,SAAS,EAAE,0BAA0B;QACrC,UAAU;QACV,aAAa,EAAE,EAAE,iBAAiB,EAAE,QAAQ,CAAC,aAAa,EAAE;QAC5D,SAAS;QACT,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,SAAS,+BAA+B,CACtC,QAA8B,EAC9B,MAAgD;IAEhD,IAAI,MAAM,EAAE,OAAO,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAsB,EAAE,CAAC;IAE1C,IAAI,MAAM,EAAE,cAAc,KAAK,KAAK,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAA,+BAAkB,EAC5B,MAAM,EAAE,cAAc,EACtB,wEAAiC,CAAC,cAAc,CACjD,CAAC;QACF,WAAW,CAAC,IAAI,CAAC;YACf,GAAG,EAAE,gBAAgB;YACrB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,MAAM,EAAE,cAAc,CAAC,QAAQ,EAAE,gBAAgB,EAAE,sBAAK,CAAC,GAAG,EAAE,sBAAsB,CAAC;YACrF,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,kBAAkB,EAAE,mCAAkB,CAAC,sBAAsB;YAC7D,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;YACtC,WAAW,EACT,oFAAoF;gBACpF,wFAAwF;gBACxF,gBAAgB,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc;gBACnD,GAAG,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,MAAM,4BAA4B,GAAG;SACxE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,6BAA6B,CAC3C,KAAiB,EACjB,EAAU,EACV,QAA8B,EAC9B,MAAwD,EACxD,eAA+D,EAAE;IAEjE,IAAI,MAAM,KAAK,KAAK;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,OAAO,GAAG,MAAM,EAAE,OAAO,IAAI,wEAAiC,CAAC,OAAO,CAAC;IAC7E,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,WAAW,GAAG,+BAA+B,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE5D,OAAO,IAAA,yBAAY,EAAC,KAAK,EAAE,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;AAC9D,CAAC"}

package/dist/commonjs/interface-endpoint-builder.d.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import { type Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import { InterfaceVpcEndpoint, type IConnectable, type InterfaceVpcEndpointProps, type ISecurityGroup, type IVpc, type SecurityGroup } from "aws-cdk-lib/aws-ec2";
+import { type IConstruct } from "constructs";
+import { COPY_STATE, type Lifecycle, type Resolvable } from "@composurecdk/core";
+import { type ITaggedBuilder } from "@composurecdk/cloudformation";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import type { InterfaceEndpointAlarmConfig } from "./interface-endpoint-alarm-config.js";
+/**
+ * Configuration properties for the interface-endpoint builder.
+ *
+ * Lifts three CDK props off the props object:
+ * - `vpc` — supplied via {@link IInterfaceEndpointBuilder.vpc | .vpc()} so it
+ *   can accept a {@link Resolvable} for cross-component wiring.
+ * - `securityGroups` — supplied via
+ *   {@link IInterfaceEndpointBuilder.securityGroups | .securityGroups()} so
+ *   each can be a {@link Resolvable} (typically a sibling
+ *   `SecurityGroupBuilder`).
+ * - `open` — always `false`; ingress is explicit (see the builder docs).
+ */
+export interface InterfaceEndpointBuilderProps extends Omit<InterfaceVpcEndpointProps, "vpc" | "securityGroups" | "open"> {
+    /**
+     * Configuration for AWS-recommended CloudWatch alarms.
+     *
+     * By default, the builder creates recommended alarms with sensible
+     * thresholds. Individual alarms can be customized or disabled. Set to
+     * `false` to disable all alarms.
+     *
+     * @see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#PrivateLinkEndpoints
+     */
+    recommendedAlarms?: InterfaceEndpointAlarmConfig | false;
+}
+/**
+ * The build output of an {@link IInterfaceEndpointBuilder}.
+ *
+ * `securityGroup` is present only in **managed mode** — i.e. when the caller
+ * did *not* supply `.securityGroups(...)`, so the builder auto-created one. It
+ * is exposed for cases where sibling builders need to reference the
+ * auto-created SG directly. In **BYO mode** it is `undefined`: the caller
+ * already holds refs to the security groups they passed in.
+ */
+export interface InterfaceEndpointBuilderResult {
+    endpoint: InterfaceVpcEndpoint;
+    securityGroup?: SecurityGroup;
+    alarms: Record<string, Alarm>;
+}
+/**
+ * A fluent builder for a single VPC interface endpoint (AWS PrivateLink).
+ *
+ * Unlike raw CDK — where interface endpoints exist only as a post-build
+ * `vpc.addInterfaceEndpoint(...)` call whose security group is never exposed —
+ * this builder is a first-class {@link compose} component. It maps 1:1 to a
+ * CDK `InterfaceVpcEndpoint` (one `service` per endpoint); group several into
+ * one access policy by pointing them at the same security group.
+ *
+ * **Security group, two modes:**
+ * - *BYO* — call {@link IInterfaceEndpointBuilder.securityGroups | .securityGroups([...])}
+ *   with security groups you fully manage (typically sibling
+ *   `SecurityGroupBuilder`s). Full ingress/egress/port control; the builder
+ *   creates no SG and `securityGroup` is absent from the result.
+ * - *Managed shortcut* — omit `.securityGroups()` and the builder auto-creates
+ *   a closed SG, exposes it on the result, and for each peer you pass to
+ *   {@link IInterfaceEndpointBuilder.allowDefaultPortFrom} it opens ingress on
+ *   the managed SG **and** egress on the peer's SG — matching exactly what CDK's
+ *   `connections.allowDefaultPortFrom(...)` does bidirectionally.
+ *
+ * The two are mutually exclusive — combining BYO `.securityGroups()` with
+ * `.allowDefaultPortFrom()` throws, since the rule would have nowhere it
+ * could be applied that the caller isn't already managing.
+ *
+ * @see https://docs.aws.amazon.com/vpc/latest/privatelink/
+ *
+ * @example Managed shortcut (the SSM-from-bastion common case)
+ * ```ts
+ * createInterfaceEndpointBuilder()
+ *   .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *   .service(InterfaceVpcEndpointAwsService.SSM)
+ *   .subnets({ subnetType: SubnetType.PRIVATE_ISOLATED })
+ *   .allowDefaultPortFrom(ref<SecurityGroupBuilderResult>("bastionSg").get("securityGroup"));
+ * // result = { endpoint, securityGroup }
+ * ```
+ */
+export type IInterfaceEndpointBuilder = ITaggedBuilder<InterfaceEndpointBuilderProps, InterfaceEndpointBuilder>;
+declare class InterfaceEndpointBuilder implements Lifecycle<InterfaceEndpointBuilderResult> {
+    #private;
+    props: Partial<InterfaceEndpointBuilderProps>;
+    /**
+     * Sets the VPC the endpoint is created in. Accepts a concrete {@link IVpc}
+     * or a {@link Ref} to a sibling {@link IVpcBuilder}.
+     */
+    vpc(vpc: Resolvable<IVpc>): this;
+    /**
+     * Bring-your-own security groups. Each entry is a {@link Resolvable}, so it
+     * can be a concrete {@link ISecurityGroup} or a {@link Ref} to a sibling
+     * `SecurityGroupBuilder` — giving you full ingress/egress/port control. When
+     * set, the builder creates no security group of its own and
+     * {@link InterfaceEndpointBuilderResult.securityGroup} is `undefined`.
+     *
+     * Mutually exclusive with {@link allowDefaultPortFrom}.
+     */
+    securityGroups(securityGroups: Resolvable<ISecurityGroup>[]): this;
+    /**
+     * Managed-SG shortcut: wires `peer` to the auto-created security group via
+     * CDK's `endpoint.connections.allowDefaultPortFrom(peer)` — opening ingress
+     * on the managed SG from `peer`'s SG **and** egress from `peer`'s SG to the
+     * managed SG, on the service's default port (443 for AWS services).
+     *
+     * Because this delegates to CDK connections, `peer` must be an
+     * {@link IConnectable} (e.g. a `SecurityGroup` or `Instance`), not a raw
+     * `IPeer` (e.g. `Peer.ipv4(...)`). For CIDR-based rules use BYO mode with
+     * an explicit `addIngressRule` on your own {@link SecurityGroupBuilder}.
+     *
+     * Mutually exclusive with {@link securityGroups}.
+     */
+    allowDefaultPortFrom(peer: Resolvable<IConnectable>, description?: string): this;
+    /**
+     * Adds a custom CloudWatch alarm alongside the recommended ones. The
+     * callback receives an {@link AlarmDefinitionBuilder} typed to the
+     * `InterfaceVpcEndpoint` construct, giving access to the endpoint at
+     * build time for metric dimension wiring.
+     */
+    addAlarm(key: string, configure: (alarm: AlarmDefinitionBuilder<InterfaceVpcEndpoint>) => AlarmDefinitionBuilder<InterfaceVpcEndpoint>): this;
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target: InterfaceEndpointBuilder): void;
+    build(scope: IConstruct, id: string, context?: Record<string, object>): InterfaceEndpointBuilderResult;
+}
+/**
+ * Creates a new {@link IInterfaceEndpointBuilder} for a single VPC interface
+ * endpoint. The returned builder exposes every
+ * {@link InterfaceEndpointBuilderProps} property as a fluent setter/getter,
+ * plus `.vpc()`, `.securityGroups()` (BYO), and `.allowDefaultPortFrom()`
+ * (managed-SG shortcut).
+ */
+export declare function createInterfaceEndpointBuilder(): IInterfaceEndpointBuilder;
+export {};
+//# sourceMappingURL=interface-endpoint-builder.d.ts.map

package/dist/commonjs/interface-endpoint-builder.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"interface-endpoint-builder.d.ts","sourceRoot":"","sources":["../../src/interface-endpoint-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EACL,oBAAoB,EACpB,KAAK,YAAY,EACjB,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,IAAI,EACT,KAAK,aAAa,EACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,KAAK,SAAS,EAAW,KAAK,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,KAAK,cAAc,EAAiB,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAGlE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AAGzF;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,6BAA8B,SAAQ,IAAI,CACzD,yBAAyB,EACzB,KAAK,GAAG,gBAAgB,GAAG,MAAM,CAClC;IACC;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,4BAA4B,GAAG,KAAK,CAAC;CAC1D;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAC/B;AAOD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,MAAM,yBAAyB,GAAG,cAAc,CACpD,6BAA6B,EAC7B,wBAAwB,CACzB,CAAC;AAEF,cAAM,wBAAyB,YAAW,SAAS,CAAC,8BAA8B,CAAC;;IACjF,KAAK,EAAE,OAAO,CAAC,6BAA6B,CAAC,CAAM;IAMnD;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI;IAKhC;;;;;;;;OAQG;IACH,cAAc,CAAC,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,EAAE,GAAG,IAAI;IAKlE;;;;;;;;;;;;OAYG;IACH,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,YAAY,CAAC,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI;IAKhF;;;;;OAKG;IACH,QAAQ,CACN,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,CACT,KAAK,EAAE,sBAAsB,CAAC,oBAAoB,CAAC,KAChD,sBAAsB,CAAC,oBAAoB,CAAC,GAChD,IAAI;IAKP,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,wBAAwB,GAAG,IAAI;IAOpD,KAAK,CACH,KAAK,EAAE,UAAU,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,8BAA8B;CA6DlC;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,IAAI,yBAAyB,CAI1E"}