@composurecdk/neptune 0.8.3

package/dist/esm/cluster-builder.js

@@ -0,0 +1,137 @@
+import { ClusterParameterGroup, DatabaseCluster, } from "@aws-cdk/aws-neptune-alpha";
+import { COPY_STATE, resolve } from "@composurecdk/core";
+import { taggedBuilder } from "@composurecdk/cloudformation";
+import { AlarmDefinitionBuilder } from "@composurecdk/cloudwatch";
+import { CLUSTER_DEFAULTS } from "./cluster-defaults.js";
+import { CLUSTER_PARAMETER_GROUP_DEFAULTS, clusterParameterGroupFamily, } from "./cluster-parameter-group-defaults.js";
+import { createClusterAlarms } from "./cluster-alarms.js";
+class ClusterBuilder {
+    props = {};
+    #customAlarms = [];
+    #accessors = [];
+    #vpc;
+    /**
+     * Sets the VPC the cluster runs in. Required. Accepts a concrete
+     * {@link IVpc} or a {@link Ref} that resolves to one at build time — the
+     * standard cross-component wiring path (e.g. to a sibling `VpcBuilder`).
+     *
+     * @param vpc - The VPC or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    vpc(vpc) {
+        this.#vpc = vpc;
+        return this;
+    }
+    /**
+     * Grants a principal both network and IAM access to the cluster in a single
+     * declaration. At build time this applies
+     * `cluster.connections.allowDefaultPortFrom(peer)` (opening the cluster's
+     * port to the peer's security group) and `cluster.grantConnect(peer)`
+     * (granting the IAM `connect` action required by the cluster's
+     * IAM-authentication default).
+     *
+     * Accepts a concrete {@link ClusterAccessor} or a {@link Ref} to one, so the
+     * grant can be declared inside `compose()` rather than wired up in an
+     * `afterBuild` hook.
+     *
+     * @param peer - The principal to grant access to, or a Ref to one.
+     * @returns This builder for chaining.
+     */
+    allowAccessFrom(peer) {
+        this.#accessors.push(peer);
+        return this;
+    }
+    /**
+     * Adds a custom CloudWatch alarm to be created alongside the recommended
+     * alarms. The callback receives an {@link AlarmDefinitionBuilder} scoped to
+     * the built cluster; configure it fluently and return it.
+     *
+     * @param key - A unique key for the alarm (used to generate the alarm id).
+     * @param configure - Callback that configures the alarm definition.
+     * @returns This builder for chaining.
+     */
+    addAlarm(key, configure) {
+        this.#customAlarms.push(configure(new AlarmDefinitionBuilder(key)));
+        return this;
+    }
+    /** @internal — see ADR-0005. */
+    [COPY_STATE](target) {
+        target.#vpc = this.#vpc;
+        target.#customAlarms.push(...this.#customAlarms);
+        target.#accessors.push(...this.#accessors);
+    }
+    build(scope, id, context) {
+        const resolvedVpc = this.#vpc ? resolve(this.#vpc, context) : undefined;
+        if (!resolvedVpc) {
+            throw new Error(`ClusterBuilder "${id}" requires a VPC. Call .vpc() with an IVpc or a Ref to one.`);
+        }
+        const { recommendedAlarms: alarmConfig, securityGroups: resolvableSgs, clusterParameters, clusterParameterGroup: userParameterGroup, ...clusterProps } = this.props;
+        if (clusterProps.instanceType === undefined) {
+            throw new Error(`ClusterBuilder "${id}" requires an instance type. Call .instanceType() with a ` +
+                `provisioned class (e.g. InstanceType.R6G_LARGE) or InstanceType.SERVERLESS ` +
+                `paired with .serverlessScalingConfiguration().`);
+        }
+        if (userParameterGroup !== undefined && clusterParameters !== undefined) {
+            throw new Error(`ClusterBuilder "${id}": .clusterParameters() cannot be combined with a ` +
+                `user-managed .clusterParameterGroup() — the supplied group is not mutated by ` +
+                `this builder. Set the parameters on your own group instead.`);
+        }
+        const clusterParameterGroup = userParameterGroup ??
+            new ClusterParameterGroup(scope, `${id}ParameterGroup`, {
+                family: clusterParameterGroupFamily(clusterProps.engineVersion),
+                parameters: { ...CLUSTER_PARAMETER_GROUP_DEFAULTS, ...clusterParameters },
+            });
+        const securityGroups = resolvableSgs?.map((sg) => resolve(sg, context));
+        const mergedProps = {
+            ...CLUSTER_DEFAULTS,
+            ...clusterProps,
+            vpc: resolvedVpc,
+            clusterParameterGroup,
+            ...(securityGroups ? { securityGroups } : {}),
+        };
+        const cluster = new DatabaseCluster(scope, id, mergedProps);
+        for (const resolvable of this.#accessors) {
+            const peer = resolve(resolvable, context);
+            cluster.connections.allowDefaultPortFrom(peer);
+            // The IAM `connect` grant is only meaningful when IAM authentication is
+            // enabled (the default). If a user has turned it off, opening the
+            // network path is the whole grant — a grantConnect policy would be inert.
+            if (mergedProps.iamAuthentication !== false) {
+                cluster.grantConnect(peer);
+            }
+        }
+        const alarms = createClusterAlarms(scope, id, cluster, alarmConfig, mergedProps.serverlessScalingConfiguration, this.#customAlarms);
+        return { cluster, subnetGroup: cluster.subnetGroup, clusterParameterGroup, alarms };
+    }
+}
+/**
+ * Creates a new {@link IClusterBuilder} for configuring an Amazon Neptune
+ * cluster.
+ *
+ * This is the entry point for defining a Neptune component. The returned
+ * builder exposes every {@link ClusterBuilderProps} property as a fluent
+ * setter/getter, plus {@link IClusterBuilder.vpc | .vpc()} and
+ * {@link IClusterBuilder.allowAccessFrom | .allowAccessFrom()} for
+ * cross-component wiring with Ref support. It implements {@link Lifecycle}
+ * for use with {@link compose}.
+ *
+ * @returns A fluent builder for an Amazon Neptune cluster.
+ *
+ * @example
+ * ```ts
+ * const system = compose(
+ *   {
+ *     network: createVpcBuilder().maxAzs(2),
+ *     graph: createClusterBuilder()
+ *       .vpc(ref<VpcBuilderResult>("network").get("vpc"))
+ *       .instanceType(InstanceType.SERVERLESS)
+ *       .serverlessScalingConfiguration({ minCapacity: 1, maxCapacity: 8 }),
+ *   },
+ *   { network: [], graph: ["network"] },
+ * );
+ * ```
+ */
+export function createClusterBuilder() {
+    return taggedBuilder(ClusterBuilder);
+}
+//# sourceMappingURL=cluster-builder.js.map

package/dist/esm/cluster-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cluster-builder.js","sourceRoot":"","sources":["../../src/cluster-builder.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,qBAAqB,EACrB,eAAe,GAKhB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAkB,OAAO,EAAmB,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAuB,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EACL,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uCAAuC,CAAC;AAE/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AA4H1D,MAAM,cAAc;IAClB,KAAK,GAAiC,EAAE,CAAC;IAChC,aAAa,GAA+C,EAAE,CAAC;IAC/D,UAAU,GAAkC,EAAE,CAAC;IACxD,IAAI,CAAoB;IAExB;;;;;;;OAOG;IACH,GAAG,CAAC,GAAqB;QACvB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,eAAe,CAAC,IAAiC;QAC/C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;OAQG;IACH,QAAQ,CACN,GAAW,EACX,SAE6C;QAE7C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,sBAAsB,CAAmB,GAAG,CAAC,CAAC,CAAC,CAAC;QACtF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,CAAC,UAAU,CAAC,CAAC,MAAsB;QACjC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;QACjD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,KAAiB,EAAE,EAAU,EAAE,OAAgC;QACnE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACxE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,mBAAmB,EAAE,6DAA6D,CACnF,CAAC;QACJ,CAAC;QAED,MAAM,EACJ,iBAAiB,EAAE,WAAW,EAC9B,cAAc,EAAE,aAAa,EAC7B,iBAAiB,EACjB,qBAAqB,EAAE,kBAAkB,EACzC,GAAG,YAAY,EAChB,GAAG,IAAI,CAAC,KAAK,CAAC;QAEf,IAAI,YAAY,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,mBAAmB,EAAE,2DAA2D;gBAC9E,6EAA6E;gBAC7E,gDAAgD,CACnD,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,KAAK,SAAS,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CACb,mBAAmB,EAAE,oDAAoD;gBACvE,+EAA+E;gBAC/E,6DAA6D,CAChE,CAAC;QACJ,CAAC;QAED,MAAM,qBAAqB,GACzB,kBAAkB;YAClB,IAAI,qBAAqB,CAAC,KAAK,EAAE,GAAG,EAAE,gBAAgB,EAAE;gBACtD,MAAM,EAAE,2BAA2B,CAAC,YAAY,CAAC,aAAa,CAAC;gBAC/D,UAAU,EAAE,EAAE,GAAG,gCAAgC,EAAE,GAAG,iBAAiB,EAAE;aAC1E,CAAC,CAAC;QAEL,MAAM,cAAc,GAAG,aAAa,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC,CAAC;QAExE,MAAM,WAAW,GAAG;YAClB,GAAG,gBAAgB;YACnB,GAAG,YAAY;YACf,GAAG,EAAE,WAAW;YAChB,qBAAqB;YACrB,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtB,CAAC;QAE1B,MAAM,OAAO,GAAG,IAAI,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAE5D,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1C,OAAO,CAAC,WAAW,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAC/C,wEAAwE;YACxE,kEAAkE;YAClE,0EAA0E;YAC1E,IAAI,WAAW,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;gBAC5C,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,mBAAmB,CAChC,KAAK,EACL,EAAE,EACF,OAAO,EACP,WAAW,EACX,WAAW,CAAC,8BAA8B,EAC1C,IAAI,CAAC,aAAa,CACnB,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,qBAAqB,EAAE,MAAM,EAAE,CAAC;IACtF,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,aAAa,CAAsC,cAAc,CAAC,CAAC;AAC5E,CAAC"}

package/dist/esm/cluster-defaults.d.ts

@@ -0,0 +1,19 @@
+import { type DatabaseClusterProps } from "@aws-cdk/aws-neptune-alpha";
+/**
+ * Secure, AWS-recommended defaults applied to every Neptune cluster built
+ * with {@link createClusterBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Every default is anchored first to the AWS Well-Architected Framework
+ * (the _why_) and then to the Neptune User Guide (the _how_), matching the
+ * citation convention used across the other builder packages.
+ *
+ * Notably absent: `instanceType`. Defaulting an instance type would create
+ * surprise cost, so the builder requires the caller to pick one explicitly
+ * (a provisioned class such as `InstanceType.R6G_LARGE`, or
+ * `InstanceType.SERVERLESS` paired with `serverlessScalingConfiguration`).
+ *
+ * @see https://docs.aws.amazon.com/prescriptive-guidance/latest/neptune-well-architected-framework/introduction.html
+ */
+export declare const CLUSTER_DEFAULTS: Partial<DatabaseClusterProps>;
+//# sourceMappingURL=cluster-defaults.d.ts.map

package/dist/esm/cluster-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cluster-defaults.d.ts","sourceRoot":"","sources":["../../src/cluster-defaults.ts"],"names":[],"mappings":"AAEA,OAAO,EAAW,KAAK,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAEhF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,gBAAgB,EAAE,OAAO,CAAC,oBAAoB,CAuE1D,CAAC"}

package/dist/esm/cluster-defaults.js

@@ -0,0 +1,84 @@
+import { RemovalPolicy, Duration } from "aws-cdk-lib";
+import { RetentionDays } from "aws-cdk-lib/aws-logs";
+import { LogType } from "@aws-cdk/aws-neptune-alpha";
+/**
+ * Secure, AWS-recommended defaults applied to every Neptune cluster built
+ * with {@link createClusterBuilder}. Each property can be individually
+ * overridden via the builder's fluent API.
+ *
+ * Every default is anchored first to the AWS Well-Architected Framework
+ * (the _why_) and then to the Neptune User Guide (the _how_), matching the
+ * citation convention used across the other builder packages.
+ *
+ * Notably absent: `instanceType`. Defaulting an instance type would create
+ * surprise cost, so the builder requires the caller to pick one explicitly
+ * (a provisioned class such as `InstanceType.R6G_LARGE`, or
+ * `InstanceType.SERVERLESS` paired with `serverlessScalingConfiguration`).
+ *
+ * @see https://docs.aws.amazon.com/prescriptive-guidance/latest/neptune-well-architected-framework/introduction.html
+ */
+export const CLUSTER_DEFAULTS = {
+    /**
+     * Encrypt the cluster volume at rest. Uses the AWS-managed Neptune key
+     * unless a customer-managed key is supplied via `.kmsKey()`.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_encrypt.html
+     * @see https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html
+     */
+    storageEncrypted: true,
+    /**
+     * Require IAM authentication for data-plane connections, removing the
+     * need for long-lived static credentials. Pair with `.allowAccessFrom()`
+     * (or `cluster.grantConnect()`) to authorise principals.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-03.html
+     * @see https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
+     */
+    iamAuthentication: true,
+    /**
+     * Retain the cluster on stack deletion/replacement so graph data is not
+     * destroyed by an errant `cdk destroy`. Ephemeral/dev stacks override to
+     * `RemovalPolicy.DESTROY`.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_backing_up_data_identified_backups_data.html
+     */
+    removalPolicy: RemovalPolicy.RETAIN,
+    /**
+     * Block accidental deletion of the cluster itself. The CDK L2 would infer
+     * this from `RemovalPolicy.RETAIN`; setting it explicitly keeps the
+     * security posture auditable rather than implicit.
+     * @see https://docs.aws.amazon.com/securityhub/latest/userguide/neptune-controls.html
+     */
+    deletionProtection: true,
+    /**
+     * Retain automated backups for 7 days. The CDK default is 1 day; AWS
+     * Well-Architected recommends a longer window for production data.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_backing_up_data_automated_backups_data.html
+     */
+    backupRetention: Duration.days(7),
+    /**
+     * Export audit logs to CloudWatch Logs. Audit logging is the only log
+     * type Neptune exports to CloudWatch, and it only emits once
+     * `neptune_enable_audit_log` is set on the cluster parameter group — which
+     * the builder's auto-created parameter group does by default.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
+     * @see https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html
+     */
+    cloudwatchLogsExports: [LogType.AUDIT],
+    /**
+     * Expire exported audit logs after one month, matching the
+     * `@composurecdk/logs` retention default rather than keeping them forever.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/framework/cost-05.html
+     */
+    cloudwatchLogsRetention: RetentionDays.ONE_MONTH,
+    /**
+     * Copy cluster tags onto automated snapshots so cost-allocation and
+     * ownership tags survive into backups.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/framework/ops-04.html
+     */
+    copyTagsToSnapshot: true,
+    /**
+     * Apply patched minor engine versions automatically during the
+     * maintenance window.
+     * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_validate_software_integrity.html
+     */
+    autoMinorVersionUpgrade: true,
+};
+//# sourceMappingURL=cluster-defaults.js.map

package/dist/esm/cluster-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cluster-defaults.js","sourceRoot":"","sources":["../../src/cluster-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,OAAO,EAA6B,MAAM,4BAA4B,CAAC;AAEhF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAkC;IAC7D;;;;;OAKG;IACH,gBAAgB,EAAE,IAAI;IAEtB;;;;;;OAMG;IACH,iBAAiB,EAAE,IAAI;IAEvB;;;;;OAKG;IACH,aAAa,EAAE,aAAa,CAAC,MAAM;IAEnC;;;;;OAKG;IACH,kBAAkB,EAAE,IAAI;IAExB;;;;OAIG;IACH,eAAe,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAEjC;;;;;;;OAOG;IACH,qBAAqB,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAEtC;;;;OAIG;IACH,uBAAuB,EAAE,aAAa,CAAC,SAAS;IAEhD;;;;OAIG;IACH,kBAAkB,EAAE,IAAI;IAExB;;;;OAIG;IACH,uBAAuB,EAAE,IAAI;CAC9B,CAAC"}

package/dist/esm/cluster-parameter-group-defaults.d.ts

@@ -0,0 +1,30 @@
+import { EngineVersion, ParameterGroupFamily } from "@aws-cdk/aws-neptune-alpha";
+/**
+ * Default parameters applied to the cluster parameter group the builder
+ * auto-creates when the caller does not supply their own. These change
+ * engine behaviour (not just observability), so each is documented and
+ * individually overridable via `.clusterParameters({...})`.
+ *
+ * `neptune_enable_audit_log` is what actually turns audit logging on inside
+ * the engine — without it, the `cloudwatchLogsExports: [AUDIT]` cluster
+ * default creates an empty log stream. The two defaults are deliberately
+ * paired so audit logging works end-to-end out of the box.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
+ * @see https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html#auditing-enable
+ */
+export declare const CLUSTER_PARAMETER_GROUP_DEFAULTS: Record<string, string>;
+/**
+ * Derives the cluster parameter group family from a Neptune engine version.
+ *
+ * A cluster parameter group must declare a family compatible with the
+ * cluster's engine version, or the deploy fails. Rather than make the caller
+ * keep the two in sync by hand, the builder derives the family from the
+ * `engineVersion` (when set) so the auto-created parameter group is always
+ * compatible. When no engine version is pinned, Neptune uses a current
+ * 1.4.x engine, so the family defaults to {@link ParameterGroupFamily.NEPTUNE_1_4}.
+ *
+ * @see https://docs.aws.amazon.com/neptune/latest/userguide/parameters.html
+ */
+export declare function clusterParameterGroupFamily(engineVersion?: EngineVersion): ParameterGroupFamily;
+//# sourceMappingURL=cluster-parameter-group-defaults.d.ts.map

package/dist/esm/cluster-parameter-group-defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cluster-parameter-group-defaults.d.ts","sourceRoot":"","sources":["../../src/cluster-parameter-group-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAEjF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gCAAgC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAGnE,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,wBAAgB,2BAA2B,CAAC,aAAa,CAAC,EAAE,aAAa,GAAG,oBAAoB,CAgB/F"}

package/dist/esm/cluster-parameter-group-defaults.js

@@ -0,0 +1,49 @@
+import { ParameterGroupFamily } from "@aws-cdk/aws-neptune-alpha";
+/**
+ * Default parameters applied to the cluster parameter group the builder
+ * auto-creates when the caller does not supply their own. These change
+ * engine behaviour (not just observability), so each is documented and
+ * individually overridable via `.clusterParameters({...})`.
+ *
+ * `neptune_enable_audit_log` is what actually turns audit logging on inside
+ * the engine — without it, the `cloudwatchLogsExports: [AUDIT]` cluster
+ * default creates an empty log stream. The two defaults are deliberately
+ * paired so audit logging works end-to-end out of the box.
+ *
+ * @see https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html
+ * @see https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html#auditing-enable
+ */
+export const CLUSTER_PARAMETER_GROUP_DEFAULTS = {
+    /** Enable engine audit logging so the audit log export carries data. */
+    neptune_enable_audit_log: "1",
+};
+/**
+ * Derives the cluster parameter group family from a Neptune engine version.
+ *
+ * A cluster parameter group must declare a family compatible with the
+ * cluster's engine version, or the deploy fails. Rather than make the caller
+ * keep the two in sync by hand, the builder derives the family from the
+ * `engineVersion` (when set) so the auto-created parameter group is always
+ * compatible. When no engine version is pinned, Neptune uses a current
+ * 1.4.x engine, so the family defaults to {@link ParameterGroupFamily.NEPTUNE_1_4}.
+ *
+ * @see https://docs.aws.amazon.com/neptune/latest/userguide/parameters.html
+ */
+export function clusterParameterGroupFamily(engineVersion) {
+    // version strings are "major.minor.patch.build", e.g. "1.4.5.1".
+    const [major, minor] = (engineVersion?.version ?? "1.4").split(".");
+    const majorMinor = `${major}.${minor}`;
+    switch (majorMinor) {
+        case "1.0":
+        case "1.1":
+            return ParameterGroupFamily.NEPTUNE_1;
+        case "1.2":
+            return ParameterGroupFamily.NEPTUNE_1_2;
+        case "1.3":
+            return ParameterGroupFamily.NEPTUNE_1_3;
+        default:
+            // 1.4 and anything newer the builder has not been taught about yet.
+            return ParameterGroupFamily.NEPTUNE_1_4;
+    }
+}
+//# sourceMappingURL=cluster-parameter-group-defaults.js.map

package/dist/esm/cluster-parameter-group-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cluster-parameter-group-defaults.js","sourceRoot":"","sources":["../../src/cluster-parameter-group-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAEjF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2B;IACtE,wEAAwE;IACxE,wBAAwB,EAAE,GAAG;CAC9B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,2BAA2B,CAAC,aAA6B;IACvE,iEAAiE;IACjE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,IAAI,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,GAAG,KAAK,IAAI,KAAK,EAAE,CAAC;IACvC,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,KAAK,CAAC;QACX,KAAK,KAAK;YACR,OAAO,oBAAoB,CAAC,SAAS,CAAC;QACxC,KAAK,KAAK;YACR,OAAO,oBAAoB,CAAC,WAAW,CAAC;QAC1C,KAAK,KAAK;YACR,OAAO,oBAAoB,CAAC,WAAW,CAAC;QAC1C;YACE,oEAAoE;YACpE,OAAO,oBAAoB,CAAC,WAAW,CAAC;IAC5C,CAAC;AACH,CAAC"}

package/dist/esm/index.d.ts

@@ -0,0 +1,6 @@
+export { createClusterBuilder, type ClusterAccessor, type ClusterBuilderProps, type ClusterBuilderResult, type IClusterBuilder, } from "./cluster-builder.js";
+export { CLUSTER_DEFAULTS } from "./cluster-defaults.js";
+export { CLUSTER_PARAMETER_GROUP_DEFAULTS, clusterParameterGroupFamily, } from "./cluster-parameter-group-defaults.js";
+export { type NeptuneClusterAlarmConfig } from "./cluster-alarm-config.js";
+export { CLUSTER_ALARM_DEFAULTS } from "./cluster-alarm-defaults.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oBAAoB,EACpB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,eAAe,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EACL,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EAAE,KAAK,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/esm/index.js

@@ -0,0 +1,5 @@
+export { createClusterBuilder, } from "./cluster-builder.js";
+export { CLUSTER_DEFAULTS } from "./cluster-defaults.js";
+export { CLUSTER_PARAMETER_GROUP_DEFAULTS, clusterParameterGroupFamily, } from "./cluster-parameter-group-defaults.js";
+export { CLUSTER_ALARM_DEFAULTS } from "./cluster-alarm-defaults.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oBAAoB,GAKrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EACL,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uCAAuC,CAAC;AAE/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "@composurecdk/neptune",
+  "version": "0.8.3",
+  "description": "Composable Amazon Neptune cluster builder with well-architected defaults",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/laazyj/composureCDK",
+    "directory": "packages/neptune"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "clean": "rm -rf dist .tshy .tshy-build",
+    "build": "tshy",
+    "typecheck": "tsc --noEmit",
+    "check:exports": "attw --pack . --profile node16 && publint",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest"
+  },
+  "keywords": [],
+  "author": "Jason Duffett (https://github.com/laazyj)",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "engines": {
+    "node": ">=20"
+  },
+  "tshy": {
+    "exports": {
+      "./package.json": "./package.json",
+      ".": "./src/index.ts"
+    }
+  },
+  "peerDependencies": {
+    "@aws-cdk/aws-neptune-alpha": "^2.257.0-alpha.0",
+    "@composurecdk/cloudformation": "^0.8.0",
+    "@composurecdk/cloudwatch": "^0.8.0",
+    "@composurecdk/core": "^0.8.0",
+    "aws-cdk-lib": "^2.257.0",
+    "constructs": "^10.0.0"
+  },
+  "devDependencies": {
+    "@aws-cdk/aws-neptune-alpha": "2.257.0-alpha.0",
+    "@types/node": "^25.9.1",
+    "aws-cdk-lib": "^2.257.0",
+    "constructs": "^10.6.0",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.7"
+  },
+  "exports": {
+    "./package.json": "./package.json",
+    ".": {
+      "import": {
+        "types": "./dist/esm/index.d.ts",
+        "default": "./dist/esm/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/index.d.ts",
+        "default": "./dist/commonjs/index.js"
+      }
+    }
+  },
+  "main": "./dist/commonjs/index.js",
+  "types": "./dist/commonjs/index.d.ts",
+  "module": "./dist/esm/index.js"
+}