@dga-itc/aws-cdk-constructs 1.0.0

package/README.md

@@ -0,0 +1,219 @@
+# AWS Infrastructure Constructs
+
+Reusable AWS infrastructure constructs for AWS CDK projects.
+
+## Overview
+
+This package provides a collection of well-tested, production-ready infrastructure constructs:
+- **VPC**: Multi-AZ VPC with public/private subnets, NAT gateways, flow logs
+- **ALB**: Application Load Balancer with HTTP/HTTPS listeners
+- **NLB**: Network Load Balancer with TCP/TLS listeners
+- **ECS Cluster**: Fargate-enabled cluster with container insights
+- **ECS Service**: Fargate service with ALB integration, auto-scaling support
+- **RDS**: PostgreSQL/MySQL databases with automated backups
+- **ElastiCache**: Redis/Memcached clusters
+- **EFS**: Elastic File System with encryption
+- **Bastion**: EC2 bastion host for secure access
+- **NACL**: Network ACL rules management
+- **ECR**: Container registry with lifecycle policies
+
+## Installation
+
+### Option 1: npm link (Local Development)
+
+```bash
+# In the aws-infra-constructs directory
+npm link
+
+# In your project directory
+npm link @dga-itc/aws-cdk-constructs
+```
+
+### Option 2: File Path Reference
+
+Add to your `package.json`:
+
+```json
+{
+  "dependencies": {
+    "@dga-itc/aws-cdk-constructs": "file:../aws-infra-constructs"
+  }
+}
+```
+
+### Option 3: GitHub Packages
+
+```bash
+npm install @dga-itc/aws-cdk-constructs --registry=https://npm.pkg.github.com
+```
+
+### Option 4: npmjs.org (Public Package)
+
+```bash
+npm install @dga-itc/aws-cdk-constructs
+```
+
+## Usage
+
+### AWS CDK Example
+
+```typescript
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { VpcConstruct, AlbConstruct, EcsClusterConstruct } from '@dga-itc/aws-cdk-constructs';
+
+export class MyInfraStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    // Create VPC
+    const vpc = new VpcConstruct(this, 'MyVpc', {
+      vpcName: 'my-vpc',
+      cidr: '10.0.0.0/16',
+      maxAzs: 2,
+      natGateways: 1,
+    });
+
+    // Create ALB
+    const alb = new AlbConstruct(this, 'MyAlb', {
+      albName: 'my-alb',
+      vpc: vpc.vpc,
+      internetFacing: true,
+    });
+
+    // Create ECS Cluster
+    const cluster = new EcsClusterConstruct(this, 'MyCluster', {
+      clusterName: 'my-cluster',
+      vpc: vpc.vpc,
+      containerInsights: true,
+    });
+  }
+}
+```
+
+### Terraform CDK Example
+
+```typescript
+import { TerraformStack } from 'cdktf';
+import { Construct } from 'constructs';
+import { 
+  EcsServiceConstruct, 
+  AlbListenerRuleConstruct,
+  PriorityTracker 
+} from '@dga-itc/aws-cdk-constructs';
+
+export class MyServiceStack extends TerraformStack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const priorityTracker = new PriorityTracker();
+
+    // Create ECS Service
+    const service = new EcsServiceConstruct(this, 'api-service', {
+      serviceName: 'api',
+      environment: 'prod',
+      region: 'us-east-1',
+      accountId: '123456789012',
+      vpcId: 'vpc-xxx',
+      privateSubnetIds: ['subnet-xxx', 'subnet-yyy'],
+      ecsClusterName: 'my-cluster',
+      ecsClusterArn: 'arn:aws:ecs:...',
+      containerImage: 'nginx:latest',
+      containerPort: 80,
+      cpu: 256,
+      memory: 512,
+      desiredCount: 2,
+      healthCheckPath: '/health',
+    });
+
+    // Create ALB Listener Rule
+    const listenerRule = new AlbListenerRuleConstruct(this, 'api-rule', {
+      serviceName: 'api',
+      environment: 'prod',
+      listenerArn: 'arn:aws:elasticloadbalancing:...',
+      targetGroupArn: service.targetGroup.arn,
+      priority: priorityTracker.getNextPriority('api', '/api/*'),
+      pathPattern: '/api/*',
+    });
+
+    priorityTracker.printSummary();
+  }
+}
+```
+
+## Available Constructs
+
+### AWS CDK Constructs
+
+| Construct | Description |
+|-----------|-------------|
+| `VpcConstruct` | VPC with public/private subnets |
+| `AlbConstruct` | Application Load Balancer |
+| `NlbConstruct` | Network Load Balancer |
+| `EcsClusterConstruct` | ECS Cluster with capacity providers |
+| `EcsServiceConstruct` | ECS Service (AWS CDK version) |
+| `RdsConstruct` | RDS Database (PostgreSQL/MySQL) |
+| `ElastiCacheConstruct` | Redis cluster |
+| `EfsConstruct` | Elastic File System |
+| `BastionConstruct` | Bastion host for SSH access |
+| `NaclConstruct` | Network ACL rules |
+| `EcrConstruct` | ECR repository |
+
+### Terraform CDK Constructs
+
+| Construct | Description |
+|-----------|-------------|
+| `EcsServiceConstruct` | ECS Fargate Service with auto-scaling |
+| `AlbListenerRuleConstruct` | ALB Listener Rule with priority management |
+| `PriorityTracker` | Utility for managing ALB rule priorities |
+
+## Development
+
+### Build
+
+```bash
+npm run build
+```
+
+### Test
+
+```bash
+npm test
+```
+
+### Publish
+
+```bash
+# To npmjs.org
+npm publish
+
+# To GitHub Packages
+npm publish --registry=https://npm.pkg.github.com
+
+# To AWS CodeArtifact
+aws codeartifact login --tool npm --domain mycompany --repository npm-private
+npm publish
+```
+
+## Peer Dependencies
+
+This package requires the following peer dependencies:
+
+- `aws-cdk-lib`: ^2.0.0
+- `constructs`: ^10.0.0
+- `cdktf`: ^0.20.0
+- `@cdktf/provider-aws`: ^19.0.0
+
+Make sure these are installed in your project.
+
+## License
+
+MIT
+
+## Contributing
+
+Contributions are welcome! Please open an issue or submit a pull request.
+
+## Support
+
+For issues and questions, please open an issue on GitHub.

package/dist/aws-cdk/constructs/acm.d.ts

@@ -0,0 +1,28 @@
+import { Construct } from 'constructs';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import { AcmConfig } from '../interfaces/acm-config';
+export interface AcmConstructProps {
+    config: AcmConfig;
+}
+/**
+ * ACM Construct - สร้างหรือ import SSL/TLS Certificate
+ *
+ * Modes:
+ * - request: ขอ certificate ใหม่จาก ACM (DNS/Email validation)
+ * - import:  นำเข้า certificate จาก PEM (ผ่าน SSM/Secrets Manager)
+ */
+export declare class AcmConstruct extends Construct {
+    readonly certificate: acm.ICertificate;
+    readonly certificateArn: string;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: AcmConstructProps);
+    private validateConfig;
+    private createRequestCertificate;
+    private createImportCertificate;
+    /**
+     * ถ้า param ขึ้นต้นด้วย 'arn:aws:secretsmanager:' → ดึงจาก Secrets Manager
+     * ถ้าไม่ → ดึงจาก SSM Parameter
+     */
+    private resolvePrivateKey;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/acm.js

@@ -0,0 +1,239 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AcmConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const acm = __importStar(require("aws-cdk-lib/aws-certificatemanager"));
+const route53 = __importStar(require("aws-cdk-lib/aws-route53"));
+const ssm = __importStar(require("aws-cdk-lib/aws-ssm"));
+const secretsmanager = __importStar(require("aws-cdk-lib/aws-secretsmanager"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const cr = __importStar(require("aws-cdk-lib/custom-resources"));
+/**
+ * ACM Construct - สร้างหรือ import SSL/TLS Certificate
+ *
+ * Modes:
+ * - request: ขอ certificate ใหม่จาก ACM (DNS/Email validation)
+ * - import:  นำเข้า certificate จาก PEM (ผ่าน SSM/Secrets Manager)
+ */
+class AcmConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // Validate config
+        this.validateConfig(config);
+        // Create or Import certificate based on mode
+        if (config.mode === 'request') {
+            this.certificate = this.createRequestCertificate(config);
+        }
+        else {
+            this.certificate = this.createImportCertificate(config);
+        }
+        this.certificateArn = this.certificate.certificateArn;
+        // Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Validation
+    // ==========================================
+    validateConfig(config) {
+        if (config.mode === 'request') {
+            if (!config.request) {
+                throw new Error(`ACM "${config.stackName}": mode is 'request' but 'request' config is not provided.`);
+            }
+            if (!config.request.domainName) {
+                throw new Error(`ACM "${config.stackName}": request mode requires 'domainName'.`);
+            }
+        }
+        if (config.mode === 'import') {
+            if (!config.import) {
+                throw new Error(`ACM "${config.stackName}": mode is 'import' but 'import' config is not provided.`);
+            }
+            if (!config.import.certificateBodyParam || !config.import.privateKeyParam) {
+                throw new Error(`ACM "${config.stackName}": import mode requires 'certificateBodyParam' and 'privateKeyParam'.`);
+            }
+        }
+    }
+    // ==========================================
+    // Request Mode — ขอ certificate ใหม่จาก ACM
+    // ==========================================
+    createRequestCertificate(config) {
+        const requestConfig = config.request;
+        // Resolve validation method
+        let validation;
+        const validationMethod = requestConfig.validationMethod ?? 'DNS';
+        if (validationMethod === 'DNS' && requestConfig.hostedZoneId && requestConfig.hostedZoneName) {
+            // Auto DNS validation with Route53
+            const hostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
+                hostedZoneId: requestConfig.hostedZoneId,
+                zoneName: requestConfig.hostedZoneName,
+            });
+            validation = acm.CertificateValidation.fromDns(hostedZone);
+        }
+        else if (validationMethod === 'DNS') {
+            // DNS validation without auto-creation (manual DNS record)
+            validation = acm.CertificateValidation.fromDns();
+        }
+        else {
+            // Email validation
+            validation = acm.CertificateValidation.fromEmail();
+        }
+        // Resolve key algorithm
+        let keyAlgorithm;
+        if (requestConfig.keyAlgorithm) {
+            switch (requestConfig.keyAlgorithm) {
+                case 'RSA_2048':
+                    keyAlgorithm = acm.KeyAlgorithm.RSA_2048;
+                    break;
+                case 'EC_prime256v1':
+                    keyAlgorithm = acm.KeyAlgorithm.EC_PRIME256V1;
+                    break;
+                case 'EC_secp384r1':
+                    keyAlgorithm = acm.KeyAlgorithm.EC_SECP384R1;
+                    break;
+            }
+        }
+        const cert = new acm.Certificate(this, 'Certificate', {
+            domainName: requestConfig.domainName,
+            subjectAlternativeNames: requestConfig.subjectAlternativeNames,
+            validation,
+            keyAlgorithm,
+            transparencyLoggingEnabled: requestConfig.transparencyLoggingEnabled ?? true,
+        });
+        cert.applyRemovalPolicy(this.removalPolicy);
+        return cert;
+    }
+    // ==========================================
+    // Import Mode — นำเข้า certificate จาก PEM
+    // ==========================================
+    createImportCertificate(config) {
+        const importConfig = config.import;
+        // ใช้ AwsCustomResource เพราะ CloudFormation ไม่มี native import certificate
+        // Custom Resource จะเรียก ACM ImportCertificate API โดยตรง
+        const importParams = {
+            'Certificate': ssm.StringParameter.valueForStringParameter(this, importConfig.certificateBodyParam),
+            'PrivateKey': this.resolvePrivateKey(importConfig.privateKeyParam),
+        };
+        if (importConfig.certificateChainParam) {
+            importParams['CertificateChain'] = ssm.StringParameter.valueForStringParameter(this, importConfig.certificateChainParam);
+        }
+        const importCert = new cr.AwsCustomResource(this, 'ImportCertificate', {
+            onCreate: {
+                service: 'ACM',
+                action: 'importCertificate',
+                parameters: importParams,
+                physicalResourceId: cr.PhysicalResourceId.fromResponse('CertificateArn'),
+            },
+            onUpdate: {
+                service: 'ACM',
+                action: 'importCertificate',
+                parameters: importParams,
+                physicalResourceId: cr.PhysicalResourceId.fromResponse('CertificateArn'),
+            },
+            onDelete: {
+                service: 'ACM',
+                action: 'deleteCertificate',
+                parameters: {
+                    CertificateArn: new cr.PhysicalResourceIdReference(),
+                },
+            },
+            policy: cr.AwsCustomResourcePolicy.fromStatements([
+                new iam.PolicyStatement({
+                    actions: [
+                        'acm:ImportCertificate',
+                        'acm:DeleteCertificate',
+                        'acm:DescribeCertificate',
+                    ],
+                    resources: ['*'],
+                }),
+                new iam.PolicyStatement({
+                    actions: [
+                        'ssm:GetParameter',
+                    ],
+                    resources: ['*'],
+                }),
+                new iam.PolicyStatement({
+                    actions: [
+                        'secretsmanager:GetSecretValue',
+                    ],
+                    resources: ['*'],
+                }),
+            ]),
+        });
+        const certArn = importCert.getResponseField('CertificateArn');
+        return acm.Certificate.fromCertificateArn(this, 'ImportedCertificateRef', certArn);
+    }
+    // ==========================================
+    // Helper: Resolve Private Key
+    // ==========================================
+    /**
+     * ถ้า param ขึ้นต้นด้วย 'arn:aws:secretsmanager:' → ดึงจาก Secrets Manager
+     * ถ้าไม่ → ดึงจาก SSM Parameter
+     */
+    resolvePrivateKey(param) {
+        if (param.startsWith('arn:aws:secretsmanager:')) {
+            const secret = secretsmanager.Secret.fromSecretCompleteArn(this, 'PrivateKeySecret', param);
+            return secret.secretValue.unsafeUnwrap();
+        }
+        return ssm.StringParameter.valueForStringParameter(this, param);
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        if (config.enableExport === false)
+            return;
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'AcmCertificateArn', {
+            value: this.certificateArn,
+            description: `ACM Certificate ARN (${config.mode} mode)`,
+            exportName: `${prefix}-ACM-CertificateArn`,
+        });
+        if (config.mode === 'request' && config.request) {
+            new cdk.CfnOutput(stack, 'AcmDomainName', {
+                value: config.request.domainName,
+                description: 'ACM Certificate Domain Name',
+                exportName: `${prefix}-ACM-DomainName`,
+            });
+        }
+    }
+}
+exports.AcmConstruct = AcmConstruct;

package/dist/aws-cdk/constructs/alb.d.ts

@@ -0,0 +1,28 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { AlbConfig } from '../interfaces/alb-config';
+import { VpcConstruct } from './vpc';
+export interface AlbConstructProps {
+    config: AlbConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+}
+/**
+ * ALB Construct - สร้าง ALB + Security Group + Listeners
+ *
+ * อ้างอิง VpcConstruct จาก NetworkStack เพื่อดึง VPC + Subnets
+ */
+export declare class AlbConstruct extends Construct {
+    readonly alb: elbv2.ApplicationLoadBalancer;
+    readonly securityGroup: ec2.SecurityGroup;
+    readonly httpListener?: elbv2.ApplicationListener;
+    readonly httpsListener?: elbv2.ApplicationListener;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: AlbConstructProps);
+    private resolveVpc;
+    private createSecurityGroup;
+    private createAlb;
+    private createListeners;
+    private createOutputs;
+}