@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/waf.js

@@ -0,0 +1,350 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WafConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
+const logs = __importStar(require("aws-cdk-lib/aws-logs"));
+/**
+ * WAF v2 Construct — สร้าง WebACL พร้อม AWS Managed Rule Sets
+ *
+ * Features:
+ * - AWS Managed Rule Groups (Common, SQLi, KnownBadInputs, etc.)
+ * - Rate Limiting per IP
+ * - Geo Blocking
+ * - IP Allow/Block Lists
+ * - CloudWatch Logging (filtered)
+ *
+ * Scopes:
+ * - CLOUDFRONT → ต้อง deploy ใน us-east-1, ใช้กับ CloudFront
+ * - REGIONAL   → ใช้กับ ALB, API Gateway, AppSync
+ */
+class WafConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // A. Create IP Sets (if configured)
+        const ipSets = this.createIpSets(config);
+        // B. Build all rules
+        const rules = this.buildRules(config, ipSets);
+        // C. Create WebACL
+        this.webAcl = this.createWebAcl(config, rules);
+        this.webAclArn = this.webAcl.attrArn;
+        // D. Create Logging (optional)
+        if (config.logging) {
+            this.logGroup = this.createLogging(config);
+        }
+        // E. (Optional) Associate with resources (REGIONAL scope only)
+        if (config.scope === 'REGIONAL' && config.associatedResourceArns) {
+            this.createAssociations(config.associatedResourceArns);
+        }
+        // F. Apply Removal Policy
+        this.webAcl.applyRemovalPolicy(this.removalPolicy);
+        // G. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // IP Sets
+    // ==========================================
+    createIpSets(config) {
+        const ipSets = new Map();
+        if (config.ipAllowList) {
+            const allowSet = this.createIpSet('AllowList', config.ipAllowList, config.scope);
+            ipSets.set('allow', allowSet);
+        }
+        if (config.ipBlockList) {
+            const blockSet = this.createIpSet('BlockList', config.ipBlockList, config.scope);
+            ipSets.set('block', blockSet);
+        }
+        return ipSets;
+    }
+    createIpSet(logicalId, ipSetConfig, scope) {
+        const ipSet = new wafv2.CfnIPSet(this, logicalId, {
+            name: ipSetConfig.name,
+            scope,
+            ipAddressVersion: ipSetConfig.ipAddressVersion ?? 'IPV4',
+            addresses: ipSetConfig.addresses,
+            description: `${ipSetConfig.action} list — ${ipSetConfig.name}`,
+        });
+        ipSet.applyRemovalPolicy(this.removalPolicy);
+        return ipSet;
+    }
+    // ==========================================
+    // Build Rules
+    // ==========================================
+    buildRules(config, ipSets) {
+        const rules = [];
+        const metricsEnabled = config.enableCloudWatchMetrics !== false;
+        const sampledEnabled = config.enableSampledRequests !== false;
+        // ── IP Allow List ──
+        if (config.ipAllowList && ipSets.has('allow')) {
+            rules.push({
+                name: config.ipAllowList.name,
+                priority: config.ipAllowList.priority,
+                statement: {
+                    ipSetReferenceStatement: {
+                        arn: ipSets.get('allow').attrArn,
+                    },
+                },
+                action: this.resolveAction(config.ipAllowList.action),
+                visibilityConfig: {
+                    cloudWatchMetricsEnabled: metricsEnabled,
+                    sampledRequestsEnabled: sampledEnabled,
+                    metricName: config.ipAllowList.name.replace(/[^a-zA-Z0-9]/g, ''),
+                },
+            });
+        }
+        // ── IP Block List ──
+        if (config.ipBlockList && ipSets.has('block')) {
+            rules.push({
+                name: config.ipBlockList.name,
+                priority: config.ipBlockList.priority,
+                statement: {
+                    ipSetReferenceStatement: {
+                        arn: ipSets.get('block').attrArn,
+                    },
+                },
+                action: this.resolveAction(config.ipBlockList.action),
+                visibilityConfig: {
+                    cloudWatchMetricsEnabled: metricsEnabled,
+                    sampledRequestsEnabled: sampledEnabled,
+                    metricName: config.ipBlockList.name.replace(/[^a-zA-Z0-9]/g, ''),
+                },
+            });
+        }
+        // ── Geo Blocking ──
+        if (config.geoBlock) {
+            const geoAction = config.geoBlock.action === 'count'
+                ? { count: {} }
+                : { block: {} };
+            rules.push({
+                name: 'GeoBlocking',
+                priority: config.geoBlock.priority,
+                statement: {
+                    geoMatchStatement: {
+                        countryCodes: config.geoBlock.countryCodes,
+                    },
+                },
+                action: geoAction,
+                visibilityConfig: {
+                    cloudWatchMetricsEnabled: metricsEnabled,
+                    sampledRequestsEnabled: sampledEnabled,
+                    metricName: 'GeoBlocking',
+                },
+            });
+        }
+        // ── Rate Limiting ──
+        if (config.rateLimit) {
+            const rlAction = config.rateLimit.action === 'count'
+                ? { count: {} }
+                : { block: {} };
+            rules.push({
+                name: 'RateLimitPerIP',
+                priority: config.rateLimit.priority,
+                statement: {
+                    rateBasedStatement: {
+                        limit: config.rateLimit.limit,
+                        aggregateKeyType: 'IP',
+                    },
+                },
+                action: rlAction,
+                visibilityConfig: {
+                    cloudWatchMetricsEnabled: metricsEnabled,
+                    sampledRequestsEnabled: sampledEnabled,
+                    metricName: 'RateLimitPerIP',
+                },
+            });
+        }
+        // ── AWS Managed Rule Groups ──
+        if (config.managedRuleGroups) {
+            config.managedRuleGroups.forEach((rg) => {
+                rules.push(this.buildManagedRuleGroup(rg, metricsEnabled, sampledEnabled));
+            });
+        }
+        return rules;
+    }
+    buildManagedRuleGroup(rg, metricsEnabled, sampledEnabled) {
+        // Build excluded rules list
+        const excludedRules = rg.excludedRules?.map((ruleName) => ({
+            name: ruleName,
+        }));
+        // Build rule action overrides
+        const ruleActionOverrides = rg.ruleOverrides
+            ? Object.entries(rg.ruleOverrides).map(([ruleName, action]) => ({
+                name: ruleName,
+                actionToUse: this.resolveAction(action),
+            }))
+            : undefined;
+        // Override action: 'none' = enforce rules, 'count' = count only
+        const overrideAction = rg.overrideAction === 'count'
+            ? { count: {} }
+            : { none: {} };
+        return {
+            name: rg.name,
+            priority: rg.priority,
+            overrideAction,
+            statement: {
+                managedRuleGroupStatement: {
+                    vendorName: rg.vendorName ?? 'AWS',
+                    name: rg.name,
+                    excludedRules,
+                    ruleActionOverrides,
+                },
+            },
+            visibilityConfig: {
+                cloudWatchMetricsEnabled: metricsEnabled,
+                sampledRequestsEnabled: sampledEnabled,
+                metricName: rg.name.replace(/[^a-zA-Z0-9]/g, ''),
+            },
+        };
+    }
+    resolveAction(action) {
+        switch (action) {
+            case 'allow':
+                return { allow: {} };
+            case 'block':
+                return { block: {} };
+            case 'count':
+            default:
+                return { count: {} };
+        }
+    }
+    // ==========================================
+    // WebACL
+    // ==========================================
+    createWebAcl(config, rules) {
+        const defaultAction = config.defaultAction === 'block'
+            ? { block: {} }
+            : { allow: {} };
+        const metricsEnabled = config.enableCloudWatchMetrics !== false;
+        const sampledEnabled = config.enableSampledRequests !== false;
+        return new wafv2.CfnWebACL(this, 'WebACL', {
+            name: config.webAclName,
+            description: config.description ?? `WAF WebACL for ${config.stackName}`,
+            scope: config.scope,
+            defaultAction,
+            rules,
+            visibilityConfig: {
+                cloudWatchMetricsEnabled: metricsEnabled,
+                sampledRequestsEnabled: sampledEnabled,
+                metricName: config.webAclName.replace(/[^a-zA-Z0-9]/g, ''),
+            },
+        });
+    }
+    // ==========================================
+    // Logging
+    // ==========================================
+    createLogging(config) {
+        const logConfig = config.logging;
+        const logRemoval = logConfig.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // ⚠️ WAF log group name ต้องขึ้นต้นด้วย 'aws-waf-logs-'
+        const logGroup = new logs.LogGroup(this, 'LogGroup', {
+            logGroupName: `aws-waf-logs-${config.stackName}`,
+            retention: logConfig.retention ?? logs.RetentionDays.ONE_MONTH,
+            removalPolicy: logRemoval,
+        });
+        // Logging Configuration
+        const loggingConfig = new wafv2.CfnLoggingConfiguration(this, 'LoggingConfig', {
+            resourceArn: this.webAcl.attrArn,
+            logDestinationConfigs: [logGroup.logGroupArn],
+        });
+        // Log filter — default: log blocked requests only
+        if (logConfig.logFilter !== 'all') {
+            loggingConfig.addPropertyOverride('LoggingFilter', {
+                DefaultBehavior: 'DROP',
+                Filters: [{
+                        Behavior: 'KEEP',
+                        Conditions: [{
+                                ActionCondition: { Action: 'BLOCK' },
+                            }],
+                        Requirement: 'MEETS_ANY',
+                    }],
+            });
+        }
+        // Dependency: LoggingConfiguration ต้องสร้างหลัง WebACL
+        loggingConfig.addDependency(this.webAcl);
+        return logGroup;
+    }
+    // ==========================================
+    // Resource Associations (REGIONAL only)
+    // ==========================================
+    createAssociations(resourceArns) {
+        resourceArns.forEach((arn, index) => {
+            const assoc = new wafv2.CfnWebACLAssociation(this, `Association${index}`, {
+                webAclArn: this.webAcl.attrArn,
+                resourceArn: arn,
+            });
+            assoc.addDependency(this.webAcl);
+        });
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        new cdk.CfnOutput(stack, 'WebACLArn', {
+            value: this.webAcl.attrArn,
+            description: 'WAF WebACL ARN',
+            exportName: `${config.stackName}-WebACL-Arn`,
+        });
+        new cdk.CfnOutput(stack, 'WebACLId', {
+            value: this.webAcl.ref,
+            description: 'WAF WebACL ID',
+            exportName: `${config.stackName}-WebACL-Id`,
+        });
+        new cdk.CfnOutput(stack, 'WebACLName', {
+            value: config.webAclName,
+            description: 'WAF WebACL Name',
+        });
+        new cdk.CfnOutput(stack, 'WAFScope', {
+            value: config.scope,
+            description: 'WAF Scope (CLOUDFRONT or REGIONAL)',
+        });
+        if (this.logGroup) {
+            new cdk.CfnOutput(stack, 'LogGroupName', {
+                value: this.logGroup.logGroupName,
+                description: 'WAF Log Group Name',
+            });
+        }
+    }
+}
+exports.WafConstruct = WafConstruct;

package/dist/aws-cdk/interfaces/account-config.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Account Configuration Interface
+ *
+ * ใช้เป็น "resource" กลางสำหรับกำหนด region ให้แต่ละ environment
+ *
+ * account ID มาจาก --profile ตอน deploy (CDK_DEFAULT_ACCOUNT) ไม่ต้องใส่ใน config
+ *
+ * วิธีใช้:
+ * 1. สร้าง AccountConfig ใน configs/accounts/ (เช่น myapp-prod.ts)
+ * 2. ทุก service config ใส่ accountConfigName เพื่ออ้างอิง
+ * 3. bin/main.ts จะ resolve region จาก accountConfigName, account จาก --profile
+ */
+export interface AccountConfig {
+    /** ชื่อ account config (ใช้อ้างอิงจาก service configs) */
+    name: string;
+    /** AWS Region (e.g., 'us-east-1') — override region จาก profile */
+    region: string;
+}

package/dist/aws-cdk/interfaces/account-config.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/acm-config.d.ts

@@ -0,0 +1,94 @@
+/**
+ * ACM Configuration Interface
+ *
+ * รองรับ 2 โหมด:
+ * - request: ขอ certificate ใหม่จาก ACM (DNS/Email validation)
+ * - import:  นำเข้า certificate ที่มีอยู่แล้ว (PEM format)
+ *
+ * วิธีใช้:
+ * 1. สร้าง AcmConfig ใน configs/acm/ (เช่น demo-dev-acm-e1.ts)
+ * 2. ลงทะเบียนใน configs/acm/index.ts
+ * 3. bin/main.ts จะสร้าง AcmStack อัตโนมัติ
+ */
+/** โหมดการสร้าง Certificate */
+export type AcmMode = 'request' | 'import';
+/** วิธี Validation สำหรับ request mode */
+export type AcmValidationMethod = 'DNS' | 'EMAIL';
+/**
+ * Request mode config — ขอ certificate ใหม่จาก ACM
+ */
+export interface AcmRequestConfig {
+    /** Domain name หลัก (e.g., 'example.com') */
+    domainName: string;
+    /** Subject Alternative Names (e.g., ['*.example.com', 'api.example.com']) */
+    subjectAlternativeNames?: string[];
+    /** Validation method (default: 'DNS') */
+    validationMethod?: AcmValidationMethod;
+    /**
+     * Route53 Hosted Zone ID — ถ้าใส่จะสร้าง DNS validation record อัตโนมัติ
+     * (ใช้ได้เฉพาะ validationMethod = 'DNS')
+     */
+    hostedZoneId?: string;
+    /** Hosted Zone name (required if hostedZoneId is set) */
+    hostedZoneName?: string;
+    /** Key algorithm (default: 'RSA_2048') */
+    keyAlgorithm?: 'RSA_2048' | 'EC_prime256v1' | 'EC_secp384r1';
+    /**
+     * Enable transparency logging (default: true)
+     * Certificate Transparency Logging ช่วยตรวจสอบว่า cert ถูก issue อย่างถูกต้อง
+     */
+    transparencyLoggingEnabled?: boolean;
+}
+/**
+ * Import mode config — นำเข้า certificate ที่มีอยู่แล้ว
+ *
+ * ใช้ SSM Parameter Store หรือ Secrets Manager เก็บค่า PEM
+ * (ไม่ควร hardcode ค่า PEM ใน config โดยตรง)
+ */
+export interface AcmImportConfig {
+    /** Certificate body (PEM format) — หรือ SSM parameter name ที่เก็บค่า */
+    certificateBodyParam: string;
+    /** Certificate private key (PEM format) — หรือ Secrets Manager ARN ที่เก็บค่า */
+    privateKeyParam: string;
+    /** Certificate chain (PEM format) — optional, หรือ SSM parameter name */
+    certificateChainParam?: string;
+}
+/**
+ * ACM Config — รวม request + import mode
+ */
+export interface AcmConfig {
+    /** ชื่อ CloudFormation stack (ถ้าใช้ regions จะถูก suffix ด้วย region shorthand อัตโนมัติ) */
+    stackName: string;
+    /** AWS Region (ถ้าไม่กำหนดจะใช้ CDK_DEFAULT_REGION) */
+    region?: string;
+    /** AWS Account (ถ้าไม่กำหนดจะใช้ CDK_DEFAULT_ACCOUNT) */
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /**
+     * สร้าง certificate ในหลาย regions พร้อมกัน
+     * เช่น ['ap-southeast-7', 'us-east-1']
+     *
+     * ถ้าใส่ regions:
+     * - stackName จะถูก suffix ด้วย region shorthand (e.g., 'my-acm' → 'my-acm-apse7', 'my-acm-use1')
+     * - จะสร้าง 1 stack ต่อ 1 region
+     * - ไม่ต้องใส่ region / accountConfigName (จะถูก override)
+     *
+     * ถ้าไม่ใส่ regions → ใช้ region เดียวจาก accountConfigName / region / CDK_DEFAULT_REGION
+     */
+    regions?: string[];
+    /** โหมดการสร้าง certificate */
+    mode: AcmMode;
+    /** Config สำหรับ request mode (required if mode = 'request') */
+    request?: AcmRequestConfig;
+    /** Config สำหรับ import mode (required if mode = 'import') */
+    import?: AcmImportConfig;
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** Export certificate ARN เป็น CfnOutput (default: true) */
+    enableExport?: boolean;
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/acm-config.js

@@ -0,0 +1,14 @@
+"use strict";
+/**
+ * ACM Configuration Interface
+ *
+ * รองรับ 2 โหมด:
+ * - request: ขอ certificate ใหม่จาก ACM (DNS/Email validation)
+ * - import:  นำเข้า certificate ที่มีอยู่แล้ว (PEM format)
+ *
+ * วิธีใช้:
+ * 1. สร้าง AcmConfig ใน configs/acm/ (เช่น demo-dev-acm-e1.ts)
+ * 2. ลงทะเบียนใน configs/acm/index.ts
+ * 3. bin/main.ts จะสร้าง AcmStack อัตโนมัติ
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/alb-config.d.ts

@@ -0,0 +1,72 @@
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+export type AlbScheme = 'internet-facing' | 'internal';
+export interface AlbListenerConfig {
+    /** Enable HTTP listener (default: true) */
+    httpEnabled?: boolean;
+    /** HTTP port (default: 80) */
+    httpPort?: number;
+    /** Redirect HTTP to HTTPS (default: true if HTTPS is enabled) */
+    httpRedirectToHttps?: boolean;
+    /** Enable HTTPS listener (default: true) */
+    httpsEnabled?: boolean;
+    /** HTTPS port (default: 443) */
+    httpsPort?: number;
+    /** ACM certificate ARN - required if httpsEnabled */
+    certificateArn?: string;
+    /** Additional certificates for same listener */
+    additionalCertificateArns?: string[];
+    /** SSL policy (default: RECOMMENDED_TLS) */
+    sslPolicy?: elbv2.SslPolicy;
+}
+export interface AlbSecurityConfig {
+    /** Allow HTTP from 0.0.0.0/0 (default: true for internet-facing) */
+    allowHttpFromAnywhere?: boolean;
+    /** Allow HTTPS from 0.0.0.0/0 (default: true for internet-facing) */
+    allowHttpsFromAnywhere?: boolean;
+    /** Additional CIDRs to allow */
+    allowFromCidrs?: string[];
+    /** Additional Security Group IDs to allow */
+    allowFromSecurityGroupIds?: string[];
+    /** Drop invalid HTTP headers (default: true) */
+    dropInvalidHeaderFields?: boolean;
+    /** Idle timeout in seconds (default: 60) */
+    idleTimeoutSeconds?: number;
+}
+/**
+ * VpcRef - อ้างอิง VPC stack ใน CDK app เดียวกัน
+ */
+export interface AlbVpcRefSource {
+    vpcStackName: string;
+    /** ใช้ subnet ชื่ออะไร (default: 'public') */
+    subnetName?: string;
+}
+export interface AlbConfig {
+    stackName: string;
+    albName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** Custom Security Group name (optional, removes CDK hash suffix) */
+    securityGroupName?: string;
+    /** ALB scheme */
+    scheme: AlbScheme;
+    /** VPC source - อ้างอิง VPC stack */
+    source: AlbVpcRefSource;
+    /** Listener configuration */
+    listener?: AlbListenerConfig;
+    /** Security configuration */
+    security?: AlbSecurityConfig;
+    /** Deletion protection (default: false) */
+    deletionProtection?: boolean;
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** Access logs */
+    accessLogsEnabled?: boolean;
+    accessLogsBucket?: string;
+    accessLogsPrefix?: string;
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/alb-config.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/bastion-config.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Bastion Host Configuration Interface
+ *
+ * สำหรับสร้าง EC2 Bastion Host เพื่อ:
+ * - เข้าถึง RDS สำหรับ migrate ข้อมูล
+ * - Mount EFS สำหรับอัปโหลดไฟล์
+ * - ส่ง SSH key ให้ vendor ได้
+ */
+export interface BastionVpcRefSource {
+    vpcStackName: string;
+    /** ใช้ subnet ชื่ออะไรสำหรับวาง Bastion (default: 'private') */
+    subnetName?: string;
+}
+export interface BastionEfsMount {
+    /** EFS stack name สำหรับ cross-stack reference */
+    efsStackName: string;
+    /** Mount path บน EC2 (default: '/mnt/efs') */
+    mountPath?: string;
+    /** Access Point name ที่จะใช้ (optional) */
+    accessPointName?: string;
+}
+export interface BastionRdsAccess {
+    /** RDS stack name สำหรับ cross-stack reference */
+    rdsStackName: string;
+    /** Port ของ database (default: 3306) */
+    port?: number;
+}
+export interface BastionRedisAccess {
+    /** ElastiCache stack name สำหรับ cross-stack reference */
+    elastiCacheStackName: string;
+    /** Port ของ Redis (default: 6379) */
+    port?: number;
+}
+export interface BastionConfig {
+    stackName: string;
+    instanceName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** VPC source - อ้างอิง VPC stack */
+    source: BastionVpcRefSource;
+    /** Custom Security Group name (optional) */
+    securityGroupName?: string;
+    /** EC2 Instance Type (default: 't3.micro') */
+    instanceType?: string;
+    /** Key Pair name - ถ้าไม่ระบุจะสร้างใหม่ */
+    keyPairName?: string;
+    /** สร้าง Key Pair ใหม่หรือไม่ (default: true) */
+    createKeyPair?: boolean;
+    /** AMI ID (optional - ถ้าไม่ระบุจะใช้ Amazon Linux 2023) */
+    amiId?: string;
+    /** Allowed SSH CIDR blocks (default: ไม่เปิด SSH จากข้างนอก) */
+    allowedSshCidrs?: string[];
+    /** Associate public IP address (default: false) - ต้องวางใน public subnet */
+    associatePublicIpAddress?: boolean;
+    /** EBS volume size in GB (default: 20) */
+    volumeSize?: number;
+    /** EBS volume type (default: 'gp3') */
+    volumeType?: 'gp2' | 'gp3';
+    /** EFS mount configuration (optional) */
+    efsMount?: BastionEfsMount;
+    /** RDS access configuration (optional) */
+    rdsAccess?: BastionRdsAccess;
+    /** Redis access configuration (optional) */
+    redisAccess?: BastionRedisAccess;
+    /** Install MySQL/MariaDB client (default: true) */
+    installMysqlClient?: boolean;
+    /** Additional user data script (optional) */
+    additionalUserData?: string;
+    /** Removal policy (default: 'destroy' - bastion เป็น temporary) */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/bastion-config.js

@@ -0,0 +1,10 @@
+"use strict";
+/**
+ * Bastion Host Configuration Interface
+ *
+ * สำหรับสร้าง EC2 Bastion Host เพื่อ:
+ * - เข้าถึง RDS สำหรับ migrate ข้อมูล
+ * - Mount EFS สำหรับอัปโหลดไฟล์
+ * - ส่ง SSH key ให้ vendor ได้
+ */
+Object.defineProperty(exports, "__esModule", { value: true });