@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/interfaces/cloudfront-config.d.ts

@@ -0,0 +1,154 @@
+/**
+ * CloudFront + VPC Origin Config Interface
+ *
+ * ใช้สำหรับสร้าง CloudFront Distribution ที่ชี้ไปยัง Private ALB
+ * ผ่าน VPC Origin — ไม่ต้องเปิด ALB เป็น internet-facing
+ *
+ * Architecture:
+ *   Client → CloudFront (edge) → VPC Origin → Private ALB → ECS Fargate
+ *
+ * VPC Origin:
+ *   CloudFront จะเชื่อมต่อ ALB ผ่าน AWS backbone โดยตรง
+ *   ไม่ต้อง expose ALB ออก internet
+ */
+export interface CloudFrontVpcOriginConfig {
+    /** ชื่อ VPC Origin (display name) */
+    name: string;
+    /** HTTP port ฝั่ง origin (default: 80) */
+    httpPort?: number;
+    /** HTTPS port ฝั่ง origin (default: 443) */
+    httpsPort?: number;
+    /**
+     * Protocol policy ไป origin
+     * - 'https-only' → ส่ง HTTPS เท่านั้น (recommended)
+     * - 'http-only' → ส่ง HTTP เท่านั้น
+     * - 'match-viewer' → ส่งตาม protocol ที่ viewer ใช้
+     * (default: 'https-only')
+     */
+    originProtocolPolicy?: 'http-only' | 'https-only' | 'match-viewer';
+    /** Origin read timeout ในวินาที (default: 30) */
+    originReadTimeout?: number;
+    /** Origin keep-alive timeout ในวินาที (default: 5) */
+    originKeepaliveTimeout?: number;
+}
+export interface CloudFrontCacheBehaviorConfig {
+    /**
+     * Viewer protocol policy
+     * - 'redirect-to-https' → redirect HTTP → HTTPS (recommended)
+     * - 'https-only' → HTTPS only, reject HTTP
+     * - 'allow-all' → allow both
+     * (default: 'redirect-to-https')
+     */
+    viewerProtocolPolicy?: 'allow-all' | 'https-only' | 'redirect-to-https';
+    /** Allowed HTTP methods (default: all methods) */
+    allowedMethods?: string[];
+    /** Cached HTTP methods (default: ['GET', 'HEAD']) */
+    cachedMethods?: string[];
+    /**
+     * Cache Policy ID (AWS Managed Policies):
+     * - '658327ea-f89d-4fab-a63d-7e88639e58f6' = CachingOptimized
+     * - '4135ea2d-6df8-44a3-9df3-4b5a84be39ad' = CachingDisabled
+     * - 'b2884449-e4de-46a7-ac36-70bc7f1ddd6d' = CachingOptimizedForUncompressedObjects
+     * (default: CachingDisabled — เหมาะกับ dynamic content)
+     */
+    cachePolicyId?: string;
+    /**
+     * Origin Request Policy ID (AWS Managed Policies):
+     * - '216adef6-5c7f-47e4-b989-5492eafa07d3' = AllViewer
+     * - '33f36d7e-f396-46d9-90e0-52428a34d9dc' = AllViewerAndCloudFrontHeaders-2022-06
+     * (default: AllViewer — forward ทุก header/cookie/querystring ไป origin)
+     */
+    originRequestPolicyId?: string;
+    /** Response Headers Policy ID */
+    responseHeadersPolicyId?: string;
+    /** Compress objects automatically (default: true) */
+    compress?: boolean;
+}
+export interface CloudFrontAdditionalBehavior {
+    /** Path pattern (e.g., '/api/*', '/static/*', '*.jpg') */
+    pathPattern: string;
+    /** Cache behavior config for this path */
+    behavior: CloudFrontCacheBehaviorConfig;
+}
+export interface CloudFrontCustomErrorResponseConfig {
+    /** HTTP error code to intercept (e.g., 403, 404, 500, 502, 503, 504) */
+    errorCode: number;
+    /** Response HTTP code to return (e.g., 200 for SPA fallback) */
+    responseCode?: number;
+    /** Custom error page path (e.g., '/index.html' for SPA) */
+    responsePagePath?: string;
+    /** Error caching TTL in seconds (default: 300) */
+    errorCachingMinTtl?: number;
+}
+export interface CloudFrontConfig {
+    stackName: string;
+    /** Comment / description สำหรับ distribution */
+    distributionComment?: string;
+    /** Account config reference (ดู configs/accounts/) */
+    accountConfigName?: string;
+    account?: string;
+    region?: string;
+    /** Source references — อ้างอิง VPC + ALB stacks */
+    source: {
+        /** VPC stack name — ใช้ดึง VPC ID */
+        vpcStackName: string;
+        /** ALB stack name — ใช้ดึง ALB ARN + DNS Name */
+        albStackName: string;
+    };
+    /**
+     * ACM stack name สำหรับ CloudFront
+     * ⚠️ ต้องเป็น ACM certificate ใน us-east-1 เท่านั้น
+     * อ้างอิงจาก AcmStack (e.g., 'demo-dev-acm-request-use1')
+     */
+    acmStackName?: string;
+    /** ACM certificate ARN ตรงๆ (ต้องเป็น us-east-1) */
+    certificateArn?: string;
+    /** Minimum SSL/TLS protocol version (default: 'TLSv1.2_2021') */
+    minimumProtocolVersion?: string;
+    /** Domain aliases (e.g., ['app.example.com', 'www.example.com']) */
+    domainNames?: string[];
+    /** VPC Origin configuration */
+    vpcOrigin: CloudFrontVpcOriginConfig;
+    /** Default cache behavior (applies to all paths unless overridden) */
+    defaultCacheBehavior?: CloudFrontCacheBehaviorConfig;
+    /** Additional path-based cache behaviors */
+    additionalBehaviors?: CloudFrontAdditionalBehavior[];
+    /**
+     * WAF stack name — อ้างอิง WafStack เพื่อดึง WebACL ARN อัตโนมัติ
+     * ⚠️ WAF scope ต้องเป็น CLOUDFRONT และ deploy ใน us-east-1
+     * ถ้าระบุ wafStackName จะ override webAclId
+     */
+    wafStackName?: string;
+    /** WAF Web ACL ARN ตรงๆ (ต้องเป็น WAF v2 ใน us-east-1) */
+    webAclId?: string;
+    /**
+     * อัปเดต ALB Security Group อัตโนมัติ
+     * เพิ่ม rule allow HTTPS จาก CloudFront VPC Origin
+     * (default: true)
+     *
+     * ⚠️ สำหรับ production ควรใช้ cloudFrontPrefixListId แทน 0.0.0.0/0
+     */
+    updateAlbSecurityGroup?: boolean;
+    /**
+     * CloudFront Origin-Facing Managed Prefix List ID
+     * ใช้แทน 0.0.0.0/0 สำหรับ ALB SG rule (แนะนำสำหรับ production)
+     *
+     * ดู prefix list ID ได้จาก VPC Console → Managed Prefix Lists
+     * ชื่อ: com.amazonaws.global.cloudfront.origin-facing
+     */
+    cloudFrontPrefixListId?: string;
+    /** Price class (default: 'PriceClass_200') */
+    priceClass?: 'PriceClass_100' | 'PriceClass_200' | 'PriceClass_All';
+    /** HTTP version (default: 'http2and3') */
+    httpVersion?: 'http1.1' | 'http2' | 'http2and3' | 'http3';
+    /** Enable/disable distribution (default: true) */
+    enabled?: boolean;
+    /** Custom error responses (e.g., SPA fallback) */
+    customErrorResponses?: CloudFrontCustomErrorResponseConfig[];
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** Tag config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Additional tags */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/cloudfront-config.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * CloudFront + VPC Origin Config Interface
+ *
+ * ใช้สำหรับสร้าง CloudFront Distribution ที่ชี้ไปยัง Private ALB
+ * ผ่าน VPC Origin — ไม่ต้องเปิด ALB เป็น internet-facing
+ *
+ * Architecture:
+ *   Client → CloudFront (edge) → VPC Origin → Private ALB → ECS Fargate
+ *
+ * VPC Origin:
+ *   CloudFront จะเชื่อมต่อ ALB ผ่าน AWS backbone โดยตรง
+ *   ไม่ต้อง expose ALB ออก internet
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/ecr-config.d.ts

@@ -0,0 +1,40 @@
+export interface EcrLifecycleRule {
+    /** Rule priority (lower = higher priority) */
+    rulePriority: number;
+    /** Rule description */
+    description: string;
+    /** Tag status: 'tagged' | 'untagged' | 'any' */
+    tagStatus: 'tagged' | 'untagged' | 'any';
+    /** Tag prefix list (required if tagStatus = 'tagged') */
+    tagPrefixList?: string[];
+    /** Maximum number of images to keep */
+    maxImageCount?: number;
+    /** Maximum age of images in days */
+    maxImageAgeDays?: number;
+}
+export interface EcrConfig {
+    stackName: string;
+    repositoryName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** Image tag mutability (default: 'MUTABLE') */
+    imageTagMutability?: 'MUTABLE' | 'IMMUTABLE';
+    /** Enable image scan on push (default: true) */
+    scanOnPush?: boolean;
+    /** Empty the repository on delete (default: true when removalPolicy = 'destroy') */
+    emptyOnDelete?: boolean;
+    /** Lifecycle rules */
+    lifecycleRules?: EcrLifecycleRule[];
+    /** Shorthand: keep last N tagged images (used if lifecycleRules not specified) */
+    lifecycleMaxImages?: number;
+    /** Shorthand: delete untagged images older than N days (used if lifecycleRules not specified) */
+    lifecycleDaysUntagged?: number;
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/ecr-config.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/ecs-cluster-config.d.ts

@@ -0,0 +1,30 @@
+export interface EcsClusterConfig {
+    stackName: string;
+    clusterName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** VPC stack name ที่จะสร้าง ECS Cluster */
+    source: {
+        vpcStackName: string;
+    };
+    /** Container Insights (default: true) */
+    containerInsightsEnabled?: boolean;
+    /** Enable execute command for debugging (default: false) */
+    enableExecuteCommand?: boolean;
+    /** Default capacity provider strategy */
+    capacityProviders?: ('FARGATE' | 'FARGATE_SPOT')[];
+    /** Default capacity provider strategy weights */
+    defaultCapacityProviderStrategy?: {
+        capacityProvider: 'FARGATE' | 'FARGATE_SPOT';
+        weight: number;
+        base?: number;
+    }[];
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/ecs-cluster-config.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/ecs-service-config.d.ts

@@ -0,0 +1,237 @@
+import * as logs from 'aws-cdk-lib/aws-logs';
+/**
+ * ECS Service Mode:
+ * - 'web':    HTTP service ที่มี ALB + TargetGroup + ListenerRule
+ * - 'worker': Background service ไม่ต้อง ALB (queue processors, cron jobs)
+ */
+export type EcsServiceMode = 'web' | 'worker';
+/**
+ * Custom naming for ECS resources
+ * ใช้กำหนดชื่อ resources ให้อ่านง่าย แทน auto-generated names จาก CDK
+ */
+export interface EcsServiceNamingConfig {
+    /** Custom Target Group name (max 32 chars, web mode only) */
+    targetGroupName?: string;
+    /** Custom Task Definition family name */
+    taskDefinitionFamily?: string;
+    /** Custom Task Role name (ignored if taskRoleArn provided) */
+    taskRoleName?: string;
+    /** Custom Execution Role name (ignored if executionRoleArn provided) */
+    executionRoleName?: string;
+    /** Custom Security Group name */
+    securityGroupName?: string;
+}
+export interface EcsServiceContainerConfig {
+    /** Container / service name */
+    name: string;
+    /**
+     * Container image
+     * - ECR URI: 958563415684.dkr.ecr.ap-southeast-7.amazonaws.com/repo:tag
+     * - Docker Hub: nginx:latest
+     */
+    image: string;
+    /** Container port (default: 80) */
+    port: number;
+    /** CPU units (256 = 0.25 vCPU) */
+    cpu: number;
+    /** Memory in MiB */
+    memory: number;
+    /** Desired task count */
+    desiredCount: number;
+    /** Ephemeral storage in GiB (default: 20, range: 21-200) */
+    ephemeralStorageGiB?: number;
+    /**
+     * Enable init process (PID 1) inside the container.
+     * Required for ECS Exec to work properly on Fargate.
+     * Uses tini as init process for signal handling and zombie reaping.
+     * Default: true (when enableExecuteCommand is true)
+     */
+    initProcessEnabled?: boolean;
+    /** Command override for the container entrypoint */
+    command?: string[];
+    /** Environment variables */
+    environmentVariables?: Record<string, string>;
+    /**
+     * Secrets from AWS Secrets Manager
+     * Key = env var name in container
+     * Value = full ARN of the secret, optionally with JSON field:
+     *   - Plain secret:    'arn:aws:secretsmanager:region:account:secret:name-suffix'
+     *   - JSON field:      'arn:aws:secretsmanager:region:account:secret:name-suffix:fieldName'
+     *
+     * Example:
+     * ```
+     * secrets: {
+     *   DB_PASSWORD: 'arn:aws:secretsmanager:ap-southeast-7:123456:secret:db-creds-AbCdEf:password',
+     *   API_KEY: 'arn:aws:secretsmanager:ap-southeast-7:123456:secret:api-key-XyZwVu',
+     * }
+     * ```
+     */
+    secrets?: Record<string, string>;
+}
+export interface EcsServiceRoutingConfig {
+    /** Host header condition (e.g., 'app.example.com', ไม่ใส่ = match ทุก domain) */
+    domainName?: string;
+    /** Path pattern (e.g., '/api/*') */
+    pathPattern: string;
+    /** Listener rule priority (ต้อง unique ต่อ listener) */
+    priority: number;
+    /** Health check path */
+    healthCheckPath: string;
+    /** Health check interval in seconds (default: 30) */
+    healthCheckInterval?: number;
+    /** Health check timeout in seconds (default: 5) */
+    healthCheckTimeout?: number;
+    /** Healthy threshold count (default: 2) */
+    healthyThresholdCount?: number;
+    /** Unhealthy threshold count (default: 3) */
+    unhealthyThresholdCount?: number;
+    /** Deregistration delay in seconds (default: 30) */
+    deregistrationDelay?: number;
+}
+export interface EcsServiceLogConfig {
+    /** Log retention (default: ONE_WEEK) */
+    retention?: logs.RetentionDays;
+    /** Log group removal policy (default: DESTROY) */
+    removalPolicy?: 'destroy' | 'retain';
+}
+export interface EcsServiceSecurityGroupConfig {
+    /** Allow all TCP ports from ALB SG (default: true, ignored for worker) */
+    allowAllFromAlb?: boolean;
+    /** Additional Security Group IDs to allow all TCP from */
+    additionalSourceSgIds?: string[];
+    /** Additional CIDRs to allow inbound traffic */
+    allowFromCidrs?: string[];
+}
+/**
+ * IAM policy statement สำหรับ Task Role
+ * ใช้กรณีต้องการสร้าง inline policy ให้ Task Role อัตโนมัติ
+ */
+export interface EcsServicePolicyStatement {
+    /** Policy effect (default: 'Allow') */
+    effect?: 'Allow' | 'Deny';
+    /** Actions e.g., ['s3:GetObject', 'sqs:SendMessage'] */
+    actions: string[];
+    /** Resources e.g., ['arn:aws:s3:::my-bucket/*'] ใช้ ['*'] สำหรับ all resources */
+    resources: string[];
+}
+/**
+ * Preset policy names สำหรับ Task Role
+ * ใช้ AWS Managed Policies เป็นหลัก, fallback เป็น inline สำหรับ services ที่ไม่มี managed policy
+ *
+ * Task Role Presets (AWS Managed Policies):
+ * - 'ssm-parameters'     : AmazonSSMReadOnlyAccess
+ * - 'sqs'                : AmazonSQSFullAccess
+ * - 'sns'                : AmazonSNSFullAccess
+ * - 's3-read'            : AmazonS3ReadOnlyAccess
+ * - 's3-full'            : AmazonS3FullAccess
+ * - 'dynamodb'           : AmazonDynamoDBFullAccess
+ * - 'ses'                : AmazonSESFullAccess
+ * - 'xray'               : AWSXRayDaemonWriteAccess
+ * - 'cloudwatch-metrics' : CloudWatchAgentServerPolicy
+ * - 'bedrock'            : AmazonBedrockFullAccess
+ *
+ * Task Role Presets (Inline Policies):
+ * - 'secrets-manager'    : GetSecretValue, DescribeSecret (read-only)
+ * - 'rds-connect'        : rds-db:connect (IAM authentication)
+ * - 'elasticache'        : elasticache:Connect, Describe* (IAM auth + discovery)
+ * - 'ecs-exec'           : ssmmessages:* (ECS Exec debugging)
+ * - 'kms'                : Decrypt, GenerateDataKey (encryption)
+ *
+ * Execution Role Presets (Inline Policies):
+ * - 'exec-secrets-injection' : secretsmanager:GetSecretValue (inject secrets ตอน container start)
+ * - 'exec-ssm-injection'     : ssm:GetParameters (inject SSM params ตอน container start)
+ * - 'exec-kms'               : kms:Decrypt (decrypt secrets/params ที่เข้ารหัสด้วย KMS)
+ */
+export type TaskRolePresetPolicy = 'secrets-manager' | 'ssm-parameters' | 'sqs' | 'sns' | 's3-read' | 's3-full' | 'dynamodb' | 'rds-connect' | 'ses' | 'xray' | 'ecs-exec' | 'cloudwatch-metrics' | 'bedrock' | 'kms' | 'efs' | 'elasticache';
+export type ExecutionRolePresetPolicy = 'exec-secrets-injection' | 'exec-ssm-injection' | 'exec-kms';
+export interface EcsServiceIamConfig {
+    /**
+     * Task Role - role ที่ container ใช้ขณะ runtime
+     * - ไม่ระบุ: CDK auto-create empty role
+     * - ระบุ ARN: import existing role (ไม่สร้างใหม่)
+     */
+    taskRoleArn?: string;
+    /**
+     * Task Execution Role - role ที่ ECS agent ใช้ (pull image, write logs)
+     * - ไม่ระบุ: CDK auto-create with AmazonECSTaskExecutionRolePolicy
+     * - ระบุ ARN: import existing role (ไม่สร้างใหม่)
+     */
+    executionRoleArn?: string;
+    /**
+     * Preset policies สำหรับ Task Role
+     * เลือก preset ที่ต้องการ CDK จะสร้าง role + policies ให้อัตโนมัติ
+     * (ถูก ignore ถ้าระบุ taskRoleArn)
+     */
+    taskRolePresets?: TaskRolePresetPolicy[];
+    /**
+     * Preset policies สำหรับ Execution Role
+     * เพิ่มเติมจาก AmazonECSTaskExecutionRolePolicy ที่ CDK ให้มาแล้ว
+     * (ถูก ignore ถ้าระบุ executionRoleArn)
+     */
+    executionRolePresets?: ExecutionRolePresetPolicy[];
+    /**
+     * Inline policies สำหรับ Task Role (ใช้เมื่อไม่ได้ระบุ taskRoleArn)
+     * ใช้ร่วมกับ presets ได้ — CDK จะรวม policies ทั้งหมด
+     */
+    taskRolePolicies?: EcsServicePolicyStatement[];
+    /**
+     * AWS Managed Policy ARNs สำหรับ Task Role
+     * e.g., ['arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess']
+     */
+    taskRoleManagedPolicyArns?: string[];
+}
+export interface EcsServiceSource {
+    /** VPC stack name */
+    vpcStackName: string;
+    /** Subnet name for service tasks (default: 'private') */
+    subnetName?: string;
+    /** ECS Cluster stack name */
+    ecsClusterStackName: string;
+    /** ALB stack name (required for web mode, omit for worker) */
+    albStackName?: string;
+    /** EFS stack name - เปิด NFS ingress ที่ EFS SG ให้ ECS SG เข้าถึง (optional) */
+    efsStackName?: string;
+    /** RDS stack name - เปิด DB ingress ที่ RDS SG ให้ ECS SG เข้าถึง (optional) */
+    rdsStackName?: string;
+    /** ElastiCache stack name - เปิด Redis ingress ที่ Redis SG ให้ ECS SG เข้าถึง (optional) */
+    elastiCacheStackName?: string;
+}
+export interface EcsServiceConfig {
+    stackName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** Service mode: 'web' or 'worker' (default: 'web') */
+    serviceMode?: EcsServiceMode;
+    /** Source stack references (vpcRef mode) */
+    source: EcsServiceSource;
+    /** Custom naming for resources (optional) */
+    naming?: EcsServiceNamingConfig;
+    /** Container configuration */
+    container: EcsServiceContainerConfig;
+    /** Routing configuration (required for web mode) */
+    routing?: EcsServiceRoutingConfig;
+    /** Logging configuration */
+    logging?: EcsServiceLogConfig;
+    /** Security group configuration */
+    securityGroup?: EcsServiceSecurityGroupConfig;
+    /** IAM role configuration (optional, CDK auto-create if not specified) */
+    iam?: EcsServiceIamConfig;
+    /** Enable ECS Exec for debugging (default: true) */
+    enableExecuteCommand?: boolean;
+    /** Circuit breaker with rollback (default: true) */
+    circuitBreakerEnabled?: boolean;
+    /** Min healthy percent during deployment (default: 50) */
+    minHealthyPercent?: number;
+    /** Max healthy percent during deployment (default: 200) */
+    maxHealthyPercent?: number;
+    /** Assign public IP to tasks (default: false) */
+    assignPublicIp?: boolean;
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/ecs-service-config.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/efs-config.d.ts

@@ -0,0 +1,56 @@
+/**
+ * EFS Configuration Interface
+ *
+ * สำหรับสร้าง Elastic File System สำหรับ ECS Fargate
+ */
+export interface EfsAccessPointConfig {
+    /** Access Point name */
+    name: string;
+    /** Path in EFS */
+    path: string;
+    /** POSIX User ID (default: 33 for www-data) */
+    posixUid?: number;
+    /** POSIX Group ID (default: 33 for www-data) */
+    posixGid?: number;
+    /** Directory permissions (default: '755') */
+    permissions?: string;
+}
+export interface EfsVpcRefSource {
+    vpcStackName: string;
+    /** ใช้ subnet ชื่ออะไรสำหรับ mount targets (default: 'private-ecs') */
+    subnetName?: string;
+}
+export interface EfsConfig {
+    stackName: string;
+    fileSystemName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** VPC source - อ้างอิง VPC stack */
+    source: EfsVpcRefSource;
+    /** Custom Security Group name (optional) */
+    securityGroupName?: string;
+    /** Performance mode (default: 'generalPurpose') */
+    performanceMode?: 'generalPurpose' | 'maxIO';
+    /** Throughput mode (default: 'bursting') */
+    throughputMode?: 'bursting' | 'provisioned' | 'elastic';
+    /** Provisioned throughput in MiB/s (required if throughputMode is 'provisioned') */
+    provisionedThroughput?: number;
+    /** Enable encryption at rest (default: true) */
+    encrypted?: boolean;
+    /** KMS key ARN for encryption (optional, uses AWS managed key if not specified) */
+    kmsKeyArn?: string;
+    /** Lifecycle policy - transition to IA after N days (default: 30) */
+    transitionToIaAfterDays?: number;
+    /** Lifecycle policy - transition to primary storage after N accesses (optional) */
+    transitionToPrimaryStorageAfterAccesses?: number;
+    /** Access points to create */
+    accessPoints?: EfsAccessPointConfig[];
+    /** Removal policy (default: 'retain' for data safety) */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/efs-config.js

@@ -0,0 +1,7 @@
+"use strict";
+/**
+ * EFS Configuration Interface
+ *
+ * สำหรับสร้าง Elastic File System สำหรับ ECS Fargate
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/elasticache-config.d.ts

@@ -0,0 +1,56 @@
+/**
+ * ElastiCache Redis Configuration Interface
+ *
+ * สำหรับสร้าง ElastiCache Redis Replication Group
+ */
+export interface ElastiCacheVpcRefSource {
+    vpcStackName: string;
+    /** ใช้ subnet ชื่ออะไร (default: 'cache') */
+    subnetName?: string;
+}
+export interface ElastiCacheConfig {
+    stackName: string;
+    clusterName: string;
+    region?: string;
+    account?: string;
+    /** อ้างอิง Account Config name (ดู configs/accounts/) */
+    accountConfigName?: string;
+    /** VPC source - อ้างอิง VPC stack */
+    source: ElastiCacheVpcRefSource;
+    /** Custom Security Group name (optional) */
+    securityGroupName?: string;
+    /** Redis engine version (default: '7.0') */
+    engineVersion?: string;
+    /** Node type (default: 'cache.t3.micro') */
+    nodeType?: string;
+    /** Number of cache clusters/nodes (default: 2 for Multi-AZ) */
+    numCacheClusters?: number;
+    /** Enable Multi-AZ (default: true) */
+    multiAzEnabled?: boolean;
+    /** Enable automatic failover (default: true) */
+    automaticFailoverEnabled?: boolean;
+    /** Enable encryption at rest (default: true) */
+    atRestEncryptionEnabled?: boolean;
+    /** Enable encryption in transit (default: true) */
+    transitEncryptionEnabled?: boolean;
+    /** Auth token from Secrets Manager ARN (optional) */
+    authTokenSecretArn?: string;
+    /** Snapshot retention limit in days (default: 5) */
+    snapshotRetentionLimit?: number;
+    /** Snapshot window (default: '03:00-05:00') */
+    snapshotWindow?: string;
+    /** Maintenance window (default: 'sun:05:00-sun:07:00') */
+    maintenanceWindow?: string;
+    /** Port (default: 6379) */
+    port?: number;
+    /** Parameter group family (default: 'redis7') */
+    parameterGroupFamily?: string;
+    /** Custom parameters */
+    parameters?: Record<string, string>;
+    /** Removal policy (default: 'retain' for data safety) */
+    removalPolicy?: 'destroy' | 'retain';
+    /** อ้างอิง Tag Config name (ดู configs/tags/) */
+    tagConfigName?: string;
+    /** Tags เสริม — merge กับ tagConfigName (override ถ้า key ซ้ำ) */
+    tags?: Record<string, string>;
+}

package/dist/aws-cdk/interfaces/elasticache-config.js

@@ -0,0 +1,7 @@
+"use strict";
+/**
+ * ElastiCache Redis Configuration Interface
+ *
+ * สำหรับสร้าง ElastiCache Redis Replication Group
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/aws-cdk/interfaces/nacl-config.d.ts

@@ -0,0 +1 @@
+export { NaclRuleConfig, NaclConfig } from '../constructs/nacl';

package/dist/aws-cdk/interfaces/nacl-config.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+// Note: NetworkSecurityConfig and NaclVpcSource are stack-level types, not included in this package