@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/alb.js

@@ -0,0 +1,304 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AlbConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
+const acm = __importStar(require("aws-cdk-lib/aws-certificatemanager"));
+/**
+ * ALB Construct - สร้าง ALB + Security Group + Listeners
+ *
+ * อ้างอิง VpcConstruct จาก NetworkStack เพื่อดึง VPC + Subnets
+ */
+class AlbConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // ------------------------------------------
+        // A. Resolve VPC & Subnets
+        // ------------------------------------------
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // ------------------------------------------
+        // B. Create Security Group
+        // ------------------------------------------
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // ------------------------------------------
+        // C. Create ALB
+        // ------------------------------------------
+        this.alb = this.createAlb(config, vpc, subnets);
+        // ------------------------------------------
+        // D. Create Listeners
+        // ------------------------------------------
+        const { httpListener, httpsListener } = this.createListeners(config);
+        this.httpListener = httpListener;
+        this.httpsListener = httpsListener;
+        // ------------------------------------------
+        // E. Apply Removal Policy
+        // ------------------------------------------
+        this.alb.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // ------------------------------------------
+        // F. Outputs
+        // ------------------------------------------
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'public';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const azs = [];
+        const routeTableIds = [];
+        // Find matching subnet keys from vpcConstruct.subnets map
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `VpcRefSubnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'VpcRefVpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            publicSubnetIds: config.scheme === 'internet-facing' ? subnetIds : undefined,
+            publicSubnetRouteTableIds: config.scheme === 'internet-facing' && hasRtIds ? routeTableIds : undefined,
+            privateSubnetIds: config.scheme === 'internal' ? subnetIds : undefined,
+            privateSubnetRouteTableIds: config.scheme === 'internal' && hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const security = config.security ?? {};
+        const isInternetFacing = config.scheme === 'internet-facing';
+        const sg = new ec2.SecurityGroup(this, 'AlbSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName,
+            description: `Security group for ${config.albName} ALB (${config.scheme})`,
+            allowAllOutbound: true,
+        });
+        // HTTP Ingress
+        const allowHttp = security.allowHttpFromAnywhere ?? isInternetFacing;
+        if (allowHttp) {
+            const httpPort = config.listener?.httpPort ?? 80;
+            sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(httpPort), `Allow HTTP from anywhere (port ${httpPort})`);
+        }
+        // HTTPS Ingress
+        const allowHttps = security.allowHttpsFromAnywhere ?? isInternetFacing;
+        if (allowHttps) {
+            const httpsPort = config.listener?.httpsPort ?? 443;
+            sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(httpsPort), `Allow HTTPS from anywhere (port ${httpsPort})`);
+        }
+        // Additional CIDRs
+        if (security.allowFromCidrs) {
+            security.allowFromCidrs.forEach((cidr, index) => {
+                sg.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.allTraffic(), `Allow from additional CIDR ${index + 1}: ${cidr}`);
+            });
+        }
+        // Additional Security Groups
+        if (security.allowFromSecurityGroupIds) {
+            security.allowFromSecurityGroupIds.forEach((sgId, index) => {
+                sg.addIngressRule(ec2.Peer.securityGroupId(sgId), ec2.Port.allTraffic(), `Allow from additional SG ${index + 1}: ${sgId}`);
+            });
+        }
+        return sg;
+    }
+    // ==========================================
+    // Create ALB
+    // ==========================================
+    createAlb(config, vpc, subnets) {
+        const security = config.security ?? {};
+        return new elbv2.ApplicationLoadBalancer(this, 'ApplicationLoadBalancer', {
+            vpc,
+            vpcSubnets: { subnets },
+            loadBalancerName: config.albName,
+            internetFacing: config.scheme === 'internet-facing',
+            securityGroup: this.securityGroup,
+            deletionProtection: config.deletionProtection ?? false,
+            idleTimeout: cdk.Duration.seconds(security.idleTimeoutSeconds ?? 60),
+            dropInvalidHeaderFields: security.dropInvalidHeaderFields ?? true,
+        });
+    }
+    // ==========================================
+    // Create Listeners
+    // ==========================================
+    createListeners(config) {
+        const listenerConfig = config.listener ?? {};
+        let httpListener;
+        let httpsListener;
+        // HTTPS Listener
+        const httpsEnabled = listenerConfig.httpsEnabled ?? true;
+        if (httpsEnabled) {
+            if (!listenerConfig.certificateArn) {
+                throw new Error('HTTPS listener requires certificateArn');
+            }
+            const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', listenerConfig.certificateArn);
+            httpsListener = this.alb.addListener('HttpsListener', {
+                port: listenerConfig.httpsPort ?? 443,
+                protocol: elbv2.ApplicationProtocol.HTTPS,
+                certificates: [certificate],
+                sslPolicy: listenerConfig.sslPolicy ?? elbv2.SslPolicy.RECOMMENDED_TLS,
+                defaultAction: elbv2.ListenerAction.fixedResponse(404, {
+                    contentType: 'text/plain',
+                    messageBody: 'Not Found',
+                }),
+            });
+            // /health path → 200 OK (สำหรับ NLB health check)
+            httpsListener.addAction('HealthCheck', {
+                priority: 1,
+                conditions: [elbv2.ListenerCondition.pathPatterns(['/health'])],
+                action: elbv2.ListenerAction.fixedResponse(200, {
+                    contentType: 'text/plain',
+                    messageBody: 'OK',
+                }),
+            });
+            // Additional certificates
+            if (listenerConfig.additionalCertificateArns) {
+                listenerConfig.additionalCertificateArns.forEach((certArn, index) => {
+                    const additionalCert = acm.Certificate.fromCertificateArn(this, `AdditionalCertificate${index + 1}`, certArn);
+                    httpsListener.addCertificates(`AdditionalCerts${index + 1}`, [additionalCert]);
+                });
+            }
+        }
+        // HTTP Listener
+        const httpEnabled = listenerConfig.httpEnabled ?? true;
+        if (httpEnabled) {
+            const httpRedirectToHttps = listenerConfig.httpRedirectToHttps ?? httpsEnabled;
+            if (httpRedirectToHttps && httpsListener) {
+                httpListener = this.alb.addListener('HttpListener', {
+                    port: listenerConfig.httpPort ?? 80,
+                    protocol: elbv2.ApplicationProtocol.HTTP,
+                    defaultAction: elbv2.ListenerAction.redirect({
+                        protocol: 'HTTPS',
+                        port: String(listenerConfig.httpsPort ?? 443),
+                        permanent: true,
+                    }),
+                });
+            }
+            else {
+                httpListener = this.alb.addListener('HttpListener', {
+                    port: listenerConfig.httpPort ?? 80,
+                    protocol: elbv2.ApplicationProtocol.HTTP,
+                    defaultAction: elbv2.ListenerAction.fixedResponse(404, {
+                        contentType: 'text/plain',
+                        messageBody: 'Not Found',
+                    }),
+                });
+            }
+            // /health path → 200 OK (สำหรับ NLB health check)
+            httpListener.addAction('HealthCheck', {
+                priority: 1,
+                conditions: [elbv2.ListenerCondition.pathPatterns(['/health'])],
+                action: elbv2.ListenerAction.fixedResponse(200, {
+                    contentType: 'text/plain',
+                    messageBody: 'OK',
+                }),
+            });
+        }
+        return { httpListener, httpsListener };
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'AlbArn', {
+            value: this.alb.loadBalancerArn,
+            description: 'Application Load Balancer ARN',
+            exportName: `${prefix}-ALB-Arn`,
+        });
+        new cdk.CfnOutput(stack, 'AlbDnsName', {
+            value: this.alb.loadBalancerDnsName,
+            description: 'ALB DNS Name',
+            exportName: `${prefix}-ALB-DnsName`,
+        });
+        new cdk.CfnOutput(stack, 'AlbCanonicalHostedZoneId', {
+            value: this.alb.loadBalancerCanonicalHostedZoneId,
+            description: 'ALB Canonical Hosted Zone ID (for Route53 alias records)',
+            exportName: `${prefix}-ALB-HostedZoneId`,
+        });
+        new cdk.CfnOutput(stack, 'SecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'ALB Security Group ID',
+            exportName: `${prefix}-ALB-SecurityGroup-Id`,
+        });
+        if (this.httpListener) {
+            new cdk.CfnOutput(stack, 'HttpListenerArn', {
+                value: this.httpListener.listenerArn,
+                description: 'HTTP Listener ARN',
+                exportName: `${prefix}-ALB-HTTPListener-Arn`,
+            });
+        }
+        if (this.httpsListener) {
+            new cdk.CfnOutput(stack, 'HttpsListenerArn', {
+                value: this.httpsListener.listenerArn,
+                description: 'HTTPS Listener ARN',
+                exportName: `${prefix}-ALB-HTTPSListener-Arn`,
+            });
+        }
+        new cdk.CfnOutput(stack, 'AlbFullName', {
+            value: this.alb.loadBalancerFullName,
+            description: 'ALB Full Name (for CloudWatch metrics)',
+            exportName: `${prefix}-ALB-FullName`,
+        });
+    }
+}
+exports.AlbConstruct = AlbConstruct;

package/dist/aws-cdk/constructs/bastion.d.ts

@@ -0,0 +1,46 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { BastionConfig } from '../interfaces/bastion-config';
+import { VpcConstruct } from './vpc';
+import { EfsConstruct } from './efs';
+import { RdsConstruct } from './rds';
+import { ElastiCacheConstruct } from './elasticache';
+export interface BastionConstructProps {
+    config: BastionConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+    /** EfsConstruct (optional) - สำหรับ mount EFS */
+    efsConstruct?: EfsConstruct;
+    /** RdsConstruct (optional) - สำหรับเปิด ingress rule */
+    rdsConstruct?: RdsConstruct;
+    /** ElastiCacheConstruct (optional) - สำหรับเปิด ingress rule */
+    elastiCacheConstruct?: ElastiCacheConstruct;
+}
+/**
+ * Bastion Host Construct - สร้าง EC2 Bastion Host
+ *
+ * Features:
+ * - SSH Key Pair (สร้างใหม่ หรือใช้ existing)
+ * - Auto-mount EFS (optional)
+ * - Auto allow RDS security group ingress (optional)
+ * - Install MySQL/MariaDB client
+ * - SSM Session Manager support
+ *
+ * Key Pair จะถูกเก็บใน AWS Systems Manager Parameter Store
+ * ดึง private key: aws ssm get-parameter --name /ec2/keypair/{key-pair-id} --with-decryption
+ */
+export declare class BastionConstruct extends Construct {
+    readonly instance: ec2.Instance;
+    readonly securityGroup: ec2.SecurityGroup;
+    readonly keyPair: ec2.KeyPair | undefined;
+    private readonly removalPolicy;
+    private readonly resolvedRegion;
+    constructor(scope: Construct, id: string, props: BastionConstructProps);
+    private resolveVpc;
+    private createKeyPair;
+    private createSecurityGroup;
+    private buildUserData;
+    private createInstance;
+    private setupSecurityAccess;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/bastion.js

@@ -0,0 +1,332 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BastionConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+/**
+ * Bastion Host Construct - สร้าง EC2 Bastion Host
+ *
+ * Features:
+ * - SSH Key Pair (สร้างใหม่ หรือใช้ existing)
+ * - Auto-mount EFS (optional)
+ * - Auto allow RDS security group ingress (optional)
+ * - Install MySQL/MariaDB client
+ * - SSM Session Manager support
+ *
+ * Key Pair จะถูกเก็บใน AWS Systems Manager Parameter Store
+ * ดึง private key: aws ssm get-parameter --name /ec2/keypair/{key-pair-id} --with-decryption
+ */
+class BastionConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct, efsConstruct, rdsConstruct, elastiCacheConstruct } = props;
+        // Resolve region: ใช้ config.region ถ้ามี, ไม่งั้น fallback ไป Stack region
+        this.resolvedRegion = config.region ?? cdk.Stack.of(this).region;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // A. Resolve VPC & Subnets
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // B. Create Key Pair
+        this.keyPair = this.createKeyPair(config);
+        // C. Create Security Group
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // D. Build User Data
+        const userData = this.buildUserData(config, efsConstruct);
+        // E. Create EC2 Instance
+        this.instance = this.createInstance(config, vpc, subnets, userData);
+        // F. Setup cross-stack security (EFS + RDS + Redis ingress)
+        this.setupSecurityAccess(config, efsConstruct, rdsConstruct, elastiCacheConstruct);
+        // G. Apply Removal Policy
+        this.instance.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // H. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'private';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const azs = [];
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `Subnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const isPublic = config.associatePublicIpAddress === true;
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            ...(isPublic
+                ? { publicSubnetIds: subnetIds, publicSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined }
+                : { privateSubnetIds: subnetIds, privateSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined }),
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Key Pair
+    // ==========================================
+    createKeyPair(config) {
+        if (config.createKeyPair === false && config.keyPairName) {
+            // ใช้ existing key pair
+            return undefined;
+        }
+        const keyPairName = config.keyPairName ?? `${config.instanceName}-keypair`;
+        const keyPair = new ec2.KeyPair(this, 'KeyPair', {
+            keyPairName,
+            type: ec2.KeyPairType.RSA,
+            format: ec2.KeyPairFormat.PEM,
+        });
+        keyPair.applyRemovalPolicy(this.removalPolicy);
+        return keyPair;
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const sg = new ec2.SecurityGroup(this, 'BastionSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName ?? `${config.instanceName}-sg`,
+            description: `Security group for ${config.instanceName} Bastion Host`,
+            allowAllOutbound: true, // Bastion ต้องการ outbound สำหรับ yum/apt, SSM, etc.
+        });
+        // เปิด SSH จาก CIDR ที่กำหนด (ถ้ามี)
+        if (config.allowedSshCidrs && config.allowedSshCidrs.length > 0) {
+            for (const cidr of config.allowedSshCidrs) {
+                sg.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.tcp(22), `Allow SSH from ${cidr}`);
+            }
+        }
+        return sg;
+    }
+    // ==========================================
+    // User Data
+    // ==========================================
+    buildUserData(config, efsConstruct) {
+        const userData = ec2.UserData.forLinux();
+        // Base packages
+        userData.addCommands('#!/bin/bash', 'set -euxo pipefail', '', '# Update system', 'dnf update -y', '', '# Install essential tools', 'dnf install -y amazon-efs-utils nfs-utils htop jq unzip');
+        // Install MySQL/MariaDB client
+        if (config.installMysqlClient !== false) {
+            userData.addCommands('', '# Install MariaDB client', 'dnf install -y mariadb105');
+        }
+        // Mount EFS
+        if (config.efsMount && efsConstruct) {
+            const mountPath = config.efsMount.mountPath ?? '/mnt/efs';
+            userData.addCommands('', `# Mount EFS at ${mountPath}`, `mkdir -p ${mountPath}`, `echo "${efsConstruct.fileSystem.fileSystemId}:/ ${mountPath} efs _netdev,tls,iam 0 0" >> /etc/fstab`, `mount -a`, `chmod 755 ${mountPath}`, '', '# Create uploads directory with www-data permissions', `mkdir -p ${mountPath}/uploads`, `chown 33:33 ${mountPath}/uploads`, `chmod 755 ${mountPath}/uploads`);
+        }
+        // Additional user data
+        if (config.additionalUserData) {
+            userData.addCommands('', '# Additional user data', config.additionalUserData);
+        }
+        // Completion marker
+        userData.addCommands('', '# Signal completion', 'echo "Bastion setup completed at $(date)" > /var/log/bastion-setup.log');
+        return userData;
+    }
+    // ==========================================
+    // EC2 Instance
+    // ==========================================
+    createInstance(config, vpc, subnets, userData) {
+        // Instance type
+        const instanceTypeStr = config.instanceType ?? 't3.micro';
+        const [family, size] = instanceTypeStr.split('.');
+        const instanceType = ec2.InstanceType.of(family, size);
+        // AMI - Amazon Linux 2023
+        const machineImage = config.amiId
+            ? ec2.MachineImage.genericLinux({ [this.resolvedRegion]: config.amiId })
+            : ec2.MachineImage.latestAmazonLinux2023();
+        // IAM Role สำหรับ SSM Session Manager + EFS
+        const role = new iam.Role(this, 'BastionRole', {
+            assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
+            managedPolicies: [
+                // SSM Session Manager - เข้า bastion ผ่าน console ได้โดยไม่ต้องเปิด SSH
+                iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
+                // EFS access
+                iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonElasticFileSystemClientReadWriteAccess'),
+            ],
+            description: `Role for ${config.instanceName} Bastion Host`,
+        });
+        // Key pair reference
+        let keyName;
+        if (this.keyPair) {
+            keyName = this.keyPair.keyPairName;
+        }
+        else if (config.keyPairName) {
+            keyName = config.keyPairName;
+        }
+        const isPublic = config.associatePublicIpAddress === true;
+        const instance = new ec2.Instance(this, 'BastionInstance', {
+            vpc,
+            vpcSubnets: isPublic
+                ? { subnetType: ec2.SubnetType.PUBLIC }
+                : { subnets: [subnets[0]] },
+            instanceType,
+            machineImage,
+            securityGroup: this.securityGroup,
+            keyPair: this.keyPair,
+            role,
+            userData,
+            instanceName: config.instanceName,
+            associatePublicIpAddress: isPublic,
+            blockDevices: [
+                {
+                    deviceName: '/dev/xvda',
+                    volume: ec2.BlockDeviceVolume.ebs(config.volumeSize ?? 20, {
+                        volumeType: config.volumeType === 'gp2'
+                            ? ec2.EbsDeviceVolumeType.GP2
+                            : ec2.EbsDeviceVolumeType.GP3,
+                        encrypted: true,
+                    }),
+                },
+            ],
+        });
+        return instance;
+    }
+    // ==========================================
+    // Cross-Stack Security Access
+    // ==========================================
+    setupSecurityAccess(config, efsConstruct, rdsConstruct, elastiCacheConstruct) {
+        // Allow Bastion → EFS (NFS port 2049)
+        // สร้าง ingress rule ใน Bastion stack เพื่อหลีกเลี่ยง cyclic dependency
+        if (efsConstruct) {
+            new ec2.CfnSecurityGroupIngress(this, 'EfsNfsIngress', {
+                groupId: efsConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: 2049,
+                toPort: 2049,
+                description: `Allow NFS from ${config.instanceName} Bastion`,
+            });
+        }
+        // Allow Bastion → RDS (MySQL/MariaDB port)
+        if (rdsConstruct) {
+            const dbPort = config.rdsAccess?.port ?? 3306;
+            new ec2.CfnSecurityGroupIngress(this, 'RdsDbIngress', {
+                groupId: rdsConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: dbPort,
+                toPort: dbPort,
+                description: `Allow DB access from ${config.instanceName} Bastion`,
+            });
+        }
+        // Allow Bastion → Redis (port 6379)
+        if (elastiCacheConstruct) {
+            const redisPort = config.redisAccess?.port ?? 6379;
+            new ec2.CfnSecurityGroupIngress(this, 'RedisIngress', {
+                groupId: elastiCacheConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: redisPort,
+                toPort: redisPort,
+                description: `Allow Redis access from ${config.instanceName} Bastion`,
+            });
+        }
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        new cdk.CfnOutput(this, 'InstanceId', {
+            value: this.instance.instanceId,
+            description: 'Bastion EC2 Instance ID',
+            exportName: `${config.stackName}-InstanceId`,
+        });
+        new cdk.CfnOutput(this, 'PrivateIp', {
+            value: this.instance.instancePrivateIp,
+            description: 'Bastion Private IP Address',
+            exportName: `${config.stackName}-PrivateIp`,
+        });
+        if (config.associatePublicIpAddress) {
+            new cdk.CfnOutput(this, 'PublicIp', {
+                value: this.instance.instancePublicIp,
+                description: 'Bastion Public IP Address',
+                exportName: `${config.stackName}-PublicIp`,
+            });
+            new cdk.CfnOutput(this, 'SshCommand', {
+                value: `ssh -i standard-bastion.pem ec2-user@<PUBLIC_IP>`,
+                description: 'SSH command to connect to Bastion (replace <PUBLIC_IP> with actual IP)',
+                exportName: `${config.stackName}-SshCommand`,
+            });
+        }
+        new cdk.CfnOutput(this, 'SecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'Bastion Security Group ID',
+            exportName: `${config.stackName}-BastionSecurityGroupId`,
+        });
+        if (this.keyPair) {
+            new cdk.CfnOutput(this, 'KeyPairId', {
+                value: this.keyPair.keyPairId,
+                description: 'Key Pair ID - ดึง private key: aws ssm get-parameter --name /ec2/keypair/{this-id} --with-decryption --query Parameter.Value --output text',
+                exportName: `${config.stackName}-KeyPairId`,
+            });
+            new cdk.CfnOutput(this, 'GetPrivateKeyCommand', {
+                value: `aws ssm get-parameter --name /ec2/keypair/${this.keyPair.keyPairId} --with-decryption --query Parameter.Value --output text --region ${this.resolvedRegion}`,
+                description: 'Command to retrieve SSH private key from SSM Parameter Store',
+                exportName: `${config.stackName}-GetPrivateKeyCommand`,
+            });
+        }
+        new cdk.CfnOutput(this, 'SsmConnectCommand', {
+            value: `aws ssm start-session --target ${this.instance.instanceId} --region ${this.resolvedRegion}`,
+            description: 'Command to connect via SSM Session Manager (no SSH key needed)',
+            exportName: `${config.stackName}-SsmConnectCommand`,
+        });
+    }
+}
+exports.BastionConstruct = BastionConstruct;