@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/cloudfront.d.ts

@@ -0,0 +1,45 @@
+import { Construct } from 'constructs';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import { CloudFrontConfig } from '../interfaces/cloudfront-config';
+import { VpcConstruct } from './vpc';
+import { AlbConstruct } from './alb';
+import { AcmConstruct } from './acm';
+export interface CloudFrontConstructProps {
+    config: CloudFrontConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+    /** AlbConstruct from AlbStack — origin target */
+    albConstruct: AlbConstruct;
+    /** AcmConstruct from AcmStack — certificate สำหรับ CloudFront (us-east-1) */
+    acmConstruct?: AcmConstruct;
+}
+/**
+ * CloudFront + VPC Origin Construct
+ *
+ * สร้าง:
+ *   1. CloudFront VPC Origin — เชื่อมต่อ ALB private ผ่าน AWS backbone
+ *   2. CloudFront Distribution — CDN ด้านหน้า
+ *   3. (Optional) ALB SG rule — allow CloudFront traffic
+ *
+ * Architecture:
+ *   Client → CloudFront Edge → VPC Origin → Private ALB → ECS
+ */
+export declare class CloudFrontConstruct extends Construct {
+    readonly distribution: cloudfront.CfnDistribution;
+    readonly vpcOrigin: cloudfront.CfnVpcOrigin;
+    readonly distributionDomainName: string;
+    readonly distributionId: string;
+    readonly vpcOriginId: string;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: CloudFrontConstructProps);
+    private createVpcOrigin;
+    private createDistribution;
+    /**
+     * เพิ่ม inbound rule ให้ ALB SG เพื่อรับ traffic จาก CloudFront VPC Origin
+     *
+     * ถ้ามี cloudFrontPrefixListId → ใช้ managed prefix list (recommended สำหรับ production)
+     * ถ้าไม่มี → allow จาก 0.0.0.0/0 (ALB เป็น internal อยู่แล้ว ปลอดภัยในระดับหนึ่ง)
+     */
+    private addAlbSecurityGroupRule;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/cloudfront.js

@@ -0,0 +1,261 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudFrontConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const cloudfront = __importStar(require("aws-cdk-lib/aws-cloudfront"));
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+/**
+ * CloudFront + VPC Origin Construct
+ *
+ * สร้าง:
+ *   1. CloudFront VPC Origin — เชื่อมต่อ ALB private ผ่าน AWS backbone
+ *   2. CloudFront Distribution — CDN ด้านหน้า
+ *   3. (Optional) ALB SG rule — allow CloudFront traffic
+ *
+ * Architecture:
+ *   Client → CloudFront Edge → VPC Origin → Private ALB → ECS
+ */
+class CloudFrontConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct, albConstruct, acmConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // ------------------------------------------
+        // A. Create VPC Origin
+        // ------------------------------------------
+        this.vpcOrigin = this.createVpcOrigin(config, albConstruct);
+        // ------------------------------------------
+        // B. Create CloudFront Distribution
+        // ------------------------------------------
+        this.distribution = this.createDistribution(config, albConstruct, acmConstruct);
+        // ------------------------------------------
+        // C. (Optional) Update ALB Security Group
+        // ------------------------------------------
+        if (config.updateAlbSecurityGroup !== false) {
+            this.addAlbSecurityGroupRule(config, albConstruct);
+        }
+        // ------------------------------------------
+        // D. Apply Removal Policy
+        // ------------------------------------------
+        this.vpcOrigin.applyRemovalPolicy(this.removalPolicy);
+        this.distribution.applyRemovalPolicy(this.removalPolicy);
+        // ------------------------------------------
+        // E. Expose Attributes
+        // ------------------------------------------
+        this.distributionDomainName = this.distribution.attrDomainName;
+        this.distributionId = this.distribution.ref;
+        this.vpcOriginId = this.vpcOrigin.attrId;
+        // ------------------------------------------
+        // F. Outputs
+        // ------------------------------------------
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // A. VPC Origin
+    // ==========================================
+    createVpcOrigin(config, albConstruct) {
+        const vo = config.vpcOrigin;
+        return new cloudfront.CfnVpcOrigin(this, 'VpcOrigin', {
+            vpcOriginEndpointConfig: {
+                arn: albConstruct.alb.loadBalancerArn,
+                httpPort: vo.httpPort ?? 80,
+                httpsPort: vo.httpsPort ?? 443,
+                name: vo.name,
+                originProtocolPolicy: vo.originProtocolPolicy ?? 'https-only',
+            },
+        });
+    }
+    // ==========================================
+    // B. Distribution
+    // ==========================================
+    createDistribution(config, albConstruct, acmConstruct) {
+        const originId = 'vpc-alb-origin';
+        const voConfig = config.vpcOrigin;
+        const defaultBehavior = config.defaultCacheBehavior ?? {};
+        // --- Viewer Certificate ---
+        const certArn = acmConstruct?.certificateArn ?? config.certificateArn;
+        let viewerCertificate;
+        if (certArn && config.domainNames && config.domainNames.length > 0) {
+            viewerCertificate = {
+                acmCertificateArn: certArn,
+                minimumProtocolVersion: config.minimumProtocolVersion ?? 'TLSv1.2_2021',
+                sslSupportMethod: 'sni-only',
+            };
+        }
+        else {
+            viewerCertificate = {
+                cloudFrontDefaultCertificate: true,
+            };
+        }
+        // --- Default Cache Behavior ---
+        const defaultCacheBehavior = {
+            targetOriginId: originId,
+            viewerProtocolPolicy: defaultBehavior.viewerProtocolPolicy ?? 'redirect-to-https',
+            allowedMethods: defaultBehavior.allowedMethods
+                ?? ['GET', 'HEAD', 'OPTIONS', 'PUT', 'POST', 'PATCH', 'DELETE'],
+            cachedMethods: defaultBehavior.cachedMethods ?? ['GET', 'HEAD'],
+            // Default: CachingDisabled — เหมาะกับ dynamic content (ALB → ECS)
+            cachePolicyId: defaultBehavior.cachePolicyId
+                ?? '4135ea2d-6df8-44a3-9df3-4b5a84be39ad',
+            // Default: AllViewer — forward ทุก header ไป origin
+            originRequestPolicyId: defaultBehavior.originRequestPolicyId
+                ?? '216adef6-5c7f-47e4-b989-5492eafa07d3',
+            compress: defaultBehavior.compress ?? true,
+            responseHeadersPolicyId: defaultBehavior.responseHeadersPolicyId,
+        };
+        // --- Additional Cache Behaviors ---
+        const cacheBehaviors = config.additionalBehaviors?.map((ab) => ({
+            pathPattern: ab.pathPattern,
+            targetOriginId: originId,
+            viewerProtocolPolicy: ab.behavior.viewerProtocolPolicy ?? 'redirect-to-https',
+            allowedMethods: ab.behavior.allowedMethods ?? ['GET', 'HEAD'],
+            cachedMethods: ab.behavior.cachedMethods ?? ['GET', 'HEAD'],
+            // Default: CachingOptimized — เหมาะกับ static content
+            cachePolicyId: ab.behavior.cachePolicyId
+                ?? '658327ea-f89d-4fab-a63d-7e88639e58f6',
+            originRequestPolicyId: ab.behavior.originRequestPolicyId,
+            compress: ab.behavior.compress ?? true,
+            responseHeadersPolicyId: ab.behavior.responseHeadersPolicyId,
+        }));
+        // --- Custom Error Responses ---
+        const customErrorResponses = config.customErrorResponses?.map((err) => ({
+            errorCode: err.errorCode,
+            responseCode: err.responseCode,
+            responsePagePath: err.responsePagePath,
+            errorCachingMinTtl: err.errorCachingMinTtl,
+        }));
+        // --- Create Distribution ---
+        const distribution = new cloudfront.CfnDistribution(this, 'Distribution', {
+            distributionConfig: {
+                enabled: config.enabled ?? true,
+                comment: config.distributionComment
+                    ?? `${config.stackName} — CloudFront + VPC Origin → Private ALB`,
+                httpVersion: config.httpVersion ?? 'http2and3',
+                priceClass: config.priceClass ?? 'PriceClass_200',
+                // Origin: ALB via VPC Origin
+                origins: [{
+                        domainName: albConstruct.alb.loadBalancerDnsName,
+                        id: originId,
+                        // VPC Origin Config จะถูก add ผ่าน escape hatch ด้านล่าง
+                    }],
+                defaultCacheBehavior,
+                cacheBehaviors,
+                viewerCertificate,
+                aliases: config.domainNames,
+                webAclId: config.webAclId,
+                customErrorResponses,
+            },
+        });
+        // --- Add VpcOriginConfig via escape hatch ---
+        // ใช้ addPropertyOverride เพื่อความเข้ากันได้กับ CDK ทุกเวอร์ชัน
+        distribution.addPropertyOverride('DistributionConfig.Origins.0.VpcOriginConfig', {
+            VpcOriginId: this.vpcOrigin.attrId,
+            OriginReadTimeout: voConfig.originReadTimeout ?? 30,
+            OriginKeepaliveTimeout: voConfig.originKeepaliveTimeout ?? 5,
+        });
+        // ลบ customOriginConfig / s3OriginConfig ที่อาจถูก generate อัตโนมัติ
+        distribution.addPropertyDeletionOverride('DistributionConfig.Origins.0.S3OriginConfig');
+        return distribution;
+    }
+    // ==========================================
+    // C. ALB Security Group Rule
+    // ==========================================
+    /**
+     * เพิ่ม inbound rule ให้ ALB SG เพื่อรับ traffic จาก CloudFront VPC Origin
+     *
+     * ถ้ามี cloudFrontPrefixListId → ใช้ managed prefix list (recommended สำหรับ production)
+     * ถ้าไม่มี → allow จาก 0.0.0.0/0 (ALB เป็น internal อยู่แล้ว ปลอดภัยในระดับหนึ่ง)
+     */
+    addAlbSecurityGroupRule(config, albConstruct) {
+        const httpsPort = config.vpcOrigin.httpsPort ?? 443;
+        const httpPort = config.vpcOrigin.httpPort ?? 80;
+        if (config.cloudFrontPrefixListId) {
+            // Use managed prefix list (more restrictive)
+            albConstruct.securityGroup.addIngressRule(ec2.Peer.prefixList(config.cloudFrontPrefixListId), ec2.Port.tcp(httpsPort), 'Allow HTTPS from CloudFront VPC Origin (managed prefix list)');
+            if (config.vpcOrigin.originProtocolPolicy === 'http-only') {
+                albConstruct.securityGroup.addIngressRule(ec2.Peer.prefixList(config.cloudFrontPrefixListId), ec2.Port.tcp(httpPort), 'Allow HTTP from CloudFront VPC Origin (managed prefix list)');
+            }
+        }
+        else {
+            // Fallback: allow from anywhere
+            // ⚠️ ALB เป็น internal (private subnets) จึงยังปลอดภัย
+            // สำหรับ production ควรระบุ cloudFrontPrefixListId
+            albConstruct.securityGroup.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(httpsPort), 'Allow HTTPS from CloudFront VPC Origin');
+            if (config.vpcOrigin.originProtocolPolicy === 'http-only') {
+                albConstruct.securityGroup.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(httpPort), 'Allow HTTP from CloudFront VPC Origin');
+            }
+        }
+    }
+    // ==========================================
+    // F. Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'DistributionId', {
+            value: this.distribution.ref,
+            description: 'CloudFront Distribution ID',
+            exportName: `${prefix}-CF-DistributionId`,
+        });
+        new cdk.CfnOutput(stack, 'DistributionDomainName', {
+            value: this.distribution.attrDomainName,
+            description: 'CloudFront Distribution Domain Name (*.cloudfront.net)',
+            exportName: `${prefix}-CF-DomainName`,
+        });
+        new cdk.CfnOutput(stack, 'VpcOriginId', {
+            value: this.vpcOrigin.attrId,
+            description: 'CloudFront VPC Origin ID',
+            exportName: `${prefix}-CF-VpcOriginId`,
+        });
+        new cdk.CfnOutput(stack, 'VpcOriginArn', {
+            value: this.vpcOrigin.attrArn,
+            description: 'CloudFront VPC Origin ARN',
+            exportName: `${prefix}-CF-VpcOriginArn`,
+        });
+        if (config.domainNames && config.domainNames.length > 0) {
+            new cdk.CfnOutput(stack, 'Aliases', {
+                value: config.domainNames.join(', '),
+                description: 'CloudFront Domain Aliases',
+                exportName: `${prefix}-CF-Aliases`,
+            });
+        }
+    }
+}
+exports.CloudFrontConstruct = CloudFrontConstruct;

package/dist/aws-cdk/constructs/ecr.d.ts

@@ -0,0 +1,17 @@
+import { Construct } from 'constructs';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
+import { EcrConfig } from '../interfaces/ecr-config';
+export interface EcrConstructProps {
+    config: EcrConfig;
+}
+/**
+ * ECR Construct - สร้าง ECR Repository + Lifecycle Rules
+ */
+export declare class EcrConstruct extends Construct {
+    readonly repository: ecr.Repository;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: EcrConstructProps);
+    private createRepository;
+    private addLifecycleRules;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/ecr.js

@@ -0,0 +1,143 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcrConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ecr = __importStar(require("aws-cdk-lib/aws-ecr"));
+/**
+ * ECR Construct - สร้าง ECR Repository + Lifecycle Rules
+ */
+class EcrConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // A. Create Repository
+        this.repository = this.createRepository(config);
+        // B. Add Lifecycle Rules
+        this.addLifecycleRules(config);
+        // C. Apply Removal Policy
+        this.repository.applyRemovalPolicy(this.removalPolicy);
+        // D. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Create Repository
+    // ==========================================
+    createRepository(config) {
+        const isDestroy = config.removalPolicy !== 'retain';
+        return new ecr.Repository(this, 'EcrRepository', {
+            repositoryName: config.repositoryName,
+            imageTagMutability: config.imageTagMutability === 'IMMUTABLE'
+                ? ecr.TagMutability.IMMUTABLE
+                : ecr.TagMutability.MUTABLE,
+            imageScanOnPush: config.scanOnPush ?? true,
+            removalPolicy: this.removalPolicy,
+            emptyOnDelete: config.emptyOnDelete ?? isDestroy,
+        });
+    }
+    // ==========================================
+    // Add Lifecycle Rules
+    // ==========================================
+    addLifecycleRules(config) {
+        // ถ้ามี lifecycleRules แบบ custom ใช้ตัวนั้น
+        if (config.lifecycleRules && config.lifecycleRules.length > 0) {
+            config.lifecycleRules.forEach((rule) => {
+                this.repository.addLifecycleRule({
+                    rulePriority: rule.rulePriority,
+                    description: rule.description,
+                    tagStatus: rule.tagStatus === 'tagged'
+                        ? ecr.TagStatus.TAGGED
+                        : rule.tagStatus === 'untagged'
+                            ? ecr.TagStatus.UNTAGGED
+                            : ecr.TagStatus.ANY,
+                    tagPrefixList: rule.tagPrefixList,
+                    maxImageCount: rule.maxImageCount,
+                    maxImageAge: rule.maxImageAgeDays
+                        ? cdk.Duration.days(rule.maxImageAgeDays)
+                        : undefined,
+                });
+            });
+            return;
+        }
+        // ถ้าไม่มี lifecycleRules ใช้ shorthand
+        const maxImages = config.lifecycleMaxImages ?? 30;
+        const daysUntagged = config.lifecycleDaysUntagged ?? 14;
+        // Rule 1: Keep last N tagged images
+        this.repository.addLifecycleRule({
+            rulePriority: 1,
+            description: `Keep last ${maxImages} tagged images`,
+            tagStatus: ecr.TagStatus.TAGGED,
+            tagPrefixList: ['v', 'latest', 'main', 'dev', 'prod', 'uat', 'pre-prod'],
+            maxImageCount: maxImages,
+        });
+        // Rule 2: Delete old untagged images
+        this.repository.addLifecycleRule({
+            rulePriority: 2,
+            description: `Delete untagged images older than ${daysUntagged} days`,
+            tagStatus: ecr.TagStatus.UNTAGGED,
+            maxImageAge: cdk.Duration.days(daysUntagged),
+        });
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        // Use sanitized repo name for unique output IDs within same stack
+        const repoShort = config.repositoryName.replace(/[^a-zA-Z0-9]/g, '');
+        new cdk.CfnOutput(stack, `${repoShort}EcrRepositoryUri`, {
+            value: this.repository.repositoryUri,
+            description: `ECR Repository URI (${config.repositoryName})`,
+            exportName: `${prefix}-ECR-Uri`,
+        });
+        new cdk.CfnOutput(stack, `${repoShort}EcrRepositoryArn`, {
+            value: this.repository.repositoryArn,
+            description: `ECR Repository ARN (${config.repositoryName})`,
+            exportName: `${prefix}-ECR-Arn`,
+        });
+        new cdk.CfnOutput(stack, `${repoShort}EcrRepositoryName`, {
+            value: this.repository.repositoryName,
+            description: `ECR Repository Name (${config.repositoryName})`,
+            exportName: `${prefix}-ECR-Name`,
+        });
+    }
+}
+exports.EcrConstruct = EcrConstruct;

package/dist/aws-cdk/constructs/ecs-cluster.d.ts

@@ -0,0 +1,21 @@
+import { Construct } from 'constructs';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { EcsClusterConfig } from '../interfaces/ecs-cluster-config';
+import { VpcConstruct } from './vpc';
+export interface EcsClusterConstructProps {
+    config: EcsClusterConfig;
+    vpcConstruct: VpcConstruct;
+}
+/**
+ * ECS Cluster Construct - สร้าง ECS Cluster + Container Insights
+ *
+ * อ้างอิง VpcConstruct จาก NetworkStack เพื่อดึง VPC
+ */
+export declare class EcsClusterConstruct extends Construct {
+    readonly cluster: ecs.Cluster;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: EcsClusterConstructProps);
+    private resolveVpc;
+    private createCluster;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/ecs-cluster.js

@@ -0,0 +1,124 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcsClusterConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const ecs = __importStar(require("aws-cdk-lib/aws-ecs"));
+/**
+ * ECS Cluster Construct - สร้าง ECS Cluster + Container Insights
+ *
+ * อ้างอิง VpcConstruct จาก NetworkStack เพื่อดึง VPC
+ */
+class EcsClusterConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // A. Resolve VPC
+        const vpc = this.resolveVpc(vpcConstruct);
+        // B. Create Cluster
+        this.cluster = this.createCluster(config, vpc);
+        // C. Apply Removal Policy
+        this.cluster.applyRemovalPolicy(this.removalPolicy);
+        // D. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(vpcConstruct) {
+        // ดึง AZ จาก subnets ทั้งหมด
+        const allAzs = new Set();
+        vpcConstruct.subnetsByName.forEach((subnets) => {
+            subnets.forEach((s) => {
+                if (s.availabilityZone)
+                    allAzs.add(s.availabilityZone);
+            });
+        });
+        return ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: Array.from(allAzs),
+        });
+    }
+    // ==========================================
+    // Create Cluster
+    // ==========================================
+    createCluster(config, vpc) {
+        const insightsEnabled = config.containerInsightsEnabled ?? true;
+        const cluster = new ecs.Cluster(this, 'EcsCluster', {
+            vpc,
+            clusterName: config.clusterName,
+            containerInsightsV2: insightsEnabled
+                ? ecs.ContainerInsights.ENHANCED
+                : ecs.ContainerInsights.DISABLED,
+            enableFargateCapacityProviders: true,
+            executeCommandConfiguration: config.enableExecuteCommand
+                ? { logging: ecs.ExecuteCommandLogging.DEFAULT }
+                : undefined,
+        });
+        // Default capacity provider strategy (ต้องส่ง array ทั้งหมดในครั้งเดียว)
+        if (config.defaultCapacityProviderStrategy && config.defaultCapacityProviderStrategy.length > 0) {
+            cluster.addDefaultCapacityProviderStrategy(config.defaultCapacityProviderStrategy.map((strategy) => ({
+                capacityProvider: strategy.capacityProvider,
+                weight: strategy.weight,
+                base: strategy.base,
+            })));
+        }
+        return cluster;
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'EcsClusterName', {
+            value: this.cluster.clusterName,
+            description: 'ECS Cluster Name',
+            exportName: `${prefix}-ECS-ClusterName`,
+        });
+        new cdk.CfnOutput(stack, 'EcsClusterArn', {
+            value: this.cluster.clusterArn,
+            description: 'ECS Cluster ARN',
+            exportName: `${prefix}-ECS-ClusterArn`,
+        });
+    }
+}
+exports.EcsClusterConstruct = EcsClusterConstruct;