@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/efs.d.ts

@@ -0,0 +1,31 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as efs from 'aws-cdk-lib/aws-efs';
+import { EfsConfig } from '../interfaces/efs-config';
+import { VpcConstruct } from './vpc';
+export interface EfsConstructProps {
+    config: EfsConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+}
+/**
+ * EFS Construct - สร้าง Elastic File System + Mount Targets + Access Points
+ *
+ * ใช้สำหรับ persistent storage ของ ECS Fargate tasks
+ */
+export declare class EfsConstruct extends Construct {
+    readonly fileSystem: efs.FileSystem;
+    readonly securityGroup: ec2.SecurityGroup;
+    readonly accessPoints: Map<string, efs.AccessPoint>;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: EfsConstructProps);
+    private resolveVpc;
+    private createSecurityGroup;
+    private createFileSystem;
+    private createAccessPoints;
+    private createOutputs;
+    /**
+     * Allow NFS access from a security group
+     */
+    allowNfsFrom(sg: ec2.ISecurityGroup, description?: string): void;
+}

package/dist/aws-cdk/constructs/efs.js

@@ -0,0 +1,241 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EfsConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const efs = __importStar(require("aws-cdk-lib/aws-efs"));
+/**
+ * EFS Construct - สร้าง Elastic File System + Mount Targets + Access Points
+ *
+ * ใช้สำหรับ persistent storage ของ ECS Fargate tasks
+ */
+class EfsConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.accessPoints = new Map();
+        const { config, vpcConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'destroy'
+            ? aws_cdk_lib_1.RemovalPolicy.DESTROY
+            : aws_cdk_lib_1.RemovalPolicy.RETAIN;
+        // A. Resolve VPC & Subnets
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // B. Create Security Group
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // C. Create EFS File System
+        this.fileSystem = this.createFileSystem(config, vpc, subnets);
+        // D. Create Access Points
+        this.createAccessPoints(config);
+        // E. Apply Removal Policy
+        this.fileSystem.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // F. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'private-ecs';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const azs = [];
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `Subnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            privateSubnetIds: subnetIds,
+            privateSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const sg = new ec2.SecurityGroup(this, 'EfsSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName,
+            description: `Security group for ${config.fileSystemName} EFS`,
+            allowAllOutbound: false, // EFS doesn't need outbound
+        });
+        // EFS listens on port 2049 (NFS)
+        // Ingress rules will be added by ECS service construct
+        return sg;
+    }
+    // ==========================================
+    // Create EFS File System
+    // ==========================================
+    createFileSystem(config, vpc, subnets) {
+        const performanceMode = config.performanceMode === 'maxIO'
+            ? efs.PerformanceMode.MAX_IO
+            : efs.PerformanceMode.GENERAL_PURPOSE;
+        let throughputMode;
+        switch (config.throughputMode) {
+            case 'provisioned':
+                throughputMode = efs.ThroughputMode.PROVISIONED;
+                break;
+            case 'elastic':
+                throughputMode = efs.ThroughputMode.ELASTIC;
+                break;
+            default:
+                throughputMode = efs.ThroughputMode.BURSTING;
+        }
+        const transitionDays = config.transitionToIaAfterDays ?? 30;
+        let lifecyclePolicy;
+        switch (transitionDays) {
+            case 7:
+                lifecyclePolicy = efs.LifecyclePolicy.AFTER_7_DAYS;
+                break;
+            case 14:
+                lifecyclePolicy = efs.LifecyclePolicy.AFTER_14_DAYS;
+                break;
+            case 30:
+                lifecyclePolicy = efs.LifecyclePolicy.AFTER_30_DAYS;
+                break;
+            case 60:
+                lifecyclePolicy = efs.LifecyclePolicy.AFTER_60_DAYS;
+                break;
+            case 90:
+                lifecyclePolicy = efs.LifecyclePolicy.AFTER_90_DAYS;
+                break;
+            default: lifecyclePolicy = efs.LifecyclePolicy.AFTER_30_DAYS;
+        }
+        const fs = new efs.FileSystem(this, 'FileSystem', {
+            vpc,
+            vpcSubnets: { subnets },
+            fileSystemName: config.fileSystemName,
+            securityGroup: this.securityGroup,
+            performanceMode,
+            throughputMode,
+            provisionedThroughputPerSecond: config.provisionedThroughput
+                ? cdk.Size.mebibytes(config.provisionedThroughput)
+                : undefined,
+            encrypted: config.encrypted ?? true,
+            lifecyclePolicy,
+        });
+        return fs;
+    }
+    // ==========================================
+    // Create Access Points
+    // ==========================================
+    createAccessPoints(config) {
+        if (!config.accessPoints || config.accessPoints.length === 0) {
+            return;
+        }
+        for (const apConfig of config.accessPoints) {
+            const uid = apConfig.posixUid ?? 33; // www-data
+            const gid = apConfig.posixGid ?? 33;
+            const permissions = apConfig.permissions ?? '755';
+            const accessPoint = new efs.AccessPoint(this, `AccessPoint${apConfig.name}`, {
+                fileSystem: this.fileSystem,
+                path: apConfig.path,
+                posixUser: {
+                    uid: uid.toString(),
+                    gid: gid.toString(),
+                },
+                createAcl: {
+                    ownerUid: uid.toString(),
+                    ownerGid: gid.toString(),
+                    permissions,
+                },
+            });
+            accessPoint.applyRemovalPolicy(this.removalPolicy);
+            this.accessPoints.set(apConfig.name, accessPoint);
+        }
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        new cdk.CfnOutput(this, 'FileSystemId', {
+            value: this.fileSystem.fileSystemId,
+            description: 'EFS File System ID',
+            exportName: `${config.stackName}-FileSystemId`,
+        });
+        new cdk.CfnOutput(this, 'FileSystemArn', {
+            value: this.fileSystem.fileSystemArn,
+            description: 'EFS File System ARN',
+            exportName: `${config.stackName}-FileSystemArn`,
+        });
+        new cdk.CfnOutput(this, 'SecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'EFS Security Group ID',
+            exportName: `${config.stackName}-EfsSecurityGroupId`,
+        });
+        // Output access point IDs
+        for (const [name, ap] of this.accessPoints) {
+            new cdk.CfnOutput(this, `AccessPointId${name}`, {
+                value: ap.accessPointId,
+                description: `Access Point ID for ${name}`,
+                exportName: `${config.stackName}-AccessPointId-${name}`,
+            });
+        }
+    }
+    // ==========================================
+    // Public Methods
+    // ==========================================
+    /**
+     * Allow NFS access from a security group
+     */
+    allowNfsFrom(sg, description) {
+        this.securityGroup.addIngressRule(ec2.Peer.securityGroupId(sg.securityGroupId), ec2.Port.tcp(2049), description ?? 'Allow NFS from specified security group');
+    }
+}
+exports.EfsConstruct = EfsConstruct;

package/dist/aws-cdk/constructs/elasticache.d.ts

@@ -0,0 +1,35 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as elasticache from 'aws-cdk-lib/aws-elasticache';
+import { ElastiCacheConfig } from '../interfaces/elasticache-config';
+import { VpcConstruct } from './vpc';
+export interface ElastiCacheConstructProps {
+    config: ElastiCacheConfig;
+    /** VpcConstruct from NetworkStack */
+    vpcConstruct: VpcConstruct;
+}
+/**
+ * ElastiCache Redis Construct - สร้าง Redis Replication Group
+ *
+ * Features:
+ * - Multi-AZ with automatic failover
+ * - Encryption at rest and in transit
+ * - Subnet group for isolated subnets
+ */
+export declare class ElastiCacheConstruct extends Construct {
+    readonly replicationGroup: elasticache.CfnReplicationGroup;
+    readonly securityGroup: ec2.SecurityGroup;
+    readonly subnetGroup: elasticache.CfnSubnetGroup;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: ElastiCacheConstructProps);
+    private resolveVpc;
+    private createSecurityGroup;
+    private createSubnetGroup;
+    private createParameterGroup;
+    private createReplicationGroup;
+    private createOutputs;
+    /**
+     * Allow Redis access from a security group
+     */
+    allowRedisFrom(sg: ec2.ISecurityGroup, description?: string): void;
+}

package/dist/aws-cdk/constructs/elasticache.js

@@ -0,0 +1,210 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ElastiCacheConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const elasticache = __importStar(require("aws-cdk-lib/aws-elasticache"));
+/**
+ * ElastiCache Redis Construct - สร้าง Redis Replication Group
+ *
+ * Features:
+ * - Multi-AZ with automatic failover
+ * - Encryption at rest and in transit
+ * - Subnet group for isolated subnets
+ */
+class ElastiCacheConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct } = props;
+        this.removalPolicy = config.removalPolicy === 'destroy'
+            ? aws_cdk_lib_1.RemovalPolicy.DESTROY
+            : aws_cdk_lib_1.RemovalPolicy.RETAIN;
+        // A. Resolve VPC & Subnets
+        const { vpc, subnetIds } = this.resolveVpc(config, vpcConstruct);
+        // B. Create Security Group
+        this.securityGroup = this.createSecurityGroup(vpc, config);
+        // C. Create Subnet Group
+        this.subnetGroup = this.createSubnetGroup(config, subnetIds);
+        // D. Create Parameter Group (optional)
+        const parameterGroup = this.createParameterGroup(config);
+        // E. Create Replication Group
+        this.replicationGroup = this.createReplicationGroup(config, parameterGroup);
+        // F. Apply Removal Policy
+        this.replicationGroup.applyRemovalPolicy(this.removalPolicy);
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        // G. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Resolve VPC
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'cache';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnetIds and routeTableIds from VpcConstruct
+        const subnetIds = [];
+        const azs = [];
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                azs.push(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'Vpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: azs,
+            isolatedSubnetIds: subnetIds,
+            isolatedSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnetIds };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(vpc, config) {
+        const port = config.port ?? 6379;
+        const sg = new ec2.SecurityGroup(this, 'RedisSecurityGroup', {
+            vpc,
+            securityGroupName: config.securityGroupName,
+            description: `Security group for ${config.clusterName} ElastiCache Redis`,
+            allowAllOutbound: true, // Allow response traffic back to clients (ECS, Bastion)
+        });
+        // Ingress rules will be added by ECS service construct
+        return sg;
+    }
+    // ==========================================
+    // Subnet Group
+    // ==========================================
+    createSubnetGroup(config, subnetIds) {
+        return new elasticache.CfnSubnetGroup(this, 'SubnetGroup', {
+            description: `Subnet group for ${config.clusterName} Redis`,
+            subnetIds,
+            cacheSubnetGroupName: `${config.clusterName}-subnet-group`,
+        });
+    }
+    // ==========================================
+    // Parameter Group
+    // ==========================================
+    createParameterGroup(config) {
+        if (!config.parameters || Object.keys(config.parameters).length === 0) {
+            return undefined;
+        }
+        const family = config.parameterGroupFamily ?? 'redis7';
+        return new elasticache.CfnParameterGroup(this, 'ParameterGroup', {
+            cacheParameterGroupFamily: family,
+            description: `Parameter group for ${config.clusterName} Redis`,
+            properties: config.parameters,
+        });
+    }
+    // ==========================================
+    // Replication Group
+    // ==========================================
+    createReplicationGroup(config, parameterGroup) {
+        const port = config.port ?? 6379;
+        const numCacheClusters = config.numCacheClusters ?? 2;
+        const multiAz = config.multiAzEnabled ?? true;
+        const automaticFailover = config.automaticFailoverEnabled ?? true;
+        const replicationGroup = new elasticache.CfnReplicationGroup(this, 'ReplicationGroup', {
+            replicationGroupDescription: `Redis cluster for ${config.clusterName}`,
+            replicationGroupId: config.clusterName,
+            engine: 'redis',
+            engineVersion: config.engineVersion ?? '7.0',
+            cacheNodeType: config.nodeType ?? 'cache.t3.micro',
+            numCacheClusters,
+            automaticFailoverEnabled: numCacheClusters > 1 ? automaticFailover : false,
+            multiAzEnabled: numCacheClusters > 1 ? multiAz : false,
+            cacheSubnetGroupName: this.subnetGroup.cacheSubnetGroupName,
+            securityGroupIds: [this.securityGroup.securityGroupId],
+            port,
+            atRestEncryptionEnabled: config.atRestEncryptionEnabled ?? true,
+            transitEncryptionEnabled: config.transitEncryptionEnabled ?? true,
+            cacheParameterGroupName: parameterGroup?.ref,
+            snapshotRetentionLimit: config.snapshotRetentionLimit ?? 5,
+            snapshotWindow: config.snapshotWindow ?? '03:00-05:00',
+            preferredMaintenanceWindow: config.maintenanceWindow ?? 'sun:05:00-sun:07:00',
+        });
+        // Add dependency on subnet group
+        replicationGroup.addDependency(this.subnetGroup);
+        return replicationGroup;
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        new cdk.CfnOutput(this, 'ReplicationGroupId', {
+            value: this.replicationGroup.ref,
+            description: 'ElastiCache Replication Group ID',
+            exportName: `${config.stackName}-ReplicationGroupId`,
+        });
+        new cdk.CfnOutput(this, 'PrimaryEndpoint', {
+            value: this.replicationGroup.attrPrimaryEndPointAddress,
+            description: 'Redis Primary Endpoint Address',
+            exportName: `${config.stackName}-PrimaryEndpoint`,
+        });
+        new cdk.CfnOutput(this, 'PrimaryEndpointPort', {
+            value: this.replicationGroup.attrPrimaryEndPointPort,
+            description: 'Redis Primary Endpoint Port',
+            exportName: `${config.stackName}-PrimaryEndpointPort`,
+        });
+        new cdk.CfnOutput(this, 'SecurityGroupId', {
+            value: this.securityGroup.securityGroupId,
+            description: 'Redis Security Group ID',
+            exportName: `${config.stackName}-RedisSecurityGroupId`,
+        });
+    }
+    // ==========================================
+    // Public Methods
+    // ==========================================
+    /**
+     * Allow Redis access from a security group
+     */
+    allowRedisFrom(sg, description) {
+        const port = 6379;
+        this.securityGroup.addIngressRule(ec2.Peer.securityGroupId(sg.securityGroupId), ec2.Port.tcp(port), description ?? 'Allow Redis from specified security group');
+    }
+}
+exports.ElastiCacheConstruct = ElastiCacheConstruct;

package/dist/aws-cdk/constructs/nacl.d.ts

@@ -0,0 +1,37 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+export interface NaclRuleConfig {
+    ruleNumber: number;
+    protocol: number;
+    ruleAction: 'allow' | 'deny';
+    cidr: string;
+    fromPort?: number;
+    toPort?: number;
+    egress: boolean;
+}
+export interface NaclConfig {
+    name: string;
+    subnetNames: string[];
+    rules: NaclRuleConfig[];
+}
+export interface NaclConstructProps {
+    /** VPC ID (can be ref or imported value) */
+    vpcId: string;
+    /** Prefix for resource naming */
+    namePrefix: string;
+    /** NACL configurations */
+    nacls: NaclConfig[];
+    /** CfnSubnet objects grouped by name */
+    subnets: Map<string, ec2.CfnSubnet[]>;
+    /** Removal policy (default: 'destroy') */
+    removalPolicy?: 'destroy' | 'retain';
+    /** Additional tags */
+    tags?: Record<string, string>;
+}
+/**
+ * NACL construct - สร้าง NACLs และ associate กับ subnets
+ */
+export declare class NaclConstruct extends Construct {
+    readonly nacls: Map<string, ec2.CfnNetworkAcl>;
+    constructor(scope: Construct, id: string, props: NaclConstructProps);
+}

package/dist/aws-cdk/constructs/nacl.js

@@ -0,0 +1,88 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NaclConstruct = void 0;
+const constructs_1 = require("constructs");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+/**
+ * NACL construct - สร้าง NACLs และ associate กับ subnets
+ */
+class NaclConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.nacls = new Map();
+        const { vpcId, namePrefix, nacls, subnets, removalPolicy: rp, tags } = props;
+        const removalPolicy = rp === 'retain' ? aws_cdk_lib_1.RemovalPolicy.RETAIN : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        nacls.forEach((naclConfig) => {
+            // Create NACL
+            const nacl = new ec2.CfnNetworkAcl(this, `Nacl-${naclConfig.name}`, {
+                vpcId: vpcId,
+                tags: [
+                    { key: 'Name', value: `${namePrefix}-${naclConfig.name}-nacl` },
+                    ...Object.entries(tags || {}).map(([key, value]) => ({ key, value })),
+                ],
+            });
+            nacl.applyRemovalPolicy(removalPolicy);
+            this.nacls.set(naclConfig.name, nacl);
+            // Add rules
+            naclConfig.rules.forEach((rule, ruleIndex) => {
+                new ec2.CfnNetworkAclEntry(this, `NaclRule-${naclConfig.name}-${ruleIndex}`, {
+                    networkAclId: nacl.ref,
+                    ruleNumber: rule.ruleNumber,
+                    protocol: rule.protocol,
+                    ruleAction: rule.ruleAction,
+                    cidrBlock: rule.cidr,
+                    egress: rule.egress,
+                    portRange: rule.fromPort !== undefined ? {
+                        from: rule.fromPort,
+                        to: rule.toPort ?? rule.fromPort,
+                    } : undefined,
+                });
+            });
+            // Associate with subnets
+            naclConfig.subnetNames.forEach((subnetName) => {
+                const subnetList = subnets.get(subnetName) || [];
+                subnetList.forEach((subnet, index) => {
+                    new ec2.CfnSubnetNetworkAclAssociation(this, `NaclAssoc-${naclConfig.name}-${subnetName}-${index}`, {
+                        subnetId: subnet.ref,
+                        networkAclId: nacl.ref,
+                    });
+                });
+            });
+        });
+    }
+}
+exports.NaclConstruct = NaclConstruct;

package/dist/aws-cdk/constructs/nlb.d.ts

@@ -0,0 +1,39 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { NlbConfig } from '../interfaces/nlb-config';
+import { VpcConstruct } from './vpc';
+import { AlbConstruct } from './alb';
+export interface NlbConstructProps {
+    config: NlbConfig;
+    vpcConstruct: VpcConstruct;
+    /** ALB construct ที่จะเป็น target ของ NLB */
+    albConstruct: AlbConstruct;
+}
+/**
+ * NLB Construct - สร้าง NLB (internet-facing) + Security Group + Listeners
+ *
+ * Pattern: NLB (internet-facing) → ALB (internal)
+ * - NLB SG: allow inbound from internet
+ * - ALB SG: auto-add ingress from NLB SG (via CfnSecurityGroupIngress เพื่อหลีกเลี่ยง circular dependency)
+ * - Target Group: type ALB, forward traffic ไปที่ internal ALB
+ */
+export declare class NlbConstruct extends Construct {
+    readonly nlb: elbv2.NetworkLoadBalancer;
+    readonly securityGroup: ec2.SecurityGroup;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: NlbConstructProps);
+    private resolveVpc;
+    private createSecurityGroup;
+    private createNlb;
+    private createListeners;
+    /**
+     * เพิ่ม ingress rule ใน ALB SG ให้รับ traffic จาก NLB SG
+     * ใช้ CfnSecurityGroupIngress (L1) แทน sg.addIngressRule (L2)
+     * เพื่อหลีกเลี่ยง circular cross-stack dependency
+     *
+     * Resource นี้จะอยู่ใน NlbStack → reference AlbStack's SG ID ผ่าน Fn::ImportValue (one-way)
+     */
+    private addAlbSgIngress;
+    private createOutputs;
+}