@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/self-signed-cert.d.ts

@@ -0,0 +1,83 @@
+import { Construct } from 'constructs';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+export interface SelfSignedCertificateConstructProps {
+    /**
+     * Domain name for the certificate (CN)
+     * Example: 'example.local', '*.example.local'
+     */
+    domainName: string;
+    /**
+     * Certificate validity in days
+     * Default: 365
+     */
+    validityDays?: number;
+    /**
+     * Organization name
+     * Default: 'Demo'
+     */
+    organization?: string;
+    /**
+     * Country code (2 letters)
+     * Default: 'TH'
+     */
+    country?: string;
+    /**
+     * Removal policy
+     * Default: 'destroy'
+     */
+    removalPolicy?: 'destroy' | 'retain';
+    /**
+     * Stack name for CloudFormation outputs
+     */
+    stackName: string;
+}
+/**
+ * Self-Signed Certificate Construct
+ *
+ * Generates a self-signed SSL/TLS certificate and imports it to ACM.
+ *
+ * Features:
+ * - Generates certificate during CDK synth (no runtime dependencies)
+ * - Imports to ACM using Custom Resource
+ * - Auto-deletes certificate when stack is destroyed
+ * - Suitable for dev/test environments
+ *
+ * ⚠️ WARNING: Self-signed certificates are NOT trusted by browsers.
+ * Use only for development/testing. For production, use ACM request mode
+ * or import certificates from a trusted CA.
+ *
+ * Example:
+ * ```typescript
+ * const cert = new SelfSignedCertificateConstruct(this, 'SelfSignedCert', {
+ *   stackName: 'my-stack',
+ *   domainName: 'app.local',
+ *   validityDays: 365,
+ * });
+ *
+ * // Use with ALB
+ * const alb = new AlbConstruct(this, 'Alb', {
+ *   config: {
+ *     enableHttps: true,
+ *     certificateArn: cert.certificateArn,
+ *   }
+ * });
+ * ```
+ */
+export declare class SelfSignedCertificateConstruct extends Construct {
+    readonly certificate: acm.ICertificate;
+    readonly certificateArn: string;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: SelfSignedCertificateConstructProps);
+    /**
+     * Generate self-signed certificate using OpenSSL
+     *
+     * Certificate is cached in .cdk-selfsigned/ directory to ensure
+     * consistent values across synth runs (prevents cross-stack export changes).
+     * Delete the cache directory to force regeneration.
+     */
+    private generateCertificate;
+    /**
+     * Create CloudFormation outputs
+     */
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/self-signed-cert.js

@@ -0,0 +1,215 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SelfSignedCertificateConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const acm = __importStar(require("aws-cdk-lib/aws-certificatemanager"));
+const cr = __importStar(require("aws-cdk-lib/custom-resources"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const child_process_1 = require("child_process");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+/**
+ * Self-Signed Certificate Construct
+ *
+ * Generates a self-signed SSL/TLS certificate and imports it to ACM.
+ *
+ * Features:
+ * - Generates certificate during CDK synth (no runtime dependencies)
+ * - Imports to ACM using Custom Resource
+ * - Auto-deletes certificate when stack is destroyed
+ * - Suitable for dev/test environments
+ *
+ * ⚠️ WARNING: Self-signed certificates are NOT trusted by browsers.
+ * Use only for development/testing. For production, use ACM request mode
+ * or import certificates from a trusted CA.
+ *
+ * Example:
+ * ```typescript
+ * const cert = new SelfSignedCertificateConstruct(this, 'SelfSignedCert', {
+ *   stackName: 'my-stack',
+ *   domainName: 'app.local',
+ *   validityDays: 365,
+ * });
+ *
+ * // Use with ALB
+ * const alb = new AlbConstruct(this, 'Alb', {
+ *   config: {
+ *     enableHttps: true,
+ *     certificateArn: cert.certificateArn,
+ *   }
+ * });
+ * ```
+ */
+class SelfSignedCertificateConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.removalPolicy = props.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // Generate certificate during synth
+        const { certBody, privateKey } = this.generateCertificate(props);
+        // Import to ACM using Custom Resource
+        const importCert = new cr.AwsCustomResource(this, 'ImportCertificate', {
+            onCreate: {
+                service: 'ACM',
+                action: 'importCertificate',
+                parameters: {
+                    Certificate: certBody,
+                    PrivateKey: privateKey,
+                },
+                physicalResourceId: cr.PhysicalResourceId.fromResponse('CertificateArn'),
+            },
+            onUpdate: {
+                service: 'ACM',
+                action: 'importCertificate',
+                parameters: {
+                    Certificate: certBody,
+                    PrivateKey: privateKey,
+                },
+                physicalResourceId: cr.PhysicalResourceId.fromResponse('CertificateArn'),
+            },
+            onDelete: {
+                service: 'ACM',
+                action: 'deleteCertificate',
+                parameters: {
+                    CertificateArn: new cr.PhysicalResourceIdReference(),
+                },
+            },
+            policy: cr.AwsCustomResourcePolicy.fromStatements([
+                new iam.PolicyStatement({
+                    actions: [
+                        'acm:ImportCertificate',
+                        'acm:DeleteCertificate',
+                        'acm:DescribeCertificate',
+                    ],
+                    resources: ['*'],
+                }),
+            ]),
+        });
+        // Get certificate ARN from response
+        this.certificateArn = importCert.getResponseField('CertificateArn');
+        this.certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', this.certificateArn);
+        // Outputs
+        this.createOutputs(props);
+    }
+    /**
+     * Generate self-signed certificate using OpenSSL
+     *
+     * Certificate is cached in .cdk-selfsigned/ directory to ensure
+     * consistent values across synth runs (prevents cross-stack export changes).
+     * Delete the cache directory to force regeneration.
+     */
+    generateCertificate(props) {
+        const validityDays = props.validityDays ?? 365;
+        const organization = props.organization ?? 'Demo';
+        const country = props.country ?? 'TH';
+        // Cache directory: .cdk-selfsigned/<stackName>/ in project root
+        const projectRoot = process.cwd();
+        const cacheDir = (0, path_1.join)(projectRoot, '.cdk-selfsigned', props.stackName);
+        const cachedKeyFile = (0, path_1.join)(cacheDir, 'key.pem');
+        const cachedCertFile = (0, path_1.join)(cacheDir, 'cert.pem');
+        // Use cached certificate if exists
+        if ((0, fs_1.existsSync)(cachedKeyFile) && (0, fs_1.existsSync)(cachedCertFile)) {
+            console.log(`🔐 Using cached self-signed certificate for ${props.domainName}`);
+            console.log(`   Cache: ${cacheDir}`);
+            const certBody = (0, fs_1.readFileSync)(cachedCertFile, 'utf8');
+            const privateKey = (0, fs_1.readFileSync)(cachedKeyFile, 'utf8');
+            return { certBody, privateKey };
+        }
+        // Generate new certificate
+        const tmpDir = (0, fs_1.mkdtempSync)((0, path_1.join)((0, os_1.tmpdir)(), 'cdk-selfsigned-'));
+        const keyFile = (0, path_1.join)(tmpDir, 'key.pem');
+        const certFile = (0, path_1.join)(tmpDir, 'cert.pem');
+        try {
+            console.log(`🔐 Generating self-signed certificate for ${props.domainName}...`);
+            // Generate private key (2048-bit RSA)
+            (0, child_process_1.execSync)(`openssl genrsa 2048 > "${keyFile}"`, { stdio: 'pipe' });
+            // Generate self-signed certificate
+            const subject = `/CN=${props.domainName}/O=${organization}/C=${country}`;
+            (0, child_process_1.execSync)(`openssl req -new -x509 -key "${keyFile}" -out "${certFile}" -days ${validityDays} -subj "${subject}"`, { stdio: 'pipe' });
+            // Read certificate and key
+            const certBody = (0, fs_1.readFileSync)(certFile, 'utf8');
+            const privateKey = (0, fs_1.readFileSync)(keyFile, 'utf8');
+            // Save to cache
+            (0, fs_1.mkdirSync)(cacheDir, { recursive: true });
+            (0, fs_1.writeFileSync)(cachedKeyFile, privateKey, { mode: 0o600 });
+            (0, fs_1.writeFileSync)(cachedCertFile, certBody);
+            console.log(`✅ Certificate generated and cached`);
+            console.log(`   Domain: ${props.domainName}`);
+            console.log(`   Valid for: ${validityDays} days`);
+            console.log(`   Cache: ${cacheDir}`);
+            console.log(`   ⚠️  Delete cache to regenerate: rm -rf ${cacheDir}`);
+            return { certBody, privateKey };
+        }
+        catch (error) {
+            throw new Error(`Failed to generate self-signed certificate: ${error}\n` +
+                `Make sure OpenSSL is installed and available in PATH.`);
+        }
+        finally {
+            // Cleanup temp files
+            try {
+                (0, fs_1.rmSync)(tmpDir, { recursive: true, force: true });
+            }
+            catch (e) {
+                // Ignore cleanup errors
+            }
+        }
+    }
+    /**
+     * Create CloudFormation outputs
+     */
+    createOutputs(props) {
+        const stack = cdk.Stack.of(this);
+        new cdk.CfnOutput(stack, 'SelfSignedCertificateArn', {
+            value: this.certificateArn,
+            description: `Self-signed certificate ARN for ${props.domainName}`,
+            exportName: `${props.stackName}-SelfSignedCert-Arn`,
+        });
+        new cdk.CfnOutput(stack, 'SelfSignedCertificateDomain', {
+            value: props.domainName,
+            description: 'Certificate domain name',
+            exportName: `${props.stackName}-SelfSignedCert-Domain`,
+        });
+        new cdk.CfnOutput(stack, 'SelfSignedCertificateValidity', {
+            value: `${props.validityDays ?? 365} days`,
+            description: 'Certificate validity period',
+        });
+    }
+}
+exports.SelfSignedCertificateConstruct = SelfSignedCertificateConstruct;

package/dist/aws-cdk/constructs/sqs.d.ts

@@ -0,0 +1,30 @@
+import { Construct } from 'constructs';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import { SqsConfig } from '../interfaces/sqs-config';
+export interface SqsConstructProps {
+    config: SqsConfig;
+}
+/**
+ * SQS Construct — สร้าง SQS Queue + Dead Letter Queue
+ *
+ * สร้าง:
+ *   1. Main Queue (Standard หรือ FIFO)
+ *   2. Dead Letter Queue (optional) — รับ message ที่ process ไม่สำเร็จ
+ *   3. Access Policy (optional) — cross-account permissions
+ *   4. Redrive Allow Policy (optional) — สำหรับ DLQ
+ */
+export declare class SqsConstruct extends Construct {
+    readonly queue: sqs.Queue;
+    readonly deadLetterQueue?: sqs.Queue;
+    readonly queueArn: string;
+    readonly queueUrl: string;
+    readonly deadLetterQueueArn?: string;
+    readonly deadLetterQueueUrl?: string;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: SqsConstructProps);
+    private createDeadLetterQueue;
+    private createMainQueue;
+    private resolveEncryption;
+    private addAccessPolicies;
+    private createOutputs;
+}

package/dist/aws-cdk/constructs/sqs.js

@@ -0,0 +1,268 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SqsConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const sqs = __importStar(require("aws-cdk-lib/aws-sqs"));
+const kms = __importStar(require("aws-cdk-lib/aws-kms"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+/**
+ * SQS Construct — สร้าง SQS Queue + Dead Letter Queue
+ *
+ * สร้าง:
+ *   1. Main Queue (Standard หรือ FIFO)
+ *   2. Dead Letter Queue (optional) — รับ message ที่ process ไม่สำเร็จ
+ *   3. Access Policy (optional) — cross-account permissions
+ *   4. Redrive Allow Policy (optional) — สำหรับ DLQ
+ */
+class SqsConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config } = props;
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // ------------------------------------------
+        // A. Create Dead Letter Queue (ต้องสร้างก่อน Main Queue)
+        // ------------------------------------------
+        if (config.deadLetterQueue) {
+            this.deadLetterQueue = this.createDeadLetterQueue(config);
+            this.deadLetterQueueArn = this.deadLetterQueue.queueArn;
+            this.deadLetterQueueUrl = this.deadLetterQueue.queueUrl;
+        }
+        // ------------------------------------------
+        // B. Create Main Queue
+        // ------------------------------------------
+        this.queue = this.createMainQueue(config);
+        this.queueArn = this.queue.queueArn;
+        this.queueUrl = this.queue.queueUrl;
+        // ------------------------------------------
+        // C. Access Policies
+        // ------------------------------------------
+        this.addAccessPolicies(config);
+        // ------------------------------------------
+        // D. Apply Removal Policy
+        // ------------------------------------------
+        this.queue.applyRemovalPolicy(this.removalPolicy);
+        if (this.deadLetterQueue) {
+            this.deadLetterQueue.applyRemovalPolicy(this.removalPolicy);
+        }
+        // ------------------------------------------
+        // E. Outputs
+        // ------------------------------------------
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // A. Create Dead Letter Queue
+    // ==========================================
+    createDeadLetterQueue(config) {
+        const dlqConfig = config.deadLetterQueue;
+        const fifo = config.fifo ?? false;
+        // DLQ name: custom หรือ <queueName>-dlq
+        let dlqName = dlqConfig.queueName ?? `${config.queueName}-dlq`;
+        if (fifo && !dlqName.endsWith('.fifo')) {
+            dlqName += '.fifo';
+        }
+        // Encryption
+        const encryption = this.resolveEncryption(config);
+        const dlq = new sqs.Queue(this, 'DeadLetterQueue', {
+            queueName: dlqName,
+            fifo,
+            retentionPeriod: cdk.Duration.seconds(dlqConfig.retentionPeriod ?? 1209600), // 14 วัน
+            visibilityTimeout: cdk.Duration.seconds(dlqConfig.visibilityTimeout ?? config.visibilityTimeout ?? 30),
+            encryption: encryption.type,
+            encryptionMasterKey: encryption.key,
+            dataKeyReuse: encryption.dataKeyReuse,
+        });
+        return dlq;
+    }
+    // ==========================================
+    // B. Create Main Queue
+    // ==========================================
+    createMainQueue(config) {
+        const fifo = config.fifo ?? false;
+        // Queue name
+        let queueName = config.queueName;
+        if (fifo && !queueName.endsWith('.fifo')) {
+            queueName += '.fifo';
+        }
+        // Encryption
+        const encryption = this.resolveEncryption(config);
+        // Dead Letter Queue settings
+        let deadLetterQueue;
+        if (this.deadLetterQueue && config.deadLetterQueue) {
+            deadLetterQueue = {
+                queue: this.deadLetterQueue,
+                maxReceiveCount: config.deadLetterQueue.maxReceiveCount ?? 3,
+            };
+        }
+        const queue = new sqs.Queue(this, 'Queue', {
+            queueName,
+            fifo,
+            contentBasedDeduplication: fifo ? (config.contentBasedDeduplication ?? false) : undefined,
+            visibilityTimeout: cdk.Duration.seconds(config.visibilityTimeout ?? 30),
+            retentionPeriod: cdk.Duration.seconds(config.retentionPeriod ?? 345600), // 4 วัน
+            deliveryDelay: cdk.Duration.seconds(config.deliveryDelay ?? 0),
+            receiveMessageWaitTime: cdk.Duration.seconds(config.receiveMessageWaitTime ?? 0),
+            maxMessageSizeBytes: config.maxMessageSize ?? 262144, // 256 KB
+            deadLetterQueue,
+            encryption: encryption.type,
+            encryptionMasterKey: encryption.key,
+            dataKeyReuse: encryption.dataKeyReuse,
+        });
+        // FIFO High Throughput — ตั้งค่าผ่าน L1 escape hatch
+        if (fifo && config.highThroughputFifo) {
+            const cfnQueue = queue.node.defaultChild;
+            cfnQueue.addPropertyOverride('DeduplicationScope', 'messageGroup');
+            cfnQueue.addPropertyOverride('FifoThroughputLimit', 'perMessageGroupId');
+        }
+        else if (fifo && config.fifoThroughputLimit === 'perMessageGroupId') {
+            const cfnQueue = queue.node.defaultChild;
+            cfnQueue.addPropertyOverride('FifoThroughputLimit', 'perMessageGroupId');
+        }
+        return queue;
+    }
+    // ==========================================
+    // Encryption Helper
+    // ==========================================
+    resolveEncryption(config) {
+        const encConfig = config.encryption;
+        const encType = encConfig?.type ?? 'sqs-managed';
+        if (encType === 'kms' && encConfig?.kmsKeyArn) {
+            return {
+                type: sqs.QueueEncryption.KMS,
+                key: kms.Key.fromKeyArn(this, 'EncryptionKey', encConfig.kmsKeyArn),
+                dataKeyReuse: cdk.Duration.seconds(encConfig.kmsDataKeyReusePeriod ?? 300),
+            };
+        }
+        if (encType === 'none') {
+            return { type: sqs.QueueEncryption.UNENCRYPTED };
+        }
+        // Default: SQS managed
+        return { type: sqs.QueueEncryption.SQS_MANAGED };
+    }
+    // ==========================================
+    // C. Access Policies
+    // ==========================================
+    addAccessPolicies(config) {
+        // Allow SendMessage from specific accounts
+        if (config.allowSendFromAccounts && config.allowSendFromAccounts.length > 0) {
+            const principals = config.allowSendFromAccounts.map((accountId) => new iam.AccountPrincipal(accountId));
+            this.queue.addToResourcePolicy(new iam.PolicyStatement({
+                sid: 'AllowSendFromAccounts',
+                effect: iam.Effect.ALLOW,
+                principals,
+                actions: ['sqs:SendMessage'],
+                resources: [this.queue.queueArn],
+            }));
+        }
+        // Allow ReceiveMessage + DeleteMessage from specific accounts
+        if (config.allowReceiveFromAccounts && config.allowReceiveFromAccounts.length > 0) {
+            const principals = config.allowReceiveFromAccounts.map((accountId) => new iam.AccountPrincipal(accountId));
+            this.queue.addToResourcePolicy(new iam.PolicyStatement({
+                sid: 'AllowReceiveFromAccounts',
+                effect: iam.Effect.ALLOW,
+                principals,
+                actions: [
+                    'sqs:ReceiveMessage',
+                    'sqs:DeleteMessage',
+                    'sqs:GetQueueAttributes',
+                ],
+                resources: [this.queue.queueArn],
+            }));
+        }
+        // Redrive allow policy on DLQ
+        if (this.deadLetterQueue && config.redriveAllowPolicy) {
+            const rap = config.redriveAllowPolicy;
+            if (rap.redrivePermission === 'denyAll') {
+                // Deny all queues from using this as DLQ
+                const cfnDlq = this.deadLetterQueue.node.defaultChild;
+                cfnDlq.addPropertyOverride('RedriveAllowPolicy', {
+                    redrivePermission: 'denyAll',
+                });
+            }
+            else if (rap.redrivePermission === 'byQueue' && rap.sourceQueueArns) {
+                const cfnDlq = this.deadLetterQueue.node.defaultChild;
+                cfnDlq.addPropertyOverride('RedriveAllowPolicy', {
+                    redrivePermission: 'byQueue',
+                    sourceQueueArns: rap.sourceQueueArns,
+                });
+            }
+            // 'allowAll' is the default — ไม่ต้องตั้งค่า
+        }
+    }
+    // ==========================================
+    // E. Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        new cdk.CfnOutput(stack, 'QueueUrl', {
+            value: this.queue.queueUrl,
+            description: 'SQS Queue URL',
+            exportName: `${prefix}-SQS-QueueUrl`,
+        });
+        new cdk.CfnOutput(stack, 'QueueArn', {
+            value: this.queue.queueArn,
+            description: 'SQS Queue ARN',
+            exportName: `${prefix}-SQS-QueueArn`,
+        });
+        new cdk.CfnOutput(stack, 'QueueName', {
+            value: this.queue.queueName,
+            description: 'SQS Queue Name',
+            exportName: `${prefix}-SQS-QueueName`,
+        });
+        if (this.deadLetterQueue) {
+            new cdk.CfnOutput(stack, 'DlqUrl', {
+                value: this.deadLetterQueue.queueUrl,
+                description: 'Dead Letter Queue URL',
+                exportName: `${prefix}-SQS-DlqUrl`,
+            });
+            new cdk.CfnOutput(stack, 'DlqArn', {
+                value: this.deadLetterQueue.queueArn,
+                description: 'Dead Letter Queue ARN',
+                exportName: `${prefix}-SQS-DlqArn`,
+            });
+            new cdk.CfnOutput(stack, 'DlqName', {
+                value: this.deadLetterQueue.queueName,
+                description: 'Dead Letter Queue Name',
+                exportName: `${prefix}-SQS-DlqName`,
+            });
+        }
+    }
+}
+exports.SqsConstruct = SqsConstruct;

package/dist/aws-cdk/constructs/vpc.d.ts

@@ -0,0 +1,30 @@
+import { Construct } from 'constructs';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { VpcConfig } from '../interfaces/vpc-config';
+export interface VpcConstructProps {
+    config: VpcConfig;
+}
+export declare class VpcConstruct extends Construct {
+    readonly vpc: ec2.CfnVPC;
+    readonly subnets: Map<string, ec2.CfnSubnet>;
+    readonly subnetsByName: Map<string, ec2.CfnSubnet[]>;
+    readonly routeTables: Map<string, ec2.CfnRouteTable>;
+    /** Map: subnetKey (name-az) → routeTableId (CfnRouteTable.ref) */
+    readonly subnetRouteTableMap: Map<string, string>;
+    readonly natGateways: ec2.CfnNatGateway[];
+    private igw?;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: VpcConstructProps);
+    private createRoutesForRouteTable;
+    private createDefaultRoutes;
+    private createRoute;
+    /**
+     * Get routeTableId for a subnet by name and az
+     * ลองหา key "name-az" ก่อน, ถ้าไม่เจอ fallback ไป "name" (routeTablePerAz: false)
+     */
+    getRouteTableId(subnetName: string, az: string): string | undefined;
+    /**
+     * Export VPC and subnet IDs for cross-stack references (e.g., Network Security Stack)
+     */
+    exportForSecurityStack(stackName: string): void;
+}