@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/vpc.js

@@ -0,0 +1,423 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VpcConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const logs = __importStar(require("aws-cdk-lib/aws-logs"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const nacl_1 = require("./nacl");
+class VpcConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.subnets = new Map();
+        this.subnetsByName = new Map();
+        this.routeTables = new Map();
+        /** Map: subnetKey (name-az) → routeTableId (CfnRouteTable.ref) */
+        this.subnetRouteTableMap = new Map();
+        this.natGateways = [];
+        const { config } = props;
+        // Resolve region: ใช้ config.region ถ้ามี, ไม่งั้น fallback ไป Stack region
+        const resolvedRegion = config.region ?? cdk.Stack.of(this).region;
+        // Determine removal policy (default: retain for prod, destroy for others)
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : config.removalPolicy === 'destroy'
+                ? aws_cdk_lib_1.RemovalPolicy.DESTROY
+                : config.type === 'prod'
+                    ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+                    : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // 1. Create VPC
+        this.vpc = new ec2.CfnVPC(this, 'Vpc', {
+            cidrBlock: config.cidr,
+            enableDnsHostnames: config.enableDnsHostnames ?? true,
+            enableDnsSupport: config.enableDnsSupport ?? true,
+            tags: [{ key: 'Name', value: `${config.name}-${config.type}-vpc` }],
+        });
+        this.vpc.applyRemovalPolicy(this.removalPolicy);
+        // 1.1 Add Secondary CIDRs
+        const allCidrs = [config.cidr, ...(config.secondaryCidrs || [])];
+        const secondaryCidrBlocks = [];
+        if (config.secondaryCidrs) {
+            config.secondaryCidrs.forEach((cidr, index) => {
+                const cidrBlock = new ec2.CfnVPCCidrBlock(this, `SecondaryCidr-${index}`, {
+                    vpcId: this.vpc.ref,
+                    cidrBlock: cidr,
+                });
+                cidrBlock.applyRemovalPolicy(this.removalPolicy);
+                secondaryCidrBlocks.push(cidrBlock);
+            });
+        }
+        // Helper: check if subnet CIDR is in secondary CIDR range
+        const isInSecondaryCidr = (subnetCidr) => {
+            if (!config.secondaryCidrs)
+                return false;
+            const subnetIp = subnetCidr.split('/')[0].split('.').map(Number);
+            return config.secondaryCidrs.some(cidr => {
+                const [cidrIp, cidrMask] = cidr.split('/');
+                const cidrParts = cidrIp.split('.').map(Number);
+                const mask = parseInt(cidrMask);
+                const maskBits = ~((1 << (32 - mask)) - 1) >>> 0;
+                const subnetNum = (subnetIp[0] << 24) + (subnetIp[1] << 16) + (subnetIp[2] << 8) + subnetIp[3];
+                const cidrNum = (cidrParts[0] << 24) + (cidrParts[1] << 16) + (cidrParts[2] << 8) + cidrParts[3];
+                return (subnetNum & maskBits) === (cidrNum & maskBits);
+            });
+        };
+        // 2. Create Internet Gateway (ถ้ามี public subnet)
+        const hasPublicSubnet = config.subnets.some(s => s.type === 'public');
+        if (hasPublicSubnet) {
+            this.igw = new ec2.CfnInternetGateway(this, 'Igw', {
+                tags: [{ key: 'Name', value: `${config.name}-${config.type}-igw` }],
+            });
+            this.igw.applyRemovalPolicy(this.removalPolicy);
+            const igwAttachment = new ec2.CfnVPCGatewayAttachment(this, 'IgwAttachment', {
+                vpcId: this.vpc.ref,
+                internetGatewayId: this.igw.ref,
+            });
+            igwAttachment.applyRemovalPolicy(this.removalPolicy);
+        }
+        // 3. Create NAT Gateways ก่อน (เพื่อให้ใช้ใน custom routes ได้)
+        // เก็บ NAT subnet configs ไว้สำหรับสร้าง route table ทีหลัง
+        const natSubnetConfigs = [];
+        if (config.natGateways) {
+            config.natGateways.forEach((natConfig, index) => {
+                // หา public subnet ที่ match (ถ้าระบุ az จะหาตาม az)
+                const publicSubnetConfig = config.subnets.find(s => s.type === 'public' &&
+                    s.name === natConfig.subnetName &&
+                    (natConfig.az ? s.az === natConfig.az : true));
+                if (publicSubnetConfig) {
+                    const eip = new ec2.CfnEIP(this, `NatEip-${index}`, {
+                        domain: 'vpc',
+                        tags: [{ key: 'Name', value: `${config.name}-${config.type}-nat-eip-${publicSubnetConfig.az}` }],
+                    });
+                    eip.applyRemovalPolicy(this.removalPolicy);
+                    // สร้าง subnet สำหรับ NAT ก่อน
+                    const subnetKey = `${publicSubnetConfig.name}-${publicSubnetConfig.az}`;
+                    // ตรวจสอบว่า subnet นี้สร้างไปแล้วหรือยัง
+                    let natSubnet = this.subnets.get(subnetKey);
+                    if (!natSubnet) {
+                        natSubnet = new ec2.CfnSubnet(this, `NatSubnet-${publicSubnetConfig.az}`, {
+                            vpcId: this.vpc.ref,
+                            cidrBlock: publicSubnetConfig.cidr,
+                            availabilityZone: `${resolvedRegion}${publicSubnetConfig.az}`,
+                            mapPublicIpOnLaunch: true,
+                            tags: [{ key: 'Name', value: `${config.name}-${config.type}-${publicSubnetConfig.name}-${publicSubnetConfig.az}` }],
+                        });
+                        natSubnet.applyRemovalPolicy(this.removalPolicy);
+                        // Track NAT subnet in maps for exports
+                        this.subnets.set(subnetKey, natSubnet);
+                        if (!this.subnetsByName.has(publicSubnetConfig.name)) {
+                            this.subnetsByName.set(publicSubnetConfig.name, []);
+                        }
+                        this.subnetsByName.get(publicSubnetConfig.name).push(natSubnet);
+                        // เก็บ config ไว้สำหรับสร้าง route table
+                        natSubnetConfigs.push(publicSubnetConfig);
+                    }
+                    const nat = new ec2.CfnNatGateway(this, `Nat-${publicSubnetConfig.az}`, {
+                        subnetId: natSubnet.ref,
+                        allocationId: eip.attrAllocationId,
+                        tags: [{ key: 'Name', value: `${config.name}-${config.type}-nat-${publicSubnetConfig.az}` }],
+                    });
+                    nat.applyRemovalPolicy(this.removalPolicy);
+                    this.natGateways.push(nat);
+                }
+            });
+        }
+        // 3.1 Create Route Tables for NAT subnets
+        natSubnetConfigs.forEach(subnetConfig => {
+            const subnetKey = `${subnetConfig.name}-${subnetConfig.az}`;
+            const natSubnet = this.subnets.get(subnetKey);
+            const routeTablePerAz = config.routeTablePerAz ?? true;
+            const rtKey = routeTablePerAz
+                ? `${subnetConfig.name}-${subnetConfig.az}`
+                : subnetConfig.name;
+            let routeTable;
+            if (this.routeTables.has(rtKey)) {
+                routeTable = this.routeTables.get(rtKey);
+            }
+            else {
+                const rtName = routeTablePerAz
+                    ? `${config.name}-${config.type}-${subnetConfig.name}-${subnetConfig.az}-rt`
+                    : `${config.name}-${config.type}-${subnetConfig.name}-rt`;
+                routeTable = new ec2.CfnRouteTable(this, `RT-${rtKey}`, {
+                    vpcId: this.vpc.ref,
+                    tags: [{ key: 'Name', value: rtName }],
+                });
+                routeTable.applyRemovalPolicy(this.removalPolicy);
+                this.routeTables.set(rtKey, routeTable);
+                // Add routes
+                this.createRoutesForRouteTable(config, subnetConfig, routeTable, rtKey);
+            }
+            const rtAssoc = new ec2.CfnSubnetRouteTableAssociation(this, `RTAssoc-${subnetKey}`, {
+                subnetId: natSubnet.ref,
+                routeTableId: routeTable.ref,
+            });
+            rtAssoc.applyRemovalPolicy(this.removalPolicy);
+            // Track subnet → routeTable mapping
+            this.subnetRouteTableMap.set(subnetKey, routeTable.ref);
+        });
+        // 4. Create Subnets และ Route Tables
+        const createdSubnets = new Set(); // track subnets ที่สร้างแล้ว (จาก NAT)
+        // Mark NAT subnets as created
+        if (config.natGateways) {
+            config.natGateways.forEach(natConfig => {
+                const publicSubnetConfig = config.subnets.find(s => s.type === 'public' &&
+                    s.name === natConfig.subnetName &&
+                    (natConfig.az ? s.az === natConfig.az : true));
+                if (publicSubnetConfig) {
+                    createdSubnets.add(`${publicSubnetConfig.name}-${publicSubnetConfig.az}`);
+                }
+            });
+        }
+        config.subnets.forEach((subnetConfig, index) => {
+            const subnetKey = `${subnetConfig.name}-${subnetConfig.az}`;
+            // Skip ถ้าสร้างไปแล้ว (จาก NAT)
+            if (createdSubnets.has(subnetKey)) {
+                return;
+            }
+            const subnet = new ec2.CfnSubnet(this, `Subnet-${subnetKey}`, {
+                vpcId: this.vpc.ref,
+                cidrBlock: subnetConfig.cidr,
+                availabilityZone: `${resolvedRegion}${subnetConfig.az}`,
+                mapPublicIpOnLaunch: subnetConfig.type === 'public',
+                tags: [{ key: 'Name', value: `${config.name}-${config.type}-${subnetConfig.name}-${subnetConfig.az}` }],
+            });
+            subnet.applyRemovalPolicy(this.removalPolicy);
+            // Add dependency on secondary CIDR if subnet is in secondary range
+            if (isInSecondaryCidr(subnetConfig.cidr)) {
+                secondaryCidrBlocks.forEach(cidrBlock => {
+                    subnet.addDependency(cidrBlock);
+                });
+            }
+            this.subnets.set(subnetKey, subnet);
+            // Group by name for NACLs and exports
+            if (!this.subnetsByName.has(subnetConfig.name)) {
+                this.subnetsByName.set(subnetConfig.name, []);
+            }
+            this.subnetsByName.get(subnetConfig.name).push(subnet);
+            // Create Route Table
+            const routeTablePerAz = config.routeTablePerAz ?? true;
+            const rtKey = routeTablePerAz
+                ? `${subnetConfig.name}-${subnetConfig.az}` // แยกตาม AZ
+                : subnetConfig.name; // ใช้ร่วมกันตาม name
+            let routeTable;
+            if (this.routeTables.has(rtKey)) {
+                // ใช้ route table ที่มีอยู่แล้ว
+                routeTable = this.routeTables.get(rtKey);
+            }
+            else {
+                // สร้าง route table ใหม่
+                const rtName = routeTablePerAz
+                    ? `${config.name}-${config.type}-${subnetConfig.name}-${subnetConfig.az}-rt`
+                    : `${config.name}-${config.type}-${subnetConfig.name}-rt`;
+                routeTable = new ec2.CfnRouteTable(this, `RT-${rtKey}`, {
+                    vpcId: this.vpc.ref,
+                    tags: [{ key: 'Name', value: rtName }],
+                });
+                routeTable.applyRemovalPolicy(this.removalPolicy);
+                this.routeTables.set(rtKey, routeTable);
+                // Add routes from routeTables config or use default
+                this.createRoutesForRouteTable(config, subnetConfig, routeTable, rtKey);
+            }
+            const rtAssoc = new ec2.CfnSubnetRouteTableAssociation(this, `RTAssoc-${subnetKey}`, {
+                subnetId: subnet.ref,
+                routeTableId: routeTable.ref,
+            });
+            rtAssoc.applyRemovalPolicy(this.removalPolicy);
+            // Track subnet → routeTable mapping
+            this.subnetRouteTableMap.set(subnetKey, routeTable.ref);
+        });
+        // 5. Enable Flow Logs
+        if (config.enableFlowLogs) {
+            const logGroup = new logs.LogGroup(this, 'FlowLogGroup', {
+                logGroupName: `/vpc/${config.name}-${config.type}/flow-logs`,
+                retention: logs.RetentionDays.ONE_MONTH,
+                removalPolicy: this.removalPolicy,
+            });
+            const flowLogRole = new iam.Role(this, 'FlowLogRole', {
+                assumedBy: new iam.ServicePrincipal('vpc-flow-logs.amazonaws.com'),
+            });
+            flowLogRole.applyRemovalPolicy(this.removalPolicy);
+            logGroup.grantWrite(flowLogRole);
+            const flowLog = new ec2.CfnFlowLog(this, 'FlowLog', {
+                resourceId: this.vpc.ref,
+                resourceType: 'VPC',
+                trafficType: 'ALL',
+                logDestinationType: 'cloud-watch-logs',
+                logGroupName: logGroup.logGroupName,
+                deliverLogsPermissionArn: flowLogRole.roleArn,
+            });
+            flowLog.applyRemovalPolicy(this.removalPolicy);
+        }
+        // 6. Create NACLs (inline mode)
+        if (config.nacls && config.nacls.length > 0) {
+            new nacl_1.NaclConstruct(this, 'Nacl', {
+                vpcId: this.vpc.ref,
+                namePrefix: `${config.name}-${config.type}`,
+                nacls: config.nacls,
+                subnets: this.subnetsByName,
+                tags: config.tags,
+            });
+        }
+    }
+    createRoutesForRouteTable(config, subnetConfig, routeTable, rtKey) {
+        const routeTablePerAz = config.routeTablePerAz ?? true;
+        // หา custom route table config ที่ match
+        let rtConfig;
+        if (config.routeTables) {
+            if (routeTablePerAz) {
+                // หา config ที่ match ทั้ง name และ az
+                rtConfig = config.routeTables.find(rt => rt.name === subnetConfig.name && rt.az === subnetConfig.az);
+                // ถ้าไม่เจอ ลองหาที่ match แค่ name (ไม่ระบุ az = ใช้กับทุก az)
+                if (!rtConfig) {
+                    rtConfig = config.routeTables.find(rt => rt.name === subnetConfig.name && !rt.az);
+                }
+            }
+            else {
+                // หา config ที่ match name
+                rtConfig = config.routeTables.find(rt => rt.name === subnetConfig.name);
+            }
+        }
+        if (rtConfig) {
+            // ใช้ custom routes
+            rtConfig.routes.forEach((route, routeIndex) => {
+                this.createRoute(routeTable, route.destinationCidr, route.target, `${rtKey}-${routeIndex}`);
+            });
+        }
+        else {
+            // ใช้ default routes ตาม subnet type
+            this.createDefaultRoutes(subnetConfig, routeTable, rtKey);
+        }
+    }
+    createDefaultRoutes(subnetConfig, routeTable, rtKey) {
+        switch (subnetConfig.type) {
+            case 'public':
+                if (this.igw) {
+                    new ec2.CfnRoute(this, `Route-Default-${rtKey}`, {
+                        routeTableId: routeTable.ref,
+                        destinationCidrBlock: '0.0.0.0/0',
+                        gatewayId: this.igw.ref,
+                    });
+                }
+                break;
+            case 'private':
+                if (this.natGateways.length > 0) {
+                    new ec2.CfnRoute(this, `Route-Default-${rtKey}`, {
+                        routeTableId: routeTable.ref,
+                        destinationCidrBlock: '0.0.0.0/0',
+                        natGatewayId: this.natGateways[0].ref,
+                    });
+                }
+                break;
+            // isolated ไม่มี default route
+        }
+    }
+    createRoute(routeTable, destinationCidr, target, routeId) {
+        const routeProps = {
+            routeTableId: routeTable.ref,
+            destinationCidrBlock: destinationCidr,
+        };
+        switch (target.type) {
+            case 'igw':
+                if (this.igw) {
+                    new ec2.CfnRoute(this, `Route-${routeId}`, {
+                        ...routeProps,
+                        gatewayId: this.igw.ref,
+                    });
+                }
+                break;
+            case 'nat':
+                if (this.natGateways[target.natIndex]) {
+                    new ec2.CfnRoute(this, `Route-${routeId}`, {
+                        ...routeProps,
+                        natGatewayId: this.natGateways[target.natIndex].ref,
+                    });
+                }
+                break;
+            case 'vpcPeering':
+                new ec2.CfnRoute(this, `Route-${routeId}`, {
+                    ...routeProps,
+                    vpcPeeringConnectionId: target.peeringId,
+                });
+                break;
+            case 'transitGateway':
+                new ec2.CfnRoute(this, `Route-${routeId}`, {
+                    ...routeProps,
+                    transitGatewayId: target.tgwId,
+                });
+                break;
+            case 'vpcEndpoint':
+                new ec2.CfnRoute(this, `Route-${routeId}`, {
+                    ...routeProps,
+                    vpcEndpointId: target.endpointId,
+                });
+                break;
+        }
+    }
+    /**
+     * Get routeTableId for a subnet by name and az
+     * ลองหา key "name-az" ก่อน, ถ้าไม่เจอ fallback ไป "name" (routeTablePerAz: false)
+     */
+    getRouteTableId(subnetName, az) {
+        return this.subnetRouteTableMap.get(`${subnetName}-${az}`)
+            ?? this.subnetRouteTableMap.get(subnetName);
+    }
+    /**
+     * Export VPC and subnet IDs for cross-stack references (e.g., Network Security Stack)
+     */
+    exportForSecurityStack(stackName) {
+        const stack = cdk.Stack.of(this);
+        // Export VPC ID
+        new cdk.CfnOutput(stack, 'VpcIdExport', {
+            value: this.vpc.ref,
+            exportName: `${stackName}-VpcId`,
+        });
+        // Export subnet IDs grouped by name
+        this.subnetsByName.forEach((subnets, name) => {
+            const subnetIds = subnets.map(s => s.ref);
+            new cdk.CfnOutput(stack, `SubnetIds-${name}`, {
+                value: cdk.Fn.join(',', subnetIds),
+                exportName: `${stackName}-SubnetIds-${name}`,
+            });
+            new cdk.CfnOutput(stack, `SubnetCount-${name}`, {
+                value: subnets.length.toString(),
+                exportName: `${stackName}-SubnetCount-${name}`,
+            });
+        });
+    }
+}
+exports.VpcConstruct = VpcConstruct;

package/dist/aws-cdk/constructs/waf.d.ts

@@ -0,0 +1,37 @@
+import { Construct } from 'constructs';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { WafConfig } from '../interfaces/waf-config';
+export interface WafConstructProps {
+    config: WafConfig;
+}
+/**
+ * WAF v2 Construct — สร้าง WebACL พร้อม AWS Managed Rule Sets
+ *
+ * Features:
+ * - AWS Managed Rule Groups (Common, SQLi, KnownBadInputs, etc.)
+ * - Rate Limiting per IP
+ * - Geo Blocking
+ * - IP Allow/Block Lists
+ * - CloudWatch Logging (filtered)
+ *
+ * Scopes:
+ * - CLOUDFRONT → ต้อง deploy ใน us-east-1, ใช้กับ CloudFront
+ * - REGIONAL   → ใช้กับ ALB, API Gateway, AppSync
+ */
+export declare class WafConstruct extends Construct {
+    readonly webAcl: wafv2.CfnWebACL;
+    readonly webAclArn: string;
+    readonly logGroup?: logs.LogGroup;
+    private readonly removalPolicy;
+    constructor(scope: Construct, id: string, props: WafConstructProps);
+    private createIpSets;
+    private createIpSet;
+    private buildRules;
+    private buildManagedRuleGroup;
+    private resolveAction;
+    private createWebAcl;
+    private createLogging;
+    private createAssociations;
+    private createOutputs;
+}