@emarketeer/ts-microservice-commons 7.1.0-beta.21 → 7.1.0-beta.22

package/dist/cdk/cjs/index.js

@@ -2075,6 +2075,7 @@ class EmStack extends cdk.Stack {
             costCenter: props.costCenter,
             customTags: props.tags
         });
+        cdk.Tags.of(this).add('em-microservice', `${props.stage}-${props.serviceName}`);
         if (props.useSharedRole) {
             this.sharedRole = new awsIam.Role(this, 'LambdaExecutionRole', {
                 roleName: `${props.serviceName}-${props.stage}-${this.region}-lambdaRole`,
@@ -2100,8 +2101,24 @@ class EmStack extends cdk.Stack {
      * This means existing Serverless stacks are migrated in-place — no manual
      * logical ID overrides needed.
      */
+    /**
+     * Merge per-call config with defaultFunctionConfig.
+     * Environment is deep-merged (per-call values override matching keys).
+     * All other fields use per-call values when provided.
+     */
+    mergeConfig(config) {
+        const defaults = this.defaultFunctionConfig;
+        const merged = { ...defaults, ...config };
+        if (defaults.environment || config.environment) {
+            merged.environment = {
+                ...(defaults.environment ?? {}),
+                ...(config.environment ?? {})
+            };
+        }
+        return merged;
+    }
     createFunction(id, config) {
-        const merged = { ...this.defaultFunctionConfig, ...config };
+        const merged = this.mergeConfig(config);
         const resolved = resolveHandlerPath(merged);
         const functionName = resolved.functionName;
         const handler = resolved.handler ?? merged.handler;
@@ -2148,7 +2165,7 @@ class EmStack extends cdk.Stack {
      * ```
      */
     createQueueConsumer(id, config) {
-        const merged = { ...this.defaultFunctionConfig, ...config };
+        const merged = this.mergeConfig(config);
         const { functionName } = resolveHandlerPath(merged);
         return new LambdaWithQueue(this, id, {
             ...merged,
@@ -2175,7 +2192,7 @@ class EmStack extends cdk.Stack {
     createScheduledFunction(id, config) {
         const { schedule, ruleName, ruleDescription, ...functionConfig } = config;
         const fn = this.createFunction(id, functionConfig);
-        const resolved = resolveHandlerPath({ ...this.defaultFunctionConfig, ...functionConfig });
+        const resolved = resolveHandlerPath(this.mergeConfig(functionConfig));
         const rule = new EmEventBridgeRule(this, `${id}Rule`, {
             stage: config.stage ?? this.stage,
             serviceName: config.serviceName ?? this.serviceName,
@@ -2202,6 +2219,61 @@ class EmStack extends cdk.Stack {
         const arn = `arn:${cdk.Aws.PARTITION}:sns:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:${this.stage}-alarm-email`;
         return awsSns.Topic.fromTopicArn(this, 'AlarmTopic', arn);
     }
+    /**
+     * Add a Lambda invoke policy to the shared role (account-scoped).
+     * Requires `useSharedRole: true`.
+     */
+    addLambdaInvokePolicy() {
+        this.requireSharedRole('addLambdaInvokePolicy');
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['lambda:InvokeFunction'],
+            resources: [`arn:${cdk.Aws.PARTITION}:lambda:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:function:*`]
+        }));
+    }
+    /**
+     * Add a Kinesis PutRecord/PutRecords policy to the shared role.
+     * @param streamName - Short stream name (prefixed with `{stage}-`).
+     */
+    addKinesisPolicy(streamName) {
+        this.requireSharedRole('addKinesisPolicy');
+        const arn = `arn:${cdk.Aws.PARTITION}:kinesis:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:stream/${this.stage}-${streamName}`;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['kinesis:PutRecord', 'kinesis:PutRecords'],
+            resources: [arn]
+        }));
+    }
+    /**
+     * Add an SNS Publish policy to the shared role.
+     * @param topic - An ITopic reference.
+     */
+    addSnsPublishPolicy(topic) {
+        this.requireSharedRole('addSnsPublishPolicy');
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['sns:Publish'],
+            resources: [topic.topicArn]
+        }));
+    }
+    /**
+     * Add an SQS SendMessage policy to the shared role.
+     * @param queueName - Short queue name (prefixed with `{stage}-`).
+     */
+    addSqsSendPolicy(queueName) {
+        this.requireSharedRole('addSqsSendPolicy');
+        const arn = `arn:${cdk.Aws.PARTITION}:sqs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:${this.stage}-${queueName}`;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['sqs:SendMessage', 'sqs:GetQueueAttributes', 'sqs:GetQueueUrl'],
+            resources: [arn]
+        }));
+    }
+    requireSharedRole(methodName) {
+        if (!this.sharedRole) {
+            throw new Error(`${methodName}() requires useSharedRole: true on the stack.`);
+        }
+    }
     /**
      * Create a CfnOutput with a stable export name.
      * Export pattern: `sls-{serviceName}-{stage}-{outputKey}`
@@ -2245,6 +2317,9 @@ function createRdsVpcConfig(scope, stage, config) {
     if (config.overrideLogicalIds?.ingress) {
         ingress.overrideLogicalId(config.overrideLogicalIds.ingress);
     }
+    if (config.sharedRole) {
+        config.sharedRole.addManagedPolicy(awsIam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'));
+    }
     return {
         vpc,
         vpcSubnets: { subnets: privateSubnets },