npm - @fjall/components-infrastructure - Versions diffs - 0.100.0 → 1.1.0 - Mend

@fjall/components-infrastructure 0.100.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/dist/lib/patterns/aws/interfaces/database.d.ts CHANGED Viewed

@@ -23,7 +23,7 @@ import { type Secret } from "../../../resources/aws/secrets/index.js";
 import { type SnapshotTarget } from "../../../utils/databaseTypes.js";
 import { type IMigrationContributor } from "./migrationContributor.js";
 export { type SnapshotTarget } from "../../../utils/databaseTypes.js";
-export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV } from "@fjall/util";
+export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV } from "@fjall/util";
 /**
  * Declarative migration configuration on a relational database. Drives:
  *  - the schema-version resolver at synth (filesystem scan of `dir`)
@@ -42,6 +42,21 @@ export type MigrationsConfig = {
     readonly dir: string;
     readonly versionResolver: (dir: string) => string;
 };
+/**
+ * Declarative migration configuration on a ClickHouse database. Drives:
+ *  - the schema-version resolver at synth (filesystem scan of `dir`)
+ *  - the `EXPECTED_CH_SCHEMA_VERSION` auto-injection through every
+ *    connected service's containers
+ *
+ * The default resolver picks the lexicographically-latest `*.sql` filename
+ * under `dir` (skipping `*.dev.sql`), matching what `runSqlMigrations`
+ * records in `_schema_migrations.ch_version`. `versionResolver` overrides
+ * the default for projects with a different file convention.
+ */
+export type ClickHouseMigrationsConfig = {
+    readonly dir: string;
+    readonly versionResolver?: (dir: string) => string;
+};
 /**
  * Database type discriminator.
  * Relational types share the IRelationalDatabase interface.
@@ -267,6 +282,22 @@ export interface IClickHouseDatabase extends IDatabase, IConnectable, IMigration
     getBackupBucket(): IBucket;
     /** Get the cold-tier bucket, or `undefined` when cold-tier storage is disabled. */
     getColdTierBucket(): IBucket | undefined;
+    /**
+     * Returns the migration configuration declared on this ClickHouse database,
+     * or `undefined` when the user did not declare one. When set, every
+     * container of every service in this database's `connections:` graph
+     * receives an `EXPECTED_CH_SCHEMA_VERSION` env entry (unless service-level
+     * `schemaGate: false`).
+     */
+    getMigrationsConfig(): ClickHouseMigrationsConfig | undefined;
+    /**
+     * Resolves `migrations.dir` via the resolver (default
+     * `pickLatestClickHouseMigration`) at synth time. Returns `undefined`
+     * when no `migrations:` was declared. Throws when declared but the
+     * directory is empty / unreadable / contains no matching entries — fail
+     * loud, never silent.
+     */
+    getExpectedSchemaVersion(): string | undefined;
     /**
      * Grant connect permissions to a grantee.
      * Adds the grantee to the database security group on both ports.

package/dist/lib/patterns/aws/interfaces/database.js CHANGED Viewed

@@ -13,7 +13,7 @@
  * dynamo.getTableName(); // ✓ Available on IDynamoDBDatabase
  * dynamo.getHostEndpoint(); // ✗ Compile error - not on IDynamoDBDatabase
  */
-export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV } from "@fjall/util";
+export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV } from "@fjall/util";
 /**
  * Relational database type discriminator.
  */

package/dist/lib/resources/aws/database/clickhouseConstants.d.ts CHANGED Viewed

@@ -53,6 +53,27 @@ export declare const CLICKHOUSE_TASK_MEMORY_MIB = 3072;
 export declare const CLICKHOUSE_HTTP_PORT = 8123;
 export declare const CLICKHOUSE_NATIVE_PORT = 9000;
 export declare const CLICKHOUSE_PROMETHEUS_PORT = 9363;
+/** TLS-mode ClickHouse ports.
+ *  HTTPS replaces 8123; secure native protocol replaces 9000.
+ *  See aiDocs/patterns/clickhouse-tls-pattern.md § "The contract". */
+export declare const CLICKHOUSE_HTTPS_PORT = 8443;
+export declare const CLICKHOUSE_TCP_SECURE_PORT = 9440;
+/** Mount path inside the main ClickHouse container for the materialised
+ *  TLS cert + key. The init container writes to a shared task-scoped volume
+ *  mounted here read-only on the main container. */
+export declare const CLICKHOUSE_TLS_CERT_MOUNT_PATH = "/etc/clickhouse-server/certs";
+/** Task-scoped Docker volume name shared between the TLS init container
+ *  (writer) and the main ClickHouse container (reader). */
+export declare const CLICKHOUSE_TLS_CERT_VOLUME_NAME = "tls-certs";
+/** UID:GID the official ClickHouse image runs as. Init container `chown`s
+ *  the materialised cert files to this UID so the server can read them. */
+export declare const CLICKHOUSE_UID = 101;
+/** Digest-pinned alpine image used by the TLS init container. The init
+ *  container needs `jq` (extracts `cert`+`key` from the server-cert JSON
+ *  secret); alpine ships it via `apk add` — but pinning the digest avoids
+ *  fetching `:latest` on every deploy. Bump in lockstep with renovate
+ *  alerts; CI verifies the digest resolves. */
+export declare const ALPINE_INIT_CONTAINER_IMAGE = "public.ecr.aws/docker/library/alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d";
 /** EBS device name for the data volume (must match user data script). */
 export declare const CLICKHOUSE_EBS_DEVICE_NAME = "/dev/xvdf";
 /** EBS mount path on the EC2 host. */

package/dist/lib/resources/aws/database/clickhouseConstants.js CHANGED Viewed

@@ -53,6 +53,27 @@ export const CLICKHOUSE_TASK_MEMORY_MIB = 3072;
 export const CLICKHOUSE_HTTP_PORT = 8123;
 export const CLICKHOUSE_NATIVE_PORT = 9000;
 export const CLICKHOUSE_PROMETHEUS_PORT = 9363;
+/** TLS-mode ClickHouse ports.
+ *  HTTPS replaces 8123; secure native protocol replaces 9000.
+ *  See aiDocs/patterns/clickhouse-tls-pattern.md § "The contract". */
+export const CLICKHOUSE_HTTPS_PORT = 8443;
+export const CLICKHOUSE_TCP_SECURE_PORT = 9440;
+/** Mount path inside the main ClickHouse container for the materialised
+ *  TLS cert + key. The init container writes to a shared task-scoped volume
+ *  mounted here read-only on the main container. */
+export const CLICKHOUSE_TLS_CERT_MOUNT_PATH = "/etc/clickhouse-server/certs";
+/** Task-scoped Docker volume name shared between the TLS init container
+ *  (writer) and the main ClickHouse container (reader). */
+export const CLICKHOUSE_TLS_CERT_VOLUME_NAME = "tls-certs";
+/** UID:GID the official ClickHouse image runs as. Init container `chown`s
+ *  the materialised cert files to this UID so the server can read them. */
+export const CLICKHOUSE_UID = 101;
+/** Digest-pinned alpine image used by the TLS init container. The init
+ *  container needs `jq` (extracts `cert`+`key` from the server-cert JSON
+ *  secret); alpine ships it via `apk add` — but pinning the digest avoids
+ *  fetching `:latest` on every deploy. Bump in lockstep with renovate
+ *  alerts; CI verifies the digest resolves. */
+export const ALPINE_INIT_CONTAINER_IMAGE = "public.ecr.aws/docker/library/alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d";
 /** EBS device name for the data volume (must match user data script). */
 export const CLICKHOUSE_EBS_DEVICE_NAME = "/dev/xvdf";
 /** EBS mount path on the EC2 host. */

package/dist/lib/resources/aws/database/clickhouseSecurityGroup.d.ts CHANGED Viewed

@@ -10,5 +10,7 @@ import { SecurityGroup } from "../networking/securityGroup.js";
  *
  * Self-referencing native-port ingress is kept so the optimise/backup
  * scheduled tasks (which share this SG) can reach the ClickHouse server.
+ * Under TLS modes, the secure native port (9440) is the self-referencing
+ * port; under `mode: "none"` the plaintext native port stays.
  */
 export declare function createClickHouseSecurityGroup(scope: Construct, vpc: IVpc, nativePort: number): SecurityGroup;

package/dist/lib/resources/aws/database/clickhouseSecurityGroup.js CHANGED Viewed

@@ -9,6 +9,8 @@ import { SecurityGroup } from "../networking/securityGroup.js";
  *
  * Self-referencing native-port ingress is kept so the optimise/backup
  * scheduled tasks (which share this SG) can reach the ClickHouse server.
+ * Under TLS modes, the secure native port (9440) is the self-referencing
+ * port; under `mode: "none"` the plaintext native port stays.
  */
 export function createClickHouseSecurityGroup(scope, vpc, nativePort) {
     const sg = new SecurityGroup(scope, "ClickHouseSecurityGroup", {

package/dist/lib/resources/aws/database/clickhouseUserData.d.ts CHANGED Viewed

@@ -19,6 +19,27 @@ export interface BuildClickHouseUserDataOptions {
         bucketName: string;
         region: string;
     };
+    /**
+     * When true, the server config emits `<https_port>`, `<tcp_port_secure>`,
+     * and an `<openSSL><server>` block referencing the cert files materialised
+     * at `CLICKHOUSE_TLS_CERT_MOUNT_PATH` by the user-data bootstrap step.
+     * Plaintext `<http_port>` is omitted to avoid mixed-protocol exposure.
+     * Default: false. When true, `caSecretArn` and `serverSecretArn` MUST be
+     * supplied so the bootstrap step can materialise the cert PEMs.
+     */
+    tlsActive?: boolean;
+    /**
+     * Secrets Manager ARN holding the CA cert as raw PEM. Required when
+     * `tlsActive` is true. Fetched at instance boot via the EC2 instance role
+     * and written to `${dataMount}/server-certs/ca.crt`.
+     */
+    caSecretArn?: string;
+    /**
+     * Secrets Manager ARN holding the server cert + key as JSON
+     * `{ "cert": "<pem>", "key": "<pem>" }`. Required when `tlsActive` is true.
+     * Fetched at instance boot and written to `${dataMount}/server-certs/server.{crt,key}`.
+     */
+    serverSecretArn?: string;
 }
 export declare function generateServerConfigXml(options: BuildClickHouseUserDataOptions): string;
 export interface GenerateUsersConfigXmlOptions {

package/dist/lib/resources/aws/database/clickhouseUserData.js CHANGED Viewed

@@ -1,7 +1,8 @@
-import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_PROMETHEUS_PORT, clickHousePasswordSha256Snippet } from "./clickhouseConstants.js";
+import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_HTTPS_PORT, CLICKHOUSE_TCP_SECURE_PORT, CLICKHOUSE_TLS_CERT_MOUNT_PATH, CLICKHOUSE_PROMETHEUS_PORT, clickHousePasswordSha256Snippet } from "./clickhouseConstants.js";
 import { renderUsersXml } from "./clickhouseXmlRenderer.js";
 export function generateServerConfigXml(options) {
     const { backupBucketName, backupBucketRegion, coldTier } = options;
+    const tlsActive = options.tlsActive ?? false;
     const storageBlock = coldTier !== undefined
         ? `    <storage_configuration>
         <!-- Same CH 26 rule as the no-cold-tier branch: a <local_ssd> disk
@@ -145,7 +146,19 @@ export function generateServerConfigXml(options) {
         <number_of_free_entries_in_pool_to_lower_max_size_of_merge>1</number_of_free_entries_in_pool_to_lower_max_size_of_merge>
         <number_of_free_entries_in_pool_to_execute_optimize_entire_partition>1</number_of_free_entries_in_pool_to_execute_optimize_entire_partition>
     </merge_tree>
-    <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>
+${tlsActive
+        ? `    <https_port>${CLICKHOUSE_HTTPS_PORT}</https_port>
+    <tcp_port_secure>${CLICKHOUSE_TCP_SECURE_PORT}</tcp_port_secure>
+    <openSSL>
+        <server>
+            <certificateFile>${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/server.crt</certificateFile>
+            <privateKeyFile>${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/server.key</privateKeyFile>
+            <verificationMode>relaxed</verificationMode>
+            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1</disableProtocols>
+            <preferServerCiphers>true</preferServerCiphers>
+        </server>
+    </openSSL>`
+        : `    <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>`}
     <custom_settings_prefixes>current_</custom_settings_prefixes>
     <!-- HTTP keep-alive window. Must exceed @clickhouse/client idle_socket_ttl (15 s)
          so the client always closes the socket first. Prevents ECONNRESET on reuse. -->
@@ -247,6 +260,38 @@ function compactUserDataScript(script) {
  */
 export function buildClickHouseUserData(options) {
     const serverConfigXml = generateServerConfigXml(options);
+    const tlsActive = options.tlsActive ?? false;
+    if (tlsActive &&
+        (options.caSecretArn === undefined || options.serverSecretArn === undefined)) {
+        throw new Error("buildClickHouseUserData: tlsActive=true requires both caSecretArn and serverSecretArn");
+    }
+    const tlsBootstrap = tlsActive
+        ? `
+# Materialise TLS certs from Secrets Manager. The EC2 instance role carries
+# the secretsmanager:GetSecretValue grant; certs land on the EBS-backed mount
+# at \`$MOUNT_POINT/server-certs/\` and are bind-mounted read-only into the
+# CH container at /etc/clickhouse-server/certs. Cert rotation triggers task
+# replacement via the CA_CERT_SHA256 env on dependent services (the cert
+# generator emits the digest as a CFN Data attribute).
+mkdir -p "$MOUNT_POINT/server-certs"
+# jq is needed to extract cert + key fields from the server bundle JSON.
+# AL2023 ECS-optimised AMIs ship without jq; install it if missing.
+command -v jq >/dev/null 2>&1 || dnf install -y jq || yum install -y jq
+# Fetch CA (raw PEM SecretString). Quoting prevents word-splitting on multi-line PEM.
+CA_PEM=$(aws secretsmanager get-secret-value --secret-id "${options.caSecretArn ?? ""}" --query SecretString --output text)
+printf '%s\\n' "$CA_PEM" > "$MOUNT_POINT/server-certs/ca.crt"
+# Fetch server bundle (JSON { "cert": "<pem>", "key": "<pem>" }).
+SERVER_JSON=$(aws secretsmanager get-secret-value --secret-id "${options.serverSecretArn ?? ""}" --query SecretString --output text)
+printf '%s' "$SERVER_JSON" | jq -r .cert > "$MOUNT_POINT/server-certs/server.crt"
+printf '%s' "$SERVER_JSON" | jq -r .key > "$MOUNT_POINT/server-certs/server.key"
+chown -R 101:101 "$MOUNT_POINT/server-certs"
+chmod 600 "$MOUNT_POINT/server-certs/server.key"
+`
+        : "";
     const script = `#!/bin/bash
 set -euo pipefail
@@ -333,7 +378,7 @@ if [ "$USERS_CONFIG_RETRIEVED" != "1" ]; then
 fi
 chown -R 101:101 "$MOUNT_POINT"
-`;
+${tlsBootstrap}`;
     return compactUserDataScript(script);
 }
 /**

package/dist/lib/resources/aws/database/clickhouseXmlRenderer.d.ts CHANGED Viewed

@@ -45,7 +45,7 @@ export interface RenderUsersXmlOptions {
  *
  * **Schema-admin-only emission.** Only the schema admin lands in the XML.
  * Managed-password workload users are created at runtime by the migration
- * helper (`@fjall/clickhouse-migrations § provisionUsersFromEnv`) — they
+ * helper (`@fjall/clickhouse § provisionUsersFromEnv`) — they
  * authenticate via plaintext from `USER_<NAME>_PASSWORD` env vars at runtime
  * and bind their profiles via customer SQL.
  *

package/dist/lib/resources/aws/database/clickhouseXmlRenderer.js CHANGED Viewed

@@ -73,7 +73,7 @@ ${body}
  *
  * **Schema-admin-only emission.** Only the schema admin lands in the XML.
  * Managed-password workload users are created at runtime by the migration
- * helper (`@fjall/clickhouse-migrations § provisionUsersFromEnv`) — they
+ * helper (`@fjall/clickhouse § provisionUsersFromEnv`) — they
  * authenticate via plaintext from `USER_<NAME>_PASSWORD` env vars at runtime
  * and bind their profiles via customer SQL.
  *

package/dist/lib/resources/aws/secrets/index.d.ts CHANGED Viewed

@@ -2,3 +2,5 @@ export * from "./alias.js";
 export * from "./kms.js";
 export * from "./parameter.js";
 export * from "./secret.js";
+export * from "./tlsCaSecret.js";
+export * from "./tlsServerSecret.js";

package/dist/lib/resources/aws/secrets/index.js CHANGED Viewed

@@ -2,3 +2,5 @@ export * from "./alias.js";
 export * from "./kms.js";
 export * from "./parameter.js";
 export * from "./secret.js";
+export * from "./tlsCaSecret.js";
+export * from "./tlsServerSecret.js";

package/dist/lib/resources/aws/secrets/tlsCaSecret.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { Construct } from "constructs";
+import { Secret } from "./secret.js";
+export interface TlsCaSecretProps {
+    /** Drives the deterministic secret name `fjall-<appName>-clickhouse-tls-ca`. */
+    readonly appName: string;
+}
+/**
+ * ClickHouse TLS CA cert (public — clients pin against this). Retained on
+ * delete so client-side trust anchors survive accidental stack teardown.
+ */
+export declare class TlsCaSecret extends Secret {
+    constructor(scope: Construct, id: string, props: TlsCaSecretProps);
+}

package/dist/lib/resources/aws/secrets/tlsCaSecret.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Secret } from "./secret.js";
+/**
+ * ClickHouse TLS CA cert (public — clients pin against this). Retained on
+ * delete so client-side trust anchors survive accidental stack teardown.
+ */
+export class TlsCaSecret extends Secret {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            secretName: `fjall-${props.appName}-clickhouse-tls-ca`,
+            description: "ClickHouse TLS CA cert (public — clients pin against this)"
+        });
+        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
+    }
+}

package/dist/lib/resources/aws/secrets/tlsServerSecret.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { Construct } from "constructs";
+import { Secret } from "./secret.js";
+export interface TlsServerSecretProps {
+    /** Drives the deterministic secret name `fjall-<appName>-clickhouse-tls-server`. */
+    readonly appName: string;
+}
+/**
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
+ * delete so cert material survives accidental stack teardown; the private
+ * key only leaves Secrets Manager via ECS executionRole + the TLS init
+ * container that materialises it onto the shared volume.
+ */
+export declare class TlsServerSecret extends Secret {
+    constructor(scope: Construct, id: string, props: TlsServerSecretProps);
+}

package/dist/lib/resources/aws/secrets/tlsServerSecret.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Secret } from "./secret.js";
+/**
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
+ * delete so cert material survives accidental stack teardown; the private
+ * key only leaves Secrets Manager via ECS executionRole + the TLS init
+ * container that materialises it onto the shared volume.
+ */
+export class TlsServerSecret extends Secret {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            secretName: `fjall-${props.appName}-clickhouse-tls-server`,
+            description: "ClickHouse TLS server cert + key (JSON: { cert, key })"
+        });
+        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
+    }
+}

package/dist/lib/resources/aws/utilities/index.d.ts CHANGED Viewed

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/index.js CHANGED Viewed

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/tlsCertGenerator.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+export interface TlsCertGeneratorProps {
+    /** Drives the deterministic Secrets Manager names of the two cert secrets. */
+    readonly appName: string;
+    /**
+     * Hostname embedded as CN + SAN dns entry on the leaf cert. Typically the
+     * Cloud Map SRV name the ClickHouse service answers on.
+     */
+    readonly hostname: string;
+    /** CA cert validity in years (default 10). Bumping forces re-issuance on next deploy. */
+    readonly caValidityYears?: number;
+    /** Leaf cert validity in years (default 5). Bumping forces re-issuance on next deploy. */
+    readonly leafValidityYears?: number;
+}
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export declare class TlsCertGenerator extends Construct {
+    readonly caSecret: TlsCaSecret;
+    readonly serverSecret: TlsServerSecret;
+    readonly caCertSha256: string;
+    constructor(scope: Construct, id: string, props: TlsCertGeneratorProps);
+}

package/dist/lib/resources/aws/utilities/tlsCertGenerator.js ADDED Viewed

@@ -0,0 +1,67 @@
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Duration, Stack } from "aws-cdk-lib";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+import { CustomResource } from "./customResource.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Resolves relative to the compiled location too — the build step copies
+ * the asset directory into dist/lib/lambda-assets/cert-generator/asset/,
+ * mirroring the source tree, so the same relative walk works post-build.
+ */
+const LAMBDA_ASSET_DIR = join(__dirname, "../../../lambda-assets/cert-generator/asset");
+const DEFAULT_CA_VALIDITY_YEARS = 10;
+const DEFAULT_LEAF_VALIDITY_YEARS = 5;
+const LAMBDA_TIMEOUT = Duration.minutes(2);
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export class TlsCertGenerator extends Construct {
+    caSecret;
+    serverSecret;
+    caCertSha256;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.caSecret = new TlsCaSecret(this, "Ca", { appName: props.appName });
+        this.serverSecret = new TlsServerSecret(this, "Server", {
+            appName: props.appName
+        });
+        const stack = Stack.of(this);
+        const caSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-ca-*`;
+        const serverSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-server-*`;
+        const writePolicy = new PolicyStatement({
+            effect: Effect.ALLOW,
+            actions: ["secretsmanager:PutSecretValue"],
+            resources: [caSecretArnPattern, serverSecretArnPattern]
+        });
+        const cr = new CustomResource(this, "Generator", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: LAMBDA_TIMEOUT,
+            codePath: LAMBDA_ASSET_DIR,
+            handler: "index.handler",
+            lambdaDescription: `${id} ClickHouse TLS cert generator`,
+            roleDescription: `Execution role for ${id} cert generator (PutSecretValue on two cert secrets)`,
+            inlinePolicy: [writePolicy],
+            properties: {
+                caSecretArn: this.caSecret.secret.secretArn,
+                serverSecretArn: this.serverSecret.secret.secretArn,
+                hostname: props.hostname,
+                caValidityYears: String(props.caValidityYears ?? DEFAULT_CA_VALIDITY_YEARS),
+                leafValidityYears: String(props.leafValidityYears ?? DEFAULT_LEAF_VALIDITY_YEARS)
+            }
+        });
+        this.caCertSha256 = cr.resource.getAttString("CaCertSha256");
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "0.100.0",
+  "version": "1.1.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -33,7 +33,8 @@
   "scripts": {
     "clean": "rm -rf ./dist",
     "clean:node": "rm -rf ./node_modules",
-    "build": "tsc && cp -r lib/layers dist/lib/layers && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
+    "build:cert-gen-lambda": "node lib/lambda-assets/cert-generator/src/build.mjs",
+    "build": "npm run build:cert-gen-lambda && tsc && cp -r lib/layers dist/lib/layers && mkdir -p dist/lib/lambda-assets/cert-generator/asset && cp lib/lambda-assets/cert-generator/asset/index.js dist/lib/lambda-assets/cert-generator/asset/index.js && cp lib/lambda-assets/cert-generator/asset/package.json dist/lib/lambda-assets/cert-generator/asset/package.json && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
     "watch": "tsc -w",
     "watch:only": "tsc -w",
     "test": "vitest run",
@@ -49,6 +50,7 @@
   },
   "devDependencies": {
     "@aws-sdk/client-elastic-load-balancing-v2": "^3.1045.0",
+    "@peculiar/x509": "1.14.0",
     "@types/aws-lambda": "^8.10.161",
     "@types/node": "^25.6.0",
     "@types/uuid": "^11.0.0",
@@ -61,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^0.100.0",
-    "@fjall/util": "^0.100.0",
+    "@fjall/generator": "^1.1.0",
+    "@fjall/util": "^1.1.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -77,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "9eb16c56de49e6757cfd6352ad860dd125c6c21e"
+  "gitHead": "437ec726425bd7610b83a57c12c1a4e1980bbb01"
 }

package/dist/lib/config/aws/__t17fixture.js DELETED Viewed

@@ -1,3 +0,0 @@
-import { Rule } from "aws-cdk-lib/aws-events";
-import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
-console.log(Rule, LambdaFunction);

package/dist/lib/config/aws/__t17fixtureType.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- import { type IRule } from "aws-cdk-lib/aws-events";
2	- export type T = IRule;

package/dist/lib/config/aws/__t17fixtureType.js DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};

package/dist/lib/config/aws/eventBus.d.ts DELETED Viewed

@@ -1,7 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import { Construct } from "constructs";
-export declare class DefaultEventBus extends Construct {
-    readonly defaultEventBusName: CfnOutput;
-    readonly defaultEventBusArn: CfnOutput;
-    constructor(scope: Construct, id: string);
-}

package/dist/lib/config/aws/eventBus.js DELETED Viewed

@@ -1,21 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import * as Events from "aws-cdk-lib/aws-events";
-import { Construct } from "constructs";
-export class DefaultEventBus extends Construct {
-    defaultEventBusName;
-    defaultEventBusArn;
-    constructor(scope, id) {
-        super(scope, id);
-        const eventBridge = Events.EventBus.fromEventBusName(this, "defaultEventBus", "default");
-        this.defaultEventBusName = new CfnOutput(this, "defaultEventBusName", {
-            key: `defaultEventBusName`,
-            value: eventBridge.eventBusName,
-            exportName: "defaultEventBusName"
-        });
-        this.defaultEventBusArn = new CfnOutput(this, "defaultEventBusArn", {
-            key: `defaultEventBusArn`,
-            value: eventBridge.eventBusArn,
-            exportName: "defaultEventBusArn"
-        });
-    }
-}

package/dist/lib/config/aws/identityCenterGroupMembership.d.ts DELETED Viewed

@@ -1,10 +0,0 @@
-import { NestedStack, type StackProps } from "aws-cdk-lib";
-import { type Construct } from "constructs";
-interface IdentityCenterGroupMembershipProps extends StackProps {
-    groupName: string;
-    groupMembers: string[];
-}
-export declare class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope: Construct, id: string, props: IdentityCenterGroupMembershipProps);
-}
-export {};