npm - @fjall/components-infrastructure - Versions diffs - 0.100.0 → 1.1.0 - Mend

@fjall/components-infrastructure 0.100.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/dist/lib/config/aws/identityCenterGroupMembership.js DELETED Viewed

@@ -1,102 +0,0 @@
-import { Fn, NestedStack } from "aws-cdk-lib";
-import * as customResources from "aws-cdk-lib/custom-resources";
-import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResource.js";
-const IDENTITY_STORE_SERVICE = "identityStore";
-const IDENTITY_CENTER_USERS_RESOURCE_TYPE = "Custom::IdentityCenterUsers";
-// TODO: This requires a deletion and recreation to update
-export class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const identityStoreId = Fn.importValue("identityStoreId");
-        const groupId = Fn.importValue(`${props.groupName}GroupId`);
-        for (const member of props.groupMembers) {
-            const memberSuffix = (member.split("@")[0] ?? member)
-                .split(/[^a-zA-Z0-9]/)
-                .filter((part) => part.length > 0)
-                .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-                .join("") +
-                props.groupName.charAt(0).toUpperCase() +
-                props.groupName.slice(1);
-            const listUsersCall = {
-                service: IDENTITY_STORE_SERVICE,
-                action: "listUsers",
-                parameters: {
-                    IdentityStoreId: identityStoreId,
-                    Filters: [
-                        {
-                            AttributePath: "UserName",
-                            AttributeValue: member
-                        }
-                    ]
-                },
-                physicalResourceId: customResources.PhysicalResourceId.of(`listUsers${memberSuffix}`)
-            };
-            const listUser = new AwsCustomResource(this, `ListUsersResource${memberSuffix}`, {
-                onCreate: listUsersCall,
-                onUpdate: listUsersCall
-            });
-            const userId = listUser.getResponseField("Users.0.UserId");
-            const groupMembershipId = new AwsCustomResource(this, `CreateGroupMembershipResource${memberSuffix}`, {
-                onCreate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`createGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const refreshMembership = new AwsCustomResource(this, `RefreshMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`refreshGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const recreateMembership = new AwsCustomResource(this, `RecreateGroupMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`recreateGroupMembership${memberSuffix}`),
-                    // createGroupMembership throws ConflictException when the
-                    // membership already exists — keeps onUpdate idempotent.
-                    ignoreErrorCodesMatching: "ConflictException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            refreshMembership.node.addDependency(recreateMembership);
-            const deleteMembership = new AwsCustomResource(this, `DeleteGroupMembershipResource${memberSuffix}`, {
-                onDelete: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    // deleteGroupMembership throws ResourceNotFoundException when
-                    // the membership is already gone — keeps onDelete idempotent.
-                    ignoreErrorCodesMatching: "ResourceNotFoundException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            deleteMembership.node.addDependency(groupMembershipId);
-        }
-    }
-}

package/dist/lib/config/aws/securityBaseline.d.ts DELETED Viewed

@@ -1,15 +0,0 @@
-import { Construct } from "constructs";
-export interface SecurityBaselineProps {
-    /** Controls which services are instantiated. "off" creates nothing. */
-    level: "off" | "baseline" | "compliance";
-}
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export declare class SecurityBaseline extends Construct {
-    constructor(scope: Construct, id: string, props: SecurityBaselineProps);
-}

package/dist/lib/config/aws/securityBaseline.js DELETED Viewed

@@ -1,27 +0,0 @@
-import { Construct } from "constructs";
-import { GuardDutyDetector } from "./guardDutyDetector.js";
-import { SecurityHubHub } from "./securityHubHub.js";
-import { ConfigRecorder } from "./configRecorder.js";
-import { AccountAccessAnalyser } from "./accessAnalyser.js";
-import { InspectorEnablement } from "./inspectorEnablement.js";
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export class SecurityBaseline extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        if (props.level === "off")
-            return;
-        new GuardDutyDetector(this, "GuardDuty");
-        new SecurityHubHub(this, "SecurityHub");
-        new ConfigRecorder(this, "Config");
-        new AccountAccessAnalyser(this, "AccessAnalyser");
-        if (props.level === "compliance") {
-            new InspectorEnablement(this, "Inspector");
-        }
-    }
-}

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.d.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export {};

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.js DELETED Viewed

@@ -1,4 +0,0 @@
-import { Port } from "aws-cdk-lib/aws-ec2";
-import { PrivateDnsNamespace } from "aws-cdk-lib/aws-servicediscovery";
-const _x = Port.tcp(9000);
-const _y = PrivateDnsNamespace;

package/dist/lib/patterns/aws/managedIdentityCenter.d.ts DELETED Viewed

@@ -1,4 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-export declare class ManagedIdentityCenter extends Stack {
-    constructor(id: string);
-}

package/dist/lib/patterns/aws/managedIdentityCenter.js DELETED Viewed

@@ -1,19 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-import * as fs from "fs";
-import App from "../../app.js";
-import { IdentityCenterGroupMembership } from "../../config/aws/identityCenterGroupMembership.js";
-export class ManagedIdentityCenter extends Stack {
-    constructor(id) {
-        super(App.getInstance(), id);
-        const configFile = fs.readFileSync("../identity-center-config.json", {
-            encoding: "utf8"
-        });
-        const identityCenterConfig = JSON.parse(configFile);
-        identityCenterConfig.forEach((config) => {
-            new IdentityCenterGroupMembership(this, `Managed${config.group}Group`, {
-                groupName: config.group,
-                groupMembers: config.members
-            });
-        });
-    }
-}

package/dist/lib/patterns/aws/subdomainHostedZone.d.ts DELETED Viewed

@@ -1,9 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-export interface subdomainHostedZoneProps {
-    delegatedZone: string;
-    parentHostedZoneName: string;
-    parentAccountName: string;
-}
-export declare class SubdomainHostedZone extends Stack {
-    constructor(id: string, props: subdomainHostedZoneProps);
-}

package/dist/lib/patterns/aws/subdomainHostedZone.js DELETED Viewed

@@ -1,34 +0,0 @@
-import * as route53 from "aws-cdk-lib/aws-route53";
-import { CfnOutput, Stack } from "aws-cdk-lib";
-import { Role } from "../../resources/aws/iam/index.js";
-import getAccountId from "../../utils/getAccountId.js";
-import App from "../../app.js";
-export class SubdomainHostedZone extends Stack {
-    constructor(id, props) {
-        super(App.getInstance(), id);
-        // DelegationRoleArn
-        const delegationRoleArn = Stack.of(this).formatArn({
-            account: getAccountId(props.parentAccountName),
-            region: "",
-            resource: "role",
-            resourceName: `${props.parentHostedZoneName.split(".", 1)}DelegateHostedZoneRole`,
-            service: "iam"
-        });
-        // Delegate Hosted Zone Role
-        const hostedZoneDelegationRole = Role.fromRoleArn(this, "hostedZoneDelegationRole", delegationRoleArn);
-        // Subdomains
-        const delegatedHostedZone = new route53.HostedZone(this, `${props.delegatedZone}HostedZone`, {
-            zoneName: props.delegatedZone
-        });
-        new route53.CrossAccountZoneDelegationRecord(this, `${props.delegatedZone}DelegationRole`, {
-            delegationRole: hostedZoneDelegationRole,
-            delegatedZone: delegatedHostedZone,
-            parentHostedZoneName: props.parentHostedZoneName
-        });
-        new CfnOutput(this, `${props.delegatedZone.split(".").join("")}HostedZoneId`, {
-            key: `${props.delegatedZone.split(".").join("")}HostedZoneId`,
-            value: delegatedHostedZone.hostedZoneId,
-            exportName: `${props.delegatedZone.split(".").join("")}HostedZoneId`
-        });
-    }
-}

package/dist/lib/resources/aws/analytics/clickhouse.d.ts DELETED Viewed

@@ -1,15 +0,0 @@
-import { Connections, type IConnectable } from "aws-cdk-lib/aws-ec2";
-import { Construct } from "constructs";
-import type { ClickHouseProps, ClickHouseOutputs } from "./clickhouseTypes.js";
-/**
- * ClickHouse analytics infrastructure.
- *
- * Creates a single-node ClickHouse instance on ECS EC2 with a dedicated
- * gp3 EBS volume for data persistence. Designed for analytical workloads
- * (cost aggregation, deployment metrics, audit logs) rather than OLTP.
- */
-export default class ClickHouse extends Construct implements IConnectable {
-    readonly connections: Connections;
-    readonly outputs: ClickHouseOutputs;
-    constructor(scope: Construct, id: string, props: ClickHouseProps);
-}

package/dist/lib/resources/aws/analytics/clickhouse.js DELETED Viewed

@@ -1,310 +0,0 @@
-import { Cluster, Ec2TaskDefinition, NetworkMode, ContainerImage, LogDriver, AsgCapacityProvider, EcsOptimizedImage, Ec2Service, Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
-import { ScheduledEc2Task } from "aws-cdk-lib/aws-ecs-patterns";
-import { Schedule } from "aws-cdk-lib/aws-applicationautoscaling";
-import { InstanceType, SubnetType, Connections, Port, UserData } from "aws-cdk-lib/aws-ec2";
-import { AutoScalingGroup, Monitoring, BlockDeviceVolume, EbsDeviceVolumeType } from "aws-cdk-lib/aws-autoscaling";
-import { Duration, Stack } from "aws-cdk-lib";
-import { Construct } from "constructs";
-import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
-import { S3Bucket } from "../storage/s3.js";
-import { Secret } from "../secrets/secret.js";
-import { vpcHasNatGateways } from "../../../utils/vpcUtils.js";
-import { inferAmiHardwareType } from "../compute/ecsConstants.js";
-import { createClickHouseSecurityGroup } from "./clickhouseSecurityGroup.js";
-import { generateClickHouseUserData } from "./clickhouseUserData.js";
-import { createClickHouseAlarms } from "./clickhouseAlarms.js";
-import { CLICKHOUSE_CLUSTER_NAME, DEFAULT_CLICKHOUSE_INSTANCE_TYPE, CLICKHOUSE_IMAGE, CLICKHOUSE_EBS_VOLUME_SIZE_GB, CLICKHOUSE_EBS_IOPS, CLICKHOUSE_EBS_THROUGHPUT_MBPS, CLICKHOUSE_TASK_MEMORY_MIB, CLICKHOUSE_TASK_CPU_UNITS, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_NATIVE_PORT, CLICKHOUSE_PROMETHEUS_PORT, CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_SECRETS_PREFIX, CLICKHOUSE_SECRET_NAMES, CLICKHOUSE_SECRET_OPTIONS, CLICKHOUSE_HEALTH_CHECK, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, OPTIMISE_FINAL_SCHEDULE, REPLACING_MERGE_TREE_TABLES, OPTIMISE_MV_TABLES, CLICKHOUSE_CLOUDMAP_NAMESPACE, CLICKHOUSE_CLOUDMAP_SERVICE_NAME, OPTIMISE_TASK_MEMORY_MIB, OPTIMISE_TASK_CPU_UNITS, BACKUP_SCHEDULE, BACKUP_TASK_MEMORY_MIB, BACKUP_TASK_CPU_UNITS, BACKUP_RETENTION_DAYS } from "./clickhouseConstants.js";
-function createClickHouseSecret(scope, id, secretKey, description) {
-    return new Secret(scope, id, {
-        secretName: `${CLICKHOUSE_SECRETS_PREFIX}/${secretKey}`,
-        description,
-        generateSecretString: CLICKHOUSE_SECRET_OPTIONS
-    });
-}
-/**
- * ClickHouse analytics infrastructure.
- *
- * Creates a single-node ClickHouse instance on ECS EC2 with a dedicated
- * gp3 EBS volume for data persistence. Designed for analytical workloads
- * (cost aggregation, deployment metrics, audit logs) rather than OLTP.
- */
-export default class ClickHouse extends Construct {
-    connections;
-    outputs;
-    constructor(scope, id, props) {
-        super(scope, id);
-        const contextValue = this.node.tryGetContext("clickhouseInstanceType");
-        const instanceType = (typeof contextValue === "string" ? contextValue : undefined) ??
-            props.instanceType ??
-            DEFAULT_CLICKHOUSE_INSTANCE_TYPE;
-        // 1. Security group
-        const securityGroup = createClickHouseSecurityGroup(this, props.vpc, props.webappSecurityGroup);
-        // 2. Secrets Manager secrets (auto-generated passwords)
-        const appPasswordSecret = createClickHouseSecret(this, "ClickHouseAppPassword", CLICKHOUSE_SECRET_NAMES.APP_PASSWORD, "ClickHouse application user password");
-        const auditPasswordSecret = createClickHouseSecret(this, "ClickHouseAuditPassword", CLICKHOUSE_SECRET_NAMES.AUDIT_PASSWORD, "ClickHouse audit user password");
-        const backupPasswordSecret = createClickHouseSecret(this, "ClickHouseBackupPassword", CLICKHOUSE_SECRET_NAMES.BACKUP_PASSWORD, "ClickHouse backup user password");
-        const schemaPasswordSecret = createClickHouseSecret(this, "ClickHouseSchemaPassword", CLICKHOUSE_SECRET_NAMES.SCHEMA_PASSWORD, "ClickHouse schema migration user password");
-        // 3. ECS cluster with Cloud Map namespace for service discovery
-        const cluster = new Cluster(this, "ClickHouseCluster", {
-            clusterName: CLICKHOUSE_CLUSTER_NAME,
-            vpc: props.vpc,
-            defaultCloudMapNamespace: {
-                name: CLICKHOUSE_CLOUDMAP_NAMESPACE,
-                vpc: props.vpc
-            }
-        });
-        // 4. Auto Scaling Group with gp3 EBS volume
-        const amiHardwareType = inferAmiHardwareType(instanceType);
-        const hasNat = vpcHasNatGateways(props.vpc);
-        const subnetType = hasNat
-            ? SubnetType.PRIVATE_WITH_EGRESS
-            : SubnetType.PUBLIC;
-        const userData = UserData.custom(generateClickHouseUserData({
-            cfAccountId: props.r2Config?.accountId
-        }));
-        const asg = new AutoScalingGroup(this, "ClickHouseAsg", {
-            autoScalingGroupName: `${CLICKHOUSE_CLUSTER_NAME}-asg`,
-            vpc: props.vpc,
-            vpcSubnets: {
-                subnetType
-            },
-            securityGroup,
-            minCapacity: 1,
-            maxCapacity: 1,
-            desiredCapacity: 1,
-            instanceType: new InstanceType(instanceType),
-            machineImage: EcsOptimizedImage.amazonLinux2023(amiHardwareType),
-            instanceMonitoring: Monitoring.BASIC,
-            blockDevices: [
-                {
-                    deviceName: CLICKHOUSE_EBS_DEVICE_NAME,
-                    volume: BlockDeviceVolume.ebs(CLICKHOUSE_EBS_VOLUME_SIZE_GB, {
-                        volumeType: EbsDeviceVolumeType.GP3,
-                        iops: CLICKHOUSE_EBS_IOPS,
-                        throughput: CLICKHOUSE_EBS_THROUGHPUT_MBPS,
-                        encrypted: true
-                    })
-                }
-            ],
-            userData
-        });
-        // 5. Capacity provider
-        const capacityProvider = new AsgCapacityProvider(this, "ClickHouseCapacityProvider", {
-            autoScalingGroup: asg,
-            enableManagedDraining: true,
-            enableManagedTerminationProtection: false
-        });
-        cluster.addAsgCapacityProvider(capacityProvider);
-        // 6. Task definition with bind mount for EBS volume
-        const taskDefinition = new Ec2TaskDefinition(this, "ClickHouseTaskDefinition", {
-            family: CLICKHOUSE_CLUSTER_NAME,
-            networkMode: NetworkMode.AWS_VPC
-        });
-        taskDefinition.addVolume({
-            name: "clickhouse-data",
-            host: {
-                sourcePath: CLICKHOUSE_DATA_MOUNT_PATH
-            }
-        });
-        taskDefinition.addVolume({
-            name: "clickhouse-config",
-            host: {
-                sourcePath: `${CLICKHOUSE_DATA_MOUNT_PATH}/${CLICKHOUSE_CONFIG_SUBDIR}`
-            }
-        });
-        taskDefinition.addVolume({
-            name: "clickhouse-users",
-            host: {
-                sourcePath: `${CLICKHOUSE_DATA_MOUNT_PATH}/${CLICKHOUSE_USERS_SUBDIR}`
-            }
-        });
-        // 7. Container
-        const container = taskDefinition.addContainer("clickhouse", {
-            image: ContainerImage.fromRegistry(CLICKHOUSE_IMAGE),
-            memoryLimitMiB: CLICKHOUSE_TASK_MEMORY_MIB,
-            cpu: CLICKHOUSE_TASK_CPU_UNITS,
-            logging: LogDriver.awsLogs({
-                streamPrefix: "clickhouse",
-                logRetention: RetentionDays.TWO_WEEKS
-            }),
-            healthCheck: {
-                command: [
-                    "CMD-SHELL",
-                    `curl -f http://localhost:${CLICKHOUSE_HTTP_PORT}/?query=SELECT%201 || exit 1`
-                ],
-                interval: Duration.seconds(CLICKHOUSE_HEALTH_CHECK.INTERVAL_SECONDS),
-                timeout: Duration.seconds(CLICKHOUSE_HEALTH_CHECK.TIMEOUT_SECONDS),
-                retries: CLICKHOUSE_HEALTH_CHECK.RETRIES,
-                startPeriod: Duration.seconds(CLICKHOUSE_HEALTH_CHECK.START_PERIOD_SECONDS)
-            },
-            secrets: {
-                CLICKHOUSE_APP_PASSWORD: EcsSecret.fromSecretsManager(appPasswordSecret.secret),
-                CLICKHOUSE_AUDIT_PASSWORD: EcsSecret.fromSecretsManager(auditPasswordSecret.secret),
-                ...(props.r2Config
-                    ? {
-                        R2_ACCESS_KEY: EcsSecret.fromSecretsManager(props.r2Config.accessKeySecret),
-                        R2_SECRET_KEY: EcsSecret.fromSecretsManager(props.r2Config.secretKeySecret)
-                    }
-                    : {})
-            },
-            portMappings: [
-                { containerPort: CLICKHOUSE_HTTP_PORT, hostPort: CLICKHOUSE_HTTP_PORT },
-                {
-                    containerPort: CLICKHOUSE_NATIVE_PORT,
-                    hostPort: CLICKHOUSE_NATIVE_PORT
-                },
-                {
-                    containerPort: CLICKHOUSE_PROMETHEUS_PORT,
-                    hostPort: CLICKHOUSE_PROMETHEUS_PORT
-                }
-            ]
-        });
-        container.addMountPoints({
-            sourceVolume: "clickhouse-data",
-            containerPath: "/var/lib/clickhouse",
-            readOnly: false
-        }, {
-            sourceVolume: "clickhouse-config",
-            containerPath: "/etc/clickhouse-server/config.d",
-            readOnly: true
-        }, {
-            sourceVolume: "clickhouse-users",
-            containerPath: "/etc/clickhouse-server/users.d",
-            readOnly: true
-        });
-        // 8. ECS service with Cloud Map registration for optimise task discovery
-        const clickHouseHost = `${CLICKHOUSE_CLOUDMAP_SERVICE_NAME}.${CLICKHOUSE_CLOUDMAP_NAMESPACE}`;
-        new Ec2Service(this, "ClickHouseService", {
-            cluster,
-            taskDefinition,
-            desiredCount: 1,
-            capacityProviderStrategies: [
-                {
-                    capacityProvider: capacityProvider.capacityProviderName,
-                    weight: 1
-                }
-            ],
-            circuitBreaker: { rollback: true },
-            cloudMapOptions: {
-                name: CLICKHOUSE_CLOUDMAP_SERVICE_NAME
-            }
-        });
-        // 9. Scheduled OPTIMIZE TABLE FINAL task (deduplicates ReplacingMergeTree tables)
-        const optimiseQuery = [
-            ...REPLACING_MERGE_TREE_TABLES.map((table) => `OPTIMIZE TABLE analytics.${table} FINAL`),
-            ...OPTIMISE_MV_TABLES.map((table) => `OPTIMIZE TABLE analytics.${table}`)
-        ].join("; ");
-        new ScheduledEc2Task(this, "ClickHouseOptimiseTask", {
-            cluster,
-            schedule: Schedule.expression(OPTIMISE_FINAL_SCHEDULE),
-            scheduledEc2TaskImageOptions: {
-                image: ContainerImage.fromRegistry(CLICKHOUSE_IMAGE),
-                memoryLimitMiB: OPTIMISE_TASK_MEMORY_MIB,
-                cpu: OPTIMISE_TASK_CPU_UNITS,
-                command: [
-                    "clickhouse-client",
-                    "--host",
-                    clickHouseHost,
-                    "--port",
-                    String(CLICKHOUSE_NATIVE_PORT),
-                    "--user",
-                    "schema_admin",
-                    "--query",
-                    `${optimiseQuery};`
-                ],
-                secrets: {
-                    CLICKHOUSE_PASSWORD: EcsSecret.fromSecretsManager(schemaPasswordSecret.secret)
-                },
-                logDriver: LogDriver.awsLogs({
-                    streamPrefix: "clickhouse-optimise",
-                    logRetention: RetentionDays.ONE_WEEK
-                })
-            },
-            securityGroups: [securityGroup],
-            subnetSelection: {
-                subnetType
-            }
-        });
-        // 10. S3 bucket for weekly backups
-        const backupBucket = new S3Bucket(this, "ClickHouseBackupBucket", {
-            versioned: true,
-            lifecycleRules: [
-                {
-                    enabled: true,
-                    expiration: Duration.days(BACKUP_RETENTION_DAYS),
-                    noncurrentVersionExpiration: Duration.days(BACKUP_RETENTION_DAYS)
-                }
-            ]
-        });
-        // 11. Scheduled weekly backup to S3
-        const backupDestUrl = `https://${backupBucket.bucketName}.s3.${Stack.of(this).region}.amazonaws.com/`;
-        const backupTaskLogGroup = new LogGroup(this, "ClickHouseBackupTaskLogGroup", {
-            retention: RetentionDays.TWO_WEEKS
-        });
-        new ScheduledEc2Task(this, "ClickHouseBackupTask", {
-            cluster,
-            schedule: Schedule.expression(BACKUP_SCHEDULE),
-            scheduledEc2TaskImageOptions: {
-                image: ContainerImage.fromRegistry(CLICKHOUSE_IMAGE),
-                memoryLimitMiB: BACKUP_TASK_MEMORY_MIB,
-                cpu: BACKUP_TASK_CPU_UNITS,
-                command: [
-                    "sh",
-                    "-c",
-                    `STAMP=$(date +%Y%m%d-%H%M%S) && clickhouse-client --host ${clickHouseHost} --port ${CLICKHOUSE_NATIVE_PORT} --user backup_reader --password "$CLICKHOUSE_BACKUP_PASSWORD" --query "BACKUP DATABASE analytics TO S3('${backupDestUrl}weekly-$STAMP/')"`
-                ],
-                secrets: {
-                    CLICKHOUSE_BACKUP_PASSWORD: EcsSecret.fromSecretsManager(backupPasswordSecret.secret)
-                },
-                logDriver: LogDriver.awsLogs({
-                    streamPrefix: "clickhouse-backup",
-                    logGroup: backupTaskLogGroup
-                })
-            },
-            securityGroups: [securityGroup],
-            subnetSelection: {
-                subnetType
-            }
-        });
-        // BACKUP DATABASE TO S3 runs inside the ClickHouse server process on the
-        // ASG instance, not the ephemeral backup task; the grant must therefore
-        // attach to the ASG instance role, not the task role.
-        backupBucket.grantReadWrite(asg.role);
-        // 12. Grant secret read to execution role
-        const executionRole = taskDefinition.executionRole;
-        if (!executionRole) {
-            throw new Error("ClickHouse task definition has no execution role — cannot grant secret access");
-        }
-        appPasswordSecret.secret.grantRead(executionRole);
-        auditPasswordSecret.secret.grantRead(executionRole);
-        backupPasswordSecret.secret.grantRead(executionRole);
-        schemaPasswordSecret.secret.grantRead(executionRole);
-        if (props.alarmTopic) {
-            if (!props.webappLogGroup) {
-                throw new Error("ClickHouse: alarmTopic requires webappLogGroup so the stuck-merge metric filter can be wired.");
-            }
-            createClickHouseAlarms({
-                scope: this,
-                asg,
-                alarmTopic: props.alarmTopic,
-                webappLogGroup: props.webappLogGroup,
-                backupTaskLogGroup
-            });
-        }
-        // 13. Connections and outputs
-        this.connections = new Connections({
-            securityGroups: [securityGroup],
-            defaultPort: Port.tcp(CLICKHOUSE_HTTP_PORT)
-        });
-        this.outputs = {
-            securityGroup,
-            backupBucket,
-            secrets: {
-                appPassword: appPasswordSecret.secret,
-                auditPassword: auditPasswordSecret.secret,
-                backupPassword: backupPasswordSecret.secret,
-                schemaPassword: schemaPasswordSecret.secret
-            }
-        };
-    }
-}

package/dist/lib/resources/aws/analytics/clickhouseAlarms.d.ts DELETED Viewed

@@ -1,49 +0,0 @@
-import { Alarm } from "aws-cdk-lib/aws-cloudwatch";
-import type { AutoScalingGroup } from "aws-cdk-lib/aws-autoscaling";
-import type { ITopic } from "aws-cdk-lib/aws-sns";
-import type { ILogGroup } from "aws-cdk-lib/aws-logs";
-import type { Construct } from "constructs";
-export interface ClickHouseAlarmThresholds {
-    /** EC2 host CPU % over 5 min. Default 90. */
-    cpuThreshold?: number;
-    /** EC2 host memory % over 5 min (requires CWAgent). Default 80. */
-    memoryThreshold?: number;
-    /** EBS root-volume disk % used. Default 70 (warn) — paired with critical at 85. */
-    diskWarnThreshold?: number;
-    /** EBS root-volume disk % used. Default 85. */
-    diskCriticalThreshold?: number;
-}
-export interface ClickHouseAlarmsProps {
-    scope: Construct;
-    asg: AutoScalingGroup;
-    alarmTopic: ITopic;
-    /**
-     * Webapp log group. Required to wire the stuck-merge alarm — `client.ts`
-     * emits `serverLogger.warn("ClickHouse", "Stuck merge detected")` when
-     * `system.merges` shows a merge elapsed > 30 min.
-     */
-    webappLogGroup: ILogGroup;
-    /**
-     * Backup-task log group. Required to wire the backup-failure alarm —
-     * `BACKUP DATABASE … TO S3(…)` emits `AccessDenied` / `S3Exception` lines
-     * when the IAM grant or bucket policy is misconfigured (silent before the
-     * alarm landed; the daily backup task exited non-zero with no signal).
-     */
-    backupTaskLogGroup: ILogGroup;
-    config?: ClickHouseAlarmThresholds;
-}
-/**
- * Single-node ClickHouse posture alarms. Covers host-level CPU + (optional)
- * memory and disk via the CloudWatch Agent metric namespace `CWAgent`, plus
- * two log-driven alarms:
- *
- * - **Stuck merges** — `client.ts` polls `system.merges` every 5 min and logs
- *   `serverLogger.warn("ClickHouse", "Stuck merge detected")` when elapsed
- *   exceeds 30 min. The metric filter on the webapp log group emits a count
- *   metric per match; the alarm fires on Sum >= 1 over 5 min × 2 evaluations.
- * - **Backup failures** — `AccessDenied` or `S3Exception` from the backup
- *   task's BACKUP DATABASE TO S3 statement. Closes the silent-failure mode
- *   that masked the original IAM-grant misconfiguration (see
- *   `designs/2026-04-27-clickhouse-backup-iam-role.md`).
- */
-export declare function createClickHouseAlarms(props: ClickHouseAlarmsProps): Alarm[];