@fjall/components-infrastructure 0.102.0 → 1.1.0

package/dist/lib/resources/aws/secrets/tlsServerSecret.js

@@ -0,0 +1,17 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Secret } from "./secret.js";
+/**
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
+ * delete so cert material survives accidental stack teardown; the private
+ * key only leaves Secrets Manager via ECS executionRole + the TLS init
+ * container that materialises it onto the shared volume.
+ */
+export class TlsServerSecret extends Secret {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            secretName: `fjall-${props.appName}-clickhouse-tls-server`,
+            description: "ClickHouse TLS server cert + key (JSON: { cert, key })"
+        });
+        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
+    }
+}

package/dist/lib/resources/aws/utilities/index.d.ts

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/index.js

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/tlsCertGenerator.d.ts

@@ -0,0 +1,33 @@
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+export interface TlsCertGeneratorProps {
+    /** Drives the deterministic Secrets Manager names of the two cert secrets. */
+    readonly appName: string;
+    /**
+     * Hostname embedded as CN + SAN dns entry on the leaf cert. Typically the
+     * Cloud Map SRV name the ClickHouse service answers on.
+     */
+    readonly hostname: string;
+    /** CA cert validity in years (default 10). Bumping forces re-issuance on next deploy. */
+    readonly caValidityYears?: number;
+    /** Leaf cert validity in years (default 5). Bumping forces re-issuance on next deploy. */
+    readonly leafValidityYears?: number;
+}
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export declare class TlsCertGenerator extends Construct {
+    readonly caSecret: TlsCaSecret;
+    readonly serverSecret: TlsServerSecret;
+    readonly caCertSha256: string;
+    constructor(scope: Construct, id: string, props: TlsCertGeneratorProps);
+}

package/dist/lib/resources/aws/utilities/tlsCertGenerator.js

@@ -0,0 +1,67 @@
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Duration, Stack } from "aws-cdk-lib";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+import { CustomResource } from "./customResource.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Resolves relative to the compiled location too — the build step copies
+ * the asset directory into dist/lib/lambda-assets/cert-generator/asset/,
+ * mirroring the source tree, so the same relative walk works post-build.
+ */
+const LAMBDA_ASSET_DIR = join(__dirname, "../../../lambda-assets/cert-generator/asset");
+const DEFAULT_CA_VALIDITY_YEARS = 10;
+const DEFAULT_LEAF_VALIDITY_YEARS = 5;
+const LAMBDA_TIMEOUT = Duration.minutes(2);
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export class TlsCertGenerator extends Construct {
+    caSecret;
+    serverSecret;
+    caCertSha256;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.caSecret = new TlsCaSecret(this, "Ca", { appName: props.appName });
+        this.serverSecret = new TlsServerSecret(this, "Server", {
+            appName: props.appName
+        });
+        const stack = Stack.of(this);
+        const caSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-ca-*`;
+        const serverSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-server-*`;
+        const writePolicy = new PolicyStatement({
+            effect: Effect.ALLOW,
+            actions: ["secretsmanager:PutSecretValue"],
+            resources: [caSecretArnPattern, serverSecretArnPattern]
+        });
+        const cr = new CustomResource(this, "Generator", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: LAMBDA_TIMEOUT,
+            codePath: LAMBDA_ASSET_DIR,
+            handler: "index.handler",
+            lambdaDescription: `${id} ClickHouse TLS cert generator`,
+            roleDescription: `Execution role for ${id} cert generator (PutSecretValue on two cert secrets)`,
+            inlinePolicy: [writePolicy],
+            properties: {
+                caSecretArn: this.caSecret.secret.secretArn,
+                serverSecretArn: this.serverSecret.secret.secretArn,
+                hostname: props.hostname,
+                caValidityYears: String(props.caValidityYears ?? DEFAULT_CA_VALIDITY_YEARS),
+                leafValidityYears: String(props.leafValidityYears ?? DEFAULT_LEAF_VALIDITY_YEARS)
+            }
+        });
+        this.caCertSha256 = cr.resource.getAttString("CaCertSha256");
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "0.102.0",
+  "version": "1.1.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -33,7 +33,8 @@
   "scripts": {
     "clean": "rm -rf ./dist",
     "clean:node": "rm -rf ./node_modules",
-    "build": "tsc && cp -r lib/layers dist/lib/layers && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
+    "build:cert-gen-lambda": "node lib/lambda-assets/cert-generator/src/build.mjs",
+    "build": "npm run build:cert-gen-lambda && tsc && cp -r lib/layers dist/lib/layers && mkdir -p dist/lib/lambda-assets/cert-generator/asset && cp lib/lambda-assets/cert-generator/asset/index.js dist/lib/lambda-assets/cert-generator/asset/index.js && cp lib/lambda-assets/cert-generator/asset/package.json dist/lib/lambda-assets/cert-generator/asset/package.json && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
     "watch": "tsc -w",
     "watch:only": "tsc -w",
     "test": "vitest run",
@@ -49,6 +50,7 @@
   },
   "devDependencies": {
     "@aws-sdk/client-elastic-load-balancing-v2": "^3.1045.0",
+    "@peculiar/x509": "1.14.0",
     "@types/aws-lambda": "^8.10.161",
     "@types/node": "^25.6.0",
     "@types/uuid": "^11.0.0",
@@ -61,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^0.102.0",
-    "@fjall/util": "^0.102.0",
+    "@fjall/generator": "^1.1.0",
+    "@fjall/util": "^1.1.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -77,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "04a4f13181c261cc063786eae527fa82c90a610e"
+  "gitHead": "437ec726425bd7610b83a57c12c1a4e1980bbb01"
 }

package/dist/lib/config/aws/__t17fixture.js

@@ -1,3 +0,0 @@
-import { Rule } from "aws-cdk-lib/aws-events";
-import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
-console.log(Rule, LambdaFunction);

package/dist/lib/config/aws/__t17fixtureType.d.ts

@@ -1,2 +0,0 @@
-import { type IRule } from "aws-cdk-lib/aws-events";
-export type T = IRule;

package/dist/lib/config/aws/__t17fixtureType.js

@@ -1 +0,0 @@
-export {};

package/dist/lib/config/aws/eventBus.d.ts

@@ -1,7 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import { Construct } from "constructs";
-export declare class DefaultEventBus extends Construct {
-    readonly defaultEventBusName: CfnOutput;
-    readonly defaultEventBusArn: CfnOutput;
-    constructor(scope: Construct, id: string);
-}

package/dist/lib/config/aws/eventBus.js

@@ -1,21 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import * as Events from "aws-cdk-lib/aws-events";
-import { Construct } from "constructs";
-export class DefaultEventBus extends Construct {
-    defaultEventBusName;
-    defaultEventBusArn;
-    constructor(scope, id) {
-        super(scope, id);
-        const eventBridge = Events.EventBus.fromEventBusName(this, "defaultEventBus", "default");
-        this.defaultEventBusName = new CfnOutput(this, "defaultEventBusName", {
-            key: `defaultEventBusName`,
-            value: eventBridge.eventBusName,
-            exportName: "defaultEventBusName"
-        });
-        this.defaultEventBusArn = new CfnOutput(this, "defaultEventBusArn", {
-            key: `defaultEventBusArn`,
-            value: eventBridge.eventBusArn,
-            exportName: "defaultEventBusArn"
-        });
-    }
-}

package/dist/lib/config/aws/identityCenterGroupMembership.d.ts

@@ -1,10 +0,0 @@
-import { NestedStack, type StackProps } from "aws-cdk-lib";
-import { type Construct } from "constructs";
-interface IdentityCenterGroupMembershipProps extends StackProps {
-    groupName: string;
-    groupMembers: string[];
-}
-export declare class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope: Construct, id: string, props: IdentityCenterGroupMembershipProps);
-}
-export {};

package/dist/lib/config/aws/identityCenterGroupMembership.js

@@ -1,102 +0,0 @@
-import { Fn, NestedStack } from "aws-cdk-lib";
-import * as customResources from "aws-cdk-lib/custom-resources";
-import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResource.js";
-const IDENTITY_STORE_SERVICE = "identityStore";
-const IDENTITY_CENTER_USERS_RESOURCE_TYPE = "Custom::IdentityCenterUsers";
-// TODO: This requires a deletion and recreation to update
-export class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const identityStoreId = Fn.importValue("identityStoreId");
-        const groupId = Fn.importValue(`${props.groupName}GroupId`);
-        for (const member of props.groupMembers) {
-            const memberSuffix = (member.split("@")[0] ?? member)
-                .split(/[^a-zA-Z0-9]/)
-                .filter((part) => part.length > 0)
-                .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-                .join("") +
-                props.groupName.charAt(0).toUpperCase() +
-                props.groupName.slice(1);
-            const listUsersCall = {
-                service: IDENTITY_STORE_SERVICE,
-                action: "listUsers",
-                parameters: {
-                    IdentityStoreId: identityStoreId,
-                    Filters: [
-                        {
-                            AttributePath: "UserName",
-                            AttributeValue: member
-                        }
-                    ]
-                },
-                physicalResourceId: customResources.PhysicalResourceId.of(`listUsers${memberSuffix}`)
-            };
-            const listUser = new AwsCustomResource(this, `ListUsersResource${memberSuffix}`, {
-                onCreate: listUsersCall,
-                onUpdate: listUsersCall
-            });
-            const userId = listUser.getResponseField("Users.0.UserId");
-            const groupMembershipId = new AwsCustomResource(this, `CreateGroupMembershipResource${memberSuffix}`, {
-                onCreate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`createGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const refreshMembership = new AwsCustomResource(this, `RefreshMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`refreshGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const recreateMembership = new AwsCustomResource(this, `RecreateGroupMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`recreateGroupMembership${memberSuffix}`),
-                    // createGroupMembership throws ConflictException when the
-                    // membership already exists — keeps onUpdate idempotent.
-                    ignoreErrorCodesMatching: "ConflictException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            refreshMembership.node.addDependency(recreateMembership);
-            const deleteMembership = new AwsCustomResource(this, `DeleteGroupMembershipResource${memberSuffix}`, {
-                onDelete: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    // deleteGroupMembership throws ResourceNotFoundException when
-                    // the membership is already gone — keeps onDelete idempotent.
-                    ignoreErrorCodesMatching: "ResourceNotFoundException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            deleteMembership.node.addDependency(groupMembershipId);
-        }
-    }
-}

package/dist/lib/config/aws/securityBaseline.d.ts

@@ -1,15 +0,0 @@
-import { Construct } from "constructs";
-export interface SecurityBaselineProps {
-    /** Controls which services are instantiated. "off" creates nothing. */
-    level: "off" | "baseline" | "compliance";
-}
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export declare class SecurityBaseline extends Construct {
-    constructor(scope: Construct, id: string, props: SecurityBaselineProps);
-}

package/dist/lib/config/aws/securityBaseline.js

@@ -1,27 +0,0 @@
-import { Construct } from "constructs";
-import { GuardDutyDetector } from "./guardDutyDetector.js";
-import { SecurityHubHub } from "./securityHubHub.js";
-import { ConfigRecorder } from "./configRecorder.js";
-import { AccountAccessAnalyser } from "./accessAnalyser.js";
-import { InspectorEnablement } from "./inspectorEnablement.js";
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export class SecurityBaseline extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        if (props.level === "off")
-            return;
-        new GuardDutyDetector(this, "GuardDuty");
-        new SecurityHubHub(this, "SecurityHub");
-        new ConfigRecorder(this, "Config");
-        new AccountAccessAnalyser(this, "AccessAnalyser");
-        if (props.level === "compliance") {
-            new InspectorEnablement(this, "Inspector");
-        }
-    }
-}

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.js

@@ -1,4 +0,0 @@
-import { Port } from "aws-cdk-lib/aws-ec2";
-import { PrivateDnsNamespace } from "aws-cdk-lib/aws-servicediscovery";
-const _x = Port.tcp(9000);
-const _y = PrivateDnsNamespace;

package/dist/lib/patterns/aws/managedIdentityCenter.d.ts

@@ -1,4 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-export declare class ManagedIdentityCenter extends Stack {
-    constructor(id: string);
-}

package/dist/lib/patterns/aws/managedIdentityCenter.js

@@ -1,19 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-import * as fs from "fs";
-import App from "../../app.js";
-import { IdentityCenterGroupMembership } from "../../config/aws/identityCenterGroupMembership.js";
-export class ManagedIdentityCenter extends Stack {
-    constructor(id) {
-        super(App.getInstance(), id);
-        const configFile = fs.readFileSync("../identity-center-config.json", {
-            encoding: "utf8"
-        });
-        const identityCenterConfig = JSON.parse(configFile);
-        identityCenterConfig.forEach((config) => {
-            new IdentityCenterGroupMembership(this, `Managed${config.group}Group`, {
-                groupName: config.group,
-                groupMembers: config.members
-            });
-        });
-    }
-}

package/dist/lib/patterns/aws/subdomainHostedZone.d.ts

@@ -1,9 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-export interface subdomainHostedZoneProps {
-    delegatedZone: string;
-    parentHostedZoneName: string;
-    parentAccountName: string;
-}
-export declare class SubdomainHostedZone extends Stack {
-    constructor(id: string, props: subdomainHostedZoneProps);
-}

package/dist/lib/patterns/aws/subdomainHostedZone.js

@@ -1,34 +0,0 @@
-import * as route53 from "aws-cdk-lib/aws-route53";
-import { CfnOutput, Stack } from "aws-cdk-lib";
-import { Role } from "../../resources/aws/iam/index.js";
-import getAccountId from "../../utils/getAccountId.js";
-import App from "../../app.js";
-export class SubdomainHostedZone extends Stack {
-    constructor(id, props) {
-        super(App.getInstance(), id);
-        // DelegationRoleArn
-        const delegationRoleArn = Stack.of(this).formatArn({
-            account: getAccountId(props.parentAccountName),
-            region: "",
-            resource: "role",
-            resourceName: `${props.parentHostedZoneName.split(".", 1)}DelegateHostedZoneRole`,
-            service: "iam"
-        });
-        // Delegate Hosted Zone Role
-        const hostedZoneDelegationRole = Role.fromRoleArn(this, "hostedZoneDelegationRole", delegationRoleArn);
-        // Subdomains
-        const delegatedHostedZone = new route53.HostedZone(this, `${props.delegatedZone}HostedZone`, {
-            zoneName: props.delegatedZone
-        });
-        new route53.CrossAccountZoneDelegationRecord(this, `${props.delegatedZone}DelegationRole`, {
-            delegationRole: hostedZoneDelegationRole,
-            delegatedZone: delegatedHostedZone,
-            parentHostedZoneName: props.parentHostedZoneName
-        });
-        new CfnOutput(this, `${props.delegatedZone.split(".").join("")}HostedZoneId`, {
-            key: `${props.delegatedZone.split(".").join("")}HostedZoneId`,
-            value: delegatedHostedZone.hostedZoneId,
-            exportName: `${props.delegatedZone.split(".").join("")}HostedZoneId`
-        });
-    }
-}

package/dist/lib/resources/aws/analytics/clickhouse.d.ts

@@ -1,15 +0,0 @@
-import { Connections, type IConnectable } from "aws-cdk-lib/aws-ec2";
-import { Construct } from "constructs";
-import type { ClickHouseProps, ClickHouseOutputs } from "./clickhouseTypes.js";
-/**
- * ClickHouse analytics infrastructure.
- *
- * Creates a single-node ClickHouse instance on ECS EC2 with a dedicated
- * gp3 EBS volume for data persistence. Designed for analytical workloads
- * (cost aggregation, deployment metrics, audit logs) rather than OLTP.
- */
-export default class ClickHouse extends Construct implements IConnectable {
-    readonly connections: Connections;
-    readonly outputs: ClickHouseOutputs;
-    constructor(scope: Construct, id: string, props: ClickHouseProps);
-}