@fjall/components-infrastructure 0.102.0 → 1.1.0

package/dist/lib/resources/aws/analytics/clickhouseSecurityGroup.d.ts

@@ -1,13 +0,0 @@
-import { type ISecurityGroup, type IVpc } from "aws-cdk-lib/aws-ec2";
-import type { Construct } from "constructs";
-import { SecurityGroup } from "../networking/securityGroup.js";
-/**
- * Creates the ClickHouse security group.
- *
- * Inbound:
- *   - TCP 8123 from webapp ECS service SG (HTTP queries)
- *
- * Outbound:
- *   - HTTPS 443 to 0.0.0.0/0 (R2 endpoint + Secrets Manager)
- */
-export declare function createClickHouseSecurityGroup(scope: Construct, vpc: IVpc, webappSecurityGroup: ISecurityGroup): SecurityGroup;

package/dist/lib/resources/aws/analytics/clickhouseSecurityGroup.js

@@ -1,28 +0,0 @@
-import { Peer, Port } from "aws-cdk-lib/aws-ec2";
-import { SecurityGroup } from "../networking/securityGroup.js";
-import { CLICKHOUSE_HTTP_PORT, CLICKHOUSE_NATIVE_PORT } from "./clickhouseConstants.js";
-/**
- * Creates the ClickHouse security group.
- *
- * Inbound:
- *   - TCP 8123 from webapp ECS service SG (HTTP queries)
- *
- * Outbound:
- *   - HTTPS 443 to 0.0.0.0/0 (R2 endpoint + Secrets Manager)
- */
-export function createClickHouseSecurityGroup(scope, vpc, webappSecurityGroup) {
-    const sg = new SecurityGroup(scope, "ClickHouseSecurityGroup", {
-        vpc,
-        description: "Security group for ClickHouse analytics instance",
-        allowAllOutbound: false
-    });
-    // Inbound: HTTP API from webapp
-    sg.addIngressRule(webappSecurityGroup, Port.tcp(CLICKHOUSE_HTTP_PORT), "ClickHouse HTTP API from webapp ECS service");
-    // Inbound: Native protocol from optimise scheduled task (same SG, self-referencing)
-    sg.addIngressRule(sg, Port.tcp(CLICKHOUSE_NATIVE_PORT), "ClickHouse native protocol from optimise task");
-    // Outbound: HTTPS for R2 cold storage and Secrets Manager
-    sg.addEgressRule(Peer.anyIpv4(), Port.tcp(443), "HTTPS to R2 and Secrets Manager endpoints");
-    // Outbound: Native protocol to ClickHouse (optimise task connection)
-    sg.addEgressRule(sg, Port.tcp(CLICKHOUSE_NATIVE_PORT), "ClickHouse native protocol for optimise task");
-    return sg;
-}

package/dist/lib/resources/aws/analytics/clickhouseTypes.d.ts

@@ -1,59 +0,0 @@
-import type { IVpc, ISecurityGroup } from "aws-cdk-lib/aws-ec2";
-import type { ILogGroup } from "aws-cdk-lib/aws-logs";
-import type { IBucket } from "aws-cdk-lib/aws-s3";
-import type { ISecret } from "aws-cdk-lib/aws-secretsmanager";
-import type { ITopic } from "aws-cdk-lib/aws-sns";
-/** Props for the ClickHouse CDK construct. */
-export interface ClickHouseProps {
-    /** VPC to deploy into. */
-    vpc: IVpc;
-    /**
-     * EC2 instance type for ClickHouse.
-     * Overridden by CDK context parameter `clickhouseInstanceType` if set.
-     * Default: t4g.medium (4 GB RAM).
-     */
-    instanceType?: string;
-    /**
-     * Security group of the webapp ECS service.
-     * Used to allow inbound HTTP (8123) from the webapp.
-     */
-    webappSecurityGroup: ISecurityGroup;
-    /**
-     * R2 configuration for cold storage.
-     * If omitted, tiered storage is disabled (local-only).
-     */
-    r2Config?: ClickHouseR2Config;
-    /**
-     * SNS topic for CloudWatch alarms (CPU, memory, disk, stuck merges).
-     * If omitted, posture alarms are not created.
-     */
-    alarmTopic?: ITopic;
-    /**
-     * Webapp log group, required when `alarmTopic` is set so the stuck-merge
-     * metric filter can read the structured warning emitted by `client.ts`.
-     */
-    webappLogGroup?: ILogGroup;
-}
-/** Cloudflare R2 configuration for tiered storage and backups. */
-export interface ClickHouseR2Config {
-    /** Cloudflare account ID. */
-    accountId: string;
-    /** R2 access key (stored in Secrets Manager). */
-    accessKeySecret: ISecret;
-    /** R2 secret key (stored in Secrets Manager). */
-    secretKeySecret: ISecret;
-}
-/** Outputs from the ClickHouse construct for use by other constructs. */
-export interface ClickHouseOutputs {
-    /** Security group for the ClickHouse instance (for connection rules). */
-    securityGroup: ISecurityGroup;
-    /** S3 bucket for weekly automated backups (for restore operations). */
-    backupBucket: IBucket;
-    /** Secrets Manager secrets for ClickHouse passwords. */
-    secrets: {
-        appPassword: ISecret;
-        auditPassword: ISecret;
-        backupPassword: ISecret;
-        schemaPassword: ISecret;
-    };
-}

package/dist/lib/resources/aws/analytics/clickhouseTypes.js

@@ -1 +0,0 @@
-export {};

package/dist/lib/resources/aws/analytics/clickhouseUserData.d.ts

@@ -1,6 +0,0 @@
-export interface ClickHouseUserDataOptions {
-    /** Cloudflare account ID for R2 cold storage. If omitted, local-only storage is used. */
-    cfAccountId?: string;
-}
-export declare const USERS_CONFIG_XML = "<clickhouse>\n    <users>\n        <default>\n            <networks>\n                <ip>127.0.0.1</ip>\n                <ip>::1</ip>\n            </networks>\n        </default>\n    </users>\n    <profiles>\n        <default>\n            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>\n            <!-- ALTER TABLE ... MODIFY TTL on a 30-day-partitioned table would otherwise\n                 trigger an immediate full-table rewrite (default = 1). On the t4g.medium\n                 box that's a merge-pool starvation event. Keep TTL changes lazy: parts\n                 re-evaluate TTL on their next natural merge, no forced rewrite. -->\n            <materialize_ttl_after_modify>0</materialize_ttl_after_modify>\n        </default>\n        <app_writer>\n            <max_threads>2</max_threads>\n            <max_insert_threads>1</max_insert_threads>\n            <max_concurrent_queries_for_user>4</max_concurrent_queries_for_user>\n            <log_queries_min_query_duration_ms>100</log_queries_min_query_duration_ms>\n            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>\n            <use_query_condition_cache>1</use_query_condition_cache>\n            <!-- Re-enable skip indexes under FINAL (tenantQuery auto-FINALs RMT tables;\n                 default disables idx_aws_account, idx_application, idx_dedup, idx_fingerprint). -->\n            <use_skip_indexes_if_final>1</use_skip_indexes_if_final>\n            <!-- Tenant-isolation guards (ClickHouse PR #91065 fix). Belt-and-braces with the\n                 per-user SQL SETTINGS in 002-users.sql \u2014 keep both so `CREATE OR REPLACE USER`\n                 cannot regress this. Without these flags, FINAL queries on un-merged\n                 ReplacingMergeTree parts can leak across tenants. -->\n            <apply_row_policy_after_final>1</apply_row_policy_after_final>\n            <apply_prewhere_after_final>1</apply_prewhere_after_final>\n            <do_not_merge_across_partitions_select_final>1</do_not_merge_across_partitions_select_final>\n            <async_insert>1</async_insert>\n            <wait_for_async_insert>1</wait_for_async_insert>\n            <async_insert_max_data_size>10000000</async_insert_max_data_size>\n            <!-- Adaptive batching: tune flush window between 50 ms (low-latency rare inserts)\n                 and 2 s (absorbs bursts). A single fixed value is silently overridden by the\n                 adaptive algorithm. -->\n            <async_insert_busy_timeout_min_ms>50</async_insert_busy_timeout_min_ms>\n            <async_insert_busy_timeout_max_ms>2000</async_insert_busy_timeout_max_ms>\n            <async_insert_use_adaptive_busy_timeout>1</async_insert_use_adaptive_busy_timeout>\n            <!-- Server-side deduplication of async inserts. Latent retry safety net:\n                 if a producer retries the same insert window (network hiccup, lambda re-run,\n                 SQS redelivery), the second attempt collapses against the first. As of CH 26.1\n                 this also propagates end-to-end through dependent materialised views \u2014 without\n                 it, a retried insert could double-count in metrics_hourly_mv / log_severity_hourly_mv\n                 even if the base table dedups. CH pin is 26.3 so the propagation fix is in. -->\n            <async_insert_deduplicate>1</async_insert_deduplicate>\n            <input_format_parallel_parsing>0</input_format_parallel_parsing>\n            <output_format_parallel_formatting>0</output_format_parallel_formatting>\n            <!-- Lazy materialisation (CH 25.4+): for `SELECT * ... LIMIT N` shapes the planner\n                 reads only the columns needed to evaluate ORDER BY / WHERE, then fetches the\n                 remaining columns for the surviving N rows. Order-of-magnitude I/O reduction\n                 on dashboard queries (e.g. getLatestMetrics LIMIT 1 BY application_id). -->\n            <query_plan_optimize_lazy_materialization>1</query_plan_optimize_lazy_materialization>\n            <!-- Per-query memory cap (overrides server-wide max_memory_usage of 1 GB\n                 to give app_writer 2 GB headroom). Belt-and-braces with the inline\n                 SETTINGS in 002-users.sql so neither layer can drift alone. -->\n            <max_memory_usage>2000000000</max_memory_usage>\n            <max_memory_usage_for_user>2684354560</max_memory_usage_for_user>\n            <max_bytes_before_external_sort>536870912</max_bytes_before_external_sort>\n            <max_bytes_before_external_group_by>536870912</max_bytes_before_external_group_by>\n            <!-- Per-query caps. Belt-and-braces with the inline SETTINGS in\n                 002-users.sql so `CREATE OR REPLACE USER` cannot regress the bound. -->\n            <max_execution_time>30</max_execution_time>\n            <max_rows_to_read>10000000</max_rows_to_read>\n        </app_writer>\n        <audit_writer>\n            <max_threads>1</max_threads>\n            <max_insert_threads>1</max_insert_threads>\n            <max_concurrent_queries_for_user>2</max_concurrent_queries_for_user>\n            <max_memory_usage>500000000</max_memory_usage>\n            <max_execution_time>10</max_execution_time>\n            <async_insert>1</async_insert>\n            <wait_for_async_insert>1</wait_for_async_insert>\n        </audit_writer>\n        <backup_reader>\n            <max_threads>2</max_threads>\n            <max_concurrent_queries_for_user>1</max_concurrent_queries_for_user>\n            <max_memory_usage>1000000000</max_memory_usage>\n            <max_execution_time>3600</max_execution_time>\n        </backup_reader>\n        <schema_admin>\n            <max_threads>2</max_threads>\n            <max_concurrent_queries_for_user>1</max_concurrent_queries_for_user>\n            <max_memory_usage>1000000000</max_memory_usage>\n            <max_execution_time>1800</max_execution_time>\n        </schema_admin>\n    </profiles>\n    <quotas>\n        <tenant_default>\n            <interval>\n                <duration>3600</duration>\n                <queries>1000</queries>\n                <result_rows>10000000</result_rows>\n            </interval>\n        </tenant_default>\n    </quotas>\n</clickhouse>";
-export declare function generateClickHouseUserData(options?: ClickHouseUserDataOptions): string;

package/dist/lib/resources/aws/analytics/clickhouseUserData.js

@@ -1,299 +0,0 @@
-import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_PROMETHEUS_PORT } from "./clickhouseConstants.js";
-function generateServerConfigXml(cfAccountId) {
-    if (cfAccountId !== undefined && !/^[a-f0-9]{32}$/.test(cfAccountId)) {
-        throw new Error(`Invalid Cloudflare account ID format: expected 32-char hex, got "${cfAccountId}"`);
-    }
-    const storageBlock = cfAccountId !== undefined
-        ? `    <storage_configuration>
-        <disks>
-            <local_ssd>
-                <type>local</type>
-                <path>/var/lib/clickhouse/</path>
-            </local_ssd>
-            <r2_cold>
-                <type>s3</type>
-                <endpoint>https://${cfAccountId}.r2.cloudflarestorage.com/fjall-clickhouse-cold/data/</endpoint>
-                <access_key_id from_env="R2_ACCESS_KEY" />
-                <secret_access_key from_env="R2_SECRET_KEY" />
-                <region>auto</region>
-                <support_batch_delete>false</support_batch_delete>
-                <metadata_path>/var/lib/clickhouse/disks/r2_cold/</metadata_path>
-            </r2_cold>
-        </disks>
-        <policies>
-            <tiered>
-                <volumes>
-                    <hot>
-                        <disk>local_ssd</disk>
-                    </hot>
-                    <cold>
-                        <disk>r2_cold</disk>
-                    </cold>
-                </volumes>
-                <move_factor>0.05</move_factor>
-            </tiered>
-            <local_only>
-                <volumes>
-                    <default>
-                        <disk>local_ssd</disk>
-                    </default>
-                </volumes>
-            </local_only>
-        </policies>
-    </storage_configuration>`
-        : `    <storage_configuration>
-        <disks>
-            <default>
-                <keep_free_space_bytes>1073741824</keep_free_space_bytes>
-            </default>
-        </disks>
-        <policies>
-            <tiered>
-                <volumes>
-                    <hot>
-                        <disk>default</disk>
-                    </hot>
-                    <cold>
-                        <disk>default</disk>
-                    </cold>
-                </volumes>
-            </tiered>
-            <local_only>
-                <volumes>
-                    <default>
-                        <disk>default</disk>
-                    </default>
-                </volumes>
-            </local_only>
-        </policies>
-    </storage_configuration>`;
-    return `<clickhouse>
-    <logger>
-        <level>warning</level>
-        <log>/var/log/clickhouse-server/clickhouse-server.log</log>
-        <errorlog>/var/log/clickhouse-server/clickhouse-server.err.log</errorlog>
-        <size>100M</size>
-        <count>3</count>
-    </logger>
-    <max_server_memory_usage>2684354560</max_server_memory_usage>
-    <max_memory_usage>1000000000</max_memory_usage>
-    <max_bytes_before_external_sort>536870912</max_bytes_before_external_sort>
-    <max_bytes_before_external_group_by>536870912</max_bytes_before_external_group_by>
-    <mark_cache_size>268435456</mark_cache_size>
-    <index_mark_cache_size>67108864</index_mark_cache_size>
-    <uncompressed_cache_size>0</uncompressed_cache_size>
-    <max_concurrent_queries>10</max_concurrent_queries>
-    <background_pool_size>2</background_pool_size>
-    <background_schedule_pool_size>2</background_schedule_pool_size>
-    <background_merges_mutations_concurrency_ratio>2</background_merges_mutations_concurrency_ratio>
-    <background_move_pool_size>1</background_move_pool_size>
-    <background_fetches_pool_size>1</background_fetches_pool_size>
-    <background_message_broker_schedule_pool_size>1</background_message_broker_schedule_pool_size>
-    <merge_tree>
-        <max_suspicious_broken_parts>5</max_suspicious_broken_parts>
-        <parts_to_delay_insert>150</parts_to_delay_insert>
-        <parts_to_throw_insert>300</parts_to_throw_insert>
-    </merge_tree>
-    <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>
-    <custom_settings_prefixes>current_</custom_settings_prefixes>
-    <!-- HTTP keep-alive window. Must exceed @clickhouse/client idle_socket_ttl (15 s)
-         so the client always closes the socket first. Prevents ECONNRESET on reuse. -->
-    <keep_alive_timeout>30</keep_alive_timeout>
-    <query_log>
-        <database>system</database>
-        <table>query_log</table>
-        <flush_interval_milliseconds>7500</flush_interval_milliseconds>
-        <ttl>event_date + INTERVAL 14 DAY DELETE</ttl>
-    </query_log>
-    <!-- All system log tables need bounded retention on 80GB EBS (mirror query_log's 14-day policy). -->
-    <asynchronous_metric_log>
-        <database>system</database>
-        <table>asynchronous_metric_log</table>
-        <ttl>event_date + INTERVAL 14 DAY DELETE</ttl>
-    </asynchronous_metric_log>
-    <metric_log>
-        <database>system</database>
-        <table>metric_log</table>
-        <ttl>event_date + INTERVAL 14 DAY DELETE</ttl>
-    </metric_log>
-    <part_log>
-        <database>system</database>
-        <table>part_log</table>
-        <ttl>event_date + INTERVAL 14 DAY DELETE</ttl>
-    </part_log>
-    <error_log>
-        <database>system</database>
-        <table>error_log</table>
-        <ttl>event_date + INTERVAL 14 DAY DELETE</ttl>
-    </error_log>
-${storageBlock}
-    <query_cache>
-        <max_size_in_bytes>104857600</max_size_in_bytes>
-        <max_entries>1024</max_entries>
-        <max_entry_size_in_bytes>1048576</max_entry_size_in_bytes>
-    </query_cache>
-    <prometheus>
-        <endpoint>/metrics</endpoint>
-        <port>${CLICKHOUSE_PROMETHEUS_PORT}</port>
-        <metrics>true</metrics>
-        <events>true</events>
-        <asynchronous_metrics>true</asynchronous_metrics>
-    </prometheus>
-    <query_thread_log remove="1"/>
-    <opentelemetry_span_log remove="1"/>
-    <processors_profile_log remove="1"/>
-</clickhouse>`;
-}
-export const USERS_CONFIG_XML = `<clickhouse>
-    <users>
-        <default>
-            <networks>
-                <ip>127.0.0.1</ip>
-                <ip>::1</ip>
-            </networks>
-        </default>
-    </users>
-    <profiles>
-        <default>
-            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>
-            <!-- ALTER TABLE ... MODIFY TTL on a 30-day-partitioned table would otherwise
-                 trigger an immediate full-table rewrite (default = 1). On the t4g.medium
-                 box that's a merge-pool starvation event. Keep TTL changes lazy: parts
-                 re-evaluate TTL on their next natural merge, no forced rewrite. -->
-            <materialize_ttl_after_modify>0</materialize_ttl_after_modify>
-        </default>
-        <app_writer>
-            <max_threads>2</max_threads>
-            <max_insert_threads>1</max_insert_threads>
-            <max_concurrent_queries_for_user>4</max_concurrent_queries_for_user>
-            <log_queries_min_query_duration_ms>100</log_queries_min_query_duration_ms>
-            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>
-            <use_query_condition_cache>1</use_query_condition_cache>
-            <!-- Re-enable skip indexes under FINAL (tenantQuery auto-FINALs RMT tables;
-                 default disables idx_aws_account, idx_application, idx_dedup, idx_fingerprint). -->
-            <use_skip_indexes_if_final>1</use_skip_indexes_if_final>
-            <!-- Tenant-isolation guards (ClickHouse PR #91065 fix). Belt-and-braces with the
-                 per-user SQL SETTINGS in 002-users.sql — keep both so \`CREATE OR REPLACE USER\`
-                 cannot regress this. Without these flags, FINAL queries on un-merged
-                 ReplacingMergeTree parts can leak across tenants. -->
-            <apply_row_policy_after_final>1</apply_row_policy_after_final>
-            <apply_prewhere_after_final>1</apply_prewhere_after_final>
-            <do_not_merge_across_partitions_select_final>1</do_not_merge_across_partitions_select_final>
-            <async_insert>1</async_insert>
-            <wait_for_async_insert>1</wait_for_async_insert>
-            <async_insert_max_data_size>10000000</async_insert_max_data_size>
-            <!-- Adaptive batching: tune flush window between 50 ms (low-latency rare inserts)
-                 and 2 s (absorbs bursts). A single fixed value is silently overridden by the
-                 adaptive algorithm. -->
-            <async_insert_busy_timeout_min_ms>50</async_insert_busy_timeout_min_ms>
-            <async_insert_busy_timeout_max_ms>2000</async_insert_busy_timeout_max_ms>
-            <async_insert_use_adaptive_busy_timeout>1</async_insert_use_adaptive_busy_timeout>
-            <!-- Server-side deduplication of async inserts. Latent retry safety net:
-                 if a producer retries the same insert window (network hiccup, lambda re-run,
-                 SQS redelivery), the second attempt collapses against the first. As of CH 26.1
-                 this also propagates end-to-end through dependent materialised views — without
-                 it, a retried insert could double-count in metrics_hourly_mv / log_severity_hourly_mv
-                 even if the base table dedups. CH pin is 26.3 so the propagation fix is in. -->
-            <async_insert_deduplicate>1</async_insert_deduplicate>
-            <input_format_parallel_parsing>0</input_format_parallel_parsing>
-            <output_format_parallel_formatting>0</output_format_parallel_formatting>
-            <!-- Lazy materialisation (CH 25.4+): for \`SELECT * ... LIMIT N\` shapes the planner
-                 reads only the columns needed to evaluate ORDER BY / WHERE, then fetches the
-                 remaining columns for the surviving N rows. Order-of-magnitude I/O reduction
-                 on dashboard queries (e.g. getLatestMetrics LIMIT 1 BY application_id). -->
-            <query_plan_optimize_lazy_materialization>1</query_plan_optimize_lazy_materialization>
-            <!-- Per-query memory cap (overrides server-wide max_memory_usage of 1 GB
-                 to give app_writer 2 GB headroom). Belt-and-braces with the inline
-                 SETTINGS in 002-users.sql so neither layer can drift alone. -->
-            <max_memory_usage>2000000000</max_memory_usage>
-            <max_memory_usage_for_user>2684354560</max_memory_usage_for_user>
-            <max_bytes_before_external_sort>536870912</max_bytes_before_external_sort>
-            <max_bytes_before_external_group_by>536870912</max_bytes_before_external_group_by>
-            <!-- Per-query caps. Belt-and-braces with the inline SETTINGS in
-                 002-users.sql so \`CREATE OR REPLACE USER\` cannot regress the bound. -->
-            <max_execution_time>30</max_execution_time>
-            <max_rows_to_read>10000000</max_rows_to_read>
-        </app_writer>
-        <audit_writer>
-            <max_threads>1</max_threads>
-            <max_insert_threads>1</max_insert_threads>
-            <max_concurrent_queries_for_user>2</max_concurrent_queries_for_user>
-            <max_memory_usage>500000000</max_memory_usage>
-            <max_execution_time>10</max_execution_time>
-            <async_insert>1</async_insert>
-            <wait_for_async_insert>1</wait_for_async_insert>
-        </audit_writer>
-        <backup_reader>
-            <max_threads>2</max_threads>
-            <max_concurrent_queries_for_user>1</max_concurrent_queries_for_user>
-            <max_memory_usage>1000000000</max_memory_usage>
-            <max_execution_time>3600</max_execution_time>
-        </backup_reader>
-        <schema_admin>
-            <max_threads>2</max_threads>
-            <max_concurrent_queries_for_user>1</max_concurrent_queries_for_user>
-            <max_memory_usage>1000000000</max_memory_usage>
-            <max_execution_time>1800</max_execution_time>
-        </schema_admin>
-    </profiles>
-    <quotas>
-        <tenant_default>
-            <interval>
-                <duration>3600</duration>
-                <queries>1000</queries>
-                <result_rows>10000000</result_rows>
-            </interval>
-        </tenant_default>
-    </quotas>
-</clickhouse>`;
-export function generateClickHouseUserData(options) {
-    const serverConfigXml = generateServerConfigXml(options?.cfAccountId);
-    return `#!/bin/bash
-set -euo pipefail
-
-DEVICE="${CLICKHOUSE_EBS_DEVICE_NAME}"
-MOUNT_POINT="${CLICKHOUSE_DATA_MOUNT_PATH}"
-
-# Wait for the EBS volume to be attached (up to 60 seconds)
-for i in $(seq 1 60); do
-  if [ -b "$DEVICE" ]; then
-    break
-  fi
-  sleep 1
-done
-
-if [ ! -b "$DEVICE" ]; then
-  echo "ERROR: EBS volume $DEVICE not found after 60 seconds" >&2
-  exit 1
-fi
-
-# Format only if not already formatted (idempotent)
-if ! blkid "$DEVICE" | grep -q ext4; then
-  mkfs.ext4 -m 0 "$DEVICE"
-fi
-
-# Mount
-mkdir -p "$MOUNT_POINT"
-mount "$DEVICE" "$MOUNT_POINT"
-
-# Persist across reboots
-if ! grep -q "$MOUNT_POINT" /etc/fstab; then
-  echo "$DEVICE $MOUNT_POINT ext4 defaults,nofail 0 2" >> /etc/fstab
-fi
-
-# Write ClickHouse server config (memory limits, storage policies, Prometheus)
-mkdir -p "$MOUNT_POINT/${CLICKHOUSE_CONFIG_SUBDIR}"
-cat > "$MOUNT_POINT/${CLICKHOUSE_CONFIG_SUBDIR}/fjall.xml" << 'CONFIGEOF'
-${serverConfigXml}
-CONFIGEOF
-
-# Write ClickHouse users config (profiles, quotas, default user restrictions)
-mkdir -p "$MOUNT_POINT/${CLICKHOUSE_USERS_SUBDIR}"
-cat > "$MOUNT_POINT/${CLICKHOUSE_USERS_SUBDIR}/fjall.xml" << 'USERSEOF'
-${USERS_CONFIG_XML}
-USERSEOF
-
-# ClickHouse alpine image runs as uid 101, gid 101
-chown -R 101:101 "$MOUNT_POINT"
-`;
-}

package/dist/lib/resources/aws/analytics/index.d.ts

@@ -1,4 +0,0 @@
-export { default as ClickHouse } from "./clickhouse.js";
-export type { ClickHouseProps, ClickHouseR2Config, ClickHouseOutputs } from "./clickhouseTypes.js";
-export { createClickHouseAlarms } from "./clickhouseAlarms.js";
-export type { ClickHouseAlarmThresholds, ClickHouseAlarmsProps } from "./clickhouseAlarms.js";

package/dist/lib/resources/aws/analytics/index.js

@@ -1,2 +0,0 @@
-export { default as ClickHouse } from "./clickhouse.js";
-export { createClickHouseAlarms } from "./clickhouseAlarms.js";

package/dist/lib/resources/aws/compute/__tmp__/regression-shape.d.ts

@@ -1,2 +0,0 @@
-import { AutoScalingGroup } from "aws-cdk-lib/aws-autoscaling";
-export declare function regression(asg: AutoScalingGroup, queue: any, id: string): void;

package/dist/lib/resources/aws/compute/__tmp__/regression-shape.js

@@ -1,11 +0,0 @@
-import { DefaultResult, LifecycleTransition } from "aws-cdk-lib/aws-autoscaling";
-import { QueueHook } from "aws-cdk-lib/aws-autoscaling-hooktargets";
-import { Duration } from "aws-cdk-lib";
-export function regression(asg, queue, id) {
-    asg.addLifecycleHook(`${id}LaunchingHook`, {
-        lifecycleTransition: LifecycleTransition.INSTANCE_LAUNCHING,
-        defaultResult: DefaultResult.ABANDON,
-        heartbeatTimeout: Duration.seconds(300),
-        notificationTarget: new QueueHook(queue)
-    });
-}

package/dist/lib/resources/aws/messaging/defaultEventBus.d.ts

@@ -1,7 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import { Construct } from "constructs";
-export declare class DefaultEventBus extends Construct {
-    readonly defaultEventBusName: CfnOutput;
-    readonly defaultEventBusArn: CfnOutput;
-    constructor(scope: Construct, id: string);
-}

package/dist/lib/resources/aws/messaging/defaultEventBus.js

@@ -1,21 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import { EventBus } from "aws-cdk-lib/aws-events";
-import { Construct } from "constructs";
-export class DefaultEventBus extends Construct {
-    defaultEventBusName;
-    defaultEventBusArn;
-    constructor(scope, id) {
-        super(scope, id);
-        const eventBridge = EventBus.fromEventBusName(this, "DefaultEventBus", "default");
-        this.defaultEventBusName = new CfnOutput(this, "DefaultEventBusNameOutput", {
-            key: "DefaultEventBusName",
-            value: eventBridge.eventBusName,
-            exportName: "DefaultEventBusName"
-        });
-        this.defaultEventBusArn = new CfnOutput(this, "DefaultEventBusArnOutput", {
-            key: "DefaultEventBusArn",
-            value: eventBridge.eventBusArn,
-            exportName: "DefaultEventBusArn"
-        });
-    }
-}

package/dist/lib/resources/aws/networking/domain.d.ts

@@ -1,13 +0,0 @@
-import { Construct } from "constructs";
-import { type IHostedZone } from "aws-cdk-lib/aws-route53";
-import type { DomainApexProps } from "../../../utils/domainTypes.js";
-export declare class Domain extends Construct {
-    readonly hostedZoneId: string;
-    readonly hostedZone: IHostedZone;
-    private readonly zoneName;
-    constructor(scope: Construct, id: string, props: DomainApexProps);
-    private addDelegationRole;
-    private addZoneIdOutput;
-    private addNameserverOutput;
-    private addCertificates;
-}

package/dist/lib/resources/aws/networking/domain.js

@@ -1,100 +0,0 @@
-import { Construct } from "constructs";
-import { CfnOutput, Fn } from "aws-cdk-lib";
-import { toPascalCase, getSafeZoneName } from "../../../utils/capitaliseString.js";
-import { Role } from "../iam/index.js";
-import { OrganizationPrincipal, PolicyDocument, PolicyStatement } from "aws-cdk-lib/aws-iam";
-import { HostedZone as AWSHostedZone } from "aws-cdk-lib/aws-route53";
-import { getDomainExportNames, addDnsRecords } from "../../../utils/domainTypes.js";
-import { DomainCertificate } from "./domainCertificate.js";
-export class Domain extends Construct {
-    hostedZoneId;
-    hostedZone;
-    zoneName;
-    constructor(scope, id, props) {
-        super(scope, id);
-        this.zoneName = props.zoneName;
-        if (!props.hostedZoneId) {
-            const createdZone = new AWSHostedZone(this, `${getSafeZoneName(props.zoneName)}HostedZone`, {
-                zoneName: props.zoneName,
-                comment: `Hosted Zone for ${props.zoneName}`
-            });
-            this.hostedZone = createdZone;
-            this.hostedZoneId = createdZone.hostedZoneId;
-            this.addDelegationRole(createdZone);
-            this.addNameserverOutput(createdZone);
-        }
-        else {
-            this.hostedZoneId = props.hostedZoneId;
-            this.hostedZone = AWSHostedZone.fromHostedZoneAttributes(this, `${getSafeZoneName(props.zoneName)}ImportedHostedZone`, {
-                hostedZoneId: props.hostedZoneId,
-                zoneName: props.zoneName
-            });
-        }
-        this.addZoneIdOutput();
-        if (props.records) {
-            addDnsRecords(this, this.hostedZone, this.zoneName, props.records);
-        }
-        if (props.certificates) {
-            this.addCertificates(props.certificates);
-        }
-    }
-    addDelegationRole(zone) {
-        const domainLabel = this.zoneName.split(".")[0] ?? "default";
-        const safeDomainLabel = toPascalCase(domainLabel);
-        const role = new Role(this, `${safeDomainLabel}DelegateHostedZoneRole`, {
-            assumedBy: new OrganizationPrincipal(Fn.importValue("OrganisationId")),
-            roleName: `${domainLabel}DelegateHostedZoneRole`,
-            inlinePolicies: {
-                ["listHostedZones"]: new PolicyDocument({
-                    statements: [
-                        new PolicyStatement({
-                            actions: ["route53:ListHostedZonesByName"],
-                            resources: ["*"]
-                        })
-                    ]
-                }),
-                ["changeResourceRecordSets"]: new PolicyDocument({
-                    statements: [
-                        new PolicyStatement({
-                            actions: ["route53:ChangeResourceRecordSets"],
-                            resources: [`arn:aws:route53:::hostedzone/${zone.hostedZoneId}`]
-                        })
-                    ]
-                })
-            }
-        });
-        zone.grantDelegation(role);
-        new CfnOutput(this, `${safeDomainLabel}DelegateHostedZoneRoleArn`, {
-            key: `${safeDomainLabel}DelegateHostedZoneRoleArn`,
-            value: role.roleArn,
-            exportName: `${domainLabel}DelegateHostedZoneRoleArn`
-        });
-    }
-    addZoneIdOutput() {
-        const safeKey = toPascalCase(getSafeZoneName(this.zoneName));
-        const exports = getDomainExportNames(this.zoneName);
-        new CfnOutput(this, `${safeKey}HostedZoneId`, {
-            key: `${safeKey}HostedZoneId`,
-            value: this.hostedZoneId,
-            exportName: exports.hostedZoneId
-        });
-    }
-    addNameserverOutput(zone) {
-        const safeKey = toPascalCase(getSafeZoneName(this.zoneName));
-        new CfnOutput(this, `${safeKey}Nameservers`, {
-            key: `${safeKey}Nameservers`,
-            value: Fn.join(",", zone.hostedZoneNameServers ?? [])
-        });
-    }
-    addCertificates(certificates) {
-        const safeZone = toPascalCase(getSafeZoneName(this.zoneName));
-        certificates.forEach((cert, index) => {
-            const safeCertName = toPascalCase(cert.domainName.split(".").join(""));
-            new DomainCertificate(this, `${safeZone}${safeCertName}Cert${index}`, {
-                domainName: cert.domainName,
-                subjectAlternativeNames: cert.subjectAlternativeNames,
-                hostedZone: this.hostedZone
-            });
-        });
-    }
-}

package/dist/lib/synth_dump.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/lib/synth_dump.js

@@ -1,42 +0,0 @@
-import { App, Stack } from "aws-cdk-lib";
-import { Template } from "aws-cdk-lib/assertions";
-import { Vpc } from "aws-cdk-lib/aws-ec2";
-import { Repository } from "aws-cdk-lib/aws-ecr";
-import { mkdtempSync, mkdirSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { EcsCompute } from "./patterns/aws/computeEcs.js";
-import { RelationalDatabase } from "./patterns/aws/database.js";
-const root = mkdtempSync(join(tmpdir(), "ds-"));
-mkdirSync(join(root, "20260512000000_init"));
-const app = new App();
-const stack = new Stack(app, "S", { env: { account: "123456789012", region: "us-east-1" } });
-const vpc = new Vpc(stack, "Vpc");
-const db = new RelationalDatabase(stack, "Db", {
-    type: "Instance", vpc, databaseName: "appdata",
-    migrations: { tool: "prisma", dir: root }
-});
-new EcsCompute(stack, "Cluster", {
-    type: "ecs",
-    ecrRepository: new Repository(stack, "Ecr"),
-    services: [{
-            name: "web", capacityProvider: "FARGATE",
-            containers: [{ name: "app", image: "nginx:latest", port: 3000 }],
-            connections: [db],
-            migrations: {
-                mode: "lifecycle-hook", command: ["node", "migrate.mjs"], entryPoint: ["/usr/bin/tini", "--"],
-                separateTaskDef: { cpu: 512, memoryLimitMiB: 1024 }
-            }
-        }]
-});
-const t = Template.fromStack(stack);
-const ing = t.findResources("AWS::EC2::SecurityGroupIngress");
-for (const [name, res] of Object.entries(ing)) {
-    console.log("INGRESS:", name);
-    console.log("  props:", JSON.stringify(res.Properties));
-}
-const eg = t.findResources("AWS::EC2::SecurityGroupEgress");
-for (const [name, res] of Object.entries(eg)) {
-    console.log("EGRESS:", name);
-    console.log("  props:", JSON.stringify(res.Properties));
-}

package/dist/lib/utils/bastionFactory.d.ts

@@ -1,10 +0,0 @@
-import { type IVpc } from "aws-cdk-lib/aws-ec2";
-import { Ec2Instance } from "../resources/aws/compute/ec2.js";
-import { type AwsStack } from "../resources/index.js";
-export interface BastionConfig {
-    instanceType?: string;
-}
-export interface BastionResult {
-    bastion: Ec2Instance;
-}
-export declare function createBastion(networkStack: AwsStack, appName: string, stackPrefix: string, vpc: IVpc, config: BastionConfig | true): BastionResult;