@fjall/components-infrastructure 0.102.0 → 2.1.1

package/dist/lib/resources/aws/database/clickhouseUserData.js

@@ -1,7 +1,8 @@
-import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_PROMETHEUS_PORT, clickHousePasswordSha256Snippet } from "./clickhouseConstants.js";
+import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_HTTPS_PORT, CLICKHOUSE_TCP_SECURE_PORT, CLICKHOUSE_TLS_CERT_MOUNT_PATH, CLICKHOUSE_PROMETHEUS_PORT, clickHousePasswordSha256Snippet } from "./clickhouseConstants.js";
 import { renderUsersXml } from "./clickhouseXmlRenderer.js";
 export function generateServerConfigXml(options) {
     const { backupBucketName, backupBucketRegion, coldTier } = options;
+    const tlsActive = options.tlsActive ?? false;
     const storageBlock = coldTier !== undefined
         ? `    <storage_configuration>
         <!-- Same CH 26 rule as the no-cold-tier branch: a <local_ssd> disk
@@ -145,7 +146,19 @@ export function generateServerConfigXml(options) {
         <number_of_free_entries_in_pool_to_lower_max_size_of_merge>1</number_of_free_entries_in_pool_to_lower_max_size_of_merge>
         <number_of_free_entries_in_pool_to_execute_optimize_entire_partition>1</number_of_free_entries_in_pool_to_execute_optimize_entire_partition>
     </merge_tree>
-    <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>
+${tlsActive
+        ? `    <https_port>${CLICKHOUSE_HTTPS_PORT}</https_port>
+    <tcp_port_secure>${CLICKHOUSE_TCP_SECURE_PORT}</tcp_port_secure>
+    <openSSL>
+        <server>
+            <certificateFile>${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/server.crt</certificateFile>
+            <privateKeyFile>${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/server.key</privateKeyFile>
+            <verificationMode>relaxed</verificationMode>
+            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1</disableProtocols>
+            <preferServerCiphers>true</preferServerCiphers>
+        </server>
+    </openSSL>`
+        : `    <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>`}
     <custom_settings_prefixes>current_</custom_settings_prefixes>
     <!-- HTTP keep-alive window. Must exceed @clickhouse/client idle_socket_ttl (15 s)
          so the client always closes the socket first. Prevents ECONNRESET on reuse. -->
@@ -247,6 +260,58 @@ function compactUserDataScript(script) {
  */
 export function buildClickHouseUserData(options) {
     const serverConfigXml = generateServerConfigXml(options);
+    const tlsActive = options.tlsActive ?? false;
+    if (tlsActive &&
+        (options.caSecretArn === undefined || options.serverSecretArn === undefined)) {
+        throw new Error("buildClickHouseUserData: tlsActive=true requires both caSecretArn and serverSecretArn");
+    }
+    const tlsBootstrap = tlsActive
+        ? `
+# Materialise TLS certs from Secrets Manager. The EC2 instance role carries
+# the secretsmanager:GetSecretValue grant; certs land on the EBS-backed mount
+# at \`$MOUNT_POINT/server-certs/\` and are bind-mounted read-only into the
+# CH container at /etc/clickhouse-server/certs. Cert rotation triggers task
+# replacement via the CA_CERT_SHA256 env on dependent services (the cert
+# generator emits the digest as a CFN Data attribute).
+mkdir -p "$MOUNT_POINT/server-certs"
+
+# jq is needed to extract cert + key fields from the server bundle JSON.
+# AL2023 ECS-optimised AMIs ship without jq; install it if missing.
+command -v jq >/dev/null 2>&1 || dnf install -y jq || yum install -y jq
+
+# Fetch CA (raw PEM SecretString). Quoting prevents word-splitting on multi-line PEM.
+CA_PEM=$(aws secretsmanager get-secret-value --secret-id "${options.caSecretArn ?? ""}" --query SecretString --output text)
+printf '%s\\n' "$CA_PEM" > "$MOUNT_POINT/server-certs/ca.crt"
+
+# Fetch server bundle (JSON { "cert": "<pem>", "key": "<pem>" }).
+SERVER_JSON=$(aws secretsmanager get-secret-value --secret-id "${options.serverSecretArn ?? ""}" --query SecretString --output text)
+printf '%s' "$SERVER_JSON" | jq -r .cert > "$MOUNT_POINT/server-certs/server.crt"
+printf '%s' "$SERVER_JSON" | jq -r .key > "$MOUNT_POINT/server-certs/server.key"
+
+# Strict-verify client config consumed by docker-exec reload SSM script and any
+# in-container clickhouse-client invocation. RejectCertificateHandler + strict
+# verificationMode together close the trust-anchor-skipped class.
+cat > "$MOUNT_POINT/server-certs/client.xml" <<'CLIENTXML'
+<?xml version="1.0"?>
+<config>
+  <openSSL>
+    <client>
+      <caConfig>/etc/clickhouse-server/certs/ca.crt</caConfig>
+      <verificationMode>strict</verificationMode>
+      <loadDefaultCAFile>false</loadDefaultCAFile>
+      <invalidCertificateHandler>
+        <name>RejectCertificateHandler</name>
+      </invalidCertificateHandler>
+    </client>
+  </openSSL>
+</config>
+CLIENTXML
+
+chown -R 101:101 "$MOUNT_POINT/server-certs"
+chmod 600 "$MOUNT_POINT/server-certs/server.key"
+chmod 644 "$MOUNT_POINT/server-certs/client.xml"
+`
+        : "";
     const script = `#!/bin/bash
 set -euo pipefail
 
@@ -333,7 +398,7 @@ if [ "$USERS_CONFIG_RETRIEVED" != "1" ]; then
 fi
 
 chown -R 101:101 "$MOUNT_POINT"
-`;
+${tlsBootstrap}`;
     return compactUserDataScript(script);
 }
 /**

package/dist/lib/resources/aws/database/clickhouseXmlRenderer.d.ts

@@ -45,7 +45,7 @@ export interface RenderUsersXmlOptions {
  *
  * **Schema-admin-only emission.** Only the schema admin lands in the XML.
  * Managed-password workload users are created at runtime by the migration
- * helper (`@fjall/clickhouse-migrations § provisionUsersFromEnv`) — they
+ * helper (`@fjall/clickhouse § provisionUsersFromEnv`) — they
  * authenticate via plaintext from `USER_<NAME>_PASSWORD` env vars at runtime
  * and bind their profiles via customer SQL.
  *

package/dist/lib/resources/aws/database/clickhouseXmlRenderer.js

@@ -73,7 +73,7 @@ ${body}
  *
  * **Schema-admin-only emission.** Only the schema admin lands in the XML.
  * Managed-password workload users are created at runtime by the migration
- * helper (`@fjall/clickhouse-migrations § provisionUsersFromEnv`) — they
+ * helper (`@fjall/clickhouse § provisionUsersFromEnv`) — they
  * authenticate via plaintext from `USER_<NAME>_PASSWORD` env vars at runtime
  * and bind their profiles via customer SQL.
  *

package/dist/lib/resources/aws/secrets/index.d.ts

@@ -2,3 +2,5 @@ export * from "./alias.js";
 export * from "./kms.js";
 export * from "./parameter.js";
 export * from "./secret.js";
+export * from "./tlsCaSecret.js";
+export * from "./tlsServerSecret.js";

package/dist/lib/resources/aws/secrets/index.js

@@ -2,3 +2,5 @@ export * from "./alias.js";
 export * from "./kms.js";
 export * from "./parameter.js";
 export * from "./secret.js";
+export * from "./tlsCaSecret.js";
+export * from "./tlsServerSecret.js";

package/dist/lib/resources/aws/secrets/tlsCaSecret.d.ts

@@ -0,0 +1,13 @@
+import type { Construct } from "constructs";
+import { Secret } from "./secret.js";
+export interface TlsCaSecretProps {
+    /** Drives the deterministic secret name `fjall-<appName>-clickhouse-tls-ca`. */
+    readonly appName: string;
+}
+/**
+ * ClickHouse TLS CA cert (public — clients pin against this). Retained on
+ * delete so client-side trust anchors survive accidental stack teardown.
+ */
+export declare class TlsCaSecret extends Secret {
+    constructor(scope: Construct, id: string, props: TlsCaSecretProps);
+}

package/dist/lib/resources/aws/secrets/tlsCaSecret.js

@@ -0,0 +1,15 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Secret } from "./secret.js";
+/**
+ * ClickHouse TLS CA cert (public — clients pin against this). Retained on
+ * delete so client-side trust anchors survive accidental stack teardown.
+ */
+export class TlsCaSecret extends Secret {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            secretName: `fjall-${props.appName}-clickhouse-tls-ca`,
+            description: "ClickHouse TLS CA cert (public — clients pin against this)"
+        });
+        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
+    }
+}

package/dist/lib/resources/aws/secrets/tlsServerSecret.d.ts

@@ -0,0 +1,15 @@
+import type { Construct } from "constructs";
+import { Secret } from "./secret.js";
+export interface TlsServerSecretProps {
+    /** Drives the deterministic secret name `fjall-<appName>-clickhouse-tls-server`. */
+    readonly appName: string;
+}
+/**
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
+ * delete so cert material survives accidental stack teardown; the private
+ * key only leaves Secrets Manager via ECS executionRole + the TLS init
+ * container that materialises it onto the shared volume.
+ */
+export declare class TlsServerSecret extends Secret {
+    constructor(scope: Construct, id: string, props: TlsServerSecretProps);
+}

package/dist/lib/resources/aws/secrets/tlsServerSecret.js

@@ -0,0 +1,17 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Secret } from "./secret.js";
+/**
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
+ * delete so cert material survives accidental stack teardown; the private
+ * key only leaves Secrets Manager via ECS executionRole + the TLS init
+ * container that materialises it onto the shared volume.
+ */
+export class TlsServerSecret extends Secret {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            secretName: `fjall-${props.appName}-clickhouse-tls-server`,
+            description: "ClickHouse TLS server cert + key (JSON: { cert, key })"
+        });
+        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
+    }
+}

package/dist/lib/resources/aws/utilities/index.d.ts

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/index.js

@@ -3,3 +3,4 @@ export * from "./codeBuild.js";
 export * from "./customResource.js";
 export * from "./customResourceProvider.js";
 export * from "./resourceShare.js";
+export * from "./tlsCertGenerator.js";

package/dist/lib/resources/aws/utilities/tlsCertGenerator.d.ts

@@ -0,0 +1,33 @@
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+export interface TlsCertGeneratorProps {
+    /** Drives the deterministic Secrets Manager names of the two cert secrets. */
+    readonly appName: string;
+    /**
+     * Hostname embedded as CN + SAN dns entry on the leaf cert. Typically the
+     * Cloud Map SRV name the ClickHouse service answers on.
+     */
+    readonly hostname: string;
+    /** CA cert validity in years (default 10). Bumping forces re-issuance on next deploy. */
+    readonly caValidityYears?: number;
+    /** Leaf cert validity in years (default 5). Bumping forces re-issuance on next deploy. */
+    readonly leafValidityYears?: number;
+}
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export declare class TlsCertGenerator extends Construct {
+    readonly caSecret: TlsCaSecret;
+    readonly serverSecret: TlsServerSecret;
+    readonly caCertSha256: string;
+    constructor(scope: Construct, id: string, props: TlsCertGeneratorProps);
+}

package/dist/lib/resources/aws/utilities/tlsCertGenerator.js

@@ -0,0 +1,67 @@
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Duration, Stack } from "aws-cdk-lib";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { TlsCaSecret } from "../secrets/tlsCaSecret.js";
+import { TlsServerSecret } from "../secrets/tlsServerSecret.js";
+import { CustomResource } from "./customResource.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Resolves relative to the compiled location too — the build step copies
+ * the asset directory into dist/lib/lambda-assets/cert-generator/asset/,
+ * mirroring the source tree, so the same relative walk works post-build.
+ */
+const LAMBDA_ASSET_DIR = join(__dirname, "../../../lambda-assets/cert-generator/asset");
+const DEFAULT_CA_VALIDITY_YEARS = 10;
+const DEFAULT_LEAF_VALIDITY_YEARS = 5;
+const LAMBDA_TIMEOUT = Duration.minutes(2);
+/**
+ * Custom-resource Lambda that mints a self-signed CA + leaf cert on stack
+ * deploy and persists them to Secrets Manager. The CA secret carries the
+ * raw PEM (public — clients pin against it); the server secret carries a
+ * JSON `{ cert, key }` payload consumed by the TLS init container.
+ *
+ * `caCertSha256` is exposed for downstream consumers to wire into their
+ * container `environment` block as `CA_CERT_SHA256` — its CFN value
+ * changes whenever the cert regenerates, forcing task-def replacement so
+ * services pick up the new trust anchor.
+ */
+export class TlsCertGenerator extends Construct {
+    caSecret;
+    serverSecret;
+    caCertSha256;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.caSecret = new TlsCaSecret(this, "Ca", { appName: props.appName });
+        this.serverSecret = new TlsServerSecret(this, "Server", {
+            appName: props.appName
+        });
+        const stack = Stack.of(this);
+        const caSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-ca-*`;
+        const serverSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-server-*`;
+        const writePolicy = new PolicyStatement({
+            effect: Effect.ALLOW,
+            actions: ["secretsmanager:PutSecretValue"],
+            resources: [caSecretArnPattern, serverSecretArnPattern]
+        });
+        const cr = new CustomResource(this, "Generator", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: LAMBDA_TIMEOUT,
+            codePath: LAMBDA_ASSET_DIR,
+            handler: "index.handler",
+            lambdaDescription: `${id} ClickHouse TLS cert generator`,
+            roleDescription: `Execution role for ${id} cert generator (PutSecretValue on two cert secrets)`,
+            inlinePolicy: [writePolicy],
+            properties: {
+                caSecretArn: this.caSecret.secret.secretArn,
+                serverSecretArn: this.serverSecret.secret.secretArn,
+                hostname: props.hostname,
+                caValidityYears: String(props.caValidityYears ?? DEFAULT_CA_VALIDITY_YEARS),
+                leafValidityYears: String(props.leafValidityYears ?? DEFAULT_LEAF_VALIDITY_YEARS)
+            }
+        });
+        this.caCertSha256 = cr.resource.getAttString("CaCertSha256");
+    }
+}

package/dist/lib/utils/manifestWriter.js

@@ -17,7 +17,7 @@ import { writeFileSync, readFileSync, existsSync, readdirSync, renameSync, unlin
 import { join, basename } from "path";
 import { createHash } from "crypto";
 import { buildConstructMap, constructMapToRecord, ACCOUNT_CONSTRUCT_GROUPS } from "@fjall/util/constructMap";
-import { maskSensitiveOutput } from "@fjall/util";
+import { getErrorMessage, maskSensitiveOutput } from "@fjall/util";
 import { FJALL_MANIFEST_FILENAME, MANIFEST_SCHEMA_VERSION, FjallManifestSchema } from "@fjall/util/manifest/schemas";
 import { FjallLogger } from "./validationLogger.js";
 /**
@@ -117,7 +117,7 @@ function computeTemplateHash(templatePath) {
         return createHash("sha256").update(normalised).digest("hex");
     }
     catch (error) {
-        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        const maskedMessage = maskSensitiveOutput(getErrorMessage(error));
         FjallLogger.warn(`Failed to compute hash for ${templatePath}: ${maskedMessage}`);
         return null;
     }
@@ -144,7 +144,7 @@ function computeStackHashes(cdkOutPath) {
         }
     }
     catch (error) {
-        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        const maskedMessage = maskSensitiveOutput(getErrorMessage(error));
         FjallLogger.warn(`Failed to read cdk.out for hash computation: ${maskedMessage}`);
     }
     return stacks;
@@ -194,16 +194,10 @@ export function writeManifest(assembly, collector) {
                 unlinkSync(tmpPath);
             }
             catch (cleanupError) {
-                const cleanupMessage = cleanupError instanceof Error
-                    ? cleanupError.message
-                    : String(cleanupError);
-                FjallLogger.warn(`Failed to clean up tmp manifest at ${tmpPath}: ${maskSensitiveOutput(cleanupMessage)}`);
+                FjallLogger.warn(`Failed to clean up tmp manifest at ${tmpPath}: ${maskSensitiveOutput(getErrorMessage(cleanupError))}`);
             }
         }
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        throw new Error(`Failed to write Fjall manifest: ${errorMessage}`, {
-            cause: error
-        });
+        throw new Error(`Failed to write Fjall manifest: ${getErrorMessage(error)}`, { cause: error });
     }
 }
 /**
@@ -224,8 +218,7 @@ export function readExistingManifest(cdkOutPath) {
         return result.data;
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to parse existing manifest: ${maskSensitiveOutput(message)}`);
+        FjallLogger.warn(`Failed to parse existing manifest: ${maskSensitiveOutput(getErrorMessage(error))}`);
         return null;
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "0.102.0",
+  "version": "2.1.1",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -33,7 +33,8 @@
   "scripts": {
     "clean": "rm -rf ./dist",
     "clean:node": "rm -rf ./node_modules",
-    "build": "tsc && cp -r lib/layers dist/lib/layers && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
+    "build:cert-gen-lambda": "node lib/lambda-assets/cert-generator/src/build.mjs",
+    "build": "npm run build:cert-gen-lambda && tsc && cp -r lib/layers dist/lib/layers && mkdir -p dist/lib/lambda-assets/cert-generator/asset && cp lib/lambda-assets/cert-generator/asset/index.js dist/lib/lambda-assets/cert-generator/asset/index.js && cp lib/lambda-assets/cert-generator/asset/package.json dist/lib/lambda-assets/cert-generator/asset/package.json && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
     "watch": "tsc -w",
     "watch:only": "tsc -w",
     "test": "vitest run",
@@ -49,6 +50,7 @@
   },
   "devDependencies": {
     "@aws-sdk/client-elastic-load-balancing-v2": "^3.1045.0",
+    "@peculiar/x509": "1.14.0",
     "@types/aws-lambda": "^8.10.161",
     "@types/node": "^25.6.0",
     "@types/uuid": "^11.0.0",
@@ -57,12 +59,12 @@
     "eslint": "^10.2.1",
     "prettier": "^3.8.3",
     "typescript": "^6.0.3",
-    "vitest": "^4.1.5"
+    "vitest": "^4.1.7"
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^0.102.0",
-    "@fjall/util": "^0.102.0",
+    "@fjall/generator": "^2.1.1",
+    "@fjall/util": "^2.1.1",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -77,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "04a4f13181c261cc063786eae527fa82c90a610e"
+  "gitHead": "971d9ed50c6a21d24e67c9c83b9c471a632bf284"
 }

package/dist/lib/config/aws/__t17fixture.js

@@ -1,3 +0,0 @@
-import { Rule } from "aws-cdk-lib/aws-events";
-import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
-console.log(Rule, LambdaFunction);

package/dist/lib/config/aws/__t17fixtureType.d.ts

@@ -1,2 +0,0 @@
-import { type IRule } from "aws-cdk-lib/aws-events";
-export type T = IRule;

package/dist/lib/config/aws/__t17fixtureType.js

@@ -1 +0,0 @@
-export {};

package/dist/lib/config/aws/eventBus.d.ts

@@ -1,7 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import { Construct } from "constructs";
-export declare class DefaultEventBus extends Construct {
-    readonly defaultEventBusName: CfnOutput;
-    readonly defaultEventBusArn: CfnOutput;
-    constructor(scope: Construct, id: string);
-}

package/dist/lib/config/aws/eventBus.js

@@ -1,21 +0,0 @@
-import { CfnOutput } from "aws-cdk-lib";
-import * as Events from "aws-cdk-lib/aws-events";
-import { Construct } from "constructs";
-export class DefaultEventBus extends Construct {
-    defaultEventBusName;
-    defaultEventBusArn;
-    constructor(scope, id) {
-        super(scope, id);
-        const eventBridge = Events.EventBus.fromEventBusName(this, "defaultEventBus", "default");
-        this.defaultEventBusName = new CfnOutput(this, "defaultEventBusName", {
-            key: `defaultEventBusName`,
-            value: eventBridge.eventBusName,
-            exportName: "defaultEventBusName"
-        });
-        this.defaultEventBusArn = new CfnOutput(this, "defaultEventBusArn", {
-            key: `defaultEventBusArn`,
-            value: eventBridge.eventBusArn,
-            exportName: "defaultEventBusArn"
-        });
-    }
-}

package/dist/lib/config/aws/identityCenterGroupMembership.d.ts

@@ -1,10 +0,0 @@
-import { NestedStack, type StackProps } from "aws-cdk-lib";
-import { type Construct } from "constructs";
-interface IdentityCenterGroupMembershipProps extends StackProps {
-    groupName: string;
-    groupMembers: string[];
-}
-export declare class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope: Construct, id: string, props: IdentityCenterGroupMembershipProps);
-}
-export {};

package/dist/lib/config/aws/identityCenterGroupMembership.js

@@ -1,102 +0,0 @@
-import { Fn, NestedStack } from "aws-cdk-lib";
-import * as customResources from "aws-cdk-lib/custom-resources";
-import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResource.js";
-const IDENTITY_STORE_SERVICE = "identityStore";
-const IDENTITY_CENTER_USERS_RESOURCE_TYPE = "Custom::IdentityCenterUsers";
-// TODO: This requires a deletion and recreation to update
-export class IdentityCenterGroupMembership extends NestedStack {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const identityStoreId = Fn.importValue("identityStoreId");
-        const groupId = Fn.importValue(`${props.groupName}GroupId`);
-        for (const member of props.groupMembers) {
-            const memberSuffix = (member.split("@")[0] ?? member)
-                .split(/[^a-zA-Z0-9]/)
-                .filter((part) => part.length > 0)
-                .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-                .join("") +
-                props.groupName.charAt(0).toUpperCase() +
-                props.groupName.slice(1);
-            const listUsersCall = {
-                service: IDENTITY_STORE_SERVICE,
-                action: "listUsers",
-                parameters: {
-                    IdentityStoreId: identityStoreId,
-                    Filters: [
-                        {
-                            AttributePath: "UserName",
-                            AttributeValue: member
-                        }
-                    ]
-                },
-                physicalResourceId: customResources.PhysicalResourceId.of(`listUsers${memberSuffix}`)
-            };
-            const listUser = new AwsCustomResource(this, `ListUsersResource${memberSuffix}`, {
-                onCreate: listUsersCall,
-                onUpdate: listUsersCall
-            });
-            const userId = listUser.getResponseField("Users.0.UserId");
-            const groupMembershipId = new AwsCustomResource(this, `CreateGroupMembershipResource${memberSuffix}`, {
-                onCreate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`createGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const refreshMembership = new AwsCustomResource(this, `RefreshMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`refreshGroupMembership${memberSuffix}`)
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            const recreateMembership = new AwsCustomResource(this, `RecreateGroupMembershipResource${memberSuffix}`, {
-                onUpdate: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "createGroupMembership",
-                    parameters: {
-                        GroupId: groupId,
-                        IdentityStoreId: identityStoreId,
-                        MemberId: {
-                            UserId: userId
-                        }
-                    },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`recreateGroupMembership${memberSuffix}`),
-                    // createGroupMembership throws ConflictException when the
-                    // membership already exists — keeps onUpdate idempotent.
-                    ignoreErrorCodesMatching: "ConflictException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            refreshMembership.node.addDependency(recreateMembership);
-            const deleteMembership = new AwsCustomResource(this, `DeleteGroupMembershipResource${memberSuffix}`, {
-                onDelete: {
-                    service: IDENTITY_STORE_SERVICE,
-                    action: "deleteGroupMembership",
-                    parameters: {
-                        IdentityStoreId: identityStoreId,
-                        MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    },
-                    // deleteGroupMembership throws ResourceNotFoundException when
-                    // the membership is already gone — keeps onDelete idempotent.
-                    ignoreErrorCodesMatching: "ResourceNotFoundException"
-                },
-                resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
-            });
-            deleteMembership.node.addDependency(groupMembershipId);
-        }
-    }
-}

package/dist/lib/config/aws/securityBaseline.d.ts

@@ -1,15 +0,0 @@
-import { Construct } from "constructs";
-export interface SecurityBaselineProps {
-    /** Controls which services are instantiated. "off" creates nothing. */
-    level: "off" | "baseline" | "compliance";
-}
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export declare class SecurityBaseline extends Construct {
-    constructor(scope: Construct, id: string, props: SecurityBaselineProps);
-}

package/dist/lib/config/aws/securityBaseline.js

@@ -1,27 +0,0 @@
-import { Construct } from "constructs";
-import { GuardDutyDetector } from "./guardDutyDetector.js";
-import { SecurityHubHub } from "./securityHubHub.js";
-import { ConfigRecorder } from "./configRecorder.js";
-import { AccountAccessAnalyser } from "./accessAnalyser.js";
-import { InspectorEnablement } from "./inspectorEnablement.js";
-/**
- * Convenience orchestrator for per-account security services.
- * Instantiates child constructs based on the selected level.
- *
- * Does NOT include ConfigRulePreset -- Config Rules are applied independently
- * at the Account stack level with environment-aware presets.
- */
-export class SecurityBaseline extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        if (props.level === "off")
-            return;
-        new GuardDutyDetector(this, "GuardDuty");
-        new SecurityHubHub(this, "SecurityHub");
-        new ConfigRecorder(this, "Config");
-        new AccountAccessAnalyser(this, "AccessAnalyser");
-        if (props.level === "compliance") {
-            new InspectorEnablement(this, "Inspector");
-        }
-    }
-}

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.js

@@ -1,4 +0,0 @@
-import { Port } from "aws-cdk-lib/aws-ec2";
-import { PrivateDnsNamespace } from "aws-cdk-lib/aws-servicediscovery";
-const _x = Port.tcp(9000);
-const _y = PrivateDnsNamespace;

package/dist/lib/patterns/aws/managedIdentityCenter.d.ts

@@ -1,4 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-export declare class ManagedIdentityCenter extends Stack {
-    constructor(id: string);
-}