@fjall/components-infrastructure 0.81.2 → 0.83.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/lib/app.d.ts +5 -0
- package/dist/lib/app.js +31 -1
- package/dist/lib/config/aws/ecrDefaultImage.js +23 -21
- package/dist/lib/patterns/aws/cicdRole.d.ts +67 -0
- package/dist/lib/patterns/aws/cicdRole.js +68 -0
- package/dist/lib/patterns/aws/compute.d.ts +29 -21
- package/dist/lib/patterns/aws/compute.js +10 -3
- package/dist/lib/patterns/aws/database.d.ts +1 -0
- package/dist/lib/patterns/aws/database.js +33 -3
- package/dist/lib/patterns/aws/storage.d.ts +1 -0
- package/dist/lib/patterns/aws/storage.js +23 -1
- package/dist/lib/resources/aws/cicd/cicdRole.d.ts +65 -0
- package/dist/lib/resources/aws/cicd/cicdRole.js +191 -0
- package/dist/lib/resources/aws/compute/ecs.d.ts +50 -2
- package/dist/lib/resources/aws/compute/ecs.js +134 -18
- package/dist/lib/resources/aws/monitoring/monitoringRole.js +61 -4
- package/package.json +3 -3
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.S3Storage = exports.StorageFactory = void 0;
|
|
4
4
|
const constructs_1 = require("constructs");
|
|
5
|
+
const aws_cdk_lib_1 = require("aws-cdk-lib");
|
|
5
6
|
const storage_1 = require("../../resources/aws/storage");
|
|
6
7
|
class StorageFactory {
|
|
7
8
|
static build(id, props) {
|
|
@@ -45,6 +46,7 @@ class S3Storage extends constructs_1.Construct {
|
|
|
45
46
|
encryptionKey: props.kmsKeyArn ? undefined : undefined, // KMS key handling
|
|
46
47
|
publicReadAccess: props.publicReadAccess
|
|
47
48
|
});
|
|
49
|
+
this.addOutputs();
|
|
48
50
|
}
|
|
49
51
|
addWebsiteBucket(props) {
|
|
50
52
|
this.bucket = new storage_1.S3WebsiteBucket(this, `${this.id}Bucket`, {
|
|
@@ -55,6 +57,7 @@ class S3Storage extends constructs_1.Construct {
|
|
|
55
57
|
websiteErrorDocument: props.websiteErrorDocument,
|
|
56
58
|
cors: props.cors
|
|
57
59
|
});
|
|
60
|
+
this.addOutputs();
|
|
58
61
|
}
|
|
59
62
|
addPublicReadBucket(props) {
|
|
60
63
|
this.bucket = new storage_1.S3PublicReadBucket(this, `${this.id}Bucket`, {
|
|
@@ -62,6 +65,25 @@ class S3Storage extends constructs_1.Construct {
|
|
|
62
65
|
versioned: props.versioned,
|
|
63
66
|
encryption: props.encryption
|
|
64
67
|
});
|
|
68
|
+
this.addOutputs();
|
|
69
|
+
}
|
|
70
|
+
addOutputs() {
|
|
71
|
+
const stackName = aws_cdk_lib_1.Stack.of(this).stackName;
|
|
72
|
+
// Export bucket ARN for monitoring
|
|
73
|
+
// Use stack name prefix to ensure uniqueness across apps in same region
|
|
74
|
+
new aws_cdk_lib_1.CfnOutput(this, `${this.id}BucketArn`, {
|
|
75
|
+
key: `${stackName}${this.id}BucketArn`,
|
|
76
|
+
exportName: `${stackName}${this.id}BucketArn`,
|
|
77
|
+
value: this.bucket.bucketArn,
|
|
78
|
+
description: `S3 Bucket ARN for ${this.id}`
|
|
79
|
+
});
|
|
80
|
+
// Export bucket name for convenience
|
|
81
|
+
new aws_cdk_lib_1.CfnOutput(this, `${this.id}BucketName`, {
|
|
82
|
+
key: `${stackName}${this.id}BucketName`,
|
|
83
|
+
exportName: `${stackName}${this.id}BucketName`,
|
|
84
|
+
value: this.bucket.bucketName,
|
|
85
|
+
description: `S3 Bucket Name for ${this.id}`
|
|
86
|
+
});
|
|
65
87
|
}
|
|
66
88
|
getBucket() {
|
|
67
89
|
return this.bucket;
|
|
@@ -77,4 +99,4 @@ class S3Storage extends constructs_1.Construct {
|
|
|
77
99
|
}
|
|
78
100
|
}
|
|
79
101
|
exports.S3Storage = S3Storage;
|
|
80
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
102
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3RvcmFnZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL2xpYi9wYXR0ZXJucy9hd3Mvc3RvcmFnZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyQ0FBdUM7QUFFdkMsNkNBQStDO0FBRy9DLHlEQUtxQztBQWdDckMsTUFBYSxjQUFjO0lBQ3pCLE1BQU0sQ0FBQyxLQUFLLENBQXFCLEVBQVUsRUFBRSxLQUFRO1FBQ25ELE9BQU8sQ0FBQyxHQUFRLEVBQUUsS0FBZ0IsRUFBRSxFQUFFO1lBQ3BDLE9BQU8sSUFBSSxTQUFTLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRSxLQUFLLENBQUMsQ0FBQztRQUN6QyxDQUFDLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFORCx3Q0FNQztBQUVELE1BQWEsU0FBVSxTQUFRLHNCQUFTO0lBT3RDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBZTtRQUN2RCxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQ2pCLElBQUksQ0FBQyxFQUFFLEdBQUcsRUFBRSxDQUFDO1FBQ2IsSUFBSSxDQUFDLEtBQUssR0FBRyxLQUFLLENBQUM7UUFDbkIsSUFBSSxDQUFDLFVBQVUsR0FBRyxLQUFLLENBQUMsVUFBVSxDQUFDO1FBRW5DLElBQUksQ0FBQyxXQUFXLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDMUIsQ0FBQztJQUVELFdBQVcsQ0FBQyxLQUFlO1FBQ3pCLFFBQVEsS0FBSyxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ3pCLEtBQUssU0FBUztnQkFDWixJQUFJLENBQUMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQzdCLE1BQU07WUFDUixLQUFLLFNBQVM7Z0JBQ1osSUFBSSxDQUFDLGdCQUFnQixDQUFDLEtBQUssQ0FBQyxDQUFDO2dCQUM3QixNQUFNO1lBQ1IsS0FBSyxZQUFZO2dCQUNmLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDaEMsTUFBTTtZQUNSLE9BQU8sQ0FBQyxDQUFDLENBQUM7Z0JBQ1IsdUJBQXVCO2dCQUN2QixNQUFNLFdBQVcsR0FBVSxLQUFLLENBQUM7Z0JBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQ2IsOEJBQStCLEtBQWEsQ0FBQyxVQUFVLEVBQUUsQ0FDMUQsQ0FBQztZQUNKLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVPLGdCQUFnQixDQUFDLEtBQXFCO1FBQzVDLElBQUksQ0FBQyxNQUFNLEdBQUcsSUFBSSxrQkFBUSxDQUFDLElBQUksRUFBRSxHQUFHLElBQUksQ0FBQyxFQUFFLFFBQVEsRUFBRTtZQUNuRCxlQUFlLEVBQUUsS0FBSyxDQUFDLGVBQWU7WUFDdEMsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTO1lBQzFCLFVBQVUsRUFBRSxLQUFLLENBQUMsVUFBaUI7WUFDbkMsYUFBYSxFQUFFLEtBQUssQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsU0FBUyxFQUFFLG1CQUFtQjtZQUMzRSxnQkFBZ0IsRUFBRSxLQUFLLENBQUMsZ0JBQWdCO1NBQ3pDLENBQUMsQ0FBQztRQUNILElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztJQUNwQixDQUFDO0lBRU8sZ0JBQWdCLENBQUMsS0FBcUI7UUFDNUMsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLHlCQUFlLENBQUMsSUFBSSxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsUUFBUSxFQUFFO1lBQzFELGVBQWUsRUFBRSxLQUFLLENBQUMsZUFBZTtZQUN0QyxTQUFTLEVBQUUsS0FBSyxDQUFDLFNBQVM7WUFDMUIsVUFBVSxFQUFFLEtBQUssQ0FBQyxVQUFpQjtZQUNuQyxvQkFBb0IsRUFBRSxLQUFLLENBQUMsb0JBQW9CO1lBQ2hELG9CQUFvQixFQUFFLEtBQUssQ0FBQyxvQkFBb0I7WUFDaEQsSUFBSSxFQUFFLEtBQUssQ0FBQyxJQUFXO1NBQ3hCLENBQUMsQ0FBQztRQUNILElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztJQUNwQixDQUFDO0lBRU8sbUJBQW1CLENBQUMsS0FBd0I7UUFDbEQsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLDRCQUFrQixDQUFDLElBQUksRUFBRSxHQUFHLElBQUksQ0FBQyxFQUFFLFFBQVEsRUFBRTtZQUM3RCxlQUFlLEVBQUUsS0FBSyxDQUFDLGVBQWU7WUFDdEMsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTO1lBQzFCLFVBQVUsRUFBRSxLQUFLLENBQUMsVUFBaUI7U0FDcEMsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO0lBQ3BCLENBQUM7SUFFTyxVQUFVO1FBQ2hCLE1BQU0sU0FBUyxHQUFHLG1CQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLFNBQVMsQ0FBQztRQUUzQyxtQ0FBbUM7UUFDbkMsd0VBQXdFO1FBQ3hFLElBQUksdUJBQVMsQ0FBQyxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUU7WUFDekMsR0FBRyxFQUFFLEdBQUcsU0FBUyxHQUFHLElBQUksQ0FBQyxFQUFFLFdBQVc7WUFDdEMsVUFBVSxFQUFFLEdBQUcsU0FBUyxHQUFHLElBQUksQ0FBQyxFQUFFLFdBQVc7WUFDN0MsS0FBSyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUztZQUM1QixXQUFXLEVBQUUscUJBQXFCLElBQUksQ0FBQyxFQUFFLEVBQUU7U0FDNUMsQ0FBQyxDQUFDO1FBRUgscUNBQXFDO1FBQ3JDLElBQUksdUJBQVMsQ0FBQyxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsRUFBRSxZQUFZLEVBQUU7WUFDMUMsR0FBRyxFQUFFLEdBQUcsU0FBUyxHQUFHLElBQUksQ0FBQyxFQUFFLFlBQVk7WUFDdkMsVUFBVSxFQUFFLEdBQUcsU0FBUyxHQUFHLElBQUksQ0FBQyxFQUFFLFlBQVk7WUFDOUMsS0FBSyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVTtZQUM3QixXQUFXLEVBQUUsc0JBQXNCLElBQUksQ0FBQyxFQUFFLEVBQUU7U0FDN0MsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELFNBQVM7UUFDUCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUM7SUFDckIsQ0FBQztJQUVELGFBQWE7UUFDWCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxDQUFDO0lBQ2hDLENBQUM7SUFFRCxZQUFZO1FBQ1YsT0FBTyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQztJQUMvQixDQUFDO0lBRUQsYUFBYTtRQUNYLE9BQU8sSUFBSSxDQUFDLFVBQVUsQ0FBQztJQUN6QixDQUFDO0NBQ0Y7QUF6R0QsOEJBeUdDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIjtcbmltcG9ydCB7IHR5cGUgSUJ1Y2tldCB9IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtczNcIjtcbmltcG9ydCB7IENmbk91dHB1dCwgU3RhY2sgfSBmcm9tIFwiYXdzLWNkay1saWJcIjtcblxuaW1wb3J0IHR5cGUgQXBwIGZyb20gXCIuLi8uLi9hcHBcIjtcbmltcG9ydCB7XG4gIFMzQnVja2V0LFxuICBTM1dlYnNpdGVCdWNrZXQsXG4gIFMzUHVibGljUmVhZEJ1Y2tldCxcbiAgdHlwZSBCYWNrdXBWYXVsdFRpZXJcbn0gZnJvbSBcIi4uLy4uL3Jlc291cmNlcy9hd3Mvc3RvcmFnZVwiO1xuXG50eXBlIFMzQnVja2V0VHlwZSA9IFwicHJpdmF0ZVwiIHwgXCJ3ZWJzaXRlXCIgfCBcInB1YmxpY1JlYWRcIjtcblxudHlwZSBCYXNlUzNQcm9wcyA9IHtcbiAgYmFja3VwVmF1bHRUaWVyPzogQmFja3VwVmF1bHRUaWVyO1xuICB2ZXJzaW9uZWQ/OiBib29sZWFuO1xuICBlbmNyeXB0aW9uPzogXCJBRVMyNTZcIiB8IFwiS01TXCI7XG4gIGttc0tleUFybj86IHN0cmluZztcbn07XG5cbmV4cG9ydCBpbnRlcmZhY2UgUHJpdmF0ZVMzUHJvcHMgZXh0ZW5kcyBCYXNlUzNQcm9wcyB7XG4gIGJ1Y2tldFR5cGU6IFwicHJpdmF0ZVwiO1xuICBwdWJsaWNSZWFkQWNjZXNzPzogYm9vbGVhbjtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBXZWJzaXRlUzNQcm9wcyBleHRlbmRzIEJhc2VTM1Byb3BzIHtcbiAgYnVja2V0VHlwZTogXCJ3ZWJzaXRlXCI7XG4gIHdlYnNpdGVJbmRleERvY3VtZW50Pzogc3RyaW5nO1xuICB3ZWJzaXRlRXJyb3JEb2N1bWVudD86IHN0cmluZztcbiAgY29ycz86IEFycmF5PHtcbiAgICBhbGxvd2VkT3JpZ2luczogc3RyaW5nW107XG4gICAgYWxsb3dlZE1ldGhvZHM6IHN0cmluZ1tdO1xuICB9Pjtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBQdWJsaWNSZWFkUzNQcm9wcyBleHRlbmRzIEJhc2VTM1Byb3BzIHtcbiAgYnVja2V0VHlwZTogXCJwdWJsaWNSZWFkXCI7XG59XG5cbmV4cG9ydCB0eXBlIElTM1Byb3BzID0gUHJpdmF0ZVMzUHJvcHMgfCBXZWJzaXRlUzNQcm9wcyB8IFB1YmxpY1JlYWRTM1Byb3BzO1xuXG5leHBvcnQgY2xhc3MgU3RvcmFnZUZhY3Rvcnkge1xuICBzdGF0aWMgYnVpbGQ8VCBleHRlbmRzIElTM1Byb3BzPihpZDogc3RyaW5nLCBwcm9wczogVCkge1xuICAgIHJldHVybiAoYXBwOiBBcHAsIHNjb3BlOiBDb25zdHJ1Y3QpID0+IHtcbiAgICAgIHJldHVybiBuZXcgUzNTdG9yYWdlKHNjb3BlLCBpZCwgcHJvcHMpO1xuICAgIH07XG4gIH1cbn1cblxuZXhwb3J0IGNsYXNzIFMzU3RvcmFnZSBleHRlbmRzIENvbnN0cnVjdCB7XG4gIHB1YmxpYyBpZDogc3RyaW5nO1xuICBwdWJsaWMgc2NvcGU6IENvbnN0cnVjdDtcblxuICBwcml2YXRlIGJ1Y2tldDogUzNCdWNrZXQgfCBTM1dlYnNpdGVCdWNrZXQgfCBTM1B1YmxpY1JlYWRCdWNrZXQ7XG4gIHByaXZhdGUgYnVja2V0VHlwZTogUzNCdWNrZXRUeXBlO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBJUzNQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG4gICAgdGhpcy5pZCA9IGlkO1xuICAgIHRoaXMuc2NvcGUgPSBzY29wZTtcbiAgICB0aGlzLmJ1Y2tldFR5cGUgPSBwcm9wcy5idWNrZXRUeXBlO1xuXG4gICAgdGhpcy5hZGRTM0J1Y2tldChwcm9wcyk7XG4gIH1cblxuICBhZGRTM0J1Y2tldChwcm9wczogSVMzUHJvcHMpIHtcbiAgICBzd2l0Y2ggKHByb3BzLmJ1Y2tldFR5cGUpIHtcbiAgICAgIGNhc2UgXCJwcml2YXRlXCI6XG4gICAgICAgIHRoaXMuYWRkUHJpdmF0ZUJ1Y2tldChwcm9wcyk7XG4gICAgICAgIGJyZWFrO1xuICAgICAgY2FzZSBcIndlYnNpdGVcIjpcbiAgICAgICAgdGhpcy5hZGRXZWJzaXRlQnVja2V0KHByb3BzKTtcbiAgICAgICAgYnJlYWs7XG4gICAgICBjYXNlIFwicHVibGljUmVhZFwiOlxuICAgICAgICB0aGlzLmFkZFB1YmxpY1JlYWRCdWNrZXQocHJvcHMpO1xuICAgICAgICBicmVhaztcbiAgICAgIGRlZmF1bHQ6IHtcbiAgICAgICAgLy8gRXhoYXVzdGl2ZW5lc3MgY2hlY2tcbiAgICAgICAgY29uc3QgX2V4aGF1c3RpdmU6IG5ldmVyID0gcHJvcHM7XG4gICAgICAgIHRocm93IG5ldyBFcnJvcihcbiAgICAgICAgICBgVW5zdXBwb3J0ZWQgUzMgYnVja2V0IHR5cGUgJHsocHJvcHMgYXMgYW55KS5idWNrZXRUeXBlfWBcbiAgICAgICAgKTtcbiAgICAgIH1cbiAgICB9XG4gIH1cblxuICBwcml2YXRlIGFkZFByaXZhdGVCdWNrZXQocHJvcHM6IFByaXZhdGVTM1Byb3BzKSB7XG4gICAgdGhpcy5idWNrZXQgPSBuZXcgUzNCdWNrZXQodGhpcywgYCR7dGhpcy5pZH1CdWNrZXRgLCB7XG4gICAgICBiYWNrdXBWYXVsdFRpZXI6IHByb3BzLmJhY2t1cFZhdWx0VGllcixcbiAgICAgIHZlcnNpb25lZDogcHJvcHMudmVyc2lvbmVkLFxuICAgICAgZW5jcnlwdGlvbjogcHJvcHMuZW5jcnlwdGlvbiBhcyBhbnksXG4gICAgICBlbmNyeXB0aW9uS2V5OiBwcm9wcy5rbXNLZXlBcm4gPyB1bmRlZmluZWQgOiB1bmRlZmluZWQsIC8vIEtNUyBrZXkgaGFuZGxpbmdcbiAgICAgIHB1YmxpY1JlYWRBY2Nlc3M6IHByb3BzLnB1YmxpY1JlYWRBY2Nlc3NcbiAgICB9KTtcbiAgICB0aGlzLmFkZE91dHB1dHMoKTtcbiAgfVxuXG4gIHByaXZhdGUgYWRkV2Vic2l0ZUJ1Y2tldChwcm9wczogV2Vic2l0ZVMzUHJvcHMpIHtcbiAgICB0aGlzLmJ1Y2tldCA9IG5ldyBTM1dlYnNpdGVCdWNrZXQodGhpcywgYCR7dGhpcy5pZH1CdWNrZXRgLCB7XG4gICAgICBiYWNrdXBWYXVsdFRpZXI6IHByb3BzLmJhY2t1cFZhdWx0VGllcixcbiAgICAgIHZlcnNpb25lZDogcHJvcHMudmVyc2lvbmVkLFxuICAgICAgZW5jcnlwdGlvbjogcHJvcHMuZW5jcnlwdGlvbiBhcyBhbnksXG4gICAgICB3ZWJzaXRlSW5kZXhEb2N1bWVudDogcHJvcHMud2Vic2l0ZUluZGV4RG9jdW1lbnQsXG4gICAgICB3ZWJzaXRlRXJyb3JEb2N1bWVudDogcHJvcHMud2Vic2l0ZUVycm9yRG9jdW1lbnQsXG4gICAgICBjb3JzOiBwcm9wcy5jb3JzIGFzIGFueVxuICAgIH0pO1xuICAgIHRoaXMuYWRkT3V0cHV0cygpO1xuICB9XG5cbiAgcHJpdmF0ZSBhZGRQdWJsaWNSZWFkQnVja2V0KHByb3BzOiBQdWJsaWNSZWFkUzNQcm9wcykge1xuICAgIHRoaXMuYnVja2V0ID0gbmV3IFMzUHVibGljUmVhZEJ1Y2tldCh0aGlzLCBgJHt0aGlzLmlkfUJ1Y2tldGAsIHtcbiAgICAgIGJhY2t1cFZhdWx0VGllcjogcHJvcHMuYmFja3VwVmF1bHRUaWVyLFxuICAgICAgdmVyc2lvbmVkOiBwcm9wcy52ZXJzaW9uZWQsXG4gICAgICBlbmNyeXB0aW9uOiBwcm9wcy5lbmNyeXB0aW9uIGFzIGFueVxuICAgIH0pO1xuICAgIHRoaXMuYWRkT3V0cHV0cygpO1xuICB9XG5cbiAgcHJpdmF0ZSBhZGRPdXRwdXRzKCkge1xuICAgIGNvbnN0IHN0YWNrTmFtZSA9IFN0YWNrLm9mKHRoaXMpLnN0YWNrTmFtZTtcblxuICAgIC8vIEV4cG9ydCBidWNrZXQgQVJOIGZvciBtb25pdG9yaW5nXG4gICAgLy8gVXNlIHN0YWNrIG5hbWUgcHJlZml4IHRvIGVuc3VyZSB1bmlxdWVuZXNzIGFjcm9zcyBhcHBzIGluIHNhbWUgcmVnaW9uXG4gICAgbmV3IENmbk91dHB1dCh0aGlzLCBgJHt0aGlzLmlkfUJ1Y2tldEFybmAsIHtcbiAgICAgIGtleTogYCR7c3RhY2tOYW1lfSR7dGhpcy5pZH1CdWNrZXRBcm5gLFxuICAgICAgZXhwb3J0TmFtZTogYCR7c3RhY2tOYW1lfSR7dGhpcy5pZH1CdWNrZXRBcm5gLFxuICAgICAgdmFsdWU6IHRoaXMuYnVja2V0LmJ1Y2tldEFybixcbiAgICAgIGRlc2NyaXB0aW9uOiBgUzMgQnVja2V0IEFSTiBmb3IgJHt0aGlzLmlkfWBcbiAgICB9KTtcblxuICAgIC8vIEV4cG9ydCBidWNrZXQgbmFtZSBmb3IgY29udmVuaWVuY2VcbiAgICBuZXcgQ2ZuT3V0cHV0KHRoaXMsIGAke3RoaXMuaWR9QnVja2V0TmFtZWAsIHtcbiAgICAgIGtleTogYCR7c3RhY2tOYW1lfSR7dGhpcy5pZH1CdWNrZXROYW1lYCxcbiAgICAgIGV4cG9ydE5hbWU6IGAke3N0YWNrTmFtZX0ke3RoaXMuaWR9QnVja2V0TmFtZWAsXG4gICAgICB2YWx1ZTogdGhpcy5idWNrZXQuYnVja2V0TmFtZSxcbiAgICAgIGRlc2NyaXB0aW9uOiBgUzMgQnVja2V0IE5hbWUgZm9yICR7dGhpcy5pZH1gXG4gICAgfSk7XG4gIH1cblxuICBnZXRCdWNrZXQoKTogSUJ1Y2tldCB7XG4gICAgcmV0dXJuIHRoaXMuYnVja2V0O1xuICB9XG5cbiAgZ2V0QnVja2V0TmFtZSgpOiBzdHJpbmcge1xuICAgIHJldHVybiB0aGlzLmJ1Y2tldC5idWNrZXROYW1lO1xuICB9XG5cbiAgZ2V0QnVja2V0QXJuKCk6IHN0cmluZyB7XG4gICAgcmV0dXJuIHRoaXMuYnVja2V0LmJ1Y2tldEFybjtcbiAgfVxuXG4gIGdldEJ1Y2tldFR5cGUoKTogUzNCdWNrZXRUeXBlIHtcbiAgICByZXR1cm4gdGhpcy5idWNrZXRUeXBlO1xuICB9XG59XG4iXX0=
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
import { Role, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
2
|
+
import { type Construct } from "constructs";
|
|
3
|
+
/**
|
|
4
|
+
* Supported CI/CD providers
|
|
5
|
+
*/
|
|
6
|
+
export type CICDProvider = "github-actions" | "buildkite" | "gitlab-ci";
|
|
7
|
+
/**
|
|
8
|
+
* Configuration for creating a CI/CD deploy role
|
|
9
|
+
*/
|
|
10
|
+
export interface CICDRoleConfig {
|
|
11
|
+
/**
|
|
12
|
+
* The CI/CD provider (github-actions, buildkite, gitlab-ci)
|
|
13
|
+
*/
|
|
14
|
+
provider: CICDProvider;
|
|
15
|
+
/**
|
|
16
|
+
* The application name to scope the role's permissions to
|
|
17
|
+
*/
|
|
18
|
+
appName: string;
|
|
19
|
+
/**
|
|
20
|
+
* For GitHub Actions: repository (org/repo)
|
|
21
|
+
* For Buildkite: organization slug
|
|
22
|
+
* For GitLab CI: project path (group/project)
|
|
23
|
+
*/
|
|
24
|
+
repositoryOrOrg: string;
|
|
25
|
+
/**
|
|
26
|
+
* Optional role name. Defaults to "FjallDeploy-{provider}-{appName}"
|
|
27
|
+
*/
|
|
28
|
+
roleName?: string;
|
|
29
|
+
/**
|
|
30
|
+
* Optional IAM path for the role. Defaults to "/"
|
|
31
|
+
*/
|
|
32
|
+
rolePath?: string;
|
|
33
|
+
/**
|
|
34
|
+
* Optional custom permissions. If not provided, default deployment permissions will be used.
|
|
35
|
+
*/
|
|
36
|
+
customPermissions?: PolicyStatement[];
|
|
37
|
+
/**
|
|
38
|
+
* Whether to use existing OIDC provider or create a new one
|
|
39
|
+
* If true, will look for existing provider by URL
|
|
40
|
+
*/
|
|
41
|
+
useExistingProvider?: boolean;
|
|
42
|
+
/**
|
|
43
|
+
* Optional ARN of existing OIDC provider (skips creation)
|
|
44
|
+
*/
|
|
45
|
+
existingProviderArn?: string;
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Factory to build a CI/CD deploy IAM role with OIDC authentication.
|
|
49
|
+
* Creates both the OIDC provider (if needed) and the deploy role with appropriate permissions.
|
|
50
|
+
*/
|
|
51
|
+
export declare class CICDRoleFactory {
|
|
52
|
+
/**
|
|
53
|
+
* Build a CI/CD deploy role with OIDC authentication
|
|
54
|
+
*/
|
|
55
|
+
static build(id: string, config: CICDRoleConfig): (app: Construct, scope: Construct) => Role;
|
|
56
|
+
/**
|
|
57
|
+
* Build trust policy conditions based on CI/CD provider
|
|
58
|
+
*/
|
|
59
|
+
private static buildTrustConditions;
|
|
60
|
+
/**
|
|
61
|
+
* Add default deployment permissions to the role
|
|
62
|
+
*/
|
|
63
|
+
private static addDefaultDeployPermissions;
|
|
64
|
+
}
|
|
65
|
+
export default CICDRoleFactory;
|
|
@@ -0,0 +1,191 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.CICDRoleFactory = void 0;
|
|
4
|
+
const aws_cdk_lib_1 = require("aws-cdk-lib");
|
|
5
|
+
const aws_iam_1 = require("aws-cdk-lib/aws-iam");
|
|
6
|
+
/**
|
|
7
|
+
* OIDC provider configurations for different CI/CD systems
|
|
8
|
+
*/
|
|
9
|
+
const OIDC_CONFIGS = {
|
|
10
|
+
"github-actions": {
|
|
11
|
+
url: "https://token.actions.githubusercontent.com",
|
|
12
|
+
clientIds: ["sts.amazonaws.com"],
|
|
13
|
+
thumbprints: [
|
|
14
|
+
"6938fd4d98bab03faadb97b34396831e3780aea1",
|
|
15
|
+
"1c58a3a8518e8759bf075b76b750d4f2df264fcd"
|
|
16
|
+
]
|
|
17
|
+
},
|
|
18
|
+
buildkite: {
|
|
19
|
+
url: "https://agent.buildkite.com",
|
|
20
|
+
clientIds: ["sts.amazonaws.com"],
|
|
21
|
+
thumbprints: ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
|
|
22
|
+
},
|
|
23
|
+
"gitlab-ci": {
|
|
24
|
+
url: "https://gitlab.com",
|
|
25
|
+
clientIds: ["https://gitlab.com"],
|
|
26
|
+
thumbprints: ["b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a"]
|
|
27
|
+
}
|
|
28
|
+
};
|
|
29
|
+
/**
|
|
30
|
+
* Factory to build a CI/CD deploy IAM role with OIDC authentication.
|
|
31
|
+
* Creates both the OIDC provider (if needed) and the deploy role with appropriate permissions.
|
|
32
|
+
*/
|
|
33
|
+
class CICDRoleFactory {
|
|
34
|
+
/**
|
|
35
|
+
* Build a CI/CD deploy role with OIDC authentication
|
|
36
|
+
*/
|
|
37
|
+
static build(id, config) {
|
|
38
|
+
return (_app, scope) => {
|
|
39
|
+
const providerConfig = OIDC_CONFIGS[config.provider];
|
|
40
|
+
const roleName = config.roleName || `FjallDeploy-${config.provider}-${config.appName}`;
|
|
41
|
+
// Create or reference OIDC provider
|
|
42
|
+
let oidcProvider;
|
|
43
|
+
if (config.existingProviderArn) {
|
|
44
|
+
// Use existing provider by ARN
|
|
45
|
+
oidcProvider = aws_iam_1.OpenIdConnectProvider.fromOpenIdConnectProviderArn(scope, `${id}OidcProvider`, config.existingProviderArn);
|
|
46
|
+
}
|
|
47
|
+
else {
|
|
48
|
+
// Create new OIDC provider
|
|
49
|
+
oidcProvider = new aws_iam_1.OpenIdConnectProvider(scope, `${id}OidcProvider`, {
|
|
50
|
+
url: providerConfig.url,
|
|
51
|
+
clientIds: providerConfig.clientIds,
|
|
52
|
+
thumbprints: providerConfig.thumbprints
|
|
53
|
+
});
|
|
54
|
+
}
|
|
55
|
+
// Build trust policy conditions based on provider
|
|
56
|
+
const conditions = this.buildTrustConditions(config.provider, config.repositoryOrOrg, oidcProvider.openIdConnectProviderIssuer);
|
|
57
|
+
// Create the role with OIDC web identity principal
|
|
58
|
+
const role = new aws_iam_1.Role(scope, id, {
|
|
59
|
+
roleName: roleName,
|
|
60
|
+
path: config.rolePath || "/",
|
|
61
|
+
assumedBy: new aws_iam_1.WebIdentityPrincipal(oidcProvider.openIdConnectProviderArn, conditions),
|
|
62
|
+
description: `CI/CD deploy role for ${config.provider} - ${config.appName}`
|
|
63
|
+
});
|
|
64
|
+
// Add permissions
|
|
65
|
+
if (config.customPermissions) {
|
|
66
|
+
config.customPermissions.forEach((statement) => {
|
|
67
|
+
role.addToPolicy(statement);
|
|
68
|
+
});
|
|
69
|
+
}
|
|
70
|
+
else {
|
|
71
|
+
this.addDefaultDeployPermissions(role);
|
|
72
|
+
}
|
|
73
|
+
// Export the role ARN
|
|
74
|
+
new aws_cdk_lib_1.CfnOutput(scope, `${id}Arn`, {
|
|
75
|
+
value: role.roleArn,
|
|
76
|
+
description: `ARN of the CI/CD deploy role for ${config.appName}`,
|
|
77
|
+
exportName: `${config.appName}-CICDRoleArn`
|
|
78
|
+
});
|
|
79
|
+
// Export the OIDC provider ARN
|
|
80
|
+
new aws_cdk_lib_1.CfnOutput(scope, `${id}ProviderArn`, {
|
|
81
|
+
value: oidcProvider.openIdConnectProviderArn,
|
|
82
|
+
description: `ARN of the OIDC provider for ${config.provider}`,
|
|
83
|
+
exportName: `${config.appName}-CICDProviderArn`
|
|
84
|
+
});
|
|
85
|
+
return role;
|
|
86
|
+
};
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Build trust policy conditions based on CI/CD provider
|
|
90
|
+
*/
|
|
91
|
+
static buildTrustConditions(provider, repositoryOrOrg, issuer) {
|
|
92
|
+
const conditions = {
|
|
93
|
+
StringEquals: {
|
|
94
|
+
[`${issuer}:aud`]: OIDC_CONFIGS[provider].clientIds[0]
|
|
95
|
+
}
|
|
96
|
+
};
|
|
97
|
+
// Add provider-specific subject claim conditions
|
|
98
|
+
switch (provider) {
|
|
99
|
+
case "github-actions":
|
|
100
|
+
conditions.StringLike = {
|
|
101
|
+
[`${issuer}:sub`]: `repo:${repositoryOrOrg}:*`
|
|
102
|
+
};
|
|
103
|
+
break;
|
|
104
|
+
case "buildkite":
|
|
105
|
+
conditions.StringLike = {
|
|
106
|
+
[`${issuer}:sub`]: `organization:${repositoryOrOrg}:*`
|
|
107
|
+
};
|
|
108
|
+
break;
|
|
109
|
+
case "gitlab-ci":
|
|
110
|
+
conditions.StringLike = {
|
|
111
|
+
[`${issuer}:sub`]: `project_path:${repositoryOrOrg}:*`
|
|
112
|
+
};
|
|
113
|
+
break;
|
|
114
|
+
}
|
|
115
|
+
return conditions;
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Add default deployment permissions to the role
|
|
119
|
+
*/
|
|
120
|
+
static addDefaultDeployPermissions(role) {
|
|
121
|
+
// CloudFormation permissions for CDK deployments
|
|
122
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
123
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
124
|
+
actions: ["cloudformation:*"],
|
|
125
|
+
resources: ["*"]
|
|
126
|
+
}));
|
|
127
|
+
// S3 permissions for CDK assets
|
|
128
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
129
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
130
|
+
actions: ["s3:*"],
|
|
131
|
+
resources: ["*"]
|
|
132
|
+
}));
|
|
133
|
+
// ECR permissions for container images
|
|
134
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
135
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
136
|
+
actions: ["ecr:*"],
|
|
137
|
+
resources: ["*"]
|
|
138
|
+
}));
|
|
139
|
+
// ECS permissions for service deployments
|
|
140
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
141
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
142
|
+
actions: ["ecs:*"],
|
|
143
|
+
resources: ["*"]
|
|
144
|
+
}));
|
|
145
|
+
// CloudWatch Logs permissions
|
|
146
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
147
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
148
|
+
actions: ["logs:*"],
|
|
149
|
+
resources: ["*"]
|
|
150
|
+
}));
|
|
151
|
+
// IAM permissions for role management
|
|
152
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
153
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
154
|
+
actions: [
|
|
155
|
+
"iam:PassRole",
|
|
156
|
+
"iam:GetRole",
|
|
157
|
+
"iam:CreateRole",
|
|
158
|
+
"iam:DeleteRole",
|
|
159
|
+
"iam:AttachRolePolicy",
|
|
160
|
+
"iam:DetachRolePolicy",
|
|
161
|
+
"iam:PutRolePolicy",
|
|
162
|
+
"iam:DeleteRolePolicy"
|
|
163
|
+
],
|
|
164
|
+
resources: ["*"]
|
|
165
|
+
}));
|
|
166
|
+
// SSM and Secrets Manager for runtime configuration
|
|
167
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
168
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
169
|
+
actions: [
|
|
170
|
+
"ssm:GetParameter",
|
|
171
|
+
"ssm:GetParameters",
|
|
172
|
+
"secretsmanager:GetSecretValue"
|
|
173
|
+
],
|
|
174
|
+
resources: ["*"]
|
|
175
|
+
}));
|
|
176
|
+
// EC2 permissions for VPC/networking queries
|
|
177
|
+
role.addToPolicy(new aws_iam_1.PolicyStatement({
|
|
178
|
+
effect: aws_iam_1.Effect.ALLOW,
|
|
179
|
+
actions: [
|
|
180
|
+
"ec2:DescribeAvailabilityZones",
|
|
181
|
+
"ec2:DescribeVpcs",
|
|
182
|
+
"ec2:DescribeSubnets",
|
|
183
|
+
"ec2:DescribeSecurityGroups"
|
|
184
|
+
],
|
|
185
|
+
resources: ["*"]
|
|
186
|
+
}));
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
exports.CICDRoleFactory = CICDRoleFactory;
|
|
190
|
+
exports.default = CICDRoleFactory;
|
|
191
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2ljZFJvbGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi9saWIvcmVzb3VyY2VzL2F3cy9jaWNkL2NpY2RSb2xlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDZDQUF3QztBQUN4QyxpREFNNkI7QUFpRTdCOztHQUVHO0FBQ0gsTUFBTSxZQUFZLEdBQTZDO0lBQzdELGdCQUFnQixFQUFFO1FBQ2hCLEdBQUcsRUFBRSw2Q0FBNkM7UUFDbEQsU0FBUyxFQUFFLENBQUMsbUJBQW1CLENBQUM7UUFDaEMsV0FBVyxFQUFFO1lBQ1gsMENBQTBDO1lBQzFDLDBDQUEwQztTQUMzQztLQUNGO0lBQ0QsU0FBUyxFQUFFO1FBQ1QsR0FBRyxFQUFFLDZCQUE2QjtRQUNsQyxTQUFTLEVBQUUsQ0FBQyxtQkFBbUIsQ0FBQztRQUNoQyxXQUFXLEVBQUUsQ0FBQywwQ0FBMEMsQ0FBQztLQUMxRDtJQUNELFdBQVcsRUFBRTtRQUNYLEdBQUcsRUFBRSxvQkFBb0I7UUFDekIsU0FBUyxFQUFFLENBQUMsb0JBQW9CLENBQUM7UUFDakMsV0FBVyxFQUFFLENBQUMsMENBQTBDLENBQUM7S0FDMUQ7Q0FDRixDQUFDO0FBRUY7OztHQUdHO0FBQ0gsTUFBYSxlQUFlO0lBQzFCOztPQUVHO0lBQ0ksTUFBTSxDQUFDLEtBQUssQ0FDakIsRUFBVSxFQUNWLE1BQXNCO1FBRXRCLE9BQU8sQ0FBQyxJQUFlLEVBQUUsS0FBZ0IsRUFBRSxFQUFFO1lBQzNDLE1BQU0sY0FBYyxHQUFHLFlBQVksQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDckQsTUFBTSxRQUFRLEdBQ1osTUFBTSxDQUFDLFFBQVEsSUFBSSxlQUFlLE1BQU0sQ0FBQyxRQUFRLElBQUksTUFBTSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBRXhFLG9DQUFvQztZQUNwQyxJQUFJLFlBQW1DLENBQUM7WUFFeEMsSUFBSSxNQUFNLENBQUMsbUJBQW1CLEVBQUUsQ0FBQztnQkFDL0IsK0JBQStCO2dCQUMvQixZQUFZLEdBQUcsK0JBQXFCLENBQUMsNEJBQTRCLENBQy9ELEtBQUssRUFDTCxHQUFHLEVBQUUsY0FBYyxFQUNuQixNQUFNLENBQUMsbUJBQW1CLENBQzNCLENBQUM7WUFDSixDQUFDO2lCQUFNLENBQUM7Z0JBQ04sMkJBQTJCO2dCQUMzQixZQUFZLEdBQUcsSUFBSSwrQkFBcUIsQ0FBQyxLQUFLLEVBQUUsR0FBRyxFQUFFLGNBQWMsRUFBRTtvQkFDbkUsR0FBRyxFQUFFLGNBQWMsQ0FBQyxHQUFHO29CQUN2QixTQUFTLEVBQUUsY0FBYyxDQUFDLFNBQVM7b0JBQ25DLFdBQVcsRUFBRSxjQUFjLENBQUMsV0FBVztpQkFDeEMsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztZQUVELGtEQUFrRDtZQUNsRCxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsb0JBQW9CLENBQzFDLE1BQU0sQ0FBQyxRQUFRLEVBQ2YsTUFBTSxDQUFDLGVBQWUsRUFDdEIsWUFBWSxDQUFDLDJCQUEyQixDQUN6QyxDQUFDO1lBRUYsbURBQW1EO1lBQ25ELE1BQU0sSUFBSSxHQUFHLElBQUksY0FBSSxDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUU7Z0JBQy9CLFFBQVEsRUFBRSxRQUFRO2dCQUNsQixJQUFJLEVBQUUsTUFBTSxDQUFDLFFBQVEsSUFBSSxHQUFHO2dCQUM1QixTQUFTLEVBQUUsSUFBSSw4QkFBb0IsQ0FDakMsWUFBWSxDQUFDLHdCQUF3QixFQUNyQyxVQUFVLENBQ1g7Z0JBQ0QsV0FBVyxFQUFFLHlCQUF5QixNQUFNLENBQUMsUUFBUSxNQUFNLE1BQU0sQ0FBQyxPQUFPLEVBQUU7YUFDNUUsQ0FBQyxDQUFDO1lBRUgsa0JBQWtCO1lBQ2xCLElBQUksTUFBTSxDQUFDLGlCQUFpQixFQUFFLENBQUM7Z0JBQzdCLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxPQUFPLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRTtvQkFDN0MsSUFBSSxDQUFDLFdBQVcsQ0FBQyxTQUFTLENBQUMsQ0FBQztnQkFDOUIsQ0FBQyxDQUFDLENBQUM7WUFDTCxDQUFDO2lCQUFNLENBQUM7Z0JBQ04sSUFBSSxDQUFDLDJCQUEyQixDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ3pDLENBQUM7WUFFRCxzQkFBc0I7WUFDdEIsSUFBSSx1QkFBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsS0FBSyxFQUFFO2dCQUMvQixLQUFLLEVBQUUsSUFBSSxDQUFDLE9BQU87Z0JBQ25CLFdBQVcsRUFBRSxvQ0FBb0MsTUFBTSxDQUFDLE9BQU8sRUFBRTtnQkFDakUsVUFBVSxFQUFFLEdBQUcsTUFBTSxDQUFDLE9BQU8sY0FBYzthQUM1QyxDQUFDLENBQUM7WUFFSCwrQkFBK0I7WUFDL0IsSUFBSSx1QkFBUyxDQUFDLEtBQUssRUFBRSxHQUFHLEVBQUUsYUFBYSxFQUFFO2dCQUN2QyxLQUFLLEVBQUUsWUFBWSxDQUFDLHdCQUF3QjtnQkFDNUMsV0FBVyxFQUFFLGdDQUFnQyxNQUFNLENBQUMsUUFBUSxFQUFFO2dCQUM5RCxVQUFVLEVBQUUsR0FBRyxNQUFNLENBQUMsT0FBTyxrQkFBa0I7YUFDaEQsQ0FBQyxDQUFDO1lBRUgsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSyxNQUFNLENBQUMsb0JBQW9CLENBQ2pDLFFBQXNCLEVBQ3RCLGVBQXVCLEVBQ3ZCLE1BQWM7UUFFZCxNQUFNLFVBQVUsR0FBNEI7WUFDMUMsWUFBWSxFQUFFO2dCQUNaLENBQUMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxFQUFFLFlBQVksQ0FBQyxRQUFRLENBQUMsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDO2FBQ3ZEO1NBQ0YsQ0FBQztRQUVGLGlEQUFpRDtRQUNqRCxRQUFRLFFBQVEsRUFBRSxDQUFDO1lBQ2pCLEtBQUssZ0JBQWdCO2dCQUNuQixVQUFVLENBQUMsVUFBVSxHQUFHO29CQUN0QixDQUFDLEdBQUcsTUFBTSxNQUFNLENBQUMsRUFBRSxRQUFRLGVBQWUsSUFBSTtpQkFDL0MsQ0FBQztnQkFDRixNQUFNO1lBRVIsS0FBSyxXQUFXO2dCQUNkLFVBQVUsQ0FBQyxVQUFVLEdBQUc7b0JBQ3RCLENBQUMsR0FBRyxNQUFNLE1BQU0sQ0FBQyxFQUFFLGdCQUFnQixlQUFlLElBQUk7aUJBQ3ZELENBQUM7Z0JBQ0YsTUFBTTtZQUVSLEtBQUssV0FBVztnQkFDZCxVQUFVLENBQUMsVUFBVSxHQUFHO29CQUN0QixDQUFDLEdBQUcsTUFBTSxNQUFNLENBQUMsRUFBRSxnQkFBZ0IsZUFBZSxJQUFJO2lCQUN2RCxDQUFDO2dCQUNGLE1BQU07UUFDVixDQUFDO1FBRUQsT0FBTyxVQUFVLENBQUM7SUFDcEIsQ0FBQztJQUVEOztPQUVHO0lBQ0ssTUFBTSxDQUFDLDJCQUEyQixDQUFDLElBQVU7UUFDbkQsaURBQWlEO1FBQ2pELElBQUksQ0FBQyxXQUFXLENBQ2QsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFLENBQUMsa0JBQWtCLENBQUM7WUFDN0IsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO1NBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBRUYsZ0NBQWdDO1FBQ2hDLElBQUksQ0FBQyxXQUFXLENBQ2QsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFLENBQUMsTUFBTSxDQUFDO1lBQ2pCLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLHVDQUF1QztRQUN2QyxJQUFJLENBQUMsV0FBVyxDQUNkLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQztZQUNsQixTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUNILENBQUM7UUFFRiwwQ0FBMEM7UUFDMUMsSUFBSSxDQUFDLFdBQVcsQ0FDZCxJQUFJLHlCQUFlLENBQUM7WUFDbEIsTUFBTSxFQUFFLGdCQUFNLENBQUMsS0FBSztZQUNwQixPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUM7WUFDbEIsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO1NBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBRUYsOEJBQThCO1FBQzlCLElBQUksQ0FBQyxXQUFXLENBQ2QsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFLENBQUMsUUFBUSxDQUFDO1lBQ25CLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLHNDQUFzQztRQUN0QyxJQUFJLENBQUMsV0FBVyxDQUNkLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRTtnQkFDUCxjQUFjO2dCQUNkLGFBQWE7Z0JBQ2IsZ0JBQWdCO2dCQUNoQixnQkFBZ0I7Z0JBQ2hCLHNCQUFzQjtnQkFDdEIsc0JBQXNCO2dCQUN0QixtQkFBbUI7Z0JBQ25CLHNCQUFzQjthQUN2QjtZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLG9EQUFvRDtRQUNwRCxJQUFJLENBQUMsV0FBVyxDQUNkLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRTtnQkFDUCxrQkFBa0I7Z0JBQ2xCLG1CQUFtQjtnQkFDbkIsK0JBQStCO2FBQ2hDO1lBQ0QsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO1NBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBRUYsNkNBQTZDO1FBQzdDLElBQUksQ0FBQyxXQUFXLENBQ2QsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFO2dCQUNQLCtCQUErQjtnQkFDL0Isa0JBQWtCO2dCQUNsQixxQkFBcUI7Z0JBQ3JCLDRCQUE0QjthQUM3QjtZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztJQUNKLENBQUM7Q0FDRjtBQWpORCwwQ0FpTkM7QUFFRCxrQkFBZSxlQUFlLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBDZm5PdXRwdXQgfSBmcm9tIFwiYXdzLWNkay1saWJcIjtcbmltcG9ydCB7XG4gIFJvbGUsXG4gIFdlYklkZW50aXR5UHJpbmNpcGFsLFxuICBPcGVuSWRDb25uZWN0UHJvdmlkZXIsXG4gIFBvbGljeVN0YXRlbWVudCxcbiAgRWZmZWN0XG59IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCI7XG5pbXBvcnQgeyB0eXBlIENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5cbi8qKlxuICogU3VwcG9ydGVkIENJL0NEIHByb3ZpZGVyc1xuICovXG5leHBvcnQgdHlwZSBDSUNEUHJvdmlkZXIgPSBcImdpdGh1Yi1hY3Rpb25zXCIgfCBcImJ1aWxka2l0ZVwiIHwgXCJnaXRsYWItY2lcIjtcblxuLyoqXG4gKiBPSURDIHByb3ZpZGVyIGNvbmZpZ3VyYXRpb25cbiAqL1xuaW50ZXJmYWNlIE9JRENQcm92aWRlckNvbmZpZyB7XG4gIHVybDogc3RyaW5nO1xuICBjbGllbnRJZHM6IHN0cmluZ1tdO1xuICB0aHVtYnByaW50czogc3RyaW5nW107XG59XG5cbi8qKlxuICogQ29uZmlndXJhdGlvbiBmb3IgY3JlYXRpbmcgYSBDSS9DRCBkZXBsb3kgcm9sZVxuICovXG5leHBvcnQgaW50ZXJmYWNlIENJQ0RSb2xlQ29uZmlnIHtcbiAgLyoqXG4gICAqIFRoZSBDSS9DRCBwcm92aWRlciAoZ2l0aHViLWFjdGlvbnMsIGJ1aWxka2l0ZSwgZ2l0bGFiLWNpKVxuICAgKi9cbiAgcHJvdmlkZXI6IENJQ0RQcm92aWRlcjtcblxuICAvKipcbiAgICogVGhlIGFwcGxpY2F0aW9uIG5hbWUgdG8gc2NvcGUgdGhlIHJvbGUncyBwZXJtaXNzaW9ucyB0b1xuICAgKi9cbiAgYXBwTmFtZTogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBGb3IgR2l0SHViIEFjdGlvbnM6IHJlcG9zaXRvcnkgKG9yZy9yZXBvKVxuICAgKiBGb3IgQnVpbGRraXRlOiBvcmdhbml6YXRpb24gc2x1Z1xuICAgKiBGb3IgR2l0TGFiIENJOiBwcm9qZWN0IHBhdGggKGdyb3VwL3Byb2plY3QpXG4gICAqL1xuICByZXBvc2l0b3J5T3JPcmc6IHN0cmluZztcblxuICAvKipcbiAgICogT3B0aW9uYWwgcm9sZSBuYW1lLiBEZWZhdWx0cyB0byBcIkZqYWxsRGVwbG95LXtwcm92aWRlcn0te2FwcE5hbWV9XCJcbiAgICovXG4gIHJvbGVOYW1lPzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbCBJQU0gcGF0aCBmb3IgdGhlIHJvbGUuIERlZmF1bHRzIHRvIFwiL1wiXG4gICAqL1xuICByb2xlUGF0aD86IHN0cmluZztcblxuICAvKipcbiAgICogT3B0aW9uYWwgY3VzdG9tIHBlcm1pc3Npb25zLiBJZiBub3QgcHJvdmlkZWQsIGRlZmF1bHQgZGVwbG95bWVudCBwZXJtaXNzaW9ucyB3aWxsIGJlIHVzZWQuXG4gICAqL1xuICBjdXN0b21QZXJtaXNzaW9ucz86IFBvbGljeVN0YXRlbWVudFtdO1xuXG4gIC8qKlxuICAgKiBXaGV0aGVyIHRvIHVzZSBleGlzdGluZyBPSURDIHByb3ZpZGVyIG9yIGNyZWF0ZSBhIG5ldyBvbmVcbiAgICogSWYgdHJ1ZSwgd2lsbCBsb29rIGZvciBleGlzdGluZyBwcm92aWRlciBieSBVUkxcbiAgICovXG4gIHVzZUV4aXN0aW5nUHJvdmlkZXI/OiBib29sZWFuO1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbCBBUk4gb2YgZXhpc3RpbmcgT0lEQyBwcm92aWRlciAoc2tpcHMgY3JlYXRpb24pXG4gICAqL1xuICBleGlzdGluZ1Byb3ZpZGVyQXJuPzogc3RyaW5nO1xufVxuXG4vKipcbiAqIE9JREMgcHJvdmlkZXIgY29uZmlndXJhdGlvbnMgZm9yIGRpZmZlcmVudCBDSS9DRCBzeXN0ZW1zXG4gKi9cbmNvbnN0IE9JRENfQ09ORklHUzogUmVjb3JkPENJQ0RQcm92aWRlciwgT0lEQ1Byb3ZpZGVyQ29uZmlnPiA9IHtcbiAgXCJnaXRodWItYWN0aW9uc1wiOiB7XG4gICAgdXJsOiBcImh0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb21cIixcbiAgICBjbGllbnRJZHM6IFtcInN0cy5hbWF6b25hd3MuY29tXCJdLFxuICAgIHRodW1icHJpbnRzOiBbXG4gICAgICBcIjY5MzhmZDRkOThiYWIwM2ZhYWRiOTdiMzQzOTY4MzFlMzc4MGFlYTFcIixcbiAgICAgIFwiMWM1OGEzYTg1MThlODc1OWJmMDc1Yjc2Yjc1MGQ0ZjJkZjI2NGZjZFwiXG4gICAgXVxuICB9LFxuICBidWlsZGtpdGU6IHtcbiAgICB1cmw6IFwiaHR0cHM6Ly9hZ2VudC5idWlsZGtpdGUuY29tXCIsXG4gICAgY2xpZW50SWRzOiBbXCJzdHMuYW1hem9uYXdzLmNvbVwiXSxcbiAgICB0aHVtYnByaW50czogW1wiOWU5OWE0OGE5OTYwYjE0OTI2YmI3ZjNiMDJlMjJkYTJiMGFiNzI4MFwiXVxuICB9LFxuICBcImdpdGxhYi1jaVwiOiB7XG4gICAgdXJsOiBcImh0dHBzOi8vZ2l0bGFiLmNvbVwiLFxuICAgIGNsaWVudElkczogW1wiaHR0cHM6Ly9naXRsYWIuY29tXCJdLFxuICAgIHRodW1icHJpbnRzOiBbXCJiM2RkNzYwNmQyYjVhOGI0YTEzNzcxZGJlY2M5ZWUxY2VjYWZhMzhhXCJdXG4gIH1cbn07XG5cbi8qKlxuICogRmFjdG9yeSB0byBidWlsZCBhIENJL0NEIGRlcGxveSBJQU0gcm9sZSB3aXRoIE9JREMgYXV0aGVudGljYXRpb24uXG4gKiBDcmVhdGVzIGJvdGggdGhlIE9JREMgcHJvdmlkZXIgKGlmIG5lZWRlZCkgYW5kIHRoZSBkZXBsb3kgcm9sZSB3aXRoIGFwcHJvcHJpYXRlIHBlcm1pc3Npb25zLlxuICovXG5leHBvcnQgY2xhc3MgQ0lDRFJvbGVGYWN0b3J5IHtcbiAgLyoqXG4gICAqIEJ1aWxkIGEgQ0kvQ0QgZGVwbG95IHJvbGUgd2l0aCBPSURDIGF1dGhlbnRpY2F0aW9uXG4gICAqL1xuICBwdWJsaWMgc3RhdGljIGJ1aWxkKFxuICAgIGlkOiBzdHJpbmcsXG4gICAgY29uZmlnOiBDSUNEUm9sZUNvbmZpZ1xuICApOiAoYXBwOiBDb25zdHJ1Y3QsIHNjb3BlOiBDb25zdHJ1Y3QpID0+IFJvbGUge1xuICAgIHJldHVybiAoX2FwcDogQ29uc3RydWN0LCBzY29wZTogQ29uc3RydWN0KSA9PiB7XG4gICAgICBjb25zdCBwcm92aWRlckNvbmZpZyA9IE9JRENfQ09ORklHU1tjb25maWcucHJvdmlkZXJdO1xuICAgICAgY29uc3Qgcm9sZU5hbWUgPVxuICAgICAgICBjb25maWcucm9sZU5hbWUgfHwgYEZqYWxsRGVwbG95LSR7Y29uZmlnLnByb3ZpZGVyfS0ke2NvbmZpZy5hcHBOYW1lfWA7XG5cbiAgICAgIC8vIENyZWF0ZSBvciByZWZlcmVuY2UgT0lEQyBwcm92aWRlclxuICAgICAgbGV0IG9pZGNQcm92aWRlcjogT3BlbklkQ29ubmVjdFByb3ZpZGVyO1xuXG4gICAgICBpZiAoY29uZmlnLmV4aXN0aW5nUHJvdmlkZXJBcm4pIHtcbiAgICAgICAgLy8gVXNlIGV4aXN0aW5nIHByb3ZpZGVyIGJ5IEFSTlxuICAgICAgICBvaWRjUHJvdmlkZXIgPSBPcGVuSWRDb25uZWN0UHJvdmlkZXIuZnJvbU9wZW5JZENvbm5lY3RQcm92aWRlckFybihcbiAgICAgICAgICBzY29wZSxcbiAgICAgICAgICBgJHtpZH1PaWRjUHJvdmlkZXJgLFxuICAgICAgICAgIGNvbmZpZy5leGlzdGluZ1Byb3ZpZGVyQXJuXG4gICAgICAgICk7XG4gICAgICB9IGVsc2Uge1xuICAgICAgICAvLyBDcmVhdGUgbmV3IE9JREMgcHJvdmlkZXJcbiAgICAgICAgb2lkY1Byb3ZpZGVyID0gbmV3IE9wZW5JZENvbm5lY3RQcm92aWRlcihzY29wZSwgYCR7aWR9T2lkY1Byb3ZpZGVyYCwge1xuICAgICAgICAgIHVybDogcHJvdmlkZXJDb25maWcudXJsLFxuICAgICAgICAgIGNsaWVudElkczogcHJvdmlkZXJDb25maWcuY2xpZW50SWRzLFxuICAgICAgICAgIHRodW1icHJpbnRzOiBwcm92aWRlckNvbmZpZy50aHVtYnByaW50c1xuICAgICAgICB9KTtcbiAgICAgIH1cblxuICAgICAgLy8gQnVpbGQgdHJ1c3QgcG9saWN5IGNvbmRpdGlvbnMgYmFzZWQgb24gcHJvdmlkZXJcbiAgICAgIGNvbnN0IGNvbmRpdGlvbnMgPSB0aGlzLmJ1aWxkVHJ1c3RDb25kaXRpb25zKFxuICAgICAgICBjb25maWcucHJvdmlkZXIsXG4gICAgICAgIGNvbmZpZy5yZXBvc2l0b3J5T3JPcmcsXG4gICAgICAgIG9pZGNQcm92aWRlci5vcGVuSWRDb25uZWN0UHJvdmlkZXJJc3N1ZXJcbiAgICAgICk7XG5cbiAgICAgIC8vIENyZWF0ZSB0aGUgcm9sZSB3aXRoIE9JREMgd2ViIGlkZW50aXR5IHByaW5jaXBhbFxuICAgICAgY29uc3Qgcm9sZSA9IG5ldyBSb2xlKHNjb3BlLCBpZCwge1xuICAgICAgICByb2xlTmFtZTogcm9sZU5hbWUsXG4gICAgICAgIHBhdGg6IGNvbmZpZy5yb2xlUGF0aCB8fCBcIi9cIixcbiAgICAgICAgYXNzdW1lZEJ5OiBuZXcgV2ViSWRlbnRpdHlQcmluY2lwYWwoXG4gICAgICAgICAgb2lkY1Byb3ZpZGVyLm9wZW5JZENvbm5lY3RQcm92aWRlckFybixcbiAgICAgICAgICBjb25kaXRpb25zXG4gICAgICAgICksXG4gICAgICAgIGRlc2NyaXB0aW9uOiBgQ0kvQ0QgZGVwbG95IHJvbGUgZm9yICR7Y29uZmlnLnByb3ZpZGVyfSAtICR7Y29uZmlnLmFwcE5hbWV9YFxuICAgICAgfSk7XG5cbiAgICAgIC8vIEFkZCBwZXJtaXNzaW9uc1xuICAgICAgaWYgKGNvbmZpZy5jdXN0b21QZXJtaXNzaW9ucykge1xuICAgICAgICBjb25maWcuY3VzdG9tUGVybWlzc2lvbnMuZm9yRWFjaCgoc3RhdGVtZW50KSA9PiB7XG4gICAgICAgICAgcm9sZS5hZGRUb1BvbGljeShzdGF0ZW1lbnQpO1xuICAgICAgICB9KTtcbiAgICAgIH0gZWxzZSB7XG4gICAgICAgIHRoaXMuYWRkRGVmYXVsdERlcGxveVBlcm1pc3Npb25zKHJvbGUpO1xuICAgICAgfVxuXG4gICAgICAvLyBFeHBvcnQgdGhlIHJvbGUgQVJOXG4gICAgICBuZXcgQ2ZuT3V0cHV0KHNjb3BlLCBgJHtpZH1Bcm5gLCB7XG4gICAgICAgIHZhbHVlOiByb2xlLnJvbGVBcm4sXG4gICAgICAgIGRlc2NyaXB0aW9uOiBgQVJOIG9mIHRoZSBDSS9DRCBkZXBsb3kgcm9sZSBmb3IgJHtjb25maWcuYXBwTmFtZX1gLFxuICAgICAgICBleHBvcnROYW1lOiBgJHtjb25maWcuYXBwTmFtZX0tQ0lDRFJvbGVBcm5gXG4gICAgICB9KTtcblxuICAgICAgLy8gRXhwb3J0IHRoZSBPSURDIHByb3ZpZGVyIEFSTlxuICAgICAgbmV3IENmbk91dHB1dChzY29wZSwgYCR7aWR9UHJvdmlkZXJBcm5gLCB7XG4gICAgICAgIHZhbHVlOiBvaWRjUHJvdmlkZXIub3BlbklkQ29ubmVjdFByb3ZpZGVyQXJuLFxuICAgICAgICBkZXNjcmlwdGlvbjogYEFSTiBvZiB0aGUgT0lEQyBwcm92aWRlciBmb3IgJHtjb25maWcucHJvdmlkZXJ9YCxcbiAgICAgICAgZXhwb3J0TmFtZTogYCR7Y29uZmlnLmFwcE5hbWV9LUNJQ0RQcm92aWRlckFybmBcbiAgICAgIH0pO1xuXG4gICAgICByZXR1cm4gcm9sZTtcbiAgICB9O1xuICB9XG5cbiAgLyoqXG4gICAqIEJ1aWxkIHRydXN0IHBvbGljeSBjb25kaXRpb25zIGJhc2VkIG9uIENJL0NEIHByb3ZpZGVyXG4gICAqL1xuICBwcml2YXRlIHN0YXRpYyBidWlsZFRydXN0Q29uZGl0aW9ucyhcbiAgICBwcm92aWRlcjogQ0lDRFByb3ZpZGVyLFxuICAgIHJlcG9zaXRvcnlPck9yZzogc3RyaW5nLFxuICAgIGlzc3Vlcjogc3RyaW5nXG4gICk6IFJlY29yZDxzdHJpbmcsIHVua25vd24+IHtcbiAgICBjb25zdCBjb25kaXRpb25zOiBSZWNvcmQ8c3RyaW5nLCB1bmtub3duPiA9IHtcbiAgICAgIFN0cmluZ0VxdWFsczoge1xuICAgICAgICBbYCR7aXNzdWVyfTphdWRgXTogT0lEQ19DT05GSUdTW3Byb3ZpZGVyXS5jbGllbnRJZHNbMF1cbiAgICAgIH1cbiAgICB9O1xuXG4gICAgLy8gQWRkIHByb3ZpZGVyLXNwZWNpZmljIHN1YmplY3QgY2xhaW0gY29uZGl0aW9uc1xuICAgIHN3aXRjaCAocHJvdmlkZXIpIHtcbiAgICAgIGNhc2UgXCJnaXRodWItYWN0aW9uc1wiOlxuICAgICAgICBjb25kaXRpb25zLlN0cmluZ0xpa2UgPSB7XG4gICAgICAgICAgW2Ake2lzc3Vlcn06c3ViYF06IGByZXBvOiR7cmVwb3NpdG9yeU9yT3JnfToqYFxuICAgICAgICB9O1xuICAgICAgICBicmVhaztcblxuICAgICAgY2FzZSBcImJ1aWxka2l0ZVwiOlxuICAgICAgICBjb25kaXRpb25zLlN0cmluZ0xpa2UgPSB7XG4gICAgICAgICAgW2Ake2lzc3Vlcn06c3ViYF06IGBvcmdhbml6YXRpb246JHtyZXBvc2l0b3J5T3JPcmd9OipgXG4gICAgICAgIH07XG4gICAgICAgIGJyZWFrO1xuXG4gICAgICBjYXNlIFwiZ2l0bGFiLWNpXCI6XG4gICAgICAgIGNvbmRpdGlvbnMuU3RyaW5nTGlrZSA9IHtcbiAgICAgICAgICBbYCR7aXNzdWVyfTpzdWJgXTogYHByb2plY3RfcGF0aDoke3JlcG9zaXRvcnlPck9yZ306KmBcbiAgICAgICAgfTtcbiAgICAgICAgYnJlYWs7XG4gICAgfVxuXG4gICAgcmV0dXJuIGNvbmRpdGlvbnM7XG4gIH1cblxuICAvKipcbiAgICogQWRkIGRlZmF1bHQgZGVwbG95bWVudCBwZXJtaXNzaW9ucyB0byB0aGUgcm9sZVxuICAgKi9cbiAgcHJpdmF0ZSBzdGF0aWMgYWRkRGVmYXVsdERlcGxveVBlcm1pc3Npb25zKHJvbGU6IFJvbGUpOiB2b2lkIHtcbiAgICAvLyBDbG91ZEZvcm1hdGlvbiBwZXJtaXNzaW9ucyBmb3IgQ0RLIGRlcGxveW1lbnRzXG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1wiY2xvdWRmb3JtYXRpb246KlwiXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG5cbiAgICAvLyBTMyBwZXJtaXNzaW9ucyBmb3IgQ0RLIGFzc2V0c1xuICAgIHJvbGUuYWRkVG9Qb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBFZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFtcInMzOipcIl0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gRUNSIHBlcm1pc3Npb25zIGZvciBjb250YWluZXIgaW1hZ2VzXG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1wiZWNyOipcIl0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gRUNTIHBlcm1pc3Npb25zIGZvciBzZXJ2aWNlIGRlcGxveW1lbnRzXG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1wiZWNzOipcIl0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gQ2xvdWRXYXRjaCBMb2dzIHBlcm1pc3Npb25zXG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1wibG9nczoqXCJdLFxuICAgICAgICByZXNvdXJjZXM6IFtcIipcIl1cbiAgICAgIH0pXG4gICAgKTtcblxuICAgIC8vIElBTSBwZXJtaXNzaW9ucyBmb3Igcm9sZSBtYW5hZ2VtZW50XG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgIFwiaWFtOlBhc3NSb2xlXCIsXG4gICAgICAgICAgXCJpYW06R2V0Um9sZVwiLFxuICAgICAgICAgIFwiaWFtOkNyZWF0ZVJvbGVcIixcbiAgICAgICAgICBcImlhbTpEZWxldGVSb2xlXCIsXG4gICAgICAgICAgXCJpYW06QXR0YWNoUm9sZVBvbGljeVwiLFxuICAgICAgICAgIFwiaWFtOkRldGFjaFJvbGVQb2xpY3lcIixcbiAgICAgICAgICBcImlhbTpQdXRSb2xlUG9saWN5XCIsXG4gICAgICAgICAgXCJpYW06RGVsZXRlUm9sZVBvbGljeVwiXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gU1NNIGFuZCBTZWNyZXRzIE1hbmFnZXIgZm9yIHJ1bnRpbWUgY29uZmlndXJhdGlvblxuICAgIHJvbGUuYWRkVG9Qb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBFZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFtcbiAgICAgICAgICBcInNzbTpHZXRQYXJhbWV0ZXJcIixcbiAgICAgICAgICBcInNzbTpHZXRQYXJhbWV0ZXJzXCIsXG4gICAgICAgICAgXCJzZWNyZXRzbWFuYWdlcjpHZXRTZWNyZXRWYWx1ZVwiXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gRUMyIHBlcm1pc3Npb25zIGZvciBWUEMvbmV0d29ya2luZyBxdWVyaWVzXG4gICAgcm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgIFwiZWMyOkRlc2NyaWJlQXZhaWxhYmlsaXR5Wm9uZXNcIixcbiAgICAgICAgICBcImVjMjpEZXNjcmliZVZwY3NcIixcbiAgICAgICAgICBcImVjMjpEZXNjcmliZVN1Ym5ldHNcIixcbiAgICAgICAgICBcImVjMjpEZXNjcmliZVNlY3VyaXR5R3JvdXBzXCJcbiAgICAgICAgXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG4gIH1cbn1cblxuZXhwb3J0IGRlZmF1bHQgQ0lDRFJvbGVGYWN0b3J5O1xuIl19
|
|
@@ -27,10 +27,12 @@ export interface Ec2CapacityConfig {
|
|
|
27
27
|
instanceType?: string;
|
|
28
28
|
/** AMI hardware type. Default: "ARM" (Graviton - better cost/performance) */
|
|
29
29
|
amiHardwareType?: "ARM" | "STANDARD";
|
|
30
|
-
/** Minimum number of instances. Default:
|
|
30
|
+
/** Minimum number of instances. Default: 1 */
|
|
31
31
|
minCapacity?: number;
|
|
32
32
|
/** Maximum number of instances. Default: 3 */
|
|
33
33
|
maxCapacity?: number;
|
|
34
|
+
/** Desired number of EC2 instances. Default: 2 (for availability) */
|
|
35
|
+
desiredCount?: number;
|
|
34
36
|
/** Memory limit in MiB for the container. Default: 1024 */
|
|
35
37
|
memoryLimitMiB?: number;
|
|
36
38
|
}
|
|
@@ -87,10 +89,18 @@ export interface EcsClusterContainerConfig {
|
|
|
87
89
|
port?: number;
|
|
88
90
|
/** Environment variables */
|
|
89
91
|
environment?: Record<string, string>;
|
|
90
|
-
/** Secrets imported from other resources */
|
|
92
|
+
/** Secrets imported from other resources (AWS Secrets Manager) */
|
|
91
93
|
secretsImport?: {
|
|
92
94
|
[key: string]: SecretImport;
|
|
93
95
|
};
|
|
96
|
+
/**
|
|
97
|
+
* Secrets from AWS SSM Parameter Store.
|
|
98
|
+
* Array of secret names that will be fetched from the service's SSM namespace.
|
|
99
|
+
*
|
|
100
|
+
* @example
|
|
101
|
+
* ssmSecrets: ["API_KEY", "DB_PASSWORD"]
|
|
102
|
+
*/
|
|
103
|
+
ssmSecrets?: string[];
|
|
94
104
|
/** Command to run in the container */
|
|
95
105
|
command?: string[];
|
|
96
106
|
/** Entry point for the container */
|
|
@@ -221,6 +231,15 @@ export interface EcsServiceProps {
|
|
|
221
231
|
* Services with matching ec2Config share an ASG for efficiency.
|
|
222
232
|
*/
|
|
223
233
|
ec2Config?: Ec2CapacityConfig;
|
|
234
|
+
/**
|
|
235
|
+
* SSM Parameter Store path for secrets.
|
|
236
|
+
* If containers have ssmSecrets defined, this path is used as the base path.
|
|
237
|
+
* Format: /<app>/<cluster>/<service>
|
|
238
|
+
*
|
|
239
|
+
* @example
|
|
240
|
+
* ssmSecretsPath: "/myapp/api-cluster/users"
|
|
241
|
+
*/
|
|
242
|
+
ssmSecretsPath?: string;
|
|
224
243
|
}
|
|
225
244
|
/**
|
|
226
245
|
* Props for creating an ECS cluster with multiple services.
|
|
@@ -228,6 +247,12 @@ export interface EcsServiceProps {
|
|
|
228
247
|
export type EcsClusterProps = {
|
|
229
248
|
/** Cluster name */
|
|
230
249
|
clusterName: string;
|
|
250
|
+
/**
|
|
251
|
+
* Application name for SSM secrets namespace.
|
|
252
|
+
* Required when any container uses ssmSecrets without explicit ssmSecretsPath.
|
|
253
|
+
* Used to build the path: /<appName>/<clusterName>/<serviceName>
|
|
254
|
+
*/
|
|
255
|
+
appName?: string;
|
|
231
256
|
/** VPC to deploy into */
|
|
232
257
|
vpc?: IVpc;
|
|
233
258
|
/** Default ECR repository or container image */
|
|
@@ -373,6 +398,29 @@ export default class EcsCluster extends Construct implements IConnectable {
|
|
|
373
398
|
* Checks if a service uses an EC2 capacity provider.
|
|
374
399
|
*/
|
|
375
400
|
private isServiceEc2;
|
|
401
|
+
/**
|
|
402
|
+
* Validates an SSM path component for correctness.
|
|
403
|
+
* SSM parameter paths have specific constraints that must be enforced.
|
|
404
|
+
*
|
|
405
|
+
* @param component - The path component to validate
|
|
406
|
+
* @param fieldName - Name of the field for error messages
|
|
407
|
+
* @throws Error if the component is invalid
|
|
408
|
+
*/
|
|
409
|
+
private validateSsmPathComponent;
|
|
410
|
+
/**
|
|
411
|
+
* Derives the SSM secrets path for a service.
|
|
412
|
+
* Uses explicit path if provided, otherwise derives from app/cluster/service names.
|
|
413
|
+
*
|
|
414
|
+
* @param serviceName - The service name
|
|
415
|
+
* @param explicitPath - Optional explicit path override
|
|
416
|
+
* @returns The SSM secrets path (e.g., /myapp/ApiCluster/users)
|
|
417
|
+
*/
|
|
418
|
+
/**
|
|
419
|
+
* Collects all Secrets Manager secret names from secretsImport across all services.
|
|
420
|
+
* Used to scope IAM permissions for least-privilege access.
|
|
421
|
+
*/
|
|
422
|
+
private collectSecretsManagerSecretNames;
|
|
423
|
+
private deriveSsmSecretsPath;
|
|
376
424
|
/**
|
|
377
425
|
* Generates a unique key for EC2 config (for ASG deduplication).
|
|
378
426
|
* Services with matching keys share an ASG.
|