@fjall/components-infrastructure 0.89.5 → 0.89.6

package/dist/lib/patterns/aws/account.js

@@ -1,44 +1,53 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Account = void 0;
-const aws_cdk_lib_1 = require("aws-cdk-lib");
-const aws_1 = require("../../config/aws");
-const cloudTrail_1 = require("../../config/aws/cloudTrail");
-const oidcConnector_1 = require("../../config/aws/oidcConnector");
-const accountMonitoringRole_1 = require("../../config/aws/accountMonitoringRole");
-const accountAuditRole_1 = require("../../config/aws/accountAuditRole");
-const getConfig_1 = require("../../utils/getConfig");
-const disasterRecovery_1 = require("../../config/aws/disasterRecovery");
-class Account extends aws_cdk_lib_1.Stack {
+import { CfnOutput, Stack } from "aws-cdk-lib";
+import { EcrDefaultImage, DefaultEventBus, SharedAlarmTopic } from "../../config/aws/index.js";
+import { ManagementEventsTrail } from "../../config/aws/cloudTrail.js";
+import { OidcConnector } from "../../config/aws/oidcConnector.js";
+import { AccountMonitoringRole } from "../../config/aws/accountMonitoringRole.js";
+import { AccountAuditRole } from "../../config/aws/accountAuditRole.js";
+import { getConfig } from "../../utils/getConfig.js";
+import { DisasterRecovery } from "../../config/aws/disasterRecovery.js";
+import { S3BlockPublicAccess } from "../../config/aws/s3BlockPublicAccess.js";
+import { EbsDefaultEncryption } from "../../config/aws/ebsDefaultEncryption.js";
+import { ConfigRulePreset } from "../../config/aws/configRulePreset.js";
+import { GuardDutyDetector } from "../../config/aws/guardDutyDetector.js";
+import { SecurityHubHub } from "../../config/aws/securityHubHub.js";
+import { ConfigRecorder } from "../../config/aws/configRecorder.js";
+import { AccountAccessAnalyser } from "../../config/aws/accessAnalyser.js";
+import { InspectorEnablement } from "../../config/aws/inspectorEnablement.js";
+export class Account extends Stack {
+    organisationType = "account";
+    resolvedRegion;
     constructor(scope, id, props) {
-        const config = (0, getConfig_1.getConfig)();
+        const config = getConfig();
         const accountId = props.accountId ?? config.accountId;
         const region = props.region ?? config.region;
         if (!accountId) {
             throw new Error("Account requires an account ID. Provide it via accountId or ensure CDK context includes accountId.");
         }
-        super(scope, id, props);
-        this.organisationType = "account";
-        this.resolvedRegion = region;
+        const env = props.env ?? { region, account: accountId };
+        super(scope, id, { ...props, env });
+        this.resolvedRegion = region ?? this.region;
         const orgId = this.node.tryGetContext("orgId");
         if (orgId) {
-            new aws_cdk_lib_1.CfnOutput(this, "OrganisationIdOutput", {
+            new CfnOutput(this, "OrganisationIdOutput", {
                 key: "OrganisationId",
                 value: orgId,
                 exportName: "OrganisationId"
             });
         }
-        new aws_cdk_lib_1.CfnOutput(this, "AccountIdOutput", {
+        new CfnOutput(this, "AccountIdOutput", {
             key: "AccountId",
             value: this.account,
             exportName: "AccountId",
             description: "AWS Account ID for this account"
         });
-        const eventBus = new aws_1.DefaultEventBus(this, "EventBus");
+        const eventBus = new DefaultEventBus(this, "EventBus");
+        new SharedAlarmTopic(this, "AlarmTopic");
+        const isStandaloneAccount = this.constructor === Account;
         const ipamPoolId = this.node.tryGetContext("ipamPoolId");
-        if (id === "Account" && ipamPoolId) {
-            const regionSuffix = region.replace(/-/g, "");
-            new aws_cdk_lib_1.CfnOutput(this, "IpamPoolIdOutput", {
+        if (isStandaloneAccount && ipamPoolId && this.resolvedRegion) {
+            const regionSuffix = this.resolvedRegion.replace(/-/g, "");
+            new CfnOutput(this, "IpamPoolIdOutput", {
                 key: `IpamPoolId${accountId}${regionSuffix}`,
                 value: ipamPoolId,
                 exportName: `IpamPoolId${accountId}${regionSuffix}`
@@ -46,41 +55,59 @@ class Account extends aws_cdk_lib_1.Stack {
         }
         const fjallOrgId = this.node.tryGetContext("fjallOrgId");
         const oidcAlreadyConfigured = this.node.tryGetContext("fjallOidcConfigured") === "true";
-        if (id === "Account" && fjallOrgId && !oidcAlreadyConfigured) {
-            new oidcConnector_1.OidcConnector(this, "OidcConnector", { fjallOrgId });
+        if (isStandaloneAccount && fjallOrgId && !oidcAlreadyConfigured) {
+            new OidcConnector(this, "OidcConnector", { fjallOrgId });
         }
         // Per-account monitoring role (unconditional; ExternalId added when orgId known)
-        new accountMonitoringRole_1.AccountMonitoringRole(this, "MonitoringRole", fjallOrgId ? { fjallOrgId } : undefined);
+        new AccountMonitoringRole(this, "MonitoringRole", fjallOrgId ? { fjallOrgId } : undefined);
         // Per-account audit role (conditional on fjallOrgId)
         if (fjallOrgId) {
-            new accountAuditRole_1.AccountAuditRole(this, "AuditRole", { fjallOrgId });
+            new AccountAuditRole(this, "AuditRole", { fjallOrgId });
         }
-        new cloudTrail_1.ManagementEventsTrail(this, "CloudTrail", {
+        new ManagementEventsTrail(this, "CloudTrail", {
             accountId: this.account,
             region
         });
-        new aws_1.EcrDefaultImage(this, "EcrDefaultImage", {
+        new EcrDefaultImage(this, "EcrDefaultImage", {
             region,
             accountId: this.account,
             eventBusArn: eventBus.defaultEventBusArn.value
         });
-        const environment = config.environment || "unknown";
+        const environment = config.environment ?? "unknown";
         if (config.disasterRecoveryRegion) {
             const isComplianceAccount = environment === "compliance";
             if (environment === "production" || isComplianceAccount) {
-                new disasterRecovery_1.DisasterRecovery(this, "DisasterRecovery", {
+                new DisasterRecovery(this, "DisasterRecovery", {
                     region,
                     accountId
                 });
             }
         }
-        new aws_cdk_lib_1.CfnOutput(this, "Environment", {
+        new CfnOutput(this, "Environment", {
             key: "Environment",
             value: environment,
             exportName: "Environment",
             description: "Environment type for this account (e.g., production, staging, development)"
         });
+        new S3BlockPublicAccess(this, "S3BlockPublicAccess");
+        new EbsDefaultEncryption(this, "EbsDefaultEncryption");
+    }
+    enableGuardDuty(props) {
+        return new GuardDutyDetector(this, "GuardDuty", props);
+    }
+    enableSecurityHub(props) {
+        return new SecurityHubHub(this, "SecurityHub", props);
+    }
+    enableConfigRecorder(props) {
+        return new ConfigRecorder(this, "ConfigRecorder", props);
+    }
+    enableAccessAnalyser() {
+        return new AccountAccessAnalyser(this, "AccessAnalyser");
+    }
+    enableInspector() {
+        return new InspectorEnablement(this, "Inspector");
+    }
+    enableConfigRules(props) {
+        return new ConfigRulePreset(this, "ConfigRules", props);
     }
 }
-exports.Account = Account;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjb3VudC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL2xpYi9wYXR0ZXJucy9hd3MvYWNjb3VudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw2Q0FBZ0U7QUFDaEUsMENBQW9FO0FBRXBFLDREQUFvRTtBQUNwRSxrRUFBK0Q7QUFDL0Qsa0ZBQStFO0FBQy9FLHdFQUFxRTtBQUNyRSxxREFBa0Q7QUFDbEQsd0VBQXFFO0FBUXJFLE1BQWEsT0FBUSxTQUFRLG1CQUFLO0lBSWhDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBbUI7UUFDM0QsTUFBTSxNQUFNLEdBQUcsSUFBQSxxQkFBUyxHQUFFLENBQUM7UUFDM0IsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLFNBQVMsSUFBSSxNQUFNLENBQUMsU0FBUyxDQUFDO1FBQ3RELE1BQU0sTUFBTSxHQUFHLEtBQUssQ0FBQyxNQUFNLElBQUksTUFBTSxDQUFDLE1BQU0sQ0FBQztRQUU3QyxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDZixNQUFNLElBQUksS0FBSyxDQUNiLG9HQUFvRyxDQUNyRyxDQUFDO1FBQ0osQ0FBQztRQUVELEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBZFYscUJBQWdCLEdBQXFCLFNBQVMsQ0FBQztRQWdCN0QsSUFBSSxDQUFDLGNBQWMsR0FBRyxNQUFNLENBQUM7UUFFN0IsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDL0MsSUFBSSxLQUFLLEVBQUUsQ0FBQztZQUNWLElBQUksdUJBQVMsQ0FBQyxJQUFJLEVBQUUsc0JBQXNCLEVBQUU7Z0JBQzFDLEdBQUcsRUFBRSxnQkFBZ0I7Z0JBQ3JCLEtBQUssRUFBRSxLQUFLO2dCQUNaLFVBQVUsRUFBRSxnQkFBZ0I7YUFDN0IsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELElBQUksdUJBQVMsQ0FBQyxJQUFJLEVBQUUsaUJBQWlCLEVBQUU7WUFDckMsR0FBRyxFQUFFLFdBQVc7WUFDaEIsS0FBSyxFQUFFLElBQUksQ0FBQyxPQUFPO1lBQ25CLFVBQVUsRUFBRSxXQUFXO1lBQ3ZCLFdBQVcsRUFBRSxpQ0FBaUM7U0FDL0MsQ0FBQyxDQUFDO1FBRUgsTUFBTSxRQUFRLEdBQUcsSUFBSSxxQkFBZSxDQUFDLElBQUksRUFBRSxVQUFVLENBQUMsQ0FBQztRQUV2RCxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUN6RCxJQUFJLEVBQUUsS0FBSyxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7WUFDbkMsTUFBTSxZQUFZLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDOUMsSUFBSSx1QkFBUyxDQUFDLElBQUksRUFBRSxrQkFBa0IsRUFBRTtnQkFDdEMsR0FBRyxFQUFFLGFBQWEsU0FBUyxHQUFHLFlBQVksRUFBRTtnQkFDNUMsS0FBSyxFQUFFLFVBQVU7Z0JBQ2pCLFVBQVUsRUFBRSxhQUFhLFNBQVMsR0FBRyxZQUFZLEVBQUU7YUFDcEQsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBQ3pELE1BQU0scUJBQXFCLEdBQ3pCLElBQUksQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLHFCQUFxQixDQUFDLEtBQUssTUFBTSxDQUFDO1FBQzVELElBQUksRUFBRSxLQUFLLFNBQVMsSUFBSSxVQUFVLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO1lBQzdELElBQUksNkJBQWEsQ0FBQyxJQUFJLEVBQUUsZUFBZSxFQUFFLEVBQUUsVUFBVSxFQUFFLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBRUQsaUZBQWlGO1FBQ2pGLElBQUksNkNBQXFCLENBQ3ZCLElBQUksRUFDSixnQkFBZ0IsRUFDaEIsVUFBVSxDQUFDLENBQUMsQ0FBQyxFQUFFLFVBQVUsRUFBRSxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQ3hDLENBQUM7UUFFRixxREFBcUQ7UUFDckQsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLElBQUksbUNBQWdCLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRSxFQUFFLFVBQVUsRUFBRSxDQUFDLENBQUM7UUFDMUQsQ0FBQztRQUVELElBQUksa0NBQXFCLENBQUMsSUFBSSxFQUFFLFlBQVksRUFBRTtZQUM1QyxTQUFTLEVBQUUsSUFBSSxDQUFDLE9BQU87WUFDdkIsTUFBTTtTQUNQLENBQUMsQ0FBQztRQUVILElBQUkscUJBQWUsQ0FBQyxJQUFJLEVBQUUsaUJBQWlCLEVBQUU7WUFDM0MsTUFBTTtZQUNOLFNBQVMsRUFBRSxJQUFJLENBQUMsT0FBTztZQUN2QixXQUFXLEVBQUUsUUFBUSxDQUFDLGtCQUFrQixDQUFDLEtBQUs7U0FDL0MsQ0FBQyxDQUFDO1FBRUgsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLFdBQVcsSUFBSSxTQUFTLENBQUM7UUFFcEQsSUFBSSxNQUFNLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztZQUNsQyxNQUFNLG1CQUFtQixHQUFHLFdBQVcsS0FBSyxZQUFZLENBQUM7WUFFekQsSUFBSSxXQUFXLEtBQUssWUFBWSxJQUFJLG1CQUFtQixFQUFFLENBQUM7Z0JBQ3hELElBQUksbUNBQWdCLENBQUMsSUFBSSxFQUFFLGtCQUFrQixFQUFFO29CQUM3QyxNQUFNO29CQUNOLFNBQVM7aUJBQ1YsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztRQUNILENBQUM7UUFFRCxJQUFJLHVCQUFTLENBQUMsSUFBSSxFQUFFLGFBQWEsRUFBRTtZQUNqQyxHQUFHLEVBQUUsYUFBYTtZQUNsQixLQUFLLEVBQUUsV0FBVztZQUNsQixVQUFVLEVBQUUsYUFBYTtZQUN6QixXQUFXLEVBQ1QsNEVBQTRFO1NBQy9FLENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQWxHRCwwQkFrR0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBDZm5PdXRwdXQsIFN0YWNrLCB0eXBlIFN0YWNrUHJvcHMgfSBmcm9tIFwiYXdzLWNkay1saWJcIjtcbmltcG9ydCB7IEVjckRlZmF1bHRJbWFnZSwgRGVmYXVsdEV2ZW50QnVzIH0gZnJvbSBcIi4uLy4uL2NvbmZpZy9hd3NcIjtcbmltcG9ydCB7IHR5cGUgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIjtcbmltcG9ydCB7IE1hbmFnZW1lbnRFdmVudHNUcmFpbCB9IGZyb20gXCIuLi8uLi9jb25maWcvYXdzL2Nsb3VkVHJhaWxcIjtcbmltcG9ydCB7IE9pZGNDb25uZWN0b3IgfSBmcm9tIFwiLi4vLi4vY29uZmlnL2F3cy9vaWRjQ29ubmVjdG9yXCI7XG5pbXBvcnQgeyBBY2NvdW50TW9uaXRvcmluZ1JvbGUgfSBmcm9tIFwiLi4vLi4vY29uZmlnL2F3cy9hY2NvdW50TW9uaXRvcmluZ1JvbGVcIjtcbmltcG9ydCB7IEFjY291bnRBdWRpdFJvbGUgfSBmcm9tIFwiLi4vLi4vY29uZmlnL2F3cy9hY2NvdW50QXVkaXRSb2xlXCI7XG5pbXBvcnQgeyBnZXRDb25maWcgfSBmcm9tIFwiLi4vLi4vdXRpbHMvZ2V0Q29uZmlnXCI7XG5pbXBvcnQgeyBEaXNhc3RlclJlY292ZXJ5IH0gZnJvbSBcIi4uLy4uL2NvbmZpZy9hd3MvZGlzYXN0ZXJSZWNvdmVyeVwiO1xuaW1wb3J0IHR5cGUgeyBPcmdhbmlzYXRpb25UeXBlIH0gZnJvbSBcIi4vaW50ZXJmYWNlcy9vcmdhbmlzYXRpb25cIjtcblxuZXhwb3J0IGludGVyZmFjZSBBY2NvdW50UHJvcHMgZXh0ZW5kcyBTdGFja1Byb3BzIHtcbiAgYWNjb3VudElkPzogc3RyaW5nO1xuICByZWdpb24/OiBzdHJpbmc7XG59XG5cbmV4cG9ydCBjbGFzcyBBY2NvdW50IGV4dGVuZHMgU3RhY2sge1xuICBwdWJsaWMgcmVhZG9ubHkgb3JnYW5pc2F0aW9uVHlwZTogT3JnYW5pc2F0aW9uVHlwZSA9IFwiYWNjb3VudFwiO1xuICBwcm90ZWN0ZWQgcmVhZG9ubHkgcmVzb2x2ZWRSZWdpb246IHN0cmluZztcblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogQWNjb3VudFByb3BzKSB7XG4gICAgY29uc3QgY29uZmlnID0gZ2V0Q29uZmlnKCk7XG4gICAgY29uc3QgYWNjb3VudElkID0gcHJvcHMuYWNjb3VudElkID8/IGNvbmZpZy5hY2NvdW50SWQ7XG4gICAgY29uc3QgcmVnaW9uID0gcHJvcHMucmVnaW9uID8/IGNvbmZpZy5yZWdpb247XG5cbiAgICBpZiAoIWFjY291bnRJZCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKFxuICAgICAgICBcIkFjY291bnQgcmVxdWlyZXMgYW4gYWNjb3VudCBJRC4gUHJvdmlkZSBpdCB2aWEgYWNjb3VudElkIG9yIGVuc3VyZSBDREsgY29udGV4dCBpbmNsdWRlcyBhY2NvdW50SWQuXCJcbiAgICAgICk7XG4gICAgfVxuXG4gICAgc3VwZXIoc2NvcGUsIGlkLCBwcm9wcyk7XG5cbiAgICB0aGlzLnJlc29sdmVkUmVnaW9uID0gcmVnaW9uO1xuXG4gICAgY29uc3Qgb3JnSWQgPSB0aGlzLm5vZGUudHJ5R2V0Q29udGV4dChcIm9yZ0lkXCIpO1xuICAgIGlmIChvcmdJZCkge1xuICAgICAgbmV3IENmbk91dHB1dCh0aGlzLCBcIk9yZ2FuaXNhdGlvbklkT3V0cHV0XCIsIHtcbiAgICAgICAga2V5OiBcIk9yZ2FuaXNhdGlvbklkXCIsXG4gICAgICAgIHZhbHVlOiBvcmdJZCxcbiAgICAgICAgZXhwb3J0TmFtZTogXCJPcmdhbmlzYXRpb25JZFwiXG4gICAgICB9KTtcbiAgICB9XG5cbiAgICBuZXcgQ2ZuT3V0cHV0KHRoaXMsIFwiQWNjb3VudElkT3V0cHV0XCIsIHtcbiAgICAgIGtleTogXCJBY2NvdW50SWRcIixcbiAgICAgIHZhbHVlOiB0aGlzLmFjY291bnQsXG4gICAgICBleHBvcnROYW1lOiBcIkFjY291bnRJZFwiLFxuICAgICAgZGVzY3JpcHRpb246IFwiQVdTIEFjY291bnQgSUQgZm9yIHRoaXMgYWNjb3VudFwiXG4gICAgfSk7XG5cbiAgICBjb25zdCBldmVudEJ1cyA9IG5ldyBEZWZhdWx0RXZlbnRCdXModGhpcywgXCJFdmVudEJ1c1wiKTtcblxuICAgIGNvbnN0IGlwYW1Qb29sSWQgPSB0aGlzLm5vZGUudHJ5R2V0Q29udGV4dChcImlwYW1Qb29sSWRcIik7XG4gICAgaWYgKGlkID09PSBcIkFjY291bnRcIiAmJiBpcGFtUG9vbElkKSB7XG4gICAgICBjb25zdCByZWdpb25TdWZmaXggPSByZWdpb24ucmVwbGFjZSgvLS9nLCBcIlwiKTtcbiAgICAgIG5ldyBDZm5PdXRwdXQodGhpcywgXCJJcGFtUG9vbElkT3V0cHV0XCIsIHtcbiAgICAgICAga2V5OiBgSXBhbVBvb2xJZCR7YWNjb3VudElkfSR7cmVnaW9uU3VmZml4fWAsXG4gICAgICAgIHZhbHVlOiBpcGFtUG9vbElkLFxuICAgICAgICBleHBvcnROYW1lOiBgSXBhbVBvb2xJZCR7YWNjb3VudElkfSR7cmVnaW9uU3VmZml4fWBcbiAgICAgIH0pO1xuICAgIH1cblxuICAgIGNvbnN0IGZqYWxsT3JnSWQgPSB0aGlzLm5vZGUudHJ5R2V0Q29udGV4dChcImZqYWxsT3JnSWRcIik7XG4gICAgY29uc3Qgb2lkY0FscmVhZHlDb25maWd1cmVkID1cbiAgICAgIHRoaXMubm9kZS50cnlHZXRDb250ZXh0KFwiZmphbGxPaWRjQ29uZmlndXJlZFwiKSA9PT0gXCJ0cnVlXCI7XG4gICAgaWYgKGlkID09PSBcIkFjY291bnRcIiAmJiBmamFsbE9yZ0lkICYmICFvaWRjQWxyZWFkeUNvbmZpZ3VyZWQpIHtcbiAgICAgIG5ldyBPaWRjQ29ubmVjdG9yKHRoaXMsIFwiT2lkY0Nvbm5lY3RvclwiLCB7IGZqYWxsT3JnSWQgfSk7XG4gICAgfVxuXG4gICAgLy8gUGVyLWFjY291bnQgbW9uaXRvcmluZyByb2xlICh1bmNvbmRpdGlvbmFsOyBFeHRlcm5hbElkIGFkZGVkIHdoZW4gb3JnSWQga25vd24pXG4gICAgbmV3IEFjY291bnRNb25pdG9yaW5nUm9sZShcbiAgICAgIHRoaXMsXG4gICAgICBcIk1vbml0b3JpbmdSb2xlXCIsXG4gICAgICBmamFsbE9yZ0lkID8geyBmamFsbE9yZ0lkIH0gOiB1bmRlZmluZWRcbiAgICApO1xuXG4gICAgLy8gUGVyLWFjY291bnQgYXVkaXQgcm9sZSAoY29uZGl0aW9uYWwgb24gZmphbGxPcmdJZClcbiAgICBpZiAoZmphbGxPcmdJZCkge1xuICAgICAgbmV3IEFjY291bnRBdWRpdFJvbGUodGhpcywgXCJBdWRpdFJvbGVcIiwgeyBmamFsbE9yZ0lkIH0pO1xuICAgIH1cblxuICAgIG5ldyBNYW5hZ2VtZW50RXZlbnRzVHJhaWwodGhpcywgXCJDbG91ZFRyYWlsXCIsIHtcbiAgICAgIGFjY291bnRJZDogdGhpcy5hY2NvdW50LFxuICAgICAgcmVnaW9uXG4gICAgfSk7XG5cbiAgICBuZXcgRWNyRGVmYXVsdEltYWdlKHRoaXMsIFwiRWNyRGVmYXVsdEltYWdlXCIsIHtcbiAgICAgIHJlZ2lvbixcbiAgICAgIGFjY291bnRJZDogdGhpcy5hY2NvdW50LFxuICAgICAgZXZlbnRCdXNBcm46IGV2ZW50QnVzLmRlZmF1bHRFdmVudEJ1c0Fybi52YWx1ZVxuICAgIH0pO1xuXG4gICAgY29uc3QgZW52aXJvbm1lbnQgPSBjb25maWcuZW52aXJvbm1lbnQgfHwgXCJ1bmtub3duXCI7XG5cbiAgICBpZiAoY29uZmlnLmRpc2FzdGVyUmVjb3ZlcnlSZWdpb24pIHtcbiAgICAgIGNvbnN0IGlzQ29tcGxpYW5jZUFjY291bnQgPSBlbnZpcm9ubWVudCA9PT0gXCJjb21wbGlhbmNlXCI7XG5cbiAgICAgIGlmIChlbnZpcm9ubWVudCA9PT0gXCJwcm9kdWN0aW9uXCIgfHwgaXNDb21wbGlhbmNlQWNjb3VudCkge1xuICAgICAgICBuZXcgRGlzYXN0ZXJSZWNvdmVyeSh0aGlzLCBcIkRpc2FzdGVyUmVjb3ZlcnlcIiwge1xuICAgICAgICAgIHJlZ2lvbixcbiAgICAgICAgICBhY2NvdW50SWRcbiAgICAgICAgfSk7XG4gICAgICB9XG4gICAgfVxuXG4gICAgbmV3IENmbk91dHB1dCh0aGlzLCBcIkVudmlyb25tZW50XCIsIHtcbiAgICAgIGtleTogXCJFbnZpcm9ubWVudFwiLFxuICAgICAgdmFsdWU6IGVudmlyb25tZW50LFxuICAgICAgZXhwb3J0TmFtZTogXCJFbnZpcm9ubWVudFwiLFxuICAgICAgZGVzY3JpcHRpb246XG4gICAgICAgIFwiRW52aXJvbm1lbnQgdHlwZSBmb3IgdGhpcyBhY2NvdW50IChlLmcuLCBwcm9kdWN0aW9uLCBzdGFnaW5nLCBkZXZlbG9wbWVudClcIlxuICAgIH0pO1xuICB9XG59XG4iXX0=

package/dist/lib/patterns/aws/apexDomainPattern.d.ts

@@ -0,0 +1,26 @@
+import type { Construct } from "constructs";
+import type { IHostedZone } from "aws-cdk-lib/aws-route53";
+import type { ICertificate } from "aws-cdk-lib/aws-certificatemanager";
+import type { ManualRecord, Route53ApexProps, SubdomainDelegation } from "./interfaces/domain.js";
+export interface ApexDomainPatternResult {
+    readonly hostedZone: IHostedZone;
+    readonly certificates: Map<string, ICertificate>;
+    readonly nameServers: string[] | undefined;
+    readonly manualRecords: ManualRecord[];
+    readonly delegations: SubdomainDelegation[];
+}
+/**
+ * Composition for `registrar: "route53"`. Creates (or imports) the apex
+ * `HostedZone`, wires child-account delegations via `NsRecord` (pointing at
+ * each child's nameservers published as exports), and composes all user
+ * records + certificates.
+ *
+ * Delegation mechanism: the child Fjall account scaffolds its own
+ * `HostedZone`, and the parent simply writes NS records pointing at the
+ * child's nameservers (Fn.importValue of the child stack's nameservers
+ * output). This differs from the legacy `DomainDelegation` pattern, which
+ * uses `CrossAccountZoneDelegationRecord` to create the child HZ from the
+ * parent via IAM assume-role. Both patterns are valid for their respective
+ * semantics — see R10 in the Phase 1 plan.
+ */
+export declare function composeApexDomain(scope: Construct, props: Route53ApexProps): ApexDomainPatternResult;

package/dist/lib/patterns/aws/apexDomainPattern.js

@@ -0,0 +1,91 @@
+import { Fn } from "aws-cdk-lib";
+import { getDomainExportNames } from "@fjall/util";
+import { HostedZone } from "../../resources/aws/networking/hostedZone.js";
+import { DomainCertificate } from "../../resources/aws/networking/domainCertificate.js";
+import { NsRecord } from "../../resources/aws/networking/dnsRecord/index.js";
+import { composeTypedDnsRecords } from "./dnsRecordComposer.js";
+import { toPascalCase, getSafeZoneName } from "../../utils/capitaliseString.js";
+/**
+ * Composition for `registrar: "route53"`. Creates (or imports) the apex
+ * `HostedZone`, wires child-account delegations via `NsRecord` (pointing at
+ * each child's nameservers published as exports), and composes all user
+ * records + certificates.
+ *
+ * Delegation mechanism: the child Fjall account scaffolds its own
+ * `HostedZone`, and the parent simply writes NS records pointing at the
+ * child's nameservers (Fn.importValue of the child stack's nameservers
+ * output). This differs from the legacy `DomainDelegation` pattern, which
+ * uses `CrossAccountZoneDelegationRecord` to create the child HZ from the
+ * parent via IAM assume-role. Both patterns are valid for their respective
+ * semantics — see R10 in the Phase 1 plan.
+ */
+export function composeApexDomain(scope, props) {
+    const safeZone = toPascalCase(getSafeZoneName(props.zoneName));
+    const hostedZoneConstruct = new HostedZone(scope, `${safeZone}HostedZone`, {
+        zoneName: props.zoneName,
+        hostedZoneId: props.hostedZoneId,
+        // Only create the delegation role on the create path; imported zones do
+        // not manage IAM themselves.
+        createDelegationRole: props.hostedZoneId === undefined,
+        costAllocationEnvironment: props.costAllocationEnvironment,
+        costAllocationDomain: props.zoneName
+    });
+    const certificates = new Map();
+    (props.certificates ?? []).forEach((cert, index) => {
+        const normalised = normaliseCertificate(cert);
+        const safeCertName = toPascalCase(normalised.domainName.split(".").join(""));
+        const dc = new DomainCertificate(scope, `${safeZone}${safeCertName}Cert${index}`, {
+            domainName: normalised.domainName,
+            subjectAlternativeNames: normalised.subjectAlternativeNames,
+            transparencyLogging: normalised.transparencyLogging,
+            hostedZone: hostedZoneConstruct.hostedZone,
+            costAllocationEnvironment: props.costAllocationEnvironment,
+            costAllocationDomain: props.zoneName
+        });
+        certificates.set(normalised.domainName, dc.certificate);
+    });
+    if (props.records && props.records.length > 0) {
+        composeTypedDnsRecords(scope, hostedZoneConstruct.hostedZone, props.zoneName, props.records);
+    }
+    const delegations = props.delegations ?? [];
+    delegations.forEach((delegation, index) => {
+        const childZoneName = `${delegation.subdomain}.${props.zoneName}`;
+        const safeChild = toPascalCase(getSafeZoneName(childZoneName));
+        const childExports = getDomainExportNames(childZoneName);
+        // The child account's stack publishes the hosted-zone nameservers under a
+        // predictable output key (Phase 0 HostedZone emits `{safeZone}Nameservers`
+        // as a joined comma-separated string — we split it back at deploy time
+        // via Fn.split). The child HZ id import is declared as a cross-phase
+        // dependency — if the child stack has not deployed, CFN fails at deploy.
+        const nameserversExportName = childExports.hostedZoneId.replace(/-hosted-zone-id$/, "-nameservers");
+        const nameserversToken = Fn.importValue(nameserversExportName);
+        new NsRecord(scope, `${safeZone}Delegation${safeChild}${index}`, {
+            zone: hostedZoneConstruct.hostedZone,
+            zoneName: props.zoneName,
+            recordName: delegation.subdomain,
+            // Fn.split returns a list token suitable for a multi-value NS record.
+            values: Fn.split(",", nameserversToken)
+        });
+    });
+    return {
+        hostedZone: hostedZoneConstruct.hostedZone,
+        certificates,
+        // Name servers are only available on the create path — imported zones
+        // were pre-provisioned and CDK has no view of their NS set at synth.
+        nameServers: hostedZoneConstruct.isImported
+            ? undefined
+            : (hostedZoneConstruct.nameServers ?? undefined),
+        manualRecords: [],
+        delegations
+    };
+}
+function normaliseCertificate(cert) {
+    if (typeof cert === "string") {
+        return { domainName: cert };
+    }
+    return {
+        domainName: cert.domainName,
+        subjectAlternativeNames: cert.subjectAlternativeNames,
+        transparencyLogging: cert.transparencyLogging
+    };
+}

package/dist/lib/patterns/aws/auditRole.js

@@ -1,10 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuditRole = void 0;
-const constructs_1 = require("constructs");
-const app_1 = require("../../app");
-const auditRole_1 = require("../../resources/aws/audit/auditRole");
-const audit_1 = require("../../config/audit");
+import { Construct } from "constructs";
+import App from "../../app.js";
+import AuditRoleFactory from "../../resources/aws/audit/auditRole.js";
+import { FJALL_AUDIT_CONFIG } from "../../config/audit.js";
 /**
  * High-level pattern for adding CloudQuery audit capabilities to an application.
  *
@@ -24,21 +21,23 @@ const audit_1 = require("../../config/audit");
  * app.addCompute(/* ... *\/);
  * ```
  */
-class AuditRole extends constructs_1.Construct {
+export class AuditRole extends Construct {
+    role;
+    externalId;
     constructor(scope, id, props) {
         super(scope, id);
         // Get the App instance to access the network stack
-        const app = scope instanceof app_1.default ? scope : app_1.default.getInstance();
+        const app = scope instanceof App ? scope : App.getInstance();
         const networkStack = app.getDefaultNetworkStack();
         // Generate or use provided external ID
         this.externalId = props?.externalId || this.generateExternalId(app);
         // Create the audit role using the factory
-        this.role = auditRole_1.default.build(`${app["name"]}AuditRole`, {
-            webappAccountId: props?.webappAccountId || audit_1.FJALL_AUDIT_CONFIG.webappAwsAccountId,
+        this.role = AuditRoleFactory.build(`${app["name"]}AuditRole`, {
+            webappAccountId: props?.webappAccountId || FJALL_AUDIT_CONFIG.webappAwsAccountId,
             appName: app["name"],
             externalId: this.externalId,
-            roleNamePrefix: audit_1.FJALL_AUDIT_CONFIG.roleNamePrefix,
-            rolePath: audit_1.FJALL_AUDIT_CONFIG.rolePath
+            roleNamePrefix: FJALL_AUDIT_CONFIG.roleNamePrefix,
+            rolePath: FJALL_AUDIT_CONFIG.rolePath
         })(app, networkStack.getStack());
         // Register the role with the network stack
         networkStack.addConstruct(this.role);
@@ -53,6 +52,4 @@ class AuditRole extends constructs_1.Construct {
         return `fjall-audit-${appName.toLowerCase()}-${timestamp}`;
     }
 }
-exports.AuditRole = AuditRole;
-exports.default = AuditRole;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXVkaXRSb2xlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vbGliL3BhdHRlcm5zL2F3cy9hdWRpdFJvbGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsMkNBQXVDO0FBRXZDLG1DQUE0QjtBQUM1QixtRUFBbUU7QUFDbkUsOENBQXdEO0FBZ0J4RDs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBa0JHO0FBQ0gsTUFBYSxTQUFVLFNBQVEsc0JBQVM7SUFJdEMsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUFzQjtRQUM5RCxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBRWpCLG1EQUFtRDtRQUNuRCxNQUFNLEdBQUcsR0FBRyxLQUFLLFlBQVksYUFBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLGFBQUcsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUM3RCxNQUFNLFlBQVksR0FBRyxHQUFHLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztRQUVsRCx1Q0FBdUM7UUFDdkMsSUFBSSxDQUFDLFVBQVUsR0FBRyxLQUFLLEVBQUUsVUFBVSxJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUVwRSwwQ0FBMEM7UUFDMUMsSUFBSSxDQUFDLElBQUksR0FBRyxtQkFBZ0IsQ0FBQyxLQUFLLENBQUMsR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDLFdBQVcsRUFBRTtZQUM1RCxlQUFlLEVBQ2IsS0FBSyxFQUFFLGVBQWUsSUFBSSwwQkFBa0IsQ0FBQyxrQkFBa0I7WUFDakUsT0FBTyxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUM7WUFDcEIsVUFBVSxFQUFFLElBQUksQ0FBQyxVQUFVO1lBQzNCLGNBQWMsRUFBRSwwQkFBa0IsQ0FBQyxjQUFjO1lBQ2pELFFBQVEsRUFBRSwwQkFBa0IsQ0FBQyxRQUFRO1NBQ3RDLENBQUMsQ0FBQyxHQUFHLEVBQUUsWUFBWSxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUM7UUFFakMsMkNBQTJDO1FBQzNDLFlBQVksQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ3ZDLENBQUM7SUFFRDs7O09BR0c7SUFDSyxrQkFBa0IsQ0FBQyxHQUFRO1FBQ2pDLE1BQU0sT0FBTyxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUM1QixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDN0IsT0FBTyxlQUFlLE9BQU8sQ0FBQyxXQUFXLEVBQUUsSUFBSSxTQUFTLEVBQUUsQ0FBQztJQUM3RCxDQUFDO0NBQ0Y7QUFyQ0QsOEJBcUNDO0FBRUQsa0JBQWUsU0FBUyxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIjtcbmltcG9ydCB7IHR5cGUgUm9sZSB9IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCI7XG5pbXBvcnQgQXBwIGZyb20gXCIuLi8uLi9hcHBcIjtcbmltcG9ydCBBdWRpdFJvbGVGYWN0b3J5IGZyb20gXCIuLi8uLi9yZXNvdXJjZXMvYXdzL2F1ZGl0L2F1ZGl0Um9sZVwiO1xuaW1wb3J0IHsgRkpBTExfQVVESVRfQ09ORklHIH0gZnJvbSBcIi4uLy4uL2NvbmZpZy9hdWRpdFwiO1xuXG5leHBvcnQgaW50ZXJmYWNlIEF1ZGl0Um9sZVByb3BzIHtcbiAgLyoqXG4gICAqIE92ZXJyaWRlIHRoZSBkZWZhdWx0IEZqYWxsIHdlYmFwcCBhY2NvdW50IElEXG4gICAqIERlZmF1bHRzIHRvIHRoZSBhY2NvdW50IElEIHNwZWNpZmllZCBpbiBGSkFMTF9BVURJVF9DT05GSUdcbiAgICovXG4gIHdlYmFwcEFjY291bnRJZD86IHN0cmluZztcblxuICAvKipcbiAgICogRXh0ZXJuYWwgSUQgZm9yIGFkZGl0aW9uYWwgc2VjdXJpdHkgd2hlbiBhc3N1bWluZyB0aGUgcm9sZVxuICAgKiBJZiBub3QgcHJvdmlkZWQsIGEgdW5pcXVlIGV4dGVybmFsIElEIHdpbGwgYmUgZ2VuZXJhdGVkXG4gICAqL1xuICBleHRlcm5hbElkPzogc3RyaW5nO1xufVxuXG4vKipcbiAqIEhpZ2gtbGV2ZWwgcGF0dGVybiBmb3IgYWRkaW5nIENsb3VkUXVlcnkgYXVkaXQgY2FwYWJpbGl0aWVzIHRvIGFuIGFwcGxpY2F0aW9uLlxuICpcbiAqIFRoaXMgY3JlYXRlcyBhIGNyb3NzLWFjY291bnQgSUFNIHJvbGUgdGhhdCBncmFudHMgdGhlIEZqYWxsIHBsYXRmb3JtIHJlYWQtb25seVxuICogYWNjZXNzIHRvIGFsbCBBV1MgcmVzb3VyY2VzIGZvciBzZWN1cml0eSBhdWRpdGluZyB2aWEgQ2xvdWRRdWVyeS5cbiAqXG4gKiBAZXhhbXBsZVxuICogYGBgdHlwZXNjcmlwdFxuICogaW1wb3J0IHsgQXBwLCBBdWRpdFJvbGUgfSBmcm9tIFwiQGZqYWxsL2NvbXBvbmVudHMtaW5mcmFzdHJ1Y3R1cmVcIjtcbiAqXG4gKiBjb25zdCBhcHAgPSBBcHAuZ2V0QXBwKFwiTXlBcHBcIik7XG4gKlxuICogLy8gRXhwbGljaXQgb3B0LWluIHRvIGF1ZGl0IGNhcGFiaWxpdGllc1xuICogY29uc3QgYXVkaXRSb2xlID0gbmV3IEF1ZGl0Um9sZShhcHAsIFwiQXVkaXRSb2xlXCIpO1xuICpcbiAqIC8vIENvbnRpbnVlIHdpdGggbm9ybWFsIGFwcGxpY2F0aW9uIHNldHVwXG4gKiBhcHAuYWRkQ29tcHV0ZSgvKiAuLi4gKlxcLyk7XG4gKiBgYGBcbiAqL1xuZXhwb3J0IGNsYXNzIEF1ZGl0Um9sZSBleHRlbmRzIENvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSByb2xlOiBSb2xlO1xuICBwdWJsaWMgcmVhZG9ubHkgZXh0ZXJuYWxJZDogc3RyaW5nO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzPzogQXVkaXRSb2xlUHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpO1xuXG4gICAgLy8gR2V0IHRoZSBBcHAgaW5zdGFuY2UgdG8gYWNjZXNzIHRoZSBuZXR3b3JrIHN0YWNrXG4gICAgY29uc3QgYXBwID0gc2NvcGUgaW5zdGFuY2VvZiBBcHAgPyBzY29wZSA6IEFwcC5nZXRJbnN0YW5jZSgpO1xuICAgIGNvbnN0IG5ldHdvcmtTdGFjayA9IGFwcC5nZXREZWZhdWx0TmV0d29ya1N0YWNrKCk7XG5cbiAgICAvLyBHZW5lcmF0ZSBvciB1c2UgcHJvdmlkZWQgZXh0ZXJuYWwgSURcbiAgICB0aGlzLmV4dGVybmFsSWQgPSBwcm9wcz8uZXh0ZXJuYWxJZCB8fCB0aGlzLmdlbmVyYXRlRXh0ZXJuYWxJZChhcHApO1xuXG4gICAgLy8gQ3JlYXRlIHRoZSBhdWRpdCByb2xlIHVzaW5nIHRoZSBmYWN0b3J5XG4gICAgdGhpcy5yb2xlID0gQXVkaXRSb2xlRmFjdG9yeS5idWlsZChgJHthcHBbXCJuYW1lXCJdfUF1ZGl0Um9sZWAsIHtcbiAgICAgIHdlYmFwcEFjY291bnRJZDpcbiAgICAgICAgcHJvcHM/LndlYmFwcEFjY291bnRJZCB8fCBGSkFMTF9BVURJVF9DT05GSUcud2ViYXBwQXdzQWNjb3VudElkLFxuICAgICAgYXBwTmFtZTogYXBwW1wibmFtZVwiXSxcbiAgICAgIGV4dGVybmFsSWQ6IHRoaXMuZXh0ZXJuYWxJZCxcbiAgICAgIHJvbGVOYW1lUHJlZml4OiBGSkFMTF9BVURJVF9DT05GSUcucm9sZU5hbWVQcmVmaXgsXG4gICAgICByb2xlUGF0aDogRkpBTExfQVVESVRfQ09ORklHLnJvbGVQYXRoXG4gICAgfSkoYXBwLCBuZXR3b3JrU3RhY2suZ2V0U3RhY2soKSk7XG5cbiAgICAvLyBSZWdpc3RlciB0aGUgcm9sZSB3aXRoIHRoZSBuZXR3b3JrIHN0YWNrXG4gICAgbmV0d29ya1N0YWNrLmFkZENvbnN0cnVjdCh0aGlzLnJvbGUpO1xuICB9XG5cbiAgLyoqXG4gICAqIEdlbmVyYXRlIGEgdW5pcXVlIGV4dGVybmFsIElEIGZvciB0aGlzIGFwcGxpY2F0aW9uXG4gICAqIEZvcm1hdDogZmphbGwtYXVkaXQte2FwcE5hbWV9LXt0aW1lc3RhbXB9XG4gICAqL1xuICBwcml2YXRlIGdlbmVyYXRlRXh0ZXJuYWxJZChhcHA6IEFwcCk6IHN0cmluZyB7XG4gICAgY29uc3QgYXBwTmFtZSA9IGFwcFtcIm5hbWVcIl07XG4gICAgY29uc3QgdGltZXN0YW1wID0gRGF0ZS5ub3coKTtcbiAgICByZXR1cm4gYGZqYWxsLWF1ZGl0LSR7YXBwTmFtZS50b0xvd2VyQ2FzZSgpfS0ke3RpbWVzdGFtcH1gO1xuICB9XG59XG5cbmV4cG9ydCBkZWZhdWx0IEF1ZGl0Um9sZTtcbiJdfQ==
+export default AuditRole;

package/dist/lib/patterns/aws/buildkite.d.ts

@@ -1,7 +1,7 @@
 import { type StackProps, Stack } from "aws-cdk-lib";
 import { InstanceType } from "aws-cdk-lib/aws-ec2";
 import { type Construct } from "constructs";
-import { type KeyValue } from "../../types";
+import { type KeyValue } from "../../types.js";
 declare enum agentRelease {
     STABLE = "stable",
     BETA = "beta",