npm - @fjall/components-infrastructure - Versions diffs - 0.94.1 → 0.96.0 - Mend

@fjall/components-infrastructure 0.94.1 → 0.96.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/dist/lib/patterns/aws/vpcPeerAccepter.js ADDED Viewed

@@ -0,0 +1,196 @@
+import { Annotations, Stack } from "aws-cdk-lib";
+import { Peer, Port, SubnetType } from "aws-cdk-lib/aws-ec2";
+import { CfnResourcePolicy, StringListParameter, StringParameter } from "aws-cdk-lib/aws-ssm";
+import { CIDR_REGEX, VALIDATION_PATTERNS } from "@fjall/generator";
+import { buildSsmPrefix, DEFAULT_ORG_ID, resolveOrgId } from "../../utils/cdkContext.js";
+import { VpcPeeringAccepterRole } from "../../resources/aws/networking/vpcPeeringAccepterRole.js";
+import { isDatabase, isRelationalDatabase } from "./interfaces/database.js";
+import { isCompute, isEcsCompute } from "./interfaces/compute.js";
+export class VpcPeerAccepterFactory {
+    static build(id, props) {
+        return (app, scope) => {
+            if (props.requesterAccountIds.length === 0) {
+                throw new Error("VpcPeerAccepterFactory requires at least one requester account ID.");
+            }
+            for (const accountId of props.requesterAccountIds) {
+                if (!VALIDATION_PATTERNS.AWS_ACCOUNT_ID.test(accountId)) {
+                    throw new Error(`Invalid requester account ID "${accountId}". Must be a 12-digit AWS account ID.`);
+                }
+            }
+            const localVpc = app.getVpc(props.localVpcName);
+            const accepterRole = new VpcPeeringAccepterRole(scope, id, {
+                requesterAccountIds: props.requesterAccountIds,
+                localVpc,
+                costAllocationEnvironment: props.costAllocationEnvironment,
+                costAllocationDomain: props.costAllocationDomain
+            });
+            const orgId = resolveOrgId(app.node, DEFAULT_ORG_ID);
+            const ssmPrefix = buildSsmPrefix(orgId, app.getName());
+            const publishVpcMetadata = props.publishToSsm ?? true;
+            const vpcMetadataParams = [];
+            if (publishVpcMetadata) {
+                const vpcIdParam = new StringParameter(scope, `${id}VpcIdParam`, {
+                    parameterName: `${ssmPrefix}/vpc-id`,
+                    stringValue: localVpc.vpcId
+                });
+                const vpcCidrParam = new StringParameter(scope, `${id}VpcCidrParam`, {
+                    parameterName: `${ssmPrefix}/vpc-cidr`,
+                    stringValue: localVpc.vpcCidrBlock
+                });
+                const roleArnParam = new StringParameter(scope, `${id}PeeringRoleArnParam`, {
+                    parameterName: `${ssmPrefix}/peering-role-arn`,
+                    stringValue: accepterRole.roleArn
+                });
+                const privateSubnets = localVpc.selectSubnets({
+                    subnetType: SubnetType.PRIVATE_WITH_EGRESS
+                });
+                const routeTableIds = privateSubnets.subnets.map((s) => s.routeTable.routeTableId);
+                const routeTableIdsParam = new StringListParameter(scope, `${id}RouteTableIdsParam`, {
+                    parameterName: `${ssmPrefix}/route-table-ids`,
+                    stringListValue: routeTableIds
+                });
+                vpcMetadataParams.push(vpcIdParam, vpcCidrParam, roleArnParam, routeTableIdsParam);
+            }
+            if (vpcMetadataParams.length > 0) {
+                attachCrossAccountReadPolicy(scope, id, props.requesterAccountIds, vpcMetadataParams);
+            }
+            applyExposedResources(scope, id, ssmPrefix, props.requesterAccountIds, props.exposedResources ?? []);
+            return accepterRole;
+        };
+    }
+}
+function applyExposedResources(accepterScope, id, ssmPrefix, requesterAccountIds, entries) {
+    const seenNames = new Set();
+    for (const entry of entries) {
+        if (seenNames.has(entry.name)) {
+            throw new Error(`Duplicate exposedResource name '${entry.name}' — each exposed resource must have a unique name.`);
+        }
+        seenNames.add(entry.name);
+        for (const cidr of entry.allowedFromCidrs) {
+            if (!CIDR_REGEX.test(cidr)) {
+                throw new Error(`exposedResource '${entry.name}' has malformed CIDR '${cidr}' — expected dotted-quad/prefix-length form (e.g. 10.0.0.0/16).`);
+            }
+        }
+        const resourcePrefix = `${ssmPrefix}/resources/${entry.name}`;
+        const constructPrefix = `${id}Exposed${entry.name}`;
+        const { params, scope: resourceScope } = resolveExposedResource(accepterScope, constructPrefix, resourcePrefix, entry);
+        if (params.length > 0) {
+            attachCrossAccountReadPolicy(resourceScope, constructPrefix, requesterAccountIds, params);
+        }
+    }
+}
+function resolveExposedResource(accepterScope, constructPrefix, resourcePrefix, entry) {
+    if ("serviceName" in entry) {
+        const resource = entry.resource;
+        if (!isCompute(resource) || !isEcsCompute(resource)) {
+            throw new Error(`exposedResource '${entry.name}' carries 'serviceName' (ECS variant) but its resource is not IEcsCompute.`);
+        }
+        const scope = stackOfNode(resource.node);
+        const params = applyEcsServiceExposure(scope, constructPrefix, resourcePrefix, entry);
+        return { params, scope };
+    }
+    const resource = entry.resource;
+    if (!isDatabase(resource) || !isRelationalDatabase(resource)) {
+        throw new Error(`exposedResource '${entry.name}' has no 'serviceName' (database variant) but its resource is not IRelationalDatabase.`);
+    }
+    const scope = stackOfNode(resource.node);
+    const params = applyDatabaseExposure(scope, constructPrefix, resourcePrefix, {
+        ...entry,
+        resource
+    });
+    return { params, scope };
+}
+function applyDatabaseExposure(scope, constructPrefix, resourcePrefix, entry) {
+    const port = parseInt(entry.resource.getHostPort(), 10);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`exposedResource '${entry.name}' resolved an out-of-range port from getHostPort() (must be 1-65535); cannot open ingress.`);
+    }
+    if (entry.allowedFromCidrs.length === 0) {
+        Annotations.of(scope).addWarning(`exposedResource '${entry.name}' has no allowed CIDRs; consumers will not be able to reach it.`);
+        return [];
+    }
+    for (const cidr of entry.allowedFromCidrs) {
+        entry.resource.connections.allowFrom(Peer.ipv4(cidr), Port.tcp(port), `fjall:peer:${cidr}`);
+    }
+    return publishExposedResourceParams(scope, constructPrefix, resourcePrefix, {
+        kind: "relational-db",
+        endpoint: entry.resource.getHostEndpoint(),
+        port: String(port),
+        access: entry.access
+    });
+}
+function applyEcsServiceExposure(scope, constructPrefix, resourcePrefix, entry) {
+    const loadBalancer = entry.resource.getLoadBalancer();
+    if (!loadBalancer) {
+        throw new Error(`exposedResource '${entry.name}' targets ECS service '${entry.serviceName}' but the cluster has no load balancer (cluster.loadBalancer: false). Enable an internal ALB to expose this service.`);
+    }
+    const resolvedListenerPort = entry.port === undefined
+        ? entry.resource.getPrimaryListenerPort()
+        : undefined;
+    const port = entry.port ?? resolvedListenerPort ?? 443;
+    if (entry.port === undefined && resolvedListenerPort !== undefined) {
+        Annotations.of(scope).addInfo(`exposedResource '${entry.name}' defaulted to listener port ${resolvedListenerPort}`);
+    }
+    if (entry.allowedFromCidrs.length === 0) {
+        Annotations.of(scope).addWarning(`exposedResource '${entry.name}' has no allowed CIDRs; consumers will not be able to reach it.`);
+        return [];
+    }
+    for (const cidr of entry.allowedFromCidrs) {
+        loadBalancer.connections.allowFrom(Peer.ipv4(cidr), Port.tcp(port), `fjall:peer:${cidr}`);
+    }
+    return publishExposedResourceParams(scope, constructPrefix, resourcePrefix, {
+        kind: "ecs-service",
+        endpoint: loadBalancer.loadBalancerDnsName,
+        port: String(port)
+    });
+}
+function publishExposedResourceParams(scope, constructPrefix, resourcePrefix, values) {
+    const kindParam = new StringParameter(scope, `${constructPrefix}KindParam`, {
+        parameterName: `${resourcePrefix}/kind`,
+        stringValue: values.kind
+    });
+    const endpointParam = new StringParameter(scope, `${constructPrefix}EndpointParam`, {
+        parameterName: `${resourcePrefix}/endpoint`,
+        stringValue: values.endpoint
+    });
+    const portParam = new StringParameter(scope, `${constructPrefix}PortParam`, {
+        parameterName: `${resourcePrefix}/port`,
+        stringValue: values.port
+    });
+    const params = [kindParam, endpointParam, portParam];
+    if (values.access !== undefined) {
+        const accessParam = new StringParameter(scope, `${constructPrefix}AccessParam`, {
+            parameterName: `${resourcePrefix}/access`,
+            stringValue: values.access
+        });
+        params.push(accessParam);
+    }
+    return params;
+}
+function attachCrossAccountReadPolicy(scope, id, requesterAccountIds, parameters) {
+    const partition = Stack.of(scope).partition;
+    const principals = requesterAccountIds.map((accountId) => `arn:${partition}:iam::${accountId}:root`);
+    for (const [index, parameter] of parameters.entries()) {
+        new CfnResourcePolicy(scope, `${id}ReadPolicy${index}`, {
+            resourceArn: parameter.parameterArn,
+            policy: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Principal: { AWS: principals },
+                        Action: ["ssm:GetParameter"],
+                        Resource: parameter.parameterArn
+                    }
+                ]
+            }
+        });
+    }
+}
+function stackOfNode(node) {
+    const stack = node.scopes.find((a) => Stack.isStack(a));
+    if (!stack) {
+        throw new Error("exposedResource resource is not bound to a CDK Stack — cannot derive scope for SSM publishing.");
+    }
+    return stack;
+}

package/dist/lib/resources/aws/analytics/clickhouse.js CHANGED Viewed

@@ -12,6 +12,7 @@ import { vpcHasNatGateways } from "../../../utils/vpcUtils.js";
 import { inferAmiHardwareType } from "../compute/ecsConstants.js";
 import { createClickHouseSecurityGroup } from "./clickhouseSecurityGroup.js";
 import { generateClickHouseUserData } from "./clickhouseUserData.js";
+import { createClickHouseAlarms } from "./clickhouseAlarms.js";
 import { CLICKHOUSE_CLUSTER_NAME, DEFAULT_CLICKHOUSE_INSTANCE_TYPE, CLICKHOUSE_IMAGE, CLICKHOUSE_EBS_VOLUME_SIZE_GB, CLICKHOUSE_EBS_IOPS, CLICKHOUSE_EBS_THROUGHPUT_MBPS, CLICKHOUSE_TASK_MEMORY_MIB, CLICKHOUSE_TASK_CPU_UNITS, CLICKHOUSE_HTTP_PORT, CLICKHOUSE_NATIVE_PORT, CLICKHOUSE_PROMETHEUS_PORT, CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_SECRETS_PREFIX, CLICKHOUSE_SECRET_NAMES, CLICKHOUSE_SECRET_OPTIONS, CLICKHOUSE_HEALTH_CHECK, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONFIG_SUBDIR, CLICKHOUSE_USERS_SUBDIR, OPTIMISE_FINAL_SCHEDULE, REPLACING_MERGE_TREE_TABLES, OPTIMISE_MV_TABLES, CLICKHOUSE_CLOUDMAP_NAMESPACE, CLICKHOUSE_CLOUDMAP_SERVICE_NAME, OPTIMISE_TASK_MEMORY_MIB, OPTIMISE_TASK_CPU_UNITS, BACKUP_SCHEDULE, BACKUP_TASK_MEMORY_MIB, BACKUP_TASK_CPU_UNITS, BACKUP_RETENTION_DAYS } from "./clickhouseConstants.js";
 function createClickHouseSecret(scope, id, secretKey, description) {
     return new Secret(scope, id, {
@@ -273,7 +274,15 @@ export default class ClickHouse extends Construct {
         auditPasswordSecret.secret.grantRead(executionRole);
         backupPasswordSecret.secret.grantRead(executionRole);
         schemaPasswordSecret.secret.grantRead(executionRole);
-        // 14. Connections and outputs
+        // 14. CloudWatch alarms (CPU, memory, disk) — wired only when an SNS topic is supplied
+        if (props.alarmTopic) {
+            createClickHouseAlarms({
+                scope: this,
+                asg,
+                alarmTopic: props.alarmTopic
+            });
+        }
+        // 15. Connections and outputs
         this.connections = new Connections({
             securityGroups: [securityGroup],
             defaultPort: Port.tcp(CLICKHOUSE_HTTP_PORT)

package/dist/lib/resources/aws/analytics/clickhouseAlarms.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { Alarm } from "aws-cdk-lib/aws-cloudwatch";
+import type { AutoScalingGroup } from "aws-cdk-lib/aws-autoscaling";
+import type { ITopic } from "aws-cdk-lib/aws-sns";
+import type { Construct } from "constructs";
+export interface ClickHouseAlarmThresholds {
+    /** EC2 host CPU % over 5 min. Default 90. */
+    cpuThreshold?: number;
+    /** EC2 host memory % over 5 min (requires CWAgent). Default 80. */
+    memoryThreshold?: number;
+    /** EBS root-volume disk % used. Default 70 (warn) — paired with critical at 85. */
+    diskWarnThreshold?: number;
+    /** EBS root-volume disk % used. Default 85. */
+    diskCriticalThreshold?: number;
+}
+export interface ClickHouseAlarmsProps {
+    scope: Construct;
+    asg: AutoScalingGroup;
+    alarmTopic: ITopic;
+    config?: ClickHouseAlarmThresholds;
+}
+/**
+ * Single-node ClickHouse posture alarms. Covers host-level CPU + (optional)
+ * memory and disk via the CloudWatch Agent metric namespace `CWAgent`.
+ *
+ * Engine-level alarms (parts count, failed inserts) require the Prometheus
+ * exporter to be scraped into CW custom metrics. The Prometheus endpoint is
+ * enabled in the user-data XML (port 9363); the scraper is a follow-up.
+ *
+ * Stuck merges are detected app-side: `client.ts` queries `system.merges`
+ * every 5 min and logs `serverLogger.warn("ClickHouse", "Stuck merge detected")`
+ * when elapsed > 30 min. A CW Logs metric filter on that pattern + alarm
+ * completes the circuit once the webapp log group ARN is available here.
+ */
+export declare function createClickHouseAlarms(props: ClickHouseAlarmsProps): Alarm[];

package/dist/lib/resources/aws/analytics/clickhouseAlarms.js ADDED Viewed

@@ -0,0 +1,89 @@
+import { Duration } from "aws-cdk-lib";
+import { Alarm, ComparisonOperator, TreatMissingData } from "aws-cdk-lib/aws-cloudwatch";
+import { SnsAction } from "aws-cdk-lib/aws-cloudwatch-actions";
+import { Metric } from "aws-cdk-lib/aws-cloudwatch";
+import { ALARM_DEFAULTS, registerAlarm, buildAlarmDescription } from "../monitoring/alarmDefaults.js";
+/**
+ * Single-node ClickHouse posture alarms. Covers host-level CPU + (optional)
+ * memory and disk via the CloudWatch Agent metric namespace `CWAgent`.
+ *
+ * Engine-level alarms (parts count, failed inserts) require the Prometheus
+ * exporter to be scraped into CW custom metrics. The Prometheus endpoint is
+ * enabled in the user-data XML (port 9363); the scraper is a follow-up.
+ *
+ * Stuck merges are detected app-side: `client.ts` queries `system.merges`
+ * every 5 min and logs `serverLogger.warn("ClickHouse", "Stuck merge detected")`
+ * when elapsed > 30 min. A CW Logs metric filter on that pattern + alarm
+ * completes the circuit once the webapp log group ARN is available here.
+ */
+export function createClickHouseAlarms(props) {
+    const { scope, asg, alarmTopic, config = {} } = props;
+    const alarms = [];
+    const snsAction = new SnsAction(alarmTopic);
+    const asgName = asg.autoScalingGroupName;
+    const cpuAlarm = new Alarm(scope, "ClickHouseCpuAlarm", {
+        alarmDescription: buildAlarmDescription("ClickHouse host CPU utilisation exceeds threshold", undefined),
+        metric: new Metric({
+            namespace: "AWS/EC2",
+            metricName: "CPUUtilization",
+            dimensionsMap: { AutoScalingGroupName: asgName },
+            period: ALARM_DEFAULTS.EVALUATION_PERIOD,
+            statistic: "Average"
+        }),
+        threshold: config.cpuThreshold ?? 90,
+        evaluationPeriods: 3,
+        datapointsToAlarm: 2,
+        comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+        treatMissingData: TreatMissingData.NOT_BREACHING
+    });
+    registerAlarm(cpuAlarm, snsAction, alarms);
+    const memoryAlarm = new Alarm(scope, "ClickHouseMemoryAlarm", {
+        alarmDescription: buildAlarmDescription("ClickHouse host memory utilisation exceeds threshold (CWAgent)", undefined),
+        metric: new Metric({
+            namespace: "CWAgent",
+            metricName: "mem_used_percent",
+            dimensionsMap: { AutoScalingGroupName: asgName },
+            period: ALARM_DEFAULTS.EVALUATION_PERIOD,
+            statistic: "Average"
+        }),
+        threshold: config.memoryThreshold ?? 80,
+        evaluationPeriods: 3,
+        datapointsToAlarm: 2,
+        comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+        treatMissingData: TreatMissingData.NOT_BREACHING
+    });
+    registerAlarm(memoryAlarm, snsAction, alarms);
+    const diskWarnAlarm = new Alarm(scope, "ClickHouseDiskWarnAlarm", {
+        alarmDescription: buildAlarmDescription("ClickHouse data volume above 70% used — plan growth response", undefined),
+        metric: new Metric({
+            namespace: "CWAgent",
+            metricName: "disk_used_percent",
+            dimensionsMap: { AutoScalingGroupName: asgName },
+            period: Duration.minutes(15),
+            statistic: "Average"
+        }),
+        threshold: config.diskWarnThreshold ?? 70,
+        evaluationPeriods: 2,
+        datapointsToAlarm: 2,
+        comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+        treatMissingData: TreatMissingData.NOT_BREACHING
+    });
+    registerAlarm(diskWarnAlarm, snsAction, alarms);
+    const diskCriticalAlarm = new Alarm(scope, "ClickHouseDiskCriticalAlarm", {
+        alarmDescription: buildAlarmDescription("ClickHouse data volume above 85% used — imminent insert failures", undefined),
+        metric: new Metric({
+            namespace: "CWAgent",
+            metricName: "disk_used_percent",
+            dimensionsMap: { AutoScalingGroupName: asgName },
+            period: Duration.minutes(5),
+            statistic: "Average"
+        }),
+        threshold: config.diskCriticalThreshold ?? 85,
+        evaluationPeriods: 2,
+        datapointsToAlarm: 2,
+        comparisonOperator: ComparisonOperator.GREATER_THAN_THRESHOLD,
+        treatMissingData: TreatMissingData.NOT_BREACHING
+    });
+    registerAlarm(diskCriticalAlarm, snsAction, alarms);
+    return alarms;
+}

package/dist/lib/resources/aws/analytics/clickhouseConstants.d.ts CHANGED Viewed

@@ -60,7 +60,7 @@ export declare const CLICKHOUSE_CLOUDMAP_SERVICE_NAME = "clickhouse";
 /** Materialised views that benefit from periodic OPTIMIZE to reduce part count at read time.
  *  These are not ReplacingMergeTree (no dedup needed) but un-merged parts force
  *  read-time aggregation which degrades query performance. */
-export declare const OPTIMISE_MV_TABLES: readonly ["metrics_hourly_mv", "metrics_daily_mv", "response_time_quantiles_hourly_mv", "deployment_duration_quantiles_daily_mv", "log_severity_hourly_mv", "compliance_score_daily_mv", "ai_usage_daily_mv"];
+export declare const OPTIMISE_MV_TABLES: readonly ["metrics_hourly_mv", "metrics_daily_mv", "response_time_quantiles_hourly_mv", "deployment_duration_quantiles_daily_mv", "log_severity_hourly_mv", "compliance_score_daily_mv", "ai_usage_daily_mv", "finding_daily_aggregate", "insight_pattern_dismissals"];
 /** Resource allocation for the lightweight optimise task. */
 export declare const OPTIMISE_TASK_MEMORY_MIB = 256;
 export declare const OPTIMISE_TASK_CPU_UNITS = 256;

package/dist/lib/resources/aws/analytics/clickhouseConstants.js CHANGED Viewed

@@ -73,7 +73,9 @@ export const OPTIMISE_MV_TABLES = [
     "deployment_duration_quantiles_daily_mv",
     "log_severity_hourly_mv",
     "compliance_score_daily_mv",
-    "ai_usage_daily_mv"
+    "ai_usage_daily_mv",
+    "finding_daily_aggregate",
+    "insight_pattern_dismissals"
 ];
 /** Resource allocation for the lightweight optimise task. */
 export const OPTIMISE_TASK_MEMORY_MIB = 256;

package/dist/lib/resources/aws/analytics/clickhouseTypes.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { IVpc, ISecurityGroup } from "aws-cdk-lib/aws-ec2";
 import type { IBucket } from "aws-cdk-lib/aws-s3";
 import type { ISecret } from "aws-cdk-lib/aws-secretsmanager";
+import type { ITopic } from "aws-cdk-lib/aws-sns";
 /** Props for the ClickHouse CDK construct. */
 export interface ClickHouseProps {
     /** VPC to deploy into. */
@@ -21,6 +22,11 @@ export interface ClickHouseProps {
      * If omitted, tiered storage is disabled (local-only).
      */
     r2Config?: ClickHouseR2Config;
+    /**
+     * SNS topic for CloudWatch alarms (CPU, memory, disk).
+     * If omitted, posture alarms are not created.
+     */
+    alarmTopic?: ITopic;
 }
 /** Cloudflare R2 configuration for tiered storage and backups. */
 export interface ClickHouseR2Config {

package/dist/lib/resources/aws/analytics/clickhouseUserData.d.ts CHANGED Viewed

@@ -2,4 +2,5 @@ export interface ClickHouseUserDataOptions {
     /** Cloudflare account ID for R2 cold storage. If omitted, local-only storage is used. */
     cfAccountId?: string;
 }
+export declare const USERS_CONFIG_XML = "<clickhouse>\n    <users>\n        <default>\n            <networks>\n                <ip>127.0.0.1</ip>\n                <ip>::1</ip>\n            </networks>\n        </default>\n    </users>\n    <profiles>\n        <default>\n            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>\n        </default>\n        <app_writer>\n            <max_threads>2</max_threads>\n            <max_insert_threads>1</max_insert_threads>\n            <max_concurrent_queries_for_user>4</max_concurrent_queries_for_user>\n            <log_queries_min_query_duration_ms>100</log_queries_min_query_duration_ms>\n            <optimize_move_to_prewhere>1</optimize_move_to_prewhere>\n            <use_query_condition_cache>1</use_query_condition_cache>\n            <!-- Re-enable skip indexes under FINAL (tenantQuery auto-FINALs RMT tables;\n                 default disables idx_aws_account, idx_application, idx_dedup, idx_fingerprint). -->\n            <use_skip_indexes_if_final>1</use_skip_indexes_if_final>\n            <async_insert>1</async_insert>\n            <wait_for_async_insert>1</wait_for_async_insert>\n            <async_insert_max_data_size>10000000</async_insert_max_data_size>\n            <!-- Adaptive batching: tune flush window between 50 ms (low-latency rare inserts)\n                 and 2 s (absorbs bursts). A single fixed value is silently overridden by the\n                 adaptive algorithm. -->\n            <async_insert_busy_timeout_min_ms>50</async_insert_busy_timeout_min_ms>\n            <async_insert_busy_timeout_max_ms>2000</async_insert_busy_timeout_max_ms>\n            <async_insert_use_adaptive_busy_timeout>1</async_insert_use_adaptive_busy_timeout>\n            <input_format_parallel_parsing>0</input_format_parallel_parsing>\n            <output_format_parallel_formatting>0</output_format_parallel_formatting>\n            <max_memory_usage_for_user>2684354560</max_memory_usage_for_user>\n            <max_bytes_before_external_sort>536870912</max_bytes_before_external_sort>\n            <max_bytes_before_external_group_by>536870912</max_bytes_before_external_group_by>\n        </app_writer>\n        <readonly>\n            <readonly>1</readonly>\n        </readonly>\n    </profiles>\n    <quotas>\n        <tenant_default>\n            <interval>\n                <duration>3600</duration>\n                <queries>1000</queries>\n                <result_rows>10000000</result_rows>\n            </interval>\n        </tenant_default>\n    </quotas>\n</clickhouse>";
 export declare function generateClickHouseUserData(options?: ClickHouseUserDataOptions): string;

package/dist/lib/resources/aws/analytics/clickhouseUserData.js CHANGED Viewed

@@ -96,7 +96,6 @@ function generateServerConfigXml(cfAccountId) {
     </merge_tree>
     <http_port>${CLICKHOUSE_HTTP_PORT}</http_port>
     <custom_settings_prefixes>current_</custom_settings_prefixes>
-    <allow_experimental_full_text_index>1</allow_experimental_full_text_index>
     <!-- HTTP keep-alive window. Must exceed @clickhouse/client idle_socket_ttl (15 s)
          so the client always closes the socket first. Prevents ECONNRESET on reuse. -->
     <keep_alive_timeout>30</keep_alive_timeout>
@@ -145,7 +144,7 @@ ${storageBlock}
     <processors_profile_log remove="1"/>
 </clickhouse>`;
 }
-const USERS_CONFIG_XML = `<clickhouse>
+export const USERS_CONFIG_XML = `<clickhouse>
     <users>
         <default>
             <networks>
@@ -161,6 +160,8 @@ const USERS_CONFIG_XML = `<clickhouse>
         <app_writer>
             <max_threads>2</max_threads>
             <max_insert_threads>1</max_insert_threads>
+            <max_concurrent_queries_for_user>4</max_concurrent_queries_for_user>
+            <log_queries_min_query_duration_ms>100</log_queries_min_query_duration_ms>
             <optimize_move_to_prewhere>1</optimize_move_to_prewhere>
             <use_query_condition_cache>1</use_query_condition_cache>
             <!-- Re-enable skip indexes under FINAL (tenantQuery auto-FINALs RMT tables;

package/dist/lib/resources/aws/analytics/index.d.ts CHANGED Viewed

@@ -1,2 +1,4 @@
 export { default as ClickHouse } from "./clickhouse.js";
 export type { ClickHouseProps, ClickHouseR2Config, ClickHouseOutputs } from "./clickhouseTypes.js";
+export { createClickHouseAlarms } from "./clickhouseAlarms.js";
+export type { ClickHouseAlarmThresholds, ClickHouseAlarmsProps } from "./clickhouseAlarms.js";

package/dist/lib/resources/aws/analytics/index.js CHANGED Viewed

	@@ -1 +1,2 @@
1 1	export { default as ClickHouse } from "./clickhouse.js";
2	+ export { createClickHouseAlarms } from "./clickhouseAlarms.js";

package/dist/lib/resources/aws/compute/ecsRemoteConnections.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Synth-time resolver for ECS `remoteConnections` — turns each declared
+ * cross-app resource into a pair of `${PREFIX}_HOST` / `${PREFIX}_PORT` env
+ * vars resolved from SSM (`StringParameter.valueForStringParameter`) and
+ * indexed by service name for downstream merge into container environments.
+ *
+ * SSM path layout (matches the accepter side's publishing layout in
+ * `vpcPeerAccepter.ts`):
+ *   /fjall/{orgId ?? "default"}/{peer.peerAppName}/resources/{resource}/endpoint
+ *   /fjall/{orgId ?? "default"}/{peer.peerAppName}/resources/{resource}/port
+ *
+ * Default env-var prefix: `${toScreamingSnake(peer.peerAppName)}_${toScreamingSnake(resource)}`.
+ * Override via `RemoteConnectionSpec.envPrefix`.
+ */
+import { type Construct } from "constructs";
+import { type IVpcPeer } from "../../../utils/vpcPeerInterface.js";
+export interface RemoteConnectionSpec {
+    peer: IVpcPeer;
+    resource: string;
+    envPrefix?: string;
+}
+interface ServiceWithRemoteConnections {
+    name: string;
+    remoteConnections?: RemoteConnectionSpec[];
+}
+/**
+ * Resolve `remoteConnections` for every service into a per-service env-var
+ * bag. Returns `Record<serviceName, Record<envVarName, value>>`.
+ *
+ * Validates each `RemoteConnectionSpec` at synth time:
+ * - `resource` matches `RESOURCE_NAME_PATTERN` (PascalCase).
+ * - `envPrefix` (when supplied) matches `ENV_PREFIX_PATTERN`.
+ * - `peer.peerAppName` is defined and is not a CFN token — token-derived app
+ *   names produce `${Token[…]}` literals in env-var names, breaking ECS task
+ *   definitions silently.
+ */
+export declare function resolveRemoteConnections(services: ServiceWithRemoteConnections[], scope: Construct, orgId: string | undefined): Record<string, Record<string, string>>;
+export {};

package/dist/lib/resources/aws/compute/ecsRemoteConnections.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Synth-time resolver for ECS `remoteConnections` — turns each declared
+ * cross-app resource into a pair of `${PREFIX}_HOST` / `${PREFIX}_PORT` env
+ * vars resolved from SSM (`StringParameter.valueForStringParameter`) and
+ * indexed by service name for downstream merge into container environments.
+ *
+ * SSM path layout (matches the accepter side's publishing layout in
+ * `vpcPeerAccepter.ts`):
+ *   /fjall/{orgId ?? "default"}/{peer.peerAppName}/resources/{resource}/endpoint
+ *   /fjall/{orgId ?? "default"}/{peer.peerAppName}/resources/{resource}/port
+ *
+ * Default env-var prefix: `${toScreamingSnake(peer.peerAppName)}_${toScreamingSnake(resource)}`.
+ * Override via `RemoteConnectionSpec.envPrefix`.
+ */
+import { Token } from "aws-cdk-lib";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { VALIDATION_PATTERNS } from "@fjall/generator";
+import { buildSsmPrefix, DEFAULT_ORG_ID } from "../../../utils/cdkContext.js";
+import { toScreamingSnake } from "../../../utils/capitaliseString.js";
+const RESOURCE_NAME_PATTERN = VALIDATION_PATTERNS.RESOURCE_NAME;
+/** SCREAMING_SNAKE_CASE env-var prefix (digits allowed, must start with letter). */
+const ENV_PREFIX_PATTERN = /^[A-Z][A-Z0-9_]*$/;
+/**
+ * Resolve `remoteConnections` for every service into a per-service env-var
+ * bag. Returns `Record<serviceName, Record<envVarName, value>>`.
+ *
+ * Validates each `RemoteConnectionSpec` at synth time:
+ * - `resource` matches `RESOURCE_NAME_PATTERN` (PascalCase).
+ * - `envPrefix` (when supplied) matches `ENV_PREFIX_PATTERN`.
+ * - `peer.peerAppName` is defined and is not a CFN token — token-derived app
+ *   names produce `${Token[…]}` literals in env-var names, breaking ECS task
+ *   definitions silently.
+ */
+export function resolveRemoteConnections(services, scope, orgId) {
+    const byService = {};
+    for (const service of services) {
+        const specs = service.remoteConnections ?? [];
+        if (specs.length === 0)
+            continue;
+        const envVars = {};
+        const seenPrefixes = new Set();
+        for (const spec of specs) {
+            const peerAppName = validateSpec(service.name, spec);
+            const peerOrgId = spec.peer.peerOrgId ?? orgId ?? DEFAULT_ORG_ID;
+            const ssmPrefix = `${buildSsmPrefix(peerOrgId, peerAppName)}/resources/${spec.resource}`;
+            const endpoint = StringParameter.valueForStringParameter(scope, `${ssmPrefix}/endpoint`);
+            const port = StringParameter.valueForStringParameter(scope, `${ssmPrefix}/port`);
+            const prefix = spec.envPrefix ??
+                `${toScreamingSnake(peerAppName)}_${toScreamingSnake(spec.resource)}`;
+            if (seenPrefixes.has(prefix)) {
+                throw new Error(`remoteConnections on service '${service.name}': duplicate env-var prefix '${prefix}' — set distinct envPrefix on each spec to avoid silently clobbering ${prefix}_HOST and ${prefix}_PORT.`);
+            }
+            seenPrefixes.add(prefix);
+            envVars[`${prefix}_HOST`] = endpoint;
+            envVars[`${prefix}_PORT`] = port;
+        }
+        byService[service.name] = envVars;
+    }
+    return byService;
+}
+function validateSpec(serviceName, spec) {
+    if (!RESOURCE_NAME_PATTERN.test(spec.resource)) {
+        throw new Error(`remoteConnections on service '${serviceName}': resource '${spec.resource}' is not a valid PascalCase resource name (must match ${RESOURCE_NAME_PATTERN.source}).`);
+    }
+    if (spec.envPrefix !== undefined &&
+        !ENV_PREFIX_PATTERN.test(spec.envPrefix)) {
+        throw new Error(`remoteConnections on service '${serviceName}': envPrefix '${spec.envPrefix}' is not SCREAMING_SNAKE_CASE (must match ${ENV_PREFIX_PATTERN.source}).`);
+    }
+    const peerAppName = spec.peer.peerAppName;
+    if (peerAppName === undefined) {
+        throw new Error(`remoteConnections on service '${serviceName}': peer.peerAppName is undefined — pass a peer built via VpcPeerFactory.build() so the SSM path can be resolved at synth.`);
+    }
+    if (typeof peerAppName === "string" && peerAppName.length === 0) {
+        throw new Error(`remoteConnections on service '${serviceName}': peer.peerAppName is an empty string, which would produce malformed env-var names and an invalid SSM path. Pass a literal app name (typically the Fjall app's name string).`);
+    }
+    if (Token.isUnresolved(peerAppName)) {
+        throw new Error(`remoteConnections on service '${serviceName}': peer.peerAppName is a CFN token, which would corrupt env-var names. Pass a literal app name (typically the Fjall app's name string).`);
+    }
+    return peerAppName;
+}

package/dist/lib/resources/aws/compute/ecsTaskDefinition.js CHANGED Viewed

@@ -3,9 +3,11 @@ import { Duration } from "aws-cdk-lib";
 import { Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
 import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { StringParameter } from "aws-cdk-lib/aws-ssm";
+import { resolveOrgId } from "../../../utils/cdkContext.js";
 import { validateSsmPathComponent } from "./ecsValidation.js";
 import { DEFAULT_LOG_RETENTION_DAYS } from "./ecsConstants.js";
 import { getContainerImage } from "./ecsImages.js";
+import { resolveRemoteConnections } from "./ecsRemoteConnections.js";
 // Re-export extracted functions so existing consumers are not broken
 export { createExecutionRole, createTaskRole } from "./ecsRoles.js";
 export { getContainerImage } from "./ecsImages.js";
@@ -91,6 +93,9 @@ export function createTaskDefinition(ctx, serviceName, serviceProps, executionRo
 export function addContainersToTask(ctx, serviceName, serviceProps, taskDefinition) {
     const containers = [];
     let primaryContainer;
+    const orgId = resolveOrgId(ctx.scope.node);
+    const remoteEnvByService = resolveRemoteConnections([serviceProps], ctx.scope, orgId);
+    const remoteEnv = remoteEnvByService[serviceName] ?? {};
     for (const containerConfig of serviceProps.containers) {
         const image = getContainerImage(ctx, serviceName, containerConfig, serviceProps);
         const isFirstWithPort = !primaryContainer && containerConfig.port !== undefined;
@@ -125,8 +130,11 @@ export function addContainersToTask(ctx, serviceName, serviceProps, taskDefiniti
                 streamPrefix: `/ecs/${ctx.props.clusterName}/${serviceName}`,
                 logRetention: DEFAULT_LOG_RETENTION_DAYS
             }),
+            // remoteEnv (cross-app `${PREFIX}_HOST/_PORT`) intentionally overrides user
+            // values — a stale manual setting must not mask the resolved peer.
             environment: {
                 ...containerConfig.environment,
+                ...remoteEnv,
                 ...(containerConfig.port
                     ? { PORT: String(containerConfig.port) }
                     : {})

package/dist/lib/resources/aws/compute/ecsTypes.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import { type Role } from "aws-cdk-lib/aws-iam";
 import { type HostedZone as FjallHostedZone } from "../networking/hostedZone.js";
 import { type Certificate } from "aws-cdk-lib/aws-certificatemanager";
 import { type ConnectionSpec } from "../../../utils/connector.js";
+import { type RemoteConnectionSpec } from "./ecsRemoteConnections.js";
 import { type SecretImport } from "../secrets/index.js";
 import type { ManagedDomainExports } from "../../../utils/domainTypes.js";
 import type { ITopic } from "aws-cdk-lib/aws-sns";
@@ -249,6 +250,12 @@ export interface EcsServiceProps {
      * ]
      */
     connections?: ConnectionSpec[];
+    /**
+     * Cross-app resources reachable via VPC peering. Resolved at synth time
+     * into `${PREFIX}_HOST` / `${PREFIX}_PORT` env vars merged into every
+     * container in this service's task definition.
+     */
+    remoteConnections?: RemoteConnectionSpec[];
     /**
      * Capacity provider for this service. REQUIRED.
      * Each service specifies its own capacity provider.