@fjall/components-infrastructure 0.94.1 → 0.96.0

package/dist/lib/resources/aws/iam/delegationRole.js

@@ -1,9 +1,10 @@
 import { Construct } from "constructs";
-import { CfnOutput, Fn, Tags } from "aws-cdk-lib";
+import { ArnFormat, CfnOutput, Fn, Stack, Tags } from "aws-cdk-lib";
 import { OrganizationPrincipal, PolicyDocument, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { getDomainExportNames } from "@fjall/util";
 import { Role } from "./role.js";
 import { toPascalCase, getSafeZoneName } from "../../../utils/capitaliseString.js";
+import { DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
 export class DelegationRole extends Construct {
     role;
     roleArn;
@@ -14,7 +15,6 @@ export class DelegationRole extends Construct {
         const firstLabel = props.zoneName.split(".")[0] ?? "default";
         const safeFirstLabel = toPascalCase(firstLabel);
         const safeZone = toPascalCase(getSafeZoneName(props.zoneName));
-        const _kebabZone = props.zoneName.replace(/\./g, "-");
         this.description =
             props.description ??
                 `Fjall-managed cross-account delegation role for ${props.zoneName}`;
@@ -36,7 +36,14 @@ export class DelegationRole extends Construct {
                         new PolicyStatement({
                             actions: ["route53:ChangeResourceRecordSets"],
                             resources: [
-                                `arn:aws:route53:::hostedzone/${props.hostedZone.hostedZoneId}`
+                                Stack.of(this).formatArn({
+                                    service: "route53",
+                                    region: "",
+                                    account: "",
+                                    resource: "hostedzone",
+                                    resourceName: props.hostedZone.hostedZoneId,
+                                    arnFormat: ArnFormat.SLASH_RESOURCE_NAME
+                                })
                             ]
                         })
                     ]
@@ -46,7 +53,7 @@ export class DelegationRole extends Construct {
         props.hostedZone.grantDelegation(role);
         this.role = role;
         this.roleArn = role.roleArn;
-        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? "management");
+        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
         Tags.of(this).add("fjall:costAllocation:service", "delegationRole");
         Tags.of(this).add("fjall:costAllocation:domain", props.costAllocationDomain ?? props.zoneName);
         const exportName = getDomainExportNames(props.zoneName).delegationRoleArn;

package/dist/lib/resources/aws/networking/crossAccountDelegationRecord.js

@@ -1,6 +1,7 @@
 import { Construct } from "constructs";
 import { Tags } from "aws-cdk-lib";
 import { CrossAccountZoneDelegationRecord as CdkCrossAccountZoneDelegationRecord } from "aws-cdk-lib/aws-route53";
+import { DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
 // CDK's CrossAccountZoneDelegationRecord is a custom-resource Lambda: user-level tags
 // on the record itself may not reach AWS. We tag the wrapping Fjall Construct for
 // assertion purposes; create-path tags still propagate to child resources (Lambda,
@@ -19,7 +20,7 @@ export class CrossAccountDelegationRecord extends Construct {
             parentHostedZoneName: props.parentHostedZoneName
         });
         Tags.of(this).add("fjall:description", this.description);
-        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? "management");
+        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
         Tags.of(this).add("fjall:costAllocation:service", "crossAccountDelegation");
         Tags.of(this).add("fjall:costAllocation:domain", props.costAllocationDomain ?? props.delegatedZoneName);
     }

package/dist/lib/resources/aws/networking/crossAccountReturnRoutes.d.ts

@@ -0,0 +1,40 @@
+import { Construct } from "constructs";
+import { CustomResource } from "../utilities/customResource.js";
+/**
+ * Properties for {@link CrossAccountReturnRoutes}.
+ *
+ * The route-table IDs are passed as a comma-joined string because CloudFormation
+ * custom-resource properties are flat strings. Inside the handler (which runs
+ * after CFN token resolution) the string is split back into an array.
+ */
+export interface CrossAccountReturnRoutesProps {
+    /** ARN of the accepter-account role the Lambda assumes to make EC2 calls. */
+    readonly peerRoleArn: string;
+    /** Region of the accepter VPC (so the EC2 client targets the correct region). */
+    readonly peerRegion: string;
+    /** Route-table IDs in the accepter VPC that should receive return routes. */
+    readonly routeTableIds: string[];
+    /** Local VPC CIDR — destination of the return routes in the accepter's tables. */
+    readonly localVpcCidr: string;
+    /** The peering connection ID (the target of the return routes). */
+    readonly peeringConnectionId: string;
+    /** Whether to also set `AccepterPeeringConnectionOptions.AllowDnsResolutionFromRemoteVpc`. */
+    readonly enableDns?: boolean;
+}
+/**
+ * Cross-account return-route manager for a VPC peering connection.
+ *
+ * Uses the shared {@link CustomResource} wrapper with an inline Lambda handler.
+ * The Lambda's execution role is local to the requester account — it holds only
+ * `sts:AssumeRole` on the accepter role. All EC2 calls happen under the assumed
+ * credentials in the accepter account.
+ *
+ * Create paths add `CreateRouteCommand` entries per route-table ID; delete
+ * paths reverse them via `DeleteRouteCommand`. When `enableDns` is true the
+ * handler additionally calls `ModifyVpcPeeringConnectionOptionsCommand` on the
+ * accepter side so DNS resolution works bidirectionally.
+ */
+export declare class CrossAccountReturnRoutes extends Construct {
+    readonly customResource: CustomResource;
+    constructor(scope: Construct, id: string, props: CrossAccountReturnRoutesProps);
+}

package/dist/lib/resources/aws/networking/crossAccountReturnRoutes.js

@@ -0,0 +1,154 @@
+import { Construct } from "constructs";
+import { Duration } from "aws-cdk-lib";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { CustomResource } from "../utilities/customResource.js";
+/**
+ * Cross-account return-route manager for a VPC peering connection.
+ *
+ * Uses the shared {@link CustomResource} wrapper with an inline Lambda handler.
+ * The Lambda's execution role is local to the requester account — it holds only
+ * `sts:AssumeRole` on the accepter role. All EC2 calls happen under the assumed
+ * credentials in the accepter account.
+ *
+ * Create paths add `CreateRouteCommand` entries per route-table ID; delete
+ * paths reverse them via `DeleteRouteCommand`. When `enableDns` is true the
+ * handler additionally calls `ModifyVpcPeeringConnectionOptionsCommand` on the
+ * accepter side so DNS resolution works bidirectionally.
+ */
+export class CrossAccountReturnRoutes extends Construct {
+    customResource;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.customResource = new CustomResource(this, "Handler", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: Duration.minutes(5),
+            lambdaDescription: `${id} cross-account return-route manager`,
+            roleDescription: `${id} return-route Lambda execution role`,
+            inlinePolicy: [
+                new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: ["sts:AssumeRole"],
+                    resources: [props.peerRoleArn]
+                })
+            ],
+            properties: {
+                PeerRoleArn: props.peerRoleArn,
+                PeerRegion: props.peerRegion,
+                RouteTableIds: props.routeTableIds.join(","),
+                LocalVpcCidr: props.localVpcCidr,
+                PeeringConnectionId: props.peeringConnectionId,
+                EnableDns: props.enableDns === false ? "false" : "true"
+            },
+            inlineCode: HANDLER_SOURCE
+        });
+    }
+}
+// Handler source. Inline because the CustomResource utility expects a string;
+// extracting to its own file would require switching to a bundled asset.
+const HANDLER_SOURCE = `
+const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts");
+const {
+  EC2Client,
+  CreateRouteCommand,
+  DeleteRouteCommand,
+  ModifyVpcPeeringConnectionOptionsCommand
+} = require("@aws-sdk/client-ec2");
+
+async function buildAccepterClient(props) {
+  const sts = new STSClient({});
+  const assumed = await sts.send(new AssumeRoleCommand({
+    RoleArn: props.PeerRoleArn,
+    RoleSessionName: "fjall-vpc-peer-return-routes"
+  }));
+  const creds = assumed.Credentials;
+  if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) {
+    throw new Error("AssumeRole returned no credentials");
+  }
+  return new EC2Client({
+    region: props.PeerRegion,
+    credentials: {
+      accessKeyId: creds.AccessKeyId,
+      secretAccessKey: creds.SecretAccessKey,
+      sessionToken: creds.SessionToken
+    }
+  });
+}
+
+function parseRouteTableIds(value) {
+  if (!value) return [];
+  return value.split(",").map((s) => s.trim()).filter(Boolean);
+}
+
+exports.handler = async (event) => {
+  const props = event.ResourceProperties || {};
+  const physicalResourceId = event.PhysicalResourceId || event.LogicalResourceId || "return-routes";
+  const routeTableIds = parseRouteTableIds(props.RouteTableIds);
+  const ec2 = await buildAccepterClient(props);
+
+  if (event.RequestType === "Delete") {
+    for (const routeTableId of routeTableIds) {
+      try {
+        await ec2.send(new DeleteRouteCommand({
+          RouteTableId: routeTableId,
+          DestinationCidrBlock: props.LocalVpcCidr
+        }));
+      } catch (err) {
+        const name = err && err.name;
+        if (name === "InvalidRoute.NotFound" || name === "InvalidRouteTableID.NotFound") {
+          continue;
+        }
+        throw err;
+      }
+    }
+    return { PhysicalResourceId: physicalResourceId };
+  }
+
+  if (event.RequestType === "Update") {
+    const oldProps = event.OldResourceProperties || {};
+    const oldRouteTableIds = parseRouteTableIds(oldProps.RouteTableIds);
+    const currentSet = new Set(routeTableIds);
+    const removedIds = oldRouteTableIds.filter((id) => !currentSet.has(id));
+    for (const routeTableId of removedIds) {
+      try {
+        await ec2.send(new DeleteRouteCommand({
+          RouteTableId: routeTableId,
+          DestinationCidrBlock: oldProps.LocalVpcCidr || props.LocalVpcCidr
+        }));
+      } catch (err) {
+        const name = err && err.name;
+        if (name === "InvalidRoute.NotFound" || name === "InvalidRouteTableID.NotFound") {
+          continue;
+        }
+        throw err;
+      }
+    }
+  }
+
+  for (const routeTableId of routeTableIds) {
+    try {
+      await ec2.send(new CreateRouteCommand({
+        RouteTableId: routeTableId,
+        DestinationCidrBlock: props.LocalVpcCidr,
+        VpcPeeringConnectionId: props.PeeringConnectionId
+      }));
+    } catch (err) {
+      const name = err && err.name;
+      if (name !== "RouteAlreadyExists") {
+        throw err;
+      }
+    }
+  }
+
+  if (props.EnableDns === "true") {
+    await ec2.send(new ModifyVpcPeeringConnectionOptionsCommand({
+      VpcPeeringConnectionId: props.PeeringConnectionId,
+      AccepterPeeringConnectionOptions: {
+        AllowDnsResolutionFromRemoteVpc: true
+      }
+    }));
+  }
+
+  return { PhysicalResourceId: physicalResourceId };
+};
+`.trim();

package/dist/lib/resources/aws/networking/dnsRecord/dnsRecordBase.js

@@ -1,5 +1,6 @@
 import { Duration, Tags } from "aws-cdk-lib";
 import { DNS_APEX } from "@fjall/util";
+import { DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../../utils/costAllocationTags.js";
 export const DEFAULT_DNS_TTL_SECONDS = 300;
 export function resolveFqdn(zoneName, recordName) {
     return recordName === DNS_APEX ? zoneName : `${recordName}.${zoneName}`;
@@ -11,7 +12,7 @@ export function defaultDnsComment(recordType, fqdn) {
     return `Fjall-managed ${recordType} record for ${fqdn}`;
 }
 export function applyDnsRecordTags(construct, props) {
-    Tags.of(construct).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? "management");
+    Tags.of(construct).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
     Tags.of(construct).add("fjall:costAllocation:service", "dnsRecord");
     Tags.of(construct).add("fjall:costAllocation:domain", props.costAllocationDomain ?? props.zoneName);
 }

package/dist/lib/resources/aws/networking/domainCertificate.js

@@ -3,6 +3,7 @@ import { CfnOutput, Tags } from "aws-cdk-lib";
 import { Certificate, CertificateValidation } from "aws-cdk-lib/aws-certificatemanager";
 import { getDomainExportNames } from "@fjall/util";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
+import { DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
 export class DomainCertificate extends Construct {
     certificate;
     certificateArn;
@@ -20,7 +21,7 @@ export class DomainCertificate extends Construct {
         });
         this.certificateArn = this.certificate.certificateArn;
         Tags.of(this).add("fjall:description", this.description);
-        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? "management");
+        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
         Tags.of(this).add("fjall:costAllocation:service", "certificate");
         Tags.of(this).add("fjall:costAllocation:domain", props.costAllocationDomain ?? props.domainName);
         const safeKey = toPascalCase(props.domainName.split(".").join(""));

package/dist/lib/resources/aws/networking/hostedZone.js

@@ -4,6 +4,7 @@ import { HostedZone as AWSHostedZone } from "aws-cdk-lib/aws-route53";
 import { getDomainExportNames } from "@fjall/util";
 import { toPascalCase, getSafeZoneName } from "../../../utils/capitaliseString.js";
 import { DelegationRole } from "../iam/delegationRole.js";
+import { DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
 export class HostedZoneFactory {
     static import(stack, hostedZoneId, zoneName, opts) {
         const safeZone = toPascalCase(getSafeZoneName(zoneName));
@@ -71,7 +72,7 @@ export class HostedZone extends Construct {
             Tags.of(this).add("fjall:description", this.description);
         }
         // Cost allocation tags applied uniformly on both create and import paths.
-        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? "management");
+        Tags.of(this).add("fjall:costAllocation:environment", props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
         Tags.of(this).add("fjall:costAllocation:service", "hostedZone");
         Tags.of(this).add("fjall:costAllocation:domain", props.costAllocationDomain ?? props.zoneName);
         new CfnOutput(this, `${safeZone}HostedZoneId`, {

package/dist/lib/resources/aws/networking/index.d.ts

@@ -1,4 +1,5 @@
 export * from "./crossAccountDelegationRecord.js";
+export * from "./crossAccountReturnRoutes.js";
 export * from "./dnsRecord/index.js";
 export * from "./domainCertificate.js";
 export * from "./hostedZone.js";
@@ -6,3 +7,5 @@ export * from "./ipam.js";
 export * from "./ipamPool.js";
 export * from "./securityGroup.js";
 export * from "./vpc.js";
+export * from "./vpcPeeringAccepterRole.js";
+export * from "./vpcPeeringConnection.js";

package/dist/lib/resources/aws/networking/index.js

@@ -1,4 +1,5 @@
 export * from "./crossAccountDelegationRecord.js";
+export * from "./crossAccountReturnRoutes.js";
 export * from "./dnsRecord/index.js";
 export * from "./domainCertificate.js";
 export * from "./hostedZone.js";
@@ -6,3 +7,5 @@ export * from "./ipam.js";
 export * from "./ipamPool.js";
 export * from "./securityGroup.js";
 export * from "./vpc.js";
+export * from "./vpcPeeringAccepterRole.js";
+export * from "./vpcPeeringConnection.js";

package/dist/lib/resources/aws/networking/vpc.js

@@ -1,4 +1,4 @@
-import { Duration, RemovalPolicy, Stack } from "aws-cdk-lib";
+import { CfnOutput, Duration, RemovalPolicy, Stack } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LogGroup } from "../logging/logGroup.js";
@@ -12,7 +12,7 @@ export class Vpc extends ec2.Vpc {
         const maxAzs = maxAzsFromProps ?? 3;
         const natGateways = Vpc.resolveNatGateways(props);
         const vpcName = explicitName ?? id;
-        super(scope, `vpc-${id}`, {
+        super(scope, `Vpc${id}`, {
             ...restProps,
             vpcName,
             natGateways,
@@ -23,6 +23,10 @@ export class Vpc extends ec2.Vpc {
         });
         this.hasNatGateways = natGateways !== 0;
         this.addInterfaceEndpoints(id, props, this.hasNatGateways);
+        new CfnOutput(this, "VpcCidrBlock", {
+            value: this.vpcCidrBlock,
+            exportName: `${Stack.of(this).stackName}-vpc-cidr`
+        });
     }
     static gatewayEndpoints(props) {
         if (props?.endpointsConfig === false) {

package/dist/lib/resources/aws/networking/vpcPeeringAccepterRole.d.ts

@@ -0,0 +1,18 @@
+import { Construct } from "constructs";
+import { Role } from "aws-cdk-lib/aws-iam";
+import { type IVpc } from "aws-cdk-lib/aws-ec2";
+export interface VpcPeeringAccepterRoleProps {
+    /** AWS account IDs allowed to initiate peering and manage return routes. */
+    readonly requesterAccountIds: string[];
+    /** The local VPC this role is scoped to. */
+    readonly localVpc: IVpc;
+    /** Cost-allocation override — defaults to `"management"`. */
+    readonly costAllocationEnvironment?: string;
+    /** Cost-allocation override — defaults to the local VPC's construct id. */
+    readonly costAllocationDomain?: string;
+}
+export declare class VpcPeeringAccepterRole extends Construct {
+    readonly role: Role;
+    readonly roleArn: string;
+    constructor(scope: Construct, id: string, props: VpcPeeringAccepterRoleProps);
+}

package/dist/lib/resources/aws/networking/vpcPeeringAccepterRole.js

@@ -0,0 +1,61 @@
+import { Construct } from "constructs";
+import { ArnFormat, Stack, Tags } from "aws-cdk-lib";
+import { AccountPrincipal, CompositePrincipal, PolicyDocument, PolicyStatement, Role } from "aws-cdk-lib/aws-iam";
+import { COST_ALLOCATION_TAGS, DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
+export class VpcPeeringAccepterRole extends Construct {
+    role;
+    roleArn;
+    constructor(scope, id, props) {
+        super(scope, id);
+        const vpcArnPattern = Stack.of(this).formatArn({
+            service: "ec2",
+            region: "*",
+            account: "*",
+            resource: "vpc",
+            resourceName: props.localVpc.vpcId,
+            arnFormat: ArnFormat.SLASH_RESOURCE_NAME
+        });
+        this.role = new Role(this, "Role", {
+            assumedBy: new CompositePrincipal(...props.requesterAccountIds.map((accountId) => new AccountPrincipal(accountId))),
+            inlinePolicies: {
+                allowPeering: new PolicyDocument({
+                    statements: [
+                        new PolicyStatement({
+                            actions: [
+                                "ec2:AcceptVpcPeeringConnection",
+                                "ec2:ModifyVpcPeeringConnectionOptions"
+                            ],
+                            resources: ["*"],
+                            conditions: {
+                                StringEquals: {
+                                    "ec2:AccepterVpc": vpcArnPattern
+                                }
+                            }
+                        }),
+                        new PolicyStatement({
+                            actions: ["ec2:CreateRoute", "ec2:DeleteRoute"],
+                            resources: ["*"],
+                            conditions: {
+                                StringEquals: {
+                                    "ec2:Vpc": vpcArnPattern
+                                }
+                            }
+                        }),
+                        new PolicyStatement({
+                            actions: [
+                                "ec2:DescribeRouteTables",
+                                "ec2:DescribeVpcPeeringConnections"
+                            ],
+                            resources: ["*"]
+                        })
+                    ]
+                })
+            }
+        });
+        this.roleArn = this.role.roleArn;
+        Tags.of(this).add("fjall:resource:type", "vpc-peering-accepter");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.ENVIRONMENT, props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
+        Tags.of(this).add(COST_ALLOCATION_TAGS.SERVICE, "vpcPeeringAccepter");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.DOMAIN, props.costAllocationDomain ?? props.localVpc.node.id);
+    }
+}

package/dist/lib/resources/aws/networking/vpcPeeringConnection.d.ts

@@ -0,0 +1,49 @@
+import { Construct } from "constructs";
+import { CfnVPCPeeringConnection, type IVpc, type SubnetSelection } from "aws-cdk-lib/aws-ec2";
+export interface VpcPeeringConnectionProps {
+    /** The local VPC to peer from. */
+    readonly localVpc: IVpc;
+    /** The local VPC CIDR (destination of the accepter's return routes). */
+    readonly localVpcCidr: string;
+    /** The remote VPC ID. */
+    readonly peerVpcId: string;
+    /** The remote VPC CIDR (destination of the local routes). */
+    readonly peerVpcCidr: string;
+    /** Remote account ID — required for cross-account peering. */
+    readonly peerAccountId?: string;
+    /** Remote region — required for cross-region peering. */
+    readonly peerRegion?: string;
+    /** ARN of the accepter role (for auto-accept and cross-account route management). */
+    readonly peerRoleArn?: string;
+    /** Route-table IDs in the accepter VPC (for cross-account return routes). */
+    readonly peerRouteTableIds?: string[];
+    /** Local subnet selection for routes. Defaults to `PRIVATE_WITH_EGRESS`. */
+    readonly routeSubnets?: SubnetSelection;
+    /** Enable DNS resolution across the peering on both sides. Defaults to true. */
+    readonly enableDnsResolution?: boolean;
+    /**
+     * Optional cross-app label — when present, added as the `fjall:peering:peer-app`
+     * tag and used as the default cost-allocation domain.
+     */
+    readonly peerAppName?: string;
+    /**
+     * Optional organisation ID of the remote app — surfaced as a public-readonly
+     * property on the construct for downstream consumers (ECS `remoteConnections`)
+     * that need to build cross-app SSM paths.
+     */
+    readonly peerOrgId?: string;
+    /** Cost-allocation override — defaults to `"management"`. */
+    readonly costAllocationEnvironment?: string;
+    /**
+     * Cost-allocation override — defaults to `peerAppName` if provided, otherwise
+     * the peer VPC ID.
+     */
+    readonly costAllocationDomain?: string;
+}
+export declare class VpcPeeringConnection extends Construct {
+    readonly peeringConnectionId: string;
+    readonly peering: CfnVPCPeeringConnection;
+    readonly peerAppName: string | undefined;
+    readonly peerOrgId: string | undefined;
+    constructor(scope: Construct, id: string, props: VpcPeeringConnectionProps);
+}

package/dist/lib/resources/aws/networking/vpcPeeringConnection.js

@@ -0,0 +1,88 @@
+import { Construct } from "constructs";
+import { Stack, Tags } from "aws-cdk-lib";
+import { CfnRoute, CfnVPCPeeringConnection, SubnetType } from "aws-cdk-lib/aws-ec2";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
+import { COST_ALLOCATION_TAGS, DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
+import { CrossAccountReturnRoutes } from "./crossAccountReturnRoutes.js";
+export class VpcPeeringConnection extends Construct {
+    peeringConnectionId;
+    peering;
+    peerAppName;
+    peerOrgId;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.peerAppName = props.peerAppName;
+        this.peerOrgId = props.peerOrgId;
+        this.peering = new CfnVPCPeeringConnection(this, "Peering", {
+            vpcId: props.localVpc.vpcId,
+            peerVpcId: props.peerVpcId,
+            peerOwnerId: props.peerAccountId,
+            peerRegion: props.peerRegion,
+            peerRoleArn: props.peerRoleArn
+        });
+        this.peeringConnectionId = this.peering.attrId;
+        const subnets = props.localVpc.selectSubnets(props.routeSubnets ?? { subnetType: SubnetType.PRIVATE_WITH_EGRESS });
+        for (const subnet of subnets.subnets) {
+            new CfnRoute(this, `Route${subnet.node.id}`, {
+                routeTableId: subnet.routeTable.routeTableId,
+                destinationCidrBlock: props.peerVpcCidr,
+                vpcPeeringConnectionId: this.peering.attrId
+            });
+        }
+        const enableDnsResolution = props.enableDnsResolution !== false;
+        // Requester-side DNS runs in the local account, so a plain AwsCustomResource
+        // is sufficient. The accepter side is delegated to the cross-account Lambda.
+        if (enableDnsResolution) {
+            new AwsCustomResource(this, "EnableRequesterDns", {
+                onCreate: {
+                    service: "EC2",
+                    action: "modifyVpcPeeringConnectionOptions",
+                    parameters: {
+                        VpcPeeringConnectionId: this.peering.attrId,
+                        RequesterPeeringConnectionOptions: {
+                            AllowDnsResolutionFromRemoteVpc: true
+                        }
+                    },
+                    physicalResourceId: PhysicalResourceId.of(`${id}-requester-dns`)
+                },
+                policy: AwsCustomResourcePolicy.fromStatements([
+                    new PolicyStatement({
+                        actions: ["ec2:ModifyVpcPeeringConnectionOptions"],
+                        resources: [
+                            Stack.of(this).formatArn({
+                                service: "ec2",
+                                resource: "vpc-peering-connection",
+                                resourceName: this.peering.attrId
+                            })
+                        ]
+                    })
+                ])
+            });
+        }
+        if (props.peerRoleArn &&
+            props.peerRegion &&
+            props.peerRouteTableIds &&
+            props.peerRouteTableIds.length > 0) {
+            new CrossAccountReturnRoutes(this, "ReturnRoutes", {
+                peerRoleArn: props.peerRoleArn,
+                peerRegion: props.peerRegion,
+                routeTableIds: props.peerRouteTableIds,
+                localVpcCidr: props.localVpcCidr,
+                peeringConnectionId: this.peering.attrId,
+                enableDns: enableDnsResolution
+            });
+        }
+        Tags.of(this).add("fjall:resource:type", "vpc-peering");
+        Tags.of(this).add("fjall:peering:peer-vpc", props.peerVpcId);
+        if (props.peerAccountId) {
+            Tags.of(this).add("fjall:peering:peer-account", props.peerAccountId);
+        }
+        if (props.peerAppName) {
+            Tags.of(this).add("fjall:peering:peer-app", props.peerAppName);
+        }
+        Tags.of(this).add(COST_ALLOCATION_TAGS.ENVIRONMENT, props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
+        Tags.of(this).add(COST_ALLOCATION_TAGS.SERVICE, "vpcPeering");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.DOMAIN, props.costAllocationDomain ?? props.peerAppName ?? props.peerVpcId);
+    }
+}

package/dist/lib/utils/bastionFactory.d.ts

@@ -0,0 +1,10 @@
+import { type IVpc } from "aws-cdk-lib/aws-ec2";
+import { Ec2Instance } from "../resources/aws/compute/ec2.js";
+import { type AwsStack } from "../resources/index.js";
+export interface BastionConfig {
+    instanceType?: string;
+}
+export interface BastionResult {
+    bastion: Ec2Instance;
+}
+export declare function createBastion(networkStack: AwsStack, appName: string, stackPrefix: string, vpc: IVpc, config: BastionConfig | true): BastionResult;

package/dist/lib/utils/bastionFactory.js

@@ -0,0 +1,29 @@
+import { CfnOutput } from "aws-cdk-lib";
+import { Ec2Instance } from "../resources/aws/compute/ec2.js";
+import { toPascalCase } from "./capitaliseString.js";
+export function createBastion(networkStack, appName, stackPrefix, vpc, config) {
+    const instanceType = typeof config === "object" && config.instanceType
+        ? config.instanceType
+        : "t4g.micro";
+    const bastionId = `${stackPrefix}Bastion`;
+    const scope = networkStack.getStack();
+    const bastion = new Ec2Instance(scope, bastionId, {
+        serviceName: `${stackPrefix}Bastion`,
+        instanceType,
+        vpc,
+        enableSSH: false,
+        minCapacity: 1,
+        maxCapacity: 1
+    });
+    networkStack.addConstruct(bastion);
+    const outputPrefix = toPascalCase(appName);
+    new CfnOutput(scope, `${outputPrefix}BastionInstanceId`, {
+        value: bastion.getAutoScalingGroup().autoScalingGroupName,
+        description: "Bastion ASG name for SSM tunnel discovery"
+    });
+    new CfnOutput(scope, `${outputPrefix}BastionSecurityGroupId`, {
+        value: bastion.asgSecurityGroup.securityGroupId,
+        description: "Bastion security group ID"
+    });
+    return { bastion };
+}

package/dist/lib/utils/capitaliseString.d.ts

@@ -1 +1 @@
-export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, getSafeZoneName } from "@fjall/util";
+export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName } from "@fjall/util";

package/dist/lib/utils/capitaliseString.js

@@ -1 +1 @@
-export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, getSafeZoneName } from "@fjall/util";
+export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName } from "@fjall/util";

package/dist/lib/utils/cdkContext.d.ts

@@ -0,0 +1,8 @@
+import type { Node } from "constructs";
+export declare const CDK_CONTEXT_KEYS: {
+    readonly ORG_ID: "orgId";
+};
+export declare const DEFAULT_ORG_ID: "default";
+export declare function resolveOrgId(node: Node, fallback: string): string;
+export declare function resolveOrgId(node: Node): string | undefined;
+export declare function buildSsmPrefix(orgId: string, appName: string): string;

package/dist/lib/utils/cdkContext.js

@@ -0,0 +1,11 @@
+export const CDK_CONTEXT_KEYS = {
+    ORG_ID: "orgId"
+};
+export const DEFAULT_ORG_ID = "default";
+export function resolveOrgId(node, fallback) {
+    const raw = node.tryGetContext(CDK_CONTEXT_KEYS.ORG_ID);
+    return typeof raw === "string" ? raw : fallback;
+}
+export function buildSsmPrefix(orgId, appName) {
+    return `/fjall/${orgId}/${appName}`;
+}