npm - @fjall/components-infrastructure - Versions diffs - 0.95.0 → 0.99.1 - Mend

@fjall/components-infrastructure 0.95.0 → 0.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (234) hide show

package/dist/lib/resources/aws/compute/ecsTypes.d.ts CHANGED Viewed

@@ -1,6 +1,9 @@
-import { type ContainerDefinition, type RepositoryImage } from "aws-cdk-lib/aws-ecs";
-import { type IVpc } from "aws-cdk-lib/aws-ec2";
+import { type ContainerDefinition, type NetworkMode, type PortMapping, type RepositoryImage } from "aws-cdk-lib/aws-ecs";
+import { type BlockDevice, type IMachineImage, type ISecurityGroup, type IVpc, type UserData } from "aws-cdk-lib/aws-ec2";
+import { type Monitoring } from "aws-cdk-lib/aws-autoscaling";
+import { type IService } from "aws-cdk-lib/aws-servicediscovery";
 import { type IManagedPolicy, type PolicyDocument } from "aws-cdk-lib/aws-iam";
+import type { DockerBuild } from "@fjall/util/manifest/schemas";
 import { type TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
 import { type GeoLocation } from "aws-cdk-lib/aws-route53";
 import { type Repository } from "aws-cdk-lib/aws-ecr";
@@ -10,10 +13,12 @@ import { type Role } from "aws-cdk-lib/aws-iam";
 import { type HostedZone as FjallHostedZone } from "../networking/hostedZone.js";
 import { type Certificate } from "aws-cdk-lib/aws-certificatemanager";
 import { type ConnectionSpec } from "../../../utils/connector.js";
+import { type RemoteConnectionSpec } from "./ecsRemoteConnections.js";
 import { type SecretImport } from "../secrets/index.js";
 import type { ManagedDomainExports } from "../../../utils/domainTypes.js";
 import type { ITopic } from "aws-cdk-lib/aws-sns";
 import type { EcsServiceAlarmThresholds } from "../monitoring/index.js";
+import { type Ec2InstancePersistentDataVolumeConfig } from "./ec2.js";
 export declare enum Protocol {
     HTTP = 0,
     HTTPS = 1
@@ -22,7 +27,8 @@ export declare enum ScalingType {
     CPU = "ECSServiceAverageCPUUtilization",
     MEMORY = "ECSServiceAverageMemoryUtilization"
 }
-export type EcsCapacityProvider = "FARGATE" | "FARGATE_SPOT" | "EC2";
+import type { EcsCapacityProvider } from "@fjall/generator";
+export type { EcsCapacityProvider };
 /**
  * EC2 capacity configuration for ECS EC2-backed clusters.
  * Only used when capacityProvider is "EC2".
@@ -46,6 +52,52 @@ export interface Ec2CapacityConfig {
         /** Return instances to the pool on scale-in instead of terminating. Default: true */
         reuseOnScaleIn?: boolean;
     };
+    /** CDK `AutoScalingGroupProps.desiredCapacity` — initial instance count. */
+    desiredCapacity?: number;
+    /**
+     * CDK `LaunchTemplateProps.machineImage`. When provided, overrides the
+     * default `EcsOptimizedImage.amazonLinux2023(amiHardwareType)`. Use for
+     * stateful workloads requiring a custom AMI.
+     */
+    machineImage?: IMachineImage;
+    /**
+     * CDK `aws-cdk-lib/aws-autoscaling.Monitoring`. Routes through the
+     * LaunchTemplate's `detailedMonitoring` field. Default: `Monitoring.BASIC`.
+     */
+    instanceMonitoring?: Monitoring;
+    /** CDK `LaunchTemplateProps.blockDevices`. Use for EBS attachments. */
+    blockDevices?: BlockDevice[];
+    /**
+     * CDK `LaunchTemplateProps.userData`. When provided, overrides the
+     * default empty `UserData.forLinux()`.
+     */
+    userData?: UserData;
+    /** CDK `LaunchTemplateProps.associatePublicIpAddress`. */
+    associatePublicIpAddress?: boolean;
+    /**
+     * Pin the ASG to a specific set of availability zones. When
+     * `persistentDataVolume` is set, MUST contain exactly one entry matching
+     * `persistentDataVolume.availabilityZone` — the standalone EBS volume is
+     * AZ-local and cannot follow a multi-AZ ASG. Merged into `vpcSubnets` at
+     * the `Ec2Instance` boundary.
+     */
+    availabilityZones?: string[];
+    /**
+     * Pairs the EC2 capacity ASG with a standalone EBS data volume that
+     * re-attaches across instance refreshes. Forwarded to `Ec2Instance` which
+     * locates and detaches the volume via TERMINATING/LAUNCHING lifecycle
+     * hooks. Implies a singleton service — do not share an ASG across
+     * services when this is set (`getEc2ConfigKey` adds a discriminator to
+     * keep them apart).
+     */
+    persistentDataVolume?: Ec2InstancePersistentDataVolumeConfig;
+    /**
+     * Tags applied to the underlying ASG with `applyToLaunchedInstances: true`
+     * so every launched EC2 instance carries the tags. Used for tag-based SSM
+     * `SendCommand` targeting (`Targets: [{ Key: "tag:<name>", Values: […] }]`).
+     * Empty-string keys or values are rejected at the resources layer.
+     */
+    tags?: Record<string, string>;
 }
 /**
  * Domain configuration for HTTPS and DNS.
@@ -68,6 +120,17 @@ export interface GeoLocationDomainConfig extends DomainBaseConfig {
     geoLocation: GeoLocation;
 }
 export type DomainConfig = DomainBaseConfig | LatencyDomainConfig | WeightedDomainConfig | GeoLocationDomainConfig;
+/**
+ * A dependency on another container in the same task definition.
+ * Maps directly to ECS `ContainerDependency`. See `ContainerDependency` in
+ * the factory layer (`computeEcsTypes.ts`) for the public-facing variant.
+ *
+ * @internal
+ */
+export interface EcsContainerDependency {
+    container: string;
+    condition: "START" | "COMPLETE" | "SUCCESS" | "HEALTHY";
+}
 /**
  * Internal configuration for a container in a multi-container ECS task.
  *
@@ -135,6 +198,32 @@ export interface EcsClusterContainerConfig {
         retries?: number;
         startPeriod?: number;
     };
+    /**
+     * Containers in the same service that must reach a given state before this
+     * container starts. Resolved at synth time against the service's container names.
+     */
+    dependsOn?: EcsContainerDependency[];
+    /**
+     * Multi-port containers (CDK `PortMapping[]`). Mutually exclusive with
+     * `port` — supplying both throws at synth (AC30).
+     */
+    portMappings?: PortMapping[];
+    /**
+     * Host-bind volumes mounted into this container. Each entry produces a
+     * matching `taskDefinition.addVolume(...)` + `container.addMountPoints(...)`
+     * pair (AC31).
+     */
+    volumes?: Array<{
+        name: string;
+        hostSourcePath?: string;
+        mountPath: string;
+        readOnly?: boolean;
+    }>;
+    /**
+     * Time (seconds) ECS waits for the container to exit gracefully after
+     * SIGTERM before sending SIGKILL. Range 1–120. Default: ECS default (30s).
+     */
+    stopTimeout?: number;
 }
 /**
  * Cluster-level configuration.
@@ -166,6 +255,12 @@ export interface EcsClusterClusterConfig {
      * Only used when domain is specified.
      */
     domainConfig?: DomainConfig;
+    /**
+     * Externally-supplied EC2 capacity security group. When provided, the ECS
+     * service factory uses this SG instead of constructing its own. Pre-resolved
+     * by the patterns layer (AC26 — `EcsClusterConfig.securityGroup`).
+     */
+    securityGroup?: ISecurityGroup;
 }
 /**
  * Routing configuration for path/host-based routing on the ALB.
@@ -205,11 +300,23 @@ export interface EcsServiceProps {
     memoryLimitMiB?: number;
     /** Desired number of tasks. Default: 2 */
     desiredCount?: number;
-    /** Scaling type (CPU or MEMORY). Omit to disable auto-scaling. */
+    /**
+     * Scaling type (CPU or MEMORY). Omit to disable auto-scaling — no
+     * `ScalableTarget` is registered, and `minCapacity`/`maxCapacity` below have
+     * no effect. The `desiredCount: 0 + minCapacity > 0` validation throw still
+     * fires regardless, so operator-intent contradictions surface at synth even
+     * when scaling is disabled.
+     */
     scalingType?: ScalingType;
-    /** Minimum number of tasks for auto-scaling. Default: 2 */
+    /**
+     * Minimum number of tasks for auto-scaling. Default: tracks `desiredCount`.
+     * Only consulted when `scalingType` is set.
+     */
     minCapacity?: number;
-    /** Maximum number of tasks for auto-scaling. Default: 10 */
+    /**
+     * Maximum number of tasks for auto-scaling. Default: `Math.max(desiredCount + 1, 3)`.
+     * Only consulted when `scalingType` is set.
+     */
     maxCapacity?: number;
     /**
      * Routing rules for this service on the cluster's ALB.
@@ -249,6 +356,12 @@ export interface EcsServiceProps {
      * ]
      */
     connections?: ConnectionSpec[];
+    /**
+     * Cross-app resources reachable via VPC peering. Resolved at synth time
+     * into `${PREFIX}_HOST` / `${PREFIX}_PORT` env vars merged into every
+     * container in this service's task definition.
+     */
+    remoteConnections?: RemoteConnectionSpec[];
     /**
      * Capacity provider for this service. REQUIRED.
      * Each service specifies its own capacity provider.
@@ -270,14 +383,11 @@ export interface EcsServiceProps {
      */
     ssmSecretsPath?: string;
     /**
-     * Docker build target stage for multi-stage Dockerfiles.
-     * When specified, appends `-<target>` to the image tag.
-     *
-     * @example
-     * // With dockerTarget: "api", image tag becomes: myservice-api-latest
-     * dockerTarget: "api"
+     * Dockerfile build configuration for this service. When `target` is set,
+     * the image tag suffix becomes `<service>-<target>-latest`.
+     * Mutually exclusive with `image` (pre-built URI).
      */
-    dockerTarget?: string;
+    docker?: DockerBuild;
     /**
      * Per-service alarm configuration.
      * - undefined: use defaults (CPU, memory, running tasks, 5xx if ALB)
@@ -285,6 +395,63 @@ export interface EcsServiceProps {
      * - object: override specific thresholds
      */
     alarms?: EcsServiceAlarmThresholds | false;
+    /**
+     * Deployment circuit breaker policy.
+     * - undefined (default): `{ enable: true, rollback: true }`
+     * - `false`: disabled entirely (no breaker)
+     * - `{ rollback: boolean }`: override rollback behaviour
+     *
+     * @see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-circuit-breaker.html
+     */
+    circuitBreaker?: false | {
+        rollback?: boolean;
+    };
+    /**
+     * Rolling-deploy capacity bounds. Overrides the default
+     * `{ minHealthyPercent: 100, maxHealthyPercent: 200 }`. Singletons backed
+     * by an EBS volume that only one task can attach to (e.g. ClickHouse) need
+     * `{ minHealthyPercent: 0, maxHealthyPercent: 100 }` so the old task
+     * detaches before the new one starts.
+     *
+     * Bounds enforced by `validateEcsClusterProps`: `minHealthyPercent` must be
+     * 0–100, `maxHealthyPercent` must be 100–200, and the two cannot both be
+     * `100` (no capacity to drain or expand — deploys would never roll forward).
+     */
+    deployment?: {
+        minHealthyPercent?: number;
+        maxHealthyPercent?: number;
+    };
+    /**
+     * Pre-registered Cloud Map service. When provided, the underlying
+     * `Ec2Service`/`FargateService` calls `associateCloudMapService(...)` after
+     * construction. The patterns layer registers the service via
+     * `app.getNamespace().registerService({ name })` and threads the resulting
+     * `IService` here — keeping the resources layer free of namespace lookup.
+     */
+    cloudMapService?: IService;
+    /**
+     * DNS record type registered against `cloudMapService`. Default: `"A"`
+     * (matches CDK's default and works under `awsvpc`). Set to `"SRV"` when
+     * the service runs under `host` or `bridge` network mode — CDK's
+     * `Ec2Service.associateCloudMapService(...)` rejects A records there and
+     * requires `containerName` + `containerPort`, derived from the primary
+     * container.
+     */
+    cloudMapDnsRecordType?: "A" | "SRV";
+    /**
+     * Override the task definition's `NetworkMode`. Default for EC2 services
+     * is `AWS_VPC` (or `HOST` when `cluster.directAccess`); set to `BRIDGE`
+     * for dynamic-port-mapping ALB integration or when ENI quota is a concern.
+     */
+    networkMode?: NetworkMode;
+    /**
+     * Pre-existing security groups to attach to the service's task ENIs (AWS_VPC
+     * mode) instead of letting CDK auto-generate a default service SG. Used by
+     * stateful consumers (e.g. `ClickHouseDatabase`) that own a wrapper SG and
+     * need `this.connections.securityGroups[0]` to be the SG actually arbitrating
+     * inbound traffic to the task. Empty/omitted → CDK auto-creates one.
+     */
+    securityGroups?: ISecurityGroup[];
 }
 /**
  * Props for creating an ECS cluster with multiple services.

package/dist/lib/resources/aws/compute/ecsValidation.d.ts CHANGED Viewed

@@ -3,6 +3,15 @@ import type { EcsClusterProps } from "./ecsTypes.js";
  * Validates ECS cluster props before construction.
  * Pure function — does not depend on class state.
  *
+ * Note: `service.migrations` and `service.migrations.separateTaskDef` are
+ * intentionally validated only at the patterns layer (`validateEcsProps`
+ * in `lib/patterns/aws/computeEcs.ts`). The migrations sugar is a
+ * patterns-layer concept — it is translated into `service.containers`
+ * (init-container mode) or a separate Fargate task definition + lifecycle
+ * hook (lifecycle-hook mode) BEFORE reaching `EcsClusterProps`. Resources-
+ * layer consumers never see a `migrations` field, so duplicating the
+ * validation here would be unreachable.
+ *
  * @param props - The cluster props to validate
  * @throws Error if validation fails
  */

package/dist/lib/resources/aws/compute/ecsValidation.js CHANGED Viewed

@@ -1,7 +1,17 @@
+import { NetworkMode } from "aws-cdk-lib/aws-ecs";
 /**
  * Validates ECS cluster props before construction.
  * Pure function — does not depend on class state.
  *
+ * Note: `service.migrations` and `service.migrations.separateTaskDef` are
+ * intentionally validated only at the patterns layer (`validateEcsProps`
+ * in `lib/patterns/aws/computeEcs.ts`). The migrations sugar is a
+ * patterns-layer concept — it is translated into `service.containers`
+ * (init-container mode) or a separate Fargate task definition + lifecycle
+ * hook (lifecycle-hook mode) BEFORE reaching `EcsClusterProps`. Resources-
+ * layer consumers never see a `migrations` field, so duplicating the
+ * validation here would be unreachable.
+ *
  * @param props - The cluster props to validate
  * @throws Error if validation fails
  */
@@ -47,6 +57,59 @@ export function validateEcsClusterProps(props) {
             throw new Error(`Service '${service.name}': Duplicate container names: ` +
                 `${[...new Set(duplicateContainers)].join(", ")}`);
         }
+        for (const container of service.containers) {
+            if (container.stopTimeout !== undefined) {
+                if (!Number.isInteger(container.stopTimeout) ||
+                    container.stopTimeout < 1 ||
+                    container.stopTimeout > 120) {
+                    throw new Error(`Service '${service.name}', container '${container.name ?? "(default)"}': ` +
+                        `stopTimeout must be an integer between 1 and 120 seconds (got ${container.stopTimeout}).`);
+                }
+            }
+        }
+        if (service.capacityProvider === "EC2" && !service.ec2Config) {
+            throw new Error(`Service '${service.name}' uses EC2 capacity provider but no ec2Config is defined. ` +
+                "Provide ec2Config on the service.");
+        }
+        if (service.deployment !== undefined) {
+            const min = service.deployment.minHealthyPercent;
+            const max = service.deployment.maxHealthyPercent;
+            if (min !== undefined && (min < 0 || min > 100)) {
+                throw new Error(`Service '${service.name}': deployment.minHealthyPercent must be between 0 and 100 (got ${min}).`);
+            }
+            if (max !== undefined && (max < 100 || max > 200)) {
+                throw new Error(`Service '${service.name}': deployment.maxHealthyPercent must be between 100 and 200 (got ${max}).`);
+            }
+            if (min === 100 && max === 100) {
+                throw new Error(`Service '${service.name}': deployment.minHealthyPercent and maxHealthyPercent cannot both be 100 ` +
+                    "(no capacity to drain or expand — deploys would never roll forward).");
+            }
+        }
+        if (service.cloudMapDnsRecordType !== undefined &&
+            service.cloudMapService === undefined) {
+            throw new Error(`Service '${service.name}': cloudMapDnsRecordType is set but cloudMapService is not. ` +
+                "Service discovery cannot be registered without a Cloud Map namespace.");
+        }
+        if (service.desiredCount === 0 &&
+            service.minCapacity !== undefined &&
+            service.minCapacity > 0) {
+            throw new Error(`Service '${service.name}': scaling.minCapacity (${service.minCapacity}) cannot exceed desiredCount when desiredCount is 0. ` +
+                "Application Auto Scaling would immediately scale the service back up, defeating the desiredCount: 0 toggle. " +
+                "Either set scaling.minCapacity to 0 (placeholder service) or raise desiredCount to match scaling.minCapacity.");
+        }
+        if (service.capacityProvider === "EC2" &&
+            service.securityGroups !== undefined &&
+            service.securityGroups.length > 0) {
+            const directAccessForceHost = props.cluster?.directAccess === true;
+            const effectiveMode = service.networkMode ??
+                (directAccessForceHost ? NetworkMode.HOST : NetworkMode.AWS_VPC);
+            if (effectiveMode !== NetworkMode.AWS_VPC) {
+                throw new Error(`Service '${service.name}': securityGroups is only valid with networkMode AWS_VPC ` +
+                    `(effective networkMode is '${effectiveMode}'). HOST/BRIDGE services share ` +
+                    `the EC2 instance ENI, which is governed by the cluster-level securityGroup ` +
+                    `on EcsClusterConfig.`);
+            }
+        }
     }
 }
 /**

package/dist/lib/resources/aws/compute/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+export * from "./blockDeviceVolume.js";
 export * from "./ec2.js";
 export * from "./ecs.js";
 export * from "./lambda.js";
+export * from "./samApplication.js";

package/dist/lib/resources/aws/compute/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+export * from "./blockDeviceVolume.js";
 export * from "./ec2.js";
 export * from "./ecs.js";
 export * from "./lambda.js";
+export * from "./samApplication.js";

package/dist/lib/resources/aws/compute/lambda.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { SingletonFunction as singletonFunction, Function, Code, type Runtime, A
 import { type Bucket } from "aws-cdk-lib/aws-s3";
 import { PolicyStatement, type IRole } from "aws-cdk-lib/aws-iam";
 import { type IVpc } from "aws-cdk-lib/aws-ec2";
-import { Rule, type EventPattern } from "aws-cdk-lib/aws-events";
+import { RetentionDays } from "aws-cdk-lib/aws-logs";
 import { type IQueue } from "aws-cdk-lib/aws-sqs";
 import { type ITable } from "aws-cdk-lib/aws-dynamodb";
 import { type Construct } from "constructs";
@@ -23,6 +23,12 @@ export interface LambdaFunctionProps {
     memorySize?: number;
     /** Ephemeral storage size in MiB */
     ephemeralStorageSize?: number;
+    /**
+     * Log retention for the auto-created LogGroup. Defaults to one week.
+     * Override for Lambdas whose logs back operational debugging beyond the
+     * default window (e.g. deployment lifecycle hooks).
+     */
+    logGroupRetention?: RetentionDays;
     inlinePolicy: PolicyStatement[];
     enableFunctionUrl?: boolean;
     functionUrlAuthType?: FunctionUrlAuthType;
@@ -30,8 +36,6 @@ export interface LambdaFunctionProps {
     /** Invoke mode for Function URL. Use RESPONSE_STREAM for Lambda streaming. */
     functionUrlInvokeMode?: InvokeMode;
     environment?: KeyValue;
-    tags?: KeyValue;
-    scheduleExpression?: string;
     secrets?: string[];
     ssmSecretsPath?: string;
     secretsImport?: Record<string, SecretImport>;
@@ -100,16 +104,6 @@ export declare class LambdaFunction extends Function {
             suffix?: string;
         }>;
     }): void;
-    /**
-     * Add an EventBridge rule as an event source for this Lambda function.
-     * This will trigger the Lambda when events matching the pattern are published.
-     * Useful for scheduled jobs, cross-service event handling, and custom event patterns.
-     */
-    addEventBridgeEventSource(ruleId: string, options: {
-        schedule?: string;
-        eventPattern?: EventPattern;
-        description?: string;
-    }): Rule;
     /**
      * Add secrets support using AWS Parameters and Secrets Lambda Extension.
      *

package/dist/lib/resources/aws/compute/lambda.js CHANGED Viewed

@@ -6,9 +6,8 @@ import { fileURLToPath } from "node:url";
 import { SqsEventSource, DynamoEventSource, S3EventSource } from "aws-cdk-lib/aws-lambda-event-sources";
 import { EventType } from "aws-cdk-lib/aws-s3";
 import { PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
-import { Rule, Schedule } from "aws-cdk-lib/aws-events";
-import { LambdaFunction as LambdaTarget } from "aws-cdk-lib/aws-events-targets";
-import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
+import { RetentionDays } from "aws-cdk-lib/aws-logs";
+import { LogGroup } from "../logging/logGroup.js";
 import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { v4 as uuid } from "uuid";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -20,6 +19,18 @@ function addPoliciesToRole(target, statements) {
         target.addToRolePolicy(statement);
     }
 }
+/**
+ * CDK's auto-generated Lambda execution role does not accept a description
+ * through FunctionProps; reach for the L1 CfnRole and set it directly so
+ * SOC2 audits see a meaningful purpose on every role.
+ */
+function applyRoleDescription(fn, description) {
+    if (description === undefined)
+        return;
+    const cfnRole = fn.role?.node.defaultChild;
+    if (cfnRole !== undefined)
+        cfnRole.description = description;
+}
 /**
  * AWS Parameters and Secrets Lambda Extension configuration.
  * @see https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html
@@ -30,19 +41,26 @@ const SECRETS_EXTENSION = {
     /** Cache TTL in seconds - 60s supports secret rotation while reducing API calls */
     CACHE_TTL_SECONDS: "60"
 };
+/**
+ * Default Lambda timeout in seconds. Coupled across the singleton constructor,
+ * the standard constructor, and the alarm wiring — drift would silently
+ * mis-tune alarms relative to runtime behaviour.
+ */
+const LAMBDA_DEFAULT_TIMEOUT_SECONDS = 300;
 export class SingletonFunction extends singletonFunction {
     constructor(scope, id, props) {
         super(scope, id, {
             ...props,
             uuid: props.uuid ?? uuid(),
-            timeout: Duration.seconds(300),
-            description: props.lambdaDescription || `${id} singleton lambda`,
+            timeout: Duration.seconds(props.timeout ?? LAMBDA_DEFAULT_TIMEOUT_SECONDS),
+            description: props.lambdaDescription ?? `${id} singleton lambda`,
             runtime: props.runtime,
             ephemeralStorageSize: props.ephemeralStorageSize
                 ? Size.mebibytes(props.ephemeralStorageSize)
                 : undefined
         });
         addPoliciesToRole(this, props.inlinePolicy);
+        applyRoleDescription(this, props.roleDescription);
     }
     /**
      * The Lambda's execution role (auto-generated by CDK)
@@ -60,26 +78,25 @@ export class LambdaFunction extends Function {
         super(scope, id, {
             ...props,
             vpcSubnets,
-            timeout: props.timeout
-                ? Duration.seconds(props.timeout)
-                : Duration.seconds(300),
-            memorySize: props.memorySize || 128,
+            timeout: Duration.seconds(props.timeout ?? LAMBDA_DEFAULT_TIMEOUT_SECONDS),
+            memorySize: props.memorySize ?? 128,
             ephemeralStorageSize: props.ephemeralStorageSize
                 ? Size.mebibytes(props.ephemeralStorageSize)
                 : undefined,
-            description: props.lambdaDescription || `${id} Lambda`,
+            description: props.lambdaDescription ?? `${id} Lambda`,
             environment: props.environment,
             logGroup: new LogGroup(scope, `${id}LogGroup`, {
-                retention: RetentionDays.ONE_WEEK
+                retention: props.logGroupRetention ?? RetentionDays.ONE_WEEK
             })
         });
         addPoliciesToRole(this, props.inlinePolicy);
+        applyRoleDescription(this, props.roleDescription);
         this.addSecretsSupport(props.secrets, props.ssmSecretsPath, props.secretsImport, props.appName, props.functionName, props.architecture);
         // Sanitise id for CloudFormation output keys (must be alphanumeric)
         const outputName = toPascalCase(id);
         if (props.enableFunctionUrl) {
             const functionUrl = this.addFunctionUrl({
-                authType: props.functionUrlAuthType || FunctionUrlAuthType.AWS_IAM,
+                authType: props.functionUrlAuthType ?? FunctionUrlAuthType.AWS_IAM,
                 cors: props.functionUrlCors,
                 invokeMode: props.functionUrlInvokeMode
             });
@@ -95,14 +112,8 @@ export class LambdaFunction extends Function {
             value: this.functionArn,
             description: `${id} Function ARN`
         });
-        if (props.scheduleExpression) {
-            const rule = new Rule(this, `${id}ScheduleRule`, {
-                schedule: Schedule.expression(props.scheduleExpression)
-            });
-            rule.addTarget(new LambdaTarget(this));
-        }
         if (props.alertsTopic && props.alarms !== false) {
-            const timeoutSeconds = props.timeout ?? 300;
+            const timeoutSeconds = props.timeout ?? LAMBDA_DEFAULT_TIMEOUT_SECONDS;
             createLambdaAlarms({
                 scope: this,
                 functionName: id,
@@ -194,25 +205,6 @@ export class LambdaFunction extends Function {
         const eventSource = new S3EventSource(bucket, s3EventSourceProps);
         this.addEventSource(eventSource);
     }
-    /**
-     * Add an EventBridge rule as an event source for this Lambda function.
-     * This will trigger the Lambda when events matching the pattern are published.
-     * Useful for scheduled jobs, cross-service event handling, and custom event patterns.
-     */
-    addEventBridgeEventSource(ruleId, options) {
-        if (!options.schedule && !options.eventPattern) {
-            throw new Error("EventBridge rule requires either schedule or eventPattern");
-        }
-        const rule = new Rule(this, ruleId, {
-            schedule: options.schedule
-                ? Schedule.expression(options.schedule)
-                : undefined,
-            eventPattern: options.eventPattern,
-            description: options.description
-        });
-        rule.addTarget(new LambdaTarget(this));
-        return rule;
-    }
     /**
      * Add secrets support using AWS Parameters and Secrets Lambda Extension.
      *