@fjall/components-infrastructure 0.95.0 → 0.99.1

package/dist/lib/resources/aws/networking/serviceDiscovery.d.ts

@@ -0,0 +1,96 @@
+import { Construct } from "constructs";
+import { Duration } from "aws-cdk-lib";
+import { type IVpc } from "aws-cdk-lib/aws-ec2";
+import { type IPrivateDnsNamespace, type IService } from "aws-cdk-lib/aws-servicediscovery";
+/**
+ * Plumbing-only base resource wrapping `aws-cdk-lib/aws-servicediscovery`'s
+ * `PrivateDnsNamespace`. Per D7 + D29 of the ClickHouse Database Factory
+ * promotion design, the only consumer entry point is `App.getNamespace()` —
+ * this class is NOT re-exported from `lib/index.ts`.
+ *
+ * No `static fromXxx(...)` factory is exposed: cross-stack consumption is
+ * single-stack-only for v1 per D29. If/when cross-stack arises, a `fromXxx`
+ * factory lands then, not now.
+ */
+export interface ServiceDiscoveryNamespaceProps {
+    vpc: IVpc;
+    name: string;
+    /** Override the default description (`"ServiceDiscovery <name> — Fjall private DNS namespace"`). */
+    description?: string;
+    /**
+     * Removal policy. Default resolves via the `env()` helper (production →
+     * RETAIN; non-prod → DESTROY) — matches the convention codified in D17 of
+     * the EventBridge promotion design. NODE_ENV is intentionally NOT consulted
+     * because it is unset during CDK synth in Fjall's deployment paths.
+     */
+    removalPolicy?: "DESTROY" | "RETAIN";
+}
+/**
+ * Properties for registering a Cloud Map service inside the namespace via
+ * `registerService(...)`. Single source of truth for the second-tier wrapper
+ * around `AWS::ServiceDiscovery::Service`. Per D7(d), this method is
+ * internal-only — never consumed directly from user infrastructure code.
+ */
+export interface ServiceRegistrationProps {
+    /** Service name within the namespace (forms the leftmost label of the FQDN). */
+    name: string;
+    /**
+     * Description override. Default: `"Fjall internal service: <name>"`.
+     * Operators see this in the Cloud Map console; explicit overrides are
+     * preferred when the service name alone is ambiguous (e.g. `"clickhouse"`
+     * is fine; `"web"` benefits from a description naming the role).
+     */
+    description?: string;
+    /**
+     * DNS TTL applied to the A records returned for this service. Default:
+     * 60 seconds — matches CDK's implicit ECS default. Raise for stable
+     * services (cuts query volume); lower for rapidly-changing instance sets.
+     */
+    dnsTtl?: Duration;
+    /**
+     * DNS record type. Default `"A"` — appropriate for `awsvpc` ECS services
+     * where each task has its own ENI IP. Set to `"SRV"` when the consumer is
+     * an ECS service running under `host` or `bridge` network mode: SRV records
+     * carry both the host IP and the published port, which `A` records cannot.
+     * CDK's `Ec2Service.associateCloudMapService(...)` requires SRV (and a
+     * `containerName` + `containerPort`) under those modes.
+     */
+    dnsRecordType?: "A" | "SRV";
+}
+export declare class ServiceDiscoveryNamespace extends Construct {
+    #private;
+    readonly id: string;
+    constructor(scope: Construct, id: string, props: ServiceDiscoveryNamespaceProps);
+    /**
+     * Get the underlying CDK private DNS namespace as the `IPrivateDnsNamespace`
+     * interface. Per D18(a), the public surface is the interface, never the
+     * concrete `PrivateDnsNamespace` class.
+     */
+    getNamespace(): IPrivateDnsNamespace;
+    getNamespaceArn(): string;
+    getNamespaceName(): string;
+    /**
+     * Register a Cloud Map service inside this namespace. Creates an
+     * `AWS::ServiceDiscovery::Service` resource via the underlying CDK
+     * `PrivateDnsNamespace.createService(...)` with Fjall description discipline
+     * applied. Internal-only per D7(d) — Fjall resources call this from inside
+     * their construct bodies; user code never invokes it directly.
+     *
+     * Throws on duplicate registration: a single namespace cannot host two
+     * services with the same DNS name. Caught at synth time, not deploy time.
+     */
+    registerService(props: ServiceRegistrationProps): IService;
+    /**
+     * True if a service with this name has been registered in the namespace.
+     * Cheap registry lookup; does NOT consult AWS — only counts services
+     * registered via `registerService(...)` on this construct.
+     */
+    hasService(name: string): boolean;
+    /**
+     * Build the FQDN for a previously-registered service:
+     * `<serviceName>.<namespaceName>` (e.g. `clickhouse.acme.local`). Throws if
+     * the service has not been registered — prevents typos that would silently
+     * resolve to NXDOMAIN at runtime.
+     */
+    getEndpoint(serviceName: string): string;
+}

package/dist/lib/resources/aws/networking/serviceDiscovery.js

@@ -0,0 +1,96 @@
+import { Construct } from "constructs";
+import { CfnOutput, Duration } from "aws-cdk-lib";
+import { PrivateDnsNamespace, DnsRecordType } from "aws-cdk-lib/aws-servicediscovery";
+import { env } from "../../../utils/env.js";
+import { toRemovalPolicy } from "../../../utils/removalPolicy.js";
+export class ServiceDiscoveryNamespace extends Construct {
+    id;
+    #namespace;
+    #services = new Map();
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.id = id;
+        const description = props.description ??
+            `ServiceDiscovery ${props.name} — Fjall private DNS namespace`;
+        const removalPolicyValue = props.removalPolicy ?? env({ default: "DESTROY", production: "RETAIN" });
+        const namespace = new PrivateDnsNamespace(this, `${id}Namespace`, {
+            vpc: props.vpc,
+            name: props.name,
+            description
+        });
+        this.#namespace = namespace;
+        namespace.applyRemovalPolicy(toRemovalPolicy(removalPolicyValue));
+        new CfnOutput(this, `${id}NamespaceArn`, {
+            key: `${id}NamespaceArn`,
+            value: namespace.namespaceArn,
+            description: `Cloud Map private DNS namespace ARN for ${id}`
+        });
+        new CfnOutput(this, `${id}NamespaceName`, {
+            key: `${id}NamespaceName`,
+            value: namespace.namespaceName,
+            description: `Cloud Map private DNS namespace name for ${id}`
+        });
+    }
+    /**
+     * Get the underlying CDK private DNS namespace as the `IPrivateDnsNamespace`
+     * interface. Per D18(a), the public surface is the interface, never the
+     * concrete `PrivateDnsNamespace` class.
+     */
+    getNamespace() {
+        return this.#namespace;
+    }
+    getNamespaceArn() {
+        return this.#namespace.namespaceArn;
+    }
+    getNamespaceName() {
+        return this.#namespace.namespaceName;
+    }
+    /**
+     * Register a Cloud Map service inside this namespace. Creates an
+     * `AWS::ServiceDiscovery::Service` resource via the underlying CDK
+     * `PrivateDnsNamespace.createService(...)` with Fjall description discipline
+     * applied. Internal-only per D7(d) — Fjall resources call this from inside
+     * their construct bodies; user code never invokes it directly.
+     *
+     * Throws on duplicate registration: a single namespace cannot host two
+     * services with the same DNS name. Caught at synth time, not deploy time.
+     */
+    registerService(props) {
+        if (this.#services.has(props.name)) {
+            throw new Error(`ServiceDiscoveryNamespace '${this.#namespace.namespaceName}': ` +
+                `service '${props.name}' is already registered. Each service name ` +
+                `must be unique within a namespace.`);
+        }
+        const description = props.description ?? `Fjall internal service: ${props.name}`;
+        const service = this.#namespace.createService(`Service-${props.name}`, {
+            name: props.name,
+            description,
+            dnsTtl: props.dnsTtl ?? Duration.seconds(60),
+            dnsRecordType: props.dnsRecordType === "SRV" ? DnsRecordType.SRV : DnsRecordType.A
+        });
+        this.#services.set(props.name, service);
+        return service;
+    }
+    /**
+     * True if a service with this name has been registered in the namespace.
+     * Cheap registry lookup; does NOT consult AWS — only counts services
+     * registered via `registerService(...)` on this construct.
+     */
+    hasService(name) {
+        return this.#services.has(name);
+    }
+    /**
+     * Build the FQDN for a previously-registered service:
+     * `<serviceName>.<namespaceName>` (e.g. `clickhouse.acme.local`). Throws if
+     * the service has not been registered — prevents typos that would silently
+     * resolve to NXDOMAIN at runtime.
+     */
+    getEndpoint(serviceName) {
+        if (!this.#services.has(serviceName)) {
+            throw new Error(`ServiceDiscoveryNamespace '${this.#namespace.namespaceName}': ` +
+                `service '${serviceName}' has not been registered. Call ` +
+                `registerService({ name: '${serviceName}' }) before resolving its endpoint.`);
+        }
+        return `${serviceName}.${this.#namespace.namespaceName}`;
+    }
+}

package/dist/lib/resources/aws/networking/vpc.d.ts

@@ -1,10 +1,13 @@
 import { type Construct } from "constructs";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { type StackBuilder } from "../base/awsStack.js";
+export declare const FLOW_LOG_TRAFFIC_TYPES: readonly ["ALL", "ACCEPT", "REJECT"];
+export type FlowLogTrafficType = (typeof FLOW_LOG_TRAFFIC_TYPES)[number];
+export declare const DEFAULT_MAX_AZS = 3;
 export interface VpcFlowLogConfig {
     destination?: "cloudwatch" | "s3";
     retentionDays?: number;
-    trafficType?: "ALL" | "ACCEPT" | "REJECT";
+    trafficType?: FlowLogTrafficType;
 }
 export interface VpcNatConfig {
     count?: number;

package/dist/lib/resources/aws/networking/vpc.js

@@ -1,18 +1,21 @@
-import { Duration, RemovalPolicy, Stack } from "aws-cdk-lib";
+import { CfnOutput, Duration, RemovalPolicy, Stack } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LogGroup } from "../logging/logGroup.js";
 import { S3Bucket } from "../storage/index.js";
+export const FLOW_LOG_TRAFFIC_TYPES = ["ALL", "ACCEPT", "REJECT"];
+// Read at two sites (resources-layer constructor default + patterns-layer natGateways guard) that must agree.
+export const DEFAULT_MAX_AZS = 3;
 export class Vpc extends ec2.Vpc {
     gatewayEndpoints = [];
     interfaceEndpoints = [];
     hasNatGateways;
     constructor(scope, id, props) {
         const { maxAzs: maxAzsFromProps, vpcName: explicitName, ...restProps } = props ?? {};
-        const maxAzs = maxAzsFromProps ?? 3;
+        const maxAzs = maxAzsFromProps ?? DEFAULT_MAX_AZS;
         const natGateways = Vpc.resolveNatGateways(props);
         const vpcName = explicitName ?? id;
-        super(scope, `vpc-${id}`, {
+        super(scope, `Vpc${id}`, {
             ...restProps,
             vpcName,
             natGateways,
@@ -23,6 +26,10 @@ export class Vpc extends ec2.Vpc {
         });
         this.hasNatGateways = natGateways !== 0;
         this.addInterfaceEndpoints(id, props, this.hasNatGateways);
+        new CfnOutput(this, "VpcCidrBlock", {
+            value: this.vpcCidrBlock,
+            exportName: `${Stack.of(this).stackName}-vpc-cidr`
+        });
     }
     static gatewayEndpoints(props) {
         if (props?.endpointsConfig === false) {

package/dist/lib/resources/aws/networking/vpcPeeringAccepterRole.d.ts

@@ -0,0 +1,18 @@
+import { Construct } from "constructs";
+import { Role } from "aws-cdk-lib/aws-iam";
+import { type IVpc } from "aws-cdk-lib/aws-ec2";
+export interface VpcPeeringAccepterRoleProps {
+    /** AWS account IDs allowed to initiate peering and manage return routes. */
+    readonly requesterAccountIds: string[];
+    /** The local VPC this role is scoped to. */
+    readonly localVpc: IVpc;
+    /** Cost-allocation override — defaults to `"management"`. */
+    readonly costAllocationEnvironment?: string;
+    /** Cost-allocation override — defaults to the local VPC's construct id. */
+    readonly costAllocationDomain?: string;
+}
+export declare class VpcPeeringAccepterRole extends Construct {
+    readonly role: Role;
+    readonly roleArn: string;
+    constructor(scope: Construct, id: string, props: VpcPeeringAccepterRoleProps);
+}

package/dist/lib/resources/aws/networking/vpcPeeringAccepterRole.js

@@ -0,0 +1,61 @@
+import { Construct } from "constructs";
+import { ArnFormat, Stack, Tags } from "aws-cdk-lib";
+import { AccountPrincipal, CompositePrincipal, PolicyDocument, PolicyStatement, Role } from "aws-cdk-lib/aws-iam";
+import { COST_ALLOCATION_TAGS, DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
+export class VpcPeeringAccepterRole extends Construct {
+    role;
+    roleArn;
+    constructor(scope, id, props) {
+        super(scope, id);
+        const vpcArnPattern = Stack.of(this).formatArn({
+            service: "ec2",
+            region: "*",
+            account: "*",
+            resource: "vpc",
+            resourceName: props.localVpc.vpcId,
+            arnFormat: ArnFormat.SLASH_RESOURCE_NAME
+        });
+        this.role = new Role(this, "Role", {
+            assumedBy: new CompositePrincipal(...props.requesterAccountIds.map((accountId) => new AccountPrincipal(accountId))),
+            inlinePolicies: {
+                allowPeering: new PolicyDocument({
+                    statements: [
+                        new PolicyStatement({
+                            actions: [
+                                "ec2:AcceptVpcPeeringConnection",
+                                "ec2:ModifyVpcPeeringConnectionOptions"
+                            ],
+                            resources: ["*"],
+                            conditions: {
+                                StringEquals: {
+                                    "ec2:AccepterVpc": vpcArnPattern
+                                }
+                            }
+                        }),
+                        new PolicyStatement({
+                            actions: ["ec2:CreateRoute", "ec2:DeleteRoute"],
+                            resources: ["*"],
+                            conditions: {
+                                StringEquals: {
+                                    "ec2:Vpc": vpcArnPattern
+                                }
+                            }
+                        }),
+                        new PolicyStatement({
+                            actions: [
+                                "ec2:DescribeRouteTables",
+                                "ec2:DescribeVpcPeeringConnections"
+                            ],
+                            resources: ["*"]
+                        })
+                    ]
+                })
+            }
+        });
+        this.roleArn = this.role.roleArn;
+        Tags.of(this).add("fjall:resource:type", "vpc-peering-accepter");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.ENVIRONMENT, props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
+        Tags.of(this).add(COST_ALLOCATION_TAGS.SERVICE, "vpcPeeringAccepter");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.DOMAIN, props.costAllocationDomain ?? props.localVpc.node.id);
+    }
+}

package/dist/lib/resources/aws/networking/vpcPeeringConnection.d.ts

@@ -0,0 +1,49 @@
+import { Construct } from "constructs";
+import { CfnVPCPeeringConnection, type IVpc, type SubnetSelection } from "aws-cdk-lib/aws-ec2";
+export interface VpcPeeringConnectionProps {
+    /** The local VPC to peer from. */
+    readonly localVpc: IVpc;
+    /** The local VPC CIDR (destination of the accepter's return routes). */
+    readonly localVpcCidr: string;
+    /** The remote VPC ID. */
+    readonly peerVpcId: string;
+    /** The remote VPC CIDR (destination of the local routes). */
+    readonly peerVpcCidr: string;
+    /** Remote account ID — required for cross-account peering. */
+    readonly peerAccountId?: string;
+    /** Remote region — required for cross-region peering. */
+    readonly peerRegion?: string;
+    /** ARN of the accepter role (for auto-accept and cross-account route management). */
+    readonly peerRoleArn?: string;
+    /** Route-table IDs in the accepter VPC (for cross-account return routes). */
+    readonly peerRouteTableIds?: string[];
+    /** Local subnet selection for routes. Defaults to `PRIVATE_WITH_EGRESS`. */
+    readonly routeSubnets?: SubnetSelection;
+    /** Enable DNS resolution across the peering on both sides. Defaults to true. */
+    readonly enableDnsResolution?: boolean;
+    /**
+     * Optional cross-app label — when present, added as the `fjall:peering:peer-app`
+     * tag and used as the default cost-allocation domain.
+     */
+    readonly peerAppName?: string;
+    /**
+     * Optional organisation ID of the remote app — surfaced as a public-readonly
+     * property on the construct for downstream consumers (ECS `remoteConnections`)
+     * that need to build cross-app SSM paths.
+     */
+    readonly peerOrgId?: string;
+    /** Cost-allocation override — defaults to `"management"`. */
+    readonly costAllocationEnvironment?: string;
+    /**
+     * Cost-allocation override — defaults to `peerAppName` if provided, otherwise
+     * the peer VPC ID.
+     */
+    readonly costAllocationDomain?: string;
+}
+export declare class VpcPeeringConnection extends Construct {
+    readonly peeringConnectionId: string;
+    readonly peering: CfnVPCPeeringConnection;
+    readonly peerAppName: string | undefined;
+    readonly peerOrgId: string | undefined;
+    constructor(scope: Construct, id: string, props: VpcPeeringConnectionProps);
+}

package/dist/lib/resources/aws/networking/vpcPeeringConnection.js

@@ -0,0 +1,106 @@
+import { Construct } from "constructs";
+import { Stack, Tags } from "aws-cdk-lib";
+import { CfnRoute, CfnVPCPeeringConnection, SubnetType } from "aws-cdk-lib/aws-ec2";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
+import { COST_ALLOCATION_TAGS, DEFAULT_COST_ALLOCATION_ENVIRONMENT } from "../../../utils/costAllocationTags.js";
+import { CrossAccountReturnRoutes } from "./crossAccountReturnRoutes.js";
+export class VpcPeeringConnection extends Construct {
+    peeringConnectionId;
+    peering;
+    peerAppName;
+    peerOrgId;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.peerAppName = props.peerAppName;
+        this.peerOrgId = props.peerOrgId;
+        this.peering = new CfnVPCPeeringConnection(this, "Peering", {
+            vpcId: props.localVpc.vpcId,
+            peerVpcId: props.peerVpcId,
+            peerOwnerId: props.peerAccountId,
+            peerRegion: props.peerRegion,
+            peerRoleArn: props.peerRoleArn
+        });
+        this.peeringConnectionId = this.peering.attrId;
+        const subnets = props.localVpc.selectSubnets(props.routeSubnets ?? { subnetType: SubnetType.PRIVATE_WITH_EGRESS });
+        for (const subnet of subnets.subnets) {
+            new CfnRoute(this, `Route${subnet.node.id}`, {
+                routeTableId: subnet.routeTable.routeTableId,
+                destinationCidrBlock: props.peerVpcCidr,
+                vpcPeeringConnectionId: this.peering.attrId
+            });
+        }
+        const enableDnsResolution = props.enableDnsResolution !== false;
+        // Requester-side DNS runs in the local account, so a plain AwsCustomResource
+        // is sufficient. The accepter side is delegated to the cross-account Lambda.
+        if (enableDnsResolution) {
+            new AwsCustomResource(this, "EnableRequesterDns", {
+                onCreate: {
+                    service: "EC2",
+                    action: "modifyVpcPeeringConnectionOptions",
+                    parameters: {
+                        VpcPeeringConnectionId: this.peering.attrId,
+                        RequesterPeeringConnectionOptions: {
+                            AllowDnsResolutionFromRemoteVpc: true
+                        }
+                    },
+                    physicalResourceId: PhysicalResourceId.of(`${id}-requester-dns`)
+                },
+                policy: AwsCustomResourcePolicy.fromStatements([
+                    new PolicyStatement({
+                        actions: ["ec2:ModifyVpcPeeringConnectionOptions"],
+                        resources: [
+                            Stack.of(this).formatArn({
+                                service: "ec2",
+                                resource: "vpc-peering-connection",
+                                resourceName: this.peering.attrId
+                            })
+                        ]
+                    })
+                ])
+            });
+        }
+        const hasPeerRoleArn = props.peerRoleArn !== undefined;
+        const hasPeerRegion = props.peerRegion !== undefined;
+        const hasPeerRouteTableIds = props.peerRouteTableIds !== undefined &&
+            props.peerRouteTableIds.length > 0;
+        const presentCount = Number(hasPeerRoleArn) +
+            Number(hasPeerRegion) +
+            Number(hasPeerRouteTableIds);
+        if (presentCount > 0 && presentCount < 3) {
+            const missing = [];
+            if (!hasPeerRoleArn)
+                missing.push("peerRoleArn");
+            if (!hasPeerRegion)
+                missing.push("peerRegion");
+            if (!hasPeerRouteTableIds)
+                missing.push("peerRouteTableIds");
+            throw new Error(`VpcPeeringConnection: cross-account return routes require all of ` +
+                `peerRoleArn, peerRegion, and peerRouteTableIds (non-empty). Missing: ${missing.join(", ")}.`);
+        }
+        if (props.peerRoleArn !== undefined &&
+            props.peerRegion !== undefined &&
+            props.peerRouteTableIds !== undefined &&
+            props.peerRouteTableIds.length > 0) {
+            new CrossAccountReturnRoutes(this, "ReturnRoutes", {
+                peerRoleArn: props.peerRoleArn,
+                peerRegion: props.peerRegion,
+                routeTableIds: props.peerRouteTableIds,
+                localVpcCidr: props.localVpcCidr,
+                peeringConnectionId: this.peering.attrId,
+                enableDns: enableDnsResolution
+            });
+        }
+        Tags.of(this).add("fjall:resource:type", "vpc-peering");
+        Tags.of(this).add("fjall:peering:peer-vpc", props.peerVpcId);
+        if (props.peerAccountId) {
+            Tags.of(this).add("fjall:peering:peer-account", props.peerAccountId);
+        }
+        if (props.peerAppName) {
+            Tags.of(this).add("fjall:peering:peer-app", props.peerAppName);
+        }
+        Tags.of(this).add(COST_ALLOCATION_TAGS.ENVIRONMENT, props.costAllocationEnvironment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
+        Tags.of(this).add(COST_ALLOCATION_TAGS.SERVICE, "vpcPeering");
+        Tags.of(this).add(COST_ALLOCATION_TAGS.DOMAIN, props.costAllocationDomain ?? props.peerAppName ?? props.peerVpcId);
+    }
+}

package/dist/lib/resources/aws/organisation/costAllocationTagActivator.d.ts

@@ -1,17 +1,28 @@
 import { Construct } from "constructs";
+import { type IFunction } from "aws-cdk-lib/aws-lambda";
 import { LambdaFunction } from "../compute/lambda.js";
-export interface CostAllocationTagActivatorProps {
-    /** EventBridge schedule expression. Default: "rate(24 hours)" */
-    scheduleExpression?: string;
-}
 /**
  * Deploys a Lambda that auto-discovers and activates cost allocation tags.
  *
  * Runs daily in the management account. Any non-AWS tag applied to resources
  * (via app.addTags() or CDK aspects) is automatically activated in Cost
  * Explorer within 24 hours — no manual intervention required.
+ *
+ * The schedule is NOT wired by this construct — callers wire the cadence via
+ * `app.addSchedule(...)` so the EventBridge rule lives in the App's messaging
+ * stack alongside every other Fjall schedule (D9). The activator implements
+ * the structural `LambdaComputeShape` (duck-typed by `eventTargets.ts`), so it
+ * can be passed directly as `target` to `app.addSchedule(...)` without a
+ * `LambdaCompute` wrapper.
  */
 export declare class CostAllocationTagActivator extends Construct {
+    /** Marks this construct as a structural Lambda target for `eventTargets.ts`. */
+    readonly computeType: "lambda";
     readonly lambda: LambdaFunction;
-    constructor(scope: Construct, id: string, props?: CostAllocationTagActivatorProps);
+    constructor(scope: Construct, id: string);
+    /**
+     * Structural `LambdaComputeShape` accessor — returns the activator's Lambda
+     * so `eventTargets.ts#resolveTarget` can wire it as an EventBridge target.
+     */
+    getFunction(): IFunction;
 }

package/dist/lib/resources/aws/organisation/costAllocationTagActivator.js

@@ -8,12 +8,20 @@ import { LambdaFunction } from "../compute/lambda.js";
  * Runs daily in the management account. Any non-AWS tag applied to resources
  * (via app.addTags() or CDK aspects) is automatically activated in Cost
  * Explorer within 24 hours — no manual intervention required.
+ *
+ * The schedule is NOT wired by this construct — callers wire the cadence via
+ * `app.addSchedule(...)` so the EventBridge rule lives in the App's messaging
+ * stack alongside every other Fjall schedule (D9). The activator implements
+ * the structural `LambdaComputeShape` (duck-typed by `eventTargets.ts`), so it
+ * can be passed directly as `target` to `app.addSchedule(...)` without a
+ * `LambdaCompute` wrapper.
  */
 export class CostAllocationTagActivator extends Construct {
+    /** Marks this construct as a structural Lambda target for `eventTargets.ts`. */
+    computeType = "lambda";
     lambda;
-    constructor(scope, id, props) {
+    constructor(scope, id) {
         super(scope, id);
-        const schedule = props?.scheduleExpression ?? "rate(24 hours)";
         this.lambda = new LambdaFunction(this, "TagActivatorFunction", {
             runtime: Runtime.NODEJS_22_X,
             handler: "index.handler",
@@ -21,7 +29,6 @@ export class CostAllocationTagActivator extends Construct {
             lambdaDescription: "Auto-discovers and activates cost allocation tags in Cost Explorer",
             memorySize: 128,
             timeout: 60,
-            scheduleExpression: schedule,
             inlinePolicy: [
                 new PolicyStatement({
                     effect: Effect.ALLOW,
@@ -34,6 +41,13 @@ export class CostAllocationTagActivator extends Construct {
             ]
         });
     }
+    /**
+     * Structural `LambdaComputeShape` accessor — returns the activator's Lambda
+     * so `eventTargets.ts#resolveTarget` can wire it as an EventBridge target.
+     */
+    getFunction() {
+        return this.lambda;
+    }
 }
 const HANDLER_CODE = `
 const { CostExplorerClient, ListCostAllocationTagsCommand, UpdateCostAllocationTagsStatusCommand } = require("@aws-sdk/client-cost-explorer");

package/dist/lib/resources/aws/organisation/index.d.ts

@@ -2,4 +2,4 @@ export { Organisation as OrganisationResource, type OrganisationProps as Organis
 export { type OrganisationalUnitProps } from "./organisationalUnit.js";
 export { OrganisationAccount, type OrganisationAccountProps } from "./organisationAccount.js";
 export { OrganisationPolicy, type OrganisationPolicyProps, type OrganisationPolicyType } from "./organisationPolicy.js";
-export { CostAllocationTagActivator, type CostAllocationTagActivatorProps } from "./costAllocationTagActivator.js";
+export { CostAllocationTagActivator } from "./costAllocationTagActivator.js";

package/dist/lib/resources/aws/organisation/organisationPolicy.d.ts

@@ -1,4 +1,5 @@
 import { Construct } from "constructs";
+import { type KeyValue } from "../../../types.js";
 export type OrganisationPolicyType = "SERVICE_CONTROL_POLICY" | "TAG_POLICY" | "BACKUP_POLICY" | "AISERVICES_OPT_OUT_POLICY";
 export interface OrganisationPolicyProps {
     name: string;
@@ -6,6 +7,7 @@ export interface OrganisationPolicyProps {
     content: string | Record<string, unknown>;
     description?: string;
     targetIds?: string[];
+    tags?: KeyValue[];
 }
 export declare class OrganisationPolicy extends Construct {
     readonly policyId: string;

package/dist/lib/resources/aws/organisation/organisationPolicy.js

@@ -10,7 +10,7 @@ export class OrganisationPolicy extends Construct {
                 content = JSON.parse(props.content);
             }
             catch {
-                throw new Error(`Invalid JSON in organisation policy "${props.name}": ${props.content.slice(0, 100)}`);
+                throw new Error(`Invalid JSON in organisation policy "${props.name}"`);
             }
         }
         else {
@@ -21,7 +21,8 @@ export class OrganisationPolicy extends Construct {
             type: props.policyType,
             content,
             description: props.description,
-            targetIds: props.targetIds
+            targetIds: props.targetIds,
+            tags: props.tags?.map((t) => ({ key: t.key, value: t.value }))
         });
         this.policyId = policy.attrId;
     }

package/dist/lib/resources/aws/secrets/secret.d.ts

@@ -8,6 +8,13 @@ interface SecretProps {
     secretObjectValue?: {
         [key: string]: SecretValue;
     };
+    /**
+     * Plain-text secret value. WARNING: embedded in the CloudFormation template
+     * via `SecretValue.unsafePlainText` — anyone with read access to the synth
+     * output, the deploy artefact, or the CFN stack template can recover it.
+     * Prefer `generateSecretString` (server-generated, never leaves AWS) or
+     * `secretObjectValue` with `SecretValue.ssmSecure(...)` for inputs.
+     */
     secretStringValue?: string;
     description?: string;
     aliasName?: string;

package/dist/lib/resources/aws/secrets/secret.js

@@ -17,15 +17,16 @@ export class Secret extends Construct {
             return;
         }
         // Create KMS key for new secrets only
-        this.secretsCustomerManagedKey = new CustomerManagedKey(this, `${id}CustomerManagedKey`, {
+        const customerManagedKey = new CustomerManagedKey(this, `${id}CustomerManagedKey`, {
             aliasName: `cmk/${id}`
         });
+        this.secretsCustomerManagedKey = customerManagedKey;
         /**
          * If a secretStringValue is provided, use it to create the secret.
          */
         const secretStringValue = props.secretStringValue
             ? {
-                secretStringValue: SecretValue.unsafePlainText(props.secretStringValue || "")
+                secretStringValue: SecretValue.unsafePlainText(props.secretStringValue)
             }
             : {};
         /**
@@ -47,7 +48,7 @@ export class Secret extends Construct {
         const secretOptions = {
             secretName: props.secretName,
             secretObjectValue: props.secretObjectValue,
-            encryptionKey: this.secretsCustomerManagedKey.key,
+            encryptionKey: customerManagedKey.key,
             description: props.description,
             ...secretStringValue,
             ...generateSecretString,