@fjall/components-infrastructure 0.95.0 → 0.99.1

package/dist/lib/patterns/aws/compute.js

@@ -1,14 +1,15 @@
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { isCompute, isEcsCompute, isLambdaCompute, isEc2Compute } from "./interfaces/compute.js";
 import { warnIfPropertiesIgnored } from "../../utils/validationLogger.js";
+import { DEFAULT_ECS_FALLBACK_IMAGE, DEFAULT_EC2_INSTANCE_TYPE } from "../../resources/aws/compute/ecsConstants.js";
 // Import and re-export from per-pattern files
-import { EcsCompute, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, validateEcsProps, buildContainerConfigs, resolveScalingConfig } from "./computeEcs.js";
+import { EcsCompute, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, validateEcsProps, buildContainerConfigs, expandMigrationsSugar, resolveScalingConfig } from "./computeEcs.js";
 import { LambdaCompute, resolveLambdaDeployment, Architecture, HttpMethod, InvokeMode } from "./computeLambda.js";
 import { Ec2Compute } from "./computeEc2.js";
 // Re-export everything from per-pattern files
 export { 
 // ECS
-EcsCompute, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, validateEcsProps, buildContainerConfigs, resolveScalingConfig, 
+EcsCompute, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, validateEcsProps, buildContainerConfigs, expandMigrationsSugar, resolveScalingConfig, 
 // Lambda
 LambdaCompute, resolveLambdaDeployment, Architecture, HttpMethod, InvokeMode, 
 // EC2
@@ -36,14 +37,12 @@ export const COMPUTE_TYPE_CONFIG = {
  */
 export const COMPUTE_DEFAULTS = {
     EC2: {
-        INSTANCE_TYPE: "t4g.micro",
+        INSTANCE_TYPE: DEFAULT_EC2_INSTANCE_TYPE,
         MIN_CAPACITY: 1,
         MAX_CAPACITY: 1
     },
     ECS: {
-        /** AWS sample image used when no ECR repository is provided */
-        FALLBACK_IMAGE: "amazon/amazon-ecs-sample",
-        /** Default tag for ECR images */
+        FALLBACK_IMAGE: DEFAULT_ECS_FALLBACK_IMAGE,
         IMAGE_TAG: "latest"
     },
     LAMBDA: {
@@ -140,13 +139,8 @@ export class ComputeFactory {
                             name: service.name,
                             clusterName
                         };
-                        // Include dockerfilePath if specified (metadata for CLI)
-                        if (service.dockerfilePath) {
-                            manifestService.dockerfilePath = service.dockerfilePath;
-                        }
-                        // Include dockerTarget if specified (metadata for CLI)
-                        if (service.dockerTarget) {
-                            manifestService.dockerTarget = service.dockerTarget;
+                        if (service.docker !== undefined) {
+                            manifestService.docker = service.docker;
                         }
                         // Find container port from first container with a port
                         const containerWithPort = service.containers?.find((c) => c.port !== undefined);

package/dist/lib/patterns/aws/computeEcs.d.ts

@@ -1,416 +1,54 @@
-import { type RepositoryImage, type ICluster, type IBaseService } from "aws-cdk-lib/aws-ecs";
-import { type Repository } from "aws-cdk-lib/aws-ecr";
-import { type Connections, type IVpc, type ISecurityGroup } from "aws-cdk-lib/aws-ec2";
-import { type PolicyDocument, type IManagedPolicy, type IGrantable, Grant } from "aws-cdk-lib/aws-iam";
+import { type ICluster, type IBaseService, type TaskDefinition, type FargateTaskDefinition } from "aws-cdk-lib/aws-ecs";
+import { type Connections, type ISecurityGroup } from "aws-cdk-lib/aws-ec2";
+import { type IGrantable, type IRole, Grant } from "aws-cdk-lib/aws-iam";
 import { type IApplicationLoadBalancer, type ApplicationListener } from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import { Construct } from "constructs";
-import type { ITopic } from "aws-cdk-lib/aws-sns";
 import { type IEcsCompute } from "./interfaces/compute.js";
-import { type ConnectionSpec } from "./interfaces/connector.js";
-import EcsCluster, { type EcsClusterProps, ScalingType, type DomainConfig, type EcsCapacityProvider, type Ec2CapacityConfig } from "../../resources/aws/compute/ecs.js";
-import type { EcsServiceAlarmThresholds } from "../../resources/aws/monitoring/index.js";
-import { type SecretImport } from "../../resources/aws/secrets/index.js";
-export { ScalingType };
-export type { EcsCapacityProvider, Ec2CapacityConfig };
-/**
- * Configuration for ECS capacity providers.
- */
-export interface EcsCapacityProviderConfig {
-    /** Whether this uses Spot pricing */
-    usesSpot: boolean;
-    /** Whether this runs on EC2 instances (vs serverless Fargate) */
-    usesEc2Instances: boolean;
-}
+import EcsCluster, { type EcsClusterProps } from "../../resources/aws/compute/ecs.js";
+export { ScalingType } from "./computeEcsTypes.js";
+export type { EcsCapacityProvider, Ec2CapacityConfig, RemoteConnectionSpec, EcsCapacityProviderConfig, EcsContainerConfig, ContainerDependency, ContainerVolume, EcsScheduledTaskConfig, EcsLifecycleHookMigrationsConfig, EcsPostDeployMigrationsConfig, EcsHookMigrationsConfig, EcsMigrationsConfig, EcsMigrationsMode, EcsCircuitBreakerConfig, EcsScalingConfig, EcsClusterConfig, EcsRoutingConfig, EcsServiceConfig, EcsComputeProps } from "./computeEcsTypes.js";
+import { ScalingType, type EcsCapacityProviderConfig, type EcsCapacityProvider, type EcsContainerConfig, type EcsScalingConfig, type EcsServiceConfig, type EcsComputeProps } from "./computeEcsTypes.js";
 export declare const ECS_CAPACITY_PROVIDER_CONFIG: Record<EcsCapacityProvider, EcsCapacityProviderConfig>;
 export declare function getEcsCapacityProviderConfig(provider: EcsCapacityProvider): EcsCapacityProviderConfig;
 /**
- * Configuration for a container in an ECS task.
- *
- * For single-container services, `name` is optional and defaults to `${serviceName}Container`.
- * For multi-container tasks, the first container with a `port` is the **primary container**
- * that receives load balancer traffic.
- *
- * @example
- * // Single container (name auto-generated)
- * containers: [{ port: 3000 }]
- *
- * @example
- * // Multi-container with sidecars
- * containers: [
- *   { name: "app", port: 3000 },                    // Primary - receives ALB traffic
- *   { name: "datadog", image: "datadog/agent" }     // Sidecar - monitoring
- * ]
- */
-export interface EcsContainerConfig {
-    /** Container name. Optional for single-container services. */
-    name?: string;
-    /**
-     * Container image. Options:
-     * - Omit: Uses app's default ECR repository (primary container only)
-     * - string: ECR repository name or public image URL
-     * - Repository: CDK ECR Repository construct
-     */
-    image?: string | Repository;
-    /**
-     * Port the container listens on.
-     * The first container with a port becomes the **primary container**
-     * and is registered with the load balancer.
-     */
-    port?: number;
-    /** Environment variables */
-    environment?: Record<string, string>;
-    /**
-     * Secrets from AWS SSM Parameter Store.
-     * Array of secret names that will be fetched from the service's SSM namespace.
-     * The namespace path is auto-determined from app/cluster/service names.
-     *
-     * @example
-     * // Secrets at /myapp/api-cluster/users/API_KEY and /myapp/api-cluster/users/DB_PASSWORD
-     * secrets: ["API_KEY", "DB_PASSWORD"]
-     */
-    secrets?: string[];
-    /** Secrets imported from other CDK resources (AWS Secrets Manager) */
-    secretsImport?: Record<string, SecretImport>;
-    /** Command to run in the container */
-    command?: string[];
-    /** Entry point for the container */
-    entryPoint?: string[];
-    /**
-     * Whether this container is essential.
-     * If an essential container stops, all containers in the task stop.
-     * Default: true
-     */
-    essential?: boolean;
-    /**
-     * Health check configuration.
-     * Default: For primary container with port, uses curl health check.
-     */
-    healthCheck?: {
-        command: string[];
-        interval?: number;
-        timeout?: number;
-        retries?: number;
-        startPeriod?: number;
-    };
-}
-/**
- * ECS scaling configuration.
- * - Omit: enabled with defaults
- * - `{}`: enabled with defaults
- * - `{ minCapacity: 2, maxCapacity: 10 }`: custom scaling
- * - `false`: explicitly disabled
- */
-export interface EcsScalingConfig {
-    minCapacity?: number;
-    maxCapacity?: number;
-    scalingType?: ScalingType;
-}
-/**
- * Cluster-level configuration.
- * Controls the shared ALB for all services in this cluster.
- */
-export interface EcsClusterConfig {
-    /**
-     * Domain for HTTPS access.
-     * - Omit: ALB created with default DNS (*.elb.amazonaws.com)
-     * - Specified: Creates ACM certificate + Route53 DNS A record
-     */
-    domain?: string;
-    /**
-     * Load balancer configuration.
-     * - Omit or "public": Internet-facing ALB (default)
-     * - "internal": VPC-only ALB
-     * - false: No ALB (for workers/background processors)
-     */
-    loadBalancer?: false | "public" | "internal";
-    /**
-     * Enable direct EC2 access without ALB.
-     * Uses host network mode for predictable ports.
-     * Access via EC2 public IP at container port.
-     */
-    directAccess?: boolean;
-    /**
-     * Advanced domain configuration for routing policies (latency, weighted, geo).
-     * Only used when domain is specified.
-     * Allows for multi-region deployments with advanced DNS routing.
-     */
-    domainConfig?: DomainConfig;
-}
-/**
- * Routing configuration for path/host-based routing on the ALB.
- * Required when cluster has multiple services with ports.
- * Optional for single service (gets all traffic automatically).
- */
-export interface EcsRoutingConfig {
-    /**
-     * Path pattern for routing (e.g., "/api/*", "/users/*").
-     * Uses ALB path-based routing.
-     */
-    path?: string;
-    /**
-     * Host header for routing (e.g., "api.example.com").
-     * Uses ALB host-based routing.
-     */
-    host?: string;
-    /**
-     * Priority for this routing rule (1-50000).
-     * Lower number = higher priority.
-     * Auto-assigned if omitted.
-     */
-    priority?: number;
-    /**
-     * Health check path for this service's target group.
-     * Default: "/"
-     */
-    healthCheckPath?: string;
-}
-/**
- * Configuration for a service in an ECS cluster.
- * Each service gets its own task definition, scaling config, and target group.
- *
- * @example
- * // Simple service
- * { name: "api", containers: [{ port: 3000 }] }
- *
- * @example
- * // Service with routing (for multi-service clusters)
- * { name: "users", containers: [{ port: 3000 }], routing: { path: "/users/*", priority: 100 } }
- *
- * @example
- * // Service with multiple routing rules (same target group)
- * { name: "web", containers: [{ port: 3000 }], routing: [
- *   { path: "/api/v2/*", priority: 50 },
- *   { path: "/*", priority: 200 },
- * ]}
- *
- * @example
- * // Service with sidecars
- * {
- *   name: "api",
- *   containers: [
- *     { name: "app", port: 3000 },
- *     { name: "datadog", image: "datadog/agent" }
- *   ]
- * }
+ * Validates ECS-specific props.
+ * Extracted for clarity and detail parity with database/network patterns.
  */
-export interface EcsServiceConfig {
-    /** Service name (unique within cluster) */
-    name: string;
-    /**
-     * Container image for this service (applies to first container without explicit image).
-     * - Omit: Uses app's default ECR repository
-     * - string: ECR repository name or public image URL
-     * - Repository: CDK ECR Repository construct
-     */
-    image?: string | Repository;
-    /**
-     * Container configuration(s) for this service.
-     * For single-container services, container name is optional and auto-generated.
-     * For multi-container services, the first container with a port is the primary container.
-     */
-    containers?: EcsContainerConfig[];
-    /**
-     * Routing rules for this service on the cluster's ALB.
-     * Required when cluster has multiple services with ports.
-     * Optional for single service (gets /* automatically).
-     * Can be a single rule or an array of rules pointing to the same target group.
-     *
-     * @example
-     * // Multiple routes for the same service
-     * routing: [
-     *   { path: "/api/v2/*", priority: 50 },
-     *   { path: "/*", priority: 200 },
-     * ]
-     */
-    routing?: EcsRoutingConfig | EcsRoutingConfig[];
-    /** CPU units for this service's tasks (256-4096) */
-    cpu?: number;
-    /** Memory in MiB for this service's tasks (512-30720) */
-    memoryLimitMiB?: number;
-    /** Desired number of tasks. Default: 2 */
-    desiredCount?: number;
-    /**
-     * Scaling configuration.
-     * - Omit: enabled with defaults
-     * - false: disabled
-     */
-    scaling?: EcsScalingConfig | false;
-    /**
-     * Path to Dockerfile for building this service's image.
-     * Metadata for CLI build process, not used during CDK synthesis.
-     */
-    dockerfilePath?: string;
-    /**
-     * Docker build target stage for multi-stage Dockerfiles.
-     * When specified, the CLI builds with `--target <dockerTarget>`.
-     * The image tag suffix is also updated: `<service>-<target>-latest`.
-     *
-     * @example
-     * // Dockerfile: FROM node AS base ... FROM base AS api ... FROM base AS worker
-     * { name: "api", dockerTarget: "api" }   // builds: myapp-api-api-latest
-     * { name: "worker", dockerTarget: "worker" }  // builds: myapp-worker-worker-latest
-     */
-    dockerTarget?: string;
-    /**
-     * Additional inline policies for this service's task role.
-     * Added on top of the default ECS Exec permissions.
-     * Use for service-specific AWS permissions (S3, DynamoDB, SQS, etc.).
-     */
-    taskRoleInlinePolicies?: Record<string, PolicyDocument>;
-    /**
-     * Additional managed policies for this service's task role.
-     * Added on top of the default ECS Exec permissions.
-     */
-    taskRoleManagedPolicies?: IManagedPolicy[];
-    /**
-     * Resources this service needs to connect to (e.g., databases, S3 buckets, SQS queues).
-     * Creates security group rules for IConnectable resources and IAM grants for IAM resources.
-     * Follows least-privilege - only this service gets access, not all services in the cluster.
-     *
-     * Supports:
-     * - IConnectable: Security group resources (RDS, ECS, etc.)
-     * - IStorageConnector: S3 buckets (IAM grants)
-     * - IDynamoDBConnector: DynamoDB tables (IAM grants)
-     * - IQueueConnector: SQS queues (IAM grants)
-     * - ConnectionConfig: Explicit access level configuration
-     *
-     * @example
-     * // Simple connections (default permissions)
-     * connections: [database, bucket, cache, queue]
-     *
-     * @example
-     * // Explicit access levels
-     * connections: [
-     *   database,                              // Security group (RDS)
-     *   { resource: cache, access: "read" },   // Read-only DynamoDB
-     *   { resource: bucket, access: "write" }, // Write-only S3
-     *   { resource: queue, access: "consume" } // Consume-only SQS
-     * ]
-     */
-    connections?: ConnectionSpec[];
-    /**
-     * Capacity provider for this service. REQUIRED.
-     * Each service specifies its own capacity provider.
-     *
-     * @example
-     * // Mixed FARGATE and EC2 services in same cluster
-     * {
-     *   services: [
-     *     { name: "api", capacityProvider: "FARGATE" },
-     *     { name: "worker", capacityProvider: "EC2", ec2Config: { instanceType: "t4g.micro" } }
-     *   ]
-     * }
-     */
-    capacityProvider: EcsCapacityProvider;
-    /**
-     * EC2 capacity configuration for this service.
-     * Only used when service capacityProvider is "EC2".
-     * Services with matching ec2Config share an ASG for efficiency.
-     */
-    ec2Config?: Ec2CapacityConfig;
-    /**
-     * SSM Parameter Store path for secrets.
-     * If not specified, secrets are fetched from /<app>/<cluster>/<service>.
-     * Use this to override the default convention.
-     *
-     * @example
-     * // Override default path
-     * ssmSecretsPath: "/custom/path/to/secrets"
-     */
-    ssmSecretsPath?: string;
-    /**
-     * Per-service alarm configuration.
-     * - undefined: use defaults (CPU, memory, running tasks, 5xx if ALB)
-     * - false: disable alarms for this service
-     * - object: override specific thresholds
-     */
-    alarms?: EcsServiceAlarmThresholds | false;
-}
+export declare function validateEcsProps(props: EcsComputeProps): void;
 /**
- * ECS compute configuration.
- * Creates an ECS cluster with one or more services sharing a load balancer.
+ * Expand a service's `migrations` sugar into a synthetic init container plus
+ * auto-injected `dependsOn` entries on every other container.
  *
- * @example
- * // Single service
- * app.addCompute(ComputeFactory.build("WebApp", {
- *   type: "ecs",
- *   cluster: { domain: "app.example.com" },
- *   services: [{ name: "web", containers: [{ port: 3000 }] }]
- * }));
+ * - Synthesises a non-essential container that runs the migration command and exits.
+ * - Inherits image / environment / secrets / secretsImport from the primary container
+ *   (first container with a port, or first container if none have a port).
+ * - Auto-wires every other container to wait on the migrate container's `SUCCESS`,
+ *   skipping containers that already declare the dependency to keep user overrides intact.
+ * - Throws on name collision when a user-defined container shares the migrate name.
  *
- * @example
- * // Multi-service cluster with routing
- * app.addCompute(ComputeFactory.build("ApiCluster", {
- *   type: "ecs",
- *   cluster: { domain: "api.example.com" },
- *   services: [
- *     { name: "users", containers: [{ port: 3000 }], routing: { path: "/users/*" } },
- *     { name: "orders", containers: [{ port: 3001 }], routing: { path: "/orders/*" } }
- *   ]
- * }));
+ * When `migrations.mode` is a lambda-hook variant (`"lifecycle-hook"` /
+ * `"post-deploy"`), this helper is a no-op: the task
+ * definition stays unmodified and the migration is run by a deployment lifecycle
+ * hook synthesised separately at the pattern layer.
  *
- * @example
- * // Internal workers (no ALB)
- * app.addCompute(ComputeFactory.build("Workers", {
- *   type: "ecs",
- *   cluster: { loadBalancer: false },
- *   services: [{ name: "processor" }, { name: "emailer" }]
- * }));
- */
-export interface EcsComputeProps {
-    type: "ecs";
-    vpc?: IVpc;
-    /**
-     * Application name for SSM secrets namespace.
-     * When containers use secrets, the path is derived as: /<appName>/<clusterName>/<serviceName>
-     * Auto-derived from App.getName() if not specified.
-     */
-    appName?: string;
-    /**
-     * Cluster configuration.
-     * Controls the shared ALB for all services in this cluster.
-     * - Omit: ALB created with default settings
-     * - `{ domain: "..." }`: ALB with HTTPS + DNS
-     * - `{ loadBalancer: false }`: No ALB (internal workers)
-     */
-    cluster?: EcsClusterConfig;
-    /**
-     * Services in this cluster.
-     * Each service gets its own task definition, scaling, and target group.
-     * Each service MUST specify its own capacityProvider.
-     * All services share the cluster's ALB (unless disabled).
-     */
-    services: EcsServiceConfig[];
-    /**
-     * ECR repository for all services (default image).
-     * Individual services can override with their own `image` property.
-     */
-    ecrRepository?: Repository | RepositoryImage;
-    /**
-     * Path to Dockerfile for building custom image.
-     * Note: This is metadata for the CLI build process,
-     * not used during CDK synthesis.
-     */
-    dockerfilePath?: string;
-    /**
-     * SNS topic for alarm notifications. Resolved to ITopic and passed to EcsCluster.
-     * Accepts either an ITopic directly or a topic ARN string (resolved internally).
-     */
-    alertsTopic?: ITopic | string;
-    /** Application ID for alarm tagging (used by webhook to map alarms to applications). */
-    applicationId?: string;
-}
-/**
- * Validates ECS-specific props.
- * Extracted for clarity and detail parity with database/network patterns.
+ * @internal Exported for testing only
  */
-export declare function validateEcsProps(props: EcsComputeProps): void;
+export declare function expandMigrationsSugar(service: EcsServiceConfig, userContainers: EcsContainerConfig[] | undefined): EcsContainerConfig[];
 /**
  * Build container configurations for an ECS service.
  * Converts user-facing EcsContainerConfig to internal EcsClusterProps format.
+ *
+ * @param service       Service config from EcsComputeProps.
+ * @param schemaVersionEnv Pre-resolved `{ EXPECTED_SCHEMA_VERSION: <ver> }`
+ *                      from a connected database's `migrations:` config, or
+ *                      `undefined` when the service has no migrated DB or
+ *                      opted out via `schemaGate: false`.
+ * @param annotationsScope Construct used as the source for synth-time
+ *                      warnings when the author has set `EXPECTED_SCHEMA_VERSION`
+ *                      themselves and the resolved value differs.
  * @internal Exported for testing only
  */
-export declare function buildContainerConfigs(service: EcsServiceConfig): EcsClusterProps["services"][number]["containers"];
+export declare function buildContainerConfigs(service: EcsServiceConfig, schemaVersionEnv?: Record<string, string>, annotationsScope?: Construct): EcsClusterProps["services"][number]["containers"];
 /**
  * Resolved scaling configuration for an ECS service.
  * @internal Exported for testing only
@@ -434,7 +72,46 @@ export declare class EcsCompute extends Construct implements IEcsCompute {
     readonly computeType: "ecs";
     readonly connections: Connections;
     private readonly ecsCluster;
+    private readonly clusterId;
+    private readonly appName;
+    private readonly migrationTaskDefinitions;
     constructor(scope: Construct, id: string, props: EcsComputeProps);
+    /**
+     * Walks a service's `connections:` for a relational database carrying a
+     * `migrations:` config. Returns the schema-version gate env entries to
+     * thread into the service's containers, or `undefined` when the service is
+     * not gated.
+     *
+     * - `schemaGate: false` → returns `undefined` (auditable opt-out)
+     * - No migrated DB in connections → returns `undefined`
+     * - Exactly one migrated DB → returns `{ EXPECTED_SCHEMA_VERSION, EXPECTED_SCHEMA_VERSION_TOOL }`
+     * - Two or more migrated DBs → throws via `resolveMigrationDatabaseForService`
+     *
+     * Both envs always emit together. The tool sibling lets the runtime gate
+     * dispatch to the matching resolver (or refuse on unknown tool) instead of
+     * hardcoding one.
+     */
+    private resolveSchemaVersionEnv;
+    private materialiseScheduledTasks;
+    private buildScheduledTaskDefinition;
+    /**
+     * For each service whose `migrations.mode` is a lambda-hook variant
+     * (`"lifecycle-hook"` for PRE_SCALE_UP, `"post-deploy"` for POST_SCALE_UP),
+     * synthesise the Lambda + IAM role + log group that backs the deployment
+     * lifecycle hook. The init-container path is unaffected — services without
+     * `mode` (or with `mode: "init-container"`) still get the synthetic
+     * migrate container injected by `expandMigrationsSugar`.
+     */
+    private wireLifecycleHookMigrations;
+    /**
+     * Synthesise a dedicated migration task definition for a lifecycle-hook
+     * migration when `separateTaskDef` is set. Creates the migration's own
+     * execution + task roles, log group, security group (when `egressTo` is
+     * present, else reuses the service's SGs), and the Fargate task definition
+     * with the migration container baked in.
+     */
+    private synthesiseMigrationTaskDef;
+    private resolveMigrationSecrets;
     /** Get the ECS cluster. */
     getCluster(): ICluster;
     /** Get the Application Load Balancer if one was created. */
@@ -443,12 +120,21 @@ export declare class EcsCompute extends Construct implements IEcsCompute {
     getService(name: string): IBaseService | undefined;
     /** Get all services in the cluster. */
     getAllServices(): IBaseService[];
+    getTaskDefinition(serviceName: string): TaskDefinition | undefined;
+    /**
+     * Get the migration task definition for a service. Returns `undefined` when
+     * the service has no `migrations: { mode: "lifecycle-hook", separateTaskDef }`
+     * configured — escape hatch for callers that need to attach grants (e.g.
+     * `bucket.grantReadWrite(td.taskRole)`) to the migration task role.
+     */
+    getMigrationTaskDefinition(serviceName: string): FargateTaskDefinition | undefined;
     /** Get the security group for the cluster. */
     getSecurityGroup(): ISecurityGroup;
     /**
      * Get the ALB listener if this is an ECS compute with ALB.
      */
     getListener(): ApplicationListener | undefined;
+    getPrimaryListenerPort(): number | undefined;
     /**
      * Get the underlying ECS cluster construct.
      */
@@ -459,4 +145,17 @@ export declare class EcsCompute extends Construct implements IEcsCompute {
      * which are not known until runtime (tasks are ephemeral).
      */
     grantExecuteCommand(grantee: IGrantable): Grant;
+    /**
+     * Get the EC2 instance role for the cluster's underlying ASG. EC2-mode
+     * clusters return the ASG instance role; Fargate-only clusters return
+     * `undefined`. Use to attach S3 grants etc. that must reach the host
+     * process (D10 — single accessor; no separate `getAutoScalingGroup()`).
+     */
+    getInstanceRole(): IRole | undefined;
+    /**
+     * Get the underlying ASG's `autoScalingGroupName` token. String-only —
+     * D10 forbids exposing the ASG construct itself. Used by alarm helpers
+     * that need a CloudWatch dimension value.
+     */
+    getAutoScalingGroupName(): string | undefined;
 }