npm - @fjall/components-infrastructure - Versions diffs - 0.96.0 → 0.99.1 - Mend

@fjall/components-infrastructure 0.96.0 → 0.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/dist/lib/app.d.ts CHANGED Viewed

@@ -10,7 +10,11 @@ import { type INetworkProps, type Network } from "./patterns/aws/network.js";
 import { type Cdn } from "./patterns/aws/cdn.js";
 import { type VpcPeer } from "./patterns/aws/vpcPeer.js";
 import { type VpcPeerAccepter } from "./patterns/aws/vpcPeerAccepter.js";
-import { type AnyMessaging } from "./patterns/aws/messaging.js";
+import { type AnyMessaging, type EventBusMessaging } from "./patterns/aws/messaging.js";
+import { Schedule, type ScheduleProps } from "./resources/aws/messaging/schedule.js";
+import { type RemovalPolicyString } from "./resources/aws/messaging/utils.js";
+import { type ServiceRegistrationProps } from "./resources/aws/networking/serviceDiscovery.js";
+import { type IPrivateDnsNamespace, type IService } from "aws-cdk-lib/aws-servicediscovery";
 import { type AnyCompute } from "./patterns/aws/compute.js";
 import { type Storage, type StorageFactoryFn } from "./patterns/aws/storage.js";
 import { type AnyPattern } from "./patterns/aws/pattern.js";
@@ -63,6 +67,20 @@ export interface IAppOptions {
     tunnel?: {
         instanceType?: string;
     } | boolean;
+    /**
+     * EventBridge default-bus override (T7a, D2 + D17).
+     *
+     * - `name?` overrides the AWS `EventBus.Name` (defaults to the app name).
+     * - `removalPolicy?` overrides the env-resolved default. Default resolves
+     *   via `env({ default: "DESTROY", production: "RETAIN" })` per D17 — NOT
+     *   `process.env.NODE_ENV` (which is not set during CDK synth in Fjall's
+     *   deployment paths). The shape is the normalised string union per
+     *   D18(d), NOT the raw CDK `RemovalPolicy` enum.
+     */
+    eventBus?: {
+        name?: string;
+        removalPolicy?: RemovalPolicyString;
+    };
 }
 /**
  * The basic corner-stone of all Fjall-hosted applications.
@@ -78,6 +96,9 @@ export declare class App extends CdkApp {
     private vpc?;
     private additionalVpcs;
     private defaultEcr;
+    private defaultEventBus?;
+    private eventBusOverride?;
+    private defaultNamespace?;
     private defaultAuditRole;
     private auditRoleExternalId?;
     private bastion?;
@@ -148,6 +169,37 @@ export declare class App extends CdkApp {
     getVpc(name?: string): IVpc;
     getVpcNames(): string[];
     getDefaultContainerRegistry(): Ecr;
+    /**
+     * Lazy getter for the per-app default custom EventBridge bus (D2).
+     *
+     * Buses are recreatable in non-prod; the env-resolved default keeps prod
+     * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
+     * is consulted first; absent override falls back to the app name and the
+     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
+     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
+     * deployment paths.
+     */
+    getEventBus(): EventBusMessaging;
+    /**
+     * Lazy getter for the per-app Cloud Map private DNS namespace (D7 + D29 of
+     * the ClickHouse Database Factory promotion design).
+     *
+     * The namespace is constructed in the network stack on first call and
+     * reused thereafter — `app.getNamespace() === app.getNamespace()`. Default
+     * name is `${toKebab(appName)}.local` per the implementation-defined
+     * derivation rule; v1 has no override config option (D29). Returns the
+     * `IPrivateDnsNamespace` interface per D18(a), never the concrete class.
+     */
+    getNamespace(): IPrivateDnsNamespace;
+    /**
+     * Register a Cloud Map service against the per-app namespace. Lazily creates
+     * the namespace on first call (same construct as `getNamespace()`) and
+     * delegates to the `ServiceDiscoveryNamespace` wrapper's `registerService`
+     * — keeping both halves of Cloud Map (namespace + services) routed through
+     * the wrapper layer per § Wrapper Routing Discipline.
+     */
+    registerService(props: ServiceRegistrationProps): IService;
+    private ensureNamespace;
     /**
      * Create a cross-account audit role in the Network stack that allows
      * the Fjall platform to use CloudQuery for comprehensive AWS resource auditing.
@@ -288,6 +340,21 @@ export declare class App extends CdkApp {
      * }));
      */
     addMessaging<T extends AnyMessaging & Construct>(fn: (app: App, scope: Construct) => T): T;
+    /**
+     * Register an EventBridge schedule against a Fjall wrapper target.
+     *
+     * Defaults to the messaging stack; set `props.stackPlacement = "compute"`
+     * when the schedule's target lives in the compute stack and cross-stack
+     * output churn is undesired. `applicationId` is threaded automatically
+     * from `app.getName()` for alarm webhook routing per D13.
+     *
+     * @example
+     * app.addSchedule("MetricsCollection", {
+     *   schedule: "rate(5 minutes)",
+     *   target: notificationsQueue
+     * });
+     */
+    addSchedule(id: string, props: Omit<ScheduleProps, "applicationId">): Schedule;
     /**
      * Add a high-level infrastructure pattern to the application.
      *

package/dist/lib/app.js CHANGED Viewed

@@ -1,9 +1,13 @@
 import { App as CdkApp, Aspects, Tags } from "aws-cdk-lib";
+import { maskSensitiveOutput } from "@fjall/util";
 import { Vpc } from "./resources/aws/networking/vpc.js";
-import { createBastion } from "./utils/bastionFactory.js";
+import { createBastion } from "./patterns/aws/bastionFactory.js";
 import { AwsStack } from "./resources/index.js";
 import { EcrFactory } from "./resources/aws/storage/ecr.js";
 import { NetworkFactory } from "./patterns/aws/network.js";
+import { MessagingFactory } from "./patterns/aws/messaging.js";
+import { Schedule } from "./resources/aws/messaging/schedule.js";
+import { ServiceDiscoveryNamespace } from "./resources/aws/networking/serviceDiscovery.js";
 import { StandardTagsAspect } from "./utils/standardTagsAspect.js";
 import { BACKUP_TIER_TAG_KEY, BACKUP_TIER_TAG_MAP } from "./utils/backupTierMapping.js";
 import { randomBytes } from "crypto";
@@ -28,6 +32,9 @@ export class App extends CdkApp {
     vpc;
     additionalVpcs = new Map();
     defaultEcr;
+    defaultEventBus;
+    eventBusOverride;
+    defaultNamespace;
     defaultAuditRole;
     auditRoleExternalId;
     bastion;
@@ -59,6 +66,9 @@ export class App extends CdkApp {
         if (options?.tunnel) {
             this.initialiseTunnel(options.tunnel);
         }
+        if (options?.eventBus !== undefined) {
+            this.eventBusOverride = options.eventBus;
+        }
     }
     applyBackupTag(tier) {
         this.globalTags[BACKUP_TIER_TAG_KEY] = BACKUP_TIER_TAG_MAP[tier];
@@ -128,6 +138,19 @@ export class App extends CdkApp {
             if (options?.tunnel && !App.instance.bastion) {
                 App.instance.initialiseTunnel(options.tunnel);
             }
+            if (options?.eventBus !== undefined) {
+                if (App.instance.eventBusOverride === undefined &&
+                    App.instance.defaultEventBus === undefined) {
+                    App.instance.eventBusOverride = options.eventBus;
+                }
+                else {
+                    const reason = App.instance.defaultEventBus !== undefined
+                        ? "bus was already materialised via getEventBus()"
+                        : "override was already set on a prior App.getApp() call";
+                    FjallLogger.warn(`App.getApp() eventBus override ignored: ${reason}. ` +
+                        `Pass eventBus options to the first App.getApp() call.`);
+                }
+            }
         }
         return App.instance;
     }
@@ -248,6 +271,67 @@ export class App extends CdkApp {
         }
         return this.defaultEcr;
     }
+    /**
+     * Lazy getter for the per-app default custom EventBridge bus (D2).
+     *
+     * Buses are recreatable in non-prod; the env-resolved default keeps prod
+     * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
+     * is consulted first; absent override falls back to the app name and the
+     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
+     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
+     * deployment paths.
+     */
+    getEventBus() {
+        if (this.defaultEventBus) {
+            return this.defaultEventBus;
+        }
+        const eventBusName = this.eventBusOverride?.name ?? this.getName();
+        const removalPolicy = this.eventBusOverride?.removalPolicy;
+        const bus = this.addMessaging(MessagingFactory.build(`${this.stackPrefix}EventBus`, {
+            type: "eventBus",
+            eventBusName,
+            appName: this.name,
+            removalPolicy
+        }));
+        this.defaultEventBus = bus;
+        return bus;
+    }
+    /**
+     * Lazy getter for the per-app Cloud Map private DNS namespace (D7 + D29 of
+     * the ClickHouse Database Factory promotion design).
+     *
+     * The namespace is constructed in the network stack on first call and
+     * reused thereafter — `app.getNamespace() === app.getNamespace()`. Default
+     * name is `${toKebab(appName)}.local` per the implementation-defined
+     * derivation rule; v1 has no override config option (D29). Returns the
+     * `IPrivateDnsNamespace` interface per D18(a), never the concrete class.
+     */
+    getNamespace() {
+        return this.ensureNamespace().getNamespace();
+    }
+    /**
+     * Register a Cloud Map service against the per-app namespace. Lazily creates
+     * the namespace on first call (same construct as `getNamespace()`) and
+     * delegates to the `ServiceDiscoveryNamespace` wrapper's `registerService`
+     * — keeping both halves of Cloud Map (namespace + services) routed through
+     * the wrapper layer per § Wrapper Routing Discipline.
+     */
+    registerService(props) {
+        return this.ensureNamespace().registerService(props);
+    }
+    ensureNamespace() {
+        if (this.defaultNamespace) {
+            return this.defaultNamespace;
+        }
+        const networkStack = this.getDefaultNetworkStack();
+        const namespace = new ServiceDiscoveryNamespace(networkStack.getStack(), `${this.stackPrefix}Namespace`, {
+            vpc: this.getVpc(),
+            name: `${toKebab(this.name)}.local`
+        });
+        networkStack.addConstruct(namespace);
+        this.defaultNamespace = namespace;
+        return namespace;
+    }
     /**
      * Create a cross-account audit role in the Network stack that allows
      * the Fjall platform to use CloudQuery for comprehensive AWS resource auditing.
@@ -467,6 +551,32 @@ export class App extends CdkApp {
         messagingStack.addConstruct(messaging);
         return messaging;
     }
+    /**
+     * Register an EventBridge schedule against a Fjall wrapper target.
+     *
+     * Defaults to the messaging stack; set `props.stackPlacement = "compute"`
+     * when the schedule's target lives in the compute stack and cross-stack
+     * output churn is undesired. `applicationId` is threaded automatically
+     * from `app.getName()` for alarm webhook routing per D13.
+     *
+     * @example
+     * app.addSchedule("MetricsCollection", {
+     *   schedule: "rate(5 minutes)",
+     *   target: notificationsQueue
+     * });
+     */
+    addSchedule(id, props) {
+        const stack = props.stackPlacement === "compute"
+            ? this.getDefaultComputeStack()
+            : this.getDefaultMessagingStack();
+        const schedule = new Schedule(stack.getStack(), id, {
+            ...props,
+            applicationId: this.getName(),
+            appName: props.appName ?? this.getName()
+        });
+        stack.addConstruct(schedule);
+        return schedule;
+    }
     /**
      * Add a high-level infrastructure pattern to the application.
      *
@@ -590,9 +700,8 @@ export class App extends CdkApp {
             writeManifest(assembly, this.manifestCollector);
         }
         catch (error) {
-            // Don't fail synth if manifest export fails
-            const errorMessage = error instanceof Error ? error.message : String(error);
-            FjallLogger.warn(`Failed to export Fjall manifest: ${errorMessage}`);
+            const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+            FjallLogger.warn(`Failed to export Fjall manifest: ${maskedMessage}`);
         }
         return assembly;
     }

package/dist/lib/config/aws/__t17fixture.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/lib/config/aws/__t17fixture.js ADDED Viewed

@@ -0,0 +1,3 @@
+import { Rule } from "aws-cdk-lib/aws-events";
+import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
+console.log(Rule, LambdaFunction);

package/dist/lib/config/aws/__t17fixtureType.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { type IRule } from "aws-cdk-lib/aws-events";
2	+ export type T = IRule;

package/dist/lib/config/aws/__t17fixtureType.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/lib/config/aws/alarmTopic.js CHANGED Viewed

@@ -1,18 +1,22 @@
 import { CfnOutput } from "aws-cdk-lib";
-import * as sns from "aws-cdk-lib/aws-sns";
 import { Construct } from "constructs";
+import { SNSTopic } from "../../resources/aws/messaging/sns.js";
 export class SharedAlarmTopic extends Construct {
     topic;
     topicArn;
     constructor(scope, id) {
         super(scope, id);
-        const topic = new sns.Topic(this, "AlarmNotifications", {
+        const wrapped = new SNSTopic(this, "AlarmNotifications", {
             displayName: "Fjall CloudWatch Alarm Notifications"
         });
-        this.topic = topic;
+        this.topic = wrapped.getTopic();
+        // SharedAlarmTopicArn is a well-known cross-stack export consumed via
+        // Fn.importValue (see resolveAlertsTopic + its tests). Do not delete
+        // thinking it duplicates the wrapper's AlarmNotificationsTopicArn —
+        // the wrapper's auto-output has no exportName and cannot be imported.
         this.topicArn = new CfnOutput(this, "SharedAlarmTopicArn", {
             key: "SharedAlarmTopicArn",
-            value: topic.topicArn,
+            value: wrapped.getTopicArn(),
             exportName: "SharedAlarmTopicArn"
         });
     }

package/dist/lib/config/aws/cloudTrail.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { Trail } from "../../resources/aws/logging/cloudTrail.js";
 export class ManagementEventsTrail extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        new Trail(this, "managementEventsTrail", {
+        new Trail(this, "ManagementEventsTrail", {
             bucketName: `cloudtrail-management-events-${props.accountId}-${props.region}`,
             trailName: "managementEvents",
             isMultiRegionTrail: true

package/dist/lib/config/aws/disasterRecovery.js CHANGED Viewed

@@ -2,10 +2,10 @@ import { CfnOutput, Duration, RemovalPolicy } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { BackupVault, BackupPlan } from "../../resources/aws/backup/index.js";
 import { BackupPlanRule, BackupVault as Vault } from "aws-cdk-lib/aws-backup";
-import * as events from "aws-cdk-lib/aws-events";
+import { cronSchedule } from "../../resources/aws/messaging/index.js";
 import { AccountPrincipal, Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
-import App from "../../app.js";
-import { parseOrgConfig } from "../../utils/orgConfigParser.js";
+import { getConfig } from "../../utils/getConfig.js";
+import { toPascalCase } from "../../utils/capitaliseString.js";
 // Backup retention constants (in days)
 const RETENTION_PERIODS = {
     STANDARD: 90,
@@ -34,16 +34,11 @@ export class DisasterRecovery extends Construct {
     customBackupPlans;
     constructor(scope, id, props) {
         super(scope, id);
-        // Read org config from CDK context
-        const app = App.getInstance();
-        const orgConfigRaw = app.node.tryGetContext("orgConfig");
-        const orgConfig = parseOrgConfig(typeof orgConfigRaw === "string" ? orgConfigRaw : undefined);
-        const providerAccounts = orgConfig.providerAccounts;
-        // Determine if this is a compliance account
+        const config = getConfig();
+        const providerAccounts = config.providerAccounts;
         const account = providerAccounts.find((pa) => pa.id === props.accountId);
         const isComplianceAccount = account?.environment === "compliance";
-        // Get DR configuration
-        const disasterRecoveryRegion = orgConfig.disasterRecoveryRegion;
+        const disasterRecoveryRegion = config.disasterRecoveryRegion;
         // Look up compliance account for cross-account replication
         // Skip if the compliance account (prevent self-replication)
         const disasterRecoveryAccount = isComplianceAccount
@@ -110,7 +105,7 @@ export class DisasterRecovery extends Construct {
         // Create custom backup plans if provided
         if (props.customBackupPlans && props.customBackupPlans.length > 0) {
             this.customBackupPlans = props.customBackupPlans.map((config) => {
-                return new BackupPlan(this, `CustomBackupPlan-${config.planName}`, {
+                return new BackupPlan(this, `CustomBackupPlan${toPascalCase(config.planName)}`, {
                     planName: config.planName,
                     rules: config.rules,
                     tagValue: config.tagValue,
@@ -143,7 +138,7 @@ export class DisasterRecovery extends Construct {
         return [
             new BackupPlanRule({
                 ruleName: `${planName}Daily`,
-                scheduleExpression: events.Schedule.cron({ hour: "2", minute: "0" }), // 2 AM daily
+                scheduleExpression: cronSchedule({ hour: "2", minute: "0" }), // 2 AM daily
                 deleteAfter: Duration.days(RETENTION_PERIODS.STANDARD),
                 startWindow: BACKUP_WINDOWS.START,
                 completionWindow: BACKUP_WINDOWS.COMPLETION
@@ -155,7 +150,7 @@ export class DisasterRecovery extends Construct {
         return [
             new BackupPlanRule({
                 ruleName: `${planName}Daily`,
-                scheduleExpression: events.Schedule.cron({ hour: "2", minute: "0" }), // 2 AM daily
+                scheduleExpression: cronSchedule({ hour: "2", minute: "0" }), // 2 AM daily
                 deleteAfter: Duration.days(RETENTION_PERIODS.ENTERPRISE_CONTINUOUS),
                 enableContinuousBackup: true,
                 startWindow: BACKUP_WINDOWS.START,
@@ -171,7 +166,7 @@ export class DisasterRecovery extends Construct {
             // Continuous backup (35-day max PITR window)
             new BackupPlanRule({
                 ruleName: `${planName}Continuous`,
-                scheduleExpression: events.Schedule.cron({ hour: "2", minute: "0" }), // Daily for continuous backup
+                scheduleExpression: cronSchedule({ hour: "2", minute: "0" }), // Daily for continuous backup
                 deleteAfter: Duration.days(RETENTION_PERIODS.ENTERPRISE_CONTINUOUS),
                 enableContinuousBackup: true,
                 startWindow: BACKUP_WINDOWS.START,
@@ -181,7 +176,7 @@ export class DisasterRecovery extends Construct {
             // Hourly snapshots for long-term compliance (7 years)
             new BackupPlanRule({
                 ruleName: `${planName}HourlyCompliance`,
-                scheduleExpression: events.Schedule.cron({ minute: "0" }), // Every hour
+                scheduleExpression: cronSchedule({ minute: "0" }), // Every hour
                 deleteAfter: Duration.days(RETENTION_PERIODS.ENTERPRISE_COMPLIANCE),
                 moveToColdStorageAfter: Duration.days(RETENTION_PERIODS.COLD_STORAGE_ONE_YEAR),
                 startWindow: BACKUP_WINDOWS.START,

package/dist/lib/config/aws/ecrDefaultImage.d.ts CHANGED Viewed

@@ -3,7 +3,6 @@ import { type StackProps } from "aws-cdk-lib";
 interface EcrDefaultImageProps extends StackProps {
     region: string;
     accountId: string;
-    eventBusArn: string;
 }
 export declare class EcrDefaultImage extends Construct {
     constructor(scope: Construct, id: string, props: EcrDefaultImageProps);

package/dist/lib/config/aws/ecrDefaultImage.js CHANGED Viewed

@@ -5,8 +5,7 @@ import { LogGroup } from "../../resources/aws/logging/logGroup.js";
 import { RemovalPolicy } from "aws-cdk-lib";
 import { Role } from "../../resources/aws/iam/role.js";
 import { PolicyDocument, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
-import { EventBus, EventField, Rule, RuleTargetInput } from "aws-cdk-lib/aws-events";
-import * as Targets from "aws-cdk-lib/aws-events-targets";
+import { EventBusMessaging, EventField } from "../../patterns/aws/messaging.js";
 export class EcrDefaultImage extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -86,23 +85,10 @@ export class EcrDefaultImage extends Construct {
             },
             role: ecrDefaultImageRole
         });
-        const eventInputMapping = {
-            repositoryUri: EventField.fromPath("$.detail.responseElements.repository.repositoryUri")
-        };
-        const eventInputTemplate = {
-            environmentVariablesOverride: [
-                {
-                    name: "ECR_REPOSITORY",
-                    value: eventInputMapping.repositoryUri
-                }
-            ]
-        };
-        new Rule(this, `${id}EventRule`, {
-            ruleName: "ecrCreationRule",
+        const awsServiceBus = EventBusMessaging.fromAwsServiceBus(this, `${id}EventBus`, props.region, props.accountId);
+        awsServiceBus.subscribe(`${id}EventRule`, {
             description: "Trigger the default ECR image build when a new repository is created",
-            enabled: true,
-            eventBus: EventBus.fromEventBusArn(this, `${id}EventBus`, props.eventBusArn),
-            eventPattern: {
+            pattern: {
                 source: ["aws.ecr"],
                 detailType: ["AWS API Call via CloudTrail"],
                 detail: {
@@ -110,11 +96,15 @@ export class EcrDefaultImage extends Construct {
                     eventName: ["CreateRepository"]
                 }
             },
-            targets: [
-                new Targets.CodeBuildProject(codeBuildProject.project, {
-                    event: RuleTargetInput.fromObject(eventInputTemplate)
-                })
-            ]
+            target: codeBuildProject,
+            payload: {
+                environmentVariablesOverride: [
+                    {
+                        name: "ECR_REPOSITORY",
+                        value: EventField.fromPath("$.detail.responseElements.repository.repositoryUri")
+                    }
+                ]
+            }
         });
     }
 }

package/dist/lib/config/aws/identityCenter.d.ts CHANGED Viewed

@@ -6,16 +6,23 @@ interface IdentityCenterProps extends NestedStackProps {
     tags?: KeyValue[];
 }
 export interface PermissionSetConfig {
-    Policy: string;
-    Description?: string;
+    managedPolicies: string[];
+    description?: string;
+    sessionDuration?: string;
 }
+export type CustomPermissionSets = Record<string, PermissionSetConfig>;
 export declare class IdentityCenter extends NestedStack {
     identityStoreId: string;
     identityCenterArn: string;
     private listInstancesRole;
+    private accountsConfig;
+    private customTags?;
+    private groupIds;
     constructor(scope: Construct, id: string, props: IdentityCenterProps);
+    declarePermissionSets(customs: CustomPermissionSets): void;
+    assignGroupMembers(members: Record<string, string[]>): void;
     private createListInstancesRole;
     private listIdentityCenterInstance;
-    private createPermissionSets;
+    private createPermissionSetAndAssignments;
 }
 export {};