npm - @fjall/components-infrastructure - Versions diffs - 0.96.0 → 0.99.1 - Mend

@fjall/components-infrastructure 0.96.0 → 0.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/dist/lib/config/aws/identityCenter.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResour
 import { stripAndCamelCase } from "../../utils/stripAndCamelCase.js";
 import { Group, PermissionSet, Assignment } from "../../resources/aws/iam/identityCenter/index.js";
 import { ManagedPolicy, Role } from "../../resources/aws/iam/index.js";
+import { IdentityCenterMembership } from "./identityCenterMembership.js";
 const defaultPermissionSets = {
     AdministratorAccess: {
         Policy: "arn:aws:iam::aws:policy/AdministratorAccess",
@@ -19,15 +20,64 @@ const defaultPermissionSets = {
         Description: "Permission set for associated Billing policy"
     }
 };
+// CreateAccountAssignment has a 15-outstanding-async limit. Batching at 8
+// keeps headroom for CFN's internal retries within the same backoff window.
+const ASSIGNMENT_BATCH_SIZE = 8;
 export class IdentityCenter extends NestedStack {
     identityStoreId;
     identityCenterArn;
     listInstancesRole;
+    accountsConfig;
+    customTags;
+    groupIds = {};
     constructor(scope, id, props) {
         super(scope, id, props);
+        this.accountsConfig = props.accounts;
+        this.customTags = props.tags;
         this.createListInstancesRole();
         this.listIdentityCenterInstance();
-        this.createPermissionSets(props);
+        for (const [name, config] of Object.entries(defaultPermissionSets)) {
+            this.createPermissionSetAndAssignments(name, config, {
+                managedPolicies: [config.Policy]
+            });
+        }
+    }
+    declarePermissionSets(customs) {
+        for (const [name, config] of Object.entries(customs)) {
+            if (this.groupIds[name] !== undefined) {
+                throw new Error(`Permission set "${name}" already declared (collision with default or prior declaration)`);
+            }
+            const primaryPolicy = config.managedPolicies[0];
+            if (primaryPolicy === undefined) {
+                throw new Error(`Permission set "${name}" must declare at least one managed policy.`);
+            }
+            this.createPermissionSetAndAssignments(name, {
+                Policy: primaryPolicy,
+                ...(config.description !== undefined && {
+                    Description: config.description
+                })
+            }, {
+                managedPolicies: config.managedPolicies,
+                ...(config.sessionDuration !== undefined && {
+                    sessionDuration: config.sessionDuration
+                })
+            });
+        }
+    }
+    assignGroupMembers(members) {
+        for (const [groupName, emails] of Object.entries(members)) {
+            if (emails.length === 0)
+                continue;
+            const groupId = this.groupIds[groupName];
+            if (groupId === undefined) {
+                throw new Error(`Cannot assign members to undeclared group "${groupName}". Declare via declarePermissionSets() first, or use one of the defaults: AdministratorAccess, ReadOnlyAccess, Billing.`);
+            }
+            new IdentityCenterMembership(this, `${groupName}Members`, {
+                identityStoreId: this.identityStoreId,
+                groupId,
+                groupMembers: emails
+            });
+        }
     }
     createListInstancesRole() {
         this.listInstancesRole = new Role(this, "IdentityCenterCustomResourceRole", {
@@ -49,15 +99,17 @@ export class IdentityCenter extends NestedStack {
         });
     }
     listIdentityCenterInstance() {
-        const customResource = new AwsCustomResource(this, "ListIdentityCenterInstanceResource", {
-            onCreate: {
-                service: "sso-admin",
-                action: "ListInstancesCommand",
-                parameters: {
-                    MaxResults: 1
-                },
-                physicalResourceId: customResources.PhysicalResourceId.of("listIdentityCenterInstance")
+        const listInstancesCall = {
+            service: "sso-admin",
+            action: "listInstances",
+            parameters: {
+                MaxResults: 1
             },
+            physicalResourceId: customResources.PhysicalResourceId.of("listIdentityCenterInstance")
+        };
+        const customResource = new AwsCustomResource(this, "ListIdentityCenterInstanceResource", {
+            onCreate: listInstancesCall,
+            onUpdate: listInstancesCall,
             role: this.listInstancesRole,
             resourceType: "Custom::IamIdentityCenter"
         });
@@ -74,37 +126,49 @@ export class IdentityCenter extends NestedStack {
             exportName: "identityStoreId"
         });
     }
-    createPermissionSets(props) {
-        for (const [name, config] of Object.entries(defaultPermissionSets)) {
-            const group = new Group(this, `${name}Group`, {
-                displayName: name,
-                identityStoreId: this.identityStoreId,
-                description: `Group for associated ${name} permission set`
-            });
-            const permissionSet = new PermissionSet(this, `PermissionSet${name}`, {
-                name: name,
+    createPermissionSetAndAssignments(name, config, permissionSetOverrides) {
+        const group = new Group(this, `${name}Group`, {
+            displayName: name,
+            identityStoreId: this.identityStoreId,
+            description: `Group for associated ${name} permission set`
+        });
+        this.groupIds[name] = group.getGroupId();
+        const permissionSet = new PermissionSet(this, `PermissionSet${name}`, {
+            name: name,
+            instanceArn: this.identityCenterArn,
+            ...(config.Description !== undefined && {
+                description: config.Description
+            }),
+            managedPolicies: permissionSetOverrides.managedPolicies,
+            ...(permissionSetOverrides.sessionDuration !== undefined && {
+                sessionDuration: permissionSetOverrides.sessionDuration
+            }),
+            ...(this.customTags !== undefined && { tags: this.customTags })
+        });
+        permissionSet.node.addDependency(group);
+        new CfnOutput(this, `${name}GroupId`, {
+            key: `${name}GroupId`,
+            value: group.getGroupId(),
+            exportName: `${name}GroupId`
+        });
+        const assignments = [];
+        for (const [accountName, accountId] of Object.entries(this.accountsConfig)) {
+            const assignment = new Assignment(this, `${stripAndCamelCase(accountName)}${name}Assignment`, {
                 instanceArn: this.identityCenterArn,
-                description: config.Description,
-                managedPolicies: [config.Policy],
-                tags: props.tags
-            });
-            permissionSet.node.addDependency(group);
-            new CfnOutput(this, `${name}GroupId`, {
-                key: `${name}GroupId`,
-                value: group.getGroupId(),
-                exportName: `${name}GroupId`
+                permissionSetArn: permissionSet.getPermissionSetArn(),
+                principalType: "GROUP",
+                principalId: group.getGroupId(),
+                targetType: "AWS_ACCOUNT",
+                targetId: accountId
             });
-            for (const [accountName, accountId] of Object.entries(props.accounts)) {
-                const assignment = new Assignment(this, `${stripAndCamelCase(accountName)}${name}Assignment`, {
-                    instanceArn: this.identityCenterArn,
-                    permissionSetArn: permissionSet.getPermissionSetArn(),
-                    principalType: "GROUP",
-                    principalId: group.getGroupId(),
-                    targetType: "AWS_ACCOUNT",
-                    targetId: accountId
-                });
-                assignment.node.addDependency(permissionSet);
+            assignment.node.addDependency(permissionSet);
+            if (assignments.length >= ASSIGNMENT_BATCH_SIZE) {
+                const dependency = assignments[assignments.length - ASSIGNMENT_BATCH_SIZE];
+                if (dependency !== undefined) {
+                    assignment.node.addDependency(dependency);
+                }
             }
+            assignments.push(assignment);
         }
     }
 }

package/dist/lib/config/aws/identityCenterGroupMembership.js CHANGED Viewed

@@ -74,7 +74,10 @@ export class IdentityCenterGroupMembership extends NestedStack {
                             UserId: userId
                         }
                     },
-                    physicalResourceId: customResources.PhysicalResourceId.of(`recreateGroupMembership${memberSuffix}`)
+                    physicalResourceId: customResources.PhysicalResourceId.of(`recreateGroupMembership${memberSuffix}`),
+                    // createGroupMembership throws ConflictException when the
+                    // membership already exists — keeps onUpdate idempotent.
+                    ignoreErrorCodesMatching: "ConflictException"
                 },
                 resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
             });
@@ -86,7 +89,10 @@ export class IdentityCenterGroupMembership extends NestedStack {
                     parameters: {
                         IdentityStoreId: identityStoreId,
                         MembershipId: groupMembershipId.getResponseField("MembershipId")
-                    }
+                    },
+                    // deleteGroupMembership throws ResourceNotFoundException when
+                    // the membership is already gone — keeps onDelete idempotent.
+                    ignoreErrorCodesMatching: "ResourceNotFoundException"
                 },
                 resourceType: IDENTITY_CENTER_USERS_RESOURCE_TYPE
             });

package/dist/lib/config/aws/identityCenterMembership.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { NestedStack, type NestedStackProps } from "aws-cdk-lib";
+import { type Construct } from "constructs";
+export interface IdentityCenterMembershipProps extends NestedStackProps {
+    identityStoreId: string;
+    groupId: string;
+    groupMembers: string[];
+}
+export declare function validateIdentityCenterMembershipProps(props: IdentityCenterMembershipProps): void;
+export declare class IdentityCenterMembership extends NestedStack {
+    constructor(scope: Construct, id: string, props: IdentityCenterMembershipProps);
+}

package/dist/lib/config/aws/identityCenterMembership.js ADDED Viewed

@@ -0,0 +1,61 @@
+import * as customResources from "aws-cdk-lib/custom-resources";
+import { NestedStack } from "aws-cdk-lib";
+import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResource.js";
+import { GroupMembership } from "../../resources/aws/iam/identityCenter/groupMembership.js";
+import { stripAndCamelCase } from "../../utils/stripAndCamelCase.js";
+const IDENTITY_STORE_SERVICE = "identityStore";
+export function validateIdentityCenterMembershipProps(props) {
+    if (!props.identityStoreId) {
+        throw new Error("IdentityCenterMembership requires identityStoreId from the parent IdentityCenter construct.");
+    }
+    if (!props.groupId) {
+        throw new Error("IdentityCenterMembership requires groupId from a Group construct.");
+    }
+    if (props.groupMembers.length === 0) {
+        throw new Error("IdentityCenterMembership requires at least one member email. Empty groups should be skipped at the caller.");
+    }
+    const seen = new Set();
+    for (const member of props.groupMembers) {
+        if (!member.includes("@")) {
+            throw new Error(`IdentityCenterMembership: "${member}" is not a valid email — Identity Center memberships look up users by UserName (email)`);
+        }
+        if (seen.has(member)) {
+            throw new Error(`Duplicate member "${member}" in IdentityCenterMembership groupMembers.`);
+        }
+        seen.add(member);
+    }
+}
+export class IdentityCenterMembership extends NestedStack {
+    constructor(scope, id, props) {
+        super(scope, id, props);
+        validateIdentityCenterMembershipProps(props);
+        for (const member of props.groupMembers) {
+            const [localPart] = member.split("@");
+            const suffix = stripAndCamelCase(localPart ?? member);
+            const listUsersCall = {
+                service: IDENTITY_STORE_SERVICE,
+                action: "listUsers",
+                parameters: {
+                    IdentityStoreId: props.identityStoreId,
+                    Filters: [
+                        {
+                            AttributePath: "UserName",
+                            AttributeValue: member
+                        }
+                    ]
+                },
+                physicalResourceId: customResources.PhysicalResourceId.of(`listUsers${suffix}`)
+            };
+            const userLookup = new AwsCustomResource(this, `User${suffix}`, {
+                onCreate: listUsersCall,
+                onUpdate: listUsersCall
+            });
+            const userId = userLookup.getResponseField("Users.0.UserId");
+            new GroupMembership(this, `Membership${suffix}`, {
+                identityStoreId: props.identityStoreId,
+                groupId: props.groupId,
+                userId
+            });
+        }
+    }
+}

package/dist/lib/config/aws/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 export * from "./identityCenter.js";
+export * from "./identityCenterMembership.js";
 export * from "./ipam.js";
 export * from "./ecrDefaultImage.js";
-export * from "./eventBus.js";
 export * from "./oidcConnector.js";
 export * from "./platform.js";
 export * from "./accountMonitoringRole.js";

package/dist/lib/config/aws/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 export * from "./identityCenter.js";
+export * from "./identityCenterMembership.js";
 export * from "./ipam.js";
 export * from "./ecrDefaultImage.js";
-export * from "./eventBus.js";
 export * from "./oidcConnector.js";
 export * from "./platform.js";
 export * from "./accountMonitoringRole.js";

package/dist/lib/config/aws/ipam.js CHANGED Viewed

@@ -2,13 +2,6 @@ import { CfnOutput } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { Ipam as IpamClass } from "../../resources/aws/networking/ipam.js";
 import { getConfig } from "../../utils/getConfig.js";
-function operatingRegions(regions) {
-    const operationRegionArray = [];
-    for (const region of regions) {
-        operationRegionArray.push({ regionName: region });
-    }
-    return operationRegionArray;
-}
 export class Ipam extends Construct {
     privateDefaultScopeId;
     constructor(scope, id, props) {
@@ -18,8 +11,10 @@ export class Ipam extends Construct {
         const regions = props?.regions || config.allRegions;
         // Fallback to at least the current region if no regions configured
         const operationalRegions = regions.length > 0 ? regions : [config.region];
-        const ipam = new IpamClass(this, "ipam", {
-            operatingRegions: operatingRegions(operationalRegions),
+        const ipam = new IpamClass(this, "Ipam", {
+            operatingRegions: operationalRegions.map((regionName) => ({
+                regionName
+            })),
             tags: [
                 {
                     key: "fjall:costAllocation:environment",
@@ -28,8 +23,8 @@ export class Ipam extends Construct {
             ]
         });
         this.privateDefaultScopeId = ipam.attrPrivateDefaultScopeId;
-        new CfnOutput(this, "privateDefaultScopeId", {
-            key: "privateDefaultScopeId",
+        new CfnOutput(this, "IpamPrivateDefaultScopeId", {
+            key: "IpamPrivateDefaultScopeId",
             value: ipam.attrPrivateDefaultScopeId,
             exportName: "IpamPrivateDefaultScopeId"
         });

package/dist/lib/config/aws/oidcConnector.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { CfnOutput, Duration } from "aws-cdk-lib";
 import * as iam from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
+import { Role } from "../../resources/aws/iam/role.js";
 export class OidcConnector extends Construct {
     deployRoleArn;
     constructor(scope, id, props) {
@@ -10,10 +11,13 @@ export class OidcConnector extends Construct {
         const provider = new iam.OpenIdConnectProvider(this, "OidcProvider", {
             url: issuerUrl,
             clientIds: ["sts.amazonaws.com"],
+            // Placeholder thumbprint. CDK auto-resolves at deploy time for known IdPs;
+            // STS trust is enforced via the OIDC issuer URL + `:sub` / `:aud` match.
             thumbprints: ["0000000000000000000000000000000000000000"]
         });
-        const deployRole = new iam.Role(this, "DeployRole", {
+        const deployRole = new Role(this, "DeployRole", {
             roleName: `FjallDeploy${props.fjallOrgId}`,
+            path: "/fjall/",
             maxSessionDuration: Duration.hours(1),
             assumedBy: new iam.FederatedPrincipal(provider.openIdConnectProviderArn, {
                 StringEquals: { [`${issuerDomain}:aud`]: "sts.amazonaws.com" },

package/dist/lib/config/aws/scpPreset.js CHANGED Viewed

@@ -1,7 +1,10 @@
 import { Construct } from "constructs";
 import { OrganisationPolicy } from "../../resources/aws/organisation/organisationPolicy.js";
+// Path prefix `/fjall/` is load-bearing: without it, a member-account admin
+// could bypass protect-* SCPs by creating a `FjallDeploy*` role at the
+// default path.
 const EXEMPT_ROLE_PATTERNS = [
-    "arn:aws:iam::*:role/FjallDeploy*",
+    "arn:aws:iam::*:role/fjall/FjallDeploy*",
     "arn:aws:iam::*:role/OrganizationAccountAccessRole"
 ];
 const SCP_BYTE_LIMIT = 5120;

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/lib/patterns/aws/_eslint_test_tmp/leak.js ADDED Viewed

@@ -0,0 +1,4 @@
+import { Port } from "aws-cdk-lib/aws-ec2";
+import { PrivateDnsNamespace } from "aws-cdk-lib/aws-servicediscovery";
+const _x = Port.tcp(9000);
+const _y = PrivateDnsNamespace;

package/dist/lib/patterns/aws/account.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { CfnOutput, Stack } from "aws-cdk-lib";
-import { EcrDefaultImage, DefaultEventBus, SharedAlarmTopic } from "../../config/aws/index.js";
+import { EcrDefaultImage, SharedAlarmTopic } from "../../config/aws/index.js";
 import { ManagementEventsTrail } from "../../config/aws/cloudTrail.js";
 import { OidcConnector } from "../../config/aws/oidcConnector.js";
 import { AccountMonitoringRole } from "../../config/aws/accountMonitoringRole.js";
@@ -42,7 +42,6 @@ export class Account extends Stack {
             exportName: "AccountId",
             description: "AWS Account ID for this account"
         });
-        const eventBus = new DefaultEventBus(this, "EventBus");
         new SharedAlarmTopic(this, "AlarmTopic");
         const isStandaloneAccount = this.constructor === Account;
         const ipamPoolId = this.node.tryGetContext("ipamPoolId");
@@ -71,8 +70,7 @@ export class Account extends Stack {
         });
         new EcrDefaultImage(this, "EcrDefaultImage", {
             region: this.resolvedRegion,
-            accountId: this.account,
-            eventBusArn: eventBus.defaultEventBusArn.value
+            accountId: this.account
         });
         const environment = config.environment ?? "unknown";
         if (config.disasterRecoveryRegion) {

package/dist/lib/patterns/aws/apexDomainPattern.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { DomainCertificate } from "../../resources/aws/networking/domainCertific
 import { NsRecord } from "../../resources/aws/networking/dnsRecord/index.js";
 import { composeTypedDnsRecords } from "./dnsRecordComposer.js";
 import { toPascalCase, getSafeZoneName } from "../../utils/capitaliseString.js";
+import { resolveOrgId } from "../../utils/cdkContext.js";
 /**
  * Composition for `registrar: "route53"`. Creates (or imports) the apex
  * `HostedZone`, wires child-account delegations via `NsRecord` (pointing at
@@ -21,12 +22,15 @@ import { toPascalCase, getSafeZoneName } from "../../utils/capitaliseString.js";
  */
 export function composeApexDomain(scope, props) {
     const safeZone = toPascalCase(getSafeZoneName(props.zoneName));
+    // Gotcha: the cross-account DelegationRole imports CFN export `OrganisationId`
+    // from the org/account stack — only published when an `orgId` CDK context
+    // value is set. Single-account deploys would roll back at synth without
+    // this gate.
+    const inOrganisation = resolveOrgId(scope.node) !== undefined;
     const hostedZoneConstruct = new HostedZone(scope, `${safeZone}HostedZone`, {
         zoneName: props.zoneName,
         hostedZoneId: props.hostedZoneId,
-        // Only create the delegation role on the create path; imported zones do
-        // not manage IAM themselves.
-        createDelegationRole: props.hostedZoneId === undefined,
+        createDelegationRole: props.hostedZoneId === undefined && inOrganisation,
         costAllocationEnvironment: props.costAllocationEnvironment,
         costAllocationDomain: props.zoneName
     });
@@ -52,13 +56,9 @@ export function composeApexDomain(scope, props) {
         const childZoneName = `${delegation.subdomain}.${props.zoneName}`;
         const safeChild = toPascalCase(getSafeZoneName(childZoneName));
         const childExports = getDomainExportNames(childZoneName);
-        // The child account's stack publishes the hosted-zone nameservers under a
-        // predictable output key (Phase 0 HostedZone emits `{safeZone}Nameservers`
-        // as a joined comma-separated string — we split it back at deploy time
-        // via Fn.split). The child HZ id import is declared as a cross-phase
-        // dependency — if the child stack has not deployed, CFN fails at deploy.
-        const nameserversExportName = childExports.hostedZoneId.replace(/-hosted-zone-id$/, "-nameservers");
-        const nameserversToken = Fn.importValue(nameserversExportName);
+        // Cross-phase dependency: child stack must deploy first; CFN fails here
+        // at deploy if the nameservers export does not yet exist.
+        const nameserversToken = Fn.importValue(childExports.nameservers);
         new NsRecord(scope, `${safeZone}Delegation${safeChild}${index}`, {
             zone: hostedZoneConstruct.hostedZone,
             zoneName: props.zoneName,

package/dist/lib/patterns/aws/bastionFactory.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { type IVpc } from "aws-cdk-lib/aws-ec2";
+import { Ec2Instance } from "../../resources/aws/compute/ec2.js";
+import { type AwsStack } from "../../resources/index.js";
+export interface BastionConfig {
+    instanceType?: string;
+}
+export interface BastionResult {
+    bastion: Ec2Instance;
+}
+export declare function createBastion(networkStack: AwsStack, appName: string, stackPrefix: string, vpc: IVpc, config: BastionConfig | true): BastionResult;

package/dist/lib/patterns/aws/bastionFactory.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { CfnOutput } from "aws-cdk-lib";
+import { Ec2Instance } from "../../resources/aws/compute/ec2.js";
+import { toPascalCase } from "../../utils/capitaliseString.js";
+export function createBastion(networkStack, appName, stackPrefix, vpc, config) {
+    const instanceType = typeof config === "object" && config.instanceType
+        ? config.instanceType
+        : "t4g.micro";
+    const bastionId = `${stackPrefix}Bastion`;
+    const scope = networkStack.getStack();
+    const bastion = new Ec2Instance(scope, bastionId, {
+        serviceName: `${stackPrefix}Bastion`,
+        instanceType,
+        vpc,
+        enableSSH: false,
+        minCapacity: 1,
+        maxCapacity: 1
+    });
+    networkStack.addConstruct(bastion);
+    const outputPrefix = toPascalCase(appName);
+    new CfnOutput(scope, `${outputPrefix}BastionInstanceId`, {
+        value: bastion.getAutoScalingGroup().autoScalingGroupName,
+        description: "Bastion ASG name for SSM tunnel discovery"
+    });
+    new CfnOutput(scope, `${outputPrefix}BastionSecurityGroupId`, {
+        value: bastion.asgSecurityGroup.securityGroupId,
+        description: "Bastion security group ID"
+    });
+    return { bastion };
+}

package/dist/lib/patterns/aws/buildkite.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { type StackProps, Stack } from "aws-cdk-lib";
 import { InstanceType } from "aws-cdk-lib/aws-ec2";
 import { type Construct } from "constructs";
 import { type KeyValue } from "../../types.js";
-declare enum agentRelease {
+export declare enum AgentRelease {
     STABLE = "stable",
     BETA = "beta",
     EDGE = "edge"
@@ -11,7 +11,7 @@ export interface BuildkiteProps extends StackProps {
     accountId?: string;
     elasticStackVersion: string;
     keyName: string;
-    buildkiteAgentRelease: agentRelease;
+    buildkiteAgentRelease: AgentRelease;
     buildkiteAgentTags: string;
     buildkiteAgentTimestampLines: boolean;
     buildkiteAgentExperiments: string;