@fjall/components-infrastructure 0.96.0 → 0.99.1

package/dist/lib/resources/aws/database/rdsProxyOutput.d.ts

@@ -4,4 +4,4 @@ import type { DatabaseProxy } from "aws-cdk-lib/aws-rds";
  * Add a CfnOutput for the RDS proxy endpoint.
  * Shared by RdsAurora and RdsInstance constructs.
  */
-export declare function addProxyCfnOutput(scope: Construct, constructId: string, databaseName: string | undefined, proxy: DatabaseProxy): void;
+export declare function addProxyCfnOutput(scope: Construct, constructId: string, databaseName: string, proxy: DatabaseProxy): void;

package/dist/lib/resources/aws/database/rdsProxyOutput.js

@@ -5,7 +5,7 @@ import { toPascalCase } from "../../../utils/capitaliseString.js";
  * Shared by RdsAurora and RdsInstance constructs.
  */
 export function addProxyCfnOutput(scope, constructId, databaseName, proxy) {
-    const outputName = toPascalCase(databaseName || constructId);
+    const outputName = toPascalCase(databaseName);
     new CfnOutput(scope, `${outputName}ProxyEndpointOutput`, {
         key: `${outputName}ProxyEndpoint`,
         exportName: `${outputName}ProxyEndpoint`,

package/dist/lib/resources/aws/iam/delegationRole.js

@@ -12,7 +12,7 @@ export class DelegationRole extends Construct {
     exportName;
     constructor(scope, id, props) {
         super(scope, id);
-        const firstLabel = props.zoneName.split(".")[0] ?? "default";
+        const firstLabel = props.zoneName.split(".")[0];
         const safeFirstLabel = toPascalCase(firstLabel);
         const safeZone = toPascalCase(getSafeZoneName(props.zoneName));
         this.description =

package/dist/lib/resources/aws/iam/identityCenter/groupMembership.d.ts

@@ -0,0 +1,9 @@
+import { Construct } from "constructs";
+export interface GroupMembershipProps {
+    identityStoreId: string;
+    groupId: string;
+    userId: string;
+}
+export declare class GroupMembership extends Construct {
+    constructor(scope: Construct, id: string, props: GroupMembershipProps);
+}

package/dist/lib/resources/aws/iam/identityCenter/groupMembership.js

@@ -0,0 +1,12 @@
+import { Construct } from "constructs";
+import { CfnGroupMembership } from "aws-cdk-lib/aws-identitystore";
+export class GroupMembership extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        new CfnGroupMembership(this, "Membership", {
+            identityStoreId: props.identityStoreId,
+            groupId: props.groupId,
+            memberId: { userId: props.userId }
+        });
+    }
+}

package/dist/lib/resources/aws/iam/identityCenter/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./assignment.js";
 export * from "./group.js";
+export * from "./groupMembership.js";
 export * from "./permissionSet.js";

package/dist/lib/resources/aws/iam/identityCenter/index.js

@@ -1,3 +1,4 @@
 export * from "./assignment.js";
 export * from "./group.js";
+export * from "./groupMembership.js";
 export * from "./permissionSet.js";

package/dist/lib/resources/aws/iam/identityCenter/permissionSet.d.ts

@@ -7,6 +7,7 @@ export declare class PermissionSet extends Construct {
         instanceArn: string;
         description?: string;
         managedPolicies?: string[];
+        sessionDuration?: string;
         tags?: KeyValue[];
     });
     getPermissionSetArn(): string;

package/dist/lib/resources/aws/iam/identityCenter/permissionSet.js

@@ -9,6 +9,7 @@ export class PermissionSet extends Construct {
             instanceArn: props.instanceArn,
             description: props.description,
             managedPolicies: props.managedPolicies,
+            sessionDuration: props.sessionDuration,
             tags: props.tags?.map((t) => ({ key: t.key, value: t.value }))
         });
     }

package/dist/lib/resources/aws/logging/logGroup.d.ts

@@ -1,13 +1,5 @@
-import { Stack, type StackProps } from "aws-cdk-lib";
 import * as Logs from "aws-cdk-lib/aws-logs";
 import { type Construct } from "constructs";
-interface LogGroupStackProps extends StackProps {
-    logGroupName: string;
-}
 export declare class LogGroup extends Logs.LogGroup {
     constructor(scope: Construct, id: string, props?: Logs.LogGroupProps);
 }
-export declare class LogGroupStack extends Stack {
-    constructor(scope: Construct, id: string, props: LogGroupStackProps);
-}
-export {};

package/dist/lib/resources/aws/logging/logGroup.js

@@ -1,17 +1,6 @@
-import { Stack } from "aws-cdk-lib";
 import * as Logs from "aws-cdk-lib/aws-logs";
 export class LogGroup extends Logs.LogGroup {
-    constructor(scope, id, props) {
-        super(scope, id, {
-            ...props // https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup
-        });
-    }
-}
-export class LogGroupStack extends Stack {
     constructor(scope, id, props) {
         super(scope, id, props);
-        new LogGroup(this, id, {
-            logGroupName: props.logGroupName
-        });
     }
 }

package/dist/lib/resources/aws/messaging/defaultEventBus.d.ts

@@ -0,0 +1,7 @@
+import { CfnOutput } from "aws-cdk-lib";
+import { Construct } from "constructs";
+export declare class DefaultEventBus extends Construct {
+    readonly defaultEventBusName: CfnOutput;
+    readonly defaultEventBusArn: CfnOutput;
+    constructor(scope: Construct, id: string);
+}

package/dist/lib/resources/aws/messaging/defaultEventBus.js

@@ -0,0 +1,21 @@
+import { CfnOutput } from "aws-cdk-lib";
+import { EventBus } from "aws-cdk-lib/aws-events";
+import { Construct } from "constructs";
+export class DefaultEventBus extends Construct {
+    defaultEventBusName;
+    defaultEventBusArn;
+    constructor(scope, id) {
+        super(scope, id);
+        const eventBridge = EventBus.fromEventBusName(this, "DefaultEventBus", "default");
+        this.defaultEventBusName = new CfnOutput(this, "DefaultEventBusNameOutput", {
+            key: "DefaultEventBusName",
+            value: eventBridge.eventBusName,
+            exportName: "DefaultEventBusName"
+        });
+        this.defaultEventBusArn = new CfnOutput(this, "DefaultEventBusArnOutput", {
+            key: "DefaultEventBusArn",
+            value: eventBridge.eventBusArn,
+            exportName: "DefaultEventBusArn"
+        });
+    }
+}

package/dist/lib/resources/aws/messaging/eventBridgeRule.d.ts

@@ -0,0 +1,96 @@
+import { Construct } from "constructs";
+import { Duration } from "aws-cdk-lib";
+import { type IRule, type Schedule, type EventPattern, type IEventBus } from "aws-cdk-lib/aws-events";
+import { type IRole } from "aws-cdk-lib/aws-iam";
+import type { ITopic } from "aws-cdk-lib/aws-sns";
+import { SQSQueue } from "./sqs.js";
+import { type EventBridgeTarget } from "./eventTargets.js";
+import { type ScheduleAlarmThresholds } from "../monitoring/scheduleAlarms.js";
+export type { ScheduleAlarmThresholds } from "../monitoring/scheduleAlarms.js";
+/**
+ * Retry policy applied to the rule's target. Shared between Schedule and
+ * Subscription — exported so users constructing overrides have a typed entry.
+ */
+export interface EventBridgeRetryPolicy {
+    maxEventAge?: Duration;
+    retryAttempts?: number;
+}
+/**
+ * Construction-time props for the shared EventBridgeRule base. Plumbing
+ * surface only — Schedule and Subscription wrap this with their own
+ * user-facing prop shape. Internal-only per D3 (not re-exported from
+ * the package entry).
+ */
+export interface EventBridgeRuleProps {
+    /** Mutually exclusive with `eventPattern`. */
+    schedule?: Schedule;
+    /** Mutually exclusive with `schedule`. */
+    eventPattern?: EventPattern;
+    /** Drives default retry policy and description prefix. */
+    kind: "schedule" | "subscription";
+    /** Selected target (wrapper instance). The helper resolves the underlying CDK adapter. */
+    target: EventBridgeTarget;
+    /** SQS FIFO message group id; threaded down to `resolveTarget(...)`. */
+    messageGroupId?: string;
+    description?: string;
+    /**
+     * When `{ enabled: true }` provisions a sibling DLQ; otherwise honour the
+     * supplied queue. Typed against the resource-layer `SQSQueue` so the
+     * patterns-layer `QueueMessaging` (which extends `SQSQueue`) is still
+     * accepted without crossing the layer boundary.
+     */
+    deadLetterQueue?: {
+        enabled: true;
+        queue?: SQSQueue;
+    } | {
+        enabled: false;
+    } | SQSQueue;
+    retryPolicy?: EventBridgeRetryPolicy;
+    enabled?: boolean;
+    /** Custom IAM role for the rule's target. */
+    role?: IRole;
+    /** Cross-stack scope for the rule (deliberate D18(h) exception). */
+    crossStackScope?: Construct;
+    /** Bind the rule to a specific event bus (custom buses, not default). */
+    eventBus?: IEventBus;
+    /** Optional SNS topic for D13 alarms (FailedInvocations / ThrottledRules / DLQ failure / missed-tick). */
+    alertsTopic?: ITopic;
+    /** Suppress alarms even when `alertsTopic` is supplied. */
+    alarms?: boolean;
+    /** Tunable alarm thresholds (see `ScheduleAlarmThresholds`). */
+    alarmConfig?: ScheduleAlarmThresholds;
+    /** Application id for alarm tagging. */
+    applicationId?: string;
+    /** Cadence in ticks/hour for the missed-tick alarm; only for `kind: "schedule"` with rate expressions. */
+    expectedTicksPerHour?: number;
+    /**
+     * Optional JSON payload for the target adapter (D5 — typed as
+     * `Record<string, unknown>` at the EventBridge boundary). Threaded through
+     * `resolveTarget(...)` to the SDK adapter via `RuleTargetInput.fromObject(...)`.
+     * For schedule kinds, `scheduledAt: EventField.time` is auto-injected.
+     */
+    payload?: Record<string, unknown>;
+}
+/**
+ * Build the default description for a Schedule.
+ */
+export declare function buildScheduleDescription(appName: string, id: string, scheduleExpression: string): string;
+/**
+ * Build the default description for a Subscription.
+ */
+export declare function buildSubscriptionDescription(appName: string, id: string): string;
+/**
+ * Shared base wrapper for `aws-cdk-lib/aws-events.Rule`. Owns description,
+ * DLQ provisioning, KMS-grant on CMK-encrypted DLQs, retry-policy defaults,
+ * and RuleProps pass-through. Plumbing — never user-facing. Schedule and
+ * Subscription compose this; the public re-export carve-out withholds it
+ * from the package entry per D3.
+ */
+export declare class EventBridgeRule extends Construct {
+    #private;
+    readonly id: string;
+    readonly deadLetterQueue?: SQSQueue;
+    constructor(scope: Construct, id: string, props: EventBridgeRuleProps);
+    getRule(): IRule;
+    getRuleArn(): string;
+}

package/dist/lib/resources/aws/messaging/eventBridgeRule.js

@@ -0,0 +1,110 @@
+import { Construct } from "constructs";
+import { Duration } from "aws-cdk-lib";
+import { Rule } from "aws-cdk-lib/aws-events";
+import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { SQSQueue } from "./sqs.js";
+import { resolveTarget } from "./eventTargets.js";
+import { createScheduleAlarms } from "../monitoring/scheduleAlarms.js";
+/**
+ * Build the default description for a Schedule.
+ */
+export function buildScheduleDescription(appName, id, scheduleExpression) {
+    return `Schedule ${id} for ${appName} — fires ${scheduleExpression}`;
+}
+/**
+ * Build the default description for a Subscription.
+ */
+export function buildSubscriptionDescription(appName, id) {
+    return `Subscription ${id} for ${appName}`;
+}
+/**
+ * Shared base wrapper for `aws-cdk-lib/aws-events.Rule`. Owns description,
+ * DLQ provisioning, KMS-grant on CMK-encrypted DLQs, retry-policy defaults,
+ * and RuleProps pass-through. Plumbing — never user-facing. Schedule and
+ * Subscription compose this; the public re-export carve-out withholds it
+ * from the package entry per D3.
+ */
+export class EventBridgeRule extends Construct {
+    id;
+    deadLetterQueue;
+    #rule;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.id = id;
+        const dlq = this.#resolveOrProvisionDlq(id, props.deadLetterQueue);
+        if (dlq !== undefined)
+            this.deadLetterQueue = dlq;
+        grantKmsDecryptToEventBridge(dlq);
+        const retryPolicy = resolveRetryPolicy(props.kind, props.retryPolicy);
+        const targetAdapter = resolveTarget(props.target, {
+            retryPolicy,
+            deadLetterQueue: dlq?.getQueue(),
+            messageGroupId: props.messageGroupId,
+            payload: props.payload,
+            kind: props.kind
+        });
+        this.#rule = new Rule(this, `${id}Rule`, {
+            schedule: props.schedule,
+            eventPattern: props.eventPattern,
+            description: props.description,
+            enabled: props.enabled,
+            eventBus: props.eventBus,
+            role: props.role,
+            crossStackScope: props.crossStackScope,
+            targets: [targetAdapter]
+        });
+        provisionAlarms(this, id, props, this.#rule, dlq);
+    }
+    #resolveOrProvisionDlq(id, prop) {
+        if (prop === undefined)
+            return undefined;
+        if (prop instanceof SQSQueue)
+            return prop;
+        if (prop.enabled === false)
+            return undefined;
+        if ("queue" in prop && prop.queue !== undefined)
+            return prop.queue;
+        return new SQSQueue(this, `${id}Dlq`, {
+            queueType: "standard"
+        });
+    }
+    getRule() {
+        return this.#rule;
+    }
+    getRuleArn() {
+        return this.#rule.ruleArn;
+    }
+}
+function grantKmsDecryptToEventBridge(dlq) {
+    if (dlq === undefined)
+        return;
+    const key = dlq.getQueue().encryptionMasterKey;
+    if (key === undefined)
+        return;
+    key.grant(new ServicePrincipal("events.amazonaws.com"), "kms:Decrypt", "kms:GenerateDataKey");
+}
+function resolveRetryPolicy(kind, override) {
+    if (override !== undefined)
+        return override;
+    if (kind === "schedule") {
+        return { maxEventAge: Duration.minutes(15), retryAttempts: 2 };
+    }
+    return undefined;
+}
+function provisionAlarms(scope, id, props, rule, dlq) {
+    if (props.alertsTopic === undefined)
+        return;
+    if (props.alarms === false)
+        return;
+    createScheduleAlarms({
+        scope,
+        ruleName: id,
+        rule,
+        kind: props.kind,
+        expectedTicksPerHour: props.expectedTicksPerHour,
+        config: props.alarmConfig,
+        alarmTopic: props.alertsTopic,
+        applicationId: props.applicationId,
+        dlqEnabled: dlq !== undefined
+    });
+}

package/dist/lib/resources/aws/messaging/eventTargets.d.ts

@@ -0,0 +1,84 @@
+import { type IRuleTarget } from "aws-cdk-lib/aws-events";
+import type { IQueue } from "aws-cdk-lib/aws-sqs";
+import type { IFunction } from "aws-cdk-lib/aws-lambda";
+import type { ICluster, TaskDefinition } from "aws-cdk-lib/aws-ecs";
+import { SQSQueue } from "./sqs.js";
+import { EventBridgeBus } from "./eventbridge.js";
+import { CodeBuildProject } from "../utilities/codeBuild.js";
+import type { EventBridgeRetryPolicy } from "./eventBridgeRule.js";
+interface LambdaComputeShape {
+    readonly computeType: "lambda";
+    getFunction(): IFunction | undefined;
+}
+interface EcsComputeShape {
+    getCluster(): ICluster;
+    getTaskDefinition(serviceName: string): TaskDefinition | undefined;
+}
+/**
+ * Small target-shape for ECS — callers pass the `EcsCompute` wrapper plus the
+ * service name (used to resolve the underlying task definition via the T3
+ * accessor at `ecs.ts:237`). `taskCount?` defaults to 1.
+ */
+export interface EcsScheduleTarget {
+    ecs: EcsComputeShape;
+    serviceName: string;
+    taskCount?: number;
+}
+/**
+ * Public input type for `Schedule.target`. Callers pass wrapper INSTANCES
+ * directly (D2 dispatch convention) — no discriminator key. ECS uses the
+ * small shape above so the service name can be threaded through.
+ */
+export type ScheduleTargetInput = SQSQueue | LambdaComputeShape | EcsScheduleTarget | EventBridgeBus;
+/**
+ * Public input type for `Subscription.target`. Same dispatch convention as
+ * `ScheduleTargetInput`. Subscriptions accept `CodeBuildProject` (used by
+ * `EcrDefaultImage`) but not `EventBridgeBus` — bus-to-bus replication is
+ * not a subscription shape.
+ */
+export type SubscriptionTargetInput = SQSQueue | LambdaComputeShape | EcsScheduleTarget | CodeBuildProject;
+/**
+ * Internal resolve input — the union of every shape `resolveTarget(...)` can
+ * dispatch over. `Schedule` and `Subscription` narrow this at the public
+ * boundary before passing it down.
+ */
+export type EventBridgeTarget = ScheduleTargetInput | SubscriptionTargetInput;
+/**
+ * Options applied to every target adapter (retry policy, DLQ, FIFO message
+ * group). FIFO `messageGroupId` validation lives here so it cannot disagree
+ * between Schedule and Subscription (D14, single source). `IQueueMessaging`
+ * does not expose `fifo` directly — we reach through `target` to the raw
+ * `sqs.IQueue.fifo` as a deliberate plumbing leak per D18(i).
+ */
+export interface ResolveTargetOptions {
+    retryPolicy?: EventBridgeRetryPolicy;
+    /** Already-resolved DLQ queue from the base wrapper. */
+    deadLetterQueue?: IQueue;
+    /** SQS FIFO message group id. Required for FIFO queue targets per D14. */
+    messageGroupId?: string;
+    /**
+     * Optional JSON payload for the target adapter (D5 — typed as
+     * `Record<string, unknown>` at the EventBridge boundary). Translates to
+     * `message` (SQS), `event` (Lambda / EventBus / CodeBuild), or `input`
+     * (ECS task) on the underlying adapter via `RuleTargetInput.fromObject(...)`.
+     * Values may be `EventField.*` tokens for payload-template substitution.
+     * For schedule-kind rules, `scheduledAt: EventField.time` is auto-injected
+     * unless the caller already provided a `scheduledAt` key.
+     */
+    payload?: Record<string, unknown>;
+    /**
+     * Drives schedule-only behaviour — currently the `scheduledAt: EventField.time`
+     * auto-injection on payload. Threaded down from `EventBridgeRuleProps.kind`.
+     */
+    kind?: "schedule" | "subscription";
+}
+/**
+ * Single source of truth for `aws-cdk-lib/aws-events-targets` adapter
+ * construction. Dispatches via `instanceof` against lower-layer Fjall wrapper
+ * classes (`SQSQueue`, `EventBridgeBus`, `CodeBuildProject`) and structural
+ * checks against the patterns-layer wrappers that would otherwise close an
+ * initialisation cycle. Internal helper — never exported from the package
+ * entry per D3.
+ */
+export declare function resolveTarget(target: EventBridgeTarget, options: ResolveTargetOptions): IRuleTarget;
+export {};

package/dist/lib/resources/aws/messaging/eventTargets.js

@@ -0,0 +1,152 @@
+import { EventField, RuleTargetInput } from "aws-cdk-lib/aws-events";
+import { SqsQueue as SqsTarget, LambdaFunction as LambdaTarget, EventBus as EventBusTarget, CodeBuildProject as CodeBuildTarget, EcsTask as EcsTaskTarget } from "aws-cdk-lib/aws-events-targets";
+import { SQSQueue } from "./sqs.js";
+import { EventBridgeBus } from "./eventbridge.js";
+import { CodeBuildProject } from "../utilities/codeBuild.js";
+function isEcsScheduleTarget(target) {
+    return (typeof target === "object" &&
+        target !== null &&
+        "ecs" in target &&
+        target.ecs !== null &&
+        typeof target.ecs === "object" &&
+        typeof target.ecs.getCluster === "function" &&
+        typeof target.ecs.getTaskDefinition ===
+            "function");
+}
+function isLambdaCompute(target) {
+    return (typeof target === "object" &&
+        target !== null &&
+        "computeType" in target &&
+        target.computeType === "lambda" &&
+        typeof target.getFunction === "function");
+}
+/**
+ * Build the `RuleTargetInput` that wraps the adapter-specific payload. For
+ * schedule-kind rules, auto-injects `scheduledAt: EventField.time` so consumers
+ * receive the actual EventBridge delivery timestamp without having to import
+ * `EventField` themselves. Subscriptions don't get the injection — the
+ * triggering event already carries timing, and `scheduledAt` would be
+ * misleading.
+ */
+function buildTargetInput(payload, kind) {
+    if (kind === "schedule" && !("scheduledAt" in payload)) {
+        return RuleTargetInput.fromObject({
+            ...payload,
+            scheduledAt: EventField.time
+        });
+    }
+    return RuleTargetInput.fromObject(payload);
+}
+/**
+ * Single source of truth for `aws-cdk-lib/aws-events-targets` adapter
+ * construction. Dispatches via `instanceof` against lower-layer Fjall wrapper
+ * classes (`SQSQueue`, `EventBridgeBus`, `CodeBuildProject`) and structural
+ * checks against the patterns-layer wrappers that would otherwise close an
+ * initialisation cycle. Internal helper — never exported from the package
+ * entry per D3.
+ */
+export function resolveTarget(target, options) {
+    const baseProps = {
+        retryAttempts: options.retryPolicy?.retryAttempts,
+        maxEventAge: options.retryPolicy?.maxEventAge,
+        deadLetterQueue: options.deadLetterQueue
+    };
+    const targetInput = options.payload !== undefined
+        ? buildTargetInput(options.payload, options.kind)
+        : undefined;
+    if (target instanceof SQSQueue) {
+        return resolveQueueTarget(target, options.messageGroupId, baseProps, targetInput);
+    }
+    if (target instanceof EventBridgeBus) {
+        return resolveEventBusTarget(target, options.messageGroupId, baseProps, targetInput);
+    }
+    if (target instanceof CodeBuildProject) {
+        return resolveCodeBuildTarget(target, options.messageGroupId, baseProps, targetInput);
+    }
+    if (isEcsScheduleTarget(target)) {
+        return resolveEcsTarget(target, options.messageGroupId, baseProps, targetInput);
+    }
+    if (isLambdaCompute(target)) {
+        return resolveLambdaTarget(target, options.messageGroupId, baseProps, targetInput);
+    }
+    throw new Error(`Unsupported event target: expected SQSQueue/QueueMessaging, LambdaCompute, EventBridgeBus/EventBusMessaging, CodeBuildProject, or { ecs: EcsCompute, serviceName }; received ${describeTarget(target)}`);
+}
+function resolveQueueTarget(target, messageGroupId, baseProps, targetInput) {
+    const queue = target.getQueue();
+    const isFifo = queue.fifo === true;
+    if (isFifo && messageGroupId === undefined) {
+        throw new Error("FIFO queue target requires messageGroupId; received undefined");
+    }
+    if (!isFifo && messageGroupId !== undefined) {
+        throw new Error("messageGroupId only applies to FIFO queue targets");
+    }
+    return new SqsTarget(queue, {
+        ...baseProps,
+        messageGroupId,
+        ...(targetInput !== undefined && { message: targetInput })
+    });
+}
+function resolveLambdaTarget(target, messageGroupId, baseProps, targetInput) {
+    rejectMessageGroupIdOnNonQueue("lambda", messageGroupId);
+    const fn = target.getFunction();
+    if (fn === undefined) {
+        throw new Error("LambdaCompute target has no function to wire; pass a LambdaCompute with a default function.");
+    }
+    return new LambdaTarget(fn, {
+        ...baseProps,
+        ...(targetInput !== undefined && { event: targetInput })
+    });
+}
+function resolveEcsTarget(target, messageGroupId, baseProps, targetInput) {
+    rejectMessageGroupIdOnNonQueue("ecs", messageGroupId);
+    // CDK's `EcsTask` event-target builds its own input from `containerOverrides`
+    // and silently ignores any caller-supplied `input` field on its props
+    // (`aws-cdk-lib/aws-events-targets/lib/ecs-task.js#bind` reassigns the local
+    //  `input` variable from `this.createInput(rule)` before constructing the
+    //  return value). Surface this as a clear error rather than a silent drop.
+    if (targetInput !== undefined) {
+        throw new Error("payload is not supported on ECS event targets — CDK's EcsTask adapter " +
+            "ignores arbitrary input. Use container command/environment overrides on " +
+            "the task definition instead.");
+    }
+    const cluster = target.ecs.getCluster();
+    const taskDefinition = target.ecs.getTaskDefinition(target.serviceName);
+    if (taskDefinition === undefined) {
+        throw new Error(`EcsCompute target has no service named '${target.serviceName}'`);
+    }
+    return new EcsTaskTarget({
+        ...baseProps,
+        cluster,
+        taskDefinition,
+        taskCount: target.taskCount
+    });
+}
+function resolveEventBusTarget(target, messageGroupId, baseProps, targetInput) {
+    rejectMessageGroupIdOnNonQueue("eventBus", messageGroupId);
+    return new EventBusTarget(target.getEventBus(), {
+        ...baseProps,
+        ...(targetInput !== undefined && { event: targetInput })
+    });
+}
+function resolveCodeBuildTarget(target, messageGroupId, baseProps, targetInput) {
+    rejectMessageGroupIdOnNonQueue("codeBuild", messageGroupId);
+    return new CodeBuildTarget(target.project, {
+        ...baseProps,
+        ...(targetInput !== undefined && { event: targetInput })
+    });
+}
+function rejectMessageGroupIdOnNonQueue(kind, messageGroupId) {
+    if (messageGroupId !== undefined) {
+        throw new Error(`messageGroupId only applies to FIFO queue targets; received on '${kind}' target`);
+    }
+}
+function describeTarget(target) {
+    if (target === null || target === undefined)
+        return String(target);
+    if (typeof target === "object") {
+        const ctor = target.constructor
+            ?.name;
+        return ctor ?? "object";
+    }
+    return typeof target;
+}

package/dist/lib/resources/aws/messaging/eventbridge.d.ts

@@ -1,13 +1,36 @@
 import { Construct } from "constructs";
 import { type IEventBus } from "aws-cdk-lib/aws-events";
 import { type IGrantable, type Grant } from "aws-cdk-lib/aws-iam";
+import { type RemovalPolicyString } from "./utils.js";
 export interface EventBridgeBusProps {
     eventBusName?: string;
-    removalPolicy?: "DESTROY" | "RETAIN";
+    /**
+     * App name used to build the default description when `description` is not
+     * supplied. Injected by `App.getEventBus()` (T7) — the wrapper does not
+     * derive this from `Stack.of(this).stackName` because stack names like
+     * `WebAppMessaging` don't match the app identity.
+     */
+    appName?: string;
+    /** Override the default description ("EventBus <appName> — Fjall app event bus"). */
+    description?: string;
+    /**
+     * Removal policy. Default resolves via the `env()` helper (production →
+     * RETAIN; non-prod → DESTROY) — D17 explicitly rejects `process.env.NODE_ENV`
+     * because it is not set during CDK synth in Fjall's deployment paths.
+     * Buses are recreatable in non-prod; production keeps history.
+     */
+    removalPolicy?: RemovalPolicyString;
+    /**
+     * Internal: when set, the wrapper holds the supplied imported bus as the
+     * underlying handle and does NOT create a new `AWS::Events::EventBus`
+     * resource. Bus-level mutations (description, removalPolicy, CfnOutputs)
+     * are skipped. Used by `EventBusMessaging.fromEventBusArn(...)` per D19.
+     */
+    importedBus?: IEventBus;
 }
 export declare class EventBridgeBus extends Construct {
+    #private;
     readonly id: string;
-    private eventBus;
     constructor(scope: Construct, id: string, props: EventBridgeBusProps);
     /**
      * Get the event bus ARN.