@fjall/components-infrastructure 0.96.0 → 0.99.3

package/dist/lib/resources/aws/compute/ecsTaskDefinition.js

@@ -1,11 +1,11 @@
-import { AwsLogDriver, FargateTaskDefinition, Ec2TaskDefinition, NetworkMode, CpuArchitecture, OperatingSystemFamily } from "aws-cdk-lib/aws-ecs";
+import { AwsLogDriver, ContainerDependencyCondition, FargateTaskDefinition, Ec2TaskDefinition, NetworkMode, CpuArchitecture, OperatingSystemFamily } from "aws-cdk-lib/aws-ecs";
 import { Duration } from "aws-cdk-lib";
 import { Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
 import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { StringParameter } from "aws-cdk-lib/aws-ssm";
 import { resolveOrgId } from "../../../utils/cdkContext.js";
 import { validateSsmPathComponent } from "./ecsValidation.js";
-import { DEFAULT_LOG_RETENTION_DAYS } from "./ecsConstants.js";
+import { DEFAULT_LOG_RETENTION_DAYS, DEFAULT_FARGATE_CPU, DEFAULT_FARGATE_MEMORY_MIB, DEFAULT_EC2_CONTAINER_MEMORY_MIB } from "./ecsConstants.js";
 import { getContainerImage } from "./ecsImages.js";
 import { resolveRemoteConnections } from "./ecsRemoteConnections.js";
 // Re-export extracted functions so existing consumers are not broken
@@ -66,8 +66,8 @@ export function deriveSsmSecretsPath(props, serviceName, explicitPath) {
     return `/${appName}/${props.clusterName}/${serviceName}`;
 }
 export function createTaskDefinition(ctx, serviceName, serviceProps, executionRole, taskRole) {
-    const cpu = serviceProps.cpu ?? 256;
-    const memoryLimitMiB = serviceProps.memoryLimitMiB ?? 512;
+    const cpu = serviceProps.cpu ?? DEFAULT_FARGATE_CPU;
+    const memoryLimitMiB = serviceProps.memoryLimitMiB ?? DEFAULT_FARGATE_MEMORY_MIB;
     if (isServiceFargate(serviceProps)) {
         return new FargateTaskDefinition(ctx.scope, `${serviceName}TaskDefinition`, {
             family: `${ctx.props.clusterName}-${serviceName}`,
@@ -82,16 +82,62 @@ export function createTaskDefinition(ctx, serviceName, serviceProps, executionRo
         });
     }
     else {
+        const networkMode = serviceProps.networkMode ??
+            (ctx.directAccessEnabled ? NetworkMode.HOST : NetworkMode.AWS_VPC);
         return new Ec2TaskDefinition(ctx.scope, `${serviceName}TaskDefinition`, {
             family: `${ctx.props.clusterName}-${serviceName}`,
             executionRole,
             taskRole,
-            ...(ctx.directAccessEnabled && { networkMode: NetworkMode.HOST })
+            ...(networkMode !== undefined && { networkMode })
         });
     }
 }
+/**
+ * Routing point for `Ec2TaskDefinition`s used by EventBridge-triggered scheduled
+ * tasks (per `EcsClusterConfig.scheduledTasks`). Pattern-layer callers MUST
+ * reach `Ec2TaskDefinition` through this wrapper rather than instantiating the
+ * raw CDK class — a future SOC2-relevant default (encryption, retention,
+ * uniform tags) added here propagates to every scheduled-task task def at once.
+ *
+ * Compare with `createTaskDefinition()` above, which is the per-service path;
+ * this is the per-schedule path and intentionally kept narrow (no execution /
+ * task roles — scheduled tasks use task-definition defaults).
+ */
+export function createScheduledTaskDefinition(scope, id, props) {
+    return new Ec2TaskDefinition(scope, id, {
+        family: props.family,
+        ...(props.networkMode !== undefined && { networkMode: props.networkMode })
+    });
+}
+/**
+ * Routing point for `FargateTaskDefinition`s used by the lifecycle-hook
+ * migration runner when `migrations.separateTaskDef` is set. Synthesises a
+ * dedicated Fargate task definition with caller-supplied CPU/memory and the
+ * supplied execution + task roles. Runtime platform pinned to ARM64/Linux to
+ * match the service task def default.
+ */
+export function createMigrationTaskDefinition(scope, id, props) {
+    return new FargateTaskDefinition(scope, id, {
+        family: props.family,
+        cpu: props.cpu,
+        memoryLimitMiB: props.memoryLimitMiB,
+        executionRole: props.executionRole,
+        taskRole: props.taskRole,
+        runtimePlatform: {
+            cpuArchitecture: CpuArchitecture.ARM64,
+            operatingSystemFamily: OperatingSystemFamily.LINUX
+        }
+    });
+}
+const CONTAINER_DEPENDENCY_CONDITIONS = {
+    START: ContainerDependencyCondition.START,
+    COMPLETE: ContainerDependencyCondition.COMPLETE,
+    SUCCESS: ContainerDependencyCondition.SUCCESS,
+    HEALTHY: ContainerDependencyCondition.HEALTHY
+};
 export function addContainersToTask(ctx, serviceName, serviceProps, taskDefinition) {
     const containers = [];
+    const containerByName = new Map();
     let primaryContainer;
     const orgId = resolveOrgId(ctx.scope.node);
     const remoteEnvByService = resolveRemoteConnections([serviceProps], ctx.scope, orgId);
@@ -158,19 +204,69 @@ export function addContainersToTask(ctx, serviceName, serviceProps, taskDefiniti
                         : undefined
                 }
                 : undefined,
+            stopTimeout: containerConfig.stopTimeout !== undefined
+                ? Duration.seconds(containerConfig.stopTimeout)
+                : undefined,
             ...(isServiceEc2(serviceProps) && {
-                memoryLimitMiB: serviceProps.ec2Config?.memoryLimitMiB ?? 1024
+                memoryLimitMiB: serviceProps.ec2Config?.memoryLimitMiB ??
+                    DEFAULT_EC2_CONTAINER_MEMORY_MIB
             })
         });
+        if (containerConfig.port !== undefined &&
+            containerConfig.portMappings !== undefined &&
+            containerConfig.portMappings.length > 0) {
+            throw new Error(`Container '${containerConfig.name}' in service '${serviceName}': ` +
+                `"port" and "portMappings" are mutually exclusive on EcsContainerConfig — supply one or the other, not both.`);
+        }
         if (containerConfig.port) {
             container.addPortMappings({
                 containerPort: containerConfig.port
             });
         }
+        else if (containerConfig.portMappings &&
+            containerConfig.portMappings.length > 0) {
+            container.addPortMappings(...containerConfig.portMappings);
+        }
+        if (containerConfig.volumes && containerConfig.volumes.length > 0) {
+            for (const volume of containerConfig.volumes) {
+                taskDefinition.addVolume({
+                    name: volume.name,
+                    ...(volume.hostSourcePath !== undefined && {
+                        host: { sourcePath: volume.hostSourcePath }
+                    })
+                });
+                container.addMountPoints({
+                    sourceVolume: volume.name,
+                    containerPath: volume.mountPath,
+                    readOnly: volume.readOnly ?? false
+                });
+            }
+        }
         if (isFirstWithPort) {
             primaryContainer = container;
         }
         containers.push(container);
+        containerByName.set(containerConfig.name, container);
+    }
+    for (const containerConfig of serviceProps.containers) {
+        if (!containerConfig.dependsOn || containerConfig.dependsOn.length === 0) {
+            continue;
+        }
+        const dependent = containerByName.get(containerConfig.name);
+        if (!dependent)
+            continue;
+        for (const dep of containerConfig.dependsOn) {
+            const target = containerByName.get(dep.container);
+            if (!target) {
+                const available = [...containerByName.keys()].join(", ");
+                throw new Error(`Service '${serviceName}': container '${containerConfig.name}' dependsOn ` +
+                    `unknown container '${dep.container}'. Available containers: ${available}.`);
+            }
+            dependent.addContainerDependencies({
+                container: target,
+                condition: CONTAINER_DEPENDENCY_CONDITIONS[dep.condition]
+            });
+        }
     }
     return { containers, primaryContainer };
 }

package/dist/lib/resources/aws/compute/ecsTypes.d.ts

@@ -1,6 +1,9 @@
-import { type ContainerDefinition, type RepositoryImage } from "aws-cdk-lib/aws-ecs";
-import { type IVpc } from "aws-cdk-lib/aws-ec2";
+import { type ContainerDefinition, type NetworkMode, type PortMapping, type RepositoryImage } from "aws-cdk-lib/aws-ecs";
+import { type BlockDevice, type IMachineImage, type ISecurityGroup, type IVpc, type UserData } from "aws-cdk-lib/aws-ec2";
+import { type Monitoring } from "aws-cdk-lib/aws-autoscaling";
+import { type IService } from "aws-cdk-lib/aws-servicediscovery";
 import { type IManagedPolicy, type PolicyDocument } from "aws-cdk-lib/aws-iam";
+import type { DockerBuild } from "@fjall/util/manifest/schemas";
 import { type TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
 import { type GeoLocation } from "aws-cdk-lib/aws-route53";
 import { type Repository } from "aws-cdk-lib/aws-ecr";
@@ -15,6 +18,7 @@ import { type SecretImport } from "../secrets/index.js";
 import type { ManagedDomainExports } from "../../../utils/domainTypes.js";
 import type { ITopic } from "aws-cdk-lib/aws-sns";
 import type { EcsServiceAlarmThresholds } from "../monitoring/index.js";
+import { type Ec2InstancePersistentDataVolumeConfig } from "./ec2.js";
 export declare enum Protocol {
     HTTP = 0,
     HTTPS = 1
@@ -23,7 +27,8 @@ export declare enum ScalingType {
     CPU = "ECSServiceAverageCPUUtilization",
     MEMORY = "ECSServiceAverageMemoryUtilization"
 }
-export type EcsCapacityProvider = "FARGATE" | "FARGATE_SPOT" | "EC2";
+import type { EcsCapacityProvider } from "@fjall/generator";
+export type { EcsCapacityProvider };
 /**
  * EC2 capacity configuration for ECS EC2-backed clusters.
  * Only used when capacityProvider is "EC2".
@@ -47,6 +52,52 @@ export interface Ec2CapacityConfig {
         /** Return instances to the pool on scale-in instead of terminating. Default: true */
         reuseOnScaleIn?: boolean;
     };
+    /** CDK `AutoScalingGroupProps.desiredCapacity` — initial instance count. */
+    desiredCapacity?: number;
+    /**
+     * CDK `LaunchTemplateProps.machineImage`. When provided, overrides the
+     * default `EcsOptimizedImage.amazonLinux2023(amiHardwareType)`. Use for
+     * stateful workloads requiring a custom AMI.
+     */
+    machineImage?: IMachineImage;
+    /**
+     * CDK `aws-cdk-lib/aws-autoscaling.Monitoring`. Routes through the
+     * LaunchTemplate's `detailedMonitoring` field. Default: `Monitoring.BASIC`.
+     */
+    instanceMonitoring?: Monitoring;
+    /** CDK `LaunchTemplateProps.blockDevices`. Use for EBS attachments. */
+    blockDevices?: BlockDevice[];
+    /**
+     * CDK `LaunchTemplateProps.userData`. When provided, overrides the
+     * default empty `UserData.forLinux()`.
+     */
+    userData?: UserData;
+    /** CDK `LaunchTemplateProps.associatePublicIpAddress`. */
+    associatePublicIpAddress?: boolean;
+    /**
+     * Pin the ASG to a specific set of availability zones. When
+     * `persistentDataVolume` is set, MUST contain exactly one entry matching
+     * `persistentDataVolume.availabilityZone` — the standalone EBS volume is
+     * AZ-local and cannot follow a multi-AZ ASG. Merged into `vpcSubnets` at
+     * the `Ec2Instance` boundary.
+     */
+    availabilityZones?: string[];
+    /**
+     * Pairs the EC2 capacity ASG with a standalone EBS data volume that
+     * re-attaches across instance refreshes. Forwarded to `Ec2Instance` which
+     * locates and detaches the volume via TERMINATING/LAUNCHING lifecycle
+     * hooks. Implies a singleton service — do not share an ASG across
+     * services when this is set (`getEc2ConfigKey` adds a discriminator to
+     * keep them apart).
+     */
+    persistentDataVolume?: Ec2InstancePersistentDataVolumeConfig;
+    /**
+     * Tags applied to the underlying ASG with `applyToLaunchedInstances: true`
+     * so every launched EC2 instance carries the tags. Used for tag-based SSM
+     * `SendCommand` targeting (`Targets: [{ Key: "tag:<name>", Values: […] }]`).
+     * Empty-string keys or values are rejected at the resources layer.
+     */
+    tags?: Record<string, string>;
 }
 /**
  * Domain configuration for HTTPS and DNS.
@@ -69,6 +120,17 @@ export interface GeoLocationDomainConfig extends DomainBaseConfig {
     geoLocation: GeoLocation;
 }
 export type DomainConfig = DomainBaseConfig | LatencyDomainConfig | WeightedDomainConfig | GeoLocationDomainConfig;
+/**
+ * A dependency on another container in the same task definition.
+ * Maps directly to ECS `ContainerDependency`. See `ContainerDependency` in
+ * the factory layer (`computeEcsTypes.ts`) for the public-facing variant.
+ *
+ * @internal
+ */
+export interface EcsContainerDependency {
+    container: string;
+    condition: "START" | "COMPLETE" | "SUCCESS" | "HEALTHY";
+}
 /**
  * Internal configuration for a container in a multi-container ECS task.
  *
@@ -136,6 +198,32 @@ export interface EcsClusterContainerConfig {
         retries?: number;
         startPeriod?: number;
     };
+    /**
+     * Containers in the same service that must reach a given state before this
+     * container starts. Resolved at synth time against the service's container names.
+     */
+    dependsOn?: EcsContainerDependency[];
+    /**
+     * Multi-port containers (CDK `PortMapping[]`). Mutually exclusive with
+     * `port` — supplying both throws at synth (AC30).
+     */
+    portMappings?: PortMapping[];
+    /**
+     * Host-bind volumes mounted into this container. Each entry produces a
+     * matching `taskDefinition.addVolume(...)` + `container.addMountPoints(...)`
+     * pair (AC31).
+     */
+    volumes?: Array<{
+        name: string;
+        hostSourcePath?: string;
+        mountPath: string;
+        readOnly?: boolean;
+    }>;
+    /**
+     * Time (seconds) ECS waits for the container to exit gracefully after
+     * SIGTERM before sending SIGKILL. Range 1–120. Default: ECS default (30s).
+     */
+    stopTimeout?: number;
 }
 /**
  * Cluster-level configuration.
@@ -167,6 +255,12 @@ export interface EcsClusterClusterConfig {
      * Only used when domain is specified.
      */
     domainConfig?: DomainConfig;
+    /**
+     * Externally-supplied EC2 capacity security group. When provided, the ECS
+     * service factory uses this SG instead of constructing its own. Pre-resolved
+     * by the patterns layer (AC26 — `EcsClusterConfig.securityGroup`).
+     */
+    securityGroup?: ISecurityGroup;
 }
 /**
  * Routing configuration for path/host-based routing on the ALB.
@@ -206,11 +300,23 @@ export interface EcsServiceProps {
     memoryLimitMiB?: number;
     /** Desired number of tasks. Default: 2 */
     desiredCount?: number;
-    /** Scaling type (CPU or MEMORY). Omit to disable auto-scaling. */
+    /**
+     * Scaling type (CPU or MEMORY). Omit to disable auto-scaling — no
+     * `ScalableTarget` is registered, and `minCapacity`/`maxCapacity` below have
+     * no effect. The `desiredCount: 0 + minCapacity > 0` validation throw still
+     * fires regardless, so operator-intent contradictions surface at synth even
+     * when scaling is disabled.
+     */
     scalingType?: ScalingType;
-    /** Minimum number of tasks for auto-scaling. Default: 2 */
+    /**
+     * Minimum number of tasks for auto-scaling. Default: tracks `desiredCount`.
+     * Only consulted when `scalingType` is set.
+     */
     minCapacity?: number;
-    /** Maximum number of tasks for auto-scaling. Default: 10 */
+    /**
+     * Maximum number of tasks for auto-scaling. Default: `Math.max(desiredCount + 1, 3)`.
+     * Only consulted when `scalingType` is set.
+     */
     maxCapacity?: number;
     /**
      * Routing rules for this service on the cluster's ALB.
@@ -277,14 +383,11 @@ export interface EcsServiceProps {
      */
     ssmSecretsPath?: string;
     /**
-     * Docker build target stage for multi-stage Dockerfiles.
-     * When specified, appends `-<target>` to the image tag.
-     *
-     * @example
-     * // With dockerTarget: "api", image tag becomes: myservice-api-latest
-     * dockerTarget: "api"
+     * Dockerfile build configuration for this service. When `target` is set,
+     * the image tag suffix becomes `<service>-<target>-latest`.
+     * Mutually exclusive with `image` (pre-built URI).
      */
-    dockerTarget?: string;
+    docker?: DockerBuild;
     /**
      * Per-service alarm configuration.
      * - undefined: use defaults (CPU, memory, running tasks, 5xx if ALB)
@@ -292,6 +395,63 @@ export interface EcsServiceProps {
      * - object: override specific thresholds
      */
     alarms?: EcsServiceAlarmThresholds | false;
+    /**
+     * Deployment circuit breaker policy.
+     * - undefined (default): `{ enable: true, rollback: true }`
+     * - `false`: disabled entirely (no breaker)
+     * - `{ rollback: boolean }`: override rollback behaviour
+     *
+     * @see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-circuit-breaker.html
+     */
+    circuitBreaker?: false | {
+        rollback?: boolean;
+    };
+    /**
+     * Rolling-deploy capacity bounds. Overrides the default
+     * `{ minHealthyPercent: 100, maxHealthyPercent: 200 }`. Singletons backed
+     * by an EBS volume that only one task can attach to (e.g. ClickHouse) need
+     * `{ minHealthyPercent: 0, maxHealthyPercent: 100 }` so the old task
+     * detaches before the new one starts.
+     *
+     * Bounds enforced by `validateEcsClusterProps`: `minHealthyPercent` must be
+     * 0–100, `maxHealthyPercent` must be 100–200, and the two cannot both be
+     * `100` (no capacity to drain or expand — deploys would never roll forward).
+     */
+    deployment?: {
+        minHealthyPercent?: number;
+        maxHealthyPercent?: number;
+    };
+    /**
+     * Pre-registered Cloud Map service. When provided, the underlying
+     * `Ec2Service`/`FargateService` calls `associateCloudMapService(...)` after
+     * construction. The patterns layer registers the service via
+     * `app.getNamespace().registerService({ name })` and threads the resulting
+     * `IService` here — keeping the resources layer free of namespace lookup.
+     */
+    cloudMapService?: IService;
+    /**
+     * DNS record type registered against `cloudMapService`. Default: `"A"`
+     * (matches CDK's default and works under `awsvpc`). Set to `"SRV"` when
+     * the service runs under `host` or `bridge` network mode — CDK's
+     * `Ec2Service.associateCloudMapService(...)` rejects A records there and
+     * requires `containerName` + `containerPort`, derived from the primary
+     * container.
+     */
+    cloudMapDnsRecordType?: "A" | "SRV";
+    /**
+     * Override the task definition's `NetworkMode`. Default for EC2 services
+     * is `AWS_VPC` (or `HOST` when `cluster.directAccess`); set to `BRIDGE`
+     * for dynamic-port-mapping ALB integration or when ENI quota is a concern.
+     */
+    networkMode?: NetworkMode;
+    /**
+     * Pre-existing security groups to attach to the service's task ENIs (AWS_VPC
+     * mode) instead of letting CDK auto-generate a default service SG. Used by
+     * stateful consumers (e.g. `ClickHouseDatabase`) that own a wrapper SG and
+     * need `this.connections.securityGroups[0]` to be the SG actually arbitrating
+     * inbound traffic to the task. Empty/omitted → CDK auto-creates one.
+     */
+    securityGroups?: ISecurityGroup[];
 }
 /**
  * Props for creating an ECS cluster with multiple services.

package/dist/lib/resources/aws/compute/ecsValidation.d.ts

@@ -3,6 +3,15 @@ import type { EcsClusterProps } from "./ecsTypes.js";
  * Validates ECS cluster props before construction.
  * Pure function — does not depend on class state.
  *
+ * Note: `service.migrations` and `service.migrations.separateTaskDef` are
+ * intentionally validated only at the patterns layer (`validateEcsProps`
+ * in `lib/patterns/aws/computeEcs.ts`). The migrations sugar is a
+ * patterns-layer concept — it is translated into `service.containers`
+ * (init-container mode) or a separate Fargate task definition + lifecycle
+ * hook (lifecycle-hook mode) BEFORE reaching `EcsClusterProps`. Resources-
+ * layer consumers never see a `migrations` field, so duplicating the
+ * validation here would be unreachable.
+ *
  * @param props - The cluster props to validate
  * @throws Error if validation fails
  */

package/dist/lib/resources/aws/compute/ecsValidation.js

@@ -1,7 +1,17 @@
+import { NetworkMode } from "aws-cdk-lib/aws-ecs";
 /**
  * Validates ECS cluster props before construction.
  * Pure function — does not depend on class state.
  *
+ * Note: `service.migrations` and `service.migrations.separateTaskDef` are
+ * intentionally validated only at the patterns layer (`validateEcsProps`
+ * in `lib/patterns/aws/computeEcs.ts`). The migrations sugar is a
+ * patterns-layer concept — it is translated into `service.containers`
+ * (init-container mode) or a separate Fargate task definition + lifecycle
+ * hook (lifecycle-hook mode) BEFORE reaching `EcsClusterProps`. Resources-
+ * layer consumers never see a `migrations` field, so duplicating the
+ * validation here would be unreachable.
+ *
  * @param props - The cluster props to validate
  * @throws Error if validation fails
  */
@@ -47,6 +57,59 @@ export function validateEcsClusterProps(props) {
             throw new Error(`Service '${service.name}': Duplicate container names: ` +
                 `${[...new Set(duplicateContainers)].join(", ")}`);
         }
+        for (const container of service.containers) {
+            if (container.stopTimeout !== undefined) {
+                if (!Number.isInteger(container.stopTimeout) ||
+                    container.stopTimeout < 1 ||
+                    container.stopTimeout > 120) {
+                    throw new Error(`Service '${service.name}', container '${container.name ?? "(default)"}': ` +
+                        `stopTimeout must be an integer between 1 and 120 seconds (got ${container.stopTimeout}).`);
+                }
+            }
+        }
+        if (service.capacityProvider === "EC2" && !service.ec2Config) {
+            throw new Error(`Service '${service.name}' uses EC2 capacity provider but no ec2Config is defined. ` +
+                "Provide ec2Config on the service.");
+        }
+        if (service.deployment !== undefined) {
+            const min = service.deployment.minHealthyPercent;
+            const max = service.deployment.maxHealthyPercent;
+            if (min !== undefined && (min < 0 || min > 100)) {
+                throw new Error(`Service '${service.name}': deployment.minHealthyPercent must be between 0 and 100 (got ${min}).`);
+            }
+            if (max !== undefined && (max < 100 || max > 200)) {
+                throw new Error(`Service '${service.name}': deployment.maxHealthyPercent must be between 100 and 200 (got ${max}).`);
+            }
+            if (min === 100 && max === 100) {
+                throw new Error(`Service '${service.name}': deployment.minHealthyPercent and maxHealthyPercent cannot both be 100 ` +
+                    "(no capacity to drain or expand — deploys would never roll forward).");
+            }
+        }
+        if (service.cloudMapDnsRecordType !== undefined &&
+            service.cloudMapService === undefined) {
+            throw new Error(`Service '${service.name}': cloudMapDnsRecordType is set but cloudMapService is not. ` +
+                "Service discovery cannot be registered without a Cloud Map namespace.");
+        }
+        if (service.desiredCount === 0 &&
+            service.minCapacity !== undefined &&
+            service.minCapacity > 0) {
+            throw new Error(`Service '${service.name}': scaling.minCapacity (${service.minCapacity}) cannot exceed desiredCount when desiredCount is 0. ` +
+                "Application Auto Scaling would immediately scale the service back up, defeating the desiredCount: 0 toggle. " +
+                "Either set scaling.minCapacity to 0 (placeholder service) or raise desiredCount to match scaling.minCapacity.");
+        }
+        if (service.capacityProvider === "EC2" &&
+            service.securityGroups !== undefined &&
+            service.securityGroups.length > 0) {
+            const directAccessForceHost = props.cluster?.directAccess === true;
+            const effectiveMode = service.networkMode ??
+                (directAccessForceHost ? NetworkMode.HOST : NetworkMode.AWS_VPC);
+            if (effectiveMode !== NetworkMode.AWS_VPC) {
+                throw new Error(`Service '${service.name}': securityGroups is only valid with networkMode AWS_VPC ` +
+                    `(effective networkMode is '${effectiveMode}'). HOST/BRIDGE services share ` +
+                    `the EC2 instance ENI, which is governed by the cluster-level securityGroup ` +
+                    `on EcsClusterConfig.`);
+            }
+        }
     }
 }
 /**

package/dist/lib/resources/aws/compute/index.d.ts

@@ -1,3 +1,5 @@
+export * from "./blockDeviceVolume.js";
 export * from "./ec2.js";
 export * from "./ecs.js";
 export * from "./lambda.js";
+export * from "./samApplication.js";

package/dist/lib/resources/aws/compute/index.js

@@ -1,3 +1,5 @@
+export * from "./blockDeviceVolume.js";
 export * from "./ec2.js";
 export * from "./ecs.js";
 export * from "./lambda.js";
+export * from "./samApplication.js";

package/dist/lib/resources/aws/compute/lambda.d.ts

@@ -2,7 +2,7 @@ import { SingletonFunction as singletonFunction, Function, Code, type Runtime, A
 import { type Bucket } from "aws-cdk-lib/aws-s3";
 import { PolicyStatement, type IRole } from "aws-cdk-lib/aws-iam";
 import { type IVpc } from "aws-cdk-lib/aws-ec2";
-import { Rule, type EventPattern } from "aws-cdk-lib/aws-events";
+import { RetentionDays } from "aws-cdk-lib/aws-logs";
 import { type IQueue } from "aws-cdk-lib/aws-sqs";
 import { type ITable } from "aws-cdk-lib/aws-dynamodb";
 import { type Construct } from "constructs";
@@ -23,6 +23,12 @@ export interface LambdaFunctionProps {
     memorySize?: number;
     /** Ephemeral storage size in MiB */
     ephemeralStorageSize?: number;
+    /**
+     * Log retention for the auto-created LogGroup. Defaults to one week.
+     * Override for Lambdas whose logs back operational debugging beyond the
+     * default window (e.g. deployment lifecycle hooks).
+     */
+    logGroupRetention?: RetentionDays;
     inlinePolicy: PolicyStatement[];
     enableFunctionUrl?: boolean;
     functionUrlAuthType?: FunctionUrlAuthType;
@@ -30,8 +36,6 @@ export interface LambdaFunctionProps {
     /** Invoke mode for Function URL. Use RESPONSE_STREAM for Lambda streaming. */
     functionUrlInvokeMode?: InvokeMode;
     environment?: KeyValue;
-    tags?: KeyValue;
-    scheduleExpression?: string;
     secrets?: string[];
     ssmSecretsPath?: string;
     secretsImport?: Record<string, SecretImport>;
@@ -100,16 +104,6 @@ export declare class LambdaFunction extends Function {
             suffix?: string;
         }>;
     }): void;
-    /**
-     * Add an EventBridge rule as an event source for this Lambda function.
-     * This will trigger the Lambda when events matching the pattern are published.
-     * Useful for scheduled jobs, cross-service event handling, and custom event patterns.
-     */
-    addEventBridgeEventSource(ruleId: string, options: {
-        schedule?: string;
-        eventPattern?: EventPattern;
-        description?: string;
-    }): Rule;
     /**
      * Add secrets support using AWS Parameters and Secrets Lambda Extension.
      *