@fjall/components-infrastructure 0.96.0 → 0.99.3

package/dist/lib/patterns/aws/buildkite.js

@@ -1,27 +1,27 @@
-import { Duration, Stack, Tags } from "aws-cdk-lib";
+import { Stack, Tags } from "aws-cdk-lib";
 import { CompositePrincipal, ServicePrincipal, PolicyDocument, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { FjallLogger } from "../../utils/validationLogger.js";
-import { BlockDeviceVolume, InstanceClass, InstanceSize, InstanceType, LaunchTemplate, LaunchTemplateHttpTokens, MachineImage, MultipartBody, MultipartUserData, SubnetType, UserData } from "aws-cdk-lib/aws-ec2";
-import { AutoScalingGroup, GroupMetrics, SpotAllocationStrategy, TerminationPolicy, UpdatePolicy } from "aws-cdk-lib/aws-autoscaling";
-import { CfnApplication } from "aws-cdk-lib/aws-sam";
-import { PhysicalResourceId } from "aws-cdk-lib/custom-resources";
-import { BucketDeployment, Source } from "aws-cdk-lib/aws-s3-deployment";
+import { InstanceClass, InstanceSize, InstanceType, MachineImage, MultipartBody, MultipartUserData, SubnetType, UserData } from "aws-cdk-lib/aws-ec2";
+import { safeEbs } from "../../resources/aws/compute/blockDeviceVolume.js";
+import { Source } from "aws-cdk-lib/aws-s3-deployment";
 import { Vpc } from "../../resources/aws/networking/vpc.js";
 import { Policy, Role } from "../../resources/aws/iam/index.js";
-import { S3Bucket } from "../../resources/aws/storage/index.js";
+import { BucketDeployment, S3Bucket } from "../../resources/aws/storage/index.js";
 import { SecureStringParameter } from "../../resources/aws/secrets/index.js";
-import { AwsCustomResource } from "../../resources/aws/utilities/awsCustomResource.js";
-var agentRelease;
-(function (agentRelease) {
-    agentRelease["STABLE"] = "stable";
-    agentRelease["BETA"] = "beta";
-    agentRelease["EDGE"] = "edge";
-})(agentRelease || (agentRelease = {}));
+import { Ec2Instance } from "../../resources/aws/compute/ec2.js";
+import { SamApplication } from "../../resources/aws/compute/samApplication.js";
+import { applyCostAllocationTags } from "../../utils/costAllocationTags.js";
+export var AgentRelease;
+(function (AgentRelease) {
+    AgentRelease["STABLE"] = "stable";
+    AgentRelease["BETA"] = "beta";
+    AgentRelease["EDGE"] = "edge";
+})(AgentRelease || (AgentRelease = {}));
 export const BuildkiteDefaultProps = {
     // Buildkite Agent Configuration
     elasticStackVersion: "v6.30.0",
     keyName: "",
-    buildkiteAgentRelease: agentRelease.STABLE,
+    buildkiteAgentRelease: AgentRelease.STABLE,
     buildkiteAgentTags: "",
     buildkiteAgentTimestampLines: false,
     buildkiteAgentExperiments: "",
@@ -66,13 +66,13 @@ export const BuildkiteDefaultProps = {
 export class Buildkite extends Stack {
     constructor(scope, id, props) {
         super(scope, id, props);
-        // TODO: Make this immutable and enforce the tags being set
-        const tags = {
-            ...props.tags,
-            "fjall:costAllocation:environment": props.environment || "platform",
-            "fjall:costAllocation:service": "buildkite",
-            "fjall:costAllocation:owner": props.owner || "engineer" // TODO: this will have to be the platform account name?
-        };
+        applyCostAllocationTags(this, {
+            service: "buildkite",
+            domain: "platform",
+            environment: props.environment || "platform",
+            owner: props.owner ?? "engineer"
+        });
+        const tags = { ...props.tags };
         // VPC
         const vpc = new Vpc(this, `${id}Vpc`, {
             accountId: props.accountId,
@@ -85,25 +85,29 @@ export class Buildkite extends Stack {
         });
         // Artifacts Bucket
         const artifactBucket = new S3Bucket(this, `${id}ArtifactBucket`);
-        // Managed Secrets
         const managedSecretsBucket = new S3Bucket(this, `${id}ManagedSecretsBucket`);
-        if (process.env.BUILDKITE_PRIVATE_SSH_KEY) {
+        const buildkitePrivateSshKey = process.env.BUILDKITE_PRIVATE_SSH_KEY;
+        const hasBuildkitePrivateSshKey = buildkitePrivateSshKey !== undefined && buildkitePrivateSshKey !== "";
+        if (hasBuildkitePrivateSshKey) {
+            // Synth-time secret bake: Source.data() inlines the env var into the
+            // CDK asset bundle uploaded to the bootstrap S3 staging bucket. The
+            // synth host MUST hold the secret in env, and the CDK staging bucket
+            // inherits the secret's blast radius. Treat as Buildkite-only opt-in.
             new BucketDeployment(this, `${id}SshKeyDeployment`, {
-                sources: [
-                    Source.data("private_ssh_key", process.env.BUILDKITE_PRIVATE_SSH_KEY)
-                ],
+                sources: [Source.data("private_ssh_key", buildkitePrivateSshKey)],
                 destinationBucket: managedSecretsBucket
             });
         }
         else {
             FjallLogger.warn("'BUILDKITE_PRIVATE_SSH_KEY' environment variable not declared. Skipping upload of private SSH key.");
         }
-        // Encrypted Buildkite Agent Token
+        const buildkiteAgentToken = process.env.BUILDKITE_AGENT_TOKEN;
+        const hasBuildkiteAgentToken = buildkiteAgentToken !== undefined && buildkiteAgentToken !== "";
         const agentToken = new SecureStringParameter(this, `${id}AgentToken`, {
             name: `/buildkite/agentToken`,
             aliasName: `buildkiteAgentToken`,
-            value: process.env.BUILDKITE_AGENT_TOKEN,
-            overwrite: process.env.BUILDKITE_AGENT_TOKEN ? true : false,
+            value: buildkiteAgentToken,
+            overwrite: hasBuildkiteAgentToken,
             tags: tags,
             accountId: this.account,
             region: this.region
@@ -241,10 +245,11 @@ export class Buildkite extends Stack {
         installElasticStackUserData.addCommands(`BUILDKITE_STACK_NAME='${id}' \\`, `BUILDKITE_STACK_VERSION='${props.elasticStackVersion}' \\`, `BUILDKITE_SCALE_IN_IDLE_PERIOD='${props.scaleInIdlePeriod}' \\`, `BUILDKITE_SECRETS_BUCKET='${managedSecretsBucket.bucketName}' \\`, `BUILDKITE_SECRETS_BUCKET_REGION='${props.env?.region}' \\`, `BUILDKITE_AGENT_TOKEN_PATH='${agentToken.name}' \\`, `BUILDKITE_AGENTS_PER_INSTANCE='${props.agentsPerInstance}' \\`, `BUILDKITE_AGENT_TAGS='${props.buildkiteAgentTags}' \\`, `BUILDKITE_AGENT_TIMESTAMP_LINES='${props.buildkiteAgentTimestampLines}' \\`, `BUILDKITE_AGENT_EXPERIMENTS='${props.buildkiteAgentExperiments}' \\`, `BUILDKITE_AGENT_TRACING_BACKEND='${props.buildkiteAgentTracingBackend}' \\`, `BUILDKITE_AGENT_RELEASE='${props.buildkiteAgentRelease}' \\`, `BUILDKITE_AGENT_CANCEL_GRACE_PERIOD='${props.buildkiteAgentCancelGracePeriod}' \\`, `BUILDKITE_AGENT_SIGNING_KMS_KEY='${props.pipelineSigningKMSKey}' \\`, `BUILDKITE_AGENT_SIGNING_FAILURE_BEHAVIOR='${props.pipelineSigningVerificationFailureBehavior}' \\`, `BUILDKITE_QUEUE='${props.buildkiteQueue}' \\`, `BUILDKITE_AGENT_ENABLE_GIT_MIRRORS='${props.buildkiteAgentEnableGitMirrors}' \\`, `BUILDKITE_ELASTIC_BOOTSTRAP_SCRIPT='${props.bootstrapScriptUrl}' \\`, `BUILDKITE_ENV_FILE_URL='${props.agentEnvFileUrl}' \\`, `BUILDKITE_ENABLE_INSTANCE_STORAGE='${props.enableInstanceStorage}' \\`, `BUILDKITE_AUTHORIZED_USERS_URL='${props.authorizedUsersUrl}' \\`, `BUILDKITE_ECR_POLICY='${props.ecrAccessPolicy}' \\`, `BUILDKITE_TERMINATE_INSTANCE_AFTER_JOB='${props.buildkiteTerminateInstanceAfterJob}' \\`, `BUILDKITE_ADDITIONAL_SUDO_PERMISSIONS='${props.buildkiteAdditionalSudoPermissions}' \\`, `AWS_DEFAULT_REGION='${props.env?.region}' \\`, `SECRETS_PLUGIN_ENABLED='${props.enableSecretsPlugin}' \\`, `ECR_PLUGIN_ENABLED='${props.enableEcrPlugin}' \\`, `DOCKER_LOGIN_PLUGIN_ENABLED='${props.enableDockerLoginPlugin}' \\`, `DOCKER_EXPERIMENTAL='${props.enableDockerExperimental}' \\`, `DOCKER_USERNS_REMAP='${props.enableDockerUserNamespaceRemap}' \\`, `AWS_REGION='${props.env?.region}' \\`, "/usr/local/bin/bk-install-elastic-stack.sh");
         // Merge User Data
         multipartUserData.addPart(MultipartBody.fromUserData(installElasticStackUserData, "text/x-shellscript; charset='us-ascii'"));
-        // Launch Template
-        const launchTemplate = new LaunchTemplate(this, `${id}AgentLaunchTemplate`, {
-            launchTemplateName: `buildkiteLaunchTemplate`,
-            instanceType: props.agentInstanceType,
+        const ec2Instance = new Ec2Instance(this, `${id}Agent`, {
+            serviceName: `${id}Agent`,
+            vpc,
+            vpcSubnets: { subnetType: SubnetType.PUBLIC },
+            instanceType: props.agentInstanceType.toString(),
             machineImage: MachineImage.lookup({
                 name: "buildkite-stack-linux-x86_64-*",
                 owners: ["172840064832"],
@@ -257,46 +262,17 @@ export class Buildkite extends Stack {
             blockDevices: [
                 {
                     deviceName: "/dev/xvda",
-                    volume: BlockDeviceVolume.ebs(props.agentVolumeSize)
+                    volume: safeEbs(props.agentVolumeSize)
                 }
             ],
-            detailedMonitoring: true,
-            requireImdsv2: false,
-            httpPutResponseHopLimit: 2,
-            httpTokens: LaunchTemplateHttpTokens.REQUIRED,
-            instanceMetadataTags: true
-        });
-        // Functional tags for buildkite agent identification
-        Tags.of(launchTemplate).add("Role", "buildkiteAgent");
-        Tags.of(launchTemplate).add("BuildkiteAgentRelease", agentRelease.STABLE);
-        Tags.of(launchTemplate).add("BuildkiteQueue", props.buildkiteQueue);
-        // Autoscaling Group
-        const autoScalingGroup = new AutoScalingGroup(this, `${id}AgentAutoScalingGroup`, {
-            vpc: vpc,
-            mixedInstancesPolicy: {
-                launchTemplate: launchTemplate,
-                instancesDistribution: {
-                    onDemandPercentageAboveBaseCapacity: props.spotCapacityPercentage,
-                    spotAllocationStrategy: SpotAllocationStrategy.CAPACITY_OPTIMIZED
-                },
-                launchTemplateOverrides: [
-                    {
-                        instanceType: props.agentInstanceType
-                    }
-                ]
-            },
             minCapacity: props.agentMinInstances,
             maxCapacity: props.agentMaxInstances,
-            cooldown: Duration.seconds(60),
-            groupMetrics: [GroupMetrics.all()],
-            updatePolicy: UpdatePolicy.replacingUpdate(),
-            newInstancesProtectedFromScaleIn: true,
-            terminationPolicies: [
-                TerminationPolicy.OLDEST_LAUNCH_CONFIGURATION,
-                TerminationPolicy.CLOSEST_TO_NEXT_INSTANCE_HOUR
-            ],
-            ssmSessionPermissions: true
+            spotCapacityPercentage: props.spotCapacityPercentage
         });
+        Tags.of(ec2Instance).add("Role", "buildkiteAgent");
+        Tags.of(ec2Instance).add("BuildkiteAgentRelease", props.buildkiteAgentRelease);
+        Tags.of(ec2Instance).add("BuildkiteQueue", props.buildkiteQueue);
+        const autoScalingGroup = ec2Instance.getAutoScalingGroup();
         agentRole.attachInlinePolicy(new Policy(this, `${id}UpdateAutoScalingGroupPolicy`, {
             statements: [
                 new PolicyStatement({
@@ -308,33 +284,9 @@ export class Buildkite extends Stack {
                 })
             ]
         }));
-        // Buildkite Suspend Austoscaling Group Custom Resource
-        new AwsCustomResource(this, `${id}SuspendAutoscalingProcess`, {
-            onCreate: {
-                service: "AutoScaling",
-                action: "suspendProcesses",
-                parameters: {
-                    AutoScalingGroupName: autoScalingGroup.autoScalingGroupName,
-                    ScalingProcesses: ["AZRebalance"]
-                },
-                physicalResourceId: PhysicalResourceId.of("suspendAutoScalingProcessess")
-            },
-            onUpdate: {
-                service: "AutoScaling",
-                action: "suspendProcesses",
-                parameters: {
-                    AutoScalingGroupName: autoScalingGroup.autoScalingGroupName,
-                    ScalingProcesses: ["AZRebalance"]
-                },
-                physicalResourceId: PhysicalResourceId.of("suspendAutoScalingProcessess")
-            },
-            resourceType: "Custom::buildkiteSuspendAutoscaling"
-        });
-        new CfnApplication(this, `${id}AgentScaler`, {
-            location: {
-                applicationId: "arn:aws:serverlessrepo:us-east-1:172840064832:applications/buildkite-agent-scaler",
-                semanticVersion: props.buildkiteAgentScalerVersion
-            },
+        new SamApplication(this, `${id}AgentScaler`, {
+            applicationId: "arn:aws:serverlessrepo:us-east-1:172840064832:applications/buildkite-agent-scaler",
+            semanticVersion: props.buildkiteAgentScalerVersion,
             parameters: {
                 BuildkiteAgentTokenParameter: `${agentToken.name}`,
                 BuildkiteAgentTokenParameterStoreKMSKey: agentToken.cmk.key.keyId,
@@ -349,7 +301,9 @@ export class Buildkite extends Stack {
                 EventSchedulePeriod: props.scalerEventSchedulePeriod,
                 MinPollInterval: props.scalerMinPollInterval,
                 LogRetentionDays: `${props.logRetentionDays}`
-            }
+            },
+            costAllocationService: "buildkite",
+            costAllocationDomain: "buildkite-agent-scaler"
         });
     }
 }

package/dist/lib/patterns/aws/cdn.js

@@ -57,6 +57,7 @@ function validateCdnProps(props) {
  */
 export class Cdn extends CloudFrontDistribution {
     constructor(scope, id, props) {
+        validateCdnProps(props);
         const resolvedProps = Cdn.resolveProps(scope, id, props);
         super(scope, id, resolvedProps);
     }
@@ -247,7 +248,6 @@ export class CdnFactory {
      */
     static build(id, props) {
         return (_app, scope) => {
-            validateCdnProps(props);
             return new Cdn(scope, id, props);
         };
     }

package/dist/lib/patterns/aws/clickhouseDatabase.d.ts

@@ -0,0 +1,173 @@
+import { Connections, type IConnectable, type IVpc } from "aws-cdk-lib/aws-ec2";
+import { type TaskDefinition } from "aws-cdk-lib/aws-ecs";
+import { type IBucket } from "aws-cdk-lib/aws-s3";
+import { Construct } from "constructs";
+import { Secret } from "../../resources/aws/secrets/secret.js";
+import { type ClickHouseSchemaAdmin, type ProfileSpec } from "../../resources/aws/database/clickhouseSchemas.js";
+import { type IClickHouseDatabase } from "./interfaces/database.js";
+import { type ISecurityGroupConnector } from "./interfaces/connector.js";
+import { type MigrationContributions } from "./interfaces/migrationContributor.js";
+/**
+ * ClickHouse analytics database configuration properties (D8 + D12 + D16).
+ */
+export interface ClickHouseDatabaseProps {
+    type: "ClickHouse";
+    /** VPC to deploy into. Falls back to `app.getVpc()` via the factory. */
+    vpc?: IVpc;
+    /** EC2 instance type. Default: `m7g.medium` (1 vCPU sustained, 4 GiB).
+     *  CH user-data is tuned for 1 vCPU; raise per-user `max_threads` and
+     *  `max_concurrent_queries` if bumping to a >=2 vCPU host. */
+    instanceType?: string;
+    /**
+     * ECS service desired task count. Defaults to 1 (single-node, single-task
+     * by design). Override to 0 via the `clickhouseDesiredCount` CDK context
+     * (`cdk deploy -c clickhouseDesiredCount=0 …`) to deploy the cluster + ASG
+     * without scheduling a CH task — useful when bringing up a fresh stack so
+     * a failed task placement does not trigger CFN circuit-breaker rollback
+     * before the operator can inspect logs.
+     *
+     * Once the stack is stable, redeploy without the context flag (or set it
+     * back to 1) to schedule the CH task.
+     *
+     * Numeric context-value parsing handles both string ("0" via `--context`)
+     * and number (0 via `cdk.json`) shapes. */
+    desiredCount?: number;
+    /**
+     * Cold-tier configuration (D27 + D12).
+     * - omitted/undefined: cold tier ENABLED (S3 bucket provisioned).
+     * - `false`: cold tier DISABLED (single-tier hot storage on EBS only).
+     * - `{ mode: "s3" }`: cold tier ENABLED (explicit).
+     */
+    coldTier?: false | {
+        mode: "s3";
+    };
+    /** Tier 4 escape hatch (D16): bring-your-own backup bucket. */
+    backupBucket?: IBucket;
+    /** Tier 4 escape hatch (D16): bring-your-own cold-tier bucket. */
+    coldTierBucket?: IBucket;
+    /**
+     * OPTIMIZE TABLE FINAL schedule (D19). Schedule string validated by CDK
+     * `Schedule.expression(...)` at synth time. `false` disables the sidecar.
+     * Default: `OPTIMISE_FINAL_SCHEDULE` from `clickhouseConstants.ts`.
+     */
+    optimiseSchedule?: string | false;
+    /**
+     * BACKUP DATABASE TO S3 schedule (D19). Schedule string validated by CDK
+     * `Schedule.expression(...)` at synth time. `false` disables the sidecar
+     * (and skips the backup-task log group).
+     * Default: `BACKUP_SCHEDULE` from `clickhouseConstants.ts`.
+     */
+    backupSchedule?: string | false;
+    /**
+     * Backup-bucket lifecycle expiration in days for both current and noncurrent
+     * versions. Default: `BACKUP_RETENTION_DAYS` from `clickhouseConstants.ts`.
+     * Ignored when `backupBucket` is supplied (caller-owned lifecycle).
+     */
+    backupRetentionDays?: number;
+    /**
+     * Bootstrap-privileged user. Owns DDL + GRANTs, runs customer SQL
+     * migrations. Rendered into `users.d/fjall.xml` with
+     * `<access_management>1</access_management>` so it can manage GRANT /
+     * CREATE USER from SQL. `profile` MUST name a key in `profiles:` (or
+     * `ClickHouseDefaultProfiles`) and is bound directly via the XML config.
+     * Scheduled tasks (OPTIMIZE FINAL, BACKUP DATABASE) authenticate as this
+     * user — one set of credentials, one IAM grant chain.
+     */
+    schemaAdmin: ClickHouseSchemaAdmin;
+    /**
+     * Workload user names. The framework mints a Secret for each, grants the
+     * EC2 instance role read on it, and the migration helper issues
+     * `CREATE USER … IDENTIFIED WITH sha256_password …` at runtime. Profile
+     * binding and GRANTs flow via customer SQL — the framework owns identity
+     * + password material only.
+     *
+     * Names MUST be lowercase snake_case (`^[a-z][a-z0-9_]*$`), unique, and
+     * not overlap with `schemaAdmin.name`. Default: empty.
+     */
+    managedPasswords?: string[];
+    /**
+     * Per-profile resource caps. Profile keys MUST match lowercase snake_case
+     * (`^[a-z][a-z0-9_]*$`). Defaults to `ClickHouseDefaultProfiles` when
+     * omitted — four workload-class profiles
+     * (`high_throughput_ingest`, `audit_append`, `read_only`, `ddl_admin`).
+     *
+     * Throws `Error` on validation failure — unknown profile fields,
+     * non-snake_case names.
+     */
+    profiles?: Record<string, ProfileSpec>;
+}
+/**
+ * ClickHouse analytics database wrapper implementing IClickHouseDatabase.
+ *
+ * Composes `EcsCompute` directly per Phase 5e D7 — one EC2-pinned service
+ * (single-instance, AWS_VPC mode, Cloud Map registered) plus two scheduled
+ * tasks (optimise + backup). Per-role secrets, dual S3 buckets, and 10
+ * CfnOutputs are owned by `ClickHouseDatabase` itself; every taggable
+ * resource routes through its Fjall wrapper (AC45d-g).
+ */
+export declare class ClickHouseDatabase extends Construct implements IClickHouseDatabase, ISecurityGroupConnector {
+    #private;
+    readonly databaseType: "ClickHouse";
+    readonly connectorType: "relational";
+    readonly additionalTcpPorts: number[];
+    readonly id: string;
+    readonly connections: Connections;
+    constructor(scope: Construct, id: string, props: ClickHouseDatabaseProps);
+    /**
+     * Returns the Fjall `Secret` wrapper for the named user. Throws with a
+     * `Known users:` list if the name is not present in the construct's
+     * `schemaAdmin:` / `managedPasswords:` props.
+     */
+    getUser(name: string): Secret;
+    /**
+     * Non-throwing sibling of `getUser`. Returns the Fjall `Secret` wrapper for
+     * the named user, or `undefined` when no such user is declared. Used by
+     * `getMigrationContributions()` to gracefully skip credential wiring when the
+     * caller did not declare a `migrationUser:` on the database.
+     */
+    tryGetUser(name: string): Secret | undefined;
+    getHttpPort(): number;
+    getNativePort(): number;
+    getHostEndpoint(): string;
+    getHttpUrl(): string;
+    getNativeUrl(): string;
+    getDatabaseName(): string;
+    getBackupBucket(): IBucket;
+    getColdTierBucket(): IBucket | undefined;
+    grantConnect(grantee: IConnectable): void;
+    /**
+     * Migration contributions for a task connecting to this ClickHouse cluster
+     * via `service.connections:`. Contributes env (`CLICKHOUSE_URL`,
+     * `CLICKHOUSE_DATABASE`, plus the managed-user manifest under
+     * `CLICKHOUSE_MANAGED_USERS`) and egress to the cluster's HTTP port.
+     *
+     * **Schema admin.** The bootstrap-privileged user's password is imported as
+     * `SCHEMA_ADMIN_PASSWORD` so customer SQL migrations can authenticate. The
+     * schema admin is defined in `users.d/fjall.xml` (users_xml storage =
+     * read-only); its password syncs via XML reload on EC2 boot or via the
+     * Custom::AWS SYSTEM RELOAD USERS resource on stack updates — NOT via the
+     * migration helper. The admin is therefore NOT included in the manifest.
+     *
+     * **Managed-password workload users.** Every entry in `managedPasswords` is
+     * added to the manifest (name only — profile binding is customer SQL's
+     * concern) AND its `password` secret is imported as `USER_<NAME>_PASSWORD`
+     * so the migration container boots with each plaintext already in
+     * `process.env`. The helper reads the env vars directly — no runtime
+     * `secretsmanager:GetSecretValue` SDK call is needed; ECS executionRole
+     * carries the IAM grant via the standard `secretsImport` framework path.
+     */
+    getMigrationContributions(): MigrationContributions;
+    /**
+     * Wires a task definition to connect to ClickHouse as `opts.user` (if
+     * supplied). Adds `CLICKHOUSE_URL` / `CLICKHOUSE_DATABASE` env vars to the
+     * task's default container; when `opts.user` is set, also adds
+     * `CLICKHOUSE_USER` (plain env) and `CLICKHOUSE_PASSWORD` (Secrets
+     * Manager-backed env var resolved from the user's secret). Throws if the
+     * user is unknown. Callers separately call `grantConnect(service)` on the
+     * resulting ECS service for the network grant — `TaskDefinition` itself
+     * isn't `IConnectable`.
+     */
+    connectFromTask(task: TaskDefinition, opts?: {
+        user?: string;
+    }): void;
+}