@fjall/components-infrastructure 1.1.0 → 2.2.0

package/dist/lib/lambda-assets/cert-generator/asset/index.js

@@ -3436,7 +3436,7 @@ ${values.join("\n")}` : `${blockName} :`;
     };
     LocalBooleanValueBlock.NAME = "BooleanValueBlock";
     var _a$s;
-    var Boolean = class extends BaseBlock {
+    var Boolean2 = class extends BaseBlock {
       getValue() {
         return this.valueBlock.value;
       }
@@ -3452,11 +3452,11 @@ ${values.join("\n")}` : `${blockName} :`;
         return `${this.constructor.NAME} : ${this.getValue}`;
       }
     };
-    _a$s = Boolean;
+    _a$s = Boolean2;
     (() => {
       typeStore.Boolean = _a$s;
     })();
-    Boolean.NAME = "BOOLEAN";
+    Boolean2.NAME = "BOOLEAN";
     var LocalOctetStringValueBlock = class extends HexBlock(LocalConstructedValueBlock) {
       constructor({ isConstructed = false, ...parameters } = {}) {
         super(parameters);
@@ -5420,7 +5420,7 @@ ${values.join("\n")}` : `${blockName} :`;
     exports2.BaseStringBlock = BaseStringBlock;
     exports2.BitString = BitString;
     exports2.BmpString = BmpString;
-    exports2.Boolean = Boolean;
+    exports2.Boolean = Boolean2;
     exports2.CharacterString = CharacterString;
     exports2.Choice = Choice;
     exports2.Constructed = Constructed;
@@ -17814,7 +17814,8 @@ var { webcrypto: crypto2, createHash } = require("node:crypto");
 var x509 = require_x509_cjs();
 var {
   SecretsManagerClient,
-  PutSecretValueCommand
+  PutSecretValueCommand,
+  DeleteSecretCommand
 } = require("@aws-sdk/client-secrets-manager");
 x509.cryptoProvider.set(crypto2);
 var ECDSA_P256 = Object.freeze({
@@ -17898,6 +17899,27 @@ ${body}
 }
 exports.handler = async (event) => {
   if (event.RequestType === "Delete") {
+    const props2 = event.ResourceProperties || {};
+    const arns = [props2.caSecretArn, props2.serverSecretArn].filter(Boolean);
+    if (arns.length > 0) {
+      const sm2 = new SecretsManagerClient({});
+      for (const SecretId of arns) {
+        try {
+          await sm2.send(
+            new DeleteSecretCommand({
+              SecretId,
+              ForceDeleteWithoutRecovery: true
+            })
+          );
+        } catch (err) {
+          console.warn("TlsCertGenerator: force-DeleteSecret failed", {
+            SecretId,
+            name: err && err.name,
+            message: err && err.message
+          });
+        }
+      }
+    }
     return { PhysicalResourceId: event.PhysicalResourceId || "tls-cert" };
   }
   const props = event.ResourceProperties || {};

package/dist/lib/patterns/aws/clickhouseDatabase.d.ts

@@ -2,7 +2,7 @@ import { Connections, type IConnectable, type IVpc } from "aws-cdk-lib/aws-ec2";
 import { type TaskDefinition } from "aws-cdk-lib/aws-ecs";
 import { type IBucket } from "aws-cdk-lib/aws-s3";
 import { Construct } from "constructs";
-import { Secret } from "../../resources/aws/secrets/secret.js";
+import { Secret, type SecretImport } from "../../resources/aws/secrets/secret.js";
 import { type ClickHouseSchemaAdmin, type ProfileSpec } from "../../resources/aws/database/clickhouseSchemas.js";
 import { type ISecret } from "aws-cdk-lib/aws-secretsmanager";
 import type { ClickHouseTlsOptions } from "./clickhouseTls/index.js";
@@ -174,8 +174,14 @@ export declare class ClickHouseDatabase extends Construct implements IClickHouse
      * Port matches: HTTPS (8443) under TLS, HTTP (8123) otherwise.
      */
     getUrl(): string;
-    /** @deprecated Alias for {@link getUrl}. Removed in a follow-up landing. */
-    getHttpUrl(): string;
+    /**
+     * SecretImport for the CA certificate secret, or `undefined` when TLS is
+     * disabled (`tls: { mode: "none", … }`). Consumers wire this into their
+     * `secretsImport:` block under `CLICKHOUSE_CA_CERT` so `@fjall/clickhouse`
+     * `createFjallClickHouseClient()` picks it up from `process.env`. The secret
+     * holds raw PEM (no JSON field) so `field` is `undefined`.
+     */
+    getTlsCaCertImport(): SecretImport | undefined;
     getNativeUrl(): string;
     getDatabaseName(): string;
     getBackupBucket(): IBucket;
@@ -205,6 +211,10 @@ export declare class ClickHouseDatabase extends Construct implements IClickHouse
      * carries the IAM grant via the standard `secretsImport` framework path.
      */
     getMigrationContributions(): MigrationContributions;
+    getSchemaGateContribution(): {
+        readonly environment: Record<string, string>;
+        readonly secretsImport: Record<string, SecretImport>;
+    } | undefined;
     /**
      * Wires a task definition to connect to ClickHouse as `opts.user` (if
      * supplied). Adds `CLICKHOUSE_URL` / `CLICKHOUSE_DATABASE` env vars to the

package/dist/lib/patterns/aws/clickhouseDatabase.js

@@ -1,4 +1,4 @@
-import { CLICKHOUSE_MANAGED_USERS_ENV, pickLatestClickHouseMigration } from "@fjall/util/migration";
+import { CLICKHOUSE_MANAGED_USERS_ENV, pickLatestClickHouseMigration, SCHEMA_ADMIN_PASSWORD_ENV, SCHEMA_ADMIN_USER_ENV } from "@fjall/util/migration";
 import { Annotations, CfnOutput, Duration, Fn, Stack } from "aws-cdk-lib";
 import { Connections, Port, UserData } from "aws-cdk-lib/aws-ec2";
 import { Monitoring } from "aws-cdk-lib/aws-autoscaling";
@@ -262,12 +262,13 @@ export class ClickHouseDatabase extends Construct {
                     region: Stack.of(this).region
                 }
             }),
-            tlsActive,
             ...(tlsActive &&
                 tlsCaSecret !== undefined &&
                 tlsServerSecret !== undefined && {
-                caSecretArn: tlsCaSecret.secretArn,
-                serverSecretArn: tlsServerSecret.secretArn
+                tls: {
+                    caSecretArn: tlsCaSecret.secretArn,
+                    serverSecretArn: tlsServerSecret.secretArn
+                }
             })
         }));
         // Source.data wraps the content in a zip; the default `extract: true`
@@ -294,6 +295,15 @@ export class ClickHouseDatabase extends Construct {
             ...OPTIMISE_MV_TABLES.map((table) => `OPTIMIZE TABLE ${CLICKHOUSE_DATABASE_NAME}.${table}`)
         ].join("; ");
         const adminSecret = expectDefined(userSecrets.get(schemaAdmin.name), `schemaAdmin '${schemaAdmin.name}' secret not minted.`);
+        const sidecarTlsPreamble = tlsActive
+            ? `set -eu && printf '%s\\n' "$CLICKHOUSE_CA_CERT" > /tmp/ca.crt && printf '%s' '<?xml version="1.0"?><config><openSSL><client><caConfig>/tmp/ca.crt</caConfig><verificationMode>strict</verificationMode><loadDefaultCAFile>false</loadDefaultCAFile><invalidCertificateHandler><name>RejectCertificateHandler</name></invalidCertificateHandler></client></openSSL></config>' > /tmp/clickhouse-client.xml && `
+            : "";
+        const sidecarTlsClientArgs = tlsActive
+            ? " --config-file=/tmp/clickhouse-client.xml --secure"
+            : "";
+        const sidecarTlsSecrets = tlsActive && tlsCaSecret !== undefined
+            ? { CLICKHOUSE_CA_CERT: EcsSecret.fromSecretsManager(tlsCaSecret) }
+            : {};
         const scheduledTasks = [];
         if (optimiseEnabled) {
             scheduledTasks.push({
@@ -303,19 +313,13 @@ export class ClickHouseDatabase extends Construct {
                 cpu: OPTIMISE_TASK_CPU_UNITS,
                 memoryLimitMiB: OPTIMISE_TASK_MEMORY_MIB,
                 command: [
-                    "clickhouse-client",
-                    "--host",
-                    clickHouseHost,
-                    "--port",
-                    String(nativePort),
-                    "--user",
-                    schemaAdmin.name,
-                    ...(tlsActive ? ["--secure", "--accept-invalid-certificate"] : []),
-                    "--query",
-                    `${optimiseQuery};`
+                    "sh",
+                    "-c",
+                    `${sidecarTlsPreamble}clickhouse-client --host ${clickHouseHost} --port ${nativePort} --user ${schemaAdmin.name}${sidecarTlsClientArgs} --query "${optimiseQuery};"`
                 ],
                 secrets: {
-                    CLICKHOUSE_PASSWORD: EcsSecret.fromSecretsManager(adminSecret.secret, "password")
+                    CLICKHOUSE_PASSWORD: EcsSecret.fromSecretsManager(adminSecret.secret, "password"),
+                    ...sidecarTlsSecrets
                 },
                 logRetention: RetentionDays.ONE_WEEK,
                 securityGroups: [securityGroup]
@@ -332,10 +336,11 @@ export class ClickHouseDatabase extends Construct {
                     "sh",
                     "-c",
                     // Password via CLICKHOUSE_PASSWORD env, not --password on argv (argv → /proc/<pid>/cmdline).
-                    `STAMP=$(date +%Y%m%d-%H%M%S) && clickhouse-client --host ${clickHouseHost} --port ${nativePort} --user ${schemaAdmin.name}${tlsActive ? " --secure --accept-invalid-certificate" : ""} --query "BACKUP DATABASE ${CLICKHOUSE_DATABASE_NAME} TO S3('${backupDestUrl}weekly-$STAMP/')"`
+                    `${sidecarTlsPreamble}STAMP=$(date +%Y%m%d-%H%M%S) && clickhouse-client --host ${clickHouseHost} --port ${nativePort} --user ${schemaAdmin.name}${sidecarTlsClientArgs} --query "BACKUP DATABASE ${CLICKHOUSE_DATABASE_NAME} TO S3('${backupDestUrl}weekly-$STAMP/')"`
                 ],
                 secrets: {
-                    CLICKHOUSE_PASSWORD: EcsSecret.fromSecretsManager(adminSecret.secret, "password")
+                    CLICKHOUSE_PASSWORD: EcsSecret.fromSecretsManager(adminSecret.secret, "password"),
+                    ...sidecarTlsSecrets
                 },
                 logGroup: backupTaskLogGroup,
                 securityGroups: [securityGroup]
@@ -445,7 +450,7 @@ export class ClickHouseDatabase extends Construct {
                                 command: [
                                     "CMD-SHELL",
                                     tlsActive
-                                        ? `wget -q --no-check-certificate -O /dev/null https://127.0.0.1:${httpPort}/ping || exit 1`
+                                        ? `wget -q --ca-certificate=${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/ca.crt -O /dev/null https://127.0.0.1:${httpPort}/ping || exit 1`
                                         : `wget -q -O /dev/null http://127.0.0.1:${httpPort}/ping || exit 1`
                                 ],
                                 interval: CLICKHOUSE_HEALTH_CHECK.INTERVAL_SECONDS,
@@ -489,7 +494,7 @@ export class ClickHouseDatabase extends Construct {
             `ADMIN_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "${adminSecretName}" --query SecretString --output text | jq -r .password)`,
             `if [ -z "$ADMIN_PASSWORD" ] || [ "$ADMIN_PASSWORD" = "null" ]; then echo "fjall:reload:status=failed reason=password-fetch" >&2; exit 1; fi`,
             `mv /var/lib/clickhouse/users.d/fjall.xml.new /var/lib/clickhouse/users.d/fjall.xml`,
-            `docker exec -i -e CLICKHOUSE_CLIENT_PASSWORD="$ADMIN_PASSWORD" "$CONTAINER" clickhouse-client${tlsActive ? " --secure --accept-invalid-certificate" : ""} --port ${nativePort} --user ${schemaAdmin.name} -q "SYSTEM RELOAD USERS"`
+            `docker exec -i -e CLICKHOUSE_CLIENT_PASSWORD="$ADMIN_PASSWORD" "$CONTAINER" clickhouse-client${tlsActive ? ` --config-file=${CLICKHOUSE_TLS_CERT_MOUNT_PATH}/client.xml --secure --host localhost` : ""} --port ${nativePort} --user ${schemaAdmin.name} -q "SYSTEM RELOAD USERS"`
         ].join("\n");
         const region = Stack.of(this).region;
         const account = Stack.of(this).account;
@@ -605,9 +610,21 @@ export class ClickHouseDatabase extends Construct {
         const scheme = this.tlsCaSecret !== undefined ? "https" : "http";
         return `${scheme}://${this.getHostEndpoint()}:${this.#httpPort}`;
     }
-    /** @deprecated Alias for {@link getUrl}. Removed in a follow-up landing. */
-    getHttpUrl() {
-        return this.getUrl();
+    /**
+     * SecretImport for the CA certificate secret, or `undefined` when TLS is
+     * disabled (`tls: { mode: "none", … }`). Consumers wire this into their
+     * `secretsImport:` block under `CLICKHOUSE_CA_CERT` so `@fjall/clickhouse`
+     * `createFjallClickHouseClient()` picks it up from `process.env`. The secret
+     * holds raw PEM (no JSON field) so `field` is `undefined`.
+     */
+    getTlsCaCertImport() {
+        if (this.tlsCaSecret === undefined)
+            return undefined;
+        return {
+            id: `${this.node.id}TlsCaCertImport`,
+            name: this.tlsCaSecret.secretName,
+            field: undefined
+        };
     }
     getNativeUrl() {
         return `tcp://${this.getHostEndpoint()}:${this.#nativePort}`;
@@ -637,7 +654,7 @@ export class ClickHouseDatabase extends Construct {
     }
     grantConnect(grantee) {
         this.connections.allowDefaultPortFrom(grantee);
-        this.connections.allowFrom(grantee, Port.tcp(CLICKHOUSE_NATIVE_PORT));
+        this.connections.allowFrom(grantee, Port.tcp(this.#nativePort));
     }
     /**
      * Migration contributions for a task connecting to this ClickHouse cluster
@@ -662,12 +679,21 @@ export class ClickHouseDatabase extends Construct {
      */
     getMigrationContributions() {
         const environment = {
-            CLICKHOUSE_URL: this.getHttpUrl(),
-            CLICKHOUSE_DATABASE: this.getDatabaseName()
+            CLICKHOUSE_URL: this.getUrl(),
+            CLICKHOUSE_DATABASE: this.getDatabaseName(),
+            [SCHEMA_ADMIN_USER_ENV]: this.#schemaAdmin.name
         };
         const secretsImport = {};
         const adminSecret = this.getUser(this.#schemaAdmin.name);
-        secretsImport.SCHEMA_ADMIN_PASSWORD = adminSecret.getImport("password");
+        secretsImport[SCHEMA_ADMIN_PASSWORD_ENV] =
+            adminSecret.getImport("password");
+        const caCertImport = this.getTlsCaCertImport();
+        if (caCertImport !== undefined) {
+            secretsImport.CLICKHOUSE_CA_CERT = caCertImport;
+        }
+        if (this.caCertSha256 !== undefined) {
+            environment.CLICKHOUSE_CA_CERT_SHA256 = this.caCertSha256;
+        }
         for (const name of this.#managedPasswordNames) {
             const userSecret = this.getUser(name);
             secretsImport[userPasswordEnvName(name)] =
@@ -692,6 +718,19 @@ export class ClickHouseDatabase extends Construct {
         }
         return { environment, secretsImport, egress };
     }
+    getSchemaGateContribution() {
+        if (this.#migrationsConfig === undefined)
+            return undefined;
+        const adminSecret = this.getUser(this.#schemaAdmin.name);
+        return {
+            environment: {
+                [SCHEMA_ADMIN_USER_ENV]: this.#schemaAdmin.name
+            },
+            secretsImport: {
+                [SCHEMA_ADMIN_PASSWORD_ENV]: adminSecret.getImport("password")
+            }
+        };
+    }
     /**
      * Wires a task definition to connect to ClickHouse as `opts.user` (if
      * supplied). Adds `CLICKHOUSE_URL` / `CLICKHOUSE_DATABASE` env vars to the
@@ -707,7 +746,7 @@ export class ClickHouseDatabase extends Construct {
         if (container === undefined) {
             throw new Error("ClickHouseDatabase.connectFromTask: task has no default container");
         }
-        container.addEnvironment("CLICKHOUSE_URL", this.getHttpUrl());
+        container.addEnvironment("CLICKHOUSE_URL", this.getUrl());
         container.addEnvironment("CLICKHOUSE_DATABASE", CLICKHOUSE_DATABASE_NAME);
         if (opts?.user !== undefined) {
             const userSecret = this.getUser(opts.user);

package/dist/lib/patterns/aws/clickhouseTls/types.d.ts

@@ -35,6 +35,14 @@ export interface ClickHouseNoTls {
     readonly acknowledgement: "I understand plaintext-only ClickHouse fails SOC2 DP5";
 }
 export type ClickHouseTlsOptions = ClickHouseSelfSignedTls | ClickHouseImportedTls | ClickHouseNoTls;
+/**
+ * Canonical fixture for the plaintext-only escape hatch. Spelling the
+ * acknowledgement literal once and importing it everywhere prevents drift
+ * between the type definition and consumers. Pass via `tls:` to opt out of
+ * TLS-by-default; the construct still requires the explicit acknowledgement
+ * for the same reason the type does — silent plaintext is the SOC2 trap.
+ */
+export declare const CLICKHOUSE_TLS_NONE: ClickHouseNoTls;
 /**
  * The resolved TLS surface a `ClickHouseDatabase` carries after dispatch.
  * Every field is `undefined` in `mode: "none"`. `certGeneratorFunction`

package/dist/lib/patterns/aws/clickhouseTls/types.js

@@ -1 +1,11 @@
-export {};
+/**
+ * Canonical fixture for the plaintext-only escape hatch. Spelling the
+ * acknowledgement literal once and importing it everywhere prevents drift
+ * between the type definition and consumers. Pass via `tls:` to opt out of
+ * TLS-by-default; the construct still requires the explicit acknowledgement
+ * for the same reason the type does — silent plaintext is the SOC2 trap.
+ */
+export const CLICKHOUSE_TLS_NONE = {
+    mode: "none",
+    acknowledgement: "I understand plaintext-only ClickHouse fails SOC2 DP5"
+};

package/dist/lib/patterns/aws/computeEcs.d.ts

@@ -4,6 +4,7 @@ import { type IGrantable, type IRole, Grant } from "aws-cdk-lib/aws-iam";
 import { type IApplicationLoadBalancer, type ApplicationListener } from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import { Construct } from "constructs";
 import { type IEcsCompute } from "./interfaces/compute.js";
+import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import EcsCluster, { type EcsClusterProps } from "../../resources/aws/compute/ecs.js";
 export { ScalingType } from "./computeEcsTypes.js";
 export type { EcsCapacityProvider, Ec2CapacityConfig, RemoteConnectionSpec, EcsCapacityProviderConfig, EcsContainerConfig, ContainerDependency, ContainerVolume, EcsScheduledTaskConfig, EcsLifecycleHookMigrationsConfig, EcsPostDeployMigrationsConfig, EcsHookMigrationsConfig, EcsMigrationsConfig, EcsMigrationsMode, EcsCircuitBreakerConfig, EcsScalingConfig, EcsClusterConfig, EcsRoutingConfig, EcsServiceConfig, EcsComputeProps } from "./computeEcsTypes.js";
@@ -48,7 +49,10 @@ export declare function expandMigrationsSugar(service: EcsServiceConfig, userCon
  *                      themselves and the resolved value differs.
  * @internal Exported for testing only
  */
-export declare function buildContainerConfigs(service: EcsServiceConfig, schemaVersionEnv?: Record<string, string>, annotationsScope?: Construct, chSchemaVersionEnv?: Record<string, string>): EcsClusterProps["services"][number]["containers"];
+export declare function buildContainerConfigs(service: EcsServiceConfig, schemaVersionEnv?: Record<string, string>, annotationsScope?: Construct, chGate?: {
+    environment: Record<string, string>;
+    secretsImport: Record<string, SecretImport>;
+}): EcsClusterProps["services"][number]["containers"];
 /**
  * Resolved scaling configuration for an ECS service.
  * @internal Exported for testing only
@@ -94,13 +98,17 @@ export declare class EcsCompute extends Construct implements IEcsCompute {
     private resolveSchemaVersionEnv;
     /**
      * ClickHouse mirror of `resolveSchemaVersionEnv`. Returns the
-     * `EXPECTED_CH_SCHEMA_VERSION` env entry, or `undefined` when the service is
-     * not gated.
+     * `EXPECTED_CH_SCHEMA_VERSION` env entry alongside the schema-admin
+     * credentials the boot gate needs to authenticate against
+     * `_schema_migrations`, or `undefined` when the service is not gated.
      *
      * - `schemaGate: false` → returns `undefined` (auditable opt-out — same flag
      *   covers BOTH PG and CH gates)
      * - No migrated CH in connections → returns `undefined`
-     * - Exactly one migrated CH → returns `{ EXPECTED_CH_SCHEMA_VERSION }`
+     * - Exactly one migrated CH → returns env `EXPECTED_CH_SCHEMA_VERSION` +
+     *   `SCHEMA_ADMIN_USER`, plus `secretsImport.SCHEMA_ADMIN_PASSWORD`. The
+     *   creds piggyback on the same gate resolution so adding the gate to a
+     *   service can't ship without the creds it needs to use it.
      * - Two or more migrated CHs → throws via `resolveClickHouseDatabaseForService`
      */
     private resolveClickHouseSchemaVersionEnv;

package/dist/lib/patterns/aws/computeEcs.js

@@ -16,6 +16,7 @@ import { createScheduledTaskDefinition, createMigrationTaskDefinition } from "..
 import { EcsLifecycleHookMigration } from "../../resources/aws/compute/ecsLifecycleHookMigration.js";
 import { Role } from "../../resources/aws/iam/role.js";
 import { LogGroup } from "../../resources/aws/logging/logGroup.js";
+import { Schedule } from "../../resources/aws/messaging/schedule.js";
 import { SecurityGroup } from "../../resources/aws/networking/securityGroup.js";
 import { vpcHasNatGateways } from "../../utils/vpcUtils.js";
 import { toPascalCase } from "../../utils/capitaliseString.js";
@@ -467,13 +468,15 @@ function mergeContributionsIntoSeparateTaskDef(separateTaskDef, contributions) {
  *                      themselves and the resolved value differs.
  * @internal Exported for testing only
  */
-export function buildContainerConfigs(service, schemaVersionEnv, annotationsScope, chSchemaVersionEnv) {
+export function buildContainerConfigs(service, schemaVersionEnv, annotationsScope, chGate) {
     const userContainers = service.containers && service.containers.length > 0
         ? service.containers
         : undefined;
     const expanded = service.migrations
         ? expandMigrationsSugar(service, userContainers)
         : userContainers;
+    const chSchemaVersionEnv = chGate?.environment;
+    const chGateSecretsImport = chGate?.secretsImport;
     const mergeSchemaEnv = (authored) => {
         if (schemaVersionEnv === undefined)
             return authored;
@@ -517,12 +520,29 @@ export function buildContainerConfigs(service, schemaVersionEnv, annotationsScop
                     `ClickHouse database's \`migrations:\` config ('${resolvedValue}'). The ` +
                     `author value wins; set \`schemaGate: false\` to silence this warning.`);
             }
+            return mergeAuthorWins(authored, chSchemaVersionEnv);
+        }
+        return mergeAuthorWins(authored, chSchemaVersionEnv);
+    };
+    const mergeAuthorWins = (authored, framework) => {
+        const merged = { ...(authored ?? {}) };
+        for (const [k, v] of Object.entries(framework)) {
+            if (merged[k] === undefined)
+                merged[k] = v;
+        }
+        return merged;
+    };
+    const mergeChGateSecretsImport = (authored) => {
+        if (chGateSecretsImport === undefined)
             return authored;
+        if (Object.keys(chGateSecretsImport).length === 0)
+            return authored;
+        const merged = { ...(authored ?? {}) };
+        for (const [k, v] of Object.entries(chGateSecretsImport)) {
+            if (merged[k] === undefined)
+                merged[k] = v;
         }
-        return {
-            ...(authored ?? {}),
-            [EXPECTED_CH_SCHEMA_VERSION_ENV]: resolvedValue
-        };
+        return merged;
     };
     const mergeAllSchemaEnv = (authored) => mergeChSchemaEnv(mergeSchemaEnv(authored));
     if (expanded) {
@@ -533,7 +553,7 @@ export function buildContainerConfigs(service, schemaVersionEnv, annotationsScop
                 port: c.port,
                 environment: mergeAllSchemaEnv(c.environment),
                 secrets: c.secrets,
-                secretsImport: c.secretsImport,
+                secretsImport: mergeChGateSecretsImport(c.secretsImport),
                 command: c.command,
                 entryPoint: c.entryPoint,
                 essential: c.essential,
@@ -546,10 +566,14 @@ export function buildContainerConfigs(service, schemaVersionEnv, annotationsScop
         });
     }
     const fallbackEnv = mergeAllSchemaEnv(undefined);
+    const fallbackSecretsImport = mergeChGateSecretsImport(undefined);
     return [
         {
             name: `${service.name}Container`,
-            ...(fallbackEnv !== undefined && { environment: fallbackEnv })
+            ...(fallbackEnv !== undefined && { environment: fallbackEnv }),
+            ...(fallbackSecretsImport !== undefined && {
+                secretsImport: fallbackSecretsImport
+            })
         }
     ];
 }
@@ -617,8 +641,8 @@ export class EcsCompute extends Construct {
         this.appName = props.appName;
         const services = props.services.map((service) => {
             const schemaVersionEnv = this.resolveSchemaVersionEnv(service);
-            const chSchemaVersionEnv = this.resolveClickHouseSchemaVersionEnv(service);
-            const containers = buildContainerConfigs(service, schemaVersionEnv, this, chSchemaVersionEnv);
+            const chGate = this.resolveClickHouseSchemaVersionEnv(service);
+            const containers = buildContainerConfigs(service, schemaVersionEnv, this, chGate);
             const { scalingType, minCapacity, maxCapacity } = resolveScalingConfig(service.scaling);
             const cloudMapService = service.serviceDiscovery !== undefined
                 ? App.getInstance().registerService({
@@ -728,13 +752,17 @@ export class EcsCompute extends Construct {
     }
     /**
      * ClickHouse mirror of `resolveSchemaVersionEnv`. Returns the
-     * `EXPECTED_CH_SCHEMA_VERSION` env entry, or `undefined` when the service is
-     * not gated.
+     * `EXPECTED_CH_SCHEMA_VERSION` env entry alongside the schema-admin
+     * credentials the boot gate needs to authenticate against
+     * `_schema_migrations`, or `undefined` when the service is not gated.
      *
      * - `schemaGate: false` → returns `undefined` (auditable opt-out — same flag
      *   covers BOTH PG and CH gates)
      * - No migrated CH in connections → returns `undefined`
-     * - Exactly one migrated CH → returns `{ EXPECTED_CH_SCHEMA_VERSION }`
+     * - Exactly one migrated CH → returns env `EXPECTED_CH_SCHEMA_VERSION` +
+     *   `SCHEMA_ADMIN_USER`, plus `secretsImport.SCHEMA_ADMIN_PASSWORD`. The
+     *   creds piggyback on the same gate resolution so adding the gate to a
+     *   service can't ship without the creds it needs to use it.
      * - Two or more migrated CHs → throws via `resolveClickHouseDatabaseForService`
      */
     resolveClickHouseSchemaVersionEnv(service) {
@@ -746,9 +774,16 @@ export class EcsCompute extends Construct {
         const version = db.getExpectedSchemaVersion();
         if (version === undefined)
             return undefined;
-        return {
+        const environment = {
             [EXPECTED_CH_SCHEMA_VERSION_ENV]: version
         };
+        const secretsImport = {};
+        const gateContribution = db.getSchemaGateContribution();
+        if (gateContribution !== undefined) {
+            Object.assign(environment, gateContribution.environment);
+            Object.assign(secretsImport, gateContribution.secretsImport);
+        }
+        return { environment, secretsImport };
     }
     materialiseScheduledTasks(id, props) {
         const scheduledTasks = props.cluster?.scheduledTasks;
@@ -758,14 +793,18 @@ export class EcsCompute extends Construct {
         for (const entry of scheduledTasks) {
             const taskDef = this.buildScheduledTaskDefinition(id, entry);
             this.ecsCluster.registerScheduledTaskDefinition(entry.name, taskDef);
-            app.addSchedule(`${id}${toPascalCase(entry.name)}Schedule`, {
+            // Construct under `this` (NOT app.addSchedule) so the schedule lives
+            // in EcsCompute's stack. Crossing stacks (e.g. when this EcsCompute is
+            // nested in ClickHouseDatabase) forces a CFN export-update freeze on
+            // task-def replacement.
+            new Schedule(this, `${id}${toPascalCase(entry.name)}Schedule`, {
                 schedule: entry.schedule,
                 target: {
                     ecs: this,
                     serviceName: entry.name,
                     taskCount: 1
                 },
-                stackPlacement: "compute"
+                applicationId: app.getName()
             });
         }
     }

package/dist/lib/patterns/aws/index.d.ts

@@ -22,3 +22,4 @@ export * from "./messaging.js";
 export * from "./pattern.js";
 export * from "./vpcPeer.js";
 export * from "./vpcPeerAccepter.js";
+export * from "./clickhouseTls/index.js";

package/dist/lib/patterns/aws/index.js

@@ -29,3 +29,4 @@ export * from "./messaging.js";
 export * from "./pattern.js";
 export * from "./vpcPeer.js";
 export * from "./vpcPeerAccepter.js";
+export * from "./clickhouseTls/index.js";

package/dist/lib/patterns/aws/interfaces/database.d.ts

@@ -19,11 +19,11 @@ import { type TaskDefinition } from "aws-cdk-lib/aws-ecs";
 import { type IGrantable, type Grant, type PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { type IBucket } from "aws-cdk-lib/aws-s3";
 import { type Construct } from "constructs";
-import { type Secret } from "../../../resources/aws/secrets/index.js";
+import { type Secret, type SecretImport } from "../../../resources/aws/secrets/index.js";
 import { type SnapshotTarget } from "../../../utils/databaseTypes.js";
 import { type IMigrationContributor } from "./migrationContributor.js";
 export { type SnapshotTarget } from "../../../utils/databaseTypes.js";
-export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV } from "@fjall/util";
+export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV, SCHEMA_ADMIN_USER_ENV, SCHEMA_ADMIN_PASSWORD_ENV } from "@fjall/util";
 /**
  * Declarative migration configuration on a relational database. Drives:
  *  - the schema-version resolver at synth (filesystem scan of `dir`)
@@ -263,12 +263,14 @@ export interface IClickHouseDatabase extends IDatabase, IConnectable, IMigration
     /** Native TCP port (typically 9000). */
     getNativePort(): number;
     /**
-     * HTTP URL for clickhouse-client / chproxy (`http://<host>:<httpPort>`).
-     * No credentials in the URL — ClickHouse HTTP uses Basic Auth headers or
-     * `X-ClickHouse-User`/`X-ClickHouse-Key` headers. Compose creds at runtime
-     * via `getUser(name).getImport(...)`.
+     * Canonical URL for the HTTP(S) interface. Scheme is `https` when TLS is
+     * active (default), `http` only when `tls: { mode: "none", … }` is set.
+     * Port matches: HTTPS (8443) under TLS, HTTP (8123) otherwise. No
+     * credentials in the URL — ClickHouse HTTP uses Basic Auth headers or
+     * `X-ClickHouse-User`/`X-ClickHouse-Key` headers. Compose creds at
+     * runtime via `getUser(name).getImport(...)`.
      */
-    getHttpUrl(): string;
+    getUrl(): string;
     /**
      * Native TCP URL (`tcp://<host>:<nativePort>`).
      * No credentials in the URL — the native protocol handshake carries them.
@@ -298,6 +300,25 @@ export interface IClickHouseDatabase extends IDatabase, IConnectable, IMigration
      * loud, never silent.
      */
     getExpectedSchemaVersion(): string | undefined;
+    /**
+     * Schema-admin credentials for the boot-time schema-version gate run by
+     * every container that connects to this database. Returns the username
+     * (plaintext env) and the password-secret import (Secrets-Manager-backed
+     * env) so callers can authenticate against `_schema_migrations`. Returns
+     * `undefined` when no `migrations:` config is declared on this database —
+     * the gate is the only consumer, so without migrations there's nothing
+     * for it to verify.
+     *
+     * Distinct from `getMigrationContributions()`: that's the per-migration
+     * task contract (env + secrets + IAM + egress for running migrations);
+     * this is the narrower per-runtime-service contract (env + secret only)
+     * needed by the boot gate. Both contributions name the same secret —
+     * synth-time merging is the caller's concern.
+     */
+    getSchemaGateContribution(): {
+        readonly environment: Record<string, string>;
+        readonly secretsImport: Record<string, SecretImport>;
+    } | undefined;
     /**
      * Grant connect permissions to a grantee.
      * Adds the grantee to the database security group on both ports.

package/dist/lib/patterns/aws/interfaces/database.js

@@ -13,7 +13,7 @@
  * dynamo.getTableName(); // ✓ Available on IDynamoDBDatabase
  * dynamo.getHostEndpoint(); // ✗ Compile error - not on IDynamoDBDatabase
  */
-export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV } from "@fjall/util";
+export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV, SCHEMA_ADMIN_USER_ENV, SCHEMA_ADMIN_PASSWORD_ENV } from "@fjall/util";
 /**
  * Relational database type discriminator.
  */

package/dist/lib/resources/aws/compute/ecsNetworking.js

@@ -110,7 +110,9 @@ export function addLoadBalancerListener(ctx, loadBalancer, certificate) {
                     : [];
             return rules.length > 1;
         });
-    const defaultAction = willHaveMultipleRoutes
+    // CDK rejects listeners with neither a default action nor target groups.
+    const noServicePorts = servicesWithPorts.length === 0;
+    const defaultAction = willHaveMultipleRoutes || noServicePorts
         ? ListenerAction.fixedResponse(404, {
             contentType: "text/plain",
             messageBody: "Not Found"

package/dist/lib/resources/aws/database/clickhouseUserData.d.ts

@@ -20,26 +20,30 @@ export interface BuildClickHouseUserDataOptions {
         region: string;
     };
     /**
-     * When true, the server config emits `<https_port>`, `<tcp_port_secure>`,
-     * and an `<openSSL><server>` block referencing the cert files materialised
-     * at `CLICKHOUSE_TLS_CERT_MOUNT_PATH` by the user-data bootstrap step.
-     * Plaintext `<http_port>` is omitted to avoid mixed-protocol exposure.
-     * Default: false. When true, `caSecretArn` and `serverSecretArn` MUST be
-     * supplied so the bootstrap step can materialise the cert PEMs.
+     * TLS bootstrap configuration. When provided, the server config emits
+     * `<https_port>`, `<tcp_port_secure>`, and an `<openSSL><server>` block
+     * referencing the cert files materialised at `CLICKHOUSE_TLS_CERT_MOUNT_PATH`
+     * by the user-data bootstrap step (plaintext `<http_port>` is omitted to
+     * avoid mixed-protocol exposure). When absent, plaintext `<http_port>` is
+     * emitted and no cert materialisation runs.
+     *
+     * Both ARNs are required together (CA + server) — there is no half-TLS
+     * mode. The discriminated shape makes the "TLS-on but one ARN missing"
+     * misuse type-unrepresentable.
      */
-    tlsActive?: boolean;
-    /**
-     * Secrets Manager ARN holding the CA cert as raw PEM. Required when
-     * `tlsActive` is true. Fetched at instance boot via the EC2 instance role
-     * and written to `${dataMount}/server-certs/ca.crt`.
-     */
-    caSecretArn?: string;
-    /**
-     * Secrets Manager ARN holding the server cert + key as JSON
-     * `{ "cert": "<pem>", "key": "<pem>" }`. Required when `tlsActive` is true.
-     * Fetched at instance boot and written to `${dataMount}/server-certs/server.{crt,key}`.
-     */
-    serverSecretArn?: string;
+    tls?: {
+        /**
+         * Secrets Manager ARN holding the CA cert as raw PEM. Fetched at instance
+         * boot via the EC2 instance role and written to `${dataMount}/server-certs/ca.crt`.
+         */
+        caSecretArn: string;
+        /**
+         * Secrets Manager ARN holding the server cert + key as JSON
+         * `{ "cert": "<pem>", "key": "<pem>" }`. Fetched at instance boot and
+         * written to `${dataMount}/server-certs/server.{crt,key}`.
+         */
+        serverSecretArn: string;
+    };
 }
 export declare function generateServerConfigXml(options: BuildClickHouseUserDataOptions): string;
 export interface GenerateUsersConfigXmlOptions {

package/dist/lib/resources/aws/database/clickhouseUserData.js

@@ -2,7 +2,7 @@ import { CLICKHOUSE_DATA_MOUNT_PATH, CLICKHOUSE_EBS_DEVICE_NAME, CLICKHOUSE_CONF
 import { renderUsersXml } from "./clickhouseXmlRenderer.js";
 export function generateServerConfigXml(options) {
     const { backupBucketName, backupBucketRegion, coldTier } = options;
-    const tlsActive = options.tlsActive ?? false;
+    const tlsActive = options.tls !== undefined;
     const storageBlock = coldTier !== undefined
         ? `    <storage_configuration>
         <!-- Same CH 26 rule as the no-cold-tier branch: a <local_ssd> disk
@@ -260,12 +260,8 @@ function compactUserDataScript(script) {
  */
 export function buildClickHouseUserData(options) {
     const serverConfigXml = generateServerConfigXml(options);
-    const tlsActive = options.tlsActive ?? false;
-    if (tlsActive &&
-        (options.caSecretArn === undefined || options.serverSecretArn === undefined)) {
-        throw new Error("buildClickHouseUserData: tlsActive=true requires both caSecretArn and serverSecretArn");
-    }
-    const tlsBootstrap = tlsActive
+    const tls = options.tls;
+    const tlsBootstrap = tls !== undefined
         ? `
 # Materialise TLS certs from Secrets Manager. The EC2 instance role carries
 # the secretsmanager:GetSecretValue grant; certs land on the EBS-backed mount
@@ -280,16 +276,50 @@ mkdir -p "$MOUNT_POINT/server-certs"
 command -v jq >/dev/null 2>&1 || dnf install -y jq || yum install -y jq
 
 # Fetch CA (raw PEM SecretString). Quoting prevents word-splitting on multi-line PEM.
-CA_PEM=$(aws secretsmanager get-secret-value --secret-id "${options.caSecretArn ?? ""}" --query SecretString --output text)
-printf '%s\\n' "$CA_PEM" > "$MOUNT_POINT/server-certs/ca.crt"
+# tmp + mv matches the in-file users.d/fjall.xml pattern below. Even though
+# pipefail plus the container starting only after this script exits means
+# there is no concurrent reader at write time today, a future change that
+# introduces a watcher or moves cert materialisation closer to container
+# start would silently regress to partial-write exposure. Atomic-replace
+# preserves the invariant by construction.
+CA_PEM=$(aws secretsmanager get-secret-value --secret-id "${tls.caSecretArn}" --query SecretString --output text)
+printf '%s\\n' "$CA_PEM" > "$MOUNT_POINT/server-certs/ca.crt.new"
+mv "$MOUNT_POINT/server-certs/ca.crt.new" "$MOUNT_POINT/server-certs/ca.crt"
 
 # Fetch server bundle (JSON { "cert": "<pem>", "key": "<pem>" }).
-SERVER_JSON=$(aws secretsmanager get-secret-value --secret-id "${options.serverSecretArn ?? ""}" --query SecretString --output text)
-printf '%s' "$SERVER_JSON" | jq -r .cert > "$MOUNT_POINT/server-certs/server.crt"
-printf '%s' "$SERVER_JSON" | jq -r .key > "$MOUNT_POINT/server-certs/server.key"
+SERVER_JSON=$(aws secretsmanager get-secret-value --secret-id "${tls.serverSecretArn}" --query SecretString --output text)
+printf '%s' "$SERVER_JSON" | jq -r .cert > "$MOUNT_POINT/server-certs/server.crt.new"
+mv "$MOUNT_POINT/server-certs/server.crt.new" "$MOUNT_POINT/server-certs/server.crt"
+# chmod BEFORE mv so the private key is 0600 the instant it lands at its
+# final path. Without this, server.key briefly carries the umask-default mode
+# (0644) between mv and the trailing \`chmod 600\` below — short window but
+# observable to any non-root reader on the host during user-data execution.
+printf '%s' "$SERVER_JSON" | jq -r .key > "$MOUNT_POINT/server-certs/server.key.new"
+chmod 600 "$MOUNT_POINT/server-certs/server.key.new"
+mv "$MOUNT_POINT/server-certs/server.key.new" "$MOUNT_POINT/server-certs/server.key"
+
+# Strict-verify client config consumed by docker-exec reload SSM script and any
+# in-container clickhouse-client invocation. RejectCertificateHandler + strict
+# verificationMode together close the trust-anchor-skipped class.
+cat > "$MOUNT_POINT/server-certs/client.xml" <<'CLIENTXML'
+<?xml version="1.0"?>
+<config>
+  <openSSL>
+    <client>
+      <caConfig>/etc/clickhouse-server/certs/ca.crt</caConfig>
+      <verificationMode>strict</verificationMode>
+      <loadDefaultCAFile>false</loadDefaultCAFile>
+      <invalidCertificateHandler>
+        <name>RejectCertificateHandler</name>
+      </invalidCertificateHandler>
+    </client>
+  </openSSL>
+</config>
+CLIENTXML
 
 chown -R 101:101 "$MOUNT_POINT/server-certs"
 chmod 600 "$MOUNT_POINT/server-certs/server.key"
+chmod 644 "$MOUNT_POINT/server-certs/client.xml"
 `
         : "";
     const script = `#!/bin/bash

package/dist/lib/resources/aws/organisation/costAllocationTagActivator.js

@@ -1,4 +1,5 @@
 import { Construct } from "constructs";
+import { PhysicalName } from "aws-cdk-lib";
 import { Code, Runtime } from "aws-cdk-lib/aws-lambda";
 import { PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
 import { LambdaFunction } from "../compute/lambda.js";
@@ -23,6 +24,8 @@ export class CostAllocationTagActivator extends Construct {
     constructor(scope, id) {
         super(scope, id);
         this.lambda = new LambdaFunction(this, "TagActivatorFunction", {
+            // Referenced cross-environment by the App messaging stack's schedule rule.
+            functionName: PhysicalName.GENERATE_IF_NEEDED,
             runtime: Runtime.NODEJS_22_X,
             handler: "index.handler",
             code: Code.fromInline(HANDLER_CODE),

package/dist/lib/resources/aws/secrets/tlsCaSecret.d.ts

@@ -5,8 +5,11 @@ export interface TlsCaSecretProps {
     readonly appName: string;
 }
 /**
- * ClickHouse TLS CA cert (public — clients pin against this). Retained on
- * delete so client-side trust anchors survive accidental stack teardown.
+ * ClickHouse TLS CA cert (public — clients pin against this). The cert-generator
+ * Lambda mints a fresh CA on each create and force-deletes on stack-delete
+ * (bypassing the AWS recovery window) so the deterministic name is reusable
+ * immediately on redeploy. Use CFN stack termination protection to guard
+ * production teardown.
  */
 export declare class TlsCaSecret extends Secret {
     constructor(scope: Construct, id: string, props: TlsCaSecretProps);

package/dist/lib/resources/aws/secrets/tlsCaSecret.js

@@ -1,8 +1,10 @@
-import { RemovalPolicy } from "aws-cdk-lib";
 import { Secret } from "./secret.js";
 /**
- * ClickHouse TLS CA cert (public — clients pin against this). Retained on
- * delete so client-side trust anchors survive accidental stack teardown.
+ * ClickHouse TLS CA cert (public — clients pin against this). The cert-generator
+ * Lambda mints a fresh CA on each create and force-deletes on stack-delete
+ * (bypassing the AWS recovery window) so the deterministic name is reusable
+ * immediately on redeploy. Use CFN stack termination protection to guard
+ * production teardown.
  */
 export class TlsCaSecret extends Secret {
     constructor(scope, id, props) {
@@ -10,6 +12,5 @@ export class TlsCaSecret extends Secret {
             secretName: `fjall-${props.appName}-clickhouse-tls-ca`,
             description: "ClickHouse TLS CA cert (public — clients pin against this)"
         });
-        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
     }
 }

package/dist/lib/resources/aws/secrets/tlsServerSecret.d.ts

@@ -5,10 +5,12 @@ export interface TlsServerSecretProps {
     readonly appName: string;
 }
 /**
- * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
- * delete so cert material survives accidental stack teardown; the private
- * key only leaves Secrets Manager via ECS executionRole + the TLS init
- * container that materialises it onto the shared volume.
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). The cert-generator
+ * Lambda mints a fresh leaf on each create and force-deletes on stack-delete
+ * (bypassing the AWS recovery window) so the deterministic name is reusable
+ * immediately on redeploy. The private key only leaves Secrets Manager via
+ * ECS executionRole + the TLS init container that materialises it onto the
+ * shared volume.
  */
 export declare class TlsServerSecret extends Secret {
     constructor(scope: Construct, id: string, props: TlsServerSecretProps);

package/dist/lib/resources/aws/secrets/tlsServerSecret.js

@@ -1,10 +1,11 @@
-import { RemovalPolicy } from "aws-cdk-lib";
 import { Secret } from "./secret.js";
 /**
- * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). Retained on
- * delete so cert material survives accidental stack teardown; the private
- * key only leaves Secrets Manager via ECS executionRole + the TLS init
- * container that materialises it onto the shared volume.
+ * ClickHouse TLS server cert + key (JSON: `{ cert, key }`). The cert-generator
+ * Lambda mints a fresh leaf on each create and force-deletes on stack-delete
+ * (bypassing the AWS recovery window) so the deterministic name is reusable
+ * immediately on redeploy. The private key only leaves Secrets Manager via
+ * ECS executionRole + the TLS init container that materialises it onto the
+ * shared volume.
  */
 export class TlsServerSecret extends Secret {
     constructor(scope, id, props) {
@@ -12,6 +13,5 @@ export class TlsServerSecret extends Secret {
             secretName: `fjall-${props.appName}-clickhouse-tls-server`,
             description: "ClickHouse TLS server cert + key (JSON: { cert, key })"
         });
-        this.secret.applyRemovalPolicy(RemovalPolicy.RETAIN);
     }
 }

package/dist/lib/resources/aws/utilities/tlsCertGenerator.d.ts

@@ -20,6 +20,13 @@ export interface TlsCertGeneratorProps {
  * raw PEM (public — clients pin against it); the server secret carries a
  * JSON `{ cert, key }` payload consumed by the TLS init container.
  *
+ * On stack-delete, the Lambda force-deletes both secrets via
+ * `DeleteSecret(ForceDeleteWithoutRecovery=true)` so the deterministic names
+ * (`fjall-<app>-clickhouse-tls-{ca,server}`) become reusable immediately on
+ * redeploy. AWS's default 7-30 day recovery window would otherwise block
+ * recreation under the same name. CFN exposes no lever for this — the
+ * AWS::SecretsManager::Secret resource has no `RecoveryWindowInDays` field.
+ *
  * `caCertSha256` is exposed for downstream consumers to wire into their
  * container `environment` block as `CA_CERT_SHA256` — its CFN value
  * changes whenever the cert regenerates, forcing task-def replacement so

package/dist/lib/resources/aws/utilities/tlsCertGenerator.js

@@ -23,6 +23,13 @@ const LAMBDA_TIMEOUT = Duration.minutes(2);
  * raw PEM (public — clients pin against it); the server secret carries a
  * JSON `{ cert, key }` payload consumed by the TLS init container.
  *
+ * On stack-delete, the Lambda force-deletes both secrets via
+ * `DeleteSecret(ForceDeleteWithoutRecovery=true)` so the deterministic names
+ * (`fjall-<app>-clickhouse-tls-{ca,server}`) become reusable immediately on
+ * redeploy. AWS's default 7-30 day recovery window would otherwise block
+ * recreation under the same name. CFN exposes no lever for this — the
+ * AWS::SecretsManager::Secret resource has no `RecoveryWindowInDays` field.
+ *
  * `caCertSha256` is exposed for downstream consumers to wire into their
  * container `environment` block as `CA_CERT_SHA256` — its CFN value
  * changes whenever the cert regenerates, forcing task-def replacement so
@@ -43,17 +50,29 @@ export class TlsCertGenerator extends Construct {
         const serverSecretArnPattern = `arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:fjall-${props.appName}-clickhouse-tls-server-*`;
         const writePolicy = new PolicyStatement({
             effect: Effect.ALLOW,
-            actions: ["secretsmanager:PutSecretValue"],
+            actions: ["secretsmanager:PutSecretValue", "secretsmanager:DeleteSecret"],
             resources: [caSecretArnPattern, serverSecretArnPattern]
         });
+        // PutSecretValue against a CMK-encrypted secret needs kms:GenerateDataKey
+        // on the CMK — Secrets Manager calls KMS server-side as the caller.
+        const caCmk = this.caSecret.secretsCustomerManagedKey;
+        const serverCmk = this.serverSecret.secretsCustomerManagedKey;
+        if (caCmk === undefined || serverCmk === undefined) {
+            throw new Error("TlsCertGenerator: TlsCaSecret/TlsServerSecret must expose their CMK; importExisting=true is not supported here");
+        }
+        const kmsPolicy = new PolicyStatement({
+            effect: Effect.ALLOW,
+            actions: ["kms:GenerateDataKey", "kms:Decrypt"],
+            resources: [caCmk.key.keyArn, serverCmk.key.keyArn]
+        });
         const cr = new CustomResource(this, "Generator", {
             runtime: Runtime.NODEJS_22_X,
             timeout: LAMBDA_TIMEOUT,
             codePath: LAMBDA_ASSET_DIR,
             handler: "index.handler",
             lambdaDescription: `${id} ClickHouse TLS cert generator`,
-            roleDescription: `Execution role for ${id} cert generator (PutSecretValue on two cert secrets)`,
-            inlinePolicy: [writePolicy],
+            roleDescription: `Execution role for ${id} cert generator (PutSecretValue + force-DeleteSecret on two cert secrets)`,
+            inlinePolicy: [writePolicy, kmsPolicy],
             properties: {
                 caSecretArn: this.caSecret.secret.secretArn,
                 serverSecretArn: this.serverSecret.secret.secretArn,

package/dist/lib/utils/manifestWriter.js

@@ -17,7 +17,7 @@ import { writeFileSync, readFileSync, existsSync, readdirSync, renameSync, unlin
 import { join, basename } from "path";
 import { createHash } from "crypto";
 import { buildConstructMap, constructMapToRecord, ACCOUNT_CONSTRUCT_GROUPS } from "@fjall/util/constructMap";
-import { maskSensitiveOutput } from "@fjall/util";
+import { getErrorMessage, maskSensitiveOutput } from "@fjall/util";
 import { FJALL_MANIFEST_FILENAME, MANIFEST_SCHEMA_VERSION, FjallManifestSchema } from "@fjall/util/manifest/schemas";
 import { FjallLogger } from "./validationLogger.js";
 /**
@@ -117,7 +117,7 @@ function computeTemplateHash(templatePath) {
         return createHash("sha256").update(normalised).digest("hex");
     }
     catch (error) {
-        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        const maskedMessage = maskSensitiveOutput(getErrorMessage(error));
         FjallLogger.warn(`Failed to compute hash for ${templatePath}: ${maskedMessage}`);
         return null;
     }
@@ -144,7 +144,7 @@ function computeStackHashes(cdkOutPath) {
         }
     }
     catch (error) {
-        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        const maskedMessage = maskSensitiveOutput(getErrorMessage(error));
         FjallLogger.warn(`Failed to read cdk.out for hash computation: ${maskedMessage}`);
     }
     return stacks;
@@ -194,16 +194,10 @@ export function writeManifest(assembly, collector) {
                 unlinkSync(tmpPath);
             }
             catch (cleanupError) {
-                const cleanupMessage = cleanupError instanceof Error
-                    ? cleanupError.message
-                    : String(cleanupError);
-                FjallLogger.warn(`Failed to clean up tmp manifest at ${tmpPath}: ${maskSensitiveOutput(cleanupMessage)}`);
+                FjallLogger.warn(`Failed to clean up tmp manifest at ${tmpPath}: ${maskSensitiveOutput(getErrorMessage(cleanupError))}`);
             }
         }
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        throw new Error(`Failed to write Fjall manifest: ${errorMessage}`, {
-            cause: error
-        });
+        throw new Error(`Failed to write Fjall manifest: ${getErrorMessage(error)}`, { cause: error });
     }
 }
 /**
@@ -224,8 +218,7 @@ export function readExistingManifest(cdkOutPath) {
         return result.data;
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to parse existing manifest: ${maskSensitiveOutput(message)}`);
+        FjallLogger.warn(`Failed to parse existing manifest: ${maskSensitiveOutput(getErrorMessage(error))}`);
         return null;
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "1.1.0",
+  "version": "2.2.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -59,12 +59,12 @@
     "eslint": "^10.2.1",
     "prettier": "^3.8.3",
     "typescript": "^6.0.3",
-    "vitest": "^4.1.5"
+    "vitest": "^4.1.7"
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^1.1.0",
-    "@fjall/util": "^1.1.0",
+    "@fjall/generator": "^2.2.0",
+    "@fjall/util": "^2.2.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "437ec726425bd7610b83a57c12c1a4e1980bbb01"
+  "gitHead": "cd83079d6ed53b131e4c97b5966dc0d8715c8735"
 }