@fjall/components-infrastructure 2.11.1 → 2.12.0

package/dist/lib/config/aws/s3BlockPublicAccess.d.ts

@@ -1,9 +1,27 @@
 import { Construct } from "constructs";
+export interface S3BlockPublicAccessProps {
+    /**
+     * Account whose account-level S3 Block Public Access is managed. Taken as a
+     * prop rather than read from `Stack.of(this).account` — that is a synth token
+     * that never matches a provider-account id when looking up config.
+     */
+    accountId: string;
+}
 /**
- * Enables S3 Block Public Access at the account level via a Custom Resource.
- * All four public access flags are set to true (block all public access).
- * Stack deletion does NOT revert this setting — security features are preserved.
+ * Manages account-level S3 Block Public Access via a Custom Resource.
+ *
+ * Off by default: Fjall observes-and-flags exposed buckets through the posture
+ * layer rather than hard-blocking at the account level. Set
+ * `s3BlockPublicAccess: "enforced"` on a provider account to switch all four
+ * flags on. The flags ride in the custom resource's properties (not hardcoded
+ * in the handler) so a config change reconciles on the next deploy. Stack
+ * deletion is a no-op — the account-level setting is left as-is.
+ *
+ * The handler runs under a fixed `/fjall/FjallS3BpaManager` role so the
+ * DenyS3PublicAccessChanges SCP can exempt its PutAccountPublicAccessBlock by
+ * ARN pattern. The role name is account-global, so this construct is created
+ * only in an account's home region (see Account's accountGlobals gate).
  */
 export declare class S3BlockPublicAccess extends Construct {
-    constructor(scope: Construct, id: string);
+    constructor(scope: Construct, id: string, props: S3BlockPublicAccessProps);
 }

package/dist/lib/config/aws/s3BlockPublicAccess.js

@@ -1,23 +1,41 @@
 import { Duration } from "aws-cdk-lib";
 import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
-import { Stack } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { CustomResource } from "../../resources/aws/utilities/customResource.js";
+import { getConfig } from "../../utils/getConfig.js";
 /**
- * Enables S3 Block Public Access at the account level via a Custom Resource.
- * All four public access flags are set to true (block all public access).
- * Stack deletion does NOT revert this setting — security features are preserved.
+ * Manages account-level S3 Block Public Access via a Custom Resource.
+ *
+ * Off by default: Fjall observes-and-flags exposed buckets through the posture
+ * layer rather than hard-blocking at the account level. Set
+ * `s3BlockPublicAccess: "enforced"` on a provider account to switch all four
+ * flags on. The flags ride in the custom resource's properties (not hardcoded
+ * in the handler) so a config change reconciles on the next deploy. Stack
+ * deletion is a no-op — the account-level setting is left as-is.
+ *
+ * The handler runs under a fixed `/fjall/FjallS3BpaManager` role so the
+ * DenyS3PublicAccessChanges SCP can exempt its PutAccountPublicAccessBlock by
+ * ARN pattern. The role name is account-global, so this construct is created
+ * only in an account's home region (see Account's accountGlobals gate).
  */
 export class S3BlockPublicAccess extends Construct {
-    constructor(scope, id) {
+    constructor(scope, id, props) {
         super(scope, id);
+        const account = getConfig().providerAccounts.find((pa) => pa.id === props.accountId);
+        const enforce = (account?.s3BlockPublicAccess ?? "off") === "enforced";
         new CustomResource(this, "S3BlockPublicAccess", {
             runtime: Runtime.NODEJS_22_X,
             timeout: Duration.minutes(5),
-            lambdaDescription: "Enables S3 Block Public Access at account level",
+            lambdaDescription: "Manages S3 Block Public Access at account level",
+            rolePath: "/fjall/",
+            roleName: "FjallS3BpaManager",
             properties: {
-                AccountId: Stack.of(this).account
+                AccountId: props.accountId,
+                BlockPublicAcls: String(enforce),
+                IgnorePublicAcls: String(enforce),
+                BlockPublicPolicy: String(enforce),
+                RestrictPublicBuckets: String(enforce)
             },
             inlinePolicy: [
                 new PolicyStatement({
@@ -32,20 +50,22 @@ export class S3BlockPublicAccess extends Construct {
             inlineCode: `
 const { S3ControlClient, PutPublicAccessBlockCommand } = require('@aws-sdk/client-s3-control');
 
+const toBool = (v) => v === 'true' || v === true;
+
 exports.handler = async (event) => {
   const physicalResourceId = event.PhysicalResourceId || event.LogicalResourceId || 's3-block-public-access';
   if (event.RequestType === 'Delete') {
     return { PhysicalResourceId: physicalResourceId };
   }
-  const accountId = event.ResourceProperties.AccountId;
+  const props = event.ResourceProperties;
   const client = new S3ControlClient({});
   await client.send(new PutPublicAccessBlockCommand({
-    AccountId: accountId,
+    AccountId: props.AccountId,
     PublicAccessBlockConfiguration: {
-      BlockPublicAcls: true,
-      IgnorePublicAcls: true,
-      BlockPublicPolicy: true,
-      RestrictPublicBuckets: true
+      BlockPublicAcls: toBool(props.BlockPublicAcls),
+      IgnorePublicAcls: toBool(props.IgnorePublicAcls),
+      BlockPublicPolicy: toBool(props.BlockPublicPolicy),
+      RestrictPublicBuckets: toBool(props.RestrictPublicBuckets)
     }
   }));
   return { PhysicalResourceId: physicalResourceId };

package/dist/lib/config/aws/scpPreset.js

@@ -5,7 +5,12 @@ import { OrganisationPolicy } from "../../resources/aws/organisation/organisatio
 // default path.
 const EXEMPT_ROLE_PATTERNS = [
     "arn:aws:iam::*:role/fjall/FjallDeploy*",
-    "arn:aws:iam::*:role/OrganizationAccountAccessRole"
+    "arn:aws:iam::*:role/OrganizationAccountAccessRole",
+    // The account-level S3 Block Public Access manager Lambda re-applies BPA on
+    // every deploy; its PutAccountPublicAccessBlock must survive
+    // DenyS3PublicAccessChanges. Pathed under /fjall/ so a member admin cannot
+    // forge an exempt role at the default path.
+    "arn:aws:iam::*:role/fjall/FjallS3BpaManager*"
 ];
 const SCP_BYTE_LIMIT = 5120;
 const IAM_POLICY_VERSION = "2012-10-17";

package/dist/lib/patterns/aws/account.d.ts

@@ -27,6 +27,13 @@ export declare class Account extends Stack {
      * independent, and Platform must take one but not the other.
      */
     protected receivesDeployRole(): boolean;
+    /**
+     * Whether this account creates the default-ECR-image helper (the CodeBuild
+     * project that seeds a placeholder application image). App-hosting accounts
+     * need it; the organisation root runs no workloads and overrides to `false`.
+     * Deliberately separate from the OIDC/IPAM gates — the axes are independent.
+     */
+    protected createsEcrDefaultImage(): boolean;
     enableGuardDuty(props?: GuardDutyDetectorProps): GuardDutyDetector;
     enableSecurityHub(props?: SecurityHubHubProps): SecurityHubHub;
     enableConfigRecorder(props?: ConfigRecorderProps): ConfigRecorder;

package/dist/lib/patterns/aws/account.js

@@ -75,10 +75,12 @@ export class Account extends Stack {
             accountId: this.account,
             region: this.resolvedRegion
         });
-        new EcrDefaultImage(this, "EcrDefaultImage", {
-            region: this.resolvedRegion,
-            accountId: this.account
-        });
+        if (this.createsEcrDefaultImage()) {
+            new EcrDefaultImage(this, "EcrDefaultImage", {
+                region: this.resolvedRegion,
+                accountId: this.account
+            });
+        }
         const environment = config.environment ?? "unknown";
         if (config.disasterRecoveryRegion) {
             const isComplianceAccount = environment === "compliance";
@@ -95,7 +97,12 @@ export class Account extends Stack {
             exportName: "Environment",
             description: "Environment type for this account (e.g., production, staging, development)"
         });
-        new S3BlockPublicAccess(this, "S3BlockPublicAccess");
+        // Account-level S3 Block Public Access is account-global and runs under a
+        // fixed-name role, so (like the OIDC/Monitoring/Audit globals above) it is
+        // created only in the home region to avoid a cross-region role collision.
+        if (!accountGlobalsConfigured) {
+            new S3BlockPublicAccess(this, "S3BlockPublicAccess", { accountId });
+        }
         new EbsDefaultEncryption(this, "EbsDefaultEncryption");
     }
     /**
@@ -108,6 +115,15 @@ export class Account extends Stack {
     receivesDeployRole() {
         return this.constructor === Account;
     }
+    /**
+     * Whether this account creates the default-ECR-image helper (the CodeBuild
+     * project that seeds a placeholder application image). App-hosting accounts
+     * need it; the organisation root runs no workloads and overrides to `false`.
+     * Deliberately separate from the OIDC/IPAM gates — the axes are independent.
+     */
+    createsEcrDefaultImage() {
+        return true;
+    }
     enableGuardDuty(props) {
         return new GuardDutyDetector(this, "GuardDuty", props);
     }

package/dist/lib/patterns/aws/organisation.d.ts

@@ -1,21 +1,21 @@
-import { type Environment, Stack, type StackProps } from "aws-cdk-lib";
+import { type Environment } from "aws-cdk-lib";
+import { type Construct } from "constructs";
+import { Account, type AccountProps } from "./account.js";
 import { type CustomPermissionSets } from "../../config/aws/identityCenter.js";
 import { ScpPreset } from "../../config/aws/scpPreset.js";
 import type { ScpPresetProps } from "../../config/aws/scpPreset.js";
 import { OrganisationResource } from "../../resources/aws/organisation/index.js";
-type ExtendedStackProps = Omit<StackProps, "env"> & {
-    env?: Required<Pick<Environment, "region" | "account">> & Partial<Omit<Environment, "region" | "account">>;
-};
 export type AccountsConfig = {
     readonly [key: string]: readonly string[] | string | AccountsConfig;
 };
-export interface OrganisationProps extends ExtendedStackProps {
+export interface OrganisationProps extends AccountProps {
     organisationName: string;
     accounts: AccountsConfig;
     orgEmail: string;
     accountIds?: Record<string, string>;
     identityCenter?: boolean;
     allowedRegions?: string[];
+    env?: Required<Pick<Environment, "region" | "account">> & Partial<Omit<Environment, "region" | "account">>;
 }
 /**
  * Organisation CDK stack.
@@ -27,14 +27,26 @@ export interface OrganisationProps extends ExtendedStackProps {
  * - Identity Centre configuration
  * - Cost allocation tag auto-activation (daily Lambda)
  */
-export declare class Organisation extends Stack {
+export declare class Organisation extends Account {
     readonly organisationType: "organisation";
     private org;
     private accountRefs;
     private accountMap;
     private accountsConfig;
     private identityCenter?;
-    constructor(id: string, props: OrganisationProps);
+    constructor(scope: Construct, id: string, props: OrganisationProps);
+    /**
+     * The organisation root's OIDC deploy connector is owned by the customer-run
+     * Quick-Create CloudFormation stack, never the inherited Account connector.
+     * Returning `false` is also the short-circuit first clause of Account's OIDC
+     * gate, so no `OidcConnector` is synthesised on the root stack.
+     */
+    protected receivesDeployRole(): boolean;
+    /**
+     * The organisation root runs no application workloads, so it needs no
+     * default-ECR-image helper.
+     */
+    protected createsEcrDefaultImage(): boolean;
     private createAccountReferences;
     private setupOrganisationFeatures;
     private setupCostAllocationTagActivator;
@@ -45,4 +57,3 @@ export declare class Organisation extends Stack {
     getAccounts(): Record<string, string>;
     enableScps(props: ScpPresetProps): ScpPreset;
 }
-export {};

package/dist/lib/patterns/aws/organisation.js

@@ -1,5 +1,5 @@
-import { Stack } from "aws-cdk-lib";
 import App from "../../app.js";
+import { Account } from "./account.js";
 import { IdentityCenter } from "../../config/aws/identityCenter.js";
 import { ScpPreset } from "../../config/aws/scpPreset.js";
 import { OrganisationResource, OrganisationAccount, CostAllocationTagActivator } from "../../resources/aws/organisation/index.js";
@@ -17,23 +17,20 @@ import { extractAccountNames } from "../../utils/accountsUtils.js";
  * - Identity Centre configuration
  * - Cost allocation tag auto-activation (daily Lambda)
  */
-export class Organisation extends Stack {
+export class Organisation extends Account {
     organisationType = "organisation";
     org;
     accountRefs = [];
     accountMap;
     accountsConfig;
     identityCenter;
-    constructor(id, props) {
+    constructor(scope, id, props) {
         const config = getConfig();
-        const env = props.env ?? {
-            region: config.region,
-            account: config.accountId ?? ""
-        };
-        if (!env.account) {
-            throw new Error("Organisation requires an account ID. Provide it via env.account or ensure CDK context includes accountId.");
+        const accountId = props.accountId ?? props.env?.account ?? config.accountId;
+        if (!accountId) {
+            throw new Error("Organisation requires an account ID. Provide it via env.account, accountId, or ensure CDK context includes accountId.");
         }
-        super(App.getInstance(), id, { ...props, env });
+        super(scope, id, { ...props, accountId });
         // Normalise account map keys to lowercase for case-insensitive lookups.
         // providerAccounts stores names as lowercase; ACCOUNTS config uses PascalCase.
         const rawMap = props.accountIds ?? config.accountIds ?? {};
@@ -57,6 +54,22 @@ export class Organisation extends Stack {
         this.createAccountReferences(props);
         this.setupOrganisationFeatures(props.identityCenter ?? true, managementAccountId);
     }
+    /**
+     * The organisation root's OIDC deploy connector is owned by the customer-run
+     * Quick-Create CloudFormation stack, never the inherited Account connector.
+     * Returning `false` is also the short-circuit first clause of Account's OIDC
+     * gate, so no `OidcConnector` is synthesised on the root stack.
+     */
+    receivesDeployRole() {
+        return false;
+    }
+    /**
+     * The organisation root runs no application workloads, so it needs no
+     * default-ECR-image helper.
+     */
+    createsEcrDefaultImage() {
+        return false;
+    }
     createAccountReferences(props) {
         const allNames = extractAccountNames(props.accounts);
         for (const accountName of allNames) {

package/dist/lib/patterns/aws/organisationFactory.js

@@ -1,3 +1,4 @@
+import App from "../../app.js";
 import { Organisation } from "./organisation.js";
 import { Platform } from "./platform.js";
 import { Account } from "./account.js";
@@ -5,7 +6,7 @@ export class OrganisationFactory {
     static build(id, props) {
         switch (props.type) {
             case "organisation":
-                return new Organisation(id, props);
+                return new Organisation(App.getInstance(), id, props);
             case "platform":
                 return (scope) => new Platform(scope, id, props);
             case "account":

package/dist/lib/resources/aws/compute/lambda.d.ts

@@ -15,6 +15,17 @@ export interface LambdaFunctionProps {
     handler: string;
     lambdaDescription?: string;
     roleDescription?: string;
+    /**
+     * Fixed IAM path for the auto-generated execution role (e.g. "/fjall/").
+     * Used with roleName to produce an SCP-exemptable ARN.
+     */
+    rolePath?: string;
+    /**
+     * Fixed name for the auto-generated execution role. Account-global — only set
+     * on a Lambda confined to one (account, region) stack, else regional
+     * duplicates collide on the role name.
+     */
+    roleName?: string;
     runtime: Runtime;
     /** Lambda CPU architecture. Default: x86_64 */
     architecture?: Architecture;

package/dist/lib/resources/aws/compute/lambda.js

@@ -31,6 +31,24 @@ function applyRoleDescription(fn, description) {
     if (cfnRole !== undefined)
         cfnRole.description = description;
 }
+/**
+ * Pin a fixed IAM path and/or name onto CDK's auto-generated Lambda execution
+ * role. Reaches the L1 CfnRole (FunctionProps exposes neither) so a stable,
+ * predictable ARN can be matched by an SCP exemption pattern. A fixed name is
+ * account-global, so only set one on a Lambda that lives in a single
+ * (account, region) stack — never one duplicated across regions.
+ */
+function applyRolePathAndName(fn, rolePath, roleName) {
+    if (rolePath === undefined && roleName === undefined)
+        return;
+    const cfnRole = fn.role?.node.defaultChild;
+    if (cfnRole === undefined)
+        return;
+    if (rolePath !== undefined)
+        cfnRole.path = rolePath;
+    if (roleName !== undefined)
+        cfnRole.roleName = roleName;
+}
 /**
  * AWS Parameters and Secrets Lambda Extension configuration.
  * @see https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html
@@ -61,6 +79,7 @@ export class SingletonFunction extends singletonFunction {
         });
         addPoliciesToRole(this, props.inlinePolicy);
         applyRoleDescription(this, props.roleDescription);
+        applyRolePathAndName(this, props.rolePath, props.roleName);
     }
     /**
      * The Lambda's execution role (auto-generated by CDK)
@@ -91,6 +110,7 @@ export class LambdaFunction extends Function {
         });
         addPoliciesToRole(this, props.inlinePolicy);
         applyRoleDescription(this, props.roleDescription);
+        applyRolePathAndName(this, props.rolePath, props.roleName);
         this.addSecretsSupport(props.secrets, props.ssmSecretsPath, props.secretsImport, props.appName, props.functionName, props.architecture);
         // Sanitise id for CloudFormation output keys (must be alphanumeric)
         const outputName = toPascalCase(id);

package/dist/lib/resources/aws/utilities/customResource.d.ts

@@ -7,6 +7,10 @@ interface CustomResourceProps {
     runtime: Runtime;
     roleDescription?: string;
     lambdaDescription?: string;
+    /** Fixed IAM path for the handler's execution role (e.g. "/fjall/"). */
+    rolePath?: string;
+    /** Fixed name for the handler's execution role (account-global — see LambdaFunctionProps). */
+    roleName?: string;
     inlinePolicy: PolicyStatement[];
     properties?: {
         [key: string]: string;

package/dist/lib/resources/aws/utilities/customResource.js

@@ -39,6 +39,8 @@ export class CustomResource extends Construct {
                 timeout,
                 lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
                 roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
+                rolePath: props.rolePath,
+                roleName: props.roleName,
                 inlinePolicy: props.inlinePolicy
             })
             : new SingletonFunction(this, `${id}Lambda`, {
@@ -47,6 +49,8 @@ export class CustomResource extends Construct {
                 runtime: props.runtime,
                 lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
                 roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
+                rolePath: props.rolePath,
+                roleName: props.roleName,
                 inlinePolicy: props.inlinePolicy
             });
         const provider = new Provider(this, `${id}Provider`, {

package/dist/lib/utils/env.js

@@ -99,12 +99,12 @@ function getProviderAccountsFromContext() {
  */
 function resolveEnvironmentFromAccountId(accountId) {
     const accounts = getProviderAccountsFromContext();
-    return accounts.find((pa) => pa.id === accountId)?.environment;
+    return accounts.find((pa) => pa.id === accountId)?.environment ?? undefined;
 }
 /**
  * Look up environment from account name via orgConfig CDK context.
  */
 function resolveEnvironmentFromAccountName(accountName) {
     const accounts = getProviderAccountsFromContext();
-    return accounts.find((pa) => pa.name === accountName)?.environment;
+    return (accounts.find((pa) => pa.name === accountName)?.environment ?? undefined);
 }

package/dist/lib/utils/getConfig.js

@@ -63,7 +63,7 @@ export function getConfig(accountName) {
         if (providerAccount) {
             config.accountId = providerAccount.id;
             config.accountName = providerAccount.name;
-            config.environment = providerAccount.environment;
+            config.environment = providerAccount.environment ?? "unknown";
         }
     }
     // If we still don't have an account name - try to retrieve accountId from context
@@ -75,7 +75,7 @@ export function getConfig(accountName) {
             const providerAccount = providerAccounts.find((pa) => pa.id === accountId);
             if (providerAccount) {
                 config.accountName = providerAccount.name;
-                config.environment = providerAccount.environment;
+                config.environment = providerAccount.environment ?? "unknown";
             }
         }
     }

package/dist/lib/utils/orgConfigParser.js

@@ -1,4 +1,4 @@
-import { VAULT_LOCK_MODES } from "@fjall/util/config";
+import { VAULT_LOCK_MODES, S3_BPA_MODES } from "@fjall/util/config";
 import { maskSensitiveOutput } from "@fjall/util";
 import { FjallLogger } from "./validationLogger.js";
 /**
@@ -24,7 +24,10 @@ export function parseOrgConfig(raw) {
                 item !== null &&
                 typeof item.id === "string" &&
                 typeof item.name === "string" &&
-                typeof item.environment === "string" &&
+                // null environment (structural accounts) must survive — rejecting it drops the account at synth.
+                (typeof item.environment ===
+                    "string" ||
+                    item.environment === null) &&
                 (item.managed === undefined ||
                     typeof item.managed === "boolean") &&
                 (item.oidcRoleArn === undefined ||
@@ -32,6 +35,9 @@ export function parseOrgConfig(raw) {
                         "string") &&
                 (item.vaultLock === undefined ||
                     VAULT_LOCK_MODES.includes(item.vaultLock)) &&
+                (item.s3BlockPublicAccess ===
+                    undefined ||
+                    S3_BPA_MODES.includes(item.s3BlockPublicAccess)) &&
                 (item.acknowledgeImmutableVaultLock ===
                     undefined ||
                     typeof item

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.11.1",
+  "version": "2.12.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.11.1",
-    "@fjall/util": "^2.11.1",
+    "@fjall/generator": "^2.12.0",
+    "@fjall/util": "^2.12.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "69823c3d7f2eacba419657464381119c5b5b5fd6"
+  "gitHead": "dca39a47da956d3d94c689dd782fe285d711d25e"
 }