@fjall/components-infrastructure 2.12.0 → 2.14.0

package/dist/lib/utils/orgConfigParser.d.ts

@@ -5,6 +5,16 @@ export interface ParsedOrgConfig {
     secondaryRegions: string[];
     disasterRecoveryRegion?: string;
 }
+/**
+ * Resolve a provider account's synth-time environment. The tier/stage
+ * separation (decisions/2026-06-07-account-tier-vs-stage-separation.md) nulls
+ * the wire `environment` for organisation-tier accounts, but scaffolded org
+ * entry points gate on `config.environment === "root"` — decode the tier back
+ * to the historical "root" marker via the sanctioned `accountTier()` decoder.
+ * Workload stages pass through verbatim; a null stage on any other tier stays
+ * unresolved (callers fall back to "unknown").
+ */
+export declare function resolveSynthEnvironment(account: Pick<ProviderAccount, "environment" | "tier">): string | undefined;
 /**
  * Parse orgConfig JSON from CDK context into a validated structure.
  *

package/dist/lib/utils/orgConfigParser.js

@@ -1,6 +1,46 @@
 import { VAULT_LOCK_MODES, S3_BPA_MODES } from "@fjall/util/config";
-import { maskSensitiveOutput } from "@fjall/util";
+import { ACCOUNT_TIERS, STRUCTURAL_ENVIRONMENTS, accountTier, maskSensitiveOutput } from "@fjall/util";
 import { FjallLogger } from "./validationLogger.js";
+function isProviderAccount(item) {
+    if (typeof item !== "object" || item === null)
+        return false;
+    const rec = item;
+    return (typeof rec.id === "string" &&
+        typeof rec.name === "string" &&
+        // null environment (structural accounts) must survive — rejecting it drops the account at synth.
+        (typeof rec.environment === "string" || rec.environment === null) &&
+        (rec.tier === undefined || ACCOUNT_TIERS.includes(rec.tier)) &&
+        (rec.managed === undefined || typeof rec.managed === "boolean") &&
+        (rec.oidcRoleArn === undefined || typeof rec.oidcRoleArn === "string") &&
+        (rec.vaultLock === undefined ||
+            VAULT_LOCK_MODES.includes(rec.vaultLock)) &&
+        (rec.s3BlockPublicAccess === undefined ||
+            S3_BPA_MODES.includes(rec.s3BlockPublicAccess)) &&
+        (rec.acknowledgeImmutableVaultLock === undefined ||
+            typeof rec.acknowledgeImmutableVaultLock === "boolean"));
+}
+/**
+ * Resolve a provider account's synth-time environment. The tier/stage
+ * separation (decisions/2026-06-07-account-tier-vs-stage-separation.md) nulls
+ * the wire `environment` for organisation-tier accounts, but scaffolded org
+ * entry points gate on `config.environment === "root"` — decode the tier back
+ * to the historical "root" marker via the sanctioned `accountTier()` decoder.
+ * Workload stages pass through verbatim; a null stage on any other tier stays
+ * unresolved (callers fall back to "unknown").
+ */
+export function resolveSynthEnvironment(account) {
+    if (accountTier(account) === "organisation") {
+        return STRUCTURAL_ENVIRONMENTS.ROOT;
+    }
+    return account.environment ?? undefined;
+}
+function describeRejectedAccount(item) {
+    if (typeof item !== "object" || item === null)
+        return "<unidentifiable>";
+    const rec = item;
+    const parts = [rec.id, rec.name].filter((v) => typeof v === "string");
+    return parts.length > 0 ? parts.join(" / ") : "<unidentifiable>";
+}
 /**
  * Parse orgConfig JSON from CDK context into a validated structure.
  *
@@ -20,28 +60,12 @@ export function parseOrgConfig(raw) {
             return empty;
         const obj = parsed;
         const providerAccounts = Array.isArray(obj.providerAccounts)
-            ? obj.providerAccounts.filter((item) => typeof item === "object" &&
-                item !== null &&
-                typeof item.id === "string" &&
-                typeof item.name === "string" &&
-                // null environment (structural accounts) must survive — rejecting it drops the account at synth.
-                (typeof item.environment ===
-                    "string" ||
-                    item.environment === null) &&
-                (item.managed === undefined ||
-                    typeof item.managed === "boolean") &&
-                (item.oidcRoleArn === undefined ||
-                    typeof item.oidcRoleArn ===
-                        "string") &&
-                (item.vaultLock === undefined ||
-                    VAULT_LOCK_MODES.includes(item.vaultLock)) &&
-                (item.s3BlockPublicAccess ===
-                    undefined ||
-                    S3_BPA_MODES.includes(item.s3BlockPublicAccess)) &&
-                (item.acknowledgeImmutableVaultLock ===
-                    undefined ||
-                    typeof item
-                        .acknowledgeImmutableVaultLock === "boolean"))
+            ? obj.providerAccounts.filter((item) => {
+                if (isProviderAccount(item))
+                    return true;
+                FjallLogger.warn(`[fjall] Ignoring malformed provider account in orgConfig context: ${describeRejectedAccount(item)}`);
+                return false;
+            })
             : [];
         const primaryRegion = typeof obj.primaryRegion === "string" ? obj.primaryRegion : undefined;
         const secondaryRegions = Array.isArray(obj.secondaryRegions)

package/dist/lib/utils/removalPolicy.d.ts

@@ -1,2 +1,17 @@
 import { RemovalPolicy } from "aws-cdk-lib";
 export declare function toRemovalPolicy(value?: "DESTROY" | "RETAIN" | "SNAPSHOT"): RemovalPolicy;
+/**
+ * Resolve the env-aware removal-policy default (D17): production → RETAIN,
+ * every other recognised environment → DESTROY.
+ *
+ * Unlike the generic `env()` resolver (where unrecognised → default is
+ * benign), an unrecognised value here throws at synth: silently landing a
+ * typo like `ENVIRONMENT=prod` on DESTROY deletes data when the stack is
+ * deleted. The accept-set derives from `ACCOUNT_STAGES_WITH_ROOT` so a new
+ * stage added in `@fjall/util` widens it automatically. The no-signal
+ * sentinel keeps the historical warn-and-DESTROY behaviour — raw `cdk synth`
+ * without context and null-stage cascade synths rely on it. An explicitly
+ * supplied `ENVIRONMENT=unknown` collides with the sentinel string and would
+ * otherwise ride the silent-DESTROY path, so it is treated as unrecognised.
+ */
+export declare function envAwareRemovalPolicyDefault(): "DESTROY" | "RETAIN";

package/dist/lib/utils/removalPolicy.js

@@ -1,4 +1,6 @@
+import { ACCOUNT_STAGES_WITH_ROOT } from "@fjall/util";
 import { RemovalPolicy } from "aws-cdk-lib";
+import { getEnvironment, hasExplicitEnvironmentSignal, UNKNOWN_ENVIRONMENT } from "./env.js";
 export function toRemovalPolicy(value) {
     switch (value) {
         case "DESTROY":
@@ -10,3 +12,33 @@ export function toRemovalPolicy(value) {
             return RemovalPolicy.RETAIN;
     }
 }
+const REMOVAL_DEFAULT_ENVIRONMENTS = new Set(ACCOUNT_STAGES_WITH_ROOT);
+/**
+ * Resolve the env-aware removal-policy default (D17): production → RETAIN,
+ * every other recognised environment → DESTROY.
+ *
+ * Unlike the generic `env()` resolver (where unrecognised → default is
+ * benign), an unrecognised value here throws at synth: silently landing a
+ * typo like `ENVIRONMENT=prod` on DESTROY deletes data when the stack is
+ * deleted. The accept-set derives from `ACCOUNT_STAGES_WITH_ROOT` so a new
+ * stage added in `@fjall/util` widens it automatically. The no-signal
+ * sentinel keeps the historical warn-and-DESTROY behaviour — raw `cdk synth`
+ * without context and null-stage cascade synths rely on it. An explicitly
+ * supplied `ENVIRONMENT=unknown` collides with the sentinel string and would
+ * otherwise ride the silent-DESTROY path, so it is treated as unrecognised.
+ */
+export function envAwareRemovalPolicyDefault() {
+    const environment = getEnvironment();
+    if (environment === UNKNOWN_ENVIRONMENT && !hasExplicitEnvironmentSignal()) {
+        return "DESTROY";
+    }
+    if (!REMOVAL_DEFAULT_ENVIRONMENTS.has(environment)) {
+        throw new Error(`Unrecognised environment "${environment}" — refusing to resolve the ` +
+            `env-aware removal-policy default (non-production environments ` +
+            `default to DESTROY, which deletes data when the stack is deleted). ` +
+            `Valid values: ${ACCOUNT_STAGES_WITH_ROOT.join(", ")}. ` +
+            `Set ENVIRONMENT or pass -c environment=<value>, or set an explicit ` +
+            `removalPolicy on the construct.`);
+    }
+    return environment === "production" ? "RETAIN" : "DESTROY";
+}

package/dist/lib/utils/standardTagsAspect.js

@@ -1,5 +1,6 @@
 import { CfnResource, Stack, Tags } from "aws-cdk-lib";
 import { BACKUP_TIER_TAG_KEY, BACKUP_TIER_TAG_MAP } from "./backupTierMapping.js";
+import { formatIpamPairTagValue, IPAM_OPERATIONS_POOL_TAG_KEY } from "@fjall/util/aws";
 /**
  * Aspect to apply special Fjall tags to specific resource types.
  *
@@ -49,7 +50,7 @@ export class StandardTagsAspect {
             process.env.CDK_DEFAULT_ACCOUNT;
         const region = stack.region || process.env.CDK_DEFAULT_REGION;
         if (accountId && region) {
-            Tags.of(vpc).add("fjall:operations:pool", `${accountId}-${region}`);
+            Tags.of(vpc).add(IPAM_OPERATIONS_POOL_TAG_KEY, formatIpamPairTagValue(accountId, region));
         }
     }
     /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.12.0",
+  "version": "2.14.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.12.0",
-    "@fjall/util": "^2.12.0",
+    "@fjall/generator": "^2.14.0",
+    "@fjall/util": "^2.14.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "dca39a47da956d3d94c689dd782fe285d711d25e"
+  "gitHead": "ce434478f9e3d5e5ccf979c152a237c81e4acee5"
 }