@fjall/components-infrastructure 2.14.0 → 2.16.0

package/dist/lib/config/aws/scpPreset.js

@@ -32,6 +32,12 @@ function buildFoundationGuardrails(allowedRegions) {
                 // Deny + NotAction denies everything except the policy-management
                 // scopes a root-task unlock session needs; the AWS root-task policies
                 // constrain those sessions further.
+                // iam:CreateLoginProfile/GetLoginProfile (root-credential recovery on
+                // assume-root sessions) are deliberately NOT carved out — recovery on
+                // this tier is a break-glass SCP detach, not a standing carve-out. Do
+                // not add them without revisiting the decision:
+                // aiDocs/troubleshooting/centralised-root-access-break-glass-runbook.md
+                // § Scenario 3.
                 NotAction: [
                     "s3:GetBucketPolicy",
                     "s3:PutBucketPolicy",
@@ -214,6 +220,9 @@ function buildEncryptionAndAccess() {
             {
                 Sid: "DenyIamUserCreation",
                 Effect: "Deny",
+                // Also blocks iam:CreateLoginProfile for assume-root recovery
+                // sessions (they match none of EXEMPT_ROLE_PATTERNS) — deliberate;
+                // see the DenyRootUserActions note + break-glass runbook § Scenario 3.
                 Action: [
                     "iam:CreateUser",
                     "iam:CreateAccessKey",

package/dist/lib/patterns/aws/storage.d.ts

@@ -2,12 +2,12 @@ import { Construct } from "constructs";
 import { type IBucket, type EventType, type IBucketNotificationDestination, type NotificationKeyFilter } from "aws-cdk-lib/aws-s3";
 import { type IGrantable, type Grant } from "aws-cdk-lib/aws-iam";
 import type App from "../../app.js";
-import { BucketDeployment, type WebsiteHostingConfig } from "../../resources/aws/storage/index.js";
+import { BucketDeployment, type ResourcePolicyStatement, type WebsiteHostingConfig } from "../../resources/aws/storage/index.js";
 import { type BackupTier } from "../../utils/backupTierMapping.js";
 import { type IStorage } from "./interfaces/storage.js";
 import { type IStorageConnector } from "./interfaces/connector.js";
 export { type IStorage, isStorage } from "./interfaces/storage.js";
-export { type WebsiteHostingConfig } from "../../resources/aws/storage/index.js";
+export { type ResourcePolicyStatement, type WebsiteHostingConfig } from "../../resources/aws/storage/index.js";
 export interface CorsRule {
     readonly allowedOrigins: string[];
     readonly allowedMethods: string[];
@@ -40,6 +40,8 @@ export interface S3Props {
     readonly deployment?: S3DeploymentConfig;
     /** When true, sets RemovalPolicy.RETAIN (overriding the env-aware default). Used for imported buckets. */
     readonly retain?: boolean;
+    /** Declarative bucket-policy statements appended to the bucket's resource policy. */
+    readonly resourcePolicyStatements?: ResourcePolicyStatement[];
 }
 export interface StorageBuildProps extends S3Props {
     readonly stackPlacement?: "storage" | "cdn" | "compute";

package/dist/lib/patterns/aws/storage.js

@@ -66,6 +66,7 @@ export class Storage extends Construct {
             backupVaultTier: props.backupVaultTier,
             publicReadAccess: props.publicReadAccess,
             websiteHosting: props.websiteHosting,
+            resourcePolicyStatements: props.resourcePolicyStatements,
             ...(props.cors && { cors: toCorsRules(props.cors) }),
             ...(props.retain && { removalPolicy: RemovalPolicy.RETAIN })
         });

package/dist/lib/resources/aws/compute/ecsImages.js

@@ -1,14 +1,14 @@
 import { CfnParameter, Stack } from "aws-cdk-lib";
 import { ContainerImage } from "aws-cdk-lib/aws-ecs";
 import { Repository } from "aws-cdk-lib/aws-ecr";
+import { imageTagParameterName } from "@fjall/util";
 import { DEFAULT_ECS_FALLBACK_IMAGE } from "./ecsConstants.js";
-import { toPascalCase } from "../../../utils/capitaliseString.js";
 function buildImageTagDescription(serviceName) {
     return `Image tag for ECS service ${serviceName}. Set by fjall deploy to the content-hash tag.`;
 }
 function getOrCreateImageTagParameter(ctx, serviceName) {
     const stack = Stack.of(ctx.scope);
-    const paramLogicalId = `${toPascalCase(serviceName)}ImageTag`;
+    const paramLogicalId = imageTagParameterName(serviceName);
     const description = buildImageTagDescription(serviceName);
     const existing = stack.node.tryFindChild(paramLogicalId);
     if (existing instanceof CfnParameter) {

package/dist/lib/resources/aws/networking/hostedZone.js

@@ -5,6 +5,7 @@ import { getDomainExportNames } from "@fjall/util";
 import { toPascalCase, getSafeZoneName } from "../../../utils/capitaliseString.js";
 import { DelegationRole } from "../iam/delegationRole.js";
 import { applyCostAllocationTags } from "../../../utils/costAllocationTags.js";
+import { resolveOrgId } from "../../../utils/cdkContext.js";
 export class HostedZoneFactory {
     static import(stack, hostedZoneId, zoneName, opts) {
         const safeZone = toPascalCase(getSafeZoneName(zoneName));
@@ -49,7 +50,17 @@ export class HostedZone extends Construct {
                 value: Fn.join(",", created.hostedZoneNameServers ?? []),
                 exportName: exportNames.nameservers
             });
-            if (props.createDelegationRole !== false) {
+            // Org-gate: a single account has no OrganisationId export, so an org-trusting
+            // delegation role would leave an unresolved Fn::ImportValue and roll the stack
+            // back. Default follows org presence; explicit `true` opts in (and fails fast).
+            const inOrganisation = resolveOrgId(this.node) !== undefined;
+            if (props.createDelegationRole === true && !inOrganisation) {
+                throw new Error(`HostedZone "${props.zoneName}": createDelegationRole was requested but ` +
+                    `this account is not part of an AWS Organization (no "orgId" context). ` +
+                    `Cross-account DNS delegation requires an organisation — omit ` +
+                    `createDelegationRole for single-account setups, or connect an organisation.`);
+            }
+            if (props.createDelegationRole ?? inOrganisation) {
                 this.delegationRole = new DelegationRole(this, `${safeZone}DelegationRole`, {
                     zoneName: props.zoneName,
                     hostedZone: created,

package/dist/lib/resources/aws/storage/s3.d.ts

@@ -6,6 +6,25 @@ export interface WebsiteHostingConfig {
     readonly indexDocument: string;
     readonly errorDocument?: string;
 }
+/**
+ * A single bucket-policy statement expressed declaratively. {@link S3Bucket}
+ * turns each entry into an `addToResourcePolicy` call at synth.
+ *
+ * Principals are either `"*"` (anonymous / public) or an IAM ARN (account root,
+ * role, or user). Service and Federated principals are not yet modelled — a
+ * remediation that meets one must fall back to report-only rather than dropping
+ * it silently. Mirrors the codemod's `S3ResourcePlanSchema.resourcePolicyStatements`
+ * in `@fjall/generator` — the two shapes must move together.
+ */
+export interface ResourcePolicyStatement {
+    readonly sid?: string;
+    readonly effect: "Allow" | "Deny";
+    readonly principals: string[];
+    readonly actions: string[];
+    /** Defaults to the bucket itself and its objects when omitted. */
+    readonly resources?: string[];
+    readonly conditions?: Record<string, Record<string, string | string[]>>;
+}
 /**
  * Props for {@link S3Bucket}.
  *
@@ -17,6 +36,12 @@ export interface S3BucketProps extends BucketProps {
     backupVaultTier?: BackupTier;
     publicReadAccess?: boolean;
     websiteHosting?: WebsiteHostingConfig;
+    /**
+     * Declarative bucket-policy statements, each appended via
+     * `addToResourcePolicy`. The TLS-only `enforceSSL` deny is always applied
+     * separately and must NOT be listed here.
+     */
+    resourcePolicyStatements?: ResourcePolicyStatement[];
 }
 export declare class S3Bucket extends Bucket {
     readonly backupVaultTier?: BackupTier;

package/dist/lib/resources/aws/storage/s3.js

@@ -1,6 +1,7 @@
 import { SDK_PRE_EMPTY_TAG_KEY } from "@fjall/util/aws";
 import { Annotations, CfnOutput, Duration, RemovalPolicy, Tags } from "aws-cdk-lib";
 import { BlockPublicAccess, Bucket } from "aws-cdk-lib/aws-s3";
+import { ArnPrincipal, Effect, PolicyStatement, StarPrincipal } from "aws-cdk-lib/aws-iam";
 import { RegionInfo } from "aws-cdk-lib/region-info";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
 import { envAwareRemovalPolicyDefault, toRemovalPolicy } from "../../../utils/removalPolicy.js";
@@ -8,10 +9,15 @@ export { SDK_PRE_EMPTY_TAG_KEY } from "@fjall/util/aws";
 function shouldAutoVersion(tier) {
     return tier === "resilient" || tier === "enterprise";
 }
+function toResourcePolicyPrincipal(identifier) {
+    return identifier === "*"
+        ? new StarPrincipal()
+        : new ArnPrincipal(identifier);
+}
 export class S3Bucket extends Bucket {
     backupVaultTier;
     constructor(scope, id, props = {}) {
-        const { websiteHosting, backupVaultTier, ...cdkProps } = props;
+        const { websiteHosting, backupVaultTier, resourcePolicyStatements, ...cdkProps } = props;
         const isPublic = props.publicReadAccess === true || websiteHosting !== undefined;
         const versioned = props.versioned ?? shouldAutoVersion(backupVaultTier);
         const removalPolicy = props.removalPolicy ?? toRemovalPolicy(envAwareRemovalPolicyDefault());
@@ -42,6 +48,21 @@ export class S3Bucket extends Bucket {
                 : props.lifecycleRules
         });
         this.backupVaultTier = backupVaultTier;
+        for (const statement of resourcePolicyStatements ?? []) {
+            this.addToResourcePolicy(new PolicyStatement({
+                ...(statement.sid !== undefined && { sid: statement.sid }),
+                effect: statement.effect === "Deny" ? Effect.DENY : Effect.ALLOW,
+                principals: statement.principals.map(toResourcePolicyPrincipal),
+                actions: statement.actions,
+                resources: statement.resources ?? [
+                    this.bucketArn,
+                    this.arnForObjects("*")
+                ],
+                ...(statement.conditions !== undefined && {
+                    conditions: statement.conditions
+                })
+            }));
+        }
         if (props.autoDeleteObjects === true) {
             Annotations.of(this).addWarningV2("@fjall/components-infrastructure:s3:autoDeleteObjectsIgnored", "autoDeleteObjects: true is ignored — the CDK auto-delete custom " +
                 "resource is retired (ADR D4.3). DESTROY buckets are emptied " +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.14.0",
+  "version": "2.16.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.14.0",
-    "@fjall/util": "^2.14.0",
+    "@fjall/generator": "^2.16.0",
+    "@fjall/util": "^2.16.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "ce434478f9e3d5e5ccf979c152a237c81e4acee5"
+  "gitHead": "2383b19f1e7db980ae603a6c75dca2c61b7a1d42"
 }