@fjall/components-infrastructure 2.5.0 → 2.7.0

package/dist/lib/patterns/aws/account.js

@@ -55,13 +55,20 @@ export class Account extends Stack {
         }
         const fjallOrgId = this.node.tryGetContext("fjallOrgId");
         const oidcAlreadyConfigured = this.node.tryGetContext("fjallOidcConfigured") === "true";
-        if (isStandaloneAccount && fjallOrgId && !oidcAlreadyConfigured) {
+        // True for non-home-region cascade stacks: the org-global IAM resources
+        // (OIDC provider/role, FjallMonitoring, FjallAudit) have fixed names that
+        // collide across regions, so they are created only in the home region.
+        const accountGlobalsConfigured = this.node.tryGetContext("fjallAccountGlobalsConfigured") === "true";
+        if (isStandaloneAccount &&
+            fjallOrgId &&
+            !oidcAlreadyConfigured &&
+            !accountGlobalsConfigured) {
             new OidcConnector(this, "OidcConnector", { fjallOrgId });
         }
-        // Per-account monitoring role (unconditional; ExternalId added when orgId known)
-        new AccountMonitoringRole(this, "MonitoringRole", fjallOrgId ? { fjallOrgId } : undefined);
-        // Per-account audit role (conditional on fjallOrgId)
-        if (fjallOrgId) {
+        if (!accountGlobalsConfigured) {
+            new AccountMonitoringRole(this, "MonitoringRole", fjallOrgId ? { fjallOrgId } : undefined);
+        }
+        if (fjallOrgId && !accountGlobalsConfigured) {
             new AccountAuditRole(this, "AuditRole", { fjallOrgId });
         }
         new ManagementEventsTrail(this, "CloudTrail", {

package/dist/lib/resources/aws/networking/ipamPool.js

@@ -6,6 +6,7 @@ import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { ResourceShare } from "../utilities/resourceShare.js";
 import { CustomResource } from "../utilities/customResource.js";
 import getAccountId from "../../../utils/getAccountId.js";
+import { accountConstructKey, findAccountNameCollision } from "../../../utils/capitaliseString.js";
 import { FjallLogger } from "../../../utils/validationLogger.js";
 const IPAM_TAGS = {
     OPERATIONS_POOL: "fjall:operations:pool",
@@ -21,6 +22,19 @@ export class IpamPool extends Construct {
         if (!regions || regions.length === 0) {
             throw new Error("At least one region must be specified for IPAM pools");
         }
+        // Reject name collisions here — the single convergence point all callers
+        // reach (Platform's props.accounts, IpamPoolStack, direct instantiation).
+        // Two names with the same construct key mint duplicate construct IDs and
+        // crash synth with a cryptic CDK message; an empty key has no construct
+        // identity. Scan the original (pre-lowercase) names so the message keeps
+        // the user's casing — findAccountNameCollision normalises internally.
+        const collision = findAccountNameCollision(props.orgAccounts);
+        if (collision) {
+            if (collision.kind === "empty-construct-key") {
+                throw new Error(`IpamPool: org account name "${collision.name}" normalises to an empty construct key — account names must contain at least one alphanumeric character`);
+            }
+            throw new Error(`IpamPool: org account names "${collision.existingName}" and "${collision.name}" collide on construct key "${collision.constructKey}" — account names must be unique ignoring case and separators`);
+        }
         const organisationAccounts = props.orgAccounts.map((account) => account.toLowerCase());
         // Determine the child-pool CIDR size (defaults to /20)
         const defaultNetmaskLength = props.allocationDefaultNetmaskLength ?? 20;
@@ -107,7 +121,10 @@ export class IpamPool extends Construct {
             let previousAccountCidr;
             for (const account of organisationAccounts) {
                 const accountId = getAccountId(account);
-                const ipamPool = new IpamPoolClass(this, `${account}IpamPool${regionSuffix}`, {
+                // Construct IDs only: strips separators so case/format variants can't mint
+                // distinct constructs. `account` still feeds tags, descriptions, physical names.
+                const constructKey = accountConstructKey(account);
+                const ipamPool = new IpamPoolClass(this, `${constructKey}IpamPool${regionSuffix}`, {
                     description: `${account} - IPAM pool - ${region}`,
                     addressFamily: "ipv4",
                     ipamScopeId,
@@ -138,14 +155,14 @@ export class IpamPool extends Construct {
                 if (previousAccountCidr) {
                     ipamPool.addDependency(previousAccountCidr);
                 }
-                const cidrAllocation = new CfnIPAMPoolCidr(this, `${account}PoolCidr${provisionedNetmaskLength}${regionSuffix}`, {
+                const cidrAllocation = new CfnIPAMPoolCidr(this, `${constructKey}PoolCidr${provisionedNetmaskLength}${regionSuffix}`, {
                     ipamPoolId: ipamPool.attrIpamPoolId,
                     netmaskLength: provisionedNetmaskLength
                 });
                 previousAccountCidr = cidrAllocation;
                 // On stack deletion, VPC allocations (not managed by CloudFormation)
                 // block CIDR deprovisioning. This custom resource releases them first.
-                const allocationCleanup = new CustomResource(this, `${account}IpamCleanup${regionSuffix}`, {
+                const allocationCleanup = new CustomResource(this, `${constructKey}IpamCleanup${regionSuffix}`, {
                     runtime: Runtime.NODEJS_22_X,
                     timeout: Duration.minutes(5),
                     lambdaDescription: `${account} IPAM pool allocation cleanup - ${region}`,
@@ -204,7 +221,7 @@ exports.handler = async (event) => {
                 });
                 allocationCleanup.node.addDependency(cidrAllocation);
                 // Share the pool with the target account so that VPCs can allocate
-                const share = new ResourceShare(this, `${account}IpamResourceShare${regionSuffix}`, {
+                const share = new ResourceShare(this, `${constructKey}IpamResourceShare${regionSuffix}`, {
                     name: `${account}IpamResourceShare.${region}`,
                     allowExternalPrincipals: false,
                     principals: [accountId],

package/dist/lib/resources/aws/networking/vpc.js

@@ -215,13 +215,18 @@ export class Vpc extends ec2.Vpc {
         }
     }
     static ipAddresses(scope, id, props) {
-        if (!props?.accountId || !props?.ipv4IpamPoolId) {
+        // A non-empty pool id is the SOLE signal of IPAM intent: do NOT gate on
+        // accountId (awsIpamAllocation never consumes it), or an IPAM-intended VPC
+        // whose ambient accountId failed to resolve silently takes CDK's default
+        // 10.0.0.0/16 and collides with its org siblings. No pool id = standalone.
+        const poolId = props?.ipv4IpamPoolId;
+        if (poolId === undefined || poolId === "") {
             return undefined;
         }
-        const vpcCidrMask = props.vpcCidrMask ?? 20;
-        const subnetCidrMask = props.subnetCidrMask ?? 23;
+        const vpcCidrMask = props?.vpcCidrMask ?? 20;
+        const subnetCidrMask = props?.subnetCidrMask ?? 23;
         return ec2.IpAddresses.awsIpamAllocation({
-            ipv4IpamPoolId: props.ipv4IpamPoolId,
+            ipv4IpamPoolId: poolId,
             ipv4NetmaskLength: vpcCidrMask,
             defaultSubnetIpv4NetmaskLength: subnetCidrMask
         });

package/dist/lib/utils/capitaliseString.d.ts

@@ -1 +1 @@
-export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName } from "@fjall/util";
+export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName, accountConstructKey, findAccountNameCollision, type AccountNameCollision } from "@fjall/util";

package/dist/lib/utils/capitaliseString.js

@@ -1 +1 @@
-export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName } from "@fjall/util";
+export { capitalise as capitaliseString, toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, getSafeZoneName, accountConstructKey, findAccountNameCollision } from "@fjall/util";

package/dist/lib/utils/getAccountId.d.ts

@@ -1 +1,15 @@
-export default function getAccountId(environment: string): string;
+/**
+ * Resolve an account name to its AWS account ID via the org config's
+ * name→id map. Matched via `accountConstructKey` (case-insensitive, strips
+ * separators too), because provider account names arrive verbatim from AWS
+ * Organizations (TitleCase) through reconciliation while callers (e.g. IpamPool)
+ * normalise them for construct-ID safety. Matching case-sensitively here would
+ * miss every account and silently fall back to the ambient context accountId —
+ * producing colliding `IpamPoolId<accountId>` outputs. Collisions across config
+ * names are rejected upstream in getConfig, so the normalised key is unambiguous.
+ *
+ * Throws on no-match rather than returning a sentinel: an unresolvable account
+ * named in the org config is a configuration error, and a sentinel id would
+ * itself collide across multiple unresolved names.
+ */
+export default function getAccountId(accountName: string): string;

package/dist/lib/utils/getAccountId.js

@@ -1,9 +1,26 @@
 import { getConfig } from "./getConfig.js";
-export default function getAccountId(environment) {
-    //TODO: in the use cases of getAccountId, we are currently passing in accountName
-    const config = getConfig(environment);
-    // TODO: need to fix how we handle this in the VPC module
-    if (!config || !config.accountId)
-        return "error";
-    return config.accountId;
+import { accountConstructKey } from "./capitaliseString.js";
+/**
+ * Resolve an account name to its AWS account ID via the org config's
+ * name→id map. Matched via `accountConstructKey` (case-insensitive, strips
+ * separators too), because provider account names arrive verbatim from AWS
+ * Organizations (TitleCase) through reconciliation while callers (e.g. IpamPool)
+ * normalise them for construct-ID safety. Matching case-sensitively here would
+ * miss every account and silently fall back to the ambient context accountId —
+ * producing colliding `IpamPoolId<accountId>` outputs. Collisions across config
+ * names are rejected upstream in getConfig, so the normalised key is unambiguous.
+ *
+ * Throws on no-match rather than returning a sentinel: an unresolvable account
+ * named in the org config is a configuration error, and a sentinel id would
+ * itself collide across multiple unresolved names.
+ */
+export default function getAccountId(accountName) {
+    const config = getConfig();
+    const target = accountConstructKey(accountName);
+    for (const [name, id] of Object.entries(config.accountIds ?? {})) {
+        if (accountConstructKey(name) === target)
+            return id;
+    }
+    const known = Object.keys(config.accountIds ?? {}).join(", ") || "(none)";
+    throw new Error(`getAccountId: no provider account named "${accountName}" in org config — known accounts: ${known}`);
 }

package/dist/lib/utils/getConfig.js

@@ -1,5 +1,6 @@
 import App from "../app.js";
 import { parseOrgConfig } from "./orgConfigParser.js";
+import { findAccountNameCollision } from "./capitaliseString.js";
 import { FjallLogger } from "./validationLogger.js";
 export function getConfig(accountName) {
     const app = App.getInstance();
@@ -32,6 +33,16 @@ export function getConfig(accountName) {
     if (config.disasterRecoveryRegion)
         regions.add(config.disasterRecoveryRegion);
     config.allRegions = [...regions];
+    // Reject name collisions here, before synth turns them into a cryptic
+    // duplicate-construct-ID crash. Two names with the same construct key are the
+    // same account; an empty key has no construct identity.
+    const collision = findAccountNameCollision(providerAccounts.map((pa) => pa.name));
+    if (collision) {
+        if (collision.kind === "empty-construct-key") {
+            throw new Error(`getConfig: provider account name "${collision.name}" normalises to an empty construct key — account names must contain at least one alphanumeric character`);
+        }
+        throw new Error(`getConfig: provider account names "${collision.existingName}" and "${collision.name}" collide on construct key "${collision.constructKey}" — account names must be unique ignoring case and separators`);
+    }
     // Build account IDs map from provider accounts (name → id)
     if (providerAccounts.length > 0) {
         config.accountIds = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.5.0",
+  "version": "2.7.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.5.0",
-    "@fjall/util": "^2.5.0",
+    "@fjall/generator": "^2.7.0",
+    "@fjall/util": "^2.7.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "5c8f0e004f5520c692f2ee2063c3558c2451f2cf"
+  "gitHead": "cfcfbb9f546974d62756e257fce012f629db79ce"
 }