@fjall/components-infrastructure 2.9.1 → 2.11.1

package/dist/lib/config/aws/disasterRecovery.js

@@ -54,14 +54,33 @@ export class DisasterRecovery extends Construct {
         const disasterRecoveryVaultArn = disasterRecoveryAccount && disasterRecoveryRegion
             ? `arn:aws:backup:${disasterRecoveryRegion}:${disasterRecoveryAccount.id}:backup-vault:${BACKUP_VAULT_NAME}`
             : undefined;
-        // Compliance accounts get vault locks for protection
-        const lockConfiguration = isComplianceAccount
+        // Compliance accounts default to governance (removable), NOT the
+        // permanently-immutable compliance lock. See
+        // decisions/2026-06-03-backup-vault-lock-mode-by-intent.md.
+        const vaultLock = account?.vaultLock ?? (isComplianceAccount ? "governance" : "none");
+        // Adopt-mode references an already-locked vault and applies no lock config,
+        // so it is exempt from the acknowledgement gate.
+        if (!adoptExistingVault &&
+            vaultLock === "compliance" &&
+            account?.acknowledgeImmutableVaultLock !== true) {
+            throw new Error(`Account "${account?.name ?? props.accountId}" requests vaultLock: ` +
+                `"compliance" (a permanently immutable backup vault) without ` +
+                `acknowledgeImmutableVaultLock: true. After a 3-day cooling-off a ` +
+                `compliance lock cannot be removed by anyone, including AWS or the ` +
+                `root user. Set the acknowledgement explicitly to proceed.`);
+        }
+        const lockConfiguration = vaultLock === "compliance"
             ? {
                 minRetention: VAULT_LOCK.MIN_RETENTION,
                 maxRetention: VAULT_LOCK.MAX_RETENTION,
                 changeableFor: VAULT_LOCK.GRACE_PERIOD
             }
-            : undefined;
+            : vaultLock === "governance"
+                ? {
+                    minRetention: VAULT_LOCK.MIN_RETENTION,
+                    maxRetention: VAULT_LOCK.MAX_RETENTION
+                }
+                : undefined;
         if (adoptExistingVault) {
             this.vaultRef = Vault.fromBackupVaultName(this, "BackupVault", BACKUP_VAULT_NAME);
         }
@@ -138,7 +157,7 @@ export class DisasterRecovery extends Construct {
                 exportName: `${id}ReplicationRegion`
             });
         }
-        if (isComplianceAccount) {
+        if (vaultLock !== "none") {
             new CfnOutput(this, "VaultLockEnabled", {
                 key: "VaultLockEnabled",
                 value: "true",

package/dist/lib/config/aws/ecrDefaultImage.js

@@ -2,7 +2,7 @@ import { Construct } from "constructs";
 import { CodeBuildProject } from "../../resources/aws/utilities/codeBuild.js";
 import { BuildSpec } from "aws-cdk-lib/aws-codebuild";
 import { LogGroup } from "../../resources/aws/logging/logGroup.js";
-import { RemovalPolicy } from "aws-cdk-lib";
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
 import { Role } from "../../resources/aws/iam/role.js";
 import { PolicyDocument, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { EventBusMessaging, EventField } from "../../patterns/aws/messaging.js";
@@ -35,7 +35,7 @@ export class EcrDefaultImage extends Construct {
                                 "ecr:PutImage"
                             ],
                             resources: [
-                                `arn:aws:ecr:${props.region}:${props.accountId}:repository/*`
+                                `arn:${Stack.of(this).partition}:ecr:${props.region}:${props.accountId}:repository/*`
                             ]
                         })
                     ]

package/dist/lib/patterns/aws/account.d.ts

@@ -19,6 +19,14 @@ export declare class Account extends Stack {
     readonly organisationType: OrganisationType;
     protected readonly resolvedRegion: string;
     constructor(scope: Construct, id: string, props: AccountProps);
+    /**
+     * Whether this account receives the OIDC deploy connector (provider +
+     * FjallDeploy role) and so can be a deploy target. Standalone/member accounts
+     * do; Platform overrides to opt in. Deliberately separate from the
+     * IPAM-output gate (which stays `this.constructor === Account`) — the two are
+     * independent, and Platform must take one but not the other.
+     */
+    protected receivesDeployRole(): boolean;
     enableGuardDuty(props?: GuardDutyDetectorProps): GuardDutyDetector;
     enableSecurityHub(props?: SecurityHubHubProps): SecurityHubHub;
     enableConfigRecorder(props?: ConfigRecorderProps): ConfigRecorder;

package/dist/lib/patterns/aws/account.js

@@ -59,7 +59,7 @@ export class Account extends Stack {
         // (OIDC provider/role, FjallMonitoring, FjallAudit) have fixed names that
         // collide across regions, so they are created only in the home region.
         const accountGlobalsConfigured = this.node.tryGetContext("fjallAccountGlobalsConfigured") === "true";
-        if (isStandaloneAccount &&
+        if (this.receivesDeployRole() &&
             fjallOrgId &&
             !oidcAlreadyConfigured &&
             !accountGlobalsConfigured) {
@@ -98,6 +98,16 @@ export class Account extends Stack {
         new S3BlockPublicAccess(this, "S3BlockPublicAccess");
         new EbsDefaultEncryption(this, "EbsDefaultEncryption");
     }
+    /**
+     * Whether this account receives the OIDC deploy connector (provider +
+     * FjallDeploy role) and so can be a deploy target. Standalone/member accounts
+     * do; Platform overrides to opt in. Deliberately separate from the
+     * IPAM-output gate (which stays `this.constructor === Account`) — the two are
+     * independent, and Platform must take one but not the other.
+     */
+    receivesDeployRole() {
+        return this.constructor === Account;
+    }
     enableGuardDuty(props) {
         return new GuardDutyDetector(this, "GuardDuty", props);
     }

package/dist/lib/patterns/aws/buildkite.js

@@ -130,7 +130,7 @@ export class Buildkite extends Stack {
                         new PolicyStatement({
                             actions: ["ssm:GetParameter"],
                             resources: [
-                                `arn:aws:ssm:${props.env?.region}:${props.env?.account}:parameter${agentToken.name}`
+                                `arn:${this.partition}:ssm:${this.region}:${this.account}:parameter${agentToken.name}`
                             ]
                         })
                     ]

package/dist/lib/patterns/aws/clickhouseDatabase.js

@@ -498,6 +498,7 @@ export class ClickHouseDatabase extends Construct {
         ].join("\n");
         const region = Stack.of(this).region;
         const account = Stack.of(this).account;
+        const partition = Stack.of(this).partition;
         const reloadParameters = {
             DocumentName: "AWS-RunShellScript",
             Targets: [
@@ -528,13 +529,15 @@ export class ClickHouseDatabase extends Construct {
             policy: AwsCustomResourcePolicy.fromStatements([
                 new PolicyStatement({
                     actions: ["ssm:SendCommand"],
-                    resources: [`arn:aws:ssm:${region}::document/AWS-RunShellScript`]
+                    resources: [
+                        `arn:${partition}:ssm:${region}::document/AWS-RunShellScript`
+                    ]
                 }),
                 // Keep this statement separate — merging into the document statement
                 // would drop the tag condition (IAM conditions are per-statement).
                 new PolicyStatement({
                     actions: ["ssm:SendCommand"],
-                    resources: [`arn:aws:ec2:${region}:${account}:instance/*`],
+                    resources: [`arn:${partition}:ec2:${region}:${account}:instance/*`],
                     conditions: {
                         StringEquals: {
                             [`aws:ResourceTag/${CLICKHOUSE_SERVER_ROLE_TAG.key}`]: CLICKHOUSE_SERVER_ROLE_TAG.value

package/dist/lib/patterns/aws/compute.d.ts

@@ -1,5 +1,6 @@
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { type Construct } from "constructs";
+import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import { type ComputeType, type IEcsCompute, type ILambdaCompute, type IEc2Compute, type AnyCompute, isCompute, isEcsCompute, isLambdaCompute, isEc2Compute } from "./interfaces/compute.js";
 import type App from "../../app.js";
 import { EcsCompute, type EcsComputeProps, type EcsServiceConfig, type EcsContainerConfig, type EcsScalingConfig, type EcsClusterConfig, type EcsRoutingConfig, type EcsCapacityProviderConfig, type ContainerDependency, type EcsMigrationsConfig, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, type EcsCapacityProvider, type Ec2CapacityConfig, validateEcsProps, buildContainerConfigs, expandMigrationsSugar, type ResolvedScalingConfig, resolveScalingConfig } from "./computeEcs.js";
@@ -22,6 +23,27 @@ export interface ComputeTypeConfig {
     requiresVpc: boolean;
 }
 export declare const COMPUTE_TYPE_CONFIG: Record<ComputeType, ComputeTypeConfig>;
+/**
+ * Collect literal externally-managed Secrets Manager import names from a
+ * `secretsImport` map into `acc`, for the manifest's `importedSecretNames`.
+ *
+ * Excludes two shapes deploy-core must NOT DescribeSecret-resolve:
+ *   - the `{ arn }` escape hatch (already a complete ARN, possibly cross-account,
+ *     which the fail-closed resolver would abort on);
+ *   - CDK-managed token names (a `getImport()` of a managed/cross-stack secret),
+ *     which render as an intrinsic, not a literal `fromSecretNameV2` import, and
+ *     cannot be resolved by name at deploy time.
+ * What remains is the literal-name set of the passed `secretsImport` map. NB this is
+ * narrower than the deleted template scanner, which walked every
+ * `AWS::ECS::TaskDefinition`: a secret declared via raw `EcsSecret.fromSecretsManager(...)`
+ * outside a `secretsImport` block (e.g. a scheduled task) is not collected here. No
+ * current consumer constructs one — revisit if that changes.
+ *
+ * Shared with computeEcs.ts: the contributor-merge outage guard reconstructs the
+ * service's emitted manifest name-set with this same helper so its "is this literal
+ * deploy-resolvable?" test stays byte-identical to what the factory actually wrote.
+ */
+export declare function collectImportedSecretNames(secretsImport: Record<string, SecretImport> | undefined, acc: Set<string>): void;
 /**
  * Default values for compute resource configuration.
  * Centralised constants to ensure consistency across the codebase.

package/dist/lib/patterns/aws/compute.js

@@ -1,3 +1,4 @@
+import { Token } from "aws-cdk-lib";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { isCompute, isEcsCompute, isLambdaCompute, isEc2Compute } from "./interfaces/compute.js";
 import { warnIfPropertiesIgnored } from "../../utils/validationLogger.js";
@@ -31,6 +32,33 @@ export const COMPUTE_TYPE_CONFIG = {
         requiresVpc: false
     }
 };
+/**
+ * Collect literal externally-managed Secrets Manager import names from a
+ * `secretsImport` map into `acc`, for the manifest's `importedSecretNames`.
+ *
+ * Excludes two shapes deploy-core must NOT DescribeSecret-resolve:
+ *   - the `{ arn }` escape hatch (already a complete ARN, possibly cross-account,
+ *     which the fail-closed resolver would abort on);
+ *   - CDK-managed token names (a `getImport()` of a managed/cross-stack secret),
+ *     which render as an intrinsic, not a literal `fromSecretNameV2` import, and
+ *     cannot be resolved by name at deploy time.
+ * What remains is the literal-name set of the passed `secretsImport` map. NB this is
+ * narrower than the deleted template scanner, which walked every
+ * `AWS::ECS::TaskDefinition`: a secret declared via raw `EcsSecret.fromSecretsManager(...)`
+ * outside a `secretsImport` block (e.g. a scheduled task) is not collected here. No
+ * current consumer constructs one — revisit if that changes.
+ *
+ * Shared with computeEcs.ts: the contributor-merge outage guard reconstructs the
+ * service's emitted manifest name-set with this same helper so its "is this literal
+ * deploy-resolvable?" test stays byte-identical to what the factory actually wrote.
+ */
+export function collectImportedSecretNames(secretsImport, acc) {
+    for (const si of Object.values(secretsImport ?? {})) {
+        if (si.name !== undefined && !Token.isUnresolved(si.name)) {
+            acc.add(si.name);
+        }
+    }
+}
 /**
  * Default values for compute resource configuration.
  * Centralised constants to ensure consistency across the codebase.
@@ -149,16 +177,25 @@ export class ComputeFactory {
                         }
                         // Aggregate secrets from all containers (deduplicated)
                         const allSecrets = new Set();
+                        const importedSecretNames = new Set();
                         for (const container of service.containers ?? []) {
                             if (container.secrets) {
                                 for (const secret of container.secrets) {
                                     allSecrets.add(secret);
                                 }
                             }
+                            collectImportedSecretNames(container.secretsImport, importedSecretNames);
                         }
+                        // The synthetic migrate container resolves imports from its own
+                        // `migrations.secretsImport` (the primary's are collected above).
+                        collectImportedSecretNames(service.migrations?.secretsImport, importedSecretNames);
                         if (allSecrets.size > 0) {
                             manifestService.secrets = Array.from(allSecrets);
                         }
+                        if (importedSecretNames.size > 0) {
+                            manifestService.importedSecretNames =
+                                Array.from(importedSecretNames);
+                        }
                         // Include ssmSecretsPath (explicit or derived)
                         manifestService.ssmSecretsPath =
                             service.ssmSecretsPath ??
@@ -186,6 +223,11 @@ export class ComputeFactory {
                         lambdaComputeProps.secrets.length > 0) {
                         manifestLambda.secrets = lambdaComputeProps.secrets;
                     }
+                    const lambdaImportedSecretNames = new Set();
+                    collectImportedSecretNames(lambdaComputeProps.secretsImport, lambdaImportedSecretNames);
+                    if (lambdaImportedSecretNames.size > 0) {
+                        manifestLambda.importedSecretNames = Array.from(lambdaImportedSecretNames);
+                    }
                     collector.addLambda(manifestLambda);
                     return new LambdaCompute(scope, id, lambdaComputeProps);
                 }

package/dist/lib/patterns/aws/computeEcs.d.ts

@@ -8,7 +8,7 @@ import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import EcsCluster, { type EcsClusterProps } from "../../resources/aws/compute/ecs.js";
 export { ScalingType } from "./computeEcsTypes.js";
 export type { EcsCapacityProvider, Ec2CapacityConfig, RemoteConnectionSpec, EcsCapacityProviderConfig, EcsContainerConfig, ContainerDependency, ContainerVolume, EcsScheduledTaskConfig, EcsLifecycleHookMigrationsConfig, EcsPostDeployMigrationsConfig, EcsHookMigrationsConfig, EcsMigrationsConfig, EcsMigrationsMode, EcsCircuitBreakerConfig, EcsScalingConfig, EcsClusterConfig, EcsRoutingConfig, EcsServiceConfig, EcsComputeProps } from "./computeEcsTypes.js";
-import { ScalingType, type EcsCapacityProviderConfig, type EcsCapacityProvider, type EcsContainerConfig, type EcsScalingConfig, type EcsServiceConfig, type EcsComputeProps } from "./computeEcsTypes.js";
+import { ScalingType, type EcsCapacityProviderConfig, type EcsCapacityProvider, type EcsContainerConfig, type EcsScalingConfig, type EcsServiceConfig, type EcsComputeProps, type QueueScalingConfig } from "./computeEcsTypes.js";
 export declare const ECS_CAPACITY_PROVIDER_CONFIG: Record<EcsCapacityProvider, EcsCapacityProviderConfig>;
 export declare function getEcsCapacityProviderConfig(provider: EcsCapacityProvider): EcsCapacityProviderConfig;
 /**
@@ -61,6 +61,7 @@ export interface ResolvedScalingConfig {
     scalingType: ScalingType | undefined;
     minCapacity: number | undefined;
     maxCapacity: number | undefined;
+    queueScaling: QueueScalingConfig | undefined;
 }
 /**
  * Resolve scaling configuration from service props.

package/dist/lib/patterns/aws/computeEcs.js

@@ -1,15 +1,15 @@
 import { AwsLogDriver, ContainerImage, DeploymentLifecycleStage, Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
 import { Peer, Port, SubnetType } from "aws-cdk-lib/aws-ec2";
 import { Effect, Grant, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
-import { Annotations, Stack } from "aws-cdk-lib";
+import { Annotations, Stack, Token } from "aws-cdk-lib";
 import { RetentionDays } from "aws-cdk-lib/aws-logs";
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { StringParameter } from "aws-cdk-lib/aws-ssm";
 import { Construct } from "constructs";
 import { resolveAlertsTopic } from "../../utils/resolveAlertsTopic.js";
 import { EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV, isClickHouseDatabase, isDatabase, isRelationalDatabase } from "./interfaces/database.js";
 import { isConnectionConfig } from "../../utils/connector.js";
 import { isMigrationContributor } from "./interfaces/migrationContributor.js";
+import { resolveImportedSecret } from "../../resources/aws/secrets/index.js";
 import App from "../../app.js";
 import EcsCluster from "../../resources/aws/compute/ecs.js";
 import { createScheduledTaskDefinition, createMigrationTaskDefinition } from "../../resources/aws/compute/ecsTaskDefinition.js";
@@ -22,7 +22,7 @@ import { vpcHasNatGateways } from "../../utils/vpcUtils.js";
 import { toPascalCase } from "../../utils/capitaliseString.js";
 import { FjallLogger } from "../../utils/validationLogger.js";
 import { VALIDATION_PATTERNS } from "@fjall/generator";
-import { COMPUTE_DEFAULTS } from "./compute.js";
+import { COMPUTE_DEFAULTS, collectImportedSecretNames } from "./compute.js";
 import { isHookMigrations } from "./computeEcsTypes.js";
 export { ScalingType } from "./computeEcsTypes.js";
 import { ScalingType } from "./computeEcsTypes.js";
@@ -373,6 +373,13 @@ function collectMigrationContributions(service) {
         }
         if (contribution.secretsImport !== undefined) {
             for (const [key, value] of Object.entries(contribution.secretsImport)) {
+                // The literal-external-name outage guard runs POST-merge in
+                // `wireLifecycleHookMigrations`, not here: a literal a contributor supplies
+                // can be legitimately overridden by the author (`migrations.secretsImport.<key>
+                // = { arn }`) or coincide with a manifest-collected service import, both of
+                // which deploy fine. Throwing pre-merge here would pre-empt those escapes
+                // (the 2026-06-04 outage shape is only reachable if the merged literal is
+                // ALSO absent from the deploy manifest — checked once the merge has settled).
                 const prior = secretOrigin.get(key);
                 if (prior !== undefined &&
                     merged.secretsImport[key]?.name !== value.name) {
@@ -454,6 +461,45 @@ function mergeContributionsIntoSeparateTaskDef(separateTaskDef, contributions) {
         ...(mergedEgress.length > 0 && { egressTo: mergedEgress })
     };
 }
+/**
+ * Outage guard (2026-06-04): a literal (non-token) secret NAME in the migrate task's
+ * merged `secretsImport` renders a suffixless partial ARN that AccessDenies at task
+ * launch UNLESS @fjall/deploy-core resolves it to a complete ARN. deploy-core resolves
+ * exactly the names the build manifest carries in `importedSecretNames` — which the
+ * factory (compute.ts) collects from the service's own container + author-declared
+ * `migrations.secretsImport`, but NOT from contributor-derived credentials (merged AFTER
+ * the manifest was written). So a merged literal absent from that name-set is
+ * unresolvable and would ship the outage shape; fail loud at synth instead.
+ *
+ * Passes (correctly): an author `{ arn }` override (complete ARN, no name to resolve), a
+ * managed `getImport()` token (`Token.isUnresolved`), and a contributor literal that
+ * COINCIDES with a manifest-collected service import (deploy-core resolves it anyway).
+ * The reconstruction here reuses the factory's own `collectImportedSecretNames`, so the
+ * name-set stays identical to what was actually written.
+ */
+function assertMigrationSecretsResolvable(service, effectiveMigrations) {
+    const manifestResolvableNames = new Set();
+    for (const container of service.containers ?? []) {
+        collectImportedSecretNames(container.secretsImport, manifestResolvableNames);
+    }
+    collectImportedSecretNames(service.migrations?.secretsImport, manifestResolvableNames);
+    for (const [key, value] of Object.entries(effectiveMigrations.secretsImport ?? {})) {
+        if (value.name !== undefined &&
+            !Token.isUnresolved(value.name) &&
+            !manifestResolvableNames.has(value.name)) {
+            throw new Error(`Service '${service.name}': migration secretsImport '${key}' resolves to the ` +
+                `literal external secret name '${value.name}', contributed by a connected ` +
+                `database but neither declared on the service nor present in the deploy ` +
+                `manifest — deploy-core never resolves it to a complete ARN, so it renders a ` +
+                `suffixless partial ARN that AccessDenies at task launch (the 2026-06-04 ` +
+                `outage shape). This usually means the migration task targets a database whose ` +
+                `credentials are an imported/replicated secret (e.g. a GlobalAurora read-only ` +
+                `secondary). Run migrations against the primary region (a read-only secondary ` +
+                `cannot accept schema migrations), or pin the credential on the service: ` +
+                `migrations.secretsImport.${key} = { arn: "<complete-secret-arn>" }.`);
+        }
+    }
+}
 /**
  * Build container configurations for an ECS service.
  * Converts user-facing EcsContainerConfig to internal EcsClusterProps format.
@@ -607,20 +653,23 @@ export function resolveScalingConfig(scaling) {
         return {
             scalingType: undefined,
             minCapacity: undefined,
-            maxCapacity: undefined
+            maxCapacity: undefined,
+            queueScaling: undefined
         };
     }
     if (scaling === undefined) {
         return {
             scalingType: ScalingType.CPU,
             minCapacity: undefined,
-            maxCapacity: undefined
+            maxCapacity: undefined,
+            queueScaling: undefined
         };
     }
     return {
         scalingType: scaling.scalingType ?? ScalingType.CPU,
         minCapacity: scaling.minCapacity,
-        maxCapacity: scaling.maxCapacity
+        maxCapacity: scaling.maxCapacity,
+        queueScaling: scaling.queueScaling
     };
 }
 /**
@@ -643,7 +692,7 @@ export class EcsCompute extends Construct {
             const schemaVersionEnv = this.resolveSchemaVersionEnv(service);
             const chGate = this.resolveClickHouseSchemaVersionEnv(service);
             const containers = buildContainerConfigs(service, schemaVersionEnv, this, chGate);
-            const { scalingType, minCapacity, maxCapacity } = resolveScalingConfig(service.scaling);
+            const { scalingType, minCapacity, maxCapacity, queueScaling } = resolveScalingConfig(service.scaling);
             const cloudMapService = service.serviceDiscovery !== undefined
                 ? App.getInstance().registerService({
                     name: service.serviceDiscovery.name,
@@ -662,6 +711,7 @@ export class EcsCompute extends Construct {
                 scalingType,
                 minCapacity,
                 maxCapacity,
+                ...(queueScaling !== undefined && { queueScaling }),
                 routing: service.routing,
                 taskRoleInlinePolicies: service.taskRoleInlinePolicies,
                 taskRoleManagedPolicies: service.taskRoleManagedPolicies,
@@ -894,6 +944,7 @@ export class EcsCompute extends Construct {
             }
             const contributions = collectMigrationContributions(svcConfig);
             const effectiveMigrations = mergeContributionsIntoMigrations(migrations, contributions, this, svcConfig.name);
+            assertMigrationSecretsResolvable(svcConfig, effectiveMigrations);
             const effectiveSeparateTaskDef = migrations.separateTaskDef !== undefined
                 ? mergeContributionsIntoSeparateTaskDef(migrations.separateTaskDef, contributions)
                 : undefined;
@@ -1001,7 +1052,7 @@ export class EcsCompute extends Construct {
             executionRole,
             taskRole
         });
-        const { secretsResolved, secretArns, ssmPath } = this.resolveMigrationSecrets(svcConfig, migrations, idPrefix);
+        const { secretsResolved, hasSecretsManagerSecrets, ssmPath } = this.resolveMigrationSecrets(svcConfig, migrations, idPrefix);
         const authoredEnvironment = migrations.environment ?? {};
         const containerEnvironment = {
             ...authoredEnvironment
@@ -1027,16 +1078,9 @@ export class EcsCompute extends Construct {
                 logGroup
             })
         });
-        if (secretArns.length > 0) {
-            executionRole.addToPolicy(new PolicyStatement({
-                effect: Effect.ALLOW,
-                actions: [
-                    "secretsmanager:GetSecretValue",
-                    "secretsmanager:DescribeSecret"
-                ],
-                resources: secretArns
-            }));
-        }
+        // Gotcha: no manual `secretsImport` grant — `addContainer({ secrets })` auto-grants
+        // `secret.grantRead(executionRole)` on the resolved complete ARN (exact, no wildcard).
+        // A manual bare/`-*` statement is the 2026-06-04 outage shape; do not re-add it.
         if (ssmPath !== undefined) {
             executionRole.addToPolicy(new PolicyStatement({
                 effect: Effect.ALLOW,
@@ -1046,7 +1090,7 @@ export class EcsCompute extends Construct {
                 ]
             }));
         }
-        if (secretArns.length > 0 || ssmPath !== undefined) {
+        if (hasSecretsManagerSecrets || ssmPath !== undefined) {
             executionRole.addToPolicy(new PolicyStatement({
                 effect: Effect.ALLOW,
                 actions: ["kms:Decrypt"],
@@ -1095,14 +1139,13 @@ export class EcsCompute extends Construct {
         };
     }
     resolveMigrationSecrets(svcConfig, migrations, idPrefix) {
-        const stack = Stack.of(this);
         const secretsResolved = {};
-        const secretArns = [];
+        const hasSecretsManagerSecrets = migrations.secretsImport !== undefined &&
+            Object.keys(migrations.secretsImport).length > 0;
         if (migrations.secretsImport) {
             for (const [key, secretImport] of Object.entries(migrations.secretsImport)) {
-                const secret = Secret.fromSecretNameV2(this, `${idPrefix}${key}Secret`, secretImport.name);
+                const secret = resolveImportedSecret(this, `${idPrefix}${key}Secret`, secretImport);
                 secretsResolved[key] = EcsSecret.fromSecretsManager(secret, secretImport.field);
-                secretArns.push(`arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:${secretImport.name}-*`);
             }
         }
         let ssmPath;
@@ -1123,7 +1166,7 @@ export class EcsCompute extends Construct {
                 secretsResolved[secretName] = EcsSecret.fromSsmParameter(param);
             }
         }
-        return { secretsResolved, secretArns, ssmPath };
+        return { secretsResolved, hasSecretsManagerSecrets, ssmPath };
     }
     /** Get the ECS cluster. */
     getCluster() {

package/dist/lib/patterns/aws/computeEcsTypes.d.ts

@@ -7,13 +7,13 @@ import type { ITopic } from "aws-cdk-lib/aws-sns";
 import { type ConnectionSpec } from "./interfaces/connector.js";
 import { type RemoteConnectionSpec } from "../../resources/aws/compute/ecsRemoteConnections.js";
 import { type EcsRoutingConfig, type EcsContainerDependency } from "../../resources/aws/compute/ecsTypes.js";
-import { ScalingType, type DomainConfig, type EcsCapacityProvider, type Ec2CapacityConfig } from "../../resources/aws/compute/ecs.js";
+import { ScalingType, type DomainConfig, type EcsCapacityProvider, type Ec2CapacityConfig, type QueueScalingConfig } from "../../resources/aws/compute/ecs.js";
 import type { EcsServiceAlarmThresholds } from "../../resources/aws/monitoring/index.js";
 import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import type { DockerBuild } from "@fjall/util/manifest/schemas";
 export type { RemoteConnectionSpec };
 export { ScalingType };
-export type { EcsCapacityProvider, Ec2CapacityConfig };
+export type { EcsCapacityProvider, Ec2CapacityConfig, QueueScalingConfig };
 /**
  * Configuration for ECS capacity providers.
  */
@@ -450,6 +450,12 @@ export interface EcsScalingConfig {
     minCapacity?: number;
     maxCapacity?: number;
     scalingType?: ScalingType;
+    /**
+     * Queue-depth scaling config. REQUIRED when `scalingType` is
+     * `ScalingType.QUEUE`. Lets a `desiredCount: 0` service wake from zero on
+     * SQS backlog (the only scaling mode that does).
+     */
+    queueScaling?: QueueScalingConfig;
 }
 /**
  * Host-bind volume mounted into one or more containers in the same task.

package/dist/lib/patterns/aws/platform.d.ts

@@ -10,5 +10,6 @@ export interface PlatformProps extends AccountProps {
 export declare class Platform extends Account {
     readonly organisationType: OrganisationType;
     constructor(scope: Construct, id: string, props: PlatformProps);
+    protected receivesDeployRole(): boolean;
     enableSecurityServicesAdmin(props: SecurityServicesAdminProps): SecurityServicesAdmin;
 }

package/dist/lib/patterns/aws/platform.js

@@ -23,6 +23,9 @@ export class Platform extends Account {
             ipamScope: ipam.privateDefaultScopeId
         });
     }
+    receivesDeployRole() {
+        return true;
+    }
     enableSecurityServicesAdmin(props) {
         return new SecurityServicesAdmin(this, "SecurityServicesAdmin", props);
     }

package/dist/lib/resources/aws/backup/backupVault.js

@@ -8,19 +8,21 @@ export class BackupVault extends Construct {
     vaultName;
     constructor(scope, id, props) {
         super(scope, id);
+        // RETAIN default: a DESTROY-policy vault is silently deleted with the stack.
+        // Callers opt into DESTROY explicitly for ephemeral/dev vaults.
+        const removalPolicy = props.removalPolicy ?? RemovalPolicy.RETAIN;
         const encryptionKey = props.encryptionKey ||
             new CustomerManagedKey(this, `${props.vaultName}Key`, {
                 description: `Encryption key for backup vault ${props.vaultName}`,
                 aliasName: `cmk/backupVault/${props.vaultName}`,
-                removalPolicy: props.removalPolicy
+                removalPolicy
             });
         this.vault = new Vault(this, `${props.vaultName}Vault`, {
             backupVaultName: props.vaultName,
             encryptionKey: encryptionKey.key,
             accessPolicy: props.accessPolicy,
             lockConfiguration: props.lockConfiguration,
-            // TODO: Revert to RemovalPolicy.RETAIN for production
-            removalPolicy: props.removalPolicy || RemovalPolicy.DESTROY
+            removalPolicy
         });
         this.vaultArn = new CfnOutput(this, `${props.vaultName}VaultArn`, {
             key: `${props.vaultName}VaultArn`,

package/dist/lib/resources/aws/compute/ecsConstants.d.ts

@@ -1,7 +1,7 @@
 import { AmiHardwareType } from "aws-cdk-lib/aws-ecs";
 export declare const DEFAULT_EC2_INSTANCE_TYPE = "t4g.micro";
 export declare const DEFAULT_WARM_POOL_MIN_SIZE = 1;
-export declare const DEFAULT_WARM_POOL_REUSE_ON_SCALE_IN = true;
+export declare const DEFAULT_WARM_POOL_REUSE_ON_SCALE_IN = false;
 export declare const DEFAULT_LOG_RETENTION_DAYS = 14;
 export declare const DEFAULT_FARGATE_CPU = 256;
 export declare const DEFAULT_FARGATE_MEMORY_MIB = 512;

package/dist/lib/resources/aws/compute/ecsConstants.js

@@ -2,7 +2,10 @@ import { AmiHardwareType } from "aws-cdk-lib/aws-ecs";
 // Canonical source: @fjall/generator schemas/constants.ts — keep in sync
 export const DEFAULT_EC2_INSTANCE_TYPE = "t4g.micro";
 export const DEFAULT_WARM_POOL_MIN_SIZE = 1;
-export const DEFAULT_WARM_POOL_REUSE_ON_SCALE_IN = true;
+// reuseOnScaleIn: true returns scaled-in instances to the warm pool Stopped,
+// which can strand ECS tasks DRAINING indefinitely (the 2026-06-04 outage).
+// Default false — terminate on scale-in. Mirrors the @fjall/generator twin.
+export const DEFAULT_WARM_POOL_REUSE_ON_SCALE_IN = false;
 // 14 days balances cost against retaining enough history for post-mortem debugging
 export const DEFAULT_LOG_RETENTION_DAYS = 14;
 // Smallest valid (cpu, memory) pair on the Fargate matrix — must move together.

package/dist/lib/resources/aws/compute/ecsLifecycleHookMigration.js

@@ -30,10 +30,10 @@ export class EcsLifecycleHookMigration extends Construct {
         const migrationTaskDef = props.migrationTaskDef;
         const targetTaskDefinitionArn = migrationTaskDef?.definitionArn ?? props.taskDefinitionArn;
         const runTaskResources = [
-            `arn:aws:ecs:${stack.region}:${stack.account}:task-definition/${props.taskDefinitionFamily}:*`
+            `arn:${stack.partition}:ecs:${stack.region}:${stack.account}:task-definition/${props.taskDefinitionFamily}:*`
         ];
         if (migrationTaskDef !== undefined) {
-            runTaskResources.push(`arn:aws:ecs:${stack.region}:${stack.account}:task-definition/${migrationTaskDef.family}:*`);
+            runTaskResources.push(`arn:${stack.partition}:ecs:${stack.region}:${stack.account}:task-definition/${migrationTaskDef.family}:*`);
         }
         const passRoleResources = [props.taskExecutionRoleArn, props.taskRoleArn];
         if (migrationTaskDef !== undefined) {

package/dist/lib/resources/aws/compute/ecsRoles.js

@@ -1,6 +1,6 @@
 import { Stack } from "aws-cdk-lib";
 import { Effect, Policy, PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
-import { collectSecretsManagerSecretNames, deriveSsmSecretsPath } from "./ecsTaskDefinition.js";
+import { deriveSsmSecretsPath } from "./ecsTaskDefinition.js";
 /**
  * Creates the execution role for ECS infrastructure operations.
  * Used by the ECS agent to pull images, write logs, and inject secrets.
@@ -34,18 +34,9 @@ export function createExecutionRole(ctx, serviceName) {
         ],
         resources: [logGroupArn, `${logGroupArn}:*`]
     }));
-    const secretNames = collectSecretsManagerSecretNames(ctx.props, serviceName);
-    if (secretNames.length > 0) {
-        const secretArns = secretNames.map((secretName) => `arn:${partition}:secretsmanager:${region}:${account}:secret:${secretName}-*`);
-        executionRole.addToPolicy(new PolicyStatement({
-            effect: Effect.ALLOW,
-            actions: [
-                "secretsmanager:GetSecretValue",
-                "secretsmanager:DescribeSecret"
-            ],
-            resources: secretArns
-        }));
-    }
+    // Gotcha: do NOT add a manual `secretsImport` grant here. `addContainer({ secrets })`
+    // auto-grants `secret.grantRead(executionRole)` on the resolved complete ARN (exact, no
+    // wildcard). A manual bare/`-*` statement is the 2026-06-04 outage shape and is dead.
     const serviceProps = ctx.props.services.find((s) => s.name === serviceName);
     const hasSsmSecrets = serviceProps?.containers.some((container) => container.secrets && container.secrets.length > 0) ?? false;
     if (hasSsmSecrets && serviceProps) {

package/dist/lib/resources/aws/compute/ecsServiceFactory.d.ts

@@ -1,7 +1,7 @@
 import { FargateService, Ec2Service, AsgCapacityProvider, type DeploymentCircuitBreaker } from "aws-cdk-lib/aws-ecs";
 import type { FargateTaskDefinition, Ec2TaskDefinition } from "aws-cdk-lib/aws-ecs";
 import { type ISecurityGroup } from "aws-cdk-lib/aws-ec2";
-import { TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
+import { TargetTrackingScalingPolicy, type StepScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
 import { type AutoScalingGroup } from "aws-cdk-lib/aws-autoscaling";
 import { type EcsServiceProps, type Ec2CapacityConfig } from "./ecsTypes.js";
 import type { EcsConstructContext } from "./ecsContext.js";
@@ -37,6 +37,8 @@ export declare function getOrCreateAsgCapacityProvider(ctx: EcsConstructContext,
  */
 export declare function createService(ctx: EcsConstructContext, serviceName: string, serviceProps: EcsServiceProps, taskDefinition: FargateTaskDefinition | Ec2TaskDefinition, asgState: AsgCapacityState): FargateService | Ec2Service;
 /**
- * Adds auto-scaling to an ECS service based on CPU or memory utilisation.
+ * Adds auto-scaling to an ECS service. `CPU`/`MEMORY` emit a target-tracking
+ * policy on utilisation; `QUEUE` emits a step-scaling policy on SQS backlog
+ * that can wake the service from `desiredCount: 0`.
  */
-export declare function addServiceScaling(ctx: EcsConstructContext, serviceName: string, serviceProps: EcsServiceProps, service: FargateService | Ec2Service): TargetTrackingScalingPolicy;
+export declare function addServiceScaling(ctx: EcsConstructContext, serviceName: string, serviceProps: EcsServiceProps, service: FargateService | Ec2Service): TargetTrackingScalingPolicy | StepScalingPolicy;

package/dist/lib/resources/aws/compute/ecsServiceFactory.js

@@ -3,7 +3,8 @@ import { Peer, Port, SubnetType, UserData } from "aws-cdk-lib/aws-ec2";
 import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { Role } from "../iam/role.js";
 import { CfnOutput, Duration, Token } from "aws-cdk-lib";
-import { PredefinedMetric, ScalableTarget, ServiceNamespace, TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
+import { AdjustmentType, PredefinedMetric, ScalableTarget, ServiceNamespace, TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
+import { MathExpression } from "aws-cdk-lib/aws-cloudwatch";
 import { Monitoring } from "aws-cdk-lib/aws-autoscaling";
 import { SecurityGroup } from "../networking/securityGroup.js";
 import { Ec2Instance } from "./ec2.js";
@@ -282,17 +283,39 @@ export function createService(ctx, serviceName, serviceProps, taskDefinition, as
     return service;
 }
 /**
- * Adds auto-scaling to an ECS service based on CPU or memory utilisation.
+ * Step-scaling intervals on the queue-backlog metric, with
+ * `AdjustmentType.EXACT_CAPACITY` (`change` is the absolute DesiredCount).
+ * Backlog 0 → 0 tasks (wake-to-zero); ≥1 → 1; ≥100 → 2; ≥500 → 3. Capacities
+ * are clamped to the service's `maxCapacity` at build time.
+ */
+const DEFAULT_QUEUE_SCALING_STEPS = [
+    { lower: 0, upper: 1, capacity: 0 },
+    { lower: 1, upper: 100, capacity: 1 },
+    { lower: 100, upper: 500, capacity: 2 },
+    { lower: 500, capacity: 3 }
+];
+const DEFAULT_QUEUE_SCALE_COOLDOWN = Duration.minutes(5);
+/**
+ * Adds auto-scaling to an ECS service. `CPU`/`MEMORY` emit a target-tracking
+ * policy on utilisation; `QUEUE` emits a step-scaling policy on SQS backlog
+ * that can wake the service from `desiredCount: 0`.
  */
 export function addServiceScaling(ctx, serviceName, serviceProps, service) {
     const desiredCount = serviceProps.desiredCount ?? DEFAULT_DESIRED_COUNT;
+    const maxCapacity = serviceProps.maxCapacity ?? Math.max(desiredCount + 1, 3);
     const scalableTarget = new ScalableTarget(ctx.scope, `${serviceName}ScalableTarget`, {
         serviceNamespace: ServiceNamespace.ECS,
         resourceId: `service/${ctx.cluster.clusterName}/${service.serviceName}`,
         scalableDimension: "ecs:service:DesiredCount",
         minCapacity: serviceProps.minCapacity ?? desiredCount,
-        maxCapacity: serviceProps.maxCapacity ?? Math.max(desiredCount + 1, 3)
+        maxCapacity
     });
+    // QUEUE must branch BEFORE the CPU/MEMORY path: it is a mode discriminator
+    // with no predefined metric — falling through would silently emit a CPU
+    // policy on a service that meant to scale on backlog.
+    if (serviceProps.scalingType === ScalingType.QUEUE) {
+        return buildQueueScalingPolicy(serviceName, serviceProps.queueScaling, scalableTarget, maxCapacity);
+    }
     return new TargetTrackingScalingPolicy(ctx.scope, `${serviceName}ScalingPolicy`, {
         scalingTarget: scalableTarget,
         predefinedMetric: serviceProps.scalingType === ScalingType.MEMORY
@@ -303,3 +326,53 @@ export function addServiceScaling(ctx, serviceName, serviceProps, service) {
         scaleOutCooldown: Duration.seconds(60)
     });
 }
+/**
+ * Builds the step-scaling policy for `ScalingType.QUEUE`. The alarm metric is a
+ * `MathExpression` SUM of `ApproximateNumberOfMessagesVisible`
+ * (+`…NotVisible` when `includeInFlight`) across the consumed queues, sampled at
+ * `Maximum` over 1-minute periods — published independent of running-task count,
+ * so the policy fires (and DesiredCount rises from 0) on backlog alone.
+ */
+function buildQueueScalingPolicy(serviceName, config, scalableTarget, maxCapacity) {
+    if (config === undefined || config.queues.length === 0) {
+        throw new Error(`ECS service '${serviceName}' uses ScalingType.QUEUE but provides no queueScaling.queues — at least one queue is required to compute backlog.`);
+    }
+    const includeInFlight = config.includeInFlight ?? true;
+    const usingMetrics = {};
+    const expressionTerms = [];
+    config.queues.forEach((queue, index) => {
+        const visibleId = `visible${index}`;
+        usingMetrics[visibleId] = queue.metricApproximateNumberOfMessagesVisible({
+            statistic: "Maximum",
+            period: Duration.minutes(1)
+        });
+        expressionTerms.push(visibleId);
+        if (includeInFlight) {
+            const inflightId = `inflight${index}`;
+            usingMetrics[inflightId] =
+                queue.metricApproximateNumberOfMessagesNotVisible({
+                    statistic: "Maximum",
+                    period: Duration.minutes(1)
+                });
+            expressionTerms.push(inflightId);
+        }
+    });
+    const backlogMetric = new MathExpression({
+        expression: expressionTerms.join(" + "),
+        usingMetrics,
+        period: Duration.minutes(1),
+        label: `${serviceName}QueueBacklog`
+    });
+    return scalableTarget.scaleOnMetric(`${serviceName}QueueScaling`, {
+        metric: backlogMetric,
+        adjustmentType: AdjustmentType.EXACT_CAPACITY,
+        scalingSteps: DEFAULT_QUEUE_SCALING_STEPS.map((step) => ({
+            lower: step.lower,
+            ...(step.upper !== undefined && { upper: step.upper }),
+            change: Math.min(step.capacity, maxCapacity)
+        })),
+        cooldown: config.cooldown ?? DEFAULT_QUEUE_SCALE_COOLDOWN,
+        evaluationPeriods: 1,
+        datapointsToAlarm: 1
+    });
+}

package/dist/lib/resources/aws/compute/ecsTaskDefinition.d.ts

@@ -14,11 +14,6 @@ export declare function getServiceCapacityProvider(serviceProps: EcsServiceProps
 export declare function isServiceFargate(serviceProps: EcsServiceProps): boolean;
 /** Checks if a service uses an EC2 capacity provider. */
 export declare function isServiceEc2(serviceProps: EcsServiceProps): boolean;
-/**
- * Collects Secrets Manager secret names from secretsImport for a specific service.
- * Scoped per service to enforce least-privilege on execution roles.
- */
-export declare function collectSecretsManagerSecretNames(props: EcsClusterProps, serviceName: string): string[];
 /**
  * Derives the SSM secrets path for a service.
  * Uses explicit path if provided, otherwise derives from app/cluster/service names.

package/dist/lib/resources/aws/compute/ecsTaskDefinition.js

@@ -1,13 +1,13 @@
 import { AwsLogDriver, ContainerDependencyCondition, FargateTaskDefinition, Ec2TaskDefinition, NetworkMode, CpuArchitecture, OperatingSystemFamily } from "aws-cdk-lib/aws-ecs";
 import { Duration } from "aws-cdk-lib";
 import { Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { StringParameter } from "aws-cdk-lib/aws-ssm";
 import { resolveOrgId } from "../../../utils/cdkContext.js";
 import { validateSsmPathComponent } from "./ecsValidation.js";
 import { DEFAULT_LOG_RETENTION_DAYS, DEFAULT_FARGATE_CPU, DEFAULT_FARGATE_MEMORY_MIB, DEFAULT_EC2_CONTAINER_MEMORY_MIB } from "./ecsConstants.js";
 import { getContainerImage } from "./ecsImages.js";
 import { resolveRemoteConnections } from "./ecsRemoteConnections.js";
+import { resolveImportedSecret } from "../secrets/index.js";
 // Re-export extracted functions so existing consumers are not broken
 export { createExecutionRole, createTaskRole } from "./ecsRoles.js";
 export { getContainerImage } from "./ecsImages.js";
@@ -27,24 +27,6 @@ export function isServiceFargate(serviceProps) {
 export function isServiceEc2(serviceProps) {
     return getServiceCapacityProvider(serviceProps) === "EC2";
 }
-/**
- * Collects Secrets Manager secret names from secretsImport for a specific service.
- * Scoped per service to enforce least-privilege on execution roles.
- */
-export function collectSecretsManagerSecretNames(props, serviceName) {
-    const service = props.services.find((s) => s.name === serviceName);
-    if (!service)
-        return [];
-    const secretNames = new Set();
-    for (const container of service.containers) {
-        if (container.secretsImport) {
-            for (const secretImport of Object.values(container.secretsImport)) {
-                secretNames.add(secretImport.name);
-            }
-        }
-    }
-    return Array.from(secretNames);
-}
 /**
  * Derives the SSM secrets path for a service.
  * Uses explicit path if provided, otherwise derives from app/cluster/service names.
@@ -148,7 +130,7 @@ export function addContainersToTask(ctx, serviceName, serviceProps, taskDefiniti
         const secrets = {};
         if (containerConfig.secretsImport) {
             for (const [key, secretImport] of Object.entries(containerConfig.secretsImport)) {
-                const secret = Secret.fromSecretNameV2(ctx.scope, `${ctx.props.clusterName}${serviceName}${containerConfig.name}${key}Secret`, secretImport.name);
+                const secret = resolveImportedSecret(ctx.scope, `${ctx.props.clusterName}${serviceName}${containerConfig.name}${key}Secret`, secretImport);
                 secrets[key] = EcsSecret.fromSecretsManager(secret, secretImport.field);
             }
         }

package/dist/lib/resources/aws/compute/ecsTypes.d.ts

@@ -4,7 +4,9 @@ import { type Monitoring } from "aws-cdk-lib/aws-autoscaling";
 import { type IService } from "aws-cdk-lib/aws-servicediscovery";
 import { type IManagedPolicy, type PolicyDocument } from "aws-cdk-lib/aws-iam";
 import type { DockerBuild } from "@fjall/util/manifest/schemas";
-import { type TargetTrackingScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
+import { type TargetTrackingScalingPolicy, type StepScalingPolicy } from "aws-cdk-lib/aws-applicationautoscaling";
+import { type IQueue } from "aws-cdk-lib/aws-sqs";
+import { type Duration } from "aws-cdk-lib";
 import { type GeoLocation } from "aws-cdk-lib/aws-route53";
 import { type Repository } from "aws-cdk-lib/aws-ecr";
 import { type FargateService, type Ec2Service, type FargateTaskDefinition, type Ec2TaskDefinition } from "aws-cdk-lib/aws-ecs";
@@ -23,9 +25,42 @@ export declare enum Protocol {
     HTTP = 0,
     HTTPS = 1
 }
+/**
+ * Auto-scaling MODE for an ECS service.
+ *
+ * `CPU`/`MEMORY` double as their CDK `PredefinedMetric` value (target-tracking
+ * on utilisation). `QUEUE` is a pure mode discriminator — it has no predefined
+ * metric and drives a step-scaling policy on SQS backlog instead (see
+ * `addServiceScaling` → `buildQueueScalingPolicy`). Treat this as a scaling-MODE
+ * enum, NOT a `PredefinedMetric` alias: a new member must be branched on
+ * explicitly, never fall through the CPU/MEMORY utilisation path.
+ */
 export declare enum ScalingType {
     CPU = "ECSServiceAverageCPUUtilization",
-    MEMORY = "ECSServiceAverageMemoryUtilization"
+    MEMORY = "ECSServiceAverageMemoryUtilization",
+    QUEUE = "QueueBacklog"
+}
+/**
+ * Queue-depth (backlog) scaling configuration for `ScalingType.QUEUE`.
+ *
+ * Drives a step-scaling policy with `AdjustmentType.EXACT_CAPACITY` alarmed on
+ * a `MathExpression` SUM of `ApproximateNumberOfMessagesVisible`
+ * (+`…NotVisible` when `includeInFlight`) across `queues`. The queue-depth
+ * metric publishes every minute independent of running-task count, so the
+ * service wakes from `desiredCount: 0` on backlog — unlike CPU/MEMORY
+ * target-tracking, which has no datapoint at zero tasks.
+ */
+export interface QueueScalingConfig {
+    /** Queues whose combined backlog drives DesiredCount. At least one required. */
+    queues: IQueue[];
+    /**
+     * Include in-flight (received-but-not-deleted) messages in the backlog sum.
+     * Default: true — an in-flight message is still work the service is doing,
+     * so scaling in to zero while messages are in flight would strand them.
+     */
+    includeInFlight?: boolean;
+    /** Cooldown after a scale action. Default: 5 minutes. */
+    cooldown?: Duration;
 }
 import type { EcsCapacityProvider } from "@fjall/generator";
 export type { EcsCapacityProvider };
@@ -301,11 +336,12 @@ export interface EcsServiceProps {
     /** Desired number of tasks. Default: 2 */
     desiredCount?: number;
     /**
-     * Scaling type (CPU or MEMORY). Omit to disable auto-scaling — no
-     * `ScalableTarget` is registered, and `minCapacity`/`maxCapacity` below have
-     * no effect. The `desiredCount: 0 + minCapacity > 0` validation throw still
-     * fires regardless, so operator-intent contradictions surface at synth even
-     * when scaling is disabled.
+     * Scaling mode (`CPU`, `MEMORY`, or `QUEUE`). Omit to disable auto-scaling —
+     * no `ScalableTarget` is registered, and `minCapacity`/`maxCapacity` below
+     * have no effect. The `desiredCount: 0 + minCapacity > 0` validation throw
+     * still fires regardless, so operator-intent contradictions surface at synth
+     * even when scaling is disabled. `QUEUE` additionally requires `queueScaling`
+     * and is the only mode that wakes a `desiredCount: 0` service from zero.
      */
     scalingType?: ScalingType;
     /**
@@ -318,6 +354,12 @@ export interface EcsServiceProps {
      * Only consulted when `scalingType` is set.
      */
     maxCapacity?: number;
+    /**
+     * Queue-depth scaling config. REQUIRED when `scalingType` is
+     * `ScalingType.QUEUE`; ignored otherwise. Lets a `desiredCount: 0` service
+     * wake from zero on SQS backlog.
+     */
+    queueScaling?: QueueScalingConfig;
     /**
      * Routing rules for this service on the cluster's ALB.
      * Required when cluster has multiple services with ports.
@@ -500,5 +542,5 @@ export interface ServiceData {
     containers: ContainerDefinition[];
     primaryContainer?: ContainerDefinition;
     targetGroup?: IApplicationTargetGroup;
-    scalingPolicy?: TargetTrackingScalingPolicy;
+    scalingPolicy?: TargetTrackingScalingPolicy | StepScalingPolicy;
 }

package/dist/lib/resources/aws/compute/ecsTypes.js

@@ -3,8 +3,19 @@ export var Protocol;
     Protocol[Protocol["HTTP"] = 0] = "HTTP";
     Protocol[Protocol["HTTPS"] = 1] = "HTTPS";
 })(Protocol || (Protocol = {}));
+/**
+ * Auto-scaling MODE for an ECS service.
+ *
+ * `CPU`/`MEMORY` double as their CDK `PredefinedMetric` value (target-tracking
+ * on utilisation). `QUEUE` is a pure mode discriminator — it has no predefined
+ * metric and drives a step-scaling policy on SQS backlog instead (see
+ * `addServiceScaling` → `buildQueueScalingPolicy`). Treat this as a scaling-MODE
+ * enum, NOT a `PredefinedMetric` alias: a new member must be branched on
+ * explicitly, never fall through the CPU/MEMORY utilisation path.
+ */
 export var ScalingType;
 (function (ScalingType) {
     ScalingType["CPU"] = "ECSServiceAverageCPUUtilization";
     ScalingType["MEMORY"] = "ECSServiceAverageMemoryUtilization";
+    ScalingType["QUEUE"] = "QueueBacklog";
 })(ScalingType || (ScalingType = {}));

package/dist/lib/resources/aws/compute/ecsValidation.js

@@ -1,4 +1,5 @@
 import { NetworkMode } from "aws-cdk-lib/aws-ecs";
+import { ScalingType } from "./ecsTypes.js";
 /**
  * Validates ECS cluster props before construction.
  * Pure function — does not depend on class state.
@@ -66,6 +67,19 @@ export function validateEcsClusterProps(props) {
                         `stopTimeout must be an integer between 1 and 120 seconds (got ${container.stopTimeout}).`);
                 }
             }
+            // A host-bind volume silently no-ops on Fargate (no host filesystem),
+            // so a /var/run/docker.sock bind for `docker buildx` would fail at
+            // runtime with no synth error. Reject the un-mountable shape at synth.
+            if (service.capacityProvider !== "EC2" && container.volumes) {
+                const hostBind = container.volumes.find((v) => v.hostSourcePath !== undefined);
+                if (hostBind !== undefined) {
+                    throw new Error(`Service '${service.name}', container '${container.name ?? "(default)"}': ` +
+                        `volume '${hostBind.name}' sets hostSourcePath ('${hostBind.hostSourcePath}') but the service uses ` +
+                        `capacityProvider '${service.capacityProvider}'. Host-bind mounts require the EC2 launch type — ` +
+                        "Fargate has no host filesystem, so the mount is silently dropped at deploy (a /var/run/docker.sock " +
+                        "bind for in-container Docker builds would never appear). Set capacityProvider: 'EC2' or remove hostSourcePath.");
+                }
+            }
         }
         if (service.capacityProvider === "EC2" && !service.ec2Config) {
             throw new Error(`Service '${service.name}' uses EC2 capacity provider but no ec2Config is defined. ` +
@@ -97,6 +111,29 @@ export function validateEcsClusterProps(props) {
                 "Application Auto Scaling would immediately scale the service back up, defeating the desiredCount: 0 toggle. " +
                 "Either set scaling.minCapacity to 0 (placeholder service) or raise desiredCount to match scaling.minCapacity.");
         }
+        // A service that starts at zero can only ever come up again on QUEUE
+        // backlog scaling — CPU/MEMORY target-tracking produces no datapoint at
+        // zero running tasks, so DesiredCount never rises (the 2026-06-04
+        // asset-discovery outage). Reject the un-wakeable shape at synth.
+        if (service.desiredCount === 0 &&
+            service.scalingType !== ScalingType.QUEUE) {
+            throw new Error(`Service '${service.name}': desiredCount is 0 but scalingType is ` +
+                `${service.scalingType ?? "unset"} — a service that starts at zero can ` +
+                "only wake on queue backlog. Use ScalingType.QUEUE with queueScaling.queues " +
+                "so it scales up from 0, or raise desiredCount to keep at least one task running. " +
+                "CPU/MEMORY target-tracking produces no datapoint at zero tasks and never scales up.");
+        }
+        if (service.scalingType === ScalingType.QUEUE) {
+            if (service.queueScaling === undefined ||
+                service.queueScaling.queues.length === 0) {
+                throw new Error(`Service '${service.name}': scalingType is ScalingType.QUEUE but provides no ` +
+                    "queueScaling.queues — at least one queue is required to compute backlog.");
+            }
+        }
+        else if (service.queueScaling !== undefined) {
+            throw new Error(`Service '${service.name}': queueScaling is set but scalingType is not ` +
+                "ScalingType.QUEUE — queueScaling only applies to the QUEUE scaling mode.");
+        }
         if (service.capacityProvider === "EC2" &&
             service.securityGroups !== undefined &&
             service.securityGroups.length > 0) {

package/dist/lib/resources/aws/compute/lambda.js

@@ -8,9 +8,9 @@ import { EventType } from "aws-cdk-lib/aws-s3";
 import { PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
 import { RetentionDays } from "aws-cdk-lib/aws-logs";
 import { LogGroup } from "../logging/logGroup.js";
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { v4 as uuid } from "uuid";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
+import { resolveImportedSecret } from "../secrets/index.js";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
 import { resolvePrivateSubnetType } from "../../../utils/vpcUtils.js";
 import { createLambdaAlarms } from "../monitoring/index.js";
@@ -250,7 +250,7 @@ export class LambdaFunction extends Function {
      */
     addSecretsManagerSupport(secretsImport) {
         for (const [key, secretImport] of Object.entries(secretsImport)) {
-            const secret = Secret.fromSecretNameV2(this, `${this.node.id}ImportedSecret${key}`, secretImport.name);
+            const secret = resolveImportedSecret(this, `${this.node.id}ImportedSecret${key}`, secretImport);
             this.addEnvironment(`${key}_SECRET_ARN`, secret.secretArn);
             if (secretImport.field) {
                 this.addEnvironment(`${key}_SECRET_FIELD`, secretImport.field);
@@ -281,7 +281,7 @@ export class LambdaFunction extends Function {
             effect: Effect.ALLOW,
             actions: ["ssm:GetParameter", "ssm:GetParameters"],
             resources: [
-                `arn:aws:ssm:${Stack.of(this).region}:*:parameter${scopedPath}`
+                `arn:${Stack.of(this).partition}:ssm:${Stack.of(this).region}:${Stack.of(this).account}:parameter${scopedPath}`
             ]
         }));
         this.addToRolePolicy(new PolicyStatement({

package/dist/lib/resources/aws/secrets/parameter.js

@@ -1,4 +1,4 @@
-import { aws_ssm as ssm } from "aws-cdk-lib";
+import { aws_ssm as ssm, Stack } from "aws-cdk-lib";
 import { PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
 import { Construct } from "constructs";
@@ -73,7 +73,7 @@ export class SecureStringParameter extends Construct {
                 new PolicyStatement({
                     actions: ["kms:Encrypt"],
                     resources: [
-                        `arn:aws:kms:${props.region}:${props.accountId}:key/${this.cmk.key.keyId}`
+                        `arn:${Stack.of(this).partition}:kms:${props.region}:${props.accountId}:key/${this.cmk.key.keyId}`
                     ]
                 }),
                 new PolicyStatement({
@@ -85,7 +85,7 @@ export class SecureStringParameter extends Construct {
                         "logs:PutRetentionPolicy"
                     ],
                     resources: [
-                        `arn:aws:ssm:${props.region}:${props.accountId}:parameter${props.name}`
+                        `arn:${Stack.of(this).partition}:ssm:${props.region}:${props.accountId}:parameter${props.name}`
                     ]
                 })
             ])

package/dist/lib/resources/aws/secrets/secret.d.ts

@@ -24,20 +24,41 @@ interface SecretProps {
     /** Set to true to import an existing secret instead of creating a new one (for replicated secrets) */
     importExisting?: boolean;
 }
+/**
+ * Reference to an existing (externally-managed) Secrets Manager secret.
+ *
+ * Provide EXACTLY ONE of `name` (the common case — resolved to its complete ARN at
+ * deploy time, see {@link resolveImportedSecret}) or `arn` (a complete-ARN escape
+ * hatch for cross-account/region secrets the deploy identity cannot DescribeSecret).
+ */
 export type SecretImport = {
-    /**
-     * Secret ID
-     */
+    /** Construct ID for the imported secret. */
     id: string;
-    /**
-     * Secret name
-     */
-    name: string;
-    /**
-     * Optional - may be used to import a specific field from the secret
-     */
+    /** Optional — import a single JSON field from the secret. */
     field?: string;
-};
+} & ({
+    name: string;
+    arn?: undefined;
+} | {
+    arn: string;
+    name?: undefined;
+});
+/**
+ * Resolves an imported (externally-managed) Secrets Manager secret to an `ISecret`
+ * whose ARN is COMPLETE (with the AWS 6-char suffix) wherever possible.
+ *
+ * `Secret.fromSecretNameV2` renders a SUFFIXLESS partial ARN into the ECS container
+ * `valueFrom`, which real Secrets Manager rejects with AccessDenied at task launch (the
+ * 2026-06-04 outage). `fromSecretCompleteArn` renders the full ARN AND an exact-ARN
+ * `grantRead`, which authorises. The full ARN is obtained three ways, in order:
+ *   1. an explicit `arn` on the import (cross-account/region escape hatch);
+ *   2. the `fjallResolvedSecretArns` context map injected by @fjall/deploy-core, which
+ *      DescribeSecret-resolves every name -> full ARN at deploy time;
+ *   3. fallback to `fromSecretNameV2` ONLY when neither is present — i.e. offline
+ *      `cdk synth` for template generation. A real deploy ALWAYS runs deploy-core's
+ *      resolution, so the suffixless shape never reaches a deployed task-def.
+ */
+export declare function resolveImportedSecret(scope: Construct, id: string, secretImport: SecretImport): ISecret;
 export declare class Secret extends Construct {
     id: string;
     readonly secret: ISecret;

package/dist/lib/resources/aws/secrets/secret.js

@@ -2,6 +2,59 @@ import { SecretValue } from "aws-cdk-lib";
 import { Secret as CdkSecret } from "aws-cdk-lib/aws-secretsmanager";
 import { Construct } from "constructs";
 import { CustomerManagedKey } from "./kms.js";
+/**
+ * Context key carrying the deploy-time `secretName -> completeArn` map. Written by
+ * @fjall/deploy-core (`CdkArgumentBuilder.buildContextArgs` emits
+ * `-c fjallResolvedSecretArns=<json>`); read here. Keep the literal in sync with that
+ * canonical writer — matches the `ipamPoolId` / `orgConfig` literal-key house style.
+ */
+const RESOLVED_SECRET_ARNS_CONTEXT_KEY = "fjallResolvedSecretArns";
+function isStringRecord(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        !Array.isArray(value) &&
+        Object.values(value).every((entry) => typeof entry === "string"));
+}
+function readResolvedSecretArn(scope, secretName) {
+    const raw = scope.node.tryGetContext(RESOLVED_SECRET_ARNS_CONTEXT_KEY);
+    if (typeof raw !== "string" || raw === "")
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+    if (!isStringRecord(parsed))
+        return undefined;
+    return parsed[secretName];
+}
+/**
+ * Resolves an imported (externally-managed) Secrets Manager secret to an `ISecret`
+ * whose ARN is COMPLETE (with the AWS 6-char suffix) wherever possible.
+ *
+ * `Secret.fromSecretNameV2` renders a SUFFIXLESS partial ARN into the ECS container
+ * `valueFrom`, which real Secrets Manager rejects with AccessDenied at task launch (the
+ * 2026-06-04 outage). `fromSecretCompleteArn` renders the full ARN AND an exact-ARN
+ * `grantRead`, which authorises. The full ARN is obtained three ways, in order:
+ *   1. an explicit `arn` on the import (cross-account/region escape hatch);
+ *   2. the `fjallResolvedSecretArns` context map injected by @fjall/deploy-core, which
+ *      DescribeSecret-resolves every name -> full ARN at deploy time;
+ *   3. fallback to `fromSecretNameV2` ONLY when neither is present — i.e. offline
+ *      `cdk synth` for template generation. A real deploy ALWAYS runs deploy-core's
+ *      resolution, so the suffixless shape never reaches a deployed task-def.
+ */
+export function resolveImportedSecret(scope, id, secretImport) {
+    if (secretImport.arn !== undefined) {
+        return CdkSecret.fromSecretCompleteArn(scope, id, secretImport.arn);
+    }
+    const resolvedArn = readResolvedSecretArn(scope, secretImport.name);
+    if (resolvedArn !== undefined) {
+        return CdkSecret.fromSecretCompleteArn(scope, id, resolvedArn);
+    }
+    return CdkSecret.fromSecretNameV2(scope, id, secretImport.name);
+}
 export class Secret extends Construct {
     id;
     secret;

package/dist/lib/utils/orgConfigParser.js

@@ -1,3 +1,4 @@
+import { VAULT_LOCK_MODES } from "@fjall/util/config";
 import { maskSensitiveOutput } from "@fjall/util";
 import { FjallLogger } from "./validationLogger.js";
 /**
@@ -27,7 +28,14 @@ export function parseOrgConfig(raw) {
                 (item.managed === undefined ||
                     typeof item.managed === "boolean") &&
                 (item.oidcRoleArn === undefined ||
-                    typeof item.oidcRoleArn === "string"))
+                    typeof item.oidcRoleArn ===
+                        "string") &&
+                (item.vaultLock === undefined ||
+                    VAULT_LOCK_MODES.includes(item.vaultLock)) &&
+                (item.acknowledgeImmutableVaultLock ===
+                    undefined ||
+                    typeof item
+                        .acknowledgeImmutableVaultLock === "boolean"))
             : [];
         const primaryRegion = typeof obj.primaryRegion === "string" ? obj.primaryRegion : undefined;
         const secondaryRegions = Array.isArray(obj.secondaryRegions)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.9.1",
+  "version": "2.11.1",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.9.1",
-    "@fjall/util": "^2.9.1",
+    "@fjall/generator": "^2.11.1",
+    "@fjall/util": "^2.11.1",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "a97423cf3df727994364a0907fa2b5c544a86b0d"
+  "gitHead": "69823c3d7f2eacba419657464381119c5b5b5fd6"
 }