@fjall/components-infrastructure 2.9.1 → 2.12.0

package/dist/lib/config/aws/disasterRecovery.js

@@ -54,14 +54,33 @@ export class DisasterRecovery extends Construct {
         const disasterRecoveryVaultArn = disasterRecoveryAccount && disasterRecoveryRegion
             ? `arn:aws:backup:${disasterRecoveryRegion}:${disasterRecoveryAccount.id}:backup-vault:${BACKUP_VAULT_NAME}`
             : undefined;
-        // Compliance accounts get vault locks for protection
-        const lockConfiguration = isComplianceAccount
+        // Compliance accounts default to governance (removable), NOT the
+        // permanently-immutable compliance lock. See
+        // decisions/2026-06-03-backup-vault-lock-mode-by-intent.md.
+        const vaultLock = account?.vaultLock ?? (isComplianceAccount ? "governance" : "none");
+        // Adopt-mode references an already-locked vault and applies no lock config,
+        // so it is exempt from the acknowledgement gate.
+        if (!adoptExistingVault &&
+            vaultLock === "compliance" &&
+            account?.acknowledgeImmutableVaultLock !== true) {
+            throw new Error(`Account "${account?.name ?? props.accountId}" requests vaultLock: ` +
+                `"compliance" (a permanently immutable backup vault) without ` +
+                `acknowledgeImmutableVaultLock: true. After a 3-day cooling-off a ` +
+                `compliance lock cannot be removed by anyone, including AWS or the ` +
+                `root user. Set the acknowledgement explicitly to proceed.`);
+        }
+        const lockConfiguration = vaultLock === "compliance"
             ? {
                 minRetention: VAULT_LOCK.MIN_RETENTION,
                 maxRetention: VAULT_LOCK.MAX_RETENTION,
                 changeableFor: VAULT_LOCK.GRACE_PERIOD
             }
-            : undefined;
+            : vaultLock === "governance"
+                ? {
+                    minRetention: VAULT_LOCK.MIN_RETENTION,
+                    maxRetention: VAULT_LOCK.MAX_RETENTION
+                }
+                : undefined;
         if (adoptExistingVault) {
             this.vaultRef = Vault.fromBackupVaultName(this, "BackupVault", BACKUP_VAULT_NAME);
         }
@@ -138,7 +157,7 @@ export class DisasterRecovery extends Construct {
                 exportName: `${id}ReplicationRegion`
             });
         }
-        if (isComplianceAccount) {
+        if (vaultLock !== "none") {
             new CfnOutput(this, "VaultLockEnabled", {
                 key: "VaultLockEnabled",
                 value: "true",

package/dist/lib/config/aws/ecrDefaultImage.js

@@ -2,7 +2,7 @@ import { Construct } from "constructs";
 import { CodeBuildProject } from "../../resources/aws/utilities/codeBuild.js";
 import { BuildSpec } from "aws-cdk-lib/aws-codebuild";
 import { LogGroup } from "../../resources/aws/logging/logGroup.js";
-import { RemovalPolicy } from "aws-cdk-lib";
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
 import { Role } from "../../resources/aws/iam/role.js";
 import { PolicyDocument, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { EventBusMessaging, EventField } from "../../patterns/aws/messaging.js";
@@ -35,7 +35,7 @@ export class EcrDefaultImage extends Construct {
                                 "ecr:PutImage"
                             ],
                             resources: [
-                                `arn:aws:ecr:${props.region}:${props.accountId}:repository/*`
+                                `arn:${Stack.of(this).partition}:ecr:${props.region}:${props.accountId}:repository/*`
                             ]
                         })
                     ]

package/dist/lib/config/aws/s3BlockPublicAccess.d.ts

@@ -1,9 +1,27 @@
 import { Construct } from "constructs";
+export interface S3BlockPublicAccessProps {
+    /**
+     * Account whose account-level S3 Block Public Access is managed. Taken as a
+     * prop rather than read from `Stack.of(this).account` — that is a synth token
+     * that never matches a provider-account id when looking up config.
+     */
+    accountId: string;
+}
 /**
- * Enables S3 Block Public Access at the account level via a Custom Resource.
- * All four public access flags are set to true (block all public access).
- * Stack deletion does NOT revert this setting — security features are preserved.
+ * Manages account-level S3 Block Public Access via a Custom Resource.
+ *
+ * Off by default: Fjall observes-and-flags exposed buckets through the posture
+ * layer rather than hard-blocking at the account level. Set
+ * `s3BlockPublicAccess: "enforced"` on a provider account to switch all four
+ * flags on. The flags ride in the custom resource's properties (not hardcoded
+ * in the handler) so a config change reconciles on the next deploy. Stack
+ * deletion is a no-op — the account-level setting is left as-is.
+ *
+ * The handler runs under a fixed `/fjall/FjallS3BpaManager` role so the
+ * DenyS3PublicAccessChanges SCP can exempt its PutAccountPublicAccessBlock by
+ * ARN pattern. The role name is account-global, so this construct is created
+ * only in an account's home region (see Account's accountGlobals gate).
  */
 export declare class S3BlockPublicAccess extends Construct {
-    constructor(scope: Construct, id: string);
+    constructor(scope: Construct, id: string, props: S3BlockPublicAccessProps);
 }

package/dist/lib/config/aws/s3BlockPublicAccess.js

@@ -1,23 +1,41 @@
 import { Duration } from "aws-cdk-lib";
 import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
-import { Stack } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { CustomResource } from "../../resources/aws/utilities/customResource.js";
+import { getConfig } from "../../utils/getConfig.js";
 /**
- * Enables S3 Block Public Access at the account level via a Custom Resource.
- * All four public access flags are set to true (block all public access).
- * Stack deletion does NOT revert this setting — security features are preserved.
+ * Manages account-level S3 Block Public Access via a Custom Resource.
+ *
+ * Off by default: Fjall observes-and-flags exposed buckets through the posture
+ * layer rather than hard-blocking at the account level. Set
+ * `s3BlockPublicAccess: "enforced"` on a provider account to switch all four
+ * flags on. The flags ride in the custom resource's properties (not hardcoded
+ * in the handler) so a config change reconciles on the next deploy. Stack
+ * deletion is a no-op — the account-level setting is left as-is.
+ *
+ * The handler runs under a fixed `/fjall/FjallS3BpaManager` role so the
+ * DenyS3PublicAccessChanges SCP can exempt its PutAccountPublicAccessBlock by
+ * ARN pattern. The role name is account-global, so this construct is created
+ * only in an account's home region (see Account's accountGlobals gate).
  */
 export class S3BlockPublicAccess extends Construct {
-    constructor(scope, id) {
+    constructor(scope, id, props) {
         super(scope, id);
+        const account = getConfig().providerAccounts.find((pa) => pa.id === props.accountId);
+        const enforce = (account?.s3BlockPublicAccess ?? "off") === "enforced";
         new CustomResource(this, "S3BlockPublicAccess", {
             runtime: Runtime.NODEJS_22_X,
             timeout: Duration.minutes(5),
-            lambdaDescription: "Enables S3 Block Public Access at account level",
+            lambdaDescription: "Manages S3 Block Public Access at account level",
+            rolePath: "/fjall/",
+            roleName: "FjallS3BpaManager",
             properties: {
-                AccountId: Stack.of(this).account
+                AccountId: props.accountId,
+                BlockPublicAcls: String(enforce),
+                IgnorePublicAcls: String(enforce),
+                BlockPublicPolicy: String(enforce),
+                RestrictPublicBuckets: String(enforce)
             },
             inlinePolicy: [
                 new PolicyStatement({
@@ -32,20 +50,22 @@ export class S3BlockPublicAccess extends Construct {
             inlineCode: `
 const { S3ControlClient, PutPublicAccessBlockCommand } = require('@aws-sdk/client-s3-control');
 
+const toBool = (v) => v === 'true' || v === true;
+
 exports.handler = async (event) => {
   const physicalResourceId = event.PhysicalResourceId || event.LogicalResourceId || 's3-block-public-access';
   if (event.RequestType === 'Delete') {
     return { PhysicalResourceId: physicalResourceId };
   }
-  const accountId = event.ResourceProperties.AccountId;
+  const props = event.ResourceProperties;
   const client = new S3ControlClient({});
   await client.send(new PutPublicAccessBlockCommand({
-    AccountId: accountId,
+    AccountId: props.AccountId,
     PublicAccessBlockConfiguration: {
-      BlockPublicAcls: true,
-      IgnorePublicAcls: true,
-      BlockPublicPolicy: true,
-      RestrictPublicBuckets: true
+      BlockPublicAcls: toBool(props.BlockPublicAcls),
+      IgnorePublicAcls: toBool(props.IgnorePublicAcls),
+      BlockPublicPolicy: toBool(props.BlockPublicPolicy),
+      RestrictPublicBuckets: toBool(props.RestrictPublicBuckets)
     }
   }));
   return { PhysicalResourceId: physicalResourceId };

package/dist/lib/config/aws/scpPreset.js

@@ -5,7 +5,12 @@ import { OrganisationPolicy } from "../../resources/aws/organisation/organisatio
 // default path.
 const EXEMPT_ROLE_PATTERNS = [
     "arn:aws:iam::*:role/fjall/FjallDeploy*",
-    "arn:aws:iam::*:role/OrganizationAccountAccessRole"
+    "arn:aws:iam::*:role/OrganizationAccountAccessRole",
+    // The account-level S3 Block Public Access manager Lambda re-applies BPA on
+    // every deploy; its PutAccountPublicAccessBlock must survive
+    // DenyS3PublicAccessChanges. Pathed under /fjall/ so a member admin cannot
+    // forge an exempt role at the default path.
+    "arn:aws:iam::*:role/fjall/FjallS3BpaManager*"
 ];
 const SCP_BYTE_LIMIT = 5120;
 const IAM_POLICY_VERSION = "2012-10-17";

package/dist/lib/patterns/aws/account.d.ts

@@ -19,6 +19,21 @@ export declare class Account extends Stack {
     readonly organisationType: OrganisationType;
     protected readonly resolvedRegion: string;
     constructor(scope: Construct, id: string, props: AccountProps);
+    /**
+     * Whether this account receives the OIDC deploy connector (provider +
+     * FjallDeploy role) and so can be a deploy target. Standalone/member accounts
+     * do; Platform overrides to opt in. Deliberately separate from the
+     * IPAM-output gate (which stays `this.constructor === Account`) — the two are
+     * independent, and Platform must take one but not the other.
+     */
+    protected receivesDeployRole(): boolean;
+    /**
+     * Whether this account creates the default-ECR-image helper (the CodeBuild
+     * project that seeds a placeholder application image). App-hosting accounts
+     * need it; the organisation root runs no workloads and overrides to `false`.
+     * Deliberately separate from the OIDC/IPAM gates — the axes are independent.
+     */
+    protected createsEcrDefaultImage(): boolean;
     enableGuardDuty(props?: GuardDutyDetectorProps): GuardDutyDetector;
     enableSecurityHub(props?: SecurityHubHubProps): SecurityHubHub;
     enableConfigRecorder(props?: ConfigRecorderProps): ConfigRecorder;

package/dist/lib/patterns/aws/account.js

@@ -59,7 +59,7 @@ export class Account extends Stack {
         // (OIDC provider/role, FjallMonitoring, FjallAudit) have fixed names that
         // collide across regions, so they are created only in the home region.
         const accountGlobalsConfigured = this.node.tryGetContext("fjallAccountGlobalsConfigured") === "true";
-        if (isStandaloneAccount &&
+        if (this.receivesDeployRole() &&
             fjallOrgId &&
             !oidcAlreadyConfigured &&
             !accountGlobalsConfigured) {
@@ -75,10 +75,12 @@ export class Account extends Stack {
             accountId: this.account,
             region: this.resolvedRegion
         });
-        new EcrDefaultImage(this, "EcrDefaultImage", {
-            region: this.resolvedRegion,
-            accountId: this.account
-        });
+        if (this.createsEcrDefaultImage()) {
+            new EcrDefaultImage(this, "EcrDefaultImage", {
+                region: this.resolvedRegion,
+                accountId: this.account
+            });
+        }
         const environment = config.environment ?? "unknown";
         if (config.disasterRecoveryRegion) {
             const isComplianceAccount = environment === "compliance";
@@ -95,9 +97,33 @@ export class Account extends Stack {
             exportName: "Environment",
             description: "Environment type for this account (e.g., production, staging, development)"
         });
-        new S3BlockPublicAccess(this, "S3BlockPublicAccess");
+        // Account-level S3 Block Public Access is account-global and runs under a
+        // fixed-name role, so (like the OIDC/Monitoring/Audit globals above) it is
+        // created only in the home region to avoid a cross-region role collision.
+        if (!accountGlobalsConfigured) {
+            new S3BlockPublicAccess(this, "S3BlockPublicAccess", { accountId });
+        }
         new EbsDefaultEncryption(this, "EbsDefaultEncryption");
     }
+    /**
+     * Whether this account receives the OIDC deploy connector (provider +
+     * FjallDeploy role) and so can be a deploy target. Standalone/member accounts
+     * do; Platform overrides to opt in. Deliberately separate from the
+     * IPAM-output gate (which stays `this.constructor === Account`) — the two are
+     * independent, and Platform must take one but not the other.
+     */
+    receivesDeployRole() {
+        return this.constructor === Account;
+    }
+    /**
+     * Whether this account creates the default-ECR-image helper (the CodeBuild
+     * project that seeds a placeholder application image). App-hosting accounts
+     * need it; the organisation root runs no workloads and overrides to `false`.
+     * Deliberately separate from the OIDC/IPAM gates — the axes are independent.
+     */
+    createsEcrDefaultImage() {
+        return true;
+    }
     enableGuardDuty(props) {
         return new GuardDutyDetector(this, "GuardDuty", props);
     }

package/dist/lib/patterns/aws/buildkite.js

@@ -130,7 +130,7 @@ export class Buildkite extends Stack {
                         new PolicyStatement({
                             actions: ["ssm:GetParameter"],
                             resources: [
-                                `arn:aws:ssm:${props.env?.region}:${props.env?.account}:parameter${agentToken.name}`
+                                `arn:${this.partition}:ssm:${this.region}:${this.account}:parameter${agentToken.name}`
                             ]
                         })
                     ]

package/dist/lib/patterns/aws/clickhouseDatabase.js

@@ -498,6 +498,7 @@ export class ClickHouseDatabase extends Construct {
         ].join("\n");
         const region = Stack.of(this).region;
         const account = Stack.of(this).account;
+        const partition = Stack.of(this).partition;
         const reloadParameters = {
             DocumentName: "AWS-RunShellScript",
             Targets: [
@@ -528,13 +529,15 @@ export class ClickHouseDatabase extends Construct {
             policy: AwsCustomResourcePolicy.fromStatements([
                 new PolicyStatement({
                     actions: ["ssm:SendCommand"],
-                    resources: [`arn:aws:ssm:${region}::document/AWS-RunShellScript`]
+                    resources: [
+                        `arn:${partition}:ssm:${region}::document/AWS-RunShellScript`
+                    ]
                 }),
                 // Keep this statement separate — merging into the document statement
                 // would drop the tag condition (IAM conditions are per-statement).
                 new PolicyStatement({
                     actions: ["ssm:SendCommand"],
-                    resources: [`arn:aws:ec2:${region}:${account}:instance/*`],
+                    resources: [`arn:${partition}:ec2:${region}:${account}:instance/*`],
                     conditions: {
                         StringEquals: {
                             [`aws:ResourceTag/${CLICKHOUSE_SERVER_ROLE_TAG.key}`]: CLICKHOUSE_SERVER_ROLE_TAG.value

package/dist/lib/patterns/aws/compute.d.ts

@@ -1,5 +1,6 @@
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { type Construct } from "constructs";
+import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import { type ComputeType, type IEcsCompute, type ILambdaCompute, type IEc2Compute, type AnyCompute, isCompute, isEcsCompute, isLambdaCompute, isEc2Compute } from "./interfaces/compute.js";
 import type App from "../../app.js";
 import { EcsCompute, type EcsComputeProps, type EcsServiceConfig, type EcsContainerConfig, type EcsScalingConfig, type EcsClusterConfig, type EcsRoutingConfig, type EcsCapacityProviderConfig, type ContainerDependency, type EcsMigrationsConfig, ECS_CAPACITY_PROVIDER_CONFIG, getEcsCapacityProviderConfig, ScalingType, type EcsCapacityProvider, type Ec2CapacityConfig, validateEcsProps, buildContainerConfigs, expandMigrationsSugar, type ResolvedScalingConfig, resolveScalingConfig } from "./computeEcs.js";
@@ -22,6 +23,27 @@ export interface ComputeTypeConfig {
     requiresVpc: boolean;
 }
 export declare const COMPUTE_TYPE_CONFIG: Record<ComputeType, ComputeTypeConfig>;
+/**
+ * Collect literal externally-managed Secrets Manager import names from a
+ * `secretsImport` map into `acc`, for the manifest's `importedSecretNames`.
+ *
+ * Excludes two shapes deploy-core must NOT DescribeSecret-resolve:
+ *   - the `{ arn }` escape hatch (already a complete ARN, possibly cross-account,
+ *     which the fail-closed resolver would abort on);
+ *   - CDK-managed token names (a `getImport()` of a managed/cross-stack secret),
+ *     which render as an intrinsic, not a literal `fromSecretNameV2` import, and
+ *     cannot be resolved by name at deploy time.
+ * What remains is the literal-name set of the passed `secretsImport` map. NB this is
+ * narrower than the deleted template scanner, which walked every
+ * `AWS::ECS::TaskDefinition`: a secret declared via raw `EcsSecret.fromSecretsManager(...)`
+ * outside a `secretsImport` block (e.g. a scheduled task) is not collected here. No
+ * current consumer constructs one — revisit if that changes.
+ *
+ * Shared with computeEcs.ts: the contributor-merge outage guard reconstructs the
+ * service's emitted manifest name-set with this same helper so its "is this literal
+ * deploy-resolvable?" test stays byte-identical to what the factory actually wrote.
+ */
+export declare function collectImportedSecretNames(secretsImport: Record<string, SecretImport> | undefined, acc: Set<string>): void;
 /**
  * Default values for compute resource configuration.
  * Centralised constants to ensure consistency across the codebase.

package/dist/lib/patterns/aws/compute.js

@@ -1,3 +1,4 @@
+import { Token } from "aws-cdk-lib";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { isCompute, isEcsCompute, isLambdaCompute, isEc2Compute } from "./interfaces/compute.js";
 import { warnIfPropertiesIgnored } from "../../utils/validationLogger.js";
@@ -31,6 +32,33 @@ export const COMPUTE_TYPE_CONFIG = {
         requiresVpc: false
     }
 };
+/**
+ * Collect literal externally-managed Secrets Manager import names from a
+ * `secretsImport` map into `acc`, for the manifest's `importedSecretNames`.
+ *
+ * Excludes two shapes deploy-core must NOT DescribeSecret-resolve:
+ *   - the `{ arn }` escape hatch (already a complete ARN, possibly cross-account,
+ *     which the fail-closed resolver would abort on);
+ *   - CDK-managed token names (a `getImport()` of a managed/cross-stack secret),
+ *     which render as an intrinsic, not a literal `fromSecretNameV2` import, and
+ *     cannot be resolved by name at deploy time.
+ * What remains is the literal-name set of the passed `secretsImport` map. NB this is
+ * narrower than the deleted template scanner, which walked every
+ * `AWS::ECS::TaskDefinition`: a secret declared via raw `EcsSecret.fromSecretsManager(...)`
+ * outside a `secretsImport` block (e.g. a scheduled task) is not collected here. No
+ * current consumer constructs one — revisit if that changes.
+ *
+ * Shared with computeEcs.ts: the contributor-merge outage guard reconstructs the
+ * service's emitted manifest name-set with this same helper so its "is this literal
+ * deploy-resolvable?" test stays byte-identical to what the factory actually wrote.
+ */
+export function collectImportedSecretNames(secretsImport, acc) {
+    for (const si of Object.values(secretsImport ?? {})) {
+        if (si.name !== undefined && !Token.isUnresolved(si.name)) {
+            acc.add(si.name);
+        }
+    }
+}
 /**
  * Default values for compute resource configuration.
  * Centralised constants to ensure consistency across the codebase.
@@ -149,16 +177,25 @@ export class ComputeFactory {
                         }
                         // Aggregate secrets from all containers (deduplicated)
                         const allSecrets = new Set();
+                        const importedSecretNames = new Set();
                         for (const container of service.containers ?? []) {
                             if (container.secrets) {
                                 for (const secret of container.secrets) {
                                     allSecrets.add(secret);
                                 }
                             }
+                            collectImportedSecretNames(container.secretsImport, importedSecretNames);
                         }
+                        // The synthetic migrate container resolves imports from its own
+                        // `migrations.secretsImport` (the primary's are collected above).
+                        collectImportedSecretNames(service.migrations?.secretsImport, importedSecretNames);
                         if (allSecrets.size > 0) {
                             manifestService.secrets = Array.from(allSecrets);
                         }
+                        if (importedSecretNames.size > 0) {
+                            manifestService.importedSecretNames =
+                                Array.from(importedSecretNames);
+                        }
                         // Include ssmSecretsPath (explicit or derived)
                         manifestService.ssmSecretsPath =
                             service.ssmSecretsPath ??
@@ -186,6 +223,11 @@ export class ComputeFactory {
                         lambdaComputeProps.secrets.length > 0) {
                         manifestLambda.secrets = lambdaComputeProps.secrets;
                     }
+                    const lambdaImportedSecretNames = new Set();
+                    collectImportedSecretNames(lambdaComputeProps.secretsImport, lambdaImportedSecretNames);
+                    if (lambdaImportedSecretNames.size > 0) {
+                        manifestLambda.importedSecretNames = Array.from(lambdaImportedSecretNames);
+                    }
                     collector.addLambda(manifestLambda);
                     return new LambdaCompute(scope, id, lambdaComputeProps);
                 }

package/dist/lib/patterns/aws/computeEcs.d.ts

@@ -8,7 +8,7 @@ import { type SecretImport } from "../../resources/aws/secrets/index.js";
 import EcsCluster, { type EcsClusterProps } from "../../resources/aws/compute/ecs.js";
 export { ScalingType } from "./computeEcsTypes.js";
 export type { EcsCapacityProvider, Ec2CapacityConfig, RemoteConnectionSpec, EcsCapacityProviderConfig, EcsContainerConfig, ContainerDependency, ContainerVolume, EcsScheduledTaskConfig, EcsLifecycleHookMigrationsConfig, EcsPostDeployMigrationsConfig, EcsHookMigrationsConfig, EcsMigrationsConfig, EcsMigrationsMode, EcsCircuitBreakerConfig, EcsScalingConfig, EcsClusterConfig, EcsRoutingConfig, EcsServiceConfig, EcsComputeProps } from "./computeEcsTypes.js";
-import { ScalingType, type EcsCapacityProviderConfig, type EcsCapacityProvider, type EcsContainerConfig, type EcsScalingConfig, type EcsServiceConfig, type EcsComputeProps } from "./computeEcsTypes.js";
+import { ScalingType, type EcsCapacityProviderConfig, type EcsCapacityProvider, type EcsContainerConfig, type EcsScalingConfig, type EcsServiceConfig, type EcsComputeProps, type QueueScalingConfig } from "./computeEcsTypes.js";
 export declare const ECS_CAPACITY_PROVIDER_CONFIG: Record<EcsCapacityProvider, EcsCapacityProviderConfig>;
 export declare function getEcsCapacityProviderConfig(provider: EcsCapacityProvider): EcsCapacityProviderConfig;
 /**
@@ -61,6 +61,7 @@ export interface ResolvedScalingConfig {
     scalingType: ScalingType | undefined;
     minCapacity: number | undefined;
     maxCapacity: number | undefined;
+    queueScaling: QueueScalingConfig | undefined;
 }
 /**
  * Resolve scaling configuration from service props.

package/dist/lib/patterns/aws/computeEcs.js

@@ -1,15 +1,15 @@
 import { AwsLogDriver, ContainerImage, DeploymentLifecycleStage, Secret as EcsSecret } from "aws-cdk-lib/aws-ecs";
 import { Peer, Port, SubnetType } from "aws-cdk-lib/aws-ec2";
 import { Effect, Grant, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
-import { Annotations, Stack } from "aws-cdk-lib";
+import { Annotations, Stack, Token } from "aws-cdk-lib";
 import { RetentionDays } from "aws-cdk-lib/aws-logs";
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { StringParameter } from "aws-cdk-lib/aws-ssm";
 import { Construct } from "constructs";
 import { resolveAlertsTopic } from "../../utils/resolveAlertsTopic.js";
 import { EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, EXPECTED_CH_SCHEMA_VERSION_ENV, isClickHouseDatabase, isDatabase, isRelationalDatabase } from "./interfaces/database.js";
 import { isConnectionConfig } from "../../utils/connector.js";
 import { isMigrationContributor } from "./interfaces/migrationContributor.js";
+import { resolveImportedSecret } from "../../resources/aws/secrets/index.js";
 import App from "../../app.js";
 import EcsCluster from "../../resources/aws/compute/ecs.js";
 import { createScheduledTaskDefinition, createMigrationTaskDefinition } from "../../resources/aws/compute/ecsTaskDefinition.js";
@@ -22,7 +22,7 @@ import { vpcHasNatGateways } from "../../utils/vpcUtils.js";
 import { toPascalCase } from "../../utils/capitaliseString.js";
 import { FjallLogger } from "../../utils/validationLogger.js";
 import { VALIDATION_PATTERNS } from "@fjall/generator";
-import { COMPUTE_DEFAULTS } from "./compute.js";
+import { COMPUTE_DEFAULTS, collectImportedSecretNames } from "./compute.js";
 import { isHookMigrations } from "./computeEcsTypes.js";
 export { ScalingType } from "./computeEcsTypes.js";
 import { ScalingType } from "./computeEcsTypes.js";
@@ -373,6 +373,13 @@ function collectMigrationContributions(service) {
         }
         if (contribution.secretsImport !== undefined) {
             for (const [key, value] of Object.entries(contribution.secretsImport)) {
+                // The literal-external-name outage guard runs POST-merge in
+                // `wireLifecycleHookMigrations`, not here: a literal a contributor supplies
+                // can be legitimately overridden by the author (`migrations.secretsImport.<key>
+                // = { arn }`) or coincide with a manifest-collected service import, both of
+                // which deploy fine. Throwing pre-merge here would pre-empt those escapes
+                // (the 2026-06-04 outage shape is only reachable if the merged literal is
+                // ALSO absent from the deploy manifest — checked once the merge has settled).
                 const prior = secretOrigin.get(key);
                 if (prior !== undefined &&
                     merged.secretsImport[key]?.name !== value.name) {
@@ -454,6 +461,45 @@ function mergeContributionsIntoSeparateTaskDef(separateTaskDef, contributions) {
         ...(mergedEgress.length > 0 && { egressTo: mergedEgress })
     };
 }
+/**
+ * Outage guard (2026-06-04): a literal (non-token) secret NAME in the migrate task's
+ * merged `secretsImport` renders a suffixless partial ARN that AccessDenies at task
+ * launch UNLESS @fjall/deploy-core resolves it to a complete ARN. deploy-core resolves
+ * exactly the names the build manifest carries in `importedSecretNames` — which the
+ * factory (compute.ts) collects from the service's own container + author-declared
+ * `migrations.secretsImport`, but NOT from contributor-derived credentials (merged AFTER
+ * the manifest was written). So a merged literal absent from that name-set is
+ * unresolvable and would ship the outage shape; fail loud at synth instead.
+ *
+ * Passes (correctly): an author `{ arn }` override (complete ARN, no name to resolve), a
+ * managed `getImport()` token (`Token.isUnresolved`), and a contributor literal that
+ * COINCIDES with a manifest-collected service import (deploy-core resolves it anyway).
+ * The reconstruction here reuses the factory's own `collectImportedSecretNames`, so the
+ * name-set stays identical to what was actually written.
+ */
+function assertMigrationSecretsResolvable(service, effectiveMigrations) {
+    const manifestResolvableNames = new Set();
+    for (const container of service.containers ?? []) {
+        collectImportedSecretNames(container.secretsImport, manifestResolvableNames);
+    }
+    collectImportedSecretNames(service.migrations?.secretsImport, manifestResolvableNames);
+    for (const [key, value] of Object.entries(effectiveMigrations.secretsImport ?? {})) {
+        if (value.name !== undefined &&
+            !Token.isUnresolved(value.name) &&
+            !manifestResolvableNames.has(value.name)) {
+            throw new Error(`Service '${service.name}': migration secretsImport '${key}' resolves to the ` +
+                `literal external secret name '${value.name}', contributed by a connected ` +
+                `database but neither declared on the service nor present in the deploy ` +
+                `manifest — deploy-core never resolves it to a complete ARN, so it renders a ` +
+                `suffixless partial ARN that AccessDenies at task launch (the 2026-06-04 ` +
+                `outage shape). This usually means the migration task targets a database whose ` +
+                `credentials are an imported/replicated secret (e.g. a GlobalAurora read-only ` +
+                `secondary). Run migrations against the primary region (a read-only secondary ` +
+                `cannot accept schema migrations), or pin the credential on the service: ` +
+                `migrations.secretsImport.${key} = { arn: "<complete-secret-arn>" }.`);
+        }
+    }
+}
 /**
  * Build container configurations for an ECS service.
  * Converts user-facing EcsContainerConfig to internal EcsClusterProps format.
@@ -607,20 +653,23 @@ export function resolveScalingConfig(scaling) {
         return {
             scalingType: undefined,
             minCapacity: undefined,
-            maxCapacity: undefined
+            maxCapacity: undefined,
+            queueScaling: undefined
         };
     }
     if (scaling === undefined) {
         return {
             scalingType: ScalingType.CPU,
             minCapacity: undefined,
-            maxCapacity: undefined
+            maxCapacity: undefined,
+            queueScaling: undefined
         };
     }
     return {
         scalingType: scaling.scalingType ?? ScalingType.CPU,
         minCapacity: scaling.minCapacity,
-        maxCapacity: scaling.maxCapacity
+        maxCapacity: scaling.maxCapacity,
+        queueScaling: scaling.queueScaling
     };
 }
 /**
@@ -643,7 +692,7 @@ export class EcsCompute extends Construct {
             const schemaVersionEnv = this.resolveSchemaVersionEnv(service);
             const chGate = this.resolveClickHouseSchemaVersionEnv(service);
             const containers = buildContainerConfigs(service, schemaVersionEnv, this, chGate);
-            const { scalingType, minCapacity, maxCapacity } = resolveScalingConfig(service.scaling);
+            const { scalingType, minCapacity, maxCapacity, queueScaling } = resolveScalingConfig(service.scaling);
             const cloudMapService = service.serviceDiscovery !== undefined
                 ? App.getInstance().registerService({
                     name: service.serviceDiscovery.name,
@@ -662,6 +711,7 @@ export class EcsCompute extends Construct {
                 scalingType,
                 minCapacity,
                 maxCapacity,
+                ...(queueScaling !== undefined && { queueScaling }),
                 routing: service.routing,
                 taskRoleInlinePolicies: service.taskRoleInlinePolicies,
                 taskRoleManagedPolicies: service.taskRoleManagedPolicies,
@@ -894,6 +944,7 @@ export class EcsCompute extends Construct {
             }
             const contributions = collectMigrationContributions(svcConfig);
             const effectiveMigrations = mergeContributionsIntoMigrations(migrations, contributions, this, svcConfig.name);
+            assertMigrationSecretsResolvable(svcConfig, effectiveMigrations);
             const effectiveSeparateTaskDef = migrations.separateTaskDef !== undefined
                 ? mergeContributionsIntoSeparateTaskDef(migrations.separateTaskDef, contributions)
                 : undefined;
@@ -1001,7 +1052,7 @@ export class EcsCompute extends Construct {
             executionRole,
             taskRole
         });
-        const { secretsResolved, secretArns, ssmPath } = this.resolveMigrationSecrets(svcConfig, migrations, idPrefix);
+        const { secretsResolved, hasSecretsManagerSecrets, ssmPath } = this.resolveMigrationSecrets(svcConfig, migrations, idPrefix);
         const authoredEnvironment = migrations.environment ?? {};
         const containerEnvironment = {
             ...authoredEnvironment
@@ -1027,16 +1078,9 @@ export class EcsCompute extends Construct {
                 logGroup
             })
         });
-        if (secretArns.length > 0) {
-            executionRole.addToPolicy(new PolicyStatement({
-                effect: Effect.ALLOW,
-                actions: [
-                    "secretsmanager:GetSecretValue",
-                    "secretsmanager:DescribeSecret"
-                ],
-                resources: secretArns
-            }));
-        }
+        // Gotcha: no manual `secretsImport` grant — `addContainer({ secrets })` auto-grants
+        // `secret.grantRead(executionRole)` on the resolved complete ARN (exact, no wildcard).
+        // A manual bare/`-*` statement is the 2026-06-04 outage shape; do not re-add it.
         if (ssmPath !== undefined) {
             executionRole.addToPolicy(new PolicyStatement({
                 effect: Effect.ALLOW,
@@ -1046,7 +1090,7 @@ export class EcsCompute extends Construct {
                 ]
             }));
         }
-        if (secretArns.length > 0 || ssmPath !== undefined) {
+        if (hasSecretsManagerSecrets || ssmPath !== undefined) {
             executionRole.addToPolicy(new PolicyStatement({
                 effect: Effect.ALLOW,
                 actions: ["kms:Decrypt"],
@@ -1095,14 +1139,13 @@ export class EcsCompute extends Construct {
         };
     }
     resolveMigrationSecrets(svcConfig, migrations, idPrefix) {
-        const stack = Stack.of(this);
         const secretsResolved = {};
-        const secretArns = [];
+        const hasSecretsManagerSecrets = migrations.secretsImport !== undefined &&
+            Object.keys(migrations.secretsImport).length > 0;
         if (migrations.secretsImport) {
             for (const [key, secretImport] of Object.entries(migrations.secretsImport)) {
-                const secret = Secret.fromSecretNameV2(this, `${idPrefix}${key}Secret`, secretImport.name);
+                const secret = resolveImportedSecret(this, `${idPrefix}${key}Secret`, secretImport);
                 secretsResolved[key] = EcsSecret.fromSecretsManager(secret, secretImport.field);
-                secretArns.push(`arn:${stack.partition}:secretsmanager:${stack.region}:${stack.account}:secret:${secretImport.name}-*`);
             }
         }
         let ssmPath;
@@ -1123,7 +1166,7 @@ export class EcsCompute extends Construct {
                 secretsResolved[secretName] = EcsSecret.fromSsmParameter(param);
             }
         }
-        return { secretsResolved, secretArns, ssmPath };
+        return { secretsResolved, hasSecretsManagerSecrets, ssmPath };
     }
     /** Get the ECS cluster. */
     getCluster() {