@fjall/components-infrastructure 2.9.1 → 2.12.0

package/dist/lib/resources/aws/compute/lambda.d.ts

@@ -15,6 +15,17 @@ export interface LambdaFunctionProps {
     handler: string;
     lambdaDescription?: string;
     roleDescription?: string;
+    /**
+     * Fixed IAM path for the auto-generated execution role (e.g. "/fjall/").
+     * Used with roleName to produce an SCP-exemptable ARN.
+     */
+    rolePath?: string;
+    /**
+     * Fixed name for the auto-generated execution role. Account-global — only set
+     * on a Lambda confined to one (account, region) stack, else regional
+     * duplicates collide on the role name.
+     */
+    roleName?: string;
     runtime: Runtime;
     /** Lambda CPU architecture. Default: x86_64 */
     architecture?: Architecture;

package/dist/lib/resources/aws/compute/lambda.js

@@ -8,9 +8,9 @@ import { EventType } from "aws-cdk-lib/aws-s3";
 import { PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
 import { RetentionDays } from "aws-cdk-lib/aws-logs";
 import { LogGroup } from "../logging/logGroup.js";
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
 import { v4 as uuid } from "uuid";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
+import { resolveImportedSecret } from "../secrets/index.js";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
 import { resolvePrivateSubnetType } from "../../../utils/vpcUtils.js";
 import { createLambdaAlarms } from "../monitoring/index.js";
@@ -31,6 +31,24 @@ function applyRoleDescription(fn, description) {
     if (cfnRole !== undefined)
         cfnRole.description = description;
 }
+/**
+ * Pin a fixed IAM path and/or name onto CDK's auto-generated Lambda execution
+ * role. Reaches the L1 CfnRole (FunctionProps exposes neither) so a stable,
+ * predictable ARN can be matched by an SCP exemption pattern. A fixed name is
+ * account-global, so only set one on a Lambda that lives in a single
+ * (account, region) stack — never one duplicated across regions.
+ */
+function applyRolePathAndName(fn, rolePath, roleName) {
+    if (rolePath === undefined && roleName === undefined)
+        return;
+    const cfnRole = fn.role?.node.defaultChild;
+    if (cfnRole === undefined)
+        return;
+    if (rolePath !== undefined)
+        cfnRole.path = rolePath;
+    if (roleName !== undefined)
+        cfnRole.roleName = roleName;
+}
 /**
  * AWS Parameters and Secrets Lambda Extension configuration.
  * @see https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html
@@ -61,6 +79,7 @@ export class SingletonFunction extends singletonFunction {
         });
         addPoliciesToRole(this, props.inlinePolicy);
         applyRoleDescription(this, props.roleDescription);
+        applyRolePathAndName(this, props.rolePath, props.roleName);
     }
     /**
      * The Lambda's execution role (auto-generated by CDK)
@@ -91,6 +110,7 @@ export class LambdaFunction extends Function {
         });
         addPoliciesToRole(this, props.inlinePolicy);
         applyRoleDescription(this, props.roleDescription);
+        applyRolePathAndName(this, props.rolePath, props.roleName);
         this.addSecretsSupport(props.secrets, props.ssmSecretsPath, props.secretsImport, props.appName, props.functionName, props.architecture);
         // Sanitise id for CloudFormation output keys (must be alphanumeric)
         const outputName = toPascalCase(id);
@@ -250,7 +270,7 @@ export class LambdaFunction extends Function {
      */
     addSecretsManagerSupport(secretsImport) {
         for (const [key, secretImport] of Object.entries(secretsImport)) {
-            const secret = Secret.fromSecretNameV2(this, `${this.node.id}ImportedSecret${key}`, secretImport.name);
+            const secret = resolveImportedSecret(this, `${this.node.id}ImportedSecret${key}`, secretImport);
             this.addEnvironment(`${key}_SECRET_ARN`, secret.secretArn);
             if (secretImport.field) {
                 this.addEnvironment(`${key}_SECRET_FIELD`, secretImport.field);
@@ -281,7 +301,7 @@ export class LambdaFunction extends Function {
             effect: Effect.ALLOW,
             actions: ["ssm:GetParameter", "ssm:GetParameters"],
             resources: [
-                `arn:aws:ssm:${Stack.of(this).region}:*:parameter${scopedPath}`
+                `arn:${Stack.of(this).partition}:ssm:${Stack.of(this).region}:${Stack.of(this).account}:parameter${scopedPath}`
             ]
         }));
         this.addToRolePolicy(new PolicyStatement({

package/dist/lib/resources/aws/secrets/parameter.js

@@ -1,4 +1,4 @@
-import { aws_ssm as ssm } from "aws-cdk-lib";
+import { aws_ssm as ssm, Stack } from "aws-cdk-lib";
 import { PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
 import { Construct } from "constructs";
@@ -73,7 +73,7 @@ export class SecureStringParameter extends Construct {
                 new PolicyStatement({
                     actions: ["kms:Encrypt"],
                     resources: [
-                        `arn:aws:kms:${props.region}:${props.accountId}:key/${this.cmk.key.keyId}`
+                        `arn:${Stack.of(this).partition}:kms:${props.region}:${props.accountId}:key/${this.cmk.key.keyId}`
                     ]
                 }),
                 new PolicyStatement({
@@ -85,7 +85,7 @@ export class SecureStringParameter extends Construct {
                         "logs:PutRetentionPolicy"
                     ],
                     resources: [
-                        `arn:aws:ssm:${props.region}:${props.accountId}:parameter${props.name}`
+                        `arn:${Stack.of(this).partition}:ssm:${props.region}:${props.accountId}:parameter${props.name}`
                     ]
                 })
             ])

package/dist/lib/resources/aws/secrets/secret.d.ts

@@ -24,20 +24,41 @@ interface SecretProps {
     /** Set to true to import an existing secret instead of creating a new one (for replicated secrets) */
     importExisting?: boolean;
 }
+/**
+ * Reference to an existing (externally-managed) Secrets Manager secret.
+ *
+ * Provide EXACTLY ONE of `name` (the common case — resolved to its complete ARN at
+ * deploy time, see {@link resolveImportedSecret}) or `arn` (a complete-ARN escape
+ * hatch for cross-account/region secrets the deploy identity cannot DescribeSecret).
+ */
 export type SecretImport = {
-    /**
-     * Secret ID
-     */
+    /** Construct ID for the imported secret. */
     id: string;
-    /**
-     * Secret name
-     */
-    name: string;
-    /**
-     * Optional - may be used to import a specific field from the secret
-     */
+    /** Optional — import a single JSON field from the secret. */
     field?: string;
-};
+} & ({
+    name: string;
+    arn?: undefined;
+} | {
+    arn: string;
+    name?: undefined;
+});
+/**
+ * Resolves an imported (externally-managed) Secrets Manager secret to an `ISecret`
+ * whose ARN is COMPLETE (with the AWS 6-char suffix) wherever possible.
+ *
+ * `Secret.fromSecretNameV2` renders a SUFFIXLESS partial ARN into the ECS container
+ * `valueFrom`, which real Secrets Manager rejects with AccessDenied at task launch (the
+ * 2026-06-04 outage). `fromSecretCompleteArn` renders the full ARN AND an exact-ARN
+ * `grantRead`, which authorises. The full ARN is obtained three ways, in order:
+ *   1. an explicit `arn` on the import (cross-account/region escape hatch);
+ *   2. the `fjallResolvedSecretArns` context map injected by @fjall/deploy-core, which
+ *      DescribeSecret-resolves every name -> full ARN at deploy time;
+ *   3. fallback to `fromSecretNameV2` ONLY when neither is present — i.e. offline
+ *      `cdk synth` for template generation. A real deploy ALWAYS runs deploy-core's
+ *      resolution, so the suffixless shape never reaches a deployed task-def.
+ */
+export declare function resolveImportedSecret(scope: Construct, id: string, secretImport: SecretImport): ISecret;
 export declare class Secret extends Construct {
     id: string;
     readonly secret: ISecret;

package/dist/lib/resources/aws/secrets/secret.js

@@ -2,6 +2,59 @@ import { SecretValue } from "aws-cdk-lib";
 import { Secret as CdkSecret } from "aws-cdk-lib/aws-secretsmanager";
 import { Construct } from "constructs";
 import { CustomerManagedKey } from "./kms.js";
+/**
+ * Context key carrying the deploy-time `secretName -> completeArn` map. Written by
+ * @fjall/deploy-core (`CdkArgumentBuilder.buildContextArgs` emits
+ * `-c fjallResolvedSecretArns=<json>`); read here. Keep the literal in sync with that
+ * canonical writer — matches the `ipamPoolId` / `orgConfig` literal-key house style.
+ */
+const RESOLVED_SECRET_ARNS_CONTEXT_KEY = "fjallResolvedSecretArns";
+function isStringRecord(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        !Array.isArray(value) &&
+        Object.values(value).every((entry) => typeof entry === "string"));
+}
+function readResolvedSecretArn(scope, secretName) {
+    const raw = scope.node.tryGetContext(RESOLVED_SECRET_ARNS_CONTEXT_KEY);
+    if (typeof raw !== "string" || raw === "")
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+    if (!isStringRecord(parsed))
+        return undefined;
+    return parsed[secretName];
+}
+/**
+ * Resolves an imported (externally-managed) Secrets Manager secret to an `ISecret`
+ * whose ARN is COMPLETE (with the AWS 6-char suffix) wherever possible.
+ *
+ * `Secret.fromSecretNameV2` renders a SUFFIXLESS partial ARN into the ECS container
+ * `valueFrom`, which real Secrets Manager rejects with AccessDenied at task launch (the
+ * 2026-06-04 outage). `fromSecretCompleteArn` renders the full ARN AND an exact-ARN
+ * `grantRead`, which authorises. The full ARN is obtained three ways, in order:
+ *   1. an explicit `arn` on the import (cross-account/region escape hatch);
+ *   2. the `fjallResolvedSecretArns` context map injected by @fjall/deploy-core, which
+ *      DescribeSecret-resolves every name -> full ARN at deploy time;
+ *   3. fallback to `fromSecretNameV2` ONLY when neither is present — i.e. offline
+ *      `cdk synth` for template generation. A real deploy ALWAYS runs deploy-core's
+ *      resolution, so the suffixless shape never reaches a deployed task-def.
+ */
+export function resolveImportedSecret(scope, id, secretImport) {
+    if (secretImport.arn !== undefined) {
+        return CdkSecret.fromSecretCompleteArn(scope, id, secretImport.arn);
+    }
+    const resolvedArn = readResolvedSecretArn(scope, secretImport.name);
+    if (resolvedArn !== undefined) {
+        return CdkSecret.fromSecretCompleteArn(scope, id, resolvedArn);
+    }
+    return CdkSecret.fromSecretNameV2(scope, id, secretImport.name);
+}
 export class Secret extends Construct {
     id;
     secret;

package/dist/lib/resources/aws/utilities/customResource.d.ts

@@ -7,6 +7,10 @@ interface CustomResourceProps {
     runtime: Runtime;
     roleDescription?: string;
     lambdaDescription?: string;
+    /** Fixed IAM path for the handler's execution role (e.g. "/fjall/"). */
+    rolePath?: string;
+    /** Fixed name for the handler's execution role (account-global — see LambdaFunctionProps). */
+    roleName?: string;
     inlinePolicy: PolicyStatement[];
     properties?: {
         [key: string]: string;

package/dist/lib/resources/aws/utilities/customResource.js

@@ -39,6 +39,8 @@ export class CustomResource extends Construct {
                 timeout,
                 lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
                 roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
+                rolePath: props.rolePath,
+                roleName: props.roleName,
                 inlinePolicy: props.inlinePolicy
             })
             : new SingletonFunction(this, `${id}Lambda`, {
@@ -47,6 +49,8 @@ export class CustomResource extends Construct {
                 runtime: props.runtime,
                 lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
                 roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
+                rolePath: props.rolePath,
+                roleName: props.roleName,
                 inlinePolicy: props.inlinePolicy
             });
         const provider = new Provider(this, `${id}Provider`, {

package/dist/lib/utils/env.js

@@ -99,12 +99,12 @@ function getProviderAccountsFromContext() {
  */
 function resolveEnvironmentFromAccountId(accountId) {
     const accounts = getProviderAccountsFromContext();
-    return accounts.find((pa) => pa.id === accountId)?.environment;
+    return accounts.find((pa) => pa.id === accountId)?.environment ?? undefined;
 }
 /**
  * Look up environment from account name via orgConfig CDK context.
  */
 function resolveEnvironmentFromAccountName(accountName) {
     const accounts = getProviderAccountsFromContext();
-    return accounts.find((pa) => pa.name === accountName)?.environment;
+    return (accounts.find((pa) => pa.name === accountName)?.environment ?? undefined);
 }

package/dist/lib/utils/getConfig.js

@@ -63,7 +63,7 @@ export function getConfig(accountName) {
         if (providerAccount) {
             config.accountId = providerAccount.id;
             config.accountName = providerAccount.name;
-            config.environment = providerAccount.environment;
+            config.environment = providerAccount.environment ?? "unknown";
         }
     }
     // If we still don't have an account name - try to retrieve accountId from context
@@ -75,7 +75,7 @@ export function getConfig(accountName) {
             const providerAccount = providerAccounts.find((pa) => pa.id === accountId);
             if (providerAccount) {
                 config.accountName = providerAccount.name;
-                config.environment = providerAccount.environment;
+                config.environment = providerAccount.environment ?? "unknown";
             }
         }
     }

package/dist/lib/utils/orgConfigParser.js

@@ -1,3 +1,4 @@
+import { VAULT_LOCK_MODES, S3_BPA_MODES } from "@fjall/util/config";
 import { maskSensitiveOutput } from "@fjall/util";
 import { FjallLogger } from "./validationLogger.js";
 /**
@@ -23,11 +24,24 @@ export function parseOrgConfig(raw) {
                 item !== null &&
                 typeof item.id === "string" &&
                 typeof item.name === "string" &&
-                typeof item.environment === "string" &&
+                // null environment (structural accounts) must survive — rejecting it drops the account at synth.
+                (typeof item.environment ===
+                    "string" ||
+                    item.environment === null) &&
                 (item.managed === undefined ||
                     typeof item.managed === "boolean") &&
                 (item.oidcRoleArn === undefined ||
-                    typeof item.oidcRoleArn === "string"))
+                    typeof item.oidcRoleArn ===
+                        "string") &&
+                (item.vaultLock === undefined ||
+                    VAULT_LOCK_MODES.includes(item.vaultLock)) &&
+                (item.s3BlockPublicAccess ===
+                    undefined ||
+                    S3_BPA_MODES.includes(item.s3BlockPublicAccess)) &&
+                (item.acknowledgeImmutableVaultLock ===
+                    undefined ||
+                    typeof item
+                        .acknowledgeImmutableVaultLock === "boolean"))
             : [];
         const primaryRegion = typeof obj.primaryRegion === "string" ? obj.primaryRegion : undefined;
         const secondaryRegions = Array.isArray(obj.secondaryRegions)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.9.1",
+  "version": "2.12.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.9.1",
-    "@fjall/util": "^2.9.1",
+    "@fjall/generator": "^2.12.0",
+    "@fjall/util": "^2.12.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "a97423cf3df727994364a0907fa2b5c544a86b0d"
+  "gitHead": "dca39a47da956d3d94c689dd782fe285d711d25e"
 }