@fjall/deploy-core 0.89.5 → 0.89.6

package/dist/src/aws/organisations/organisationalUnits.js

@@ -1,18 +1,19 @@
 import { CreateOrganizationalUnitCommand, ListOrganizationalUnitsForParentCommand, ListParentsCommand, MoveAccountCommand } from "@aws-sdk/client-organizations";
 import { success, failure } from "@fjall/generator";
-import { extractErrorName } from "./types.js";
+import { extractErrorName, isOULeaf, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
+import { getErrorMessage } from "@fjall/util";
 /**
  * List all OUs under a parent, handling pagination.
  */
 async function listOUsForParent(client, parentId) {
-    const response = await client.send(new ListOrganizationalUnitsForParentCommand({ ParentId: parentId }));
+    const response = await client.send(new ListOrganizationalUnitsForParentCommand({ ParentId: parentId }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
     let ous = response.OrganizationalUnits ?? [];
     let nextToken = response.NextToken;
     while (nextToken) {
         const nextResponse = await client.send(new ListOrganizationalUnitsForParentCommand({
             ParentId: parentId,
             NextToken: nextToken
-        }));
+        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
         ous = ous.concat(nextResponse.OrganizationalUnits ?? []);
         nextToken = nextResponse.NextToken;
     }
@@ -23,61 +24,173 @@ async function listOUsForParent(client, parentId) {
  */
 async function getParentId(client, childId) {
     try {
-        const response = await client.send(new ListParentsCommand({ ChildId: childId }));
+        const response = await client.send(new ListParentsCommand({ ChildId: childId }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
         return response.Parents?.[0]?.Id;
     }
     catch (error) {
         const errorName = extractErrorName(error);
-        if (errorName === "ChildNotFoundException") {
+        if (errorName === AWS_ERROR_NAMES.CHILD_NOT_FOUND) {
             return undefined;
         }
         throw error;
     }
 }
 /**
- * Ensure the specified organisational units exist under the root.
- * Creates any missing OUs. Returns a map of OU name (lowercase) → OU ID.
+ * Find or create an OU by name under a parent. Searches the provided
+ * `existingOUs` list first to avoid duplicate creation.
+ */
+async function findOrCreateOU(client, parentId, ouName, existingOUs) {
+    const match = existingOUs.find((ou) => ou.Name === ouName);
+    if (match?.Id) {
+        return success(match.Id);
+    }
+    try {
+        const response = await client.send(new CreateOrganizationalUnitCommand({
+            Name: ouName,
+            ParentId: parentId
+        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
+        const ou = response.OrganizationalUnit;
+        if (!ou?.Id) {
+            return failure(new Error(`OU "${ouName}" was created but has no ID`));
+        }
+        return success(ou.Id);
+    }
+    catch (error) {
+        return failure(new Error(`Failed to create OU "${ouName}": ${getErrorMessage(error)}`));
+    }
+}
+/**
+ * Ensure flat OUs exist directly under root. Original logic, extracted.
+ */
+async function ensureFlatOUs(client, rootId, ouNames) {
+    const ouMap = {};
+    if (ouNames.length === 0) {
+        return success(ouMap);
+    }
+    // Fetch existing OUs once for the root level
+    const existing = await listOUsForParent(client, rootId);
+    for (const ouName of ouNames) {
+        const capitalised = ouName.charAt(0).toUpperCase() + ouName.slice(1);
+        const result = await findOrCreateOU(client, rootId, capitalised, existing);
+        if (!result.success) {
+            return failure(result.error);
+        }
+        ouMap[ouName.toLowerCase()] = result.data;
+        // Add to existing list so subsequent iterations can see it
+        existing.push({ Id: result.data, Name: capitalised });
+    }
+    return success(ouMap);
+}
+/**
+ * Recursively ensure nested OUs exist. Populates `ouMap` with:
+ * - Dotted keys for nested OUs (e.g., "workloads.production")
+ * - Shorthand leaf-name keys when they don't collide with top-level keys
+ *
+ * When a shorthand key collides with a top-level key, only the dotted
+ * key is stored for the nested OU.
+ */
+async function ensureNestedOUs(client, parentId, tree, ouMap, prefix, topLevelKeys) {
+    // Fetch existing OUs once per parent level
+    const existing = await listOUsForParent(client, parentId);
+    for (const [ouName, children] of Object.entries(tree)) {
+        const result = await findOrCreateOU(client, parentId, ouName, existing);
+        if (!result.success) {
+            return failure(result.error);
+        }
+        const ouId = result.data;
+        const dottedKey = prefix
+            ? `${prefix}.${ouName.toLowerCase()}`
+            : ouName.toLowerCase();
+        ouMap[dottedKey] = ouId;
+        // Add shorthand key if not colliding with a top-level key
+        if (prefix) {
+            const shorthand = ouName.toLowerCase();
+            if (!topLevelKeys.has(shorthand)) {
+                ouMap[shorthand] = ouId;
+            }
+        }
+        // Add to existing list so subsequent iterations can see it
+        existing.push({ Id: ouId, Name: ouName });
+        if (!isOULeaf(children)) {
+            const recurseResult = await ensureNestedOUs(client, ouId, children, ouMap, dottedKey, topLevelKeys);
+            if (!recurseResult.success) {
+                return recurseResult;
+            }
+        }
+    }
+    return success(undefined);
+}
+/**
+ * Ensure the specified organisational units exist. Accepts either:
+ * - `string[]` (flat): creates OUs directly under root (original behaviour)
+ * - `OUTree` (nested): creates a recursive OU hierarchy
+ *
+ * Returns a map of OU key (lowercase) to OU ID. For nested trees, keys
+ * use dot notation (e.g., "workloads.production") with shorthand aliases
+ * for leaf names that don't collide with top-level keys.
  *
  * Idempotent — existing OUs are adopted, not duplicated.
  *
- * @param ouNames Array of OU names to ensure exist (will be capitalised)
+ * AWS cannot move OUs between parents. Migrating from flat to nested
+ * creates new OUs under new parents; old empty OUs remain at root.
  */
-export async function ensureOrganisationalUnitsExist(client, rootId, ouNames) {
+export async function ensureOrganisationalUnitsExist(client, rootId, ouConfig) {
     try {
+        if (Array.isArray(ouConfig)) {
+            return await ensureFlatOUs(client, rootId, ouConfig);
+        }
         const ouMap = {};
-        for (const ouName of ouNames) {
-            const capitalised = ouName.charAt(0).toUpperCase() + ouName.slice(1);
-            // Check if OU already exists
-            const existing = await listOUsForParent(client, rootId);
-            const match = existing.find((ou) => ou.Name === capitalised);
-            if (match?.Id) {
-                ouMap[ouName.toLowerCase()] = match.Id;
-                continue;
-            }
-            // Create the OU
-            const response = await client.send(new CreateOrganizationalUnitCommand({
-                Name: capitalised,
-                ParentId: rootId
-            }));
-            const ou = response.OrganizationalUnit;
-            if (!ou?.Id) {
-                return failure(new Error(`OU "${capitalised}" was created but has no ID`));
-            }
-            ouMap[ouName.toLowerCase()] = ou.Id;
+        const topLevelKeys = new Set(Object.keys(ouConfig).map((k) => k.toLowerCase()));
+        const result = await ensureNestedOUs(client, rootId, ouConfig, ouMap, "", topLevelKeys);
+        if (!result.success) {
+            return failure(result.error);
         }
         return success(ouMap);
     }
     catch (error) {
-        return failure(new Error(`Failed to ensure OUs exist: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to ensure OUs exist: ${getErrorMessage(error)}`));
     }
 }
+/**
+ * Build a flat map of accountName (lowercase) to OU ID from an OUTree
+ * and its resolved OUMap.
+ *
+ * Walks the tree recursively. For each leaf (string[]), maps each account
+ * name to the parent OU's ID using the dotted OUMap key.
+ *
+ * Callers must pass account names that match the tree leaf values.
+ */
+export function buildAccountToOUMap(tree, ouMap, prefix = "") {
+    const result = {};
+    for (const [ouName, children] of Object.entries(tree)) {
+        const dottedKey = prefix
+            ? `${prefix}.${ouName.toLowerCase()}`
+            : ouName.toLowerCase();
+        const ouId = ouMap[dottedKey];
+        if (isOULeaf(children)) {
+            if (ouId) {
+                for (const accountName of children) {
+                    result[accountName.toLowerCase()] = ouId;
+                }
+            }
+        }
+        else {
+            Object.assign(result, buildAccountToOUMap(children, ouMap, dottedKey));
+        }
+    }
+    return result;
+}
 /**
  * Place accounts into the correct organisational units.
  * Skips accounts with environment "root" and accounts already in the target OU.
  *
+ * When `accountToOU` is provided, looks up the target OU by account name
+ * (lowercase) instead of by environment. This supports tree-based placement
+ * where the OU is determined by which leaf the account appears in.
+ *
  * Idempotent — accounts already in the correct OU are counted but not moved.
  */
-export async function placeAccountsInOUs(client, ouMap, accounts) {
+export async function placeAccountsInOUs(client, ouMap, accounts, accountToOU) {
     try {
         if (accounts.length === 0) {
             return success({ moved: 0, alreadyPlaced: 0 });
@@ -88,13 +201,14 @@ export async function placeAccountsInOUs(client, ouMap, accounts) {
             if (account.environment === "root") {
                 continue;
             }
-            const targetOuId = ouMap[account.environment.toLowerCase()];
+            const targetOuId = accountToOU
+                ? accountToOU[account.name.toLowerCase()]
+                : ouMap[account.environment.toLowerCase()];
             if (!targetOuId) {
                 continue;
             }
             const currentParentId = await getParentId(client, account.id);
             if (!currentParentId) {
-                // Account not found in organisation
                 continue;
             }
             if (currentParentId === targetOuId) {
@@ -106,12 +220,12 @@ export async function placeAccountsInOUs(client, ouMap, accounts) {
                     AccountId: account.id,
                     SourceParentId: currentParentId,
                     DestinationParentId: targetOuId
-                }));
+                }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
                 moved++;
             }
             catch (error) {
                 const errorName = extractErrorName(error);
-                if (errorName === "AccountNotFoundException") {
+                if (errorName === AWS_ERROR_NAMES.ACCOUNT_NOT_FOUND) {
                     continue;
                 }
                 throw error;
@@ -120,6 +234,6 @@ export async function placeAccountsInOUs(client, ouMap, accounts) {
         return success({ moved, alreadyPlaced });
     }
     catch (error) {
-        return failure(new Error(`Failed to place accounts in OUs: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to place accounts in OUs: ${getErrorMessage(error)}`));
     }
 }

package/dist/src/aws/organisations/policies.js

@@ -1,6 +1,7 @@
 import { EnablePolicyTypeCommand, PolicyType } from "@aws-sdk/client-organizations";
 import { success, failure } from "@fjall/generator";
-import { extractErrorName } from "./types.js";
+import { getErrorMessage } from "@fjall/util";
+import { extractErrorName, SDK_TIMEOUT_MS } from "./types.js";
 const POLICY_TYPES = [
     PolicyType.SERVICE_CONTROL_POLICY,
     PolicyType.TAG_POLICY,
@@ -18,7 +19,7 @@ export async function enablePolicyTypes(client, rootId) {
                 await client.send(new EnablePolicyTypeCommand({
                     RootId: rootId,
                     PolicyType: policyType
-                }));
+                }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
             }
             catch (error) {
                 const errorName = extractErrorName(error);
@@ -31,6 +32,6 @@ export async function enablePolicyTypes(client, rootId) {
         return success(undefined);
     }
     catch (error) {
-        return failure(new Error(`Failed to enable policy types: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to enable policy types: ${getErrorMessage(error)}`));
     }
 }

package/dist/src/aws/organisations/ram.js

@@ -1,15 +1,19 @@
 import { EnableSharingWithAwsOrganizationCommand } from "@aws-sdk/client-ram";
 import { success, failure } from "@fjall/generator";
+import { getErrorMessage } from "@fjall/util";
+import { SDK_TIMEOUT_MS } from "./types.js";
 /**
  * Enable RAM sharing with the AWS Organisation.
  * Idempotent — calling when already enabled is a no-op.
  */
 export async function enableRamSharing(client) {
     try {
-        await client.send(new EnableSharingWithAwsOrganizationCommand({}));
+        await client.send(new EnableSharingWithAwsOrganizationCommand({}), {
+            abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS)
+        });
         return success(undefined);
     }
     catch (error) {
-        return failure(new Error(`Failed to enable RAM sharing: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to enable RAM sharing: ${getErrorMessage(error)}`));
     }
 }

package/dist/src/aws/organisations/serviceAccess.js

@@ -1,13 +1,19 @@
 import { EnableAWSServiceAccessCommand } from "@aws-sdk/client-organizations";
 import { success, failure } from "@fjall/generator";
-import { extractErrorName } from "./types.js";
+import { extractErrorName, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
+import { getErrorMessage } from "@fjall/util";
 const SERVICE_PRINCIPALS = [
     "account.amazonaws.com",
     "sso.amazonaws.com",
     "ipam.amazonaws.com",
     "ram.amazonaws.com",
     "backup.amazonaws.com",
-    "member.org.stacksets.cloudformation.amazonaws.com"
+    "member.org.stacksets.cloudformation.amazonaws.com",
+    "guardduty.amazonaws.com",
+    "securityhub.amazonaws.com",
+    "config.amazonaws.com",
+    "inspector2.amazonaws.com",
+    "access-analyzer.amazonaws.com"
 ];
 /**
  * Enable AWS service access for all required service principals.
@@ -19,20 +25,20 @@ export async function enableServiceAccess(client) {
             try {
                 await client.send(new EnableAWSServiceAccessCommand({
                     ServicePrincipal: principal
-                }));
+                }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
             }
             catch (error) {
                 const errorName = extractErrorName(error);
-                if (errorName === "AccessDeniedException") {
+                if (errorName === AWS_ERROR_NAMES.ACCESS_DENIED) {
                     return failure(new Error(`Access denied when enabling service access for ${principal}. ` +
                         "Ensure your credentials have organizations:EnableAWSServiceAccess permission."));
                 }
-                throw error;
+                throw new Error(`Service principal ${principal}: ${getErrorMessage(error)}`);
             }
         }
         return success(undefined);
     }
     catch (error) {
-        return failure(new Error(`Failed to enable service access: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to enable service access: ${getErrorMessage(error)}`));
     }
 }

package/dist/src/aws/organisations/trustedAccess.js

@@ -1,15 +1,19 @@
 import { ActivateOrganizationsAccessCommand } from "@aws-sdk/client-cloudformation";
 import { success, failure } from "@fjall/generator";
+import { getErrorMessage } from "@fjall/util";
+import { SDK_TIMEOUT_MS } from "./types.js";
 /**
  * Activate trusted access for CloudFormation StackSets.
  * Idempotent — calling when already activated is a no-op.
  */
 export async function activateTrustedAccess(client) {
     try {
-        await client.send(new ActivateOrganizationsAccessCommand({}));
+        await client.send(new ActivateOrganizationsAccessCommand({}), {
+            abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS)
+        });
         return success(undefined);
     }
     catch (error) {
-        return failure(new Error(`Failed to activate trusted access: ${error instanceof Error ? error.message : String(error)}`));
+        return failure(new Error(`Failed to activate trusted access: ${getErrorMessage(error)}`));
     }
 }

package/dist/src/aws/organisations/types.d.ts

@@ -1,6 +1,14 @@
 /**
- * Shared types for AWS Organisation setup primitives.
+ * Shared types and constants for AWS Organisation setup primitives.
  */
+export declare const SDK_TIMEOUT_MS = 30000;
+export declare const AWS_ERROR_NAMES: {
+    readonly ACCESS_DENIED: "AccessDeniedException";
+    readonly ACCOUNT_ALREADY_REGISTERED: "AccountAlreadyRegisteredException";
+    readonly ACCOUNT_NOT_FOUND: "AccountNotFoundException";
+    readonly CHILD_NOT_FOUND: "ChildNotFoundException";
+    readonly ORGS_NOT_IN_USE: "AWSOrganizationsNotInUseException";
+};
 export interface OrgDetails {
     orgId: string;
     rootId: string;
@@ -22,6 +30,20 @@ export interface IdentityCentreStatus {
     enabled: boolean;
     instanceCount: number;
 }
+/**
+ * Recursive OU hierarchy. Each key is an OU name.
+ * - string[] value = account names to place in that OU (leaf node)
+ * - OUTree value = child OUs (branch node, no direct accounts)
+ *
+ * AWS cannot move OUs between parents. Migrating from a flat string[]
+ * to a nested OUTree creates new OUs under new parents; old empty OUs
+ * at the root level remain and must be removed manually.
+ */
+export type OUTree = {
+    [ouName: string]: string[] | OUTree;
+};
+/** Returns true if the value is a list of account names (leaf node). */
+export declare function isOULeaf(value: string[] | OUTree): value is string[];
 /**
  * Extract the error name from an AWS SDK error.
  * AWS SDK v3 errors have a `name` property that identifies the error type.

package/dist/src/aws/organisations/types.js

@@ -1,16 +1 @@
-/**
- * Shared types for AWS Organisation setup primitives.
- */
-/**
- * Extract the error name from an AWS SDK error.
- * AWS SDK v3 errors have a `name` property that identifies the error type.
- */
-export function extractErrorName(error) {
-    if (typeof error === "object" &&
-        error !== null &&
-        "name" in error &&
-        typeof error.name === "string") {
-        return error.name;
-    }
-    return "UnknownError";
-}
+const t=3e4,e={ACCESS_DENIED:"AccessDeniedException",ACCOUNT_ALREADY_REGISTERED:"AccountAlreadyRegisteredException",ACCOUNT_NOT_FOUND:"AccountNotFoundException",CHILD_NOT_FOUND:"ChildNotFoundException",ORGS_NOT_IN_USE:"AWSOrganizationsNotInUseException"};function o(n){return Array.isArray(n)}function E(n){return typeof n=="object"&&n!==null&&"name"in n&&typeof n.name=="string"?n.name:"UnknownError"}export{e as AWS_ERROR_NAMES,t as SDK_TIMEOUT_MS,E as extractErrorName,o as isOULeaf};

package/dist/src/aws/utils/__tests__/cloudformationTestHelpers.d.ts

@@ -0,0 +1,6 @@
+import { vi } from "vitest";
+import type { EventLogWriter } from "../cloudformationEventTypes.js";
+export declare function createMockEventLogger(): EventLogWriter;
+export declare function createMockAwsClient(sendFn: ReturnType<typeof vi.fn>): {
+    getClient: import("vitest").Mock<(...args: any[]) => any>;
+};

package/dist/src/aws/utils/__tests__/cloudformationTestHelpers.js

@@ -0,0 +1 @@
+import{vi as e}from"vitest";function r(){return{writeEvent:e.fn(),writeDeploymentEnd:e.fn(),writeFailureSummary:e.fn(),writeFailureAnalysis:e.fn(),writeCdkOutput:e.fn(),getLogPath:e.fn(),getLogSummary:e.fn()}}function i(t){return{getClient:e.fn().mockReturnValue({send:t})}}export{i as createMockAwsClient,r as createMockEventLogger};

package/dist/src/aws/utils/cloudformationEventHelpers.d.ts

@@ -0,0 +1,48 @@
+import type { ResourceEvent } from "@fjall/util/aws";
+import { type EventLogWriter, type EventFailureAnalyser, type AwsClientLike } from "./cloudformationEventTypes.js";
+import type { FailureAnalysis } from "@fjall/util/aws";
+export declare function isTerminalState(status: string): boolean;
+export declare function isSuccessState(status: string): boolean;
+export declare function isIpamResource(resourceType: string): boolean;
+/** Tracks in-progress IPAM resources for concurrency diagnostics */
+export declare class IpamConcurrencyTracker {
+    private inProgress;
+    get size(): number;
+    clear(): void;
+    /**
+     * Process an IPAM resource event — logs concurrency info and writes
+     * diagnostic metadata to the event logger when provided.
+     */
+    trackEvent(event: ResourceEvent, eventLogger: EventLogWriter | null): void;
+}
+/** Mutable state passed into pollStackEvents from the monitor class */
+export interface PollContext {
+    aws: AwsClientLike;
+    seenEventIds: Set<string>;
+    activeNestedStacks: Map<string, string>;
+    failureReasons: Map<string, string>;
+    eventHistory: Map<string, ResourceEvent[]>;
+    maxHistorySize: number;
+    ipamTracker: IpamConcurrencyTracker;
+    eventLogger: EventLogWriter | null;
+}
+/** Poll CloudFormation for new stack events and dispatch them to the callback */
+export declare function pollStackEvents(ctx: PollContext, stackName: string, onResourceUpdate: (event: ResourceEvent) => void): Promise<boolean | "throttled">;
+/** Result of handling stack completion */
+export interface StackCompletionResult {
+    success: boolean;
+    failureMessage?: string;
+    analysis: FailureAnalysis | null;
+}
+/**
+ * Handle stack completion — determines success/failure, logs results,
+ * and runs failure analysis. Called after pollEvents detects a terminal state.
+ */
+export declare function handleStackCompletion(aws: AwsClientLike, stackName: string, failureReasons: Map<string, string>, eventLogger: EventLogWriter | null, failureAnalyser: EventFailureAnalyser | null, eventHistory: Map<string, ResourceEvent[]>): Promise<StackCompletionResult>;
+/** Fetch the current status of a CloudFormation stack */
+export declare function fetchStackStatus(aws: AwsClientLike, stackName: string): Promise<{
+    status: string;
+    statusReason?: string;
+} | null>;
+/** Fetch the latest event for each resource in a stack */
+export declare function fetchCurrentResources(aws: AwsClientLike, stackName: string): Promise<ResourceEvent[]>;

package/dist/src/aws/utils/cloudformationEventHelpers.js

@@ -0,0 +1 @@
+import{CloudFormationClient as g,DescribeStackEventsCommand as y,DescribeStacksCommand as A}from"@aws-sdk/client-cloudformation";import{logger as m}from"@fjall/util/logger";import{getErrorMessage as S,maskSensitiveOutput as C}from"@fjall/util";import{STACK_NOT_FOUND_PATTERN as f}from"@fjall/util/aws";import{CF_STACK_RESOURCE_TYPE as I}from"./cloudformationEventTypes.js";import{extractErrorName as P}from"../organisations/types.js";const L=["CREATE_COMPLETE","CREATE_FAILED","DELETE_COMPLETE","DELETE_FAILED","UPDATE_COMPLETE","UPDATE_FAILED","UPDATE_ROLLBACK_COMPLETE","UPDATE_ROLLBACK_FAILED","ROLLBACK_COMPLETE","ROLLBACK_FAILED","IMPORT_COMPLETE","IMPORT_ROLLBACK_COMPLETE","IMPORT_ROLLBACK_FAILED"],h=["CREATE_COMPLETE","UPDATE_COMPLETE","DELETE_COMPLETE","IMPORT_COMPLETE"];function k(s){return L.includes(s)}function K(s){return h.includes(s)}const O=new Set(["AWS::EC2::IPAMPool","AWS::EC2::IPAMPoolCidr","AWS::EC2::IPAM"]);function M(s){return O.has(s)}class b{inProgress=new Map;get size(){return this.inProgress.size}clear(){this.inProgress.clear()}trackEvent(e,i){if(e.status.includes("IN_PROGRESS")){this.inProgress.set(e.logicalId,{resourceType:e.resourceType,startTime:e.timestamp});const o=Array.from(this.inProgress.entries()).map(([a,r])=>`${a} (${r.resourceType.split("::").pop()}, started ${r.startTime.toISOString()})`);m.debug("CloudFormation","IPAM resource started",{logicalId:e.logicalId,resourceType:e.resourceType,concurrentIpamCount:this.inProgress.size,concurrentIpamResources:o}),i&&i.writeEvent(e,{phase:"ipam_concurrency",isMainStack:!0,parentStack:`concurrent=${this.inProgress.size}: ${o.join(", ")}`})}else if(e.status.includes("COMPLETE")||e.status.includes("FAILED")){const o=this.inProgress.has(e.logicalId),a=this.inProgress.get(e.logicalId);this.inProgress.delete(e.logicalId);const r=a?e.timestamp.getTime()-a.startTime.getTime():void 0;if(m.debug("CloudFormation",`IPAM resource ${e.status}`,{logicalId:e.logicalId,resourceType:e.resourceType,status:e.status,statusReason:e.statusReason,durationMs:r,wasTracked:o,remainingIpamCount:this.inProgress.size,remainingIpamResources:Array.from(this.inProgress.keys())}),e.status.includes("FAILED")&&i){const l=Array.from(this.inProgress.entries()).map(([n,c])=>({logicalId:n,resourceType:c.resourceType,startTime:c.startTime.toISOString(),inFlightDurationMs:e.timestamp.getTime()-c.startTime.getTime()}));i.writeEvent(e,{phase:"ipam_failure_snapshot",isMainStack:!0,parentStack:JSON.stringify({failedResource:e.logicalId,reason:e.statusReason,durationMs:r,concurrentIpamAtFailure:l})})}}}}async function v(s,e,i){try{const o=s.aws.getClient(g);let a,r=!1,l=!1;do{const n=new y({StackName:e,...a?{NextToken:a}:{}}),c=await o.send(n);if(!c.StackEvents)break;for(const t of c.StackEvents){const d=`${t.EventId}`;if(s.seenEventIds.has(d)){l=!0;continue}if(s.seenEventIds.add(d),t.ResourceType===I&&t.LogicalResourceId!==e){const E=t.ResourceStatus||"",T=t.LogicalResourceId||"";E.includes("IN_PROGRESS")?s.activeNestedStacks.set(T,E):(E.includes("COMPLETE")||E.includes("FAILED"))&&s.activeNestedStacks.delete(T)}if(t.LogicalResourceId===e&&t.ResourceType===I){const E=t.ResourceStatus||"";k(E)&&(r=!0)}t.ResourceStatus&&t.ResourceStatus.includes("FAILED")&&t.ResourceStatusReason&&(s.failureReasons.set(t.LogicalResourceId||"unknown",t.ResourceStatusReason),m.debug("CloudFormation",`Captured failure: ${t.LogicalResourceId} - ${t.ResourceStatusReason}`));const u={logicalId:t.LogicalResourceId||"",physicalId:t.PhysicalResourceId,resourceType:t.ResourceType||"",status:t.ResourceStatus||"",statusReason:t.ResourceStatusReason,timestamp:t.Timestamp||new Date},p=u.logicalId,R=s.eventHistory.get(p)??[];if(R.push(u),s.eventHistory.set(p,R),s.eventHistory.size>s.maxHistorySize){const E=[...s.eventHistory.keys()].slice(0,s.eventHistory.size-s.maxHistorySize);for(const T of E)s.eventHistory.delete(T)}M(u.resourceType)&&s.ipamTracker.trackEvent(u,s.eventLogger),s.eventLogger&&s.eventLogger.writeEvent(u),m.debug("CloudFormation","pollEvents delivering event",{stackName:e,logicalId:u.logicalId,status:u.status,resourceType:u.resourceType}),i(u)}a=l?void 0:c.NextToken}while(a);return r&&s.activeNestedStacks.size>0?!1:r}catch(o){const a=P(o),r=S(o);return a==="ValidationError"&&r.includes(f)?!1:a==="Throttling"||a==="TooManyRequestsException"||a==="ThrottlingException"?"throttled":(r.includes(f)||m.error("CloudFormation","Unexpected polling error",{error:C(r)}),!1)}}async function $(s,e,i,o,a,r){const l=await _(s,e),n=l?.status||"UNKNOWN",c=n.endsWith("_COMPLETE")&&!n.includes("ROLLBACK")&&!n.includes("FAILED");let t=l?.statusReason;!c&&i.size>0&&(t=(Array.from(i.values())[0]??t)||t);let d=null;return o&&(o.writeDeploymentEnd(c,n,t),!c&&i.size>0&&o.writeFailureSummary(Array.from(i.entries()).map(([u,p])=>({logicalId:u,reason:p}))),!c&&a&&(d=a.analyseFailure(r),d&&o.writeFailureAnalysis({rootCause:d.rootCause.reason,failedResources:d.affectedResources.map(u=>({logicalId:u.logicalId,resourceType:u.resourceType,reason:u.statusReason||"Unknown reason"})),dependencyChain:d.dependencyChain,remediation:d.remediation}))),{success:c,failureMessage:t,analysis:d}}async function _(s,e){try{const i=new A({StackName:e}),r=(await s.getClient(g).send(i)).Stacks?.[0];return r?{status:r.StackStatus||"UNKNOWN",statusReason:r.StackStatusReason}:null}catch(i){return m.debug("CloudFormation","getStackStatus failed",{error:S(i)}),null}}async function H(s,e){const i=[];try{const o=new y({StackName:e}),r=await s.getClient(g).send(o);if(!r.StackEvents)return i;const l=new Map;for(const n of r.StackEvents){const c=n.LogicalResourceId||"";if(c===e&&n.ResourceType===I)continue;const t=l.get(c);(!t||n.Timestamp&&t.timestamp<n.Timestamp)&&l.set(c,{logicalId:c,physicalId:n.PhysicalResourceId,resourceType:n.ResourceType||"",status:n.ResourceStatus||"",statusReason:n.ResourceStatusReason,timestamp:n.Timestamp||new Date})}return Array.from(l.values())}catch(o){const a=P(o),r=S(o);return a==="ValidationError"&&r.includes(f)||r.includes(f)||m.error("CloudFormation","Error getting current resources",{error:C(S(o))}),i}}export{b as IpamConcurrencyTracker,H as fetchCurrentResources,_ as fetchStackStatus,$ as handleStackCompletion,M as isIpamResource,K as isSuccessState,k as isTerminalState,v as pollStackEvents};

package/dist/src/aws/utils/cloudformationEventTypes.d.ts

@@ -0,0 +1,45 @@
+import type { AwsSdkClientConstructor } from "../AwsProvider.js";
+import type { ResourceEvent, FailureAnalysis } from "@fjall/util/aws";
+/** Minimal AWS interface — only getClient() is needed for event monitoring */
+export interface AwsClientLike {
+    getClient<T>(ClientClass: AwsSdkClientConstructor<T>): T;
+}
+/** Interface for event logging — decouples from concrete CloudFormationEventLogger */
+export interface EventLogWriter {
+    writeEvent(event: ResourceEvent, metadata?: {
+        phase?: string;
+        isMainStack?: boolean;
+        parentStack?: string;
+    }): void;
+    writeDeploymentEnd(success: boolean, finalStatus: string, failureMessage?: string): void;
+    writeFailureSummary(failures: Array<{
+        logicalId: string;
+        reason: string;
+    }>): void;
+    writeFailureAnalysis(analysis: {
+        rootCause: string;
+        failedResources: Array<{
+            logicalId: string;
+            resourceType: string;
+            reason: string;
+        }>;
+        dependencyChain?: string[];
+        remediation?: string[];
+    }): void;
+    writeCdkOutput(stream: "stdout" | "stderr", chunk: string): void;
+    getLogPath(): string;
+    getLogSummary(): string;
+}
+/** Interface for failure analysis — decouples from concrete CloudFormationFailureAnalyser */
+export interface EventFailureAnalyser {
+    analyseFailure(eventHistory: Map<string, ResourceEvent[]>): FailureAnalysis | null;
+}
+/** Factory to create an EventLogWriter for a specific deployment */
+export type EventLogWriterFactory = (deploymentId: string, stackName: string, region: string, deploymentName?: string) => EventLogWriter;
+/** Dependencies injected into CloudFormationEventMonitor */
+export interface EventMonitorDeps {
+    failureAnalyser?: EventFailureAnalyser;
+    eventLogWriterFactory?: EventLogWriterFactory;
+}
+/** CloudFormation resource type for nested stacks */
+export declare const CF_STACK_RESOURCE_TYPE = "AWS::CloudFormation::Stack";

package/dist/src/aws/utils/cloudformationEventTypes.js

@@ -0,0 +1 @@
+const o="AWS::CloudFormation::Stack";export{o as CF_STACK_RESOURCE_TYPE};

package/dist/src/aws/utils/cloudformationEvents.d.ts

@@ -1,53 +1,7 @@
-import type { AwsProvider } from "../AwsProvider.js";
-import type { FailureAnalysis } from "./CloudFormationFailureAnalyser.js";
-export declare const STACK_NOT_FOUND_PATTERN = "does not exist";
-export declare const CDK_NO_STACKS_MATCH = "No stacks match the name(s)";
-export interface ResourceEvent {
-    logicalId: string;
-    physicalId?: string;
-    resourceType: string;
-    status: string;
-    statusReason?: string;
-    timestamp: Date;
-}
-export declare function isResourceEvent(event: unknown): event is ResourceEvent;
-/** Interface for event logging — decouples from concrete CloudFormationEventLogger */
-export interface EventLogWriter {
-    writeEvent(event: ResourceEvent, metadata?: {
-        phase?: string;
-        isMainStack?: boolean;
-        parentStack?: string;
-    }): void;
-    writeDeploymentEnd(success: boolean, finalStatus: string, failureMessage?: string): void;
-    writeFailureSummary(failures: Array<{
-        logicalId: string;
-        reason: string;
-    }>): void;
-    writeFailureAnalysis(analysis: {
-        rootCause: string;
-        failedResources: Array<{
-            logicalId: string;
-            resourceType: string;
-            reason: string;
-        }>;
-        dependencyChain?: string[];
-        remediation?: string[];
-    }): void;
-    writeCdkOutput(stream: "stdout" | "stderr", chunk: string): void;
-    getLogPath(): string;
-    getLogSummary(): string;
-}
-/** Interface for failure analysis — decouples from concrete CloudFormationFailureAnalyser */
-export interface EventFailureAnalyser {
-    analyseFailure(eventHistory: Map<string, ResourceEvent[]>): FailureAnalysis | null;
-}
-/** Factory to create an EventLogWriter for a specific deployment */
-export type EventLogWriterFactory = (deploymentId: string, stackName: string, region: string, deploymentName?: string) => EventLogWriter;
-/** Dependencies injected into CloudFormationEventMonitor */
-export interface EventMonitorDeps {
-    failureAnalyser?: EventFailureAnalyser;
-    eventLogWriterFactory?: EventLogWriterFactory;
-}
+import { type ResourceEvent, type FailureAnalysis } from "@fjall/util/aws";
+export { type ResourceEvent, isResourceEvent, STACK_NOT_FOUND_PATTERN, CDK_NO_STACKS_MATCH, type FailureAnalysis } from "@fjall/util/aws";
+export type { AwsClientLike, EventLogWriter, EventFailureAnalyser, EventLogWriterFactory, EventMonitorDeps } from "./cloudformationEventTypes.js";
+import { type AwsClientLike, type EventLogWriter, type EventMonitorDeps } from "./cloudformationEventTypes.js";
 export declare class CloudFormationEventMonitor {
     private aws;
     private seenEventIds;
@@ -63,12 +17,13 @@ export declare class CloudFormationEventMonitor {
     private deploymentStartTime;
     private maxHistorySize;
     private maxSeenEventIds;
-    private ipamInProgress;
-    constructor(aws: AwsProvider, deps?: EventMonitorDeps);
+    private ipamTracker;
+    constructor(aws: AwsClientLike, deps?: EventMonitorDeps);
     enableLogging(deploymentId: string, stackName: string, region: string, deploymentName?: string): void;
     startMonitoring(stackName: string, onResourceUpdate: (event: ResourceEvent) => void, onStackComplete?: (success: boolean, message?: string) => void): Promise<void>;
     stopMonitoring(): void;
     private cleanup;
+    private handleStackComplete;
     getResourceHistory(logicalId: string): ResourceEvent[];
     getEventHistory(): Map<string, ResourceEvent[]>;
     getFailureAnalysis(): FailureAnalysis | null;
@@ -87,8 +42,7 @@ export declare class CloudFormationEventMonitor {
         failureReason?: string;
         logPath?: string;
     }>;
-    private isTerminalState;
-    private isSuccessState;
+    private pollContext;
     private pollEvents;
     getStackStatus(stackName: string): Promise<{
         status: string;