@flipboxlabs/aws-audit-cdk 1.1.0 → 1.1.2

package/README.md

@@ -1,6 +1,6 @@
 # @flipboxlabs/aws-audit-cdk
 
-AWS Audit CDK - CDK constructs for AWS audit infrastructure.
+AWS Audit CDK - CDK constructs for AWS audit infrastructure
 
 ## Installation
 
@@ -13,18 +13,101 @@ pnpm add @flipboxlabs/aws-audit-cdk
 ## Usage
 
 ```typescript
-import { CloudWatchConstruct } from '@flipboxlabs/aws-audit-cdk/cloudwatch';
-import { DynamoDBConstruct } from '@flipboxlabs/aws-audit-cdk/dynamodb';
-import { EventBridgeConstruct } from '@flipboxlabs/aws-audit-cdk/eventbridge';
-import { RestApiConstruct } from '@flipboxlabs/aws-audit-cdk/rest-api';
+import * as cdk from "aws-cdk-lib";
+import type { Construct } from "constructs";
+import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
+import { AuditConfigLayer } from "@flipboxlabs/aws-audit-cdk/lambda";
+import { CloudWatchConstruct as CloudWatch } from "@flipboxlabs/aws-audit-cdk/cloudwatch";
+import { DynamoDBConstruct as DynamoDB } from "@flipboxlabs/aws-audit-cdk/dynamodb";
+import { EventBridgeConstruct as EventBridge } from "@flipboxlabs/aws-audit-cdk/eventbridge";
+import { RestApiConstruct as RestAPI } from "@flipboxlabs/aws-audit-cdk/rest-api";
+
+interface Props {
+  config: CDKConfig;
+}
+
+export class AuditStack extends cdk.NestedStack {
+  constructor(scope: Construct, id: string, props: Props) {
+    super(scope, id, { description: "Audit" });
+
+    // Create audit config layer with your apps and resource types
+    const auditConfigLayer = new AuditConfigLayer(this, "AuditConfigLayer", {
+      apps: ["Orders", "Inventory"],
+      resourceTypes: ["Order", "Product"],
+    });
+
+    // DynamoDB (storage)
+    const { table } = new DynamoDB(this, "DynamoDB", { config: props.config });
+
+    // EventBridge (events)
+    const { eventBus } = new EventBridge(this, "EventBridge", {
+      config: props.config,
+    });
+
+    // CloudWatch (logging subscription)
+    new CloudWatch(this, "CloudWatch", {
+      config: props.config,
+      lambda: { layers: [auditConfigLayer.layer] },
+      table,
+      eventBus,
+    });
+
+    // REST API (optional)
+    new RestAPI(this, "RestAPI", {
+      config: props.config,
+      lambda: { layers: [auditConfigLayer.layer] },
+      table,
+      eventBus,
+    });
+  }
+}
 ```
 
 ## Constructs
 
-- **CloudWatchConstruct** - CloudWatch log subscription for audit capture
-- **DynamoDBConstruct** - DynamoDB table for audit storage
-- **EventBridgeConstruct** - EventBridge bus for audit events
-- **RestApiConstruct** - REST API for querying audits
+### AuditConfigLayer
+
+Creates a Lambda layer containing your audit configuration (apps and resource types). This layer is required by all other constructs.
+
+```typescript
+import { AuditConfigLayer } from "@flipboxlabs/aws-audit-cdk/lambda";
+
+const auditConfigLayer = new AuditConfigLayer(this, "AuditConfigLayer", {
+  apps: ["Orders", "Inventory"],
+  resourceTypes: ["Order", "Product"],
+});
+```
+
+### CloudWatchConstruct
+
+CloudWatch log subscription that captures audit logs and stores them in DynamoDB.
+
+### DynamoDBConstruct
+
+DynamoDB table for audit storage with optimized indexes for querying by app, resource, and trace.
+
+### EventBridgeConstruct
+
+EventBridge bus for audit events, enabling event-driven architectures.
+
+### RestApiConstruct
+
+REST API for querying audits by resource or trace ID.
+
+## CDKConfig
+
+The `CDKConfig` type defines the configuration passed to constructs:
+
+```typescript
+type CDKConfig = {
+  env: string;           // Environment name (e.g., "prod", "staging")
+  aws: {
+    account: string;     // AWS account ID
+    region: string;      // AWS region
+  };
+  service?: string;      // Optional service name
+};
+```
 
 ## Peer Dependencies
 

package/dist/audit-config.d.ts

@@ -1,14 +1,13 @@
 /**
- * Shared audit configuration for the CDK.
+ * Audit configuration loaded from the Lambda layer.
  *
- * Defines the valid apps and resource types used across all handlers and schemas.
- * This config provides:
- * - Type-safe app and resourceType values
- * - Zod schemas for validation via `auditConfig.schemas`
+ * The `apps` and `resourceTypes` arrays are provided by the AuditConfigLayer
+ * construct at deploy time. This file creates the typed configuration object
+ * that handlers use.
  *
  * @example
  * ```typescript
- * import { auditConfig } from '../../audit-config.js';
+ * import { auditConfig, type App, type ResourceType } from '../../audit-config.js';
  *
  * // Use in handlers
  * const service = new AuditService(logger, auditConfig);
@@ -23,8 +22,8 @@
 export declare const auditConfig: {
     service: string | undefined;
 } & {
-    readonly apps: readonly [];
-    readonly resourceTypes: readonly [];
+    readonly apps: readonly string[];
+    readonly resourceTypes: readonly string[];
 } & {
     schemas: {
         app: import("zod").ZodEnum<{
@@ -44,16 +43,18 @@ export declare const auditConfig: {
         }, import("zod/v4/core").$strip>;
     };
     _types: {
-        App: never;
-        ResourceType: never;
+        App: string;
+        ResourceType: string;
     };
 };
 /**
  * Type alias for the App union type from the audit config.
+ * Note: At compile time this is `string` since the actual values come from the layer.
  */
 export type App = (typeof auditConfig)["_types"]["App"];
 /**
  * Type alias for the ResourceType union type from the audit config.
+ * Note: At compile time this is `string` since the actual values come from the layer.
  */
 export type ResourceType = (typeof auditConfig)["_types"]["ResourceType"];
 //# sourceMappingURL=audit-config.d.ts.map

package/dist/audit-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit-config.d.ts","sourceRoot":"","sources":["../src/audit-config.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;CAGtB,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;AAExD;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,cAAc,CAAC,CAAC"}
+{"version":3,"file":"audit-config.d.ts","sourceRoot":"","sources":["../src/audit-config.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,WAAW;;;mBACT,SAAS,MAAM,EAAE;4BACC,SAAS,MAAM,EAAE;;;;;;;;;;;;;;;;;;;;;;;CAChD,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;AAExD;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,cAAc,CAAC,CAAC"}

package/dist/audit-config.js

@@ -1,15 +1,16 @@
 import { defineAuditConfig } from "@flipboxlabs/aws-audit-sdk";
+// @ts-expect-error - This import is resolved at runtime from the Lambda layer
+import { apps, resourceTypes } from "/opt/nodejs/audit-config.js";
 /**
- * Shared audit configuration for the CDK.
+ * Audit configuration loaded from the Lambda layer.
  *
- * Defines the valid apps and resource types used across all handlers and schemas.
- * This config provides:
- * - Type-safe app and resourceType values
- * - Zod schemas for validation via `auditConfig.schemas`
+ * The `apps` and `resourceTypes` arrays are provided by the AuditConfigLayer
+ * construct at deploy time. This file creates the typed configuration object
+ * that handlers use.
  *
  * @example
  * ```typescript
- * import { auditConfig } from '../../audit-config.js';
+ * import { auditConfig, type App, type ResourceType } from '../../audit-config.js';
  *
  * // Use in handlers
  * const service = new AuditService(logger, auditConfig);
@@ -22,6 +23,6 @@ import { defineAuditConfig } from "@flipboxlabs/aws-audit-sdk";
  * ```
  */
 export const auditConfig = defineAuditConfig({
-    apps: [],
-    resourceTypes: [],
+    apps: apps,
+    resourceTypes: resourceTypes,
 });

package/dist/cloudwatch/construct.d.ts

@@ -1,11 +1,17 @@
 import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     subscriptionFilter?: {
         /** Scope of the subscription filter policy. Defaults to "ALL". */
         scope?: string;

package/dist/cloudwatch/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../src/cloudwatch/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAE5D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAGtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAE3B,kBAAkB,CAAC,EAAE;QACpB,kEAAkE;QAClE,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,oGAAoG;QACpG,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CACF,CAAC;AAEF,qBAAa,mBAAoB,SAAQ,SAAS;gBACrC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAoDtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../src/cloudwatch/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAE5D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IAEF,kBAAkB,CAAC,EAAE;QACpB,kEAAkE;QAClE,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,oGAAoG;QACpG,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC3B,CAAC;CACF,CAAC;AAEF,qBAAa,mBAAoB,SAAQ,SAAS;gBACrC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAyDtD"}

package/dist/cloudwatch/construct.js

@@ -3,25 +3,26 @@ import { AUDIT_LOG_IDENTIFIER } from "@flipboxlabs/aws-audit-sdk";
 import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import * as logs from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
-import { ESMNodeFunctionFactory } from "../lib/index.js";
+import { ESMNodeFunctionFactory } from "../lambda/nodejs.function.js";
 export class CloudWatchConstruct extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
         const ref = `${[props.config.env.toUpperCase(), "Account", "CloudWatch", "Subscription"].join("-")}`;
         // Lambda Function
-        const lambda = ESMNodeFunctionFactory(props.config)(this, "subscription", {
+        const lambdaFn = ESMNodeFunctionFactory(props.config)(this, "subscription", {
             functionName: ref,
             entry: url.fileURLToPath(new URL("subscription.handler.ts", import.meta.url).toString()),
+            layers: props.lambda.layers,
             currentVersionOptions: {
                 retryAttempts: 2,
             },
         });
         // Allow writes to DynamoDB
-        props.table.grantWriteData(lambda);
+        props.table.grantWriteData(lambdaFn);
         // Allow puts to EventBridge
-        props.eventBus.grantPutEventsTo(lambda);
+        props.eventBus.grantPutEventsTo(lambdaFn);
         // Permissions
-        lambda.addPermission("LogProcessorPermission", {
+        lambdaFn.addPermission("LogProcessorPermission", {
             principal: new ServicePrincipal("logs.amazonaws.com"),
             action: "lambda:InvokeFunction",
             sourceArn: `arn:aws:logs:${props.config.aws.region}:${props.config.aws.account}:log-group:*`,
@@ -32,15 +33,15 @@ export class CloudWatchConstruct extends Construct {
             policyName: `${props.config.env.toUpperCase()}AccountLevelSubscriptionPolicy`,
             policyType: "SUBSCRIPTION_FILTER_POLICY",
             policyDocument: JSON.stringify({
-                DestinationArn: lambda.functionArn,
+                DestinationArn: lambdaFn.functionArn,
                 Distribution: "Random",
                 FilterPattern: `{ $.${AUDIT_LOG_IDENTIFIER}.operation = * }`,
             }),
             scope: props.subscriptionFilter?.scope ?? "ALL",
             selectionCriteria: props.subscriptionFilter?.selectionCriteria ??
-                `LogGroupName NOT IN ["/aws/lambda/${lambda.functionName}"]`,
+                `LogGroupName NOT IN ["/aws/lambda/${lambdaFn.functionName}"]`,
         });
         // Add explicit dependency on the Lambda function
-        accountPolicy.node.addDependency(lambda);
+        accountPolicy.node.addDependency(lambdaFn);
     }
 }

package/dist/index.d.ts

@@ -4,50 +4,9 @@
  * Provides constructs for deploying audit infrastructure. Import and compose
  * the constructs in your own stack as needed.
  *
- * @example
- * ```typescript
- * import * as cdk from "aws-cdk-lib";
- * import type { Construct } from "constructs";
- * import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
+ * See the README for full usage examples.
  *
- * // Import constructs from the bootstrap directory
- * import { CloudWatchConstruct as CloudWatch } from "@flipboxlabs/aws-audit-cdk/cloudwatch";
- * import { DynamoDBConstruct as DynamoDB } from "@flipboxlabs/aws-audit-cdk/dynamodb";
- * import { EventBridgeConstruct as EventBridge } from "@flipboxlabs/aws-audit-cdk/eventbridge";
- * import { RestApiConstruct as RestAPI } from "@flipboxlabs/aws-audit-cdk/rest-api";
- *
- * interface Props {
- *   config: CDKConfig;
- * }
- *
- * export class AuditStack extends cdk.NestedStack {
- *   constructor(scope: Construct, id: string, props: Props) {
- *     super(scope, id, { description: "Audit" });
- *
- *     // DynamoDB (storage)
- *     const { table } = new DynamoDB(this, "DynamoDB", { config: props.config });
- *
- *     // EventBridge (events)
- *     const { eventBus } = new EventBridge(this, "EventBridge", {
- *       config: props.config,
- *     });
- *
- *     // CloudWatch (logging subscription)
- *     new CloudWatch(this, "CloudWatch", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *
- *     // REST API (optional)
- *     new RestAPI(this, "RestAPI", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *   }
- * }
- * ```
+ * @packageDocumentation
  */
 export * from "./constants.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,cAAc,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,cAAc,gBAAgB,CAAC"}

package/dist/index.js

@@ -4,49 +4,8 @@
  * Provides constructs for deploying audit infrastructure. Import and compose
  * the constructs in your own stack as needed.
  *
- * @example
- * ```typescript
- * import * as cdk from "aws-cdk-lib";
- * import type { Construct } from "constructs";
- * import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
+ * See the README for full usage examples.
  *
- * // Import constructs from the bootstrap directory
- * import { CloudWatchConstruct as CloudWatch } from "@flipboxlabs/aws-audit-cdk/cloudwatch";
- * import { DynamoDBConstruct as DynamoDB } from "@flipboxlabs/aws-audit-cdk/dynamodb";
- * import { EventBridgeConstruct as EventBridge } from "@flipboxlabs/aws-audit-cdk/eventbridge";
- * import { RestApiConstruct as RestAPI } from "@flipboxlabs/aws-audit-cdk/rest-api";
- *
- * interface Props {
- *   config: CDKConfig;
- * }
- *
- * export class AuditStack extends cdk.NestedStack {
- *   constructor(scope: Construct, id: string, props: Props) {
- *     super(scope, id, { description: "Audit" });
- *
- *     // DynamoDB (storage)
- *     const { table } = new DynamoDB(this, "DynamoDB", { config: props.config });
- *
- *     // EventBridge (events)
- *     const { eventBus } = new EventBridge(this, "EventBridge", {
- *       config: props.config,
- *     });
- *
- *     // CloudWatch (logging subscription)
- *     new CloudWatch(this, "CloudWatch", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *
- *     // REST API (optional)
- *     new RestAPI(this, "RestAPI", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *   }
- * }
- * ```
+ * @packageDocumentation
  */
 export * from "./constants.js";

package/dist/lambda/audit-config-layer.d.ts

@@ -0,0 +1,40 @@
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+/**
+ * Input configuration for the audit config layer.
+ * Contains the apps and resource types that will be available to Lambda handlers.
+ */
+export interface AuditConfigLayerProps {
+    /** List of valid application identifiers */
+    readonly apps: readonly string[];
+    /** List of valid resource type identifiers */
+    readonly resourceTypes: readonly string[];
+}
+/**
+ * Path where handlers should import the audit config from.
+ * This is the standard Lambda layer path for Node.js.
+ */
+export declare const AUDIT_CONFIG_LAYER_PATH = "/opt/nodejs/audit-config.js";
+/**
+ * Creates a Lambda layer containing the audit configuration.
+ *
+ * The layer exports raw `apps` and `resourceTypes` arrays that handlers
+ * can use with `defineAuditConfig` from the SDK.
+ *
+ * @example
+ * ```typescript
+ * import { AuditConfigLayer } from "@flipboxlabs/aws-audit-cdk";
+ *
+ * const auditLayer = new AuditConfigLayer(this, "AuditConfigLayer", {
+ *   apps: ["Orders", "Inventory"],
+ *   resourceTypes: ["Order", "Product"],
+ * });
+ *
+ * // Pass auditLayer.layer to constructs that need it
+ * ```
+ */
+export declare class AuditConfigLayer extends Construct {
+    readonly layer: lambda.LayerVersion;
+    constructor(scope: Construct, id: string, props: AuditConfigLayerProps);
+}
+//# sourceMappingURL=audit-config-layer.d.ts.map

package/dist/lambda/audit-config-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-config-layer.d.ts","sourceRoot":"","sources":["../../src/lambda/audit-config-layer.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACrC,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,8CAA8C;IAC9C,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C;AAED;;;GAGG;AACH,eAAO,MAAM,uBAAuB,gCAAgC,CAAC;AAErE;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,gBAAiB,SAAQ,SAAS;IAC9C,SAAgB,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC;gBAE/B,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,qBAAqB;CAuBtE"}

package/dist/lambda/audit-config-layer.js

@@ -0,0 +1,50 @@
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+/**
+ * Path where handlers should import the audit config from.
+ * This is the standard Lambda layer path for Node.js.
+ */
+export const AUDIT_CONFIG_LAYER_PATH = "/opt/nodejs/audit-config.js";
+/**
+ * Creates a Lambda layer containing the audit configuration.
+ *
+ * The layer exports raw `apps` and `resourceTypes` arrays that handlers
+ * can use with `defineAuditConfig` from the SDK.
+ *
+ * @example
+ * ```typescript
+ * import { AuditConfigLayer } from "@flipboxlabs/aws-audit-cdk";
+ *
+ * const auditLayer = new AuditConfigLayer(this, "AuditConfigLayer", {
+ *   apps: ["Orders", "Inventory"],
+ *   resourceTypes: ["Order", "Product"],
+ * });
+ *
+ * // Pass auditLayer.layer to constructs that need it
+ * ```
+ */
+export class AuditConfigLayer extends Construct {
+    layer;
+    constructor(scope, id, props) {
+        super(scope, id);
+        // Generate config file content - exports raw data
+        // Handlers will call defineAuditConfig themselves
+        const configCode = `// Auto-generated audit configuration
+export const apps = ${JSON.stringify(props.apps)};
+export const resourceTypes = ${JSON.stringify(props.resourceTypes)};
+`;
+        // Create temp directory with proper layer structure
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "audit-config-"));
+        const nodejsDir = path.join(tempDir, "nodejs");
+        fs.mkdirSync(nodejsDir);
+        fs.writeFileSync(path.join(nodejsDir, "audit-config.js"), configCode);
+        this.layer = new lambda.LayerVersion(this, "Layer", {
+            code: lambda.Code.fromAsset(tempDir),
+            compatibleRuntimes: [lambda.Runtime.NODEJS_20_X],
+            description: "Audit configuration layer containing apps and resourceTypes",
+        });
+    }
+}

package/dist/lambda/construct.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Lambda layer constructs for AWS Audit CDK.
+ *
+ * @packageDocumentation
+ */
+export * from "./audit-config-layer.js";
+//# sourceMappingURL=construct.d.ts.map

package/dist/lambda/construct.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../src/lambda/construct.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,yBAAyB,CAAC"}

package/dist/lambda/construct.js

@@ -0,0 +1,6 @@
+/**
+ * Lambda layer constructs for AWS Audit CDK.
+ *
+ * @packageDocumentation
+ */
+export * from "./audit-config-layer.js";

package/dist/lambda/nodejs.function.d.ts

@@ -0,0 +1,16 @@
+import * as cdk from "aws-cdk-lib";
+import * as nodejs from "aws-cdk-lib/aws-lambda-nodejs";
+import type { Construct } from "constructs";
+import type { CDKConfig } from "../constants.js";
+/**
+ * Factory function that creates ESM Node.js Lambda functions with standard configuration.
+ *
+ * The audit config layer should be passed via the `layers` prop in NodejsFunctionProps.
+ *
+ * @param config - CDK configuration for environment variables
+ * @returns A function that creates configured NodejsFunction instances
+ *
+ * @internal
+ */
+export declare const ESMNodeFunctionFactory: (config: CDKConfig) => (scope: Construct, id: string, props: nodejs.NodejsFunctionProps) => cdk.aws_lambda_nodejs.NodejsFunction;
+//# sourceMappingURL=nodejs.function.d.ts.map

package/dist/lambda/nodejs.function.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nodejs.function.d.ts","sourceRoot":"","sources":["../../src/lambda/nodejs.function.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,aAAa,CAAC;AAGnC,OAAO,KAAK,MAAM,MAAM,+BAA+B,CAAC;AAExD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAGjD;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,GACjC,QAAQ,SAAS,MACjB,OAAO,SAAS,EAAE,IAAI,MAAM,EAAE,OAAO,MAAM,CAAC,mBAAmB,yCA2D/D,CAAC"}

package/dist/{lib → lambda}/nodejs.function.js

@@ -3,6 +3,17 @@ import * as iam from "aws-cdk-lib/aws-iam";
 import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as nodejs from "aws-cdk-lib/aws-lambda-nodejs";
 import * as logs from "aws-cdk-lib/aws-logs";
+import { AUDIT_CONFIG_LAYER_PATH } from "./audit-config-layer.js";
+/**
+ * Factory function that creates ESM Node.js Lambda functions with standard configuration.
+ *
+ * The audit config layer should be passed via the `layers` prop in NodejsFunctionProps.
+ *
+ * @param config - CDK configuration for environment variables
+ * @returns A function that creates configured NodejsFunction instances
+ *
+ * @internal
+ */
 export const ESMNodeFunctionFactory = (config) => (scope, id, props) => {
     const nodejsFunction = new nodejs.NodejsFunction(scope, id, {
         tracing: lambda.Tracing.ACTIVE,
@@ -14,7 +25,8 @@ export const ESMNodeFunctionFactory = (config) => (scope, id, props) => {
         bundling: {
             minify: true,
             metafile: false,
-            externalModules: ["aws-sdk", "@aws-sdk/*"],
+            // Mark audit config layer path as external so esbuild doesn't try to bundle it
+            externalModules: ["aws-sdk", "@aws-sdk/*", AUDIT_CONFIG_LAYER_PATH],
             format: nodejs.OutputFormat.ESM,
             platform: "node",
             target: "esnext",
@@ -43,6 +55,7 @@ export const ESMNodeFunctionFactory = (config) => (scope, id, props) => {
     if (config.service) {
         nodejsFunction.addEnvironment("SERVICE", config.service);
     }
+    // Add Lambda Insights layer
     nodejsFunction.addLayers(lambda.LayerVersion.fromLayerVersionArn(scope, `${id}InsightLayer`, `arn:aws:lambda:${cdk.Stack.of(scope).region}:580247275435:layer:LambdaInsightsExtension-Arm64:2`));
     return nodejsFunction;
 };

package/dist/rest-api/construct.d.ts

@@ -2,11 +2,17 @@ import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     /** Override REST API props. */
     restApi?: Partial<apigateway.RestApiProps>;
 };

package/dist/rest-api/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../src/rest-api/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,+BAA+B;IAC/B,OAAO,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;CAC3C,CAAC;AAIF,qBAAa,gBAAiB,SAAQ,SAAS;IAC9C,SAAgB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;gBAEhC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CA6BtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../src/rest-api/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,+BAA+B;IAC/B,OAAO,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;CAC3C,CAAC;AAIF,qBAAa,gBAAiB,SAAQ,SAAS;IAC9C,SAAgB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;gBAEhC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CA6BtD"}

package/dist/rest-api/resources/app/construct.d.ts

@@ -2,11 +2,17 @@ import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import type * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     restApi: {
         resource: apigateway.IResource;
     };

package/dist/rest-api/resources/app/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../src/rest-api/resources/app/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,KAAK,UAAU,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CActD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../src/rest-api/resources/app/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,KAAK,UAAU,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAetD"}

package/dist/rest-api/resources/app/construct.js

@@ -8,6 +8,7 @@ export default class extends Construct {
             config: props.config,
             table: props.table,
             eventBus: props.eventBus,
+            lambda: props.lambda,
             restApi: {
                 resource: props.restApi.resource
                     .addResource(API_RESOURCE.RESOURCE)

package/dist/rest-api/resources/app/resources/objects/construct.d.ts

@@ -2,11 +2,17 @@ import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     restApi: {
         resource: apigateway.IResource;
     };

package/dist/rest-api/resources/app/resources/objects/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../../../src/rest-api/resources/app/resources/objects/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAKvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAuDtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../../../src/rest-api/resources/app/resources/objects/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAKvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CA6DtD"}

package/dist/rest-api/resources/app/resources/objects/construct.js

@@ -1,7 +1,7 @@
 import * as url from "node:url";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import { Construct } from "constructs";
-import { ESMNodeFunctionFactory } from "../../../../../lib/index.js";
+import { ESMNodeFunctionFactory } from "../../../../../lambda/nodejs.function.js";
 import { API_RESOURCE } from "./constants.js";
 import ReRun from "./resources/rerun/construct.js";
 export default class extends Construct {
@@ -14,19 +14,20 @@ export default class extends Construct {
             "Resources",
         ].join("-");
         // Lambda
-        const lambda = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
+        const lambdaFn = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
             functionName: ref,
             entry: url.fileURLToPath(new URL("handler.ts", import.meta.url).toString()),
+            layers: props.lambda.layers,
             currentVersionOptions: {
                 retryAttempts: 1,
             },
         });
         // Logger / Metrics / Tracing
-        lambda.addEnvironment("POWERTOOLS_SERVICE_NAME", "Resource");
+        lambdaFn.addEnvironment("POWERTOOLS_SERVICE_NAME", "Resource");
         // Audit
-        props.table.grantReadWriteData(lambda);
+        props.table.grantReadWriteData(lambdaFn);
         // Integration
-        const integration = new apigateway.LambdaIntegration(lambda);
+        const integration = new apigateway.LambdaIntegration(lambdaFn);
         const RESOURCE = props.restApi.resource
             .addResource(API_RESOURCE.RESOURCE)
             .addResource(`{${API_RESOURCE.RESOURCE_WILDCARD}}`);
@@ -40,6 +41,7 @@ export default class extends Construct {
             config: props.config,
             table: props.table,
             eventBus: props.eventBus,
+            lambda: props.lambda,
             restApi: {
                 resource: ITEM_RESOURCE.addResource(`{${API_RESOURCE.RESOURCE_WILDCARD_ITEM_AUDIT}}`),
             },

package/dist/rest-api/resources/app/resources/objects/resources/rerun/construct.d.ts

@@ -2,11 +2,17 @@ import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     restApi: {
         resource: apigateway.IResource;
     };

package/dist/rest-api/resources/app/resources/objects/resources/rerun/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../../../../../src/rest-api/resources/app/resources/objects/resources/rerun/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAyCtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../../../../../src/rest-api/resources/app/resources/objects/resources/rerun/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CA8CtD"}

package/dist/rest-api/resources/app/resources/objects/resources/rerun/construct.js

@@ -1,7 +1,7 @@
 import * as url from "node:url";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import { Construct } from "constructs";
-import { ESMNodeFunctionFactory } from "../../../../../../../lib/index.js";
+import { ESMNodeFunctionFactory } from "../../../../../../../lambda/nodejs.function.js";
 import { API_RESOURCE } from "./constants.js";
 export default class extends Construct {
     constructor(scope, id, props) {
@@ -13,21 +13,22 @@ export default class extends Construct {
             "Resource-Rerun",
         ].join("-");
         // Lambda
-        const lambda = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
+        const lambdaFn = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
             functionName: ref,
             entry: url.fileURLToPath(new URL("handler.ts", import.meta.url).toString()),
+            layers: props.lambda.layers,
             currentVersionOptions: {
                 retryAttempts: 1,
             },
         });
         // Logger / Metrics / Tracing
-        lambda.addEnvironment("POWERTOOLS_SERVICE_NAME", "ResourceRerun");
+        lambdaFn.addEnvironment("POWERTOOLS_SERVICE_NAME", "ResourceRerun");
         // Audit
-        props.table.grantReadWriteData(lambda);
+        props.table.grantReadWriteData(lambdaFn);
         // Put events
-        props.eventBus.grantPutEventsTo(lambda);
+        props.eventBus.grantPutEventsTo(lambdaFn);
         // Integration
-        const integration = new apigateway.LambdaIntegration(lambda);
+        const integration = new apigateway.LambdaIntegration(lambdaFn);
         const RESOURCE = props.restApi.resource.addResource(API_RESOURCE.RESOURCE);
         // /apps/{app}/objects/{object}/{item}/{audit}/rerun
         RESOURCE.addMethod("POST", integration, {

package/dist/rest-api/resources/construct.d.ts

@@ -2,11 +2,17 @@ import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import type * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
 import type * as events from "aws-cdk-lib/aws-events";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 interface Props {
     config: CDKConfig;
     table: dynamodb.ITable;
     eventBus: events.IEventBus;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     restApi: {
         resource: apigateway.IResource;
     };

package/dist/rest-api/resources/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../src/rest-api/resources/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,KAAK,UAAU,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,UAAU,KAAK;IACd,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAE/B,CAAC;CACF;AAED,qBAAa,yBAA0B,SAAQ,SAAS;gBAC3C,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAOtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../src/rest-api/resources/construct.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,KAAK,UAAU,MAAM,4BAA4B,CAAC;AAC9D,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,UAAU,KAAK;IACd,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC;IAC3B,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAE/B,CAAC;CACF;AAED,qBAAa,yBAA0B,SAAQ,SAAS;gBAC3C,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAOtD"}

package/dist/rest-api/resources/trace/construct.d.ts

@@ -1,10 +1,16 @@
 import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import type * as dynamodb from "aws-cdk-lib/aws-dynamodb";
+import type * as lambda from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 type Props = {
     config: CDKConfig;
     table: dynamodb.ITable;
+    /** Lambda configuration */
+    lambda: {
+        /** Lambda layers to attach to the function */
+        layers: lambda.ILayerVersion[];
+    };
     restApi: {
         resource: apigateway.IResource;
     };

package/dist/rest-api/resources/trace/construct.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../src/rest-api/resources/trace/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CAwCtD"}
+{"version":3,"file":"construct.d.ts","sourceRoot":"","sources":["../../../../src/rest-api/resources/trace/construct.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,KAAK,QAAQ,MAAM,0BAA0B,CAAC;AAC1D,OAAO,KAAK,KAAK,MAAM,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,KAAK,KAAK,GAAG;IACZ,MAAM,EAAE,SAAS,CAAC;IAClB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACvB,2BAA2B;IAC3B,MAAM,EAAE;QACP,8CAA8C;QAC9C,MAAM,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE;QACR,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC;KAC/B,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,OAAO,MAAO,SAAQ,SAAS;gBACzB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;CA6CtD"}

package/dist/rest-api/resources/trace/construct.js

@@ -1,7 +1,7 @@
 import * as url from "node:url";
 import * as apigateway from "aws-cdk-lib/aws-apigateway";
 import { Construct } from "constructs";
-import { ESMNodeFunctionFactory } from "../../../lib/index.js";
+import { ESMNodeFunctionFactory } from "../../../lambda/nodejs.function.js";
 import { API_RESOURCE } from "./constants.js";
 export default class extends Construct {
     constructor(scope, id, props) {
@@ -13,19 +13,20 @@ export default class extends Construct {
             "Trace",
         ].join("-");
         // Lambda
-        const lambda = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
+        const lambdaFn = ESMNodeFunctionFactory(props.config)(this, "NodeFunction", {
             functionName: ref,
             entry: url.fileURLToPath(new URL("handler.ts", import.meta.url).toString()),
+            layers: props.lambda.layers,
             currentVersionOptions: {
                 retryAttempts: 1,
             },
         });
         // Logger / Metrics / Tracing
-        lambda.addEnvironment("POWERTOOLS_SERVICE_NAME", "Trace");
+        lambdaFn.addEnvironment("POWERTOOLS_SERVICE_NAME", "Trace");
         // DynamoDB
-        props.table.grantReadWriteData(lambda);
+        props.table.grantReadWriteData(lambdaFn);
         // Integration
-        const integration = new apigateway.LambdaIntegration(lambda);
+        const integration = new apigateway.LambdaIntegration(lambdaFn);
         const RESOURCE = props.restApi.resource
             .addResource(API_RESOURCE.RESOURCE)
             .addResource(`{${API_RESOURCE.RESOURCE}}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flipboxlabs/aws-audit-cdk",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "AWS Audit CDK - CDK constructs for AWS audit infrastructure",
   "type": "module",
   "main": "./dist/index.js",
@@ -9,9 +9,9 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
-    "./lib": {
-      "types": "./dist/lib/index.d.ts",
-      "import": "./dist/lib/index.js"
+    "./lambda": {
+      "types": "./dist/lambda/construct.d.ts",
+      "import": "./dist/lambda/construct.js"
     },
     "./cloudwatch": {
       "types": "./dist/cloudwatch/construct.d.ts",
@@ -42,7 +42,7 @@
     "@middy/core": "^6.4.5",
     "qs": "^6.14.0",
     "zod": "^4.0.0",
-    "@flipboxlabs/aws-audit-sdk": "^1.0.0"
+    "@flipboxlabs/aws-audit-sdk": "^1.1.1"
   },
   "devDependencies": {
     "@tsconfig/node22": "^22.0.1",

package/dist/lib/index.d.ts

@@ -1,53 +0,0 @@
-/**
- * AWS Audit CDK Library
- *
- * Provides constructs for deploying audit infrastructure. Import and compose
- * the constructs in your own stack as needed.
- *
- * @example
- * ```typescript
- * import * as cdk from "aws-cdk-lib";
- * import type { Construct } from "constructs";
- * import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
- *
- * // Import constructs from the bootstrap directory
- * import CloudWatch from "@flipboxlabs/aws-audit-cdk/bootstrap/cloudwatch/construct";
- * import DynamoDB from "@flipboxlabs/aws-audit-cdk/bootstrap/dynamodb/construct";
- * import EventBridge from "@flipboxlabs/aws-audit-cdk/bootstrap/eventbridge/construct";
- * import RestAPI from "@flipboxlabs/aws-audit-cdk/bootstrap/rest-api/construct";
- *
- * interface Props {
- *   config: CDKConfig;
- * }
- *
- * export class AuditStack extends cdk.NestedStack {
- *   constructor(scope: Construct, id: string, props: Props) {
- *     super(scope, id, { description: "Audit" });
- *
- *     // DynamoDB (storage)
- *     const { table } = new DynamoDB(this, "DynamoDB", { config: props.config });
- *
- *     // EventBridge (events)
- *     const { eventBus } = new EventBridge(this, "EventBridge", {
- *       config: props.config,
- *     });
- *
- *     // CloudWatch (logging subscription)
- *     new CloudWatch(this, "CloudWatch", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *
- *     // REST API (optional)
- *     new RestAPI(this, "RestAPI", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *   }
- * }
- * ```
- */
-export * from "./nodejs.function.js";
-//# sourceMappingURL=index.d.ts.map

package/dist/lib/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,cAAc,sBAAsB,CAAC"}

package/dist/lib/index.js

@@ -1,52 +0,0 @@
-/**
- * AWS Audit CDK Library
- *
- * Provides constructs for deploying audit infrastructure. Import and compose
- * the constructs in your own stack as needed.
- *
- * @example
- * ```typescript
- * import * as cdk from "aws-cdk-lib";
- * import type { Construct } from "constructs";
- * import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
- *
- * // Import constructs from the bootstrap directory
- * import CloudWatch from "@flipboxlabs/aws-audit-cdk/bootstrap/cloudwatch/construct";
- * import DynamoDB from "@flipboxlabs/aws-audit-cdk/bootstrap/dynamodb/construct";
- * import EventBridge from "@flipboxlabs/aws-audit-cdk/bootstrap/eventbridge/construct";
- * import RestAPI from "@flipboxlabs/aws-audit-cdk/bootstrap/rest-api/construct";
- *
- * interface Props {
- *   config: CDKConfig;
- * }
- *
- * export class AuditStack extends cdk.NestedStack {
- *   constructor(scope: Construct, id: string, props: Props) {
- *     super(scope, id, { description: "Audit" });
- *
- *     // DynamoDB (storage)
- *     const { table } = new DynamoDB(this, "DynamoDB", { config: props.config });
- *
- *     // EventBridge (events)
- *     const { eventBus } = new EventBridge(this, "EventBridge", {
- *       config: props.config,
- *     });
- *
- *     // CloudWatch (logging subscription)
- *     new CloudWatch(this, "CloudWatch", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *
- *     // REST API (optional)
- *     new RestAPI(this, "RestAPI", {
- *       config: props.config,
- *       table,
- *       eventBus,
- *     });
- *   }
- * }
- * ```
- */
-export * from "./nodejs.function.js";

package/dist/lib/nodejs.function.d.ts

@@ -1,6 +0,0 @@
-import type { CDKConfig } from "@flipboxlabs/aws-audit-cdk";
-import * as cdk from "aws-cdk-lib";
-import * as nodejs from "aws-cdk-lib/aws-lambda-nodejs";
-import type { Construct } from "constructs";
-export declare const ESMNodeFunctionFactory: (config: CDKConfig) => (scope: Construct, id: string, props: nodejs.NodejsFunctionProps) => cdk.aws_lambda_nodejs.NodejsFunction;
-//# sourceMappingURL=nodejs.function.d.ts.map

package/dist/lib/nodejs.function.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"nodejs.function.d.ts","sourceRoot":"","sources":["../../src/lib/nodejs.function.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,KAAK,GAAG,MAAM,aAAa,CAAC;AAGnC,OAAO,KAAK,MAAM,MAAM,+BAA+B,CAAC;AAExD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,eAAO,MAAM,sBAAsB,GACjC,QAAQ,SAAS,MACjB,OAAO,SAAS,EAAE,IAAI,MAAM,EAAE,OAAO,MAAM,CAAC,mBAAmB,yCAyD/D,CAAC"}