@gradientedge/cdk-utils 8.125.0 → 8.127.0

package/dist/src/lib/aws/services/lambda/main.d.ts

@@ -1,7 +1,7 @@
 import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2';
 import { IAccessPoint } from 'aws-cdk-lib/aws-efs';
 import { CfnRole, Role } from 'aws-cdk-lib/aws-iam';
-import { Alias, AssetCode, DockerImageCode, DockerImageFunction, Function, ILayerVersion, IVersion, LayerVersion } from 'aws-cdk-lib/aws-lambda';
+import { Alias, Architecture, AssetCode, DockerImageCode, DockerImageFunction, Function, ILayerVersion, IVersion, LayerVersion } from 'aws-cdk-lib/aws-lambda';
 import { CommonConstruct } from '../../common';
 import { LambdaAliasProps, LambdaEdgeProps, LambdaProps } from './types';
 /**
@@ -26,8 +26,10 @@ export declare class LambdaManager {
      * @param id scoped id of the resource
      * @param scope scope in which this resource is defined
      * @param code
+     * @param architectures
      */
-    createLambdaLayer(id: string, scope: CommonConstruct, code: AssetCode): LayerVersion;
+    createLambdaLayer(id: string, scope: CommonConstruct, code: AssetCode, architectures?: Architecture[]): LayerVersion;
+    createWebAdapterLayer(id: string, scope: CommonConstruct): ILayerVersion[];
     /**
      * @summary Method to create a lambda function (nodejs)
      * @param id scoped id of the resource

package/dist/src/lib/aws/services/lambda/main.js

@@ -35,10 +35,12 @@ class LambdaManager {
      * @param id scoped id of the resource
      * @param scope scope in which this resource is defined
      * @param code
+     * @param architectures
      */
-    createLambdaLayer(id, scope, code) {
+    createLambdaLayer(id, scope, code, architectures) {
         const lambdaLayer = new aws_lambda_1.LayerVersion(scope, `${id}`, {
             code: code,
+            compatibleArchitectures: architectures ?? [aws_lambda_1.Architecture.ARM_64],
             compatibleRuntimes: [scope.props.nodejsRuntime ?? common_1.CommonStack.NODEJS_RUNTIME],
             description: `${id}`,
             layerVersionName: `${id}-${scope.props.stage}`,
@@ -46,6 +48,12 @@ class LambdaManager {
         (0, utils_1.createCfnOutput)(`${id}-lambdaLayerArn`, scope, lambdaLayer.layerVersionArn);
         return lambdaLayer;
     }
+    createWebAdapterLayer(id, scope) {
+        return [
+            aws_lambda_1.LayerVersion.fromLayerVersionArn(scope, `${id}-${aws_lambda_1.Architecture.X86_64}`, `arn:aws:lambda:${scope.props.region}:753240598075:layer:LambdaAdapterLayerX86:17`),
+            aws_lambda_1.LayerVersion.fromLayerVersionArn(scope, `${id}-${aws_lambda_1.Architecture.ARM_64}`, `arn:aws:lambda:${scope.props.region}:753240598075:layer:LambdaAdapterLayerArm64:17`),
+        ];
+    }
     /**
      * @summary Method to create a lambda function (nodejs)
      * @param id scoped id of the resource

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "8.125.0",
+  "version": "8.127.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {
@@ -46,15 +46,15 @@
     }
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.414.0",
-    "@aws-sdk/credential-providers": "^3.414.0",
-    "@aws-sdk/types": "^3.413.0",
-    "@cdktf/provider-azurerm": "^10.0.3",
-    "@types/lodash": "^4.14.198",
-    "@types/node": "^20.6.2",
+    "@aws-sdk/client-secrets-manager": "^3.421.0",
+    "@aws-sdk/credential-providers": "^3.421.0",
+    "@aws-sdk/types": "^3.418.0",
+    "@cdktf/provider-azurerm": "^10.0.5",
+    "@types/lodash": "^4.14.199",
+    "@types/node": "^20.8.0",
     "@types/uuid": "^9.0.4",
     "app-root-path": "^3.1.0",
-    "aws-cdk-lib": "^2.96.2",
+    "aws-cdk-lib": "^2.99.1",
     "cdktf": "^0.18.0",
     "constructs": "^10.2.70",
     "lodash": "^4.17.21",
@@ -65,22 +65,22 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@babel/core": "^7.22.20",
+    "@babel/core": "^7.23.0",
     "@babel/eslint-parser": "^7.22.15",
     "@babel/plugin-proposal-class-properties": "^7.18.6",
     "@types/jest": "^29.5.5",
-    "@typescript-eslint/eslint-plugin": "^6.7.0",
-    "@typescript-eslint/parser": "^6.7.0",
-    "aws-cdk": "^2.96.2",
+    "@typescript-eslint/eslint-plugin": "^6.7.3",
+    "@typescript-eslint/parser": "^6.7.3",
+    "aws-cdk": "^2.99.1",
     "better-docs": "^2.7.2",
     "codecov": "^3.8.3",
     "commitizen": "^4.3.0",
     "docdash": "^2.0.2",
     "dotenv": "^16.3.1",
-    "eslint": "^8.49.0",
+    "eslint": "^8.50.0",
     "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-import": "^2.28.1",
-    "eslint-plugin-jsdoc": "^46.8.1",
+    "eslint-plugin-jsdoc": "^46.8.2",
     "husky": "^8.0.3",
     "jest": "^29.7.0",
     "jest-extended": "^4.0.1",
@@ -92,8 +92,8 @@
     "jsdoc-to-markdown": "^8.0.0",
     "prettier": "^3.0.3",
     "prettier-plugin-organize-imports": "^3.2.3",
-    "rimraf": "^5.0.1",
-    "semantic-release": "^22.0.0",
+    "rimraf": "^5.0.5",
+    "semantic-release": "^22.0.5",
     "taffydb": "^2.7.3",
     "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",

package/src/lib/aws/construct/index.ts

@@ -9,5 +9,6 @@ export * from './lambda-with-iam-access'
 export * from './rest-api-lambda'
 export * from './rest-api-lambda-with-cache'
 export * from './site-with-ecs-backend'
+export * from './site-with-lambda-backend'
 export * from './static-asset-deployment'
 export * from './static-site'

package/src/lib/aws/construct/site-with-lambda-backend/constants.ts

@@ -0,0 +1,6 @@
+export enum SiteWithLambdaBackendResponseHeaderPolicyType {
+  ORIGIN = 'origin',
+  STATIC = 'static',
+}
+
+export const LAMBDA_ALIAS_NAME_CURRENT = 'current'

package/src/lib/aws/construct/site-with-lambda-backend/index.ts

@@ -0,0 +1,3 @@
+export * from './constants'
+export * from './main'
+export * from './types'

package/src/lib/aws/construct/site-with-lambda-backend/main.ts

@@ -0,0 +1,433 @@
+import { Duration, Fn } from 'aws-cdk-lib'
+import { ICertificate } from 'aws-cdk-lib/aws-certificatemanager'
+import {
+  CachePolicy,
+  IFunction as CfIFunction,
+  Distribution,
+  FunctionAssociation,
+  FunctionEventType,
+  OriginProtocolPolicy,
+  OriginRequestPolicy,
+  ResponseHeadersPolicy,
+} from 'aws-cdk-lib/aws-cloudfront'
+import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins'
+import { AnyPrincipal, Effect, PolicyDocument, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam'
+import { AssetCode, Function, FunctionUrl, FunctionUrlAuthType, IFunction, ILayerVersion } from 'aws-cdk-lib/aws-lambda'
+import { IHostedZone } from 'aws-cdk-lib/aws-route53'
+import { IBucket } from 'aws-cdk-lib/aws-s3'
+import { BucketDeployment } from 'aws-cdk-lib/aws-s3-deployment'
+import { Construct } from 'constructs'
+import _ from 'lodash'
+import { CommonConstruct } from '../../common'
+import { LAMBDA_ALIAS_NAME_CURRENT } from './constants'
+import {
+  SiteWithLambdaBackendCachePolicyProps,
+  SiteWithLambdaBackendProps,
+  SiteWithLambdaBackendResponseHeadersPolicyProps,
+} from './types'
+
+/**
+ * @classdesc Provides a construct to create and deploy a site hosted with an clustered ECS/ELB backend
+ * @example
+ * import { SiteWithLambdaBackend, SiteWithLambdaBackendProps } '@gradientedge/cdk-utils'
+ * import { Construct } from 'constructs'
+ *
+ * class CustomConstruct extends SiteWithLambdaBackend {
+ *   constructor(parent: Construct, id: string, props: SiteWithLambdaBackendProps) {
+ *     super(parent, id, props)
+ *     this.props = props
+ *     this.id = id
+ *     this.initResources()
+ *   }
+ * }
+ */
+export class SiteWithLambdaBackend extends CommonConstruct {
+  /* site properties */
+  props: SiteWithLambdaBackendProps
+  id: string
+
+  /* site resources */
+  siteHostedZone: IHostedZone
+  siteCertificate: ICertificate
+  siteRegionalCertificate: ICertificate
+  siteSecrets: any
+  siteLogBucket: IBucket
+  siteOrigin: HttpOrigin
+  siteDistribution: Distribution
+  siteInternalDomainName: string
+  siteExternalDomainName: string
+  siteDomainNames: string[]
+  siteCloudfrontFunction: CfIFunction
+  siteFunctionAssociations: FunctionAssociation[]
+  siteOriginRequestPolicy: OriginRequestPolicy
+  siteOriginResponseHeadersPolicy?: ResponseHeadersPolicy
+  siteCachePolicy: CachePolicy
+  siteStaticAssetDeployment: BucketDeployment
+  siteLambdaPolicy: PolicyDocument
+  siteLambdaRole: Role
+  siteLambdaEnvironment: any
+  siteLambdaLayers: ILayerVersion[]
+  siteLambdaApplication: AssetCode
+  siteLambdaFunction: IFunction
+  siteLambdaUrl: FunctionUrl
+
+  constructor(parent: Construct, id: string, props: SiteWithLambdaBackendProps) {
+    super(parent, id, props)
+    this.props = props
+    this.id = id
+  }
+
+  /**
+   * @summary Initialise and provision resources
+   */
+  protected initResources() {
+    this.resolveHostedZone()
+    this.resolveCertificate()
+    this.resolveSiteSecrets()
+    this.resolveSiteDomainNames()
+    this.createSiteLogBucket()
+    this.createSiteOriginCachePolicy()
+    this.createSiteOriginRequestPolicy()
+    this.createSiteOriginResponseHeadersPolicy()
+    this.createSiteOrigin()
+    this.createSiteCloudfrontFunction()
+    this.resolveSiteFunctionAssociations()
+    this.createDistribution()
+    this.createNetworkMappings()
+    this.invalidateDistributionCache()
+  }
+
+  /**
+   * @summary Method to resolve a hosted zone based on domain attributes
+   */
+  protected resolveHostedZone() {
+    this.siteHostedZone = this.route53Manager.withHostedZoneFromFullyQualifiedDomainName(
+      `${this.id}-hosted-zone`,
+      this,
+      this.props.useExistingHostedZone
+    )
+  }
+
+  /**
+   * @summary Method to resolve a certificate based on attributes
+   */
+  protected resolveCertificate() {
+    this.resolveGlobalCertificate()
+    this.resolveRegionalCertificate()
+  }
+
+  protected resolveGlobalCertificate() {
+    if (
+      this.props.siteCertificate.useExistingCertificate &&
+      this.props.siteCertificate.certificateSsmName &&
+      this.props.siteCertificate.certificateRegion
+    ) {
+      this.props.siteCertificate.certificateArn = this.ssmManager.readStringParameterFromRegion(
+        `${this.id}-certificate-parameter`,
+        this,
+        this.props.siteCertificate.certificateSsmName,
+        this.props.siteCertificate.certificateRegion
+      )
+    }
+    this.siteCertificate = this.acmManager.resolveCertificate(
+      `${this.id}-certificate`,
+      this,
+      this.props.siteCertificate
+    )
+  }
+
+  protected resolveRegionalCertificate() {
+    if (
+      this.props.siteRegionalCertificate.useExistingCertificate &&
+      this.props.siteRegionalCertificate.certificateSsmName &&
+      this.props.siteRegionalCertificate.certificateRegion
+    ) {
+      this.props.siteRegionalCertificate.certificateArn = this.ssmManager.readStringParameterFromRegion(
+        `${this.id}-regional-certificate-parameter`,
+        this,
+        this.props.siteRegionalCertificate.certificateSsmName,
+        this.props.siteRegionalCertificate.certificateRegion
+      )
+    }
+    this.siteRegionalCertificate = this.acmManager.resolveCertificate(
+      `${this.id}-regional-certificate`,
+      this,
+      this.props.siteRegionalCertificate,
+      this.siteHostedZone
+    )
+  }
+
+  /**
+   * @summary Method to resolve secrets from SecretsManager
+   * - To be implemented in the overriding method in the implementation class
+   */
+  protected resolveSiteSecrets() {}
+
+  /**
+   * @summary Method to resolve site domain names
+   */
+  protected resolveSiteDomainNames() {
+    /* the internal domain name used by ELB */
+    this.siteInternalDomainName =
+      this.isProductionStage() || this.props.skipStageForARecords
+        ? `${this.props.siteSubDomain}-internal.${this.fullyQualifiedDomainName}`
+        : `${this.props.siteSubDomain}-internal-${this.props.stage}.${this.fullyQualifiedDomainName}`
+
+    /* the external domain name exposed to CloudFront */
+    this.siteExternalDomainName =
+      this.isProductionStage() || this.props.skipStageForARecords
+        ? `${this.props.siteSubDomain}.${this.fullyQualifiedDomainName}`
+        : `${this.props.siteSubDomain}-${this.props.stage}.${this.fullyQualifiedDomainName}`
+
+    this.siteDomainNames = [this.siteExternalDomainName]
+  }
+
+  /**
+   * Method to create log bucket for site distribution
+   */
+  protected createSiteLogBucket() {
+    this.siteLogBucket = this.s3Manager.createS3Bucket(`${this.id}-site-logs`, this, this.props.siteLogBucket)
+  }
+
+  protected createSiteCachePolicy(id: string, siteCachePolicy: SiteWithLambdaBackendCachePolicyProps) {
+    return new CachePolicy(this, `${id}`, {
+      cachePolicyName: `${this.id}-${siteCachePolicy.cachePolicyName}`,
+      comment: `Policy for ${this.id}-distribution - ${this.props.stage} stage`,
+      cookieBehavior: siteCachePolicy.cookieBehavior,
+      enableAcceptEncodingBrotli: siteCachePolicy.enableAcceptEncodingBrotli,
+      enableAcceptEncodingGzip: siteCachePolicy.enableAcceptEncodingGzip,
+      headerBehavior: siteCachePolicy.headerBehavior,
+      maxTtl: Duration.seconds(siteCachePolicy.maxTtlInSeconds),
+      minTtl: Duration.seconds(siteCachePolicy.minTtlInSeconds),
+      queryStringBehavior: siteCachePolicy.queryStringBehavior,
+    })
+  }
+
+  protected createSiteOriginCachePolicy() {
+    if (!this.props.siteCachePolicy) return
+    this.siteCachePolicy = this.createSiteCachePolicy(`${this.id}-site-cache-policy`, this.props.siteCachePolicy)
+    _.assign(this.props.siteDistribution.defaultBehavior, {
+      cachePolicy: this.siteCachePolicy,
+    })
+  }
+
+  protected createSiteOriginRequestPolicy() {
+    if (!this.props.siteOriginRequestPolicy) return
+    this.siteOriginRequestPolicy = new OriginRequestPolicy(this, `${this.id}-sorp`, {
+      comment: `Request Policy for ${this.id}-distribution - ${this.props.stage} stage`,
+      cookieBehavior: this.props.siteOriginRequestPolicy.cookieBehavior,
+      headerBehavior: this.props.siteOriginRequestPolicy.headerBehavior,
+      originRequestPolicyName: `${this.id}-origin-request`,
+      queryStringBehavior: this.props.siteOriginRequestPolicy.queryStringBehavior,
+    })
+
+    _.assign(this.props.siteDistribution.defaultBehavior, {
+      originRequestPolicy: this.siteOriginRequestPolicy,
+    })
+  }
+
+  protected createResponseHeaderPolicy(props: SiteWithLambdaBackendResponseHeadersPolicyProps) {
+    if (!props) return undefined
+    return new ResponseHeadersPolicy(this, `${this.id}-${props.type}-srhp`, {
+      ...props,
+      comment: `Response Header Policy for ${props.type} for ${this.id}-distribution - ${this.props.stage} stage`,
+      responseHeadersPolicyName: `${this.id}-${props.type}-response`,
+      securityHeadersBehavior: {
+        ...props.securityHeadersBehavior,
+        strictTransportSecurity: {
+          ...props.securityHeadersBehavior?.strictTransportSecurity,
+          accessControlMaxAge: Duration.seconds(
+            props.securityHeadersBehavior?.strictTransportSecurity?.accessControlMaxAgeInSeconds
+          ),
+        },
+      },
+    })
+  }
+
+  protected createSiteOriginResponseHeadersPolicy() {
+    if (!this.props.siteOriginResponseHeadersPolicy) return
+    this.siteOriginResponseHeadersPolicy = this.createResponseHeaderPolicy(this.props.siteOriginResponseHeadersPolicy)
+    _.assign(this.props.siteDistribution.defaultBehavior, {
+      responseHeadersPolicy: this.siteOriginResponseHeadersPolicy,
+    })
+  }
+
+  protected createSiteOrigin() {
+    this.createSiteOriginResources()
+    this.siteOrigin = new HttpOrigin(Fn.select(2, Fn.split('/', this.siteLambdaUrl.url)), {
+      httpPort: 443,
+      originId: `${this.id}-server`,
+      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
+    })
+  }
+
+  protected createSiteOriginResources() {
+    this.createSiteStaticAssetDeployment()
+    this.createSiteLambdaPolicy()
+    this.createSiteLambdaRole()
+    this.createSiteLambdaEnvironment()
+    this.createSiteLambdaLayers()
+    this.createSiteLambdaApplication()
+    this.createSiteLambda()
+    this.createSiteLambdaUrl()
+  }
+
+  protected createSiteStaticAssetDeployment() {}
+
+  protected createSiteLambdaPolicy() {
+    this.siteLambdaPolicy = new PolicyDocument({
+      statements: [
+        new PolicyStatement({
+          actions: ['lambda:InvokeFunctionUrl'],
+          effect: Effect.ALLOW,
+          resources: ['*'],
+        }),
+      ],
+    })
+  }
+
+  protected createSiteLambdaRole() {
+    this.siteLambdaRole = this.iamManager.createRoleForLambda(`${this.id}-role`, this, this.siteLambdaPolicy)
+  }
+
+  protected createSiteLambdaEnvironment() {
+    this.siteLambdaEnvironment = {
+      AWS_LAMBDA_EXEC_WRAPPER: this.props.siteExecWrapperPath ?? '/opt/bootstrap',
+      LOG_LEVEL: this.props.logLevel,
+      NODE_ENV: this.props.nodeEnv,
+      PORT: this.props.sitePort,
+      READINESS_CHECK_PATH: this.props.siteHealthEndpoint,
+      READINESS_CHECK_PORT: this.props.sitePort,
+      STAGE: this.props.stage,
+      TZ: this.props.timezone,
+    }
+  }
+
+  protected createSiteLambdaLayers() {
+    this.siteLambdaLayers = this.lambdaManager.createWebAdapterLayer(`${this.id}-web-adapter`, this)
+  }
+
+  protected createSiteLambdaApplication() {}
+
+  protected createSiteLambda() {
+    this.siteLambdaFunction = this.lambdaManager.createLambdaFunction(
+      `${this.id}-lambda`,
+      this,
+      this.props.siteLambda,
+      this.siteLambdaRole,
+      this.siteLambdaLayers,
+      this.siteLambdaApplication,
+      this.props.siteLambda.handler,
+      this.siteLambdaEnvironment
+    )
+  }
+
+  protected createSiteLambdaUrl() {
+    const lambdaAlias = _.find(
+      this.props.siteLambda.lambdaAliases,
+      alias => alias.aliasName === LAMBDA_ALIAS_NAME_CURRENT
+    )
+
+    const lambdaFn = lambdaAlias
+      ? Function.fromFunctionAttributes(this, `${this.id}-fn-alias`, {
+          functionArn: `${this.siteLambdaFunction.functionArn}:${lambdaAlias.aliasName}`,
+          sameEnvironment: true,
+        })
+      : this.siteLambdaFunction
+    lambdaFn.node.addDependency(this.siteLambdaFunction)
+
+    this.siteLambdaUrl = lambdaFn.addFunctionUrl({
+      authType: FunctionUrlAuthType.NONE,
+    })
+    this.siteLambdaUrl.node.addDependency(this.siteLambdaFunction)
+    this.siteLambdaUrl.node.addDependency(lambdaFn)
+
+    const principal = new AnyPrincipal()
+    principal.addToPolicy(
+      new PolicyStatement({
+        actions: ['lambda:InvokeFunctionUrl'],
+        conditions: { StringEquals: { 'lambda:FunctionUrlAuthType': FunctionUrlAuthType.NONE } },
+        effect: Effect.ALLOW,
+        resources: ['*'],
+      })
+    )
+
+    lambdaFn.grantInvokeUrl({ grantPrincipal: principal })
+
+    this.addCfnOutput(`${this.id}-url`, this.siteLambdaUrl.url)
+  }
+
+  /**
+   * @summary Method to create a site cloudfront function
+   */
+  protected createSiteCloudfrontFunction() {
+    if (this.props.siteCloudfrontFunctionProps) {
+      this.siteCloudfrontFunction = this.cloudFrontManager.createCloudfrontFunction(
+        `${this.id}-function`,
+        this,
+        this.props.siteCloudfrontFunctionProps
+      )
+    }
+  }
+
+  /**
+   * @summary Method to create a site cloudfront function associations
+   */
+  protected resolveSiteFunctionAssociations() {
+    if (this.props.siteCloudfrontFunctionProps) {
+      this.siteFunctionAssociations = [
+        {
+          eventType: FunctionEventType.VIEWER_REQUEST,
+          function: this.siteCloudfrontFunction,
+        },
+      ]
+    }
+  }
+
+  /**
+   * Method to create Site distribution
+   */
+  protected createDistribution() {
+    this.siteDistribution = this.cloudFrontManager.createDistributionWithHttpOrigin(
+      `${this.id}-distribution`,
+      this,
+      this.props.siteDistribution,
+      this.siteOrigin,
+      this.siteDomainNames,
+      this.siteLogBucket,
+      this.siteCertificate,
+      this.siteFunctionAssociations,
+      this.props.siteDistribution.defaultBehavior.responseHeadersPolicy
+    )
+    this.siteDistribution.node.addDependency(this.siteLambdaFunction)
+    this.siteDistribution.node.addDependency(this.siteLambdaUrl)
+  }
+
+  /**
+   * Method to create Route53 records for distribution
+   */
+  protected createNetworkMappings() {
+    this.route53Manager.createCloudFrontTargetARecord(
+      `${this.id}-a-record`,
+      this,
+      this.siteDistribution,
+      this.siteHostedZone,
+      this.props.siteRecordName,
+      this.props.skipStageForARecords
+    )
+  }
+
+  /**
+   * Method to invalidation the cloudfront distribution cache after a deployment
+   */
+  protected invalidateDistributionCache() {
+    if (this.props.siteCacheInvalidationDockerFilePath) {
+      this.cloudFrontManager.invalidateCache(
+        `${this.id}-cache-invalidation`,
+        this,
+        this.props.siteCacheInvalidationDockerFilePath,
+        this.siteDistribution.distributionId
+      )
+    }
+  }
+}

package/src/lib/aws/construct/site-with-lambda-backend/types.ts

@@ -0,0 +1,64 @@
+import {
+  CachePolicyProps,
+  OriginRequestPolicyProps,
+  ResponseHeadersPolicyProps,
+  ResponseHeadersStrictTransportSecurity,
+  ResponseSecurityHeadersBehavior,
+} from 'aws-cdk-lib/aws-cloudfront'
+import { CommonStackProps } from '../../common'
+import {
+  AcmProps,
+  CloudfrontFunctionProps,
+  DistributionProps,
+  LambdaProps,
+  LogProps,
+  S3BucketProps,
+} from '../../services'
+import { SiteWithLambdaBackendResponseHeaderPolicyType } from './constants'
+
+/**
+ */
+export interface SiteWithLambdaBackendProps extends CommonStackProps {
+  logLevel: string
+  nodeEnv: string
+  siteCacheInvalidationDockerFilePath?: string
+  siteCertificate: AcmProps
+  siteCloudfrontFunctionProps?: CloudfrontFunctionProps
+  siteDistribution: DistributionProps
+  siteExecWrapperPath: string
+  siteFunctionFilePath?: string
+  siteHealthEndpoint: string
+  siteLambda: LambdaProps
+  siteLog: LogProps
+  siteLogBucket: S3BucketProps
+  sitePort: string
+  siteCachePolicy?: SiteWithLambdaBackendCachePolicyProps
+  siteOriginRequestPolicy: OriginRequestPolicyProps
+  siteOriginResponseHeadersPolicy: SiteWithLambdaBackendResponseHeadersPolicyProps
+  siteRecordName?: string
+  siteRegionalCertificate: AcmProps
+  siteSubDomain: string
+  timezone: string
+  useExistingHostedZone: boolean
+  useExistingVpc: boolean
+}
+
+export interface SiteWithLambdaBackendResponseHeadersStrictTransportSecurity
+  extends ResponseHeadersStrictTransportSecurity {
+  accessControlMaxAgeInSeconds: number
+}
+
+export interface SiteWithLambdaBackendSecurityHeadersBehavior extends ResponseSecurityHeadersBehavior {
+  strictTransportSecurity: SiteWithLambdaBackendResponseHeadersStrictTransportSecurity
+}
+
+export interface SiteWithLambdaBackendResponseHeadersPolicyProps extends ResponseHeadersPolicyProps {
+  securityHeadersBehavior: SiteWithLambdaBackendSecurityHeadersBehavior
+  type: SiteWithLambdaBackendResponseHeaderPolicyType
+}
+
+export interface SiteWithLambdaBackendCachePolicyProps extends CachePolicyProps {
+  defaultTtlInSeconds: number
+  minTtlInSeconds: number
+  maxTtlInSeconds: number
+}