@gradientedge/cdk-utils 8.97.0 → 8.99.0

package/dist/src/lib/construct/site-with-ecs-backend/constants.d.ts

@@ -0,0 +1,4 @@
+export declare enum SiteResponseHeaderPolicyType {
+    ORIGIN = "origin",
+    STATIC = "static"
+}

package/dist/src/lib/construct/site-with-ecs-backend/constants.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SiteResponseHeaderPolicyType = void 0;
+var SiteResponseHeaderPolicyType;
+(function (SiteResponseHeaderPolicyType) {
+    SiteResponseHeaderPolicyType["ORIGIN"] = "origin";
+    SiteResponseHeaderPolicyType["STATIC"] = "static";
+})(SiteResponseHeaderPolicyType || (exports.SiteResponseHeaderPolicyType = SiteResponseHeaderPolicyType = {}));

package/dist/src/lib/construct/site-with-ecs-backend/index.d.ts

@@ -1,2 +1,3 @@
+export * from './constants';
 export * from './main';
 export * from './types';

package/dist/src/lib/construct/site-with-ecs-backend/index.js

@@ -14,5 +14,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./constants"), exports);
 __exportStar(require("./main"), exports);
 __exportStar(require("./types"), exports);

package/dist/src/lib/construct/site-with-ecs-backend/main.d.ts

@@ -1,3 +1,4 @@
+import * as cdk from 'aws-cdk-lib';
 import * as certificateManager from 'aws-cdk-lib/aws-certificatemanager';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
@@ -11,7 +12,7 @@ import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as efs from 'aws-cdk-lib/aws-efs';
 import { Construct } from 'constructs';
 import { CommonConstruct } from '../../common';
-import { SiteWithEcsBackendProps } from './types';
+import { SiteWithEcsBackendProps, SiteResponseHeadersPolicyProps } from './types';
 /**
  * @classdesc Provides a construct to create and deploy a site hosted with an clustered ECS/ELB backend
  * @example
@@ -58,6 +59,8 @@ export declare class SiteWithEcsBackend extends CommonConstruct {
     siteDomainNames: string[];
     siteCloudfrontFunction: cloudfront.Function;
     siteFunctionAssociations: cloudfront.FunctionAssociation[];
+    siteOriginRequestPolicy: cloudfront.OriginRequestPolicy;
+    siteOriginResponseHeadersPolicy?: cloudfront.ResponseHeadersPolicy;
     constructor(parent: Construct, id: string, props: SiteWithEcsBackendProps);
     /**
      * @summary Initialise and provision resources
@@ -122,6 +125,9 @@ export declare class SiteWithEcsBackend extends CommonConstruct {
      * Method to create log bucket for site distribution
      */
     protected createSiteLogBucket(): void;
+    protected createSiteOriginRequestPolicy(): void;
+    protected createResponseHeaderPolicy(props: SiteResponseHeadersPolicyProps): cdk.aws_cloudfront.ResponseHeadersPolicy | undefined;
+    protected createSiteOriginResponseHeadersPolicy(): void;
     protected createSiteOrigin(): void;
     /**
      * @summary Method to create a site cloudfront function

package/dist/src/lib/construct/site-with-ecs-backend/main.js

@@ -24,6 +24,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SiteWithEcsBackend = void 0;
+const _ = __importStar(require("lodash"));
 const cdk = __importStar(require("aws-cdk-lib"));
 const cloudfront = __importStar(require("aws-cdk-lib/aws-cloudfront"));
 const origins = __importStar(require("aws-cdk-lib/aws-cloudfront-origins"));
@@ -77,6 +78,8 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
     siteDomainNames;
     siteCloudfrontFunction;
     siteFunctionAssociations;
+    siteOriginRequestPolicy;
+    siteOriginResponseHeadersPolicy;
     constructor(parent, id, props) {
         super(parent, id, props);
         this.props = props;
@@ -100,6 +103,8 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
         this.createEcsBuildArgs();
         this.createEcsContainerImage();
         this.createEcsService();
+        this.createSiteOriginRequestPolicy();
+        this.createSiteOriginResponseHeadersPolicy();
         this.createSiteOrigin();
         this.createSiteCloudfrontFunction();
         this.resolveSiteFunctionAssociations();
@@ -340,9 +345,47 @@ class SiteWithEcsBackend extends common_1.CommonConstruct {
     createSiteLogBucket() {
         this.siteLogBucket = this.s3Manager.createS3Bucket(`${this.id}-site-logs`, this, this.props.siteLogBucket);
     }
+    createSiteOriginRequestPolicy() {
+        if (!this.props.siteOriginRequestPolicy)
+            return;
+        this.siteOriginRequestPolicy = new cloudfront.OriginRequestPolicy(this, `${this.id}-sorp`, {
+            comment: `Request Policy for ${this.id}-distribution - ${this.props.stage} stage`,
+            cookieBehavior: this.props.siteOriginRequestPolicy.cookieBehavior,
+            headerBehavior: this.props.siteOriginRequestPolicy.headerBehavior,
+            originRequestPolicyName: `${this.id}-origin-request`,
+            queryStringBehavior: this.props.siteOriginRequestPolicy.queryStringBehavior,
+        });
+        _.assign(this.props.siteDistribution.defaultBehavior, {
+            originRequestPolicy: this.siteOriginRequestPolicy,
+        });
+    }
+    createResponseHeaderPolicy(props) {
+        if (!props)
+            return undefined;
+        return new cloudfront.ResponseHeadersPolicy(this, `${this.id}-${props.type}-srhp`, {
+            ...props,
+            comment: `Response Header Policy for ${props.type} for ${this.id}-distribution - ${this.props.stage} stage`,
+            responseHeadersPolicyName: `${this.id}-${props.type}-response`,
+            securityHeadersBehavior: {
+                strictTransportSecurity: {
+                    ...props.securityHeadersBehavior?.strictTransportSecurity,
+                    accessControlMaxAge: cdk.Duration.seconds(props.securityHeadersBehavior?.strictTransportSecurity?.accessControlMaxAgeInSeconds),
+                },
+            },
+        });
+    }
+    createSiteOriginResponseHeadersPolicy() {
+        if (!this.props.siteOriginResponseHeadersPolicy)
+            return;
+        this.siteOriginResponseHeadersPolicy = this.createResponseHeaderPolicy(this.props.siteOriginResponseHeadersPolicy);
+        _.assign(this.props.siteDistribution.defaultBehavior, {
+            responseHeadersPolicy: this.siteOriginResponseHeadersPolicy,
+        });
+    }
     createSiteOrigin() {
         this.siteOrigin = new origins.HttpOrigin(this.siteInternalDomainName, {
             httpPort: this.props.siteTask.listenerPort,
+            originId: `${this.id}-server`,
             protocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
         });
     }

package/dist/src/lib/construct/site-with-ecs-backend/types.d.ts

@@ -1,6 +1,8 @@
 import { CommonStackProps } from '../../common';
 import { AcmProps, CloudfrontFunctionProps, DistributionProps, EcsApplicationLoadBalancedFargateServiceProps, EcsClusterProps, EfsAccessPointOptions, EfsFileSystemProps, HealthCheck, LogProps, S3BucketProps } from '../../services';
 import { VpcProps } from 'aws-cdk-lib/aws-ec2';
+import { OriginRequestPolicyProps, ResponseHeadersStrictTransportSecurity, ResponseSecurityHeadersBehavior, ResponseHeadersPolicyProps } from 'aws-cdk-lib/aws-cloudfront';
+import { SiteResponseHeaderPolicyType } from './constants';
 /**
  */
 export interface SiteWithEcsBackendProps extends CommonStackProps {
@@ -18,6 +20,8 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
     siteHealthCheck: HealthCheck;
     siteLog: LogProps;
     siteLogBucket: S3BucketProps;
+    siteOriginRequestPolicy: OriginRequestPolicyProps;
+    siteOriginResponseHeadersPolicy: SiteResponseHeadersPolicyProps;
     siteRecordName?: string;
     siteRegionalCertificate: AcmProps;
     siteSubDomain: string;
@@ -27,3 +31,13 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
     useExistingHostedZone: boolean;
     useExistingVpc: boolean;
 }
+export interface SiteResponseHeadersStrictTransportSecurity extends ResponseHeadersStrictTransportSecurity {
+    accessControlMaxAgeInSeconds: number;
+}
+export interface SiteSecurityHeadersBehavior extends ResponseSecurityHeadersBehavior {
+    strictTransportSecurity: SiteResponseHeadersStrictTransportSecurity;
+}
+export interface SiteResponseHeadersPolicyProps extends ResponseHeadersPolicyProps {
+    securityHeadersBehavior: SiteSecurityHeadersBehavior;
+    type: SiteResponseHeaderPolicyType;
+}

package/dist/src/lib/services/aws/secrets-manager/main.d.ts

@@ -1,5 +1,3 @@
-import { SecretsManager as SM } from '@aws-sdk/client-secrets-manager';
-import * as cdk from 'aws-cdk-lib';
 import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager';
 import { CommonConstruct } from '../../../common';
 /**
@@ -19,30 +17,18 @@ import { CommonConstruct } from '../../../common';
  * @see [CDK Secrets Manager Module]{@link https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager-readme.html}
  */
 export declare class SecretsManager {
-    /**
-     *
-     * @param region
-     */
-    getAwsSecretsManager(region: string): SM;
-    /**
-     * @summary Method to load a secret from secrets manager
-     * @param secretName
-     * @param region
-     */
-    loadSecret(secretName: string, region: string): Promise<any>;
-    /**
-     * @summary Method to retrieve a secret from secrets manager with a cloudformation export
-     * @param id
-     * @param scope
-     * @param stackName
-     * @param exportName
-     */
-    retrieveSecretFromSecretsManager(id: string, scope: CommonConstruct, stackName: string, exportName: string): cdk.aws_secretsmanager.ISecret;
     /**
      * @summary Method to create a secret
      * @param id scoped id of the resource
      * @param scope scope in which this resource is defined
      * @param props the secret properties
      */
-    createSecret(id: string, scope: CommonConstruct, props: secretsManager.SecretProps): cdk.aws_secretsmanager.Secret;
+    createSecret(id: string, scope: CommonConstruct, props: secretsManager.SecretProps): secretsManager.Secret;
+    /**
+     * @summary Method to resolve secret value from a secret using AWS SDK
+     * @param scope scope in which this resource is defined
+     * @param secretId the secret name/ARN
+     * @param secretKey the secret key to resolve the value for
+     */
+    resolveSecretValue(scope: CommonConstruct, secretId: string, secretKey: string): Promise<any>;
 }

package/dist/src/lib/services/aws/secrets-manager/main.js

@@ -25,7 +25,6 @@ var __importStar = (this && this.__importStar) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SecretsManager = void 0;
 const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
-const cdk = __importStar(require("aws-cdk-lib"));
 const secretsManager = __importStar(require("aws-cdk-lib/aws-secretsmanager"));
 const utils = __importStar(require("../../../utils"));
 /**
@@ -45,33 +44,6 @@ const utils = __importStar(require("../../../utils"));
  * @see [CDK Secrets Manager Module]{@link https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager-readme.html}
  */
 class SecretsManager {
-    /**
-     *
-     * @param region
-     */
-    getAwsSecretsManager(region) {
-        return new client_secrets_manager_1.SecretsManager({ region: region });
-    }
-    /**
-     * @summary Method to load a secret from secrets manager
-     * @param secretName
-     * @param region
-     */
-    async loadSecret(secretName, region) {
-        const secretsManager = this.getAwsSecretsManager(region);
-        const secret = await Promise.all([secretsManager.getSecretValue({ SecretId: secretName })]);
-        return secret ? JSON.parse(secret[0].SecretString) : {};
-    }
-    /**
-     * @summary Method to retrieve a secret from secrets manager with a cloudformation export
-     * @param id
-     * @param scope
-     * @param stackName
-     * @param exportName
-     */
-    retrieveSecretFromSecretsManager(id, scope, stackName, exportName) {
-        return secretsManager.Secret.fromSecretNameV2(scope, `${id}`, cdk.Fn.importValue(`${stackName}-${scope.props.stage}-${exportName}`));
-    }
     /**
      * @summary Method to create a secret
      * @param id scoped id of the resource
@@ -87,5 +59,25 @@ class SecretsManager {
         utils.createCfnOutput(`${id}-secretArn`, scope, secret.secretArn);
         return secret;
     }
+    /**
+     * @summary Method to resolve secret value from a secret using AWS SDK
+     * @param scope scope in which this resource is defined
+     * @param secretId the secret name/ARN
+     * @param secretKey the secret key to resolve the value for
+     */
+    async resolveSecretValue(scope, secretId, secretKey) {
+        const client = new client_secrets_manager_1.SecretsManagerClient({
+            credentials: utils.determineCredentials(),
+            region: scope.props.region,
+        });
+        const command = new client_secrets_manager_1.GetSecretValueCommand({
+            SecretId: secretId,
+        });
+        const response = await client.send(command);
+        if (!response.SecretString)
+            throw `Unable to resolve secret for ${secretId}`;
+        const secretString = JSON.parse(response.SecretString);
+        return secretString[secretKey];
+    }
 }
 exports.SecretsManager = SecretsManager;

package/dist/src/lib/utils/aws/index.d.ts

@@ -1,5 +1,6 @@
 import * as cdk from 'aws-cdk-lib';
 import { CommonConstruct } from '../../common';
+import { AwsCredentialIdentityProvider } from '@aws-sdk/types';
 /**
  * @summary Helper method to add CloudFormation outputs from the construct
  * @param id scoped id of the resource
@@ -10,3 +11,4 @@ import { CommonConstruct } from '../../common';
  * @returns The CloudFormation output
  */
 export declare function createCfnOutput(id: string, scope: CommonConstruct, value?: string, description?: string, overrideId?: boolean): cdk.CfnOutput;
+export declare function determineCredentials(): AwsCredentialIdentityProvider;

package/dist/src/lib/utils/aws/index.js

@@ -23,9 +23,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createCfnOutput = void 0;
+exports.determineCredentials = exports.createCfnOutput = void 0;
 const cdk = __importStar(require("aws-cdk-lib"));
 const _ = __importStar(require("lodash"));
+const credential_providers_1 = require("@aws-sdk/credential-providers");
 /**
  * @summary Helper method to add CloudFormation outputs from the construct
  * @param id scoped id of the resource
@@ -48,3 +49,9 @@ function createCfnOutput(id, scope, value, description, overrideId = true) {
     return output;
 }
 exports.createCfnOutput = createCfnOutput;
+function determineCredentials() {
+    if (process.env.AWS_PROFILE)
+        return (0, credential_providers_1.fromIni)();
+    return (0, credential_providers_1.fromEnv)();
+}
+exports.determineCredentials = determineCredentials;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "8.97.0",
+  "version": "8.99.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {
@@ -30,10 +30,10 @@
     "build:production": "rimraf dist/ && npx tsc -p tsconfig.prd.json && pnpm -r build",
     "ci": "pnpm install --frozen-lockfile && pnpm build && pnpm validate && pnpm run docs",
     "cz": "npx cz",
-    "override:plugin:docs": "cp theme/type-converter.js node_modules/better-docs/typescript",
     "docs": "npx rimraf api-docs && pnpm override:plugin:docs  && npx jsdoc --pedantic -c jsdoc.json .",
-    "lint": "pnpm prettify && eslint **/*.ts --cache --max-warnings=0",
     "fix": "pnpm prettify && eslint --fix **/*.ts",
+    "lint": "pnpm prettify && eslint **/*.ts --cache --max-warnings=0",
+    "override:plugin:docs": "cp theme/type-converter.js node_modules/better-docs/typescript",
     "prettier": "npx prettier --cache --check \"**/*.{ts,json,md}\"",
     "prettify": "npx prettier --cache --write \"**/*.{ts,json,md}\"",
     "test": "npx rimraf coverage && npx jest --ci --maxWorkers=100%",
@@ -46,13 +46,15 @@
     }
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.354.0",
+    "@aws-sdk/client-secrets-manager": "^3.357.0",
+    "@aws-sdk/credential-providers": "^3.357.0",
+    "@aws-sdk/types": "^3.357.0",
     "@types/lodash": "^4.14.195",
     "@types/node": "^20.3.1",
     "@types/uuid": "^9.0.2",
     "app-root-path": "^3.1.0",
-    "aws-cdk-lib": "^2.84.0",
-    "constructs": "^10.2.54",
+    "aws-cdk-lib": "^2.85.0",
+    "constructs": "^10.2.56",
     "lodash": "^4.17.21",
     "moment": "^2.29.4",
     "nconf": "^0.12.0",
@@ -65,9 +67,9 @@
     "@babel/eslint-parser": "^7.22.5",
     "@babel/plugin-proposal-class-properties": "^7.18.6",
     "@types/jest": "^29.5.2",
-    "@typescript-eslint/eslint-plugin": "^5.59.11",
-    "@typescript-eslint/parser": "^5.59.11",
-    "aws-cdk": "^2.84.0",
+    "@typescript-eslint/eslint-plugin": "^5.60.0",
+    "@typescript-eslint/parser": "^5.60.0",
+    "aws-cdk": "^2.85.0",
     "better-docs": "^2.7.2",
     "codecov": "^3.8.3",
     "commitizen": "^4.3.0",
@@ -84,8 +86,8 @@
     "jsdoc": "^4.0.2",
     "jsdoc-babel": "^0.5.0",
     "jsdoc-mermaid": "^1.0.0",
-    "jsdoc-to-markdown": "^8.0.0",
     "jsdoc-plugin-typescript": "^2.2.1",
+    "jsdoc-to-markdown": "^8.0.0",
     "prettier": "^2.8.8",
     "prettier-plugin-organize-imports": "^3.2.2",
     "rimraf": "^5.0.1",

package/src/lib/construct/site-with-ecs-backend/constants.ts

@@ -0,0 +1,4 @@
+export enum SiteResponseHeaderPolicyType {
+  ORIGIN = 'origin',
+  STATIC = 'static',
+}

package/src/lib/construct/site-with-ecs-backend/index.ts

@@ -1,2 +1,3 @@
+export * from './constants'
 export * from './main'
 export * from './types'

package/src/lib/construct/site-with-ecs-backend/main.ts

@@ -1,3 +1,4 @@
+import * as _ from 'lodash'
 import * as cdk from 'aws-cdk-lib'
 import * as certificateManager from 'aws-cdk-lib/aws-certificatemanager'
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront'
@@ -13,7 +14,7 @@ import * as s3 from 'aws-cdk-lib/aws-s3'
 import * as efs from 'aws-cdk-lib/aws-efs'
 import { Construct } from 'constructs'
 import { CommonConstruct } from '../../common'
-import { SiteWithEcsBackendProps } from './types'
+import { SiteWithEcsBackendProps, SiteResponseHeadersPolicyProps } from './types'
 
 /**
  * @classdesc Provides a construct to create and deploy a site hosted with an clustered ECS/ELB backend
@@ -62,6 +63,8 @@ export class SiteWithEcsBackend extends CommonConstruct {
   siteDomainNames: string[]
   siteCloudfrontFunction: cloudfront.Function
   siteFunctionAssociations: cloudfront.FunctionAssociation[]
+  siteOriginRequestPolicy: cloudfront.OriginRequestPolicy
+  siteOriginResponseHeadersPolicy?: cloudfront.ResponseHeadersPolicy
 
   constructor(parent: Construct, id: string, props: SiteWithEcsBackendProps) {
     super(parent, id, props)
@@ -88,6 +91,8 @@ export class SiteWithEcsBackend extends CommonConstruct {
     this.createEcsBuildArgs()
     this.createEcsContainerImage()
     this.createEcsService()
+    this.createSiteOriginRequestPolicy()
+    this.createSiteOriginResponseHeadersPolicy()
     this.createSiteOrigin()
     this.createSiteCloudfrontFunction()
     this.resolveSiteFunctionAssociations()
@@ -402,9 +407,50 @@ export class SiteWithEcsBackend extends CommonConstruct {
     this.siteLogBucket = this.s3Manager.createS3Bucket(`${this.id}-site-logs`, this, this.props.siteLogBucket)
   }
 
+  protected createSiteOriginRequestPolicy() {
+    if (!this.props.siteOriginRequestPolicy) return
+    this.siteOriginRequestPolicy = new cloudfront.OriginRequestPolicy(this, `${this.id}-sorp`, {
+      comment: `Request Policy for ${this.id}-distribution - ${this.props.stage} stage`,
+      cookieBehavior: this.props.siteOriginRequestPolicy.cookieBehavior,
+      headerBehavior: this.props.siteOriginRequestPolicy.headerBehavior,
+      originRequestPolicyName: `${this.id}-origin-request`,
+      queryStringBehavior: this.props.siteOriginRequestPolicy.queryStringBehavior,
+    })
+
+    _.assign(this.props.siteDistribution.defaultBehavior, {
+      originRequestPolicy: this.siteOriginRequestPolicy,
+    })
+  }
+
+  protected createResponseHeaderPolicy(props: SiteResponseHeadersPolicyProps) {
+    if (!props) return undefined
+    return new cloudfront.ResponseHeadersPolicy(this, `${this.id}-${props.type}-srhp`, {
+      ...props,
+      comment: `Response Header Policy for ${props.type} for ${this.id}-distribution - ${this.props.stage} stage`,
+      responseHeadersPolicyName: `${this.id}-${props.type}-response`,
+      securityHeadersBehavior: {
+        strictTransportSecurity: {
+          ...props.securityHeadersBehavior?.strictTransportSecurity,
+          accessControlMaxAge: cdk.Duration.seconds(
+            props.securityHeadersBehavior?.strictTransportSecurity?.accessControlMaxAgeInSeconds
+          ),
+        },
+      },
+    })
+  }
+
+  protected createSiteOriginResponseHeadersPolicy() {
+    if (!this.props.siteOriginResponseHeadersPolicy) return
+    this.siteOriginResponseHeadersPolicy = this.createResponseHeaderPolicy(this.props.siteOriginResponseHeadersPolicy)
+    _.assign(this.props.siteDistribution.defaultBehavior, {
+      responseHeadersPolicy: this.siteOriginResponseHeadersPolicy,
+    })
+  }
+
   protected createSiteOrigin() {
     this.siteOrigin = new origins.HttpOrigin(this.siteInternalDomainName, {
       httpPort: this.props.siteTask.listenerPort,
+      originId: `${this.id}-server`,
       protocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
     })
   }

package/src/lib/construct/site-with-ecs-backend/types.ts

@@ -12,6 +12,13 @@ import {
   S3BucketProps,
 } from '../../services'
 import { VpcProps } from 'aws-cdk-lib/aws-ec2'
+import {
+  OriginRequestPolicyProps,
+  ResponseHeadersStrictTransportSecurity,
+  ResponseSecurityHeadersBehavior,
+  ResponseHeadersPolicyProps,
+} from 'aws-cdk-lib/aws-cloudfront'
+import { SiteResponseHeaderPolicyType } from './constants'
 
 /**
  */
@@ -30,6 +37,8 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
   siteHealthCheck: HealthCheck
   siteLog: LogProps
   siteLogBucket: S3BucketProps
+  siteOriginRequestPolicy: OriginRequestPolicyProps
+  siteOriginResponseHeadersPolicy: SiteResponseHeadersPolicyProps
   siteRecordName?: string
   siteRegionalCertificate: AcmProps
   siteSubDomain: string
@@ -39,3 +48,16 @@ export interface SiteWithEcsBackendProps extends CommonStackProps {
   useExistingHostedZone: boolean
   useExistingVpc: boolean
 }
+
+export interface SiteResponseHeadersStrictTransportSecurity extends ResponseHeadersStrictTransportSecurity {
+  accessControlMaxAgeInSeconds: number
+}
+
+export interface SiteSecurityHeadersBehavior extends ResponseSecurityHeadersBehavior {
+  strictTransportSecurity: SiteResponseHeadersStrictTransportSecurity
+}
+
+export interface SiteResponseHeadersPolicyProps extends ResponseHeadersPolicyProps {
+  securityHeadersBehavior: SiteSecurityHeadersBehavior
+  type: SiteResponseHeaderPolicyType
+}

package/src/lib/services/aws/secrets-manager/main.ts

@@ -1,5 +1,4 @@
-import { SecretsManager as SM } from '@aws-sdk/client-secrets-manager'
-import * as cdk from 'aws-cdk-lib'
+import { GetSecretValueCommand, SecretsManagerClient } from '@aws-sdk/client-secrets-manager'
 import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'
 import * as utils from '../../../utils'
 import { CommonConstruct } from '../../../common'
@@ -21,40 +20,6 @@ import { CommonConstruct } from '../../../common'
  * @see [CDK Secrets Manager Module]{@link https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager-readme.html}
  */
 export class SecretsManager {
-  /**
-   *
-   * @param region
-   */
-  public getAwsSecretsManager(region: string) {
-    return new SM({ region: region })
-  }
-
-  /**
-   * @summary Method to load a secret from secrets manager
-   * @param secretName
-   * @param region
-   */
-  public async loadSecret(secretName: string, region: string) {
-    const secretsManager = this.getAwsSecretsManager(region)
-    const secret: any = await Promise.all([secretsManager.getSecretValue({ SecretId: secretName })])
-    return secret ? JSON.parse(secret[0].SecretString) : {}
-  }
-
-  /**
-   * @summary Method to retrieve a secret from secrets manager with a cloudformation export
-   * @param id
-   * @param scope
-   * @param stackName
-   * @param exportName
-   */
-  public retrieveSecretFromSecretsManager(id: string, scope: CommonConstruct, stackName: string, exportName: string) {
-    return secretsManager.Secret.fromSecretNameV2(
-      scope,
-      `${id}`,
-      cdk.Fn.importValue(`${stackName}-${scope.props.stage}-${exportName}`)
-    )
-  }
-
   /**
    * @summary Method to create a secret
    * @param id scoped id of the resource
@@ -72,4 +37,25 @@ export class SecretsManager {
 
     return secret
   }
+
+  /**
+   * @summary Method to resolve secret value from a secret using AWS SDK
+   * @param scope scope in which this resource is defined
+   * @param secretId the secret name/ARN
+   * @param secretKey the secret key to resolve the value for
+   */
+  public async resolveSecretValue(scope: CommonConstruct, secretId: string, secretKey: string) {
+    const client = new SecretsManagerClient({
+      credentials: utils.determineCredentials(),
+      region: scope.props.region,
+    })
+    const command = new GetSecretValueCommand({
+      SecretId: secretId,
+    })
+    const response = await client.send(command)
+    if (!response.SecretString) throw `Unable to resolve secret for ${secretId}`
+    const secretString = JSON.parse(response.SecretString)
+
+    return secretString[secretKey]
+  }
 }

package/src/lib/utils/aws/index.ts

@@ -1,6 +1,8 @@
 import * as cdk from 'aws-cdk-lib'
 import * as _ from 'lodash'
 import { CommonConstruct } from '../../common'
+import { fromEnv, fromIni } from '@aws-sdk/credential-providers'
+import { AwsCredentialIdentityProvider } from '@aws-sdk/types'
 
 /**
  * @summary Helper method to add CloudFormation outputs from the construct
@@ -29,3 +31,8 @@ export function createCfnOutput(
   }
   return output
 }
+
+export function determineCredentials(): AwsCredentialIdentityProvider {
+  if (process.env.AWS_PROFILE) return fromIni()
+  return fromEnv()
+}