@granite-js/pulumi-aws 0.1.19 → 0.1.21

package/dist/dist-es-SUPEA6VE-3B5JSW5C.js

@@ -0,0 +1,368 @@
+import {
+  loadConfig,
+  parseUrl
+} from "./chunk-X6XO7USX.js";
+import "./chunk-TJ744C2T.js";
+import "./chunk-XLUI7RQ4.js";
+import {
+  CredentialsProviderError,
+  ProviderError,
+  init_esm_shims
+} from "./chunk-JBVMOFGH.js";
+import "./chunk-JSBRDJBE.js";
+
+// ../deployment-manager/dist/dist-es-SUPEA6VE.js
+import { parse } from "url";
+import { Buffer } from "buffer";
+import { request } from "http";
+init_esm_shims();
+init_esm_shims();
+init_esm_shims();
+function httpRequest(options) {
+  return new Promise((resolve, reject) => {
+    const req = request({
+      method: "GET",
+      ...options,
+      hostname: options.hostname?.replace(/^\[(.+)\]$/, "$1")
+    });
+    req.on("error", (err) => {
+      reject(Object.assign(new ProviderError("Unable to connect to instance metadata service"), err));
+      req.destroy();
+    });
+    req.on("timeout", () => {
+      reject(new ProviderError("TimeoutError from instance metadata service"));
+      req.destroy();
+    });
+    req.on("response", (res) => {
+      const { statusCode = 400 } = res;
+      if (statusCode < 200 || 300 <= statusCode) {
+        reject(Object.assign(new ProviderError("Error response received from instance metadata service"), { statusCode }));
+        req.destroy();
+      }
+      const chunks = [];
+      res.on("data", (chunk) => {
+        chunks.push(chunk);
+      });
+      res.on("end", () => {
+        resolve(Buffer.concat(chunks));
+        req.destroy();
+      });
+    });
+    req.end();
+  });
+}
+init_esm_shims();
+var isImdsCredentials = (arg) => Boolean(arg) && typeof arg === "object" && typeof arg.AccessKeyId === "string" && typeof arg.SecretAccessKey === "string" && typeof arg.Token === "string" && typeof arg.Expiration === "string";
+var fromImdsCredentials = (creds) => ({
+  accessKeyId: creds.AccessKeyId,
+  secretAccessKey: creds.SecretAccessKey,
+  sessionToken: creds.Token,
+  expiration: new Date(creds.Expiration),
+  ...creds.AccountId && { accountId: creds.AccountId }
+});
+init_esm_shims();
+var DEFAULT_TIMEOUT = 1e3;
+var DEFAULT_MAX_RETRIES = 0;
+var providerConfigFromInit = ({ maxRetries = DEFAULT_MAX_RETRIES, timeout = DEFAULT_TIMEOUT }) => ({ maxRetries, timeout });
+init_esm_shims();
+var retry = (toRetry, maxRetries) => {
+  let promise = toRetry();
+  for (let i = 0; i < maxRetries; i++) {
+    promise = promise.catch(toRetry);
+  }
+  return promise;
+};
+var ENV_CMDS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
+var ENV_CMDS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+var ENV_CMDS_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
+var fromContainerMetadata = (init = {}) => {
+  const { timeout, maxRetries } = providerConfigFromInit(init);
+  return () => retry(async () => {
+    const requestOptions = await getCmdsUri({ logger: init.logger });
+    const credsResponse = JSON.parse(await requestFromEcsImds(timeout, requestOptions));
+    if (!isImdsCredentials(credsResponse)) {
+      throw new CredentialsProviderError("Invalid response received from instance metadata service.", {
+        logger: init.logger
+      });
+    }
+    return fromImdsCredentials(credsResponse);
+  }, maxRetries);
+};
+var requestFromEcsImds = async (timeout, options) => {
+  if (process.env[ENV_CMDS_AUTH_TOKEN]) {
+    options.headers = {
+      ...options.headers,
+      Authorization: process.env[ENV_CMDS_AUTH_TOKEN]
+    };
+  }
+  const buffer = await httpRequest({
+    ...options,
+    timeout
+  });
+  return buffer.toString();
+};
+var CMDS_IP = "169.254.170.2";
+var GREENGRASS_HOSTS = {
+  localhost: true,
+  "127.0.0.1": true
+};
+var GREENGRASS_PROTOCOLS = {
+  "http:": true,
+  "https:": true
+};
+var getCmdsUri = async ({ logger }) => {
+  if (process.env[ENV_CMDS_RELATIVE_URI]) {
+    return {
+      hostname: CMDS_IP,
+      path: process.env[ENV_CMDS_RELATIVE_URI]
+    };
+  }
+  if (process.env[ENV_CMDS_FULL_URI]) {
+    const parsed = parse(process.env[ENV_CMDS_FULL_URI]);
+    if (!parsed.hostname || !(parsed.hostname in GREENGRASS_HOSTS)) {
+      throw new CredentialsProviderError(`${parsed.hostname} is not a valid container metadata service hostname`, {
+        tryNextLink: false,
+        logger
+      });
+    }
+    if (!parsed.protocol || !(parsed.protocol in GREENGRASS_PROTOCOLS)) {
+      throw new CredentialsProviderError(`${parsed.protocol} is not a valid container metadata service protocol`, {
+        tryNextLink: false,
+        logger
+      });
+    }
+    return {
+      ...parsed,
+      port: parsed.port ? parseInt(parsed.port, 10) : void 0
+    };
+  }
+  throw new CredentialsProviderError(`The container metadata credential provider cannot be used unless the ${ENV_CMDS_RELATIVE_URI} or ${ENV_CMDS_FULL_URI} environment variable is set`, {
+    tryNextLink: false,
+    logger
+  });
+};
+init_esm_shims();
+init_esm_shims();
+var InstanceMetadataV1FallbackError = class _InstanceMetadataV1FallbackError extends CredentialsProviderError {
+  constructor(message, tryNextLink = true) {
+    super(message, tryNextLink);
+    this.tryNextLink = tryNextLink;
+    this.name = "InstanceMetadataV1FallbackError";
+    Object.setPrototypeOf(this, _InstanceMetadataV1FallbackError.prototype);
+  }
+};
+init_esm_shims();
+init_esm_shims();
+var Endpoint;
+(function(Endpoint2) {
+  Endpoint2["IPv4"] = "http://169.254.169.254";
+  Endpoint2["IPv6"] = "http://[fd00:ec2::254]";
+})(Endpoint || (Endpoint = {}));
+init_esm_shims();
+var ENV_ENDPOINT_NAME = "AWS_EC2_METADATA_SERVICE_ENDPOINT";
+var CONFIG_ENDPOINT_NAME = "ec2_metadata_service_endpoint";
+var ENDPOINT_CONFIG_OPTIONS = {
+  environmentVariableSelector: (env) => env[ENV_ENDPOINT_NAME],
+  configFileSelector: (profile) => profile[CONFIG_ENDPOINT_NAME],
+  default: void 0
+};
+init_esm_shims();
+var EndpointMode;
+(function(EndpointMode2) {
+  EndpointMode2["IPv4"] = "IPv4";
+  EndpointMode2["IPv6"] = "IPv6";
+})(EndpointMode || (EndpointMode = {}));
+init_esm_shims();
+var ENV_ENDPOINT_MODE_NAME = "AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE";
+var CONFIG_ENDPOINT_MODE_NAME = "ec2_metadata_service_endpoint_mode";
+var ENDPOINT_MODE_CONFIG_OPTIONS = {
+  environmentVariableSelector: (env) => env[ENV_ENDPOINT_MODE_NAME],
+  configFileSelector: (profile) => profile[CONFIG_ENDPOINT_MODE_NAME],
+  default: EndpointMode.IPv4
+};
+var getInstanceMetadataEndpoint = async () => parseUrl(await getFromEndpointConfig() || await getFromEndpointModeConfig());
+var getFromEndpointConfig = async () => loadConfig(ENDPOINT_CONFIG_OPTIONS)();
+var getFromEndpointModeConfig = async () => {
+  const endpointMode = await loadConfig(ENDPOINT_MODE_CONFIG_OPTIONS)();
+  switch (endpointMode) {
+    case EndpointMode.IPv4:
+      return Endpoint.IPv4;
+    case EndpointMode.IPv6:
+      return Endpoint.IPv6;
+    default:
+      throw new Error(`Unsupported endpoint mode: ${endpointMode}. Select from ${Object.values(EndpointMode)}`);
+  }
+};
+init_esm_shims();
+init_esm_shims();
+var STATIC_STABILITY_REFRESH_INTERVAL_SECONDS = 5 * 60;
+var STATIC_STABILITY_REFRESH_INTERVAL_JITTER_WINDOW_SECONDS = 5 * 60;
+var STATIC_STABILITY_DOC_URL = "https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html";
+var getExtendedInstanceMetadataCredentials = (credentials, logger) => {
+  const refreshInterval = STATIC_STABILITY_REFRESH_INTERVAL_SECONDS + Math.floor(Math.random() * STATIC_STABILITY_REFRESH_INTERVAL_JITTER_WINDOW_SECONDS);
+  const newExpiration = new Date(Date.now() + refreshInterval * 1e3);
+  logger.warn(`Attempting credential expiration extension due to a credential service availability issue. A refresh of these credentials will be attempted after ${new Date(newExpiration)}.
+For more information, please visit: ` + STATIC_STABILITY_DOC_URL);
+  const originalExpiration = credentials.originalExpiration ?? credentials.expiration;
+  return {
+    ...credentials,
+    ...originalExpiration ? { originalExpiration } : {},
+    expiration: newExpiration
+  };
+};
+var staticStabilityProvider = (provider, options = {}) => {
+  const logger = options?.logger || console;
+  let pastCredentials;
+  return async () => {
+    let credentials;
+    try {
+      credentials = await provider();
+      if (credentials.expiration && credentials.expiration.getTime() < Date.now()) {
+        credentials = getExtendedInstanceMetadataCredentials(credentials, logger);
+      }
+    } catch (e) {
+      if (pastCredentials) {
+        logger.warn("Credential renew failed: ", e);
+        credentials = getExtendedInstanceMetadataCredentials(pastCredentials, logger);
+      } else {
+        throw e;
+      }
+    }
+    pastCredentials = credentials;
+    return credentials;
+  };
+};
+var IMDS_PATH = "/latest/meta-data/iam/security-credentials/";
+var IMDS_TOKEN_PATH = "/latest/api/token";
+var AWS_EC2_METADATA_V1_DISABLED = "AWS_EC2_METADATA_V1_DISABLED";
+var PROFILE_AWS_EC2_METADATA_V1_DISABLED = "ec2_metadata_v1_disabled";
+var X_AWS_EC2_METADATA_TOKEN = "x-aws-ec2-metadata-token";
+var fromInstanceMetadata = (init = {}) => staticStabilityProvider(getInstanceMetadataProvider(init), { logger: init.logger });
+var getInstanceMetadataProvider = (init = {}) => {
+  let disableFetchToken = false;
+  const { logger, profile } = init;
+  const { timeout, maxRetries } = providerConfigFromInit(init);
+  const getCredentials = async (maxRetries2, options) => {
+    const isImdsV1Fallback = disableFetchToken || options.headers?.[X_AWS_EC2_METADATA_TOKEN] == null;
+    if (isImdsV1Fallback) {
+      let fallbackBlockedFromProfile = false;
+      let fallbackBlockedFromProcessEnv = false;
+      const configValue = await loadConfig({
+        environmentVariableSelector: (env) => {
+          const envValue = env[AWS_EC2_METADATA_V1_DISABLED];
+          fallbackBlockedFromProcessEnv = !!envValue && envValue !== "false";
+          if (envValue === void 0) {
+            throw new CredentialsProviderError(`${AWS_EC2_METADATA_V1_DISABLED} not set in env, checking config file next.`, { logger: init.logger });
+          }
+          return fallbackBlockedFromProcessEnv;
+        },
+        configFileSelector: (profile2) => {
+          const profileValue = profile2[PROFILE_AWS_EC2_METADATA_V1_DISABLED];
+          fallbackBlockedFromProfile = !!profileValue && profileValue !== "false";
+          return fallbackBlockedFromProfile;
+        },
+        default: false
+      }, {
+        profile
+      })();
+      if (init.ec2MetadataV1Disabled || configValue) {
+        const causes = [];
+        if (init.ec2MetadataV1Disabled)
+          causes.push("credential provider initialization (runtime option ec2MetadataV1Disabled)");
+        if (fallbackBlockedFromProfile)
+          causes.push(`config file profile (${PROFILE_AWS_EC2_METADATA_V1_DISABLED})`);
+        if (fallbackBlockedFromProcessEnv)
+          causes.push(`process environment variable (${AWS_EC2_METADATA_V1_DISABLED})`);
+        throw new InstanceMetadataV1FallbackError(`AWS EC2 Metadata v1 fallback has been blocked by AWS SDK configuration in the following: [${causes.join(", ")}].`);
+      }
+    }
+    const imdsProfile = (await retry(async () => {
+      let profile2;
+      try {
+        profile2 = await getProfile(options);
+      } catch (err) {
+        if (err.statusCode === 401) {
+          disableFetchToken = false;
+        }
+        throw err;
+      }
+      return profile2;
+    }, maxRetries2)).trim();
+    return retry(async () => {
+      let creds;
+      try {
+        creds = await getCredentialsFromProfile(imdsProfile, options, init);
+      } catch (err) {
+        if (err.statusCode === 401) {
+          disableFetchToken = false;
+        }
+        throw err;
+      }
+      return creds;
+    }, maxRetries2);
+  };
+  return async () => {
+    const endpoint = await getInstanceMetadataEndpoint();
+    if (disableFetchToken) {
+      logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (no token fetch)");
+      return getCredentials(maxRetries, { ...endpoint, timeout });
+    } else {
+      let token;
+      try {
+        token = (await getMetadataToken({ ...endpoint, timeout })).toString();
+      } catch (error) {
+        if (error?.statusCode === 400) {
+          throw Object.assign(error, {
+            message: "EC2 Metadata token request returned error"
+          });
+        } else if (error.message === "TimeoutError" || [403, 404, 405].includes(error.statusCode)) {
+          disableFetchToken = true;
+        }
+        logger?.debug("AWS SDK Instance Metadata", "using v1 fallback (initial)");
+        return getCredentials(maxRetries, { ...endpoint, timeout });
+      }
+      return getCredentials(maxRetries, {
+        ...endpoint,
+        headers: {
+          [X_AWS_EC2_METADATA_TOKEN]: token
+        },
+        timeout
+      });
+    }
+  };
+};
+var getMetadataToken = async (options) => httpRequest({
+  ...options,
+  path: IMDS_TOKEN_PATH,
+  method: "PUT",
+  headers: {
+    "x-aws-ec2-metadata-token-ttl-seconds": "21600"
+  }
+});
+var getProfile = async (options) => (await httpRequest({ ...options, path: IMDS_PATH })).toString();
+var getCredentialsFromProfile = async (profile, options, init) => {
+  const credentialsResponse = JSON.parse((await httpRequest({
+    ...options,
+    path: IMDS_PATH + profile
+  })).toString());
+  if (!isImdsCredentials(credentialsResponse)) {
+    throw new CredentialsProviderError("Invalid response received from instance metadata service.", {
+      logger: init.logger
+    });
+  }
+  return fromImdsCredentials(credentialsResponse);
+};
+init_esm_shims();
+export {
+  DEFAULT_MAX_RETRIES,
+  DEFAULT_TIMEOUT,
+  ENV_CMDS_AUTH_TOKEN,
+  ENV_CMDS_FULL_URI,
+  ENV_CMDS_RELATIVE_URI,
+  Endpoint,
+  fromContainerMetadata,
+  fromInstanceMetadata,
+  getInstanceMetadataEndpoint,
+  httpRequest,
+  providerConfigFromInit
+};

package/dist/dist-es-WQHDOVD7.js

@@ -0,0 +1,21 @@
+import {
+  ENV_ACCOUNT_ID,
+  ENV_CREDENTIAL_SCOPE,
+  ENV_EXPIRATION,
+  ENV_KEY,
+  ENV_SECRET,
+  ENV_SESSION,
+  fromEnv
+} from "./chunk-B7OAPHPY.js";
+import "./chunk-ITI6QA2Q.js";
+import "./chunk-W3VXP3A3.js";
+import "./chunk-JSBRDJBE.js";
+export {
+  ENV_ACCOUNT_ID,
+  ENV_CREDENTIAL_SCOPE,
+  ENV_EXPIRATION,
+  ENV_KEY,
+  ENV_SECRET,
+  ENV_SESSION,
+  fromEnv
+};

package/dist/dist-es-XQME5F6W.js

@@ -0,0 +1,67 @@
+import {
+  setCredentialFeature
+} from "./chunk-ITI6QA2Q.js";
+import {
+  CredentialsProviderError
+} from "./chunk-W3VXP3A3.js";
+import "./chunk-JSBRDJBE.js";
+
+// ../../.yarn/cache/@aws-sdk-credential-provider-web-identity-npm-3.817.0-d71feb8cb7-880321e3d7.zip/node_modules/@aws-sdk/credential-provider-web-identity/dist-es/fromTokenFile.js
+import { readFileSync } from "fs";
+
+// ../../.yarn/cache/@aws-sdk-credential-provider-web-identity-npm-3.817.0-d71feb8cb7-880321e3d7.zip/node_modules/@aws-sdk/credential-provider-web-identity/dist-es/fromWebToken.js
+var fromWebToken = (init) => async (awsIdentityProperties) => {
+  init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromWebToken");
+  const { roleArn, roleSessionName, webIdentityToken, providerId, policyArns, policy, durationSeconds } = init;
+  let { roleAssumerWithWebIdentity } = init;
+  if (!roleAssumerWithWebIdentity) {
+    const { getDefaultRoleAssumerWithWebIdentity } = await import("./sts-OPF4H3GL.js");
+    roleAssumerWithWebIdentity = getDefaultRoleAssumerWithWebIdentity({
+      ...init.clientConfig,
+      credentialProviderLogger: init.logger,
+      parentClientConfig: {
+        ...awsIdentityProperties?.callerClientConfig,
+        ...init.parentClientConfig
+      }
+    }, init.clientPlugins);
+  }
+  return roleAssumerWithWebIdentity({
+    RoleArn: roleArn,
+    RoleSessionName: roleSessionName ?? `aws-sdk-js-session-${Date.now()}`,
+    WebIdentityToken: webIdentityToken,
+    ProviderId: providerId,
+    PolicyArns: policyArns,
+    Policy: policy,
+    DurationSeconds: durationSeconds
+  });
+};
+
+// ../../.yarn/cache/@aws-sdk-credential-provider-web-identity-npm-3.817.0-d71feb8cb7-880321e3d7.zip/node_modules/@aws-sdk/credential-provider-web-identity/dist-es/fromTokenFile.js
+var ENV_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
+var ENV_ROLE_ARN = "AWS_ROLE_ARN";
+var ENV_ROLE_SESSION_NAME = "AWS_ROLE_SESSION_NAME";
+var fromTokenFile = (init = {}) => async () => {
+  init.logger?.debug("@aws-sdk/credential-provider-web-identity - fromTokenFile");
+  const webIdentityTokenFile = init?.webIdentityTokenFile ?? process.env[ENV_TOKEN_FILE];
+  const roleArn = init?.roleArn ?? process.env[ENV_ROLE_ARN];
+  const roleSessionName = init?.roleSessionName ?? process.env[ENV_ROLE_SESSION_NAME];
+  if (!webIdentityTokenFile || !roleArn) {
+    throw new CredentialsProviderError("Web identity configuration not specified", {
+      logger: init.logger
+    });
+  }
+  const credentials = await fromWebToken({
+    ...init,
+    webIdentityToken: readFileSync(webIdentityTokenFile, { encoding: "ascii" }),
+    roleArn,
+    roleSessionName
+  })();
+  if (webIdentityTokenFile === process.env[ENV_TOKEN_FILE]) {
+    setCredentialFeature(credentials, "CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN", "h");
+  }
+  return credentials;
+};
+export {
+  fromTokenFile,
+  fromWebToken
+};

package/dist/dist-es-Y7VN37H5-WQ3GYROF.js

@@ -0,0 +1,196 @@
+import {
+  getProfileName,
+  parseKnownFiles
+} from "./chunk-TJ744C2T.js";
+import {
+  setCredentialFeature
+} from "./chunk-64IS37V6.js";
+import "./chunk-XLUI7RQ4.js";
+import {
+  CredentialsProviderError,
+  chain,
+  init_esm_shims
+} from "./chunk-JBVMOFGH.js";
+import "./chunk-JSBRDJBE.js";
+
+// ../deployment-manager/dist/dist-es-Y7VN37H5.js
+init_esm_shims();
+init_esm_shims();
+init_esm_shims();
+init_esm_shims();
+init_esm_shims();
+var resolveCredentialSource = (credentialSource, profileName, logger) => {
+  const sourceProvidersMap = {
+    EcsContainer: async (options) => {
+      const { fromHttp } = await import("./dist-es-OCQVKISC-TNAJ62WG.js");
+      const { fromContainerMetadata } = await import("./dist-es-SUPEA6VE-3B5JSW5C.js");
+      logger?.debug("@aws-sdk/credential-provider-ini - credential_source is EcsContainer");
+      return async () => chain(fromHttp(options ?? {}), fromContainerMetadata(options))().then(setNamedProvider);
+    },
+    Ec2InstanceMetadata: async (options) => {
+      logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Ec2InstanceMetadata");
+      const { fromInstanceMetadata } = await import("./dist-es-SUPEA6VE-3B5JSW5C.js");
+      return async () => fromInstanceMetadata(options)().then(setNamedProvider);
+    },
+    Environment: async (options) => {
+      logger?.debug("@aws-sdk/credential-provider-ini - credential_source is Environment");
+      const { fromEnv } = await import("./dist-es-PRWCVZGQ-HTTVI42T.js");
+      return async () => fromEnv(options)().then(setNamedProvider);
+    }
+  };
+  if (credentialSource in sourceProvidersMap) {
+    return sourceProvidersMap[credentialSource];
+  } else {
+    throw new CredentialsProviderError(`Unsupported credential source in profile ${profileName}. Got ${credentialSource}, expected EcsContainer or Ec2InstanceMetadata or Environment.`, { logger });
+  }
+};
+var setNamedProvider = (creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_NAMED_PROVIDER", "p");
+var isAssumeRoleProfile = (arg, { profile = "default", logger } = {}) => {
+  return Boolean(arg) && typeof arg === "object" && typeof arg.role_arn === "string" && ["undefined", "string"].indexOf(typeof arg.role_session_name) > -1 && ["undefined", "string"].indexOf(typeof arg.external_id) > -1 && ["undefined", "string"].indexOf(typeof arg.mfa_serial) > -1 && (isAssumeRoleWithSourceProfile(arg, { profile, logger }) || isCredentialSourceProfile(arg, { profile, logger }));
+};
+var isAssumeRoleWithSourceProfile = (arg, { profile, logger }) => {
+  const withSourceProfile = typeof arg.source_profile === "string" && typeof arg.credential_source === "undefined";
+  if (withSourceProfile) {
+    logger?.debug?.(`    ${profile} isAssumeRoleWithSourceProfile source_profile=${arg.source_profile}`);
+  }
+  return withSourceProfile;
+};
+var isCredentialSourceProfile = (arg, { profile, logger }) => {
+  const withProviderProfile = typeof arg.credential_source === "string" && typeof arg.source_profile === "undefined";
+  if (withProviderProfile) {
+    logger?.debug?.(`    ${profile} isCredentialSourceProfile credential_source=${arg.credential_source}`);
+  }
+  return withProviderProfile;
+};
+var resolveAssumeRoleCredentials = async (profileName, profiles, options, visitedProfiles = {}) => {
+  options.logger?.debug("@aws-sdk/credential-provider-ini - resolveAssumeRoleCredentials (STS)");
+  const profileData = profiles[profileName];
+  const { source_profile, region } = profileData;
+  if (!options.roleAssumer) {
+    const { getDefaultRoleAssumer } = await import("./sts-P7Q3MYTS-BKGWHQE4.js");
+    options.roleAssumer = getDefaultRoleAssumer({
+      ...options.clientConfig,
+      credentialProviderLogger: options.logger,
+      parentClientConfig: {
+        ...options?.parentClientConfig,
+        region: region ?? options?.parentClientConfig?.region
+      }
+    }, options.clientPlugins);
+  }
+  if (source_profile && source_profile in visitedProfiles) {
+    throw new CredentialsProviderError(`Detected a cycle attempting to resolve credentials for profile ${getProfileName(options)}. Profiles visited: ` + Object.keys(visitedProfiles).join(", "), { logger: options.logger });
+  }
+  options.logger?.debug(`@aws-sdk/credential-provider-ini - finding credential resolver using ${source_profile ? `source_profile=[${source_profile}]` : `profile=[${profileName}]`}`);
+  const sourceCredsProvider = source_profile ? resolveProfileData(source_profile, profiles, options, {
+    ...visitedProfiles,
+    [source_profile]: true
+  }, isCredentialSourceWithoutRoleArn(profiles[source_profile] ?? {})) : (await resolveCredentialSource(profileData.credential_source, profileName, options.logger)(options))();
+  if (isCredentialSourceWithoutRoleArn(profileData)) {
+    return sourceCredsProvider.then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
+  } else {
+    const params = {
+      RoleArn: profileData.role_arn,
+      RoleSessionName: profileData.role_session_name || `aws-sdk-js-${Date.now()}`,
+      ExternalId: profileData.external_id,
+      DurationSeconds: parseInt(profileData.duration_seconds || "3600", 10)
+    };
+    const { mfa_serial } = profileData;
+    if (mfa_serial) {
+      if (!options.mfaCodeProvider) {
+        throw new CredentialsProviderError(`Profile ${profileName} requires multi-factor authentication, but no MFA code callback was provided.`, { logger: options.logger, tryNextLink: false });
+      }
+      params.SerialNumber = mfa_serial;
+      params.TokenCode = await options.mfaCodeProvider(mfa_serial);
+    }
+    const sourceCreds = await sourceCredsProvider;
+    return options.roleAssumer(sourceCreds, params).then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_SOURCE_PROFILE", "o"));
+  }
+};
+var isCredentialSourceWithoutRoleArn = (section) => {
+  return !section.role_arn && !!section.credential_source;
+};
+init_esm_shims();
+var isProcessProfile = (arg) => Boolean(arg) && typeof arg === "object" && typeof arg.credential_process === "string";
+var resolveProcessCredentials = async (options, profile) => import("./dist-es-HJVOMDYC-PIAMWMAL.js").then(({ fromProcess }) => fromProcess({
+  ...options,
+  profile
+})().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_PROCESS", "v")));
+init_esm_shims();
+var resolveSsoCredentials = async (profile, profileData, options = {}) => {
+  const { fromSSO } = await import("./dist-es-IDBDK36G-Y6TQMRO5.js");
+  return fromSSO({
+    profile,
+    logger: options.logger,
+    parentClientConfig: options.parentClientConfig,
+    clientConfig: options.clientConfig
+  })().then((creds) => {
+    if (profileData.sso_session) {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO", "r");
+    } else {
+      return setCredentialFeature(creds, "CREDENTIALS_PROFILE_SSO_LEGACY", "t");
+    }
+  });
+};
+var isSsoProfile = (arg) => arg && (typeof arg.sso_start_url === "string" || typeof arg.sso_account_id === "string" || typeof arg.sso_session === "string" || typeof arg.sso_region === "string" || typeof arg.sso_role_name === "string");
+init_esm_shims();
+var isStaticCredsProfile = (arg) => Boolean(arg) && typeof arg === "object" && typeof arg.aws_access_key_id === "string" && typeof arg.aws_secret_access_key === "string" && ["undefined", "string"].indexOf(typeof arg.aws_session_token) > -1 && ["undefined", "string"].indexOf(typeof arg.aws_account_id) > -1;
+var resolveStaticCredentials = async (profile, options) => {
+  options?.logger?.debug("@aws-sdk/credential-provider-ini - resolveStaticCredentials");
+  const credentials = {
+    accessKeyId: profile.aws_access_key_id,
+    secretAccessKey: profile.aws_secret_access_key,
+    sessionToken: profile.aws_session_token,
+    ...profile.aws_credential_scope && { credentialScope: profile.aws_credential_scope },
+    ...profile.aws_account_id && { accountId: profile.aws_account_id }
+  };
+  return setCredentialFeature(credentials, "CREDENTIALS_PROFILE", "n");
+};
+init_esm_shims();
+var isWebIdentityProfile = (arg) => Boolean(arg) && typeof arg === "object" && typeof arg.web_identity_token_file === "string" && typeof arg.role_arn === "string" && ["undefined", "string"].indexOf(typeof arg.role_session_name) > -1;
+var resolveWebIdentityCredentials = async (profile, options) => import("./dist-es-ADTONJUN-RVFWNZHO.js").then(({ fromTokenFile }) => fromTokenFile({
+  webIdentityTokenFile: profile.web_identity_token_file,
+  roleArn: profile.role_arn,
+  roleSessionName: profile.role_session_name,
+  roleAssumerWithWebIdentity: options.roleAssumerWithWebIdentity,
+  logger: options.logger,
+  parentClientConfig: options.parentClientConfig
+})().then((creds) => setCredentialFeature(creds, "CREDENTIALS_PROFILE_STS_WEB_ID_TOKEN", "q")));
+var resolveProfileData = async (profileName, profiles, options, visitedProfiles = {}, isAssumeRoleRecursiveCall = false) => {
+  const data = profiles[profileName];
+  if (Object.keys(visitedProfiles).length > 0 && isStaticCredsProfile(data)) {
+    return resolveStaticCredentials(data, options);
+  }
+  if (isAssumeRoleRecursiveCall || isAssumeRoleProfile(data, { profile: profileName, logger: options.logger })) {
+    return resolveAssumeRoleCredentials(profileName, profiles, options, visitedProfiles);
+  }
+  if (isStaticCredsProfile(data)) {
+    return resolveStaticCredentials(data, options);
+  }
+  if (isWebIdentityProfile(data)) {
+    return resolveWebIdentityCredentials(data, options);
+  }
+  if (isProcessProfile(data)) {
+    return resolveProcessCredentials(options, profileName);
+  }
+  if (isSsoProfile(data)) {
+    return await resolveSsoCredentials(profileName, data, options);
+  }
+  throw new CredentialsProviderError(`Could not resolve credentials using profile: [${profileName}] in configuration/credentials file(s).`, { logger: options.logger });
+};
+var fromIni = (_init = {}) => async ({ callerClientConfig } = {}) => {
+  const init = {
+    ..._init,
+    parentClientConfig: {
+      ...callerClientConfig,
+      ..._init.parentClientConfig
+    }
+  };
+  init.logger?.debug("@aws-sdk/credential-provider-ini - fromIni");
+  const profiles = await parseKnownFiles(init);
+  return resolveProfileData(getProfileName({
+    profile: _init.profile ?? callerClientConfig?.profile
+  }), profiles, init);
+};
+export {
+  fromIni
+};

package/dist/lambda/auto-cache-removal.d.cts

@@ -0,0 +1,17 @@
+import { S3Event, Context, Callback, S3EventRecord } from 'aws-lambda';
+
+/**
+ * Lambda handler function that processes S3 events and creates CloudFront invalidations
+ */
+declare const handler: (event: S3Event, _: Context, callback: Callback) => Promise<void>;
+/**
+ * Process individual S3 event record
+ */
+declare function processRecord(record: S3EventRecord, distributionId: string): Promise<{
+    key: string;
+    invalidated: boolean;
+    paths?: string[];
+    invalidationId?: string;
+}>;
+
+export { handler, processRecord };

package/dist/lambda/auto-cache-removal.d.ts

@@ -0,0 +1,17 @@
+import { S3Event, Context, Callback, S3EventRecord } from 'aws-lambda';
+
+/**
+ * Lambda handler function that processes S3 events and creates CloudFront invalidations
+ */
+declare const handler: (event: S3Event, _: Context, callback: Callback) => Promise<void>;
+/**
+ * Process individual S3 event record
+ */
+declare function processRecord(record: S3EventRecord, distributionId: string): Promise<{
+    key: string;
+    invalidated: boolean;
+    paths?: string[];
+    invalidationId?: string;
+}>;
+
+export { handler, processRecord };