@infoxchange/make-it-so-sst-v2 1.0.0-internal-testing-disambiguate-release-id-bc6e5bb.1

package/dist/deployConfig.d.ts

@@ -0,0 +1,72 @@
+declare const _default: {
+    isIxDeploy: true;
+    appName: string;
+    environment: "dev" | "test" | "uat" | "prod";
+    workloadGroup: "ds" | "srs";
+    primaryAwsRegion: "ap-southeast-2";
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    isInternalApp: boolean;
+    deploymentType: "docker" | "serverless";
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    smtpPort: number;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+} | {
+    isIxDeploy: false;
+    appName: string;
+    environment: string;
+    workloadGroup: string;
+    primaryAwsRegion: string;
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    deploymentType: string;
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+    isInternalApp?: boolean | undefined;
+    smtpPort?: number | undefined;
+};
+export default _default;
+export declare const getDeployConfig: () => {
+    isIxDeploy: true;
+    appName: string;
+    environment: "dev" | "test" | "uat" | "prod";
+    workloadGroup: "ds" | "srs";
+    primaryAwsRegion: "ap-southeast-2";
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    isInternalApp: boolean;
+    deploymentType: "docker" | "serverless";
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    smtpPort: number;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+} | {
+    isIxDeploy: false;
+    appName: string;
+    environment: string;
+    workloadGroup: string;
+    primaryAwsRegion: string;
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    deploymentType: string;
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+    isInternalApp?: boolean | undefined;
+    smtpPort?: number | undefined;
+};
+//# sourceMappingURL=deployConfig.d.ts.map

package/dist/deployConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deployConfig.d.ts","sourceRoot":"","sources":["../src/deployConfig.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmFA,wBAA0C;AAG1C,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAmC,CAAC"}

package/dist/deployConfig.js

@@ -0,0 +1,78 @@
+import { z } from "zod";
+const getEnvVars = () => ({
+    isIxDeploy: process.env.IX_DEPLOYMENT?.toLowerCase() === "true", // This needs to start as a bool for the discriminated union
+    appName: process.env.IX_APP_NAME ?? "",
+    environment: process.env.IX_ENVIRONMENT ?? "",
+    workloadGroup: process.env.IX_WORKLOAD_GROUP ?? "",
+    primaryAwsRegion: process.env.IX_PRIMARY_AWS_REGION ?? "",
+    siteDomains: process.env.IX_SITE_DOMAINS ?? "",
+    siteDomainAliases: process.env.IX_SITE_DOMAIN_ALIASES ?? "",
+    isInternalApp: process.env.IX_INTERNAL_APP ?? "",
+    deploymentType: process.env.IX_DEPLOYMENT_TYPE ?? "",
+    sourceCommitRef: process.env.IX_SOURCE_COMMIT_REF ?? "",
+    sourceCommitHash: process.env.IX_SOURCE_COMMIT_HASH ?? "",
+    deployTriggeredBy: process.env.IX_DEPLOY_TRIGGERED_BY ?? "",
+    smtpHost: process.env.SMTP_HOST ?? "",
+    smtpPort: process.env.SMTP_PORT ?? "",
+    clamAVUrl: process.env.CLAMAV_URL ?? "",
+    vpcHttpProxy: process.env.VPC_HTTP_PROXY ?? "",
+});
+const ixDeployConfigSchema = z
+    .object({
+    isIxDeploy: z.literal(true),
+    appName: z.string().min(1),
+    environment: z.enum(["dev", "test", "uat", "prod"]),
+    workloadGroup: z.enum(["ds", "srs"]),
+    primaryAwsRegion: z.literal("ap-southeast-2"),
+    siteDomains: z
+        .string()
+        .transform((val) => val.split(",").map((domain) => domain.trim())),
+    siteDomainAliases: z
+        .string()
+        .transform((val) => val.split(",").map((domain) => domain.trim())),
+    isInternalApp: z.coerce.boolean(),
+    deploymentType: z.enum(["docker", "serverless"]),
+    sourceCommitRef: z.string().min(1),
+    sourceCommitHash: z.string().min(1),
+    deployTriggeredBy: z.string().min(1),
+    smtpHost: z.string().min(1),
+    smtpPort: z.coerce.number().int(),
+    clamAVUrl: z.string().url(),
+    vpcHttpProxy: z.string().url(),
+})
+    .strip();
+const nonIxDeployConfigSchema = z
+    .object({
+    isIxDeploy: z.literal(false),
+    appName: z.string(),
+    environment: z.string(),
+    workloadGroup: z.string(),
+    primaryAwsRegion: z.string(),
+    siteDomains: z
+        .string()
+        .transform((val) => val.split(",").map((domain) => domain.trim())),
+    siteDomainAliases: z
+        .string()
+        .transform((val) => val.split(",").map((domain) => domain.trim())),
+    isInternalApp: z
+        .string()
+        .transform((val) => (val ? val.toLowerCase() === "true" : undefined)),
+    deploymentType: z.string(),
+    sourceCommitRef: z.string(),
+    sourceCommitHash: z.string(),
+    deployTriggeredBy: z.string(),
+    smtpHost: z.string(),
+    smtpPort: z
+        .string()
+        .transform((val) => isNaN(parseInt(val, 10)) ? undefined : parseInt(val, 10)),
+    clamAVUrl: z.string(),
+    vpcHttpProxy: z.string(),
+})
+    .strip();
+const schema = z.discriminatedUnion("isIxDeploy", [
+    ixDeployConfigSchema,
+    nonIxDeployConfigSchema,
+]);
+export default schema.parse(getEnvVars());
+// process.env values can change at runtime so we provide a way to re-parse the config as needed
+export const getDeployConfig = () => schema.parse(getEnvVars());

package/dist/lib/auth/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./oidc.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/lib/auth/index.js

@@ -0,0 +1 @@
+export * from "./oidc.js";

package/dist/lib/auth/oidc.d.ts

@@ -0,0 +1,26 @@
+import { JWTPayload } from "jose";
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+    token: string;
+    issuerUrl: string;
+    audience: string;
+    safeVerify?: SafeVerify;
+};
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export declare function verifyAccessToken<SafeVerify extends boolean = false>({ token, issuerUrl, audience, safeVerify, }: VerifyAccessTokenParams<SafeVerify>): Promise<SafeVerify extends true ? {
+    error: Error | unknown;
+    payload: null;
+} | {
+    error: null;
+    payload: JWTPayload;
+} : JWTPayload>;
+export {};
+//# sourceMappingURL=oidc.d.ts.map

package/dist/lib/auth/oidc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,UAAU,EAAa,MAAM,MAAM,CAAC;AAEjE,KAAK,uBAAuB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,EAAE,EAC1E,KAAK,EACL,SAAS,EACT,QAAQ,EACR,UAAU,GACX,EAAE,uBAAuB,CAAC,UAAU,CAAC,GAAG,OAAO,CAC9C,UAAU,SAAS,IAAI,GAEf;IAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GACxC,UAAU,CACf,CAyCA"}

package/dist/lib/auth/oidc.js

@@ -0,0 +1,48 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken({ token, issuerUrl, audience, safeVerify, }) {
+    try {
+        const issuer = await Issuer.discover(issuerUrl);
+        const jwksUri = issuer.metadata.jwks_uri;
+        if (!jwksUri) {
+            throw new Error("JWKS URI not found in issuer metadata");
+        }
+        const JWKS = createRemoteJWKSet(new URL(jwksUri));
+        // Verify the signature and basic claims
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer.metadata.issuer,
+        });
+        const tokenAud = payload.aud ?? payload.client_id;
+        let audienceMatches = false;
+        for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+            if (aud === audience) {
+                audienceMatches = true;
+                break;
+            }
+        }
+        if (!audienceMatches) {
+            console.info("Token data:", payload);
+            throw new Error(`Token audience does not match expected audience ${audience}`);
+        }
+        if (safeVerify) {
+            return { payload, error: null };
+        }
+        return payload;
+    }
+    catch (err) {
+        if (safeVerify) {
+            return { error: err, payload: null };
+        }
+        throw err;
+    }
+}

package/dist/lib/proxy/fetch.d.ts

@@ -0,0 +1,4 @@
+import { fetch as undiciFetch } from "undici";
+export declare function setupProxyGlobally(): void;
+export declare function getProxiedFetch(): typeof undiciFetch;
+//# sourceMappingURL=fetch.d.ts.map

package/dist/lib/proxy/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../../src/lib/proxy/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,IAAI,WAAW,EACrB,MAAM,QAAQ,CAAC;AAGhB,wBAAgB,kBAAkB,SAmBjC;AAED,wBAAgB,eAAe,uBAW9B"}

package/dist/lib/proxy/fetch.js

@@ -0,0 +1,31 @@
+import { setGlobalDispatcher, getGlobalDispatcher, EnvHttpProxyAgent, fetch as undiciFetch, } from "undici";
+import { bootstrap } from "global-agent";
+export function setupProxyGlobally() {
+    // Make operation idempotent
+    if (getGlobalDispatcher() instanceof EnvHttpProxyAgent)
+        return;
+    if (!process.env.HTTP_PROXY || !process.env.HTTPS_PROXY)
+        return;
+    // To cover libraries that use fetch
+    // See https://nodejs.org/api/globals.html#custom-dispatcher
+    // This might stop being needed at some point: https://github.com/actions/create-github-app-token/pull/143#discussion_r1747641337
+    const envHttpProxyAgent = new EnvHttpProxyAgent();
+    setGlobalDispatcher(envHttpProxyAgent);
+    // To cover libraries that use the http/https object
+    if (!process.env.GLOBAL_AGENT_HTTP_PROXY) {
+        process.env.GLOBAL_AGENT_HTTP_PROXY = process.env.HTTP_PROXY;
+        process.env.GLOBAL_AGENT_HTTPS_PROXY =
+            process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
+    }
+    bootstrap();
+}
+export function getProxiedFetch() {
+    const fetch = (input, init = {}) => {
+        if (init.dispatcher) {
+            console.warn("A custom dispatcher was provided to fetch but this is ignored as a proxy agent is being used.");
+        }
+        const envHttpProxyAgent = new EnvHttpProxyAgent();
+        return undiciFetch(input, { ...init, dispatcher: envHttpProxyAgent });
+    };
+    return fetch;
+}

package/dist/lib/proxy/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./fetch.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/proxy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/proxy/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC"}

package/dist/lib/proxy/index.js

@@ -0,0 +1 @@
+export * from "./fetch.js";

package/dist/lib/site/support.d.ts

@@ -0,0 +1,71 @@
+import { Construct } from "constructs";
+import { NextjsSite, NextjsSiteProps, Stack, StaticSite, StaticSiteProps } from "sst/constructs";
+import { type DistributionDomainProps } from "sst/constructs/Distribution.js";
+import { type AddToSiteProps as SiteOidcAuthAddToSiteProps } from "../../cdk-constructs/SiteOidcAuth/index.js";
+type SharedExtendedSiteProps = {
+    customDomain?: string | ExtendedCustomDomains;
+    auth?: {
+        oidc: {
+            issuerUrl: string;
+            clientId: string;
+            scope: string;
+        };
+    } & SiteOidcAuthAddToSiteProps;
+};
+export type ExtendedCustomDomains = DistributionDomainProps & {
+    isIxManagedDomain?: boolean;
+    additionalDomainAliases?: string[];
+};
+export type ExtendedNextjsSiteProps = Omit<NextjsSiteProps, "customDomain" | "environment"> & SharedExtendedSiteProps & {
+    /**
+     * An object with the key being the environment variable name. The value can either be the environment variable value
+     * as a string or as an object with `buildtime` and/or `runtime` properties where the values of `buildtime` and
+     * `runtime` is the environment variable value that will be used during that step.
+     *
+     * @example
+     * ```js
+     * environment: {
+     *   USER_POOL_CLIENT: auth.cognitoUserPoolClient.userPoolClientId,
+     *   NODE_OPTIONS: {
+     *     buildtime: "--max-old-space-size=4096",
+     *   },
+     *   API_URL: {
+     *     buildtime: "https://external.domain",
+     *     runtime: "https://internal.domain",
+     *   },
+     * },
+     * ```
+     */
+    environment?: Record<string, string | {
+        buildtime?: string;
+        runtime?: string;
+    }>;
+};
+export type ExtendedStaticSiteProps = Omit<StaticSiteProps, "customDomain"> & SharedExtendedSiteProps;
+export declare function setupCustomDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
+export declare function setupCertificate<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
+export declare function setupDomainAliasRedirect<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
+export declare function setupVpcDetails<Props extends ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
+/**
+ * Ensures environment variables that are conditionally included for buildtime or runtime are only used during the
+ * appropriate phase.
+ */
+export declare function applyConditionalEnvironmentVariables<Props extends ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
+/**
+ * Before props reach this function they should have already been converted into something compatible with the parent
+ * SST construct. This function verifies that's the case and updates the type if so.
+ */
+export declare function parentCompatibleSsrProps<Props extends ExtendedNextjsSiteProps, ResultProps = Omit<Props, "environment"> & {
+    environment?: Record<string, string>;
+}>(props: Readonly<Props>): ResultProps;
+export declare function setupDefaultEnvVars<Props extends ExtendedNextjsSiteProps>(scope: Construct | Stack, id: string, props: Readonly<Props>): Props;
+export declare function setupDnsRecords<Instance extends NextjsSite | StaticSite, Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(instance: Instance, scope: Construct, id: string, props: Readonly<Props>): void;
+export declare function getCustomDomains<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string[];
+export declare function getPrimaryDomain<Instance extends NextjsSite | StaticSite, Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(instance: Instance, props: Readonly<Props>): string | null;
+export declare function getPrimaryOrigin<Instance extends NextjsSite | StaticSite, Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(instance: Instance, props: Readonly<Props>): string | null;
+export declare function getPrimaryCustomDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string | null;
+export declare function getAliasDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string | null;
+export declare function getAlternativeDomains<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string[];
+export declare function processAuthProps<SiteType extends "StaticSite" | "SsrSite", Props extends SiteType extends "StaticSite" ? ExtendedStaticSiteProps : ExtendedNextjsSiteProps>(scope: Construct, id: string, siteType: SiteType, props: Readonly<Props>): Props;
+export {};
+//# sourceMappingURL=support.d.ts.map

package/dist/lib/site/support.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"support.d.ts","sourceRoot":"","sources":["../../../src/lib/site/support.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EACL,UAAU,EACV,eAAe,EACf,KAAK,EACL,UAAU,EACV,eAAe,EAChB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EAAE,KAAK,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAE9E,OAAO,EAEL,KAAK,cAAc,IAAI,0BAA0B,EAClD,MAAM,4CAA4C,CAAC;AAEpD,KAAK,uBAAuB,GAAG;IAC7B,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAAC;IAC9C,IAAI,CAAC,EAAE;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;SACf,CAAC;KACH,GAAG,0BAA0B,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG,uBAAuB,GAAG;IAC5D,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,IAAI,CACxC,eAAe,EACf,cAAc,GAAG,aAAa,CAC/B,GACC,uBAAuB,GAAG;IACxB;;;;;;;;;;;;;;;;;;OAkBG;IACH,WAAW,CAAC,EAAE,MAAM,CAClB,MAAM,EACN,MAAM,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAClD,CAAC;CACH,CAAC;AAEJ,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,GACzE,uBAAuB,CAAC;AAE1B,wBAAgB,iBAAiB,CAC/B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiB7D;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAyB7D;AAED,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CA2B7D;AAED,wBAAgB,eAAe,CAAC,KAAK,SAAS,uBAAuB,EACnE,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAwCP;AAED;;;GAGG;AACH,wBAAgB,oCAAoC,CAClD,KAAK,SAAS,uBAAuB,EACrC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiE7D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,EACrC,WAAW,GAAG,IAAI,CAAC,KAAK,EAAE,aAAa,CAAC,GAAG;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC,EACD,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,WAAW,CASrC;AAED,wBAAgB,mBAAmB,CAAC,KAAK,SAAS,uBAAuB,EACvE,KAAK,EAAE,SAAS,GAAG,KAAK,EACxB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAeP;AAED,wBAAgB,eAAe,CAC7B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAE/D,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,IAAI,CAmBN;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAWlC;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAM3D;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAG3D;AAED,wBAAgB,sBAAsB,CACpC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAOvC;AAED,wBAAgB,cAAc,CAC5B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAKvC;AAED,wBAAgB,qBAAqB,CACnC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAKlC;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,YAAY,GAAG,SAAS,EACzC,KAAK,SAAS,QAAQ,SAAS,YAAY,GACvC,uBAAuB,GACvB,uBAAuB,EAE3B,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAyBP"}

package/dist/lib/site/support.js

@@ -0,0 +1,262 @@
+import ixDeployConfig from "../../deployConfig.js";
+import { IxCertificate } from "../../cdk-constructs/IxCertificate.js";
+import { IxWebsiteRedirect } from "../../cdk-constructs/IxWebsiteRedirect.js";
+import { IxVpcDetails } from "../../cdk-constructs/IxVpcDetails.js";
+import { IxDnsRecord } from "../../cdk-constructs/IxDnsRecord.js";
+import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
+import { convertToBase62Hash } from "../utils/hash.js";
+import { SiteOidcAuth, } from "../../cdk-constructs/SiteOidcAuth/index.js";
+export function setupCustomDomain(scope, id, props) {
+    let updatedProps = props;
+    // Default to using domains names passed in by the pipeline as the custom domain
+    if (ixDeployConfig.isIxDeploy && !("customDomain" in updatedProps)) {
+        updatedProps = {
+            ...updatedProps,
+            customDomain: {
+                isIxManagedDomain: true,
+                isExternalDomain: true,
+                domainName: ixDeployConfig.siteDomains[0],
+                alternateNames: ixDeployConfig.siteDomains.slice(1),
+                domainAlias: ixDeployConfig.siteDomainAliases[0],
+                additionalDomainAliases: ixDeployConfig.siteDomainAliases.slice(1),
+            },
+        };
+    }
+    return updatedProps;
+}
+export function setupCertificate(scope, id, props) {
+    const updatedProps = { ...props };
+    if (!updatedProps?.customDomain)
+        return updatedProps;
+    if (typeof updatedProps.customDomain === "string") {
+        updatedProps.customDomain = { domainName: updatedProps.customDomain };
+    }
+    // No cert creation required if isIxManagedDomain is false or a cert is already provided
+    if (!updatedProps.customDomain.isIxManagedDomain &&
+        updatedProps.customDomain.cdk?.certificate) {
+        return updatedProps;
+    }
+    const domainCert = new IxCertificate(scope, id + "-IxCertificate", {
+        domainName: updatedProps.customDomain.domainName,
+        subjectAlternativeNames: updatedProps.customDomain.alternateNames,
+        region: "us-east-1", // CloudFront will only use certificates in us-east-1
+    });
+    updatedProps.customDomain.cdk = updatedProps.customDomain.cdk ?? {};
+    updatedProps.customDomain.cdk.certificate = domainCert.acmCertificate;
+    return updatedProps;
+}
+export function setupDomainAliasRedirect(scope, id, props) {
+    if (typeof props.customDomain !== "object" ||
+        !(props.customDomain.domainAlias ||
+            props.customDomain.additionalDomainAliases?.length) ||
+        !props.customDomain.isIxManagedDomain ||
+        !props.customDomain.cdk?.certificate) {
+        return props;
+    }
+    const domainsToRedirectFrom = [
+        ...(props.customDomain.domainAlias ? [props.customDomain.domainAlias] : []),
+        ...(props.customDomain.additionalDomainAliases ?? []),
+    ];
+    new IxWebsiteRedirect(scope, id + "-IxWebsiteRedirect", {
+        recordNames: domainsToRedirectFrom,
+        targetDomain: props.customDomain.domainName,
+    });
+    return {
+        ...props,
+        customDomain: {
+            ...props.customDomain,
+            domainAlias: undefined, // SST's site constructs will complain if domainAlias is set while isExternalDomain is true
+        },
+    };
+}
+export function setupVpcDetails(scope, id, props) {
+    const updatedProps = { ...props };
+    // Don't make any changes if the user has set the VPC manually in any place
+    if ("vpc" in (updatedProps.cdk?.server || {}) ||
+        "vpc" in (updatedProps.cdk?.revalidation || {})) {
+        return updatedProps;
+    }
+    const vpcDetails = new IxVpcDetails(scope, id + "-IxVpcDetails");
+    updatedProps.cdk = updatedProps.cdk ?? {};
+    updatedProps.cdk.server = {
+        ...updatedProps.cdk.server,
+        vpc: vpcDetails.vpc,
+    };
+    updatedProps.cdk.revalidation = {
+        ...updatedProps.cdk.revalidation,
+        vpc: vpcDetails.vpc,
+    };
+    if (!ixDeployConfig.vpcHttpProxy) {
+        console.warn(`Attempting to add HTTP proxy environment variables to ${id} but the VPC_HTTP_PROXY env var is not configured.`);
+    }
+    // If we're using the AWS runner then the build stage will already be inside the VPC and required the proxy but
+    // the HTTP proxy environment variables will be already set in the environment by the pipeline and so the build
+    // stage will inherit that.
+    updatedProps.environment = {
+        HTTP_PROXY: { runtime: ixDeployConfig.vpcHttpProxy },
+        HTTPS_PROXY: { runtime: ixDeployConfig.vpcHttpProxy },
+        http_proxy: { runtime: ixDeployConfig.vpcHttpProxy },
+        https_proxy: { runtime: ixDeployConfig.vpcHttpProxy },
+        ...updatedProps.environment,
+    };
+    return updatedProps;
+}
+/**
+ * Ensures environment variables that are conditionally included for buildtime or runtime are only used during the
+ * appropriate phase.
+ */
+export function applyConditionalEnvironmentVariables(scope, id, props) {
+    const updatedProps = { ...props };
+    if (!updatedProps.environment)
+        return updatedProps;
+    const buildtimeSpecificEnvVars = Object.fromEntries(Object.entries(updatedProps.environment)
+        .filter(([, value]) => typeof value === "object")
+        .map(([varName, value]) => [
+        varName,
+        typeof value === "object" && "buildtime" in value
+            ? value.buildtime
+            : undefined,
+    ]));
+    const runtimeSpecificEnvVars = Object.fromEntries(Object.entries(updatedProps.environment)
+        .filter(([, value]) => typeof value === "object")
+        .map(([varName, value]) => [
+        varName,
+        typeof value === "object" && "runtime" in value
+            ? value.runtime
+            : undefined,
+    ]));
+    // Remove runtime excluded env vars from lambda
+    updatedProps.cdk = updatedProps.cdk ?? {};
+    const oldTransform = updatedProps.cdk.transform;
+    updatedProps.cdk.transform = (plan) => {
+        oldTransform?.(plan);
+        for (const origin of Object.values(plan.origins)) {
+            if (!("function" in origin) || !origin.function.environment) {
+                continue;
+            }
+            for (const [envVarName, envVarValue] of Object.entries(runtimeSpecificEnvVars)) {
+                if (envVarValue !== undefined) {
+                    origin.function.environment[envVarName] = envVarValue;
+                }
+                else {
+                    // @ts-expect-error - Environment values should generally only be strings but we need to set it to undefined
+                    // as a workaround to override any environment variables that are mixed in during function creation which are
+                    // only meant to be included at build time.
+                    // https://github.com/sst/v2/blob/d0c9d5c1cbf8016b2a2b7ed2e247c27546b40387/packages/sst/src/constructs/SsrSite.ts#L1029
+                    origin.function.environment[envVarName] = undefined;
+                }
+            }
+        }
+    };
+    // Remove buildtime excluded env vars from environment object which is used during build
+    for (const [envVarName, envVarValue] of Object.entries(buildtimeSpecificEnvVars)) {
+        if (envVarValue !== undefined) {
+            updatedProps.environment[envVarName] = envVarValue;
+        }
+        else {
+            delete updatedProps.environment[envVarName];
+        }
+    }
+    return updatedProps;
+}
+/**
+ * Before props reach this function they should have already been converted into something compatible with the parent
+ * SST construct. This function verifies that's the case and updates the type if so.
+ */
+export function parentCompatibleSsrProps(props) {
+    for (const value of Object.values(props.environment ?? {})) {
+        if (typeof value !== "string") {
+            throw new Error("Internal make-it-so error: The environment prop contains buildtime/runtime specific environment variables which cannot be passed to the parent NextjsSite construct. Please use the applyConditionalEnvironmentVariables function to ensure only appropriate environment variables are included.");
+        }
+    }
+    return props;
+}
+export function setupDefaultEnvVars(scope, id, props) {
+    const updatedProps = { ...props };
+    // NextjsSite functions to not use default env var unfortunately so we have to
+    // explicitly set them ourselves https://github.com/sst/sst/issues/2359
+    if ("defaultFunctionProps" in scope) {
+        for (const funcProps of scope.defaultFunctionProps) {
+            const defaultFunctionEnvVars = { ...funcProps.environment };
+            updatedProps.environment = {
+                ...defaultFunctionEnvVars,
+                ...updatedProps.environment,
+            };
+        }
+    }
+    return updatedProps;
+}
+export function setupDnsRecords(instance, scope, id, props) {
+    if (!instance.cdk?.distribution ||
+        typeof props.customDomain !== "object" ||
+        !props.customDomain.isIxManagedDomain)
+        return;
+    for (const domainName of getCustomDomains(props)) {
+        const domainNameLogicalId = convertToBase62Hash(domainName);
+        new IxDnsRecord(scope, `DnsRecord-${domainNameLogicalId}`, {
+            type: "ALIAS",
+            name: domainName,
+            value: instance.cdk.distribution.distributionDomainName,
+            aliasZoneId: CloudFrontTarget.getHostedZoneId(scope),
+            ttl: 900,
+        });
+    }
+}
+export function getCustomDomains(props) {
+    const domainNames = new Set();
+    const primaryCustomDomain = getPrimaryCustomDomain(props);
+    const alternativeDomains = getAlternativeDomains(props);
+    if (primaryCustomDomain)
+        domainNames.add(primaryCustomDomain);
+    if (alternativeDomains.length)
+        alternativeDomains.forEach((domain) => domainNames.add(domain));
+    return Array.from(domainNames);
+}
+export function getPrimaryDomain(instance, props) {
+    return (getPrimaryCustomDomain(props) ??
+        instance.cdk?.distribution?.distributionDomainName ??
+        null);
+}
+export function getPrimaryOrigin(instance, props) {
+    const primaryDomain = getPrimaryDomain(instance, props);
+    return primaryDomain ? `https://${primaryDomain}` : null;
+}
+export function getPrimaryCustomDomain(props) {
+    if (typeof props.customDomain === "string") {
+        return props.customDomain;
+    }
+    else if (typeof props.customDomain === "object") {
+        return props.customDomain.domainName ?? null;
+    }
+    return null;
+}
+export function getAliasDomain(props) {
+    if (typeof props.customDomain === "object") {
+        return props.customDomain.domainAlias ?? null;
+    }
+    return null;
+}
+export function getAlternativeDomains(props) {
+    if (typeof props.customDomain === "object") {
+        return props.customDomain.alternateNames ?? [];
+    }
+    return [];
+}
+export function processAuthProps(scope, id, siteType, props) {
+    if (!props.auth)
+        return props;
+    const { oidc, ...otherAuthProps } = props.auth;
+    const auth = new SiteOidcAuth(scope, `${id}-SiteOidcAuth`, {
+        oidcIssuerUrl: oidc.issuerUrl,
+        oidcClientId: oidc.clientId,
+        oidcScope: oidc.scope,
+    });
+    if (siteType === "StaticSite") {
+        return auth.addToStaticSiteProps(scope, props, otherAuthProps);
+    }
+    else if (siteType === "SsrSite") {
+        return auth.addToSsrSiteProps(scope, props, otherAuthProps);
+    }
+    siteType;
+    throw new Error(`Unsupported site type ${siteType} when processing auth prop.`);
+}

package/dist/lib/utils/hash.d.ts

@@ -0,0 +1,2 @@
+export declare function convertToBase62Hash(string: string): string;
+//# sourceMappingURL=hash.d.ts.map

package/dist/lib/utils/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/hash.ts"],"names":[],"mappings":"AAAA,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAa1D"}

package/dist/lib/utils/hash.js

@@ -0,0 +1,13 @@
+export function convertToBase62Hash(string) {
+    const base62Chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+    let hash = "";
+    let num = 0;
+    for (let i = 0; i < string.length; i++) {
+        num += string.charCodeAt(i);
+    }
+    while (num > 0) {
+        hash = base62Chars[num % 62] + hash;
+        num = Math.floor(num / 62);
+    }
+    return hash;
+}