@intentius/chant-lexicon-aws 0.0.13 → 0.0.14

package/dist/skills/chant-eks.md

@@ -0,0 +1,175 @@
+---
+skill: chant-eks
+description: End-to-end EKS workflow bridging AWS infrastructure and Kubernetes workloads
+user-invocable: true
+---
+
+# EKS End-to-End Workflow
+
+## Overview
+
+This skill bridges two lexicons:
+- **`@intentius/chant-lexicon-aws`** — EKS cluster, node groups, IAM roles, OIDC provider (CloudFormation)
+- **`@intentius/chant-lexicon-k8s`** — Kubernetes workloads, IRSA, ALB Ingress, storage, observability (K8s YAML)
+
+## Architecture
+
+```
+AWS Lexicon (CloudFormation)          K8s Lexicon (kubectl apply)
+┌────────────────────────┐           ┌────────────────────────────┐
+│ VPC + Subnets          │           │ NamespaceEnv (quotas)      │
+│ EKS Cluster            │           │ AutoscaledService (app)    │
+│ Managed Node Group     │──ARNs──→  │ IrsaServiceAccount (IRSA)  │
+│ OIDC Provider          │           │ AlbIngress (ALB)           │
+│ IAM Roles (IRSA)       │           │ EbsStorageClass (gp3)      │
+│ EKS Add-ons            │           │ FluentBitAgent (logs)      │
+└────────────────────────┘           │ ExternalDnsAgent (DNS)     │
+                                     └────────────────────────────┘
+```
+
+## Step 1: Provision AWS Infrastructure
+
+```bash
+# Build CloudFormation template
+chant build src/infra/ --output infra.json
+
+# Deploy
+aws cloudformation deploy \
+  --template-file infra.json \
+  --stack-name my-eks-cluster \
+  --capabilities CAPABILITY_NAMED_IAM
+```
+
+Key AWS resources:
+- **EKS Cluster** — control plane
+- **Managed Node Group** — EC2 worker nodes
+- **OIDC Provider** — enables IRSA (IAM Roles for Service Accounts)
+- **IAM Roles** — node role, app IRSA roles, ALB controller role
+
+## Step 2: Configure kubectl
+
+```bash
+aws eks update-kubeconfig --name my-cluster --region us-east-1
+kubectl get nodes  # verify connectivity
+```
+
+## Step 3: Deploy K8s Workloads
+
+```bash
+# Build K8s manifests
+chant build src/k8s/ --output manifests.yaml
+
+# Apply
+kubectl apply -f manifests.yaml
+```
+
+### Key K8s composites for EKS
+
+```typescript
+import {
+  NamespaceEnv,
+  AutoscaledService,
+  IrsaServiceAccount,
+  AlbIngress,
+  EbsStorageClass,
+  FluentBitAgent,
+  ExternalDnsAgent,
+} from "@intentius/chant-lexicon-k8s";
+
+// 1. Namespace with quotas and network isolation
+const ns = NamespaceEnv({
+  name: "prod",
+  cpuQuota: "16",
+  memoryQuota: "32Gi",
+  defaultCpuRequest: "100m",
+  defaultMemoryRequest: "128Mi",
+  defaultDenyIngress: true,
+});
+
+// 2. IRSA ServiceAccount (use IAM Role ARN from CloudFormation outputs)
+const irsa = IrsaServiceAccount({
+  name: "app-sa",
+  iamRoleArn: "arn:aws:iam::123456789012:role/app-role",  // from CF output
+  namespace: "prod",
+});
+
+// 3. Application with autoscaling
+const app = AutoscaledService({
+  name: "api",
+  image: "api:1.0",
+  port: 8080,
+  maxReplicas: 10,
+  cpuRequest: "200m",
+  memoryRequest: "256Mi",
+  namespace: "prod",
+});
+
+// 4. ALB Ingress (use ACM cert ARN from CloudFormation outputs)
+const ingress = AlbIngress({
+  name: "api-ingress",
+  hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
+  certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abc",  // from CF output
+  namespace: "prod",
+});
+
+// 5. Storage
+const storage = EbsStorageClass({ name: "gp3-encrypted", type: "gp3", encrypted: true });
+
+// 6. Observability
+const logging = FluentBitAgent({
+  logGroup: "/aws/eks/my-cluster/containers",
+  region: "us-east-1",
+  clusterName: "my-cluster",
+});
+
+// 7. DNS
+const dns = ExternalDnsAgent({
+  iamRoleArn: "arn:aws:iam::123456789012:role/external-dns-role",
+  domainFilters: ["example.com"],
+});
+```
+
+## Step 4: Verify
+
+```bash
+kubectl get pods -n prod
+kubectl get ingress -n prod
+kubectl logs -n amazon-cloudwatch -l app.kubernetes.io/name=fluent-bit
+```
+
+## Cleanup
+
+```bash
+# Delete K8s workloads first
+kubectl delete -f manifests.yaml
+
+# Then delete AWS infrastructure
+aws cloudformation delete-stack --stack-name my-eks-cluster
+aws cloudformation wait stack-delete-complete --stack-name my-eks-cluster
+```
+
+## Cross-Lexicon Value Flow
+
+CloudFormation outputs flow into K8s composite props:
+
+| CloudFormation Output | K8s Composite Prop |
+|----------------------|-------------------|
+| App IAM Role ARN | `IrsaServiceAccount.iamRoleArn` |
+| ALB Controller Role ARN | `IrsaServiceAccount.iamRoleArn` (for ALB controller SA) |
+| ACM Certificate ARN | `AlbIngress.certificateArn` |
+| ExternalDNS Role ARN | `ExternalDnsAgent.iamRoleArn` |
+| EKS Cluster Name | `FluentBitAgent.clusterName`, `AdotCollector.clusterName` |
+| EFS Filesystem ID | `EfsStorageClass.fileSystemId` |
+
+## EKS Init Template
+
+Scaffold a dual-lexicon EKS project:
+
+```bash
+chant init --lexicon aws --template eks
+```
+
+This creates:
+- `src/infra/` — EKS cluster, node group, IAM (AWS lexicon)
+- `src/k8s/` — namespace, app, ingress, storage (K8s lexicon)
+- `package.json` with both `@intentius/chant-lexicon-aws` and `@intentius/chant-lexicon-k8s`

package/dist/types/index.d.ts

@@ -8251,7 +8251,8 @@ export declare class DbCluster {
  Valid for Cluster Type: Aurora DB clusters only */
     EngineMode?: string;
     /** The version number of the database engine to use.
- To list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (8.0-compatible), use the following command:
+  Don't use this property if your DB cluster is a member of a global database cluster. Instead, specify the ``EngineVersion`` property on the [AWS::RDS::GlobalCluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html) resource. Major version upgrades aren't supported for individual members of a global cluster. Use ``ModifyGlobalCluster`` to upgrade all members of the global cluster.
+  To list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (8.0-compatible), use the following command:
   ``aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[].EngineVersion"`` 
  You can supply either ``5.7`` or ``8.0`` to use the default engine version for Aurora MySQL version 2 or version 3, respectively.
  To list all of the available engine versions for Aurora PostgreSQL, use the following command:
@@ -8997,7 +8998,14 @@ export declare class DbInstance {
     /** The AWS KMS key identifier for encryption of Performance Insights data.
  The KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
  If you do not specify a value for ``PerformanceInsightsKMSKeyId``, then Amazon RDS uses your default KMS key. There is a default KMS key for your AWS account. Your AWS account has a different default KMS key for each AWS Region.
- For information about enabling Performance Insights, see [EnablePerformanceInsights](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableperformanceinsights). */
+  *Update behavior:* Once Performance Insights is enabled with a KMS key, you cannot change to a different physical KMS key without replacing the DB instance. However, the following updates do not require replacement:
+  +  Enabling or disabling Performance Insights using the ``EnablePerformanceInsights`` property
+  +  Changing between different identifier formats (key ARN, key ID, alias ARN, alias name) of the same physical KMS key
+  +  Removing the ``PerformanceInsightsKMSKeyId`` property from your template
+  
+   *Drift behavior:* If you specify ``PerformanceInsightsKMSKeyId`` while ``EnablePerformanceInsights`` is set to ``false``, CloudFormation will report drift. This occurs because the RDS API does not allow setting a KMS key when Performance Insights is disabled. CloudFormation ignores the ``PerformanceInsightsKMSKeyId`` value during instance creation to avoid API errors, resulting in a mismatch between your template and the actual instance configuration.
+ To avoid drift, omit both ``EnablePerformanceInsights`` and ``PerformanceInsightsKMSKeyId`` during initial instance creation, then set both properties together when you're ready to enable Performance Insights.
+  For information about enabling Performance Insights, see [EnablePerformanceInsights](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableperformanceinsights). */
     PerformanceInsightsKMSKeyId?: string;
     /** The number of days to retain Performance Insights data. When creating a DB instance without enabling Performance Insights, you can't specify the parameter ``PerformanceInsightsRetentionPeriod``.
  This setting doesn't apply to RDS Custom DB instances.
@@ -17793,23 +17801,20 @@ export declare class LambdaAlias {
 
 export declare class LambdaCapacityProvider {
   constructor(props: {
-    /** IAM permissions configuration for the capacity provider. */
+    /** The permissions configuration for the capacity provider. */
     PermissionsConfig: LambdaCapacityProvider_CapacityProviderPermissionsConfig;
-    /** VPC configuration for the capacity provider. */
+    /** The VPC configuration for the capacity provider. */
     VpcConfig: LambdaCapacityProvider_CapacityProviderVpcConfig;
-    /** The Amazon Resource Name (ARN) of the capacity provider. This is a read-only property that is automatically generated when the capacity provider is created. */
     Arn?: string;
-    /** The name of the capacity provider. The name must be unique within your AWS account and region. If you don't specify a name, CloudFormation generates one. */
     CapacityProviderName?: string;
     /** The scaling configuration for the capacity provider. */
     CapacityProviderScalingConfig?: LambdaCapacityProvider_CapacityProviderScalingConfig;
-    /** Specifications for the types of EC2 instances that the capacity provider can use. */
+    /** The instance requirements for compute resources managed by the capacity provider. */
     InstanceRequirements?: LambdaCapacityProvider_InstanceRequirements;
-    /** The ARN of the AWS Key Management Service (KMS) key used by the capacity provider. */
+    /** The ARN of the KMS key used to encrypt the capacity provider's resources. */
     KmsKeyArn?: string;
-    /** The current state of the capacity provider. */
     State?: LambdaCapacityProvider_CapacityProviderState;
-    /** A list of tags to apply to the capacity provider. */
+    /** A key-value pair that provides metadata for the capacity provider. */
     Tags?: LambdaCapacityProvider_Tag[];
   }, attributes?: CFResourceAttributes);
   readonly Arn: string;
@@ -19590,20 +19595,32 @@ export declare class MailManagerTrafficPolicy {
 
 export declare class MaintenanceWindow {
   constructor(props: {
+    /** Enables a maintenance window task to run on managed instances, even if you have not registered those instances as targets. If enabled, then you must specify the unregistered instances (by instance ID) when you register a task with the maintenance window. */
     AllowUnassociatedTargets: boolean;
+    /** The number of hours before the end of the maintenance window that AWS Systems Manager stops scheduling new tasks for execution. */
     Cutoff: number;
+    /** The duration of the maintenance window in hours. */
     Duration: number;
+    /** The name of the maintenance window. */
     Name: string;
+    /** The schedule of the maintenance window in the form of a cron or rate expression. */
     Schedule: string;
+    /** A description of the maintenance window. */
     Description?: string;
+    /** The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. */
     EndDate?: string;
-    Id?: string;
+    /** The number of days to wait to run a maintenance window after the scheduled cron expression date and time. */
     ScheduleOffset?: number;
+    /** The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. */
     ScheduleTimezone?: string;
+    /** The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. StartDate allows you to delay activation of the maintenance window until the specified future date. */
     StartDate?: string;
+    /** Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in. */
     Tags?: MaintenanceWindow_Tag[];
+    /** The ID of the maintenance window. */
+    WindowId?: string;
   }, attributes?: CFResourceAttributes);
-  readonly Id: string;
+  readonly WindowId: string;
 }
 
 export declare class MaintenanceWindowTarget {
@@ -22595,6 +22612,8 @@ export declare class OpenSearchServiceApplication {
     IamIdentityCenterOptions?: Record<string, unknown>;
     /** The identifier of the application. */
     Id?: string;
+    /** The ARN of the KMS key used to encrypt the application. */
+    KmsKeyArn?: string;
     /** An arbitrary set of tags (key-value pairs) for this application. */
     Tags?: OpenSearchServiceApplication_Tag[];
   }, attributes?: CFResourceAttributes);
@@ -54633,15 +54652,16 @@ export declare class CapacityProviderConfig {
 
 export declare class CapacityProviderPermissionsConfig {
   constructor(props: {
-    /** The ARN of the IAM role that Lambda assumes to manage the capacity provider. */
+    /** The ARN of the IAM role that the capacity provider uses to manage compute instances and other AWS resources. */
     CapacityProviderOperatorRoleArn: string;
   });
 }
 
 export declare class CapacityProviderScalingConfig {
   constructor(props: {
-    /** The maximum number of EC2 instances that the capacity provider can scale up to. */
+    /** The maximum number of vCPUs that the capacity provider can provision across all compute instances. */
     MaxVCpuCount?: number;
+    /** The scaling mode that determines how the capacity provider responds to changes in demand. */
     ScalingMode?: LambdaCapacityProvider_CapacityProviderScalingMode;
     /** A list of target tracking scaling policies for the capacity provider. */
     ScalingPolicies?: LambdaCapacityProvider_TargetTrackingScalingPolicy[];
@@ -54658,9 +54678,9 @@ export declare class CapacityProviderStrategy {
 
 export declare class CapacityProviderVpcConfig {
   constructor(props: {
-    /** A list of security group IDs to associate with EC2 instances. */
+    /** A list of security group IDs that control network access for compute instances managed by the capacity provider. */
     SecurityGroupIds: string[];
-    /** A list of subnet IDs where the capacity provider can launch EC2 instances. */
+    /** A list of subnet IDs where the capacity provider launches compute instances. */
     SubnetIds: string[];
   });
 }
@@ -54711,6 +54731,13 @@ export declare class CapacityReservationOptionsRequest {
   });
 }
 
+export declare class CapacityReservationRequest {
+  constructor(props: {
+    ReservationGroupArn?: string;
+    ReservationPreference?: "RESERVATIONS_EXCLUDED" | "RESERVATIONS_FIRST" | "RESERVATIONS_ONLY";
+  });
+}
+
 export declare class CapacitySize {
   constructor(props: {
     /** Specifies whether the `Value` is an instance count or a capacity unit. */
@@ -74098,11 +74125,19 @@ export declare class ECSCapacityProvider_BaselineEbsBandwidthMbpsRequest {
   });
 }
 
+export declare class ECSCapacityProvider_CapacityReservationRequest {
+  constructor(props: {
+    ReservationGroupArn?: string;
+    ReservationPreference?: "RESERVATIONS_EXCLUDED" | "RESERVATIONS_FIRST" | "RESERVATIONS_ONLY";
+  });
+}
+
 export declare class ECSCapacityProvider_InstanceLaunchTemplate {
   constructor(props: {
     Ec2InstanceProfileArn: string;
     NetworkConfiguration: ECSCapacityProvider_ManagedInstancesNetworkConfiguration;
-    CapacityOptionType?: "ON_DEMAND" | "SPOT";
+    CapacityOptionType?: "ON_DEMAND" | "RESERVED" | "SPOT";
+    CapacityReservations?: ECSCapacityProvider_CapacityReservationRequest;
     FipsEnabled?: boolean;
     InstanceRequirements?: ECSCapacityProvider_InstanceRequirementsRequest;
     Monitoring?: ECSCapacityProvider_ManagedInstancesMonitoringOptions;
@@ -90276,7 +90311,8 @@ export declare class InstanceLaunchTemplate {
   constructor(props: {
     Ec2InstanceProfileArn: string;
     NetworkConfiguration: ECSCapacityProvider_ManagedInstancesNetworkConfiguration;
-    CapacityOptionType?: "ON_DEMAND" | "SPOT";
+    CapacityOptionType?: "ON_DEMAND" | "RESERVED" | "SPOT";
+    CapacityReservations?: ECSCapacityProvider_CapacityReservationRequest;
     FipsEnabled?: boolean;
     InstanceRequirements?: ECSCapacityProvider_InstanceRequirementsRequest;
     Monitoring?: ECSCapacityProvider_ManagedInstancesMonitoringOptions;
@@ -94879,15 +94915,16 @@ export declare class LambdaAlias_VersionWeight {
 
 export declare class LambdaCapacityProvider_CapacityProviderPermissionsConfig {
   constructor(props: {
-    /** The ARN of the IAM role that Lambda assumes to manage the capacity provider. */
+    /** The ARN of the IAM role that the capacity provider uses to manage compute instances and other AWS resources. */
     CapacityProviderOperatorRoleArn: string;
   });
 }
 
 export declare class LambdaCapacityProvider_CapacityProviderScalingConfig {
   constructor(props: {
-    /** The maximum number of EC2 instances that the capacity provider can scale up to. */
+    /** The maximum number of vCPUs that the capacity provider can provision across all compute instances. */
     MaxVCpuCount?: number;
+    /** The scaling mode that determines how the capacity provider responds to changes in demand. */
     ScalingMode?: LambdaCapacityProvider_CapacityProviderScalingMode;
     /** A list of target tracking scaling policies for the capacity provider. */
     ScalingPolicies?: LambdaCapacityProvider_TargetTrackingScalingPolicy[];
@@ -94896,20 +94933,20 @@ export declare class LambdaCapacityProvider_CapacityProviderScalingConfig {
 
 export declare class LambdaCapacityProvider_CapacityProviderVpcConfig {
   constructor(props: {
-    /** A list of security group IDs to associate with EC2 instances. */
+    /** A list of security group IDs that control network access for compute instances managed by the capacity provider. */
     SecurityGroupIds: string[];
-    /** A list of subnet IDs where the capacity provider can launch EC2 instances. */
+    /** A list of subnet IDs where the capacity provider launches compute instances. */
     SubnetIds: string[];
   });
 }
 
 export declare class LambdaCapacityProvider_InstanceRequirements {
   constructor(props: {
-    /** A list of instance types that the capacity provider can use. Supports wildcards (for example, m5.*). */
+    /** A list of EC2 instance types that the capacity provider is allowed to use. If not specified, all compatible instance types are allowed. */
     AllowedInstanceTypes?: string[];
-    /** The instruction set architecture for EC2 instances. Specify either x86_64 or arm64. */
+    /** A list of supported CPU architectures for compute instances. Valid values include ``x86_64`` and ``arm64``. */
     Architectures?: LambdaCapacityProvider_Architecture[];
-    /** A list of instance types that the capacity provider should not use. Takes precedence over AllowedInstanceTypes. */
+    /** A list of EC2 instance types that the capacity provider should not use, even if they meet other requirements. */
     ExcludedInstanceTypes?: string[];
   });
 }
@@ -94925,8 +94962,9 @@ export declare class LambdaCapacityProvider_Tag {
 
 export declare class LambdaCapacityProvider_TargetTrackingScalingPolicy {
   constructor(props: {
+    /** The predefined metric type to track for scaling decisions. */
     PredefinedMetricType: LambdaCapacityProvider_CapacityProviderPredefinedMetricType;
-    /** The target value for the metric as a percentage (for example, 70.0 for 70%). */
+    /** The target value for the metric that the scaling policy attempts to maintain through scaling actions. */
     TargetValue: number;
   });
 }
@@ -99160,7 +99198,9 @@ export declare class MaintenanceStrategies {
 
 export declare class MaintenanceWindow_Tag {
   constructor(props: {
+    /** The name of the tag. */
     Key: string;
+    /** The value of the tag. */
     Value: string;
   });
 }
@@ -143418,8 +143458,9 @@ export declare class TargetTrackingScalingConfiguration {
 
 export declare class TargetTrackingScalingPolicy {
   constructor(props: {
+    /** The predefined metric type to track for scaling decisions. */
     PredefinedMetricType: LambdaCapacityProvider_CapacityProviderPredefinedMetricType;
-    /** The target value for the metric as a percentage (for example, 70.0 for 70%). */
+    /** The target value for the metric that the scaling policy attempts to maintain through scaling actions. */
     TargetValue: number;
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-aws",
-  "version": "0.0.13",
+  "version": "0.0.14",
   "license": "Apache-2.0",
   "type": "module",
   "files": ["src/", "dist/"],
@@ -22,7 +22,7 @@
   "prepack": "bun run bundle && bun run validate"
 },
 "dependencies": {
-  "@intentius/chant": "0.0.12",
+  "@intentius/chant": "0.0.13",
   "fflate": "^0.8.2",
   "js-yaml": "^4.1.0"
 },

package/src/codegen/docs.ts

@@ -149,22 +149,23 @@ When you reference a resource or attribute from another file (e.g. \`dataBucket.
 
 CloudFormation parameters let you customize a stack at deploy time. Export a \`Parameter\` to add it to the template's \`Parameters\` section:
 
-{{file:docs-snippets/src/parameter-ref.ts}}
+{{file:docs-snippets/src/parameter-declaration.ts}}
 
 Produces:
 
 \`\`\`json
 "Parameters": {
-  "Name": {
+  "Environment": {
     "Type": "String",
-    "Description": "Project name used in resource naming"
+    "Default": "dev",
+    "Description": "Deployment environment"
   }
 }
 \`\`\`
 
 Reference parameters with \`Ref\`:
 
-{{file:docs-snippets/src/parameter-ref.ts}}
+{{file:docs-snippets/src/parameter-cross-file-ref.ts}}
 
 ## Outputs
 
@@ -201,7 +202,7 @@ Runtime context values available in every template, accessed via the \`AWS\` nam
 
 ## Intrinsic functions
 
-The lexicon provides 8 intrinsic functions (\`Sub\`, \`Ref\`, \`GetAtt\`, \`If\`, \`Join\`, \`Select\`, \`Split\`, \`Base64\`) that map directly to CloudFormation \`Fn::\` calls. See [Intrinsic Functions](../intrinsics/) for full usage examples.
+The lexicon provides 9 intrinsic functions (\`Sub\`, \`Ref\`, \`GetAtt\`, \`If\`, \`Join\`, \`Select\`, \`Split\`, \`Base64\`, \`GetAZs\`) that map directly to CloudFormation \`Fn::\` calls. See [Intrinsic Functions](../intrinsics/) for full usage examples.
 
 ## Dependencies
 
@@ -369,7 +370,13 @@ Splits a string by a delimiter:
 
 Encodes a string to Base64, commonly used for EC2 user data:
 
-{{file:docs-snippets/src/intrinsics-detail.ts:23-27}}`,
+{{file:docs-snippets/src/intrinsics-detail.ts:23-27}}
+
+## \`GetAZs\` — availability zones
+
+Returns the list of Availability Zones for a region:
+
+{{file:docs-snippets/src/intrinsics-detail.ts:29-31}}`,
       },
       {
         slug: "composites",
@@ -750,6 +757,72 @@ WAW030: API Gateway Deployment "MyDeployment" has no DependsOn on any Method
 WAW030: ScalableTarget "MyTarget" targets DynamoDB but has no DependsOn on any Table
 \`\`\`
 
+### WAW018 — S3 Bucket Missing Public Access Block
+
+**Severity:** error | **Category:** security
+
+Flags S3 buckets without a \`PublicAccessBlockConfiguration\`. Without an explicit public access block, the bucket may be publicly accessible. Always set \`BlockPublicAcls\`, \`BlockPublicPolicy\`, \`IgnorePublicAcls\`, and \`RestrictPublicBuckets\` to \`true\`.
+
+### WAW019 — Security Group Unrestricted Ingress on Sensitive Ports
+
+**Severity:** error | **Category:** security
+
+Flags security group ingress rules that allow unrestricted access (\`0.0.0.0/0\` or \`::/0\`) on sensitive ports (22, 3389, 3306, 5432, 1433, 6379, 27017). Restrict ingress to known CIDR ranges or security groups.
+
+### WAW020 — IAM Policy Uses Wildcard Action
+
+**Severity:** warning | **Category:** security
+
+Flags IAM policy statements that use wildcard actions (\`"Action": "*"\` or \`"Action": "s3:*"\`). Use specific action names following the principle of least privilege.
+
+### WAW021 — RDS Storage Not Encrypted
+
+**Severity:** error | **Category:** security
+
+Flags RDS instances without \`StorageEncrypted: true\`. All RDS instances should encrypt data at rest to meet compliance and security requirements.
+
+### WAW022 — Lambda Not in VPC
+
+**Severity:** warning | **Category:** security
+
+Flags Lambda functions without a \`VpcConfig\`. Functions that access internal resources (databases, caches, internal APIs) should run inside a VPC. Functions that only call public APIs can safely skip VPC configuration.
+
+### WAW023 — CloudFront Without WAF
+
+**Severity:** warning | **Category:** security
+
+Flags CloudFront distributions without a \`WebACLId\`. Attaching a WAF web ACL protects your distribution from common web exploits and bots.
+
+### WAW024 — ALB Without Access Logging
+
+**Severity:** warning | **Category:** best practice
+
+Flags Application Load Balancers without access logging enabled. Enable \`access_logs.s3.enabled\` to capture request logs for debugging and compliance.
+
+### WAW025 — SNS Topic Not Encrypted
+
+**Severity:** warning | **Category:** security
+
+Flags SNS topics without \`KmsMasterKeyId\`. Encrypting topics at rest protects sensitive notification payloads.
+
+### WAW026 — SQS Queue Not Encrypted
+
+**Severity:** warning | **Category:** security
+
+Flags SQS queues without \`KmsMasterKeyId\` or \`SqsManagedSseEnabled\`. Encrypting queues at rest protects sensitive message payloads.
+
+### WAW027 — DynamoDB Missing Point-in-Time Recovery
+
+**Severity:** info | **Category:** best practice
+
+Flags DynamoDB tables without \`PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled\` set to \`true\`. Point-in-time recovery provides continuous backups and protects against accidental writes or deletes.
+
+### WAW028 — EBS Volume Not Encrypted
+
+**Severity:** warning | **Category:** security
+
+Flags EBS volumes without \`Encrypted: true\`. All EBS volumes should encrypt data at rest for compliance and security.
+
 ## Running lint
 
 \`\`\`bash
@@ -954,7 +1027,19 @@ src/
 - **Composite presets** — \`SecureApi\` (low memory, short timeout) and \`HighMemoryApi\` (high memory, longer timeout)
 - **Custom lint rule** — \`api-timeout.ts\` enforces API Gateway's 29-second timeout limit (see [Custom Lint Rules](../custom-rules/))
 
-The example produces 10 CloudFormation resources: 1 S3 bucket + 3 composites × 3 members each.`,
+The example produces 10 CloudFormation resources: 1 S3 bucket + 3 composites × 3 members each.
+
+## RDS Instance
+
+\`examples/rds-postgres/\` — production RDS PostgreSQL instance using the \`RdsInstance\` composite with VPC networking and SSM parameter references.
+
+{{file:rds-postgres/src/params.ts}}
+
+{{file:rds-postgres/src/network.ts}}
+
+{{file:rds-postgres/src/database.ts}}
+
+Produces a complete RDS stack: VPC infrastructure (from \`VpcDefault\`), DB subnet group, security group, and RDS instance with encrypted storage.`,
       },
       {
         slug: "skills",