@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/composites/fargate-alb.ts

@@ -0,0 +1,253 @@
+import { Composite } from "@intentius/chant";
+import {
+  EcsCluster,
+  EcsService,
+  EcsService_LoadBalancer,
+  EcsService_NetworkConfiguration,
+  EcsService_AwsVpcConfiguration,
+  TaskDefinition,
+  TaskDefinition_ContainerDefinition,
+  TaskDefinition_PortMapping,
+  TaskDefinition_LogConfiguration,
+  TaskDefinition_KeyValuePair,
+  LoadBalancer,
+  TargetGroup,
+  Listener,
+  Listener_Action,
+  SecurityGroup,
+  SecurityGroup_Ingress,
+  LogGroup,
+  Role,
+  Role_Policy,
+} from "../generated";
+import { Sub } from "../intrinsics";
+import { ECRActions } from "../actions/ecr";
+import { LogsActions } from "../actions/logs";
+
+export interface FargateAlbProps {
+  image: string;
+  containerPort?: number;
+  cpu?: string;
+  memory?: string;
+  desiredCount?: number;
+  vpcId: string;
+  publicSubnetIds: string[];
+  privateSubnetIds: string[];
+  healthCheckPath?: string;
+  listenerPort?: number;
+  environment?: Record<string, string>;
+  command?: string[];
+  ManagedPolicyArns?: string[];
+  Policies?: InstanceType<typeof Role_Policy>[];
+  logRetentionDays?: number;
+}
+
+const ecsTrustPolicy = {
+  Version: "2012-10-17" as const,
+  Statement: [
+    {
+      Effect: "Allow" as const,
+      Principal: { Service: "ecs-tasks.amazonaws.com" },
+      Action: "sts:AssumeRole",
+    },
+  ],
+};
+
+export const FargateAlb = Composite<FargateAlbProps>((props) => {
+  const containerPort = props.containerPort ?? 80;
+  const cpu = props.cpu ?? "256";
+  const memory = props.memory ?? "512";
+  const desiredCount = props.desiredCount ?? 2;
+  const healthCheckPath = props.healthCheckPath ?? "/";
+  const listenerPort = props.listenerPort ?? 80;
+  const logRetentionDays = props.logRetentionDays ?? 30;
+
+  // ECS Cluster
+  const cluster = new EcsCluster({});
+
+  // Execution role — ECR pull + CloudWatch Logs write
+  const executionPolicyDocument = {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: ECRActions.Pull,
+        Resource: "*",
+      },
+      {
+        Effect: "Allow",
+        Action: LogsActions.Write,
+        Resource: "*",
+      },
+    ],
+  };
+
+  const executionPolicy = new Role_Policy({
+    PolicyName: "ExecutionPolicy",
+    PolicyDocument: executionPolicyDocument,
+  });
+
+  const executionRole = new Role({
+    AssumeRolePolicyDocument: ecsTrustPolicy,
+    Policies: [executionPolicy],
+  });
+
+  // Task role — app permissions
+  const taskRole = new Role({
+    AssumeRolePolicyDocument: ecsTrustPolicy,
+    ManagedPolicyArns: props.ManagedPolicyArns,
+    Policies: props.Policies,
+  });
+
+  // Log group
+  const logGroup = new LogGroup({
+    RetentionInDays: logRetentionDays,
+  });
+
+  // Container definition
+  const portMapping = new TaskDefinition_PortMapping({
+    ContainerPort: containerPort,
+    Protocol: "tcp",
+  });
+
+  const logConfiguration = new TaskDefinition_LogConfiguration({
+    LogDriver: "awslogs",
+    Options: {
+      "awslogs-group": logGroup as any,
+      "awslogs-region": Sub`\${AWS::Region}`,
+      "awslogs-stream-prefix": "ecs",
+    },
+  });
+
+  const environmentVars: InstanceType<typeof TaskDefinition_KeyValuePair>[] = [];
+  if (props.environment) {
+    for (const [name, value] of Object.entries(props.environment)) {
+      environmentVars.push(
+        new TaskDefinition_KeyValuePair({ Name: name, Value: value }),
+      );
+    }
+  }
+
+  const container = new TaskDefinition_ContainerDefinition({
+    Name: "app",
+    Image: props.image,
+    Essential: true,
+    PortMappings: [portMapping],
+    LogConfiguration: logConfiguration,
+    Environment: environmentVars.length > 0 ? environmentVars : undefined,
+    Command: props.command,
+  });
+
+  // Task definition
+  const taskDef = new TaskDefinition({
+    NetworkMode: "awsvpc",
+    RequiresCompatibilities: ["FARGATE"],
+    Cpu: cpu,
+    Memory: memory,
+    ExecutionRoleArn: executionRole.Arn,
+    TaskRoleArn: taskRole.Arn,
+    ContainerDefinitions: [container],
+  });
+
+  // ALB security group — ingress on listener port from anywhere
+  const albIngress = new SecurityGroup_Ingress({
+    IpProtocol: "tcp",
+    FromPort: listenerPort,
+    ToPort: listenerPort,
+    CidrIp: "0.0.0.0/0",
+  });
+
+  const albSg = new SecurityGroup({
+    GroupDescription: "ALB security group",
+    VpcId: props.vpcId,
+    SecurityGroupIngress: [albIngress],
+  });
+
+  // Task security group — ingress on container port from ALB SG
+  const taskIngress = new SecurityGroup_Ingress({
+    IpProtocol: "tcp",
+    FromPort: containerPort,
+    ToPort: containerPort,
+    SourceSecurityGroupId: albSg.GroupId,
+  });
+
+  const taskSg = new SecurityGroup({
+    GroupDescription: "Fargate task security group",
+    VpcId: props.vpcId,
+    SecurityGroupIngress: [taskIngress],
+  });
+
+  // Application Load Balancer
+  const alb = new LoadBalancer({
+    Type: "application",
+    Scheme: "internet-facing",
+    Subnets: props.publicSubnetIds,
+    SecurityGroups: [albSg.GroupId],
+  });
+
+  // Target group
+  const targetGroup = new TargetGroup({
+    TargetType: "ip",
+    Protocol: "HTTP",
+    Port: containerPort,
+    VpcId: props.vpcId,
+    HealthCheckPath: healthCheckPath,
+  });
+
+  // Listener
+  const defaultAction = new Listener_Action({
+    Type: "forward",
+    TargetGroupArn: targetGroup.TargetGroupArn,
+  });
+
+  const listener = new Listener({
+    LoadBalancerArn: alb.LoadBalancerArn,
+    Port: listenerPort,
+    Protocol: "HTTP",
+    DefaultActions: [defaultAction],
+  });
+
+  // ECS Service
+  const serviceLoadBalancer = new EcsService_LoadBalancer({
+    ContainerName: "app",
+    ContainerPort: containerPort,
+    TargetGroupArn: targetGroup.TargetGroupArn,
+  });
+
+  const awsVpcConfig = new EcsService_AwsVpcConfiguration({
+    Subnets: props.privateSubnetIds,
+    SecurityGroups: [taskSg.GroupId],
+    AssignPublicIp: "DISABLED",
+  });
+
+  const networkConfig = new EcsService_NetworkConfiguration({
+    AwsvpcConfiguration: awsVpcConfig,
+  });
+
+  const service = new EcsService(
+    {
+      Cluster: cluster.Arn,
+      TaskDefinition: taskDef.TaskDefinitionArn,
+      LaunchType: "FARGATE",
+      DesiredCount: desiredCount,
+      HealthCheckGracePeriodSeconds: 60,
+      LoadBalancers: [serviceLoadBalancer],
+      NetworkConfiguration: networkConfig,
+    },
+    { DependsOn: [listener] },
+  );
+
+  return {
+    cluster,
+    executionRole,
+    taskRole,
+    logGroup,
+    taskDef,
+    albSg,
+    taskSg,
+    alb,
+    targetGroup,
+    listener,
+    service,
+  };
+}, "FargateAlb");

package/src/composites/index.ts

@@ -0,0 +1,20 @@
+export { LambdaFunction, LambdaNode, LambdaPython, NodeLambda, PythonLambda } from "./lambda-function";
+export type { LambdaFunctionProps } from "./lambda-function";
+export { LambdaApi } from "./lambda-api";
+export type { LambdaApiProps } from "./lambda-api";
+export { LambdaScheduled, ScheduledLambda } from "./scheduled-lambda";
+export type { ScheduledLambdaProps } from "./scheduled-lambda";
+export { LambdaSqs } from "./lambda-sqs";
+export type { LambdaSqsProps } from "./lambda-sqs";
+export { LambdaEventBridge } from "./lambda-eventbridge";
+export type { LambdaEventBridgeProps } from "./lambda-eventbridge";
+export { LambdaDynamoDB } from "./lambda-dynamodb";
+export type { LambdaDynamoDBProps } from "./lambda-dynamodb";
+export { LambdaS3 } from "./lambda-s3";
+export type { LambdaS3Props } from "./lambda-s3";
+export { LambdaSns } from "./lambda-sns";
+export type { LambdaSnsProps } from "./lambda-sns";
+export { VpcDefault } from "./vpc-default";
+export type { VpcDefaultProps } from "./vpc-default";
+export { FargateAlb } from "./fargate-alb";
+export type { FargateAlbProps } from "./fargate-alb";

package/src/composites/lambda-api.ts

@@ -0,0 +1,20 @@
+import { Composite } from "@intentius/chant";
+import { Permission } from "../generated";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaApiProps extends LambdaFunctionProps {
+  sourceArn?: string;
+}
+
+export const LambdaApi = Composite<LambdaApiProps>((props) => {
+  const { role, func } = LambdaFunction(props);
+
+  const permission = new Permission({
+    FunctionName: func.Arn,
+    Action: "lambda:InvokeFunction",
+    Principal: "apigateway.amazonaws.com",
+    SourceArn: props.sourceArn,
+  });
+
+  return { role, func, permission };
+}, "LambdaApi");

package/src/composites/lambda-dynamodb.ts

@@ -0,0 +1,64 @@
+import { Composite } from "@intentius/chant";
+import { Table, Table_AttributeDefinition, Table_KeySchema, Role_Policy } from "../generated";
+import { DynamoDBActions } from "../actions/dynamodb";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaDynamoDBProps extends LambdaFunctionProps {
+  tableName?: string;
+  partitionKey: string;
+  sortKey?: string;
+  access?: "ReadOnly" | "ReadWrite" | "Full";
+}
+
+export const LambdaDynamoDB = Composite<LambdaDynamoDBProps>((props) => {
+  const attributeDefinitions = [
+    new Table_AttributeDefinition({ AttributeName: props.partitionKey, AttributeType: "S" }),
+  ];
+  const keySchema: InstanceType<typeof Table_KeySchema>[] = [
+    new Table_KeySchema({ AttributeName: props.partitionKey, KeyType: "HASH" }),
+  ];
+
+  if (props.sortKey) {
+    attributeDefinitions.push(
+      new Table_AttributeDefinition({ AttributeName: props.sortKey, AttributeType: "S" }),
+    );
+    keySchema.push(
+      new Table_KeySchema({ AttributeName: props.sortKey, KeyType: "RANGE" }),
+    );
+  }
+
+  const table = new Table({
+    TableName: props.tableName,
+    BillingMode: "PAY_PER_REQUEST",
+    AttributeDefinitions: attributeDefinitions,
+    KeySchema: keySchema,
+  });
+
+  const access = props.access ?? "ReadWrite";
+  const dynamoPolicyDocument = {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: DynamoDBActions[access],
+        Resource: table.Arn,
+      },
+    ],
+  };
+
+  const dynamoPolicy = new Role_Policy({
+    PolicyName: `DynamoDB${access}`,
+    PolicyDocument: dynamoPolicyDocument,
+  });
+
+  const policies = props.Policies ? [dynamoPolicy, ...props.Policies] : [dynamoPolicy];
+  const env = props.Environment ?? { Variables: {} };
+  const variables = { ...((env as any).Variables ?? {}), TABLE_NAME: table.Ref };
+  const { role, func } = LambdaFunction({
+    ...props,
+    Policies: policies,
+    Environment: { Variables: variables },
+  });
+
+  return { table, role, func };
+}, "LambdaDynamoDB");

package/src/composites/lambda-eventbridge.ts

@@ -0,0 +1,36 @@
+import { Composite } from "@intentius/chant";
+import { EventRule, EventRule_Target, Permission } from "../generated";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaEventBridgeProps extends LambdaFunctionProps {
+  ruleName?: string;
+  schedule?: string;
+  eventPattern?: Record<string, unknown>;
+  enabled?: boolean;
+}
+
+export const LambdaEventBridge = Composite<LambdaEventBridgeProps>((props) => {
+  const { role, func } = LambdaFunction(props);
+
+  const rule = new EventRule({
+    Name: props.ruleName,
+    ScheduleExpression: props.schedule,
+    EventPattern: props.eventPattern,
+    State: (props.enabled ?? true) ? "ENABLED" : "DISABLED",
+    Targets: [
+      new EventRule_Target({
+        Arn: func.Arn,
+        Id: "Target0",
+      }),
+    ],
+  });
+
+  const permission = new Permission({
+    FunctionName: func.Arn,
+    Action: "lambda:InvokeFunction",
+    Principal: "events.amazonaws.com",
+    SourceArn: rule.Arn,
+  });
+
+  return { rule, role, func, permission };
+}, "LambdaEventBridge");

package/src/composites/lambda-function.ts

@@ -0,0 +1,76 @@
+import { Composite, withDefaults } from "@intentius/chant";
+import { Role, Function, Function_VpcConfig, Role_Policy } from "../generated";
+
+const lambdaTrustPolicy = {
+  Version: "2012-10-17" as const,
+  Statement: [
+    {
+      Effect: "Allow" as const,
+      Principal: { Service: "lambda.amazonaws.com" },
+      Action: "sts:AssumeRole",
+    },
+  ],
+};
+
+const BASIC_EXECUTION_ARN =
+  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole";
+const VPC_ACCESS_ARN =
+  "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole";
+
+export interface LambdaFunctionProps {
+  name: string;
+  Runtime: string;
+  Handler: string;
+  Code: ConstructorParameters<typeof Function>[0]["Code"];
+  Timeout?: number;
+  MemorySize?: number;
+  Environment?: ConstructorParameters<typeof Function>[0]["Environment"];
+  ManagedPolicyArns?: string[];
+  Policies?: InstanceType<typeof Role_Policy>[];
+  VpcConfig?: ConstructorParameters<typeof Function_VpcConfig>[0];
+}
+
+export const LambdaFunction = Composite<LambdaFunctionProps>((props) => {
+  const managedPolicies = [BASIC_EXECUTION_ARN];
+  if (props.VpcConfig) {
+    managedPolicies.push(VPC_ACCESS_ARN);
+  }
+  if (props.ManagedPolicyArns) {
+    managedPolicies.push(...props.ManagedPolicyArns);
+  }
+
+  const role = new Role({
+    AssumeRolePolicyDocument: lambdaTrustPolicy,
+    ManagedPolicyArns: managedPolicies,
+    Policies: props.Policies,
+  });
+
+  const func = new Function({
+    FunctionName: props.name,
+    Runtime: props.Runtime as any,
+    Handler: props.Handler,
+    Code: props.Code,
+    Role: role.Arn,
+    Timeout: props.Timeout ?? 30,
+    MemorySize: props.MemorySize,
+    Environment: props.Environment,
+    VpcConfig: props.VpcConfig ? new Function_VpcConfig(props.VpcConfig) : undefined,
+  });
+
+  return { role, func };
+}, "LambdaFunction");
+
+export const LambdaNode = withDefaults(LambdaFunction, {
+  Runtime: "nodejs20.x",
+  Handler: "index.handler",
+});
+
+export const LambdaPython = withDefaults(LambdaFunction, {
+  Runtime: "python3.12",
+  Handler: "handler.handler",
+});
+
+/** @deprecated Use `LambdaNode` instead */
+export const NodeLambda = LambdaNode;
+/** @deprecated Use `LambdaPython` instead */
+export const PythonLambda = LambdaPython;

package/src/composites/lambda-s3.ts

@@ -0,0 +1,72 @@
+import { Composite } from "@intentius/chant";
+import {
+  Bucket,
+  Bucket_BucketEncryption,
+  Bucket_ServerSideEncryptionRule,
+  Bucket_ServerSideEncryptionByDefault,
+  Bucket_PublicAccessBlockConfiguration,
+  Role_Policy,
+} from "../generated";
+import { Sub } from "../intrinsics";
+import { S3Actions } from "../actions/s3";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaS3Props extends LambdaFunctionProps {
+  bucketName?: string;
+  access?: "ReadOnly" | "ReadWrite" | "Full";
+}
+
+export const LambdaS3 = Composite<LambdaS3Props>((props) => {
+  const encryptionDefault = new Bucket_ServerSideEncryptionByDefault({
+    SSEAlgorithm: "AES256",
+  });
+
+  const encryptionRule = new Bucket_ServerSideEncryptionRule({
+    ServerSideEncryptionByDefault: encryptionDefault,
+  });
+
+  const bucketEncryption = new Bucket_BucketEncryption({
+    ServerSideEncryptionConfiguration: [encryptionRule],
+  });
+
+  const publicAccessBlock = new Bucket_PublicAccessBlockConfiguration({
+    BlockPublicAcls: true,
+    BlockPublicPolicy: true,
+    IgnorePublicAcls: true,
+    RestrictPublicBuckets: true,
+  });
+
+  const bucket = new Bucket({
+    BucketName: props.bucketName,
+    BucketEncryption: bucketEncryption,
+    PublicAccessBlockConfiguration: publicAccessBlock,
+  });
+
+  const access = props.access ?? "ReadWrite";
+  const s3PolicyDocument = {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: S3Actions[access],
+        Resource: [bucket.Arn, Sub`${bucket.Arn}/*`],
+      },
+    ],
+  };
+
+  const s3Policy = new Role_Policy({
+    PolicyName: `S3${access}`,
+    PolicyDocument: s3PolicyDocument,
+  });
+
+  const policies = props.Policies ? [s3Policy, ...props.Policies] : [s3Policy];
+  const env = props.Environment ?? { Variables: {} };
+  const variables = { ...((env as any).Variables ?? {}), BUCKET_NAME: bucket.Ref };
+  const { role, func } = LambdaFunction({
+    ...props,
+    Policies: policies,
+    Environment: { Variables: variables },
+  });
+
+  return { bucket, role, func };
+}, "LambdaS3");

package/src/composites/lambda-sns.ts

@@ -0,0 +1,30 @@
+import { Composite } from "@intentius/chant";
+import { Topic, Subscription, Permission } from "../generated";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaSnsProps extends LambdaFunctionProps {
+  topicName?: string;
+}
+
+export const LambdaSns = Composite<LambdaSnsProps>((props) => {
+  const { role, func } = LambdaFunction(props);
+
+  const topic = new Topic({
+    TopicName: props.topicName,
+  });
+
+  const subscription = new Subscription({
+    TopicArn: topic.TopicArn,
+    Protocol: "lambda",
+    Endpoint: func.Arn,
+  });
+
+  const permission = new Permission({
+    FunctionName: func.Arn,
+    Action: "lambda:InvokeFunction",
+    Principal: "sns.amazonaws.com",
+    SourceArn: topic.TopicArn,
+  });
+
+  return { topic, role, func, subscription, permission };
+}, "LambdaSns");

package/src/composites/lambda-sqs.ts

@@ -0,0 +1,44 @@
+import { Composite } from "@intentius/chant";
+import { Queue, EventSourceMapping, Role_Policy } from "../generated";
+import { SQSActions } from "../actions/sqs";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface LambdaSqsProps extends LambdaFunctionProps {
+  queueName?: string;
+  batchSize?: number;
+  maxBatchingWindow?: number;
+}
+
+export const LambdaSqs = Composite<LambdaSqsProps>((props) => {
+  const queue = new Queue({
+    QueueName: props.queueName,
+  });
+
+  const sqsPolicyDocument = {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: SQSActions.ReceiveMessage,
+        Resource: queue.Arn,
+      },
+    ],
+  };
+
+  const sqsPolicy = new Role_Policy({
+    PolicyName: "SQSReceive",
+    PolicyDocument: sqsPolicyDocument,
+  });
+
+  const policies = props.Policies ? [sqsPolicy, ...props.Policies] : [sqsPolicy];
+  const { role, func } = LambdaFunction({ ...props, Policies: policies });
+
+  new EventSourceMapping({
+    EventSourceArn: queue.Arn,
+    FunctionName: func.Arn,
+    BatchSize: props.batchSize ?? 10,
+    MaximumBatchingWindowInSeconds: props.maxBatchingWindow,
+  });
+
+  return { queue, role, func };
+}, "LambdaSqs");

package/src/composites/scheduled-lambda.ts

@@ -0,0 +1,37 @@
+import { Composite } from "@intentius/chant";
+import { EventRule, EventRule_Target, Permission } from "../generated";
+import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
+
+export interface ScheduledLambdaProps extends LambdaFunctionProps {
+  ruleName?: string;
+  schedule: string;
+  enabled?: boolean;
+}
+
+export const LambdaScheduled = Composite<ScheduledLambdaProps>((props) => {
+  const { role, func } = LambdaFunction(props);
+
+  const rule = new EventRule({
+    Name: props.ruleName,
+    ScheduleExpression: props.schedule,
+    State: (props.enabled ?? true) ? "ENABLED" : "DISABLED",
+    Targets: [
+      new EventRule_Target({
+        Arn: func.Arn,
+        Id: "Target0",
+      }),
+    ],
+  });
+
+  const permission = new Permission({
+    FunctionName: func.Arn,
+    Action: "lambda:InvokeFunction",
+    Principal: "events.amazonaws.com",
+    SourceArn: rule.Arn,
+  });
+
+  return { role, func, rule, permission };
+}, "LambdaScheduled");
+
+/** @deprecated Use `LambdaScheduled` instead */
+export const ScheduledLambda = LambdaScheduled;