@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/import/generator.test.ts

@@ -35,7 +35,7 @@ describe("CFGenerator", () => {
 
     expect(files[0].content).toContain("import { Bucket }");
     expect(files[0].content).toContain("export const MyBucket = new Bucket({");
-    expect(files[0].content).toContain('bucketName: "my-bucket"');
+    expect(files[0].content).toContain('BucketName: "my-bucket"');
   });
 
   test("generates Lambda Function", () => {
@@ -58,8 +58,8 @@ describe("CFGenerator", () => {
 
     expect(files[0].content).toContain("import { Function }");
     expect(files[0].content).toContain("export const MyFunction = new Function({");
-    expect(files[0].content).toContain('functionName: "my-function"');
-    expect(files[0].content).toContain('runtime: "nodejs18.x"');
+    expect(files[0].content).toContain('FunctionName: "my-function"');
+    expect(files[0].content).toContain('Runtime: "nodejs18.x"');
   });
 
   test("generates Ref as variable reference", () => {
@@ -78,7 +78,7 @@ describe("CFGenerator", () => {
 
     const files = generator.generate(ir);
 
-    expect(files[0].content).toContain("bucketName: Ref(BucketName)");
+    expect(files[0].content).toContain("BucketName: Ref(BucketName)");
   });
 
   test("generates GetAtt as property access", () => {
@@ -102,7 +102,7 @@ describe("CFGenerator", () => {
 
     const files = generator.generate(ir);
 
-    expect(files[0].content).toContain("sourceArn: SourceBucket.arn");
+    expect(files[0].content).toContain("SourceArn: SourceBucket.Arn");
   });
 
   test("generates Sub as tagged template", () => {

package/src/import/generator.ts

@@ -1,4 +1,6 @@
+import { createRequire } from "module";
 import type { TemplateIR, ResourceIR, ParameterIR } from "@intentius/chant/import/parser";
+const require = createRequire(import.meta.url);
 import type { TypeScriptGenerator, GeneratedFile } from "@intentius/chant/import/generator";
 import { topoSort } from "@intentius/chant/codegen/topo-sort";
 import { hasIntrinsicInValue, irUsesIntrinsic, collectDependencies } from "@intentius/chant/import/ir-utils";
@@ -455,11 +457,9 @@ export class CFGenerator implements TypeScriptGenerator {
   }
 
   /**
-   * Convert a property name to camelCase (lowercase first char).
-   * Used for resource property access (e.g., GetAtt attribute names)
-   * which matches chant's camelCase property convention.
+   * Property names use spec-native casing (PascalCase for CloudFormation).
    */
   private toPropName(name: string): string {
-    return name.charAt(0).toLowerCase() + name.slice(1);
+    return name;
   }
 }

package/src/import/roundtrip-fixtures.test.ts

@@ -5,7 +5,8 @@ import { CFParser } from "./parser";
 import { CFGenerator } from "./generator";
 import { build } from "@intentius/chant/build";
 import { awsSerializer } from "../serializer";
-import * as awsLexicon from "../index";
+// Dynamic import to get all export keys for validation (not a runtime re-export)
+const awsLexicon = await import("../index");
 
 const parser = new CFParser();
 const generator = new CFGenerator();

package/src/import/roundtrip.test.ts

@@ -24,7 +24,7 @@ describe("CloudFormation round-trip", () => {
     const files = generator.generate(ir);
 
     expect(files[0].content).toContain("Bucket");
-    expect(files[0].content).toContain('bucketName: "my-bucket"');
+    expect(files[0].content).toContain('BucketName: "my-bucket"');
     expect(files[0].content).toContain("export const MyBucket");
   });
 
@@ -53,7 +53,7 @@ describe("CloudFormation round-trip", () => {
 
     expect(files[0].content).toContain("Parameter");
     expect(files[0].content).toContain("Environment");
-    expect(files[0].content).toContain("bucketName: Ref(Environment)");
+    expect(files[0].content).toContain("BucketName: Ref(Environment)");
   });
 
   test("round-trips template with Fn::Sub", () => {
@@ -115,7 +115,7 @@ describe("CloudFormation round-trip", () => {
 
     expect(files[0].content).toContain("Role");
     expect(files[0].content).toContain("Function");
-    expect(files[0].content).toContain("LambdaRole.arn");
+    expect(files[0].content).toContain("LambdaRole.Arn");
   });
 
   test("round-trips complex nested properties", () => {
@@ -148,8 +148,8 @@ describe("CloudFormation round-trip", () => {
     const files = generator.generate(ir);
 
     expect(files[0].content).toContain("Function");
-    expect(files[0].content).toContain("environment:");
-    expect(files[0].content).toContain("vpcConfig:");
+    expect(files[0].content).toContain("Environment:");
+    expect(files[0].content).toContain("VpcConfig:");
   });
 
   test("round-trips empty template", () => {

package/src/index.ts

@@ -1,6 +1,10 @@
 // Parameter
 export { Parameter } from "./parameter";
 
+// Default Tags
+export { defaultTags, isDefaultTags, DEFAULT_TAGS_MARKER } from "./default-tags";
+export type { DefaultTags, TagEntry } from "./default-tags";
+
 // Serializer
 export { awsSerializer } from "./serializer";
 
@@ -64,6 +68,23 @@ export type { CFNSchema, SchemaProperty, SchemaDefinition } from "./spec/fetch";
 export { parseCFNSchema, cfnShortName, cfnServiceName } from "./spec/parse";
 export type { SchemaParseResult, ParsedResource, ParsedProperty, ParsedAttribute, ParsedPropertyType, ParsedEnum, PropertyConstraints } from "./spec/parse";
 
+// Action constants
+export { S3Actions, LambdaActions, DynamoDBActions, SQSActions, SNSActions, IAMActions, ECRActions, LogsActions, ECSActions } from "./actions/index";
+
+// Built-in composites
+export {
+  LambdaFunction, LambdaNode, LambdaPython, NodeLambda, PythonLambda,
+  LambdaApi,
+  LambdaScheduled, ScheduledLambda,
+  LambdaSqs, LambdaEventBridge, LambdaDynamoDB, LambdaS3, LambdaSns,
+  VpcDefault, FargateAlb,
+} from "./composites/index";
+export type {
+  LambdaFunctionProps, LambdaApiProps, ScheduledLambdaProps,
+  LambdaSqsProps, LambdaEventBridgeProps, LambdaDynamoDBProps, LambdaS3Props, LambdaSnsProps,
+  VpcDefaultProps, FargateAlbProps,
+} from "./composites/index";
+
 // Code generation pipeline
 export { generate, writeGeneratedFiles } from "./codegen/generate";
 export { packageLexicon } from "./codegen/package";

package/src/integration.test.ts

@@ -17,7 +17,7 @@ describe("AWS Integration", () => {
 
     test("serializes S3 bucket with properties", () => {
       const bucket = new (Bucket as any)({
-        bucketName: "my-bucket",
+        BucketName: "my-bucket",
       });
 
       const entities = new Map<string, Declarable>();
@@ -61,12 +61,12 @@ describe("AWS Integration", () => {
 
   describe("Cross-resource references", () => {
     test("GetAtt for bucket ARN", () => {
-      const bucket = new (Bucket as any)({ bucketName: "source" });
+      const bucket = new (Bucket as any)({ BucketName: "source" });
       // Set logical name for the AttrRef
-      (bucket.arn as Record<string, unknown>)._setLogicalName("SourceBucket");
+      (bucket.Arn as Record<string, unknown>)._setLogicalName("SourceBucket");
 
-      expect(bucket.arn.getLogicalName()).toBe("SourceBucket");
-      expect(bucket.arn.attribute).toBe("Arn");
+      expect(bucket.Arn.getLogicalName()).toBe("SourceBucket");
+      expect(bucket.Arn.attribute).toBe("Arn");
     });
   });
 
@@ -79,10 +79,10 @@ describe("AWS Integration", () => {
 
     test("Lambda Function has correct entity type", () => {
       const fn = new (Function as any)({
-        runtime: "nodejs18.x",
-        handler: "index.handler",
-        code: { s3Bucket: "my-bucket", s3Key: "code.zip" },
-        role: "arn:aws:iam::123456789012:role/lambda-role",
+        Runtime: "nodejs18.x",
+        Handler: "index.handler",
+        Code: { S3Bucket: "my-bucket", S3Key: "code.zip" },
+        Role: "arn:aws:iam::123456789012:role/lambda-role",
       });
       expect(fn.entityType).toBe("AWS::Lambda::Function");
       expect(fn[DECLARABLE_MARKER]).toBe(true);
@@ -90,7 +90,7 @@ describe("AWS Integration", () => {
 
     test("IAM Role has correct entity type", () => {
       const role = new (Role as any)({
-        assumeRolePolicyDocument: {
+        AssumeRolePolicyDocument: {
           Version: "2012-10-17",
           Statement: [],
         },
@@ -100,30 +100,101 @@ describe("AWS Integration", () => {
     });
   });
 
+  describe("Resource-level attributes (second constructor arg)", () => {
+    test("DependsOn with Declarable reference in real generated class", () => {
+      const bucket = new (Bucket as any)({ BucketName: "data" });
+      const fn = new (Function as any)(
+        {
+          Runtime: "nodejs20.x",
+          Handler: "index.handler",
+          Code: { S3Bucket: "my-bucket", S3Key: "code.zip" },
+          Role: "arn:aws:iam::123456789012:role/role",
+        },
+        { DependsOn: [bucket] },
+      );
+
+      expect(fn.attributes).toBeDefined();
+      expect(fn.attributes.DependsOn).toEqual([bucket]);
+
+      const entities = new Map<string, Declarable>();
+      entities.set("DataBucket", bucket);
+      entities.set("Handler", fn);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.Handler.DependsOn).toBe("DataBucket");
+    });
+
+    test("DeletionPolicy and Condition on real generated class", () => {
+      const bucket = new (Bucket as any)(
+        { BucketName: "important-data" },
+        { DeletionPolicy: "Retain", Condition: "CreateBucket" },
+      );
+
+      const entities = new Map<string, Declarable>();
+      entities.set("DataBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+
+      expect(template.Resources.DataBucket.DeletionPolicy).toBe("Retain");
+      expect(template.Resources.DataBucket.Condition).toBe("CreateBucket");
+    });
+
+    test("resource without attributes works unchanged", () => {
+      const bucket = new (Bucket as any)({ BucketName: "simple" });
+      expect(bucket.attributes).toEqual({});
+
+      const entities = new Map<string, Declarable>();
+      entities.set("SimpleBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.SimpleBucket.DeletionPolicy).toBeUndefined();
+      expect(template.Resources.SimpleBucket.Condition).toBeUndefined();
+    });
+
+    test("Metadata with intrinsics resolves correctly", () => {
+      const bucket = new (Bucket as any)(
+        { BucketName: "meta" },
+        { Metadata: { DeployedWith: Sub`${AWS.StackName}-chant` } },
+      );
+
+      const entities = new Map<string, Declarable>();
+      entities.set("MetaBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.MetaBucket.Metadata.DeployedWith).toEqual({
+        "Fn::Sub": "${AWS::StackName}-chant",
+      });
+    });
+  });
+
   describe("AttrRefs", () => {
     test("Bucket has expected AttrRefs", () => {
       const bucket = new (Bucket as any)({});
-      expect(bucket.arn).toBeDefined();
-      expect(bucket.domainName).toBeDefined();
-      expect(bucket.websiteURL).toBeDefined();
+      expect(bucket.Arn).toBeDefined();
+      expect(bucket.DomainName).toBeDefined();
+      expect(bucket.WebsiteURL).toBeDefined();
     });
 
     test("Lambda Function has expected AttrRefs", () => {
       const fn = new (Function as any)({
-        runtime: "nodejs18.x",
-        handler: "index.handler",
-        code: { s3Bucket: "bucket", s3Key: "key" },
-        role: "role-arn",
+        Runtime: "nodejs18.x",
+        Handler: "index.handler",
+        Code: { S3Bucket: "bucket", S3Key: "key" },
+        Role: "role-arn",
       });
-      expect(fn.arn).toBeDefined();
+      expect(fn.Arn).toBeDefined();
     });
 
     test("IAM Role has expected AttrRefs", () => {
       const role = new (Role as any)({
-        assumeRolePolicyDocument: {},
+        AssumeRolePolicyDocument: {},
       });
-      expect(role.arn).toBeDefined();
-      expect(role.roleId).toBeDefined();
+      expect(role.Arn).toBeDefined();
+      expect(role.RoleId).toBeDefined();
     });
   });
 });

package/src/intrinsics.ts

@@ -1,5 +1,7 @@
 import { INTRINSIC_MARKER, resolveIntrinsicValue, type Intrinsic } from "@intentius/chant/intrinsic";
 import { buildInterpolatedString, defaultInterpolationSerializer } from "@intentius/chant/intrinsic-interpolation";
+import { type Declarable } from "@intentius/chant/declarable";
+import { getLogicalName } from "@intentius/chant/utils";
 
 /**
  * Fn::Sub intrinsic function implementation
@@ -37,26 +39,32 @@ export function Sub(
 
 /**
  * Ref intrinsic function
- * References a parameter or resource by logical name
+ * References a parameter or resource by logical name.
+ * Accepts either a string name or a Declarable entity (e.g. Parameter).
+ * When given a Declarable, the logical name is resolved at serialization time.
  */
 export class RefIntrinsic implements Intrinsic {
   readonly [INTRINSIC_MARKER] = true as const;
-  private name: string;
+  private target: string | Declarable;
 
-  constructor(name: string) {
-    this.name = name;
+  constructor(target: string | Declarable) {
+    this.target = target;
   }
 
   toJSON(): { Ref: string } {
-    return { Ref: this.name };
+    if (typeof this.target === "string") {
+      return { Ref: this.target };
+    }
+    return { Ref: getLogicalName(this.target) };
   }
 }
 
 /**
- * Create a Ref intrinsic
+ * Create a Ref intrinsic.
+ * Pass a string for direct parameter/resource names, or a Declarable (e.g. Parameter) for type-safe references.
  */
-export function Ref(name: string): RefIntrinsic {
-  return new RefIntrinsic(name);
+export function Ref(target: string | Declarable): RefIntrinsic {
+  return new RefIntrinsic(target);
 }
 
 /**
@@ -147,22 +155,25 @@ export function Join(delimiter: string, values: unknown[]): JoinIntrinsic {
 export class SelectIntrinsic implements Intrinsic {
   readonly [INTRINSIC_MARKER] = true as const;
   private index: number;
-  private values: unknown[];
+  private values: unknown[] | Intrinsic;
 
-  constructor(index: number, values: unknown[]) {
+  constructor(index: number, values: unknown[] | Intrinsic) {
     this.index = index;
     this.values = values;
   }
 
-  toJSON(): { "Fn::Select": [string, unknown[]] } {
-    return { "Fn::Select": [String(this.index), this.values.map(resolveIntrinsicValue)] };
+  toJSON(): { "Fn::Select": [string, unknown] } {
+    const resolvedValues = Array.isArray(this.values)
+      ? this.values.map(resolveIntrinsicValue)
+      : (this.values as Intrinsic & { toJSON(): unknown }).toJSON();
+    return { "Fn::Select": [String(this.index), resolvedValues] };
   }
 }
 
 /**
  * Create a Select intrinsic
  */
-export function Select(index: number, values: unknown[]): SelectIntrinsic {
+export function Select(index: number, values: unknown[] | Intrinsic): SelectIntrinsic {
   return new SelectIntrinsic(index, values);
 }
 

package/src/lint/post-synth/cf-refs.ts

@@ -50,6 +50,105 @@ export function findResourceRefs(value: unknown): Set<string> {
   return refs;
 }
 
+/**
+ * Check if a value is a CloudFormation intrinsic function (Ref, Fn::*, etc.)
+ * that cannot be statically evaluated.
+ */
+export function isIntrinsic(value: unknown): boolean {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const obj = value as Record<string, unknown>;
+  return "Ref" in obj || Object.keys(obj).some((k) => k.startsWith("Fn::"));
+}
+
+/**
+ * Walk IAM policy statements from a resource's properties.
+ * Handles IAM::Policy, IAM::Role, and IAM::ManagedPolicy layouts.
+ */
+export function walkPolicyStatements(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const statements: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  // PolicyDocument.Statement (IAM::Policy, IAM::ManagedPolicy)
+  collectStatements(props.PolicyDocument, statements);
+
+  // AssumeRolePolicyDocument.Statement (IAM::Role)
+  collectStatements(props.AssumeRolePolicyDocument, statements);
+
+  // Policies[].PolicyDocument.Statement (IAM::Role inline policies)
+  if (Array.isArray(props.Policies)) {
+    for (const policy of props.Policies) {
+      if (typeof policy === "object" && policy !== null) {
+        collectStatements((policy as Record<string, unknown>).PolicyDocument, statements);
+      }
+    }
+  }
+
+  return statements;
+}
+
+function collectStatements(
+  policyDoc: unknown,
+  out: Array<Record<string, unknown>>,
+): void {
+  if (typeof policyDoc !== "object" || policyDoc === null) return;
+  const doc = policyDoc as Record<string, unknown>;
+  if (Array.isArray(doc.Statement)) {
+    for (const stmt of doc.Statement) {
+      if (typeof stmt === "object" && stmt !== null) {
+        out.push(stmt as Record<string, unknown>);
+      }
+    }
+  }
+}
+
+/**
+ * Normalize security group ingress rules from inline SecurityGroupIngress
+ * property and standalone SecurityGroupIngress resources.
+ */
+export function getSecurityGroupIngress(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const rules: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  if (Array.isArray(props.SecurityGroupIngress)) {
+    for (const rule of props.SecurityGroupIngress) {
+      if (typeof rule === "object" && rule !== null) {
+        rules.push(rule as Record<string, unknown>);
+      }
+    }
+  }
+
+  return rules;
+}
+
+/**
+ * Check if a port range [fromPort, toPort] contains any of the sensitive ports.
+ */
+export function portRangeContainsSensitive(
+  fromPort: unknown,
+  toPort: unknown,
+  sensitivePorts: number[],
+): boolean {
+  // Missing ports means all ports
+  if (fromPort === undefined && toPort === undefined) return true;
+
+  const from = typeof fromPort === "number" ? fromPort : -1;
+  const to = typeof toPort === "number" ? toPort : -1;
+
+  // If either is an intrinsic, we can't statically verify
+  if (isIntrinsic(fromPort) || isIntrinsic(toPort)) return false;
+
+  if (from === -1 && to === -1) return true;
+
+  for (const port of sensitivePorts) {
+    if (from <= port && port <= to) return true;
+  }
+  return false;
+}
+
 function walkValue(value: unknown, refs: Set<string>): void {
   if (value === null || value === undefined) return;
   if (typeof value !== "object") return;