@intentius/chant-lexicon-aws 0.0.8 → 0.0.9

package/src/import/roundtrip-fixtures.test.ts

@@ -5,7 +5,7 @@ import { CFParser } from "./parser";
 import { CFGenerator } from "./generator";
 import { build } from "@intentius/chant/build";
 import { awsSerializer } from "../serializer";
-// Dynamic import to get all export keys for validation (not a runtime barrel import)
+// Dynamic import to get all export keys for validation (not a runtime re-export)
 const awsLexicon = await import("../index");
 
 const parser = new CFParser();

package/src/index.ts

@@ -1,6 +1,10 @@
 // Parameter
 export { Parameter } from "./parameter";
 
+// Default Tags
+export { defaultTags, isDefaultTags, DEFAULT_TAGS_MARKER } from "./default-tags";
+export type { DefaultTags, TagEntry } from "./default-tags";
+
 // Serializer
 export { awsSerializer } from "./serializer";
 
@@ -64,6 +68,23 @@ export type { CFNSchema, SchemaProperty, SchemaDefinition } from "./spec/fetch";
 export { parseCFNSchema, cfnShortName, cfnServiceName } from "./spec/parse";
 export type { SchemaParseResult, ParsedResource, ParsedProperty, ParsedAttribute, ParsedPropertyType, ParsedEnum, PropertyConstraints } from "./spec/parse";
 
+// Action constants
+export { S3Actions, LambdaActions, DynamoDBActions, SQSActions, SNSActions, IAMActions, ECRActions, LogsActions, ECSActions } from "./actions/index";
+
+// Built-in composites
+export {
+  LambdaFunction, LambdaNode, LambdaPython, NodeLambda, PythonLambda,
+  LambdaApi,
+  LambdaScheduled, ScheduledLambda,
+  LambdaSqs, LambdaEventBridge, LambdaDynamoDB, LambdaS3, LambdaSns,
+  VpcDefault, FargateAlb,
+} from "./composites/index";
+export type {
+  LambdaFunctionProps, LambdaApiProps, ScheduledLambdaProps,
+  LambdaSqsProps, LambdaEventBridgeProps, LambdaDynamoDBProps, LambdaS3Props, LambdaSnsProps,
+  VpcDefaultProps, FargateAlbProps,
+} from "./composites/index";
+
 // Code generation pipeline
 export { generate, writeGeneratedFiles } from "./codegen/generate";
 export { packageLexicon } from "./codegen/package";

package/src/integration.test.ts

@@ -100,6 +100,77 @@ describe("AWS Integration", () => {
     });
   });
 
+  describe("Resource-level attributes (second constructor arg)", () => {
+    test("DependsOn with Declarable reference in real generated class", () => {
+      const bucket = new (Bucket as any)({ BucketName: "data" });
+      const fn = new (Function as any)(
+        {
+          Runtime: "nodejs20.x",
+          Handler: "index.handler",
+          Code: { S3Bucket: "my-bucket", S3Key: "code.zip" },
+          Role: "arn:aws:iam::123456789012:role/role",
+        },
+        { DependsOn: [bucket] },
+      );
+
+      expect(fn.attributes).toBeDefined();
+      expect(fn.attributes.DependsOn).toEqual([bucket]);
+
+      const entities = new Map<string, Declarable>();
+      entities.set("DataBucket", bucket);
+      entities.set("Handler", fn);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.Handler.DependsOn).toBe("DataBucket");
+    });
+
+    test("DeletionPolicy and Condition on real generated class", () => {
+      const bucket = new (Bucket as any)(
+        { BucketName: "important-data" },
+        { DeletionPolicy: "Retain", Condition: "CreateBucket" },
+      );
+
+      const entities = new Map<string, Declarable>();
+      entities.set("DataBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+
+      expect(template.Resources.DataBucket.DeletionPolicy).toBe("Retain");
+      expect(template.Resources.DataBucket.Condition).toBe("CreateBucket");
+    });
+
+    test("resource without attributes works unchanged", () => {
+      const bucket = new (Bucket as any)({ BucketName: "simple" });
+      expect(bucket.attributes).toEqual({});
+
+      const entities = new Map<string, Declarable>();
+      entities.set("SimpleBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.SimpleBucket.DeletionPolicy).toBeUndefined();
+      expect(template.Resources.SimpleBucket.Condition).toBeUndefined();
+    });
+
+    test("Metadata with intrinsics resolves correctly", () => {
+      const bucket = new (Bucket as any)(
+        { BucketName: "meta" },
+        { Metadata: { DeployedWith: Sub`${AWS.StackName}-chant` } },
+      );
+
+      const entities = new Map<string, Declarable>();
+      entities.set("MetaBucket", bucket);
+
+      const output = awsSerializer.serialize(entities);
+      const template = JSON.parse(output);
+      expect(template.Resources.MetaBucket.Metadata.DeployedWith).toEqual({
+        "Fn::Sub": "${AWS::StackName}-chant",
+      });
+    });
+  });
+
   describe("AttrRefs", () => {
     test("Bucket has expected AttrRefs", () => {
       const bucket = new (Bucket as any)({});

package/src/intrinsics.ts

@@ -1,5 +1,7 @@
 import { INTRINSIC_MARKER, resolveIntrinsicValue, type Intrinsic } from "@intentius/chant/intrinsic";
 import { buildInterpolatedString, defaultInterpolationSerializer } from "@intentius/chant/intrinsic-interpolation";
+import { type Declarable } from "@intentius/chant/declarable";
+import { getLogicalName } from "@intentius/chant/utils";
 
 /**
  * Fn::Sub intrinsic function implementation
@@ -37,26 +39,32 @@ export function Sub(
 
 /**
  * Ref intrinsic function
- * References a parameter or resource by logical name
+ * References a parameter or resource by logical name.
+ * Accepts either a string name or a Declarable entity (e.g. Parameter).
+ * When given a Declarable, the logical name is resolved at serialization time.
  */
 export class RefIntrinsic implements Intrinsic {
   readonly [INTRINSIC_MARKER] = true as const;
-  private name: string;
+  private target: string | Declarable;
 
-  constructor(name: string) {
-    this.name = name;
+  constructor(target: string | Declarable) {
+    this.target = target;
   }
 
   toJSON(): { Ref: string } {
-    return { Ref: this.name };
+    if (typeof this.target === "string") {
+      return { Ref: this.target };
+    }
+    return { Ref: getLogicalName(this.target) };
   }
 }
 
 /**
- * Create a Ref intrinsic
+ * Create a Ref intrinsic.
+ * Pass a string for direct parameter/resource names, or a Declarable (e.g. Parameter) for type-safe references.
  */
-export function Ref(name: string): RefIntrinsic {
-  return new RefIntrinsic(name);
+export function Ref(target: string | Declarable): RefIntrinsic {
+  return new RefIntrinsic(target);
 }
 
 /**
@@ -147,22 +155,25 @@ export function Join(delimiter: string, values: unknown[]): JoinIntrinsic {
 export class SelectIntrinsic implements Intrinsic {
   readonly [INTRINSIC_MARKER] = true as const;
   private index: number;
-  private values: unknown[];
+  private values: unknown[] | Intrinsic;
 
-  constructor(index: number, values: unknown[]) {
+  constructor(index: number, values: unknown[] | Intrinsic) {
     this.index = index;
     this.values = values;
   }
 
-  toJSON(): { "Fn::Select": [string, unknown[]] } {
-    return { "Fn::Select": [String(this.index), this.values.map(resolveIntrinsicValue)] };
+  toJSON(): { "Fn::Select": [string, unknown] } {
+    const resolvedValues = Array.isArray(this.values)
+      ? this.values.map(resolveIntrinsicValue)
+      : (this.values as Intrinsic & { toJSON(): unknown }).toJSON();
+    return { "Fn::Select": [String(this.index), resolvedValues] };
   }
 }
 
 /**
  * Create a Select intrinsic
  */
-export function Select(index: number, values: unknown[]): SelectIntrinsic {
+export function Select(index: number, values: unknown[] | Intrinsic): SelectIntrinsic {
   return new SelectIntrinsic(index, values);
 }
 

package/src/lint/post-synth/cf-refs.ts

@@ -50,6 +50,105 @@ export function findResourceRefs(value: unknown): Set<string> {
   return refs;
 }
 
+/**
+ * Check if a value is a CloudFormation intrinsic function (Ref, Fn::*, etc.)
+ * that cannot be statically evaluated.
+ */
+export function isIntrinsic(value: unknown): boolean {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
+  const obj = value as Record<string, unknown>;
+  return "Ref" in obj || Object.keys(obj).some((k) => k.startsWith("Fn::"));
+}
+
+/**
+ * Walk IAM policy statements from a resource's properties.
+ * Handles IAM::Policy, IAM::Role, and IAM::ManagedPolicy layouts.
+ */
+export function walkPolicyStatements(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const statements: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  // PolicyDocument.Statement (IAM::Policy, IAM::ManagedPolicy)
+  collectStatements(props.PolicyDocument, statements);
+
+  // AssumeRolePolicyDocument.Statement (IAM::Role)
+  collectStatements(props.AssumeRolePolicyDocument, statements);
+
+  // Policies[].PolicyDocument.Statement (IAM::Role inline policies)
+  if (Array.isArray(props.Policies)) {
+    for (const policy of props.Policies) {
+      if (typeof policy === "object" && policy !== null) {
+        collectStatements((policy as Record<string, unknown>).PolicyDocument, statements);
+      }
+    }
+  }
+
+  return statements;
+}
+
+function collectStatements(
+  policyDoc: unknown,
+  out: Array<Record<string, unknown>>,
+): void {
+  if (typeof policyDoc !== "object" || policyDoc === null) return;
+  const doc = policyDoc as Record<string, unknown>;
+  if (Array.isArray(doc.Statement)) {
+    for (const stmt of doc.Statement) {
+      if (typeof stmt === "object" && stmt !== null) {
+        out.push(stmt as Record<string, unknown>);
+      }
+    }
+  }
+}
+
+/**
+ * Normalize security group ingress rules from inline SecurityGroupIngress
+ * property and standalone SecurityGroupIngress resources.
+ */
+export function getSecurityGroupIngress(
+  resource: CFResource,
+): Array<Record<string, unknown>> {
+  const rules: Array<Record<string, unknown>> = [];
+  const props = resource.Properties ?? {};
+
+  if (Array.isArray(props.SecurityGroupIngress)) {
+    for (const rule of props.SecurityGroupIngress) {
+      if (typeof rule === "object" && rule !== null) {
+        rules.push(rule as Record<string, unknown>);
+      }
+    }
+  }
+
+  return rules;
+}
+
+/**
+ * Check if a port range [fromPort, toPort] contains any of the sensitive ports.
+ */
+export function portRangeContainsSensitive(
+  fromPort: unknown,
+  toPort: unknown,
+  sensitivePorts: number[],
+): boolean {
+  // Missing ports means all ports
+  if (fromPort === undefined && toPort === undefined) return true;
+
+  const from = typeof fromPort === "number" ? fromPort : -1;
+  const to = typeof toPort === "number" ? toPort : -1;
+
+  // If either is an intrinsic, we can't statically verify
+  if (isIntrinsic(fromPort) || isIntrinsic(toPort)) return false;
+
+  if (from === -1 && to === -1) return true;
+
+  for (const port of sensitivePorts) {
+    if (from <= port && port <= to) return true;
+  }
+  return false;
+}
+
 function walkValue(value: unknown, refs: Set<string>): void {
   if (value === null || value === undefined) return;
   if (typeof value !== "object") return;

package/src/lint/post-synth/ext001.test.ts

@@ -1,68 +1,251 @@
 import { describe, test, expect } from "bun:test";
-import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
 import { createPostSynthContext } from "@intentius/chant-test-utils";
-import { ext001 } from "./ext001";
+import { ext001, checkExtensionConstraints, type ExtensionConstraint } from "./ext001";
 
 function makeCtx(template: object) {
   return createPostSynthContext({ aws: template });
 }
 
+/** Synthetic constraint map — no disk dependency. */
+function fakeConstraints(): Map<string, ExtensionConstraint[]> {
+  return new Map([
+    ["AWS::EC2::Instance", [
+      {
+        name: "SubnetRequired",
+        type: "if_then",
+        condition: { required: ["InstanceType"] },
+        requirement: { required: ["SubnetId"] },
+      },
+      {
+        name: "SpotExcludesPlacement",
+        type: "dependent_excluded",
+        requirement: { InstanceMarketOptions: ["PlacementGroup"] },
+      },
+    ]],
+    ["AWS::ECS::Service", [
+      {
+        name: "LaunchTypeOrCapacity",
+        type: "required_xor",
+        requirement: ["LaunchType", "CapacityProviderStrategy"],
+      },
+    ]],
+    ["AWS::S3::Bucket", [
+      {
+        name: "EncryptionOrNotification",
+        type: "required_or",
+        requirement: ["BucketEncryption", "NotificationConfiguration"],
+      },
+    ]],
+  ]);
+}
+
 describe("EXT001: Extension Constraint Violation", () => {
   test("check metadata", () => {
     expect(ext001.id).toBe("EXT001");
     expect(ext001.description).toContain("constraint");
   });
 
-  test("no diagnostics on empty template", () => {
-    const ctx = makeCtx({ Resources: {} });
-    const diags = ext001.check(ctx);
+  // --- if_then ---
+
+  test("if_then: flags when condition matches and requirement missing", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("EXT001");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("SubnetRequired");
+    expect(diags[0].message).toContain("SubnetId");
+    expect(diags[0].entity).toBe("MyInstance");
+  });
+
+  test("if_then: no diagnostic when requirement satisfied", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro", SubnetId: "subnet-123" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    // SubnetRequired satisfied; SpotExcludesPlacement not triggered (no InstanceMarketOptions)
+    expect(diags).toHaveLength(0);
+  });
+
+  test("if_then: no diagnostic when condition does not match", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { ImageId: "ami-123" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 
-  test("no diagnostics on unknown resource type", () => {
+  // --- dependent_excluded ---
+
+  test("dependent_excluded: flags when both present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: {
+            InstanceMarketOptions: { MarketType: "spot" },
+            PlacementGroup: "my-group",
+            SubnetId: "subnet-123",
+            InstanceType: "t3.micro",
+          },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    const excluded = diags.filter((d) => d.message.includes("excludes"));
+    expect(excluded).toHaveLength(1);
+    expect(excluded[0].message).toContain("InstanceMarketOptions");
+    expect(excluded[0].message).toContain("PlacementGroup");
+  });
+
+  test("dependent_excluded: no diagnostic when excluded prop absent", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: {
+            InstanceMarketOptions: { MarketType: "spot" },
+            SubnetId: "subnet-123",
+            InstanceType: "t3.micro",
+          },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    const excluded = diags.filter((d) => d.message.includes("excludes"));
+    expect(excluded).toHaveLength(0);
+  });
+
+  // --- required_xor ---
+
+  test("required_xor: flags when neither present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: { ServiceName: "my-svc" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("exactly one of");
+    expect(diags[0].message).toContain("found 0");
+  });
+
+  test("required_xor: flags when both present", () => {
     const ctx = makeCtx({
       Resources: {
-        MyCustom: {
-          Type: "Custom::MyResource",
-          Properties: { Foo: "bar" },
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: {
+            LaunchType: "FARGATE",
+            CapacityProviderStrategy: [{}],
+          },
         },
       },
     });
-    const diags = ext001.check(ctx);
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("found 2");
+  });
+
+  test("required_xor: no diagnostic when exactly one present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: { LaunchType: "FARGATE" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 
-  // The following tests exercise the constraint validation logic directly
-  // by testing the check function. Whether diagnostics fire depends on
-  // the lexicon having constraints for the resource types used.
-  // Since we may not have the lexicon JSON in test environments,
-  // we verify the function at least runs without errors.
-  test("handles resource with no properties gracefully", () => {
+  // --- required_or ---
+
+  test("required_or: flags when none present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("at least one of");
+  });
+
+  test("required_or: no diagnostic when one present", () => {
     const ctx = makeCtx({
       Resources: {
         MyBucket: {
           Type: "AWS::S3::Bucket",
+          Properties: { BucketEncryption: {} },
         },
       },
     });
-    // Should not throw, diagnostics depend on lexicon data
-    const diags = ext001.check(ctx);
-    expect(Array.isArray(diags)).toBe(true);
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  // --- Edge cases ---
+
+  test("no diagnostics for resource type not in constraints", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: { RoleName: "test" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("returns empty when constraint map is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, new Map());
+    expect(diags).toHaveLength(0);
   });
 
   test("handles invalid JSON output gracefully", () => {
-    const ctx: PostSynthContext = {
-      outputs: new Map([["aws", "not json"]]),
-      entities: new Map(),
-      buildResult: {
-        outputs: new Map([["aws", "not json"]]),
-        entities: new Map(),
-        warnings: [],
-        errors: [],
-        sourceFileCount: 0,
-      },
-    };
-    const diags = ext001.check(ctx);
+    const ctx = createPostSynthContext({ aws: "not json" as unknown as object });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 });

package/src/lint/post-synth/ext001.ts

@@ -16,7 +16,7 @@ import { join } from "path";
 import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
 import { parseCFTemplate, type CFResource } from "./cf-refs";
 
-interface ExtensionConstraint {
+export interface ExtensionConstraint {
   name: string;
   type: "if_then" | "dependent_excluded" | "required_or" | "required_xor";
   condition?: unknown;
@@ -25,7 +25,7 @@ interface ExtensionConstraint {
 
 interface LexiconEntry {
   kind: string;
-  cfn?: string;
+  resourceType: string;
   constraints?: ExtensionConstraint[];
   [key: string]: unknown;
 }
@@ -43,8 +43,8 @@ function loadLexiconConstraints(): Map<string, ExtensionConstraint[]> {
     const data = JSON.parse(content) as Record<string, LexiconEntry>;
 
     for (const [_name, entry] of Object.entries(data)) {
-      if (entry.kind === "resource" && entry.cfn && entry.constraints && entry.constraints.length > 0) {
-        map.set(entry.cfn, entry.constraints);
+      if (entry.kind === "resource" && entry.resourceType && entry.constraints && entry.constraints.length > 0) {
+        map.set(entry.resourceType, entry.constraints);
       }
     }
   } catch {
@@ -193,28 +193,37 @@ function validateResource(
   return diagnostics;
 }
 
-export const ext001: PostSynthCheck = {
-  id: "EXT001",
-  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
-
-  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
-    const lexiconConstraints = loadLexiconConstraints();
-    if (lexiconConstraints.size === 0) return [];
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkExtensionConstraints(
+  ctx: PostSynthContext,
+  constraintMap: Map<string, ExtensionConstraint[]>,
+): PostSynthDiagnostic[] {
+  if (constraintMap.size === 0) return [];
 
-    const diagnostics: PostSynthDiagnostic[] = [];
+  const diagnostics: PostSynthDiagnostic[] = [];
 
-    for (const [_lexicon, output] of ctx.outputs) {
-      const template = parseCFTemplate(output);
-      if (!template?.Resources) continue;
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
 
-      for (const [logicalId, resource] of Object.entries(template.Resources)) {
-        const constraints = lexiconConstraints.get(resource.Type);
-        if (!constraints) continue;
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const constraints = constraintMap.get(resource.Type);
+      if (!constraints) continue;
 
-        diagnostics.push(...validateResource(logicalId, resource, constraints));
-      }
+      diagnostics.push(...validateResource(logicalId, resource, constraints));
     }
+  }
 
-    return diagnostics;
+  return diagnostics;
+}
+
+export const ext001: PostSynthCheck = {
+  id: "EXT001",
+  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkExtensionConstraints(ctx, loadLexiconConstraints());
   },
 };