@intentius/chant-lexicon-aws 0.0.9 → 0.0.11

package/dist/integrity.json

@@ -1,7 +1,7 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "b8414e7d59388707",
+    "manifest.json": "d04788f6043e2c1d",
     "meta.json": "db2d39f47dd623e2",
     "types/index.d.ts": "8ae8b196e3f4585d",
     "rules/s3-encryption.ts": "678cd3d490eae38",
@@ -32,5 +32,5 @@
     "rules/waw025.ts": "5929f7e3e3e3b859",
     "skills/chant-aws.md": "de8d9ccfe4dcf4bc"
   },
-  "composite": "a541078dad6b79c2"
+  "composite": "bccf35bdfbacd863"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "aws",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "chantVersion": ">=0.1.0",
   "namespace": "AWS",
   "intrinsics": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-aws",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "license": "Apache-2.0",
   "type": "module",
   "files": ["src/", "dist/"],
@@ -22,7 +22,7 @@
   "prepack": "bun run bundle && bun run validate"
 },
 "dependencies": {
-  "@intentius/chant": "0.0.9",
+  "@intentius/chant": "0.0.10",
   "fflate": "^0.8.2",
   "js-yaml": "^4.1.0"
 },

package/src/codegen/docs.ts

@@ -405,6 +405,8 @@ The AWS lexicon ships ready-to-use composites for common patterns. Import them f
 | \`LambdaSns\` | \`topic\`, \`role\`, \`func\`, \`subscription\`, \`permission\` | SNS Topic + Lambda via Subscription. Auto-attaches invoke permission for SNS. |
 | \`VpcDefault\` | \`vpc\`, \`igw\`, \`igwAttachment\`, \`publicSubnet1\`, \`publicSubnet2\`, \`privateSubnet1\`, \`privateSubnet2\`, \`publicRouteTable\`, \`publicRoute\`, \`publicRta1\`, \`publicRta2\`, \`privateRouteTable\`, \`privateRta1\`, \`privateRta2\`, \`natEip\`, \`natGateway\`, \`privateRoute\` | Production-ready VPC: 2 public + 2 private subnets across 2 AZs, internet gateway, single NAT gateway. |
 | \`FargateAlb\` | \`cluster\`, \`executionRole\`, \`taskRole\`, \`logGroup\`, \`taskDef\`, \`albSg\`, \`taskSg\`, \`alb\`, \`targetGroup\`, \`listener\`, \`service\` | Fargate service behind an ALB. Accepts VPC outputs as props. |
+| \`AlbShared\` | \`cluster\`, \`executionRole\`, \`albSg\`, \`alb\`, \`listener\` | Shared ALB infrastructure (ECS cluster, execution role, ALB, listener with 404 default). Created once, consumed by multiple \`FargateService\` instances. |
+| \`FargateService\` | \`taskRole\`, \`logGroup\`, \`taskDef\`, \`taskSg\`, \`targetGroup\`, \`rule\`, \`service\` | Per-service Fargate resources with listener rule routing. Wire to an \`AlbShared\` instance for multi-service ALB patterns. |
 
 All built-in composites accept \`ManagedPolicyArns\` and \`Policies\` for adding IAM permissions to the auto-created role.
 
@@ -888,6 +890,46 @@ Produces 17 CloudFormation resources: VPC, Internet Gateway, 2 public + 2 privat
 
 Produces 28 CloudFormation resources: 17 from VpcDefault + 11 from FargateAlb (ECS Cluster, execution/task roles, log group, task definition, security groups, ALB, target group, listener, and ECS service).
 
+## Multi-Service ALB
+
+\`examples/multi-service-alb/\` — multiple Fargate services behind a single shared ALB using \`AlbShared\` + \`FargateService\`.
+
+{{file:multi-service-alb/src/shared.ts}}
+
+{{file:multi-service-alb/src/services.ts}}
+
+Produces 36 CloudFormation resources: 17 from VpcDefault + 5 from AlbShared + 7×2 from FargateService (task role, log group, task definition, task security group, target group, listener rule, and ECS service per service).
+
+## Shared ALB (Separate Projects)
+
+\`examples/shared-alb/\`, \`examples/shared-alb-api/\`, \`examples/shared-alb-ui/\` — the same multi-service ALB pattern as above, but split across separate CloudFormation stacks for independent deployment.
+
+### Infra stack
+
+The shared-alb stack contains VPC, ALB, ECS cluster, and ECR repositories. It exports outputs that service stacks consume as parameters:
+
+{{file:shared-alb/src/alb.ts}}
+
+{{file:shared-alb/src/ecr.ts}}
+
+{{file:shared-alb/src/outputs.ts}}
+
+### Service stacks
+
+Each service stack receives shared infrastructure as parameters and deploys a single Fargate service:
+
+{{file:shared-alb-api/src/params.ts}}
+
+{{file:shared-alb-api/src/service.ts}}
+
+**Deployment pattern:**
+
+1. Deploy the infra stack first — creates VPC, ALB, ECS cluster, and ECR repos
+2. Deploy each service stack independently with \`--parameter-overrides\` mapping infra outputs to service parameters
+3. Each service gets its own \`image\` parameter for CI/CD pipelines to inject the container image URI
+
+The separate-project pattern enables independent team ownership and deployment cadences. See the [GitLab CI/CD lexicon examples](/chant/lexicons/gitlab/examples/) for pipeline definitions that automate this workflow.
+
 ## Lambda API (Custom Composite)
 
 \`examples/lambda-api/\` — demonstrates building your own composite factory with presets and a custom lint rule. This is the only example that teaches custom composite authoring.

package/src/composites/alb-shared.ts

@@ -0,0 +1,117 @@
+import { Composite } from "@intentius/chant";
+import {
+  EcsCluster,
+  LoadBalancer,
+  Listener,
+  Listener_Action,
+  Listener_FixedResponseConfig,
+  Listener_Certificate,
+  SecurityGroup,
+  SecurityGroup_Ingress,
+  Role,
+  Role_Policy,
+} from "../generated";
+import { ECRActions } from "../actions/ecr";
+import { LogsActions } from "../actions/logs";
+import { ecsTrustPolicy } from "./ecs-trust-policy";
+
+export interface AlbSharedProps {
+  vpcId: string;
+  publicSubnetIds: string[];
+  listenerPort?: number;
+  protocol?: "HTTP" | "HTTPS";
+  certificateArn?: string;
+}
+
+export const AlbShared = Composite<AlbSharedProps>((props) => {
+  const listenerPort = props.listenerPort ?? 80;
+  const protocol = props.protocol ?? "HTTP";
+
+  // ECS Cluster
+  const cluster = new EcsCluster({});
+
+  // Execution role — ECR pull + CloudWatch Logs write
+  const executionPolicyDocument = {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: ECRActions.Pull,
+        Resource: "*",
+      },
+      {
+        Effect: "Allow",
+        Action: LogsActions.Write,
+        Resource: "*",
+      },
+    ],
+  };
+
+  const executionPolicy = new Role_Policy({
+    PolicyName: "ExecutionPolicy",
+    PolicyDocument: executionPolicyDocument,
+  });
+
+  const executionRole = new Role({
+    AssumeRolePolicyDocument: ecsTrustPolicy,
+    Policies: [executionPolicy],
+  });
+
+  // ALB security group — ingress on listener port from anywhere
+  const albIngress = new SecurityGroup_Ingress({
+    IpProtocol: "tcp",
+    FromPort: listenerPort,
+    ToPort: listenerPort,
+    CidrIp: "0.0.0.0/0",
+  });
+
+  const albSg = new SecurityGroup({
+    GroupDescription: "ALB security group",
+    VpcId: props.vpcId,
+    SecurityGroupIngress: [albIngress],
+  });
+
+  // Application Load Balancer
+  const alb = new LoadBalancer({
+    Type: "application",
+    Scheme: "internet-facing",
+    Subnets: props.publicSubnetIds,
+    SecurityGroups: [albSg.GroupId],
+  });
+
+  // Listener — default action is fixed-response 404
+  const fixedResponse = new Listener_FixedResponseConfig({
+    StatusCode: "404",
+    ContentType: "text/plain",
+    MessageBody: "Not Found",
+  });
+
+  const defaultAction = new Listener_Action({
+    Type: "fixed-response",
+    FixedResponseConfig: fixedResponse,
+  });
+
+  const listenerProps: Record<string, unknown> = {
+    LoadBalancerArn: alb.LoadBalancerArn,
+    Port: listenerPort,
+    Protocol: protocol,
+    DefaultActions: [defaultAction],
+  };
+
+  if (protocol === "HTTPS" && props.certificateArn) {
+    const cert = new Listener_Certificate({
+      CertificateArn: props.certificateArn,
+    });
+    listenerProps.Certificates = [cert];
+  }
+
+  const listener = new Listener(listenerProps);
+
+  return {
+    cluster,
+    executionRole,
+    albSg,
+    alb,
+    listener,
+  };
+}, "AlbShared");

package/src/composites/composites.test.ts

@@ -11,6 +11,8 @@ import { LambdaS3 } from "./lambda-s3";
 import { LambdaSns } from "./lambda-sns";
 import { VpcDefault } from "./vpc-default";
 import { FargateAlb } from "./fargate-alb";
+import { AlbShared } from "./alb-shared";
+import { FargateService } from "./fargate-service";
 
 const baseProps = {
   name: "TestFunc",
@@ -440,3 +442,194 @@ describe("FargateAlb", () => {
     expect(ingress.ToPort).toBe(8080);
   });
 });
+
+describe("AlbShared", () => {
+  const sharedProps = {
+    vpcId: "vpc-123",
+    publicSubnetIds: ["subnet-pub1", "subnet-pub2"],
+  };
+
+  test("returns 5 members with correct names", () => {
+    const instance = AlbShared(sharedProps);
+    const names = Object.keys(instance.members);
+    expect(names).toEqual(["cluster", "executionRole", "albSg", "alb", "listener"]);
+  });
+
+  test("expandComposite produces correct logical names", () => {
+    const expanded = expandComposite("shared", AlbShared(sharedProps));
+    expect(expanded.has("sharedCluster")).toBe(true);
+    expect(expanded.has("sharedExecutionRole")).toBe(true);
+    expect(expanded.has("sharedAlbSg")).toBe(true);
+    expect(expanded.has("sharedAlb")).toBe(true);
+    expect(expanded.has("sharedListener")).toBe(true);
+    expect(expanded.size).toBe(5);
+  });
+
+  test("listener default action is fixed-response 404", () => {
+    const instance = AlbShared(sharedProps);
+    const listenerProps = (instance.listener as any).props;
+    expect(listenerProps.DefaultActions).toHaveLength(1);
+    const action = (listenerProps.DefaultActions[0] as any).props;
+    expect(action.Type).toBe("fixed-response");
+    const fixedResponse = (action.FixedResponseConfig as any).props;
+    expect(fixedResponse.StatusCode).toBe("404");
+    expect(fixedResponse.ContentType).toBe("text/plain");
+    expect(fixedResponse.MessageBody).toBe("Not Found");
+  });
+
+  test("ALB SG allows ingress on listener port (default 80)", () => {
+    const instance = AlbShared(sharedProps);
+    const sgProps = (instance.albSg as any).props;
+    expect(sgProps.SecurityGroupIngress).toHaveLength(1);
+    const ingress = (sgProps.SecurityGroupIngress[0] as any).props;
+    expect(ingress.FromPort).toBe(80);
+    expect(ingress.ToPort).toBe(80);
+    expect(ingress.CidrIp).toBe("0.0.0.0/0");
+  });
+
+  test("custom listener port is applied", () => {
+    const instance = AlbShared({ ...sharedProps, listenerPort: 443 });
+    const sgProps = (instance.albSg as any).props;
+    const ingress = (sgProps.SecurityGroupIngress[0] as any).props;
+    expect(ingress.FromPort).toBe(443);
+    expect(ingress.ToPort).toBe(443);
+  });
+
+  test("execution role has ECR + Logs policies", () => {
+    const instance = AlbShared(sharedProps);
+    const roleProps = (instance.executionRole as any).props;
+    expect(roleProps.Policies).toHaveLength(1);
+    const policyDoc = (roleProps.Policies[0] as any).props.PolicyDocument;
+    expect(policyDoc.Statement).toHaveLength(2);
+    expect(policyDoc.Statement[0].Action).toContain("ecr:GetAuthorizationToken");
+    expect(policyDoc.Statement[1].Action).toContain("logs:CreateLogStream");
+  });
+
+  test("HTTPS adds certificate to listener", () => {
+    const instance = AlbShared({
+      ...sharedProps,
+      protocol: "HTTPS",
+      certificateArn: "arn:aws:acm:us-east-1:123:certificate/abc",
+    });
+    const listenerProps = (instance.listener as any).props;
+    expect(listenerProps.Protocol).toBe("HTTPS");
+    expect(listenerProps.Certificates).toHaveLength(1);
+    const cert = (listenerProps.Certificates[0] as any).props;
+    expect(cert.CertificateArn).toBe("arn:aws:acm:us-east-1:123:certificate/abc");
+  });
+});
+
+describe("FargateService", () => {
+  const serviceProps = {
+    clusterArn: "arn:aws:ecs:us-east-1:123:cluster/my-cluster",
+    listenerArn: "arn:aws:elasticloadbalancing:us-east-1:123:listener/app/my-alb/abc/def",
+    albSecurityGroupId: "sg-alb123",
+    executionRoleArn: "arn:aws:iam::123:role/execution-role",
+    image: "nginx:latest",
+    priority: 100,
+    pathPatterns: ["/api/*"],
+    vpcId: "vpc-123",
+    privateSubnetIds: ["subnet-priv1", "subnet-priv2"],
+  };
+
+  test("returns 7 members with correct names", () => {
+    const instance = FargateService(serviceProps);
+    const names = Object.keys(instance.members);
+    expect(names).toEqual(["taskRole", "logGroup", "taskDef", "taskSg", "targetGroup", "rule", "service"]);
+  });
+
+  test("expandComposite produces correct logical names", () => {
+    const expanded = expandComposite("api", FargateService(serviceProps));
+    expect(expanded.has("apiTaskRole")).toBe(true);
+    expect(expanded.has("apiLogGroup")).toBe(true);
+    expect(expanded.has("apiTaskDef")).toBe(true);
+    expect(expanded.has("apiTaskSg")).toBe(true);
+    expect(expanded.has("apiTargetGroup")).toBe(true);
+    expect(expanded.has("apiRule")).toBe(true);
+    expect(expanded.has("apiService")).toBe(true);
+    expect(expanded.size).toBe(7);
+  });
+
+  test("ListenerRule has correct priority and path conditions", () => {
+    const instance = FargateService(serviceProps);
+    const ruleProps = (instance.rule as any).props;
+    expect(ruleProps.Priority).toBe(100);
+    expect(ruleProps.Conditions).toHaveLength(1);
+    const condition = (ruleProps.Conditions[0] as any).props;
+    expect(condition.Field).toBe("path-pattern");
+    const pathConfig = (condition.PathPatternConfig as any).props;
+    expect(pathConfig.Values).toEqual(["/api/*"]);
+  });
+
+  test("host-header routing produces HostHeaderConfig condition", () => {
+    const instance = FargateService({
+      ...serviceProps,
+      pathPatterns: undefined,
+      hostHeaders: ["api.example.com"],
+    });
+    const ruleProps = (instance.rule as any).props;
+    expect(ruleProps.Conditions).toHaveLength(1);
+    const condition = (ruleProps.Conditions[0] as any).props;
+    expect(condition.Field).toBe("host-header");
+    const hostConfig = (condition.HostHeaderConfig as any).props;
+    expect(hostConfig.Values).toEqual(["api.example.com"]);
+  });
+
+  test("combined path + host conditions both present", () => {
+    const instance = FargateService({
+      ...serviceProps,
+      hostHeaders: ["api.example.com"],
+    });
+    const ruleProps = (instance.rule as any).props;
+    expect(ruleProps.Conditions).toHaveLength(2);
+    const fields = ruleProps.Conditions.map((c: any) => c.props.Field);
+    expect(fields).toContain("path-pattern");
+    expect(fields).toContain("host-header");
+  });
+
+  test("task SG references ALB SG via SourceSecurityGroupId", () => {
+    const instance = FargateService(serviceProps);
+    const sgProps = (instance.taskSg as any).props;
+    const ingress = (sgProps.SecurityGroupIngress[0] as any).props;
+    expect(ingress.SourceSecurityGroupId).toBe("sg-alb123");
+  });
+
+  test("service has DependsOn on rule", () => {
+    const instance = FargateService(serviceProps);
+    const serviceAttributes = (instance.service as any).attributes;
+    expect(serviceAttributes.DependsOn).toBeDefined();
+    expect(serviceAttributes.DependsOn).toContain(instance.rule);
+  });
+
+  test("throws if neither pathPatterns nor hostHeaders provided", () => {
+    expect(() =>
+      FargateService({
+        ...serviceProps,
+        pathPatterns: undefined,
+      }),
+    ).toThrow("FargateService requires at least one of pathPatterns or hostHeaders");
+  });
+
+  test("throws if priority is out of range", () => {
+    expect(() =>
+      FargateService({ ...serviceProps, priority: 0 }),
+    ).toThrow("FargateService priority must be between 1 and 50000");
+    expect(() =>
+      FargateService({ ...serviceProps, priority: 50001 }),
+    ).toThrow("FargateService priority must be between 1 and 50000");
+  });
+
+  test("default values (cpu, memory, containerPort, desiredCount)", () => {
+    const instance = FargateService(serviceProps);
+    const tdProps = (instance.taskDef as any).props;
+    expect(tdProps.Cpu).toBe("256");
+    expect(tdProps.Memory).toBe("512");
+
+    const containerDef = (tdProps.ContainerDefinitions[0] as any).props;
+    const portMapping = (containerDef.PortMappings[0] as any).props;
+    expect(portMapping.ContainerPort).toBe(80);
+
+    const svcProps = (instance.service as any).props;
+    expect(svcProps.DesiredCount).toBe(2);
+  });
+});

package/src/composites/ecs-trust-policy.ts

@@ -0,0 +1,10 @@
+export const ecsTrustPolicy = {
+  Version: "2012-10-17" as const,
+  Statement: [
+    {
+      Effect: "Allow" as const,
+      Principal: { Service: "ecs-tasks.amazonaws.com" },
+      Action: "sts:AssumeRole",
+    },
+  ],
+};

package/src/composites/fargate-alb.ts

@@ -23,6 +23,7 @@ import {
 import { Sub } from "../intrinsics";
 import { ECRActions } from "../actions/ecr";
 import { LogsActions } from "../actions/logs";
+import { ecsTrustPolicy } from "./ecs-trust-policy";
 
 export interface FargateAlbProps {
   image: string;
@@ -42,17 +43,6 @@ export interface FargateAlbProps {
   logRetentionDays?: number;
 }
 
-const ecsTrustPolicy = {
-  Version: "2012-10-17" as const,
-  Statement: [
-    {
-      Effect: "Allow" as const,
-      Principal: { Service: "ecs-tasks.amazonaws.com" },
-      Action: "sts:AssumeRole",
-    },
-  ],
-};
-
 export const FargateAlb = Composite<FargateAlbProps>((props) => {
   const containerPort = props.containerPort ?? 80;
   const cpu = props.cpu ?? "256";

package/src/composites/fargate-service.ts

@@ -0,0 +1,233 @@
+import { Composite } from "@intentius/chant";
+import {
+  EcsService,
+  EcsService_LoadBalancer,
+  EcsService_NetworkConfiguration,
+  EcsService_AwsVpcConfiguration,
+  TaskDefinition,
+  TaskDefinition_ContainerDefinition,
+  TaskDefinition_PortMapping,
+  TaskDefinition_LogConfiguration,
+  TaskDefinition_KeyValuePair,
+  TargetGroup,
+  ListenerRule,
+  ListenerRule_Action,
+  ListenerRule_RuleCondition,
+  ListenerRule_PathPatternConfig,
+  ListenerRule_HostHeaderConfig,
+  SecurityGroup,
+  SecurityGroup_Ingress,
+  LogGroup,
+  Role,
+  Role_Policy,
+} from "../generated";
+import { Sub } from "../intrinsics";
+import { ecsTrustPolicy } from "./ecs-trust-policy";
+
+export interface FargateServiceProps {
+  // Wiring to shared ALB
+  clusterArn: string;
+  listenerArn: string;
+  albSecurityGroupId: string;
+  executionRoleArn: string;
+
+  // Routing — at least one required
+  priority: number;
+  pathPatterns?: string[];
+  hostHeaders?: string[];
+
+  // Container
+  image: string;
+  containerPort?: number;
+  cpu?: string;
+  memory?: string;
+  desiredCount?: number;
+  environment?: Record<string, string>;
+  command?: string[];
+
+  // Networking
+  vpcId: string;
+  privateSubnetIds: string[];
+  healthCheckPath?: string;
+
+  // IAM
+  ManagedPolicyArns?: string[];
+  Policies?: InstanceType<typeof Role_Policy>[];
+  logRetentionDays?: number;
+}
+
+export const FargateService = Composite<FargateServiceProps>((props) => {
+  if (!props.pathPatterns && !props.hostHeaders) {
+    throw new Error("FargateService requires at least one of pathPatterns or hostHeaders");
+  }
+  if (props.priority < 1 || props.priority > 50000) {
+    throw new Error("FargateService priority must be between 1 and 50000");
+  }
+
+  const containerPort = props.containerPort ?? 80;
+  const cpu = props.cpu ?? "256";
+  const memory = props.memory ?? "512";
+  const desiredCount = props.desiredCount ?? 2;
+  const healthCheckPath = props.healthCheckPath ?? "/";
+  const logRetentionDays = props.logRetentionDays ?? 30;
+
+  // Task role — app permissions
+  const taskRole = new Role({
+    AssumeRolePolicyDocument: ecsTrustPolicy,
+    ManagedPolicyArns: props.ManagedPolicyArns,
+    Policies: props.Policies,
+  });
+
+  // Log group
+  const logGroup = new LogGroup({
+    RetentionInDays: logRetentionDays,
+  });
+
+  // Container definition
+  const portMapping = new TaskDefinition_PortMapping({
+    ContainerPort: containerPort,
+    Protocol: "tcp",
+  });
+
+  const logConfiguration = new TaskDefinition_LogConfiguration({
+    LogDriver: "awslogs",
+    Options: {
+      "awslogs-group": logGroup as any,
+      "awslogs-region": Sub`\${AWS::Region}`,
+      "awslogs-stream-prefix": "ecs",
+    },
+  });
+
+  const environmentVars: InstanceType<typeof TaskDefinition_KeyValuePair>[] = [];
+  if (props.environment) {
+    for (const [name, value] of Object.entries(props.environment)) {
+      environmentVars.push(
+        new TaskDefinition_KeyValuePair({ Name: name, Value: value }),
+      );
+    }
+  }
+
+  const container = new TaskDefinition_ContainerDefinition({
+    Name: "app",
+    Image: props.image,
+    Essential: true,
+    PortMappings: [portMapping],
+    LogConfiguration: logConfiguration,
+    Environment: environmentVars.length > 0 ? environmentVars : undefined,
+    Command: props.command,
+  });
+
+  // Task definition
+  const taskDef = new TaskDefinition({
+    NetworkMode: "awsvpc",
+    RequiresCompatibilities: ["FARGATE"],
+    Cpu: cpu,
+    Memory: memory,
+    ExecutionRoleArn: props.executionRoleArn,
+    TaskRoleArn: taskRole.Arn,
+    ContainerDefinitions: [container],
+  });
+
+  // Task security group — ingress on container port from ALB SG
+  const taskIngress = new SecurityGroup_Ingress({
+    IpProtocol: "tcp",
+    FromPort: containerPort,
+    ToPort: containerPort,
+    SourceSecurityGroupId: props.albSecurityGroupId,
+  });
+
+  const taskSg = new SecurityGroup({
+    GroupDescription: "Fargate task security group",
+    VpcId: props.vpcId,
+    SecurityGroupIngress: [taskIngress],
+  });
+
+  // Target group
+  const targetGroup = new TargetGroup({
+    TargetType: "ip",
+    Protocol: "HTTP",
+    Port: containerPort,
+    VpcId: props.vpcId,
+    HealthCheckPath: healthCheckPath,
+  });
+
+  // Listener rule conditions
+  const conditions: InstanceType<typeof ListenerRule_RuleCondition>[] = [];
+
+  if (props.pathPatterns) {
+    const pathConfig = new ListenerRule_PathPatternConfig({
+      Values: props.pathPatterns,
+    });
+    conditions.push(
+      new ListenerRule_RuleCondition({
+        Field: "path-pattern",
+        PathPatternConfig: pathConfig,
+      }),
+    );
+  }
+
+  if (props.hostHeaders) {
+    const hostConfig = new ListenerRule_HostHeaderConfig({
+      Values: props.hostHeaders,
+    });
+    conditions.push(
+      new ListenerRule_RuleCondition({
+        Field: "host-header",
+        HostHeaderConfig: hostConfig,
+      }),
+    );
+  }
+
+  // Listener rule
+  const ruleAction = new ListenerRule_Action({
+    Type: "forward",
+    TargetGroupArn: targetGroup.TargetGroupArn,
+  });
+
+  const rule = new ListenerRule({
+    ListenerArn: props.listenerArn,
+    Priority: props.priority,
+    Actions: [ruleAction],
+    Conditions: conditions,
+  });
+
+  // ECS Service
+  const serviceLoadBalancer = new EcsService_LoadBalancer({
+    ContainerName: "app",
+    ContainerPort: containerPort,
+    TargetGroupArn: targetGroup.TargetGroupArn,
+  });
+
+  const awsVpcConfig = new EcsService_AwsVpcConfiguration({
+    Subnets: props.privateSubnetIds,
+    SecurityGroups: [taskSg.GroupId],
+    AssignPublicIp: "DISABLED",
+  });
+
+  const networkConfig = new EcsService_NetworkConfiguration({
+    AwsvpcConfiguration: awsVpcConfig,
+  });
+
+  const service = new EcsService(
+    {
+      Cluster: props.clusterArn,
+      TaskDefinition: taskDef.TaskDefinitionArn,
+      LaunchType: "FARGATE",
+      DesiredCount: desiredCount,
+      HealthCheckGracePeriodSeconds: 60,
+      LoadBalancers: [serviceLoadBalancer],
+      NetworkConfiguration: networkConfig,
+    },
+    { DependsOn: [rule] },
+  );
+
+  return {
+    taskRole,
+    logGroup,
+    taskDef,
+    taskSg,
+    targetGroup,
+    rule,
+    service,
+  };
+}, "FargateService");

package/src/composites/index.ts

@@ -18,3 +18,7 @@ export { VpcDefault } from "./vpc-default";
 export type { VpcDefaultProps } from "./vpc-default";
 export { FargateAlb } from "./fargate-alb";
 export type { FargateAlbProps } from "./fargate-alb";
+export { AlbShared } from "./alb-shared";
+export type { AlbSharedProps } from "./alb-shared";
+export { FargateService } from "./fargate-service";
+export type { FargateServiceProps } from "./fargate-service";

package/src/index.ts

@@ -77,12 +77,12 @@ export {
   LambdaApi,
   LambdaScheduled, ScheduledLambda,
   LambdaSqs, LambdaEventBridge, LambdaDynamoDB, LambdaS3, LambdaSns,
-  VpcDefault, FargateAlb,
+  VpcDefault, FargateAlb, AlbShared, FargateService,
 } from "./composites/index";
 export type {
   LambdaFunctionProps, LambdaApiProps, ScheduledLambdaProps,
   LambdaSqsProps, LambdaEventBridgeProps, LambdaDynamoDBProps, LambdaS3Props, LambdaSnsProps,
-  VpcDefaultProps, FargateAlbProps,
+  VpcDefaultProps, FargateAlbProps, AlbSharedProps, FargateServiceProps,
 } from "./composites/index";
 
 // Code generation pipeline