npm - @intentius/chant-lexicon-aws - Versions diffs - 0.1.0 → 0.1.4 - Mend

@intentius/chant-lexicon-aws 0.1.0 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/dist/integrity.json +25 -19
package/dist/manifest.json +1 -1
package/dist/meta.json +734 -435
package/dist/rules/waw032.ts +52 -0
package/dist/rules/waw033.ts +86 -0
package/dist/rules/waw034.ts +63 -0
package/dist/rules/waw035.ts +71 -0
package/dist/rules/waw036.ts +88 -0
package/dist/rules/waw037.ts +81 -0
package/dist/types/index.d.ts +991 -59
package/package.json +2 -2
package/src/codegen/docs.ts +9 -1
package/src/composites/composites.test.ts +65 -0
package/src/composites/ec2-instance-role.ts +39 -0
package/src/composites/efs-with-access-point.ts +90 -0
package/src/composites/fargate-service.ts +102 -2
package/src/composites/index.ts +8 -0
package/src/composites/lambda-dynamodb.ts +66 -17
package/src/composites/lambda-function.ts +2 -1
package/src/composites/lambda-s3.ts +66 -20
package/src/composites/minimal-vpc.ts +71 -0
package/src/composites/solr-fargate-service.ts +42 -0
package/src/generated/index.d.ts +991 -59
package/src/generated/index.ts +34 -5
package/src/generated/lexicon-aws.json +734 -435
package/src/index.ts +4 -0
package/src/lint/post-synth/waw032.test.ts +83 -0
package/src/lint/post-synth/waw032.ts +52 -0
package/src/lint/post-synth/waw033.test.ts +68 -0
package/src/lint/post-synth/waw033.ts +86 -0
package/src/lint/post-synth/waw034.test.ts +54 -0
package/src/lint/post-synth/waw034.ts +63 -0
package/src/lint/post-synth/waw035.test.ts +74 -0
package/src/lint/post-synth/waw035.ts +71 -0
package/src/lint/post-synth/waw036.test.ts +217 -0
package/src/lint/post-synth/waw036.ts +88 -0
package/src/lint/post-synth/waw037.test.ts +155 -0
package/src/lint/post-synth/waw037.ts +81 -0
package/src/serializer.ts +1 -3

package/src/composites/lambda-s3.ts CHANGED Viewed

@@ -5,33 +5,36 @@ import {
   Bucket_ServerSideEncryptionRule,
   Bucket_ServerSideEncryptionByDefault,
   Bucket_PublicAccessBlockConfiguration,
+  Bucket_NotificationConfiguration,
+  Bucket_LambdaConfiguration,
+  Permission,
   Role_Policy,
 } from "../generated";
-import { Sub } from "../intrinsics";
+import { Sub, Join } from "../intrinsics";
 import { S3Actions } from "../actions/s3";
 import { LambdaFunction, type LambdaFunctionProps } from "./lambda-function";
 export interface LambdaS3Props extends LambdaFunctionProps {
   bucketName?: string;
   access?: "ReadOnly" | "ReadWrite" | "Full";
+  trigger?: {
+    events?: string[];
+    prefix?: string;
+    suffix?: string;
+  };
   defaults?: LambdaFunctionProps["defaults"] & {
     bucket?: Partial<ConstructorParameters<typeof Bucket>[0]>;
   };
 }
 export const LambdaS3 = Composite<LambdaS3Props>((props) => {
-  const encryptionDefault = new Bucket_ServerSideEncryptionByDefault({
-    SSEAlgorithm: "AES256",
-  });
+  const encryptionDefault = new Bucket_ServerSideEncryptionByDefault({ SSEAlgorithm: "AES256" });
   const encryptionRule = new Bucket_ServerSideEncryptionRule({
     ServerSideEncryptionByDefault: encryptionDefault,
   });
   const bucketEncryption = new Bucket_BucketEncryption({
     ServerSideEncryptionConfiguration: [encryptionRule],
   });
   const publicAccessBlock = new Bucket_PublicAccessBlockConfiguration({
     BlockPublicAcls: true,
     BlockPublicPolicy: true,
@@ -40,30 +43,73 @@ export const LambdaS3 = Composite<LambdaS3Props>((props) => {
   });
   const { defaults } = props;
+  const access = props.access ?? "ReadWrite";
+  if (props.trigger) {
+    // Create Lambda first to break the circular CFN dependency.
+    // Compute bucket ARN from name (no GetAtt on bucket → no resource dep).
+    const name = props.bucketName ?? Sub`\${AWS::StackName}-bucket`;
+    const bucketArnBase = Join("", ["arn:aws:s3:::", name]);
+    const bucketArnWildcard = Join("", ["arn:aws:s3:::", name, "/*"]);
+    const s3Policy = new Role_Policy({
+      PolicyName: `S3${access}`,
+      PolicyDocument: {
+        Version: "2012-10-17",
+        Statement: [{ Effect: "Allow", Action: S3Actions[access], Resource: [bucketArnBase, bucketArnWildcard] }],
+      },
+    });
+    const policies = props.Policies ? [s3Policy, ...props.Policies] : [s3Policy];
+    const env = props.Environment ?? { Variables: {} };
+    const variables = { ...((env as any).Variables ?? {}), BUCKET_NAME: name };
+    const { role, func } = LambdaFunction({ ...props, Policies: policies, Environment: { Variables: variables } });
+    const permission = new Permission({
+      FunctionName: func.Arn,
+      Action: "lambda:InvokeFunction",
+      Principal: "s3.amazonaws.com",
+      SourceArn: bucketArnBase,
+    });
+    const { events = ["s3:ObjectCreated:*"], prefix, suffix } = props.trigger;
+    const rules: Array<{ Name: string; Value: string }> = [];
+    if (prefix) rules.push({ Name: "prefix", Value: prefix });
+    if (suffix) rules.push({ Name: "suffix", Value: suffix });
+    const lambdaConfigs = events.map((event) => new Bucket_LambdaConfiguration({
+      Event: event,
+      Function: func.Arn,
+      ...(rules.length > 0 && { Filter: { S3Key: { Rules: rules } } }),
+    }));
+    const notificationConfig = new Bucket_NotificationConfiguration({
+      LambdaConfigurations: lambdaConfigs,
+    });
+    const bucket = new Bucket(mergeDefaults({
+      BucketName: props.bucketName,
+      BucketEncryption: bucketEncryption,
+      PublicAccessBlockConfiguration: publicAccessBlock,
+      NotificationConfiguration: notificationConfig,
+    }, defaults?.bucket), { DependsOn: [permission] });
+    return { bucket, role, func, permission };
+  }
+  // Non-trigger path: original flow
   const bucket = new Bucket(mergeDefaults({
     BucketName: props.bucketName,
     BucketEncryption: bucketEncryption,
     PublicAccessBlockConfiguration: publicAccessBlock,
   }, defaults?.bucket));
-  const access = props.access ?? "ReadWrite";
   const s3PolicyDocument = {
     Version: "2012-10-17",
-    Statement: [
-      {
-        Effect: "Allow",
-        Action: S3Actions[access],
-        Resource: [bucket.Arn, Sub`${bucket.Arn}/*`],
-      },
-    ],
+    Statement: [{ Effect: "Allow", Action: S3Actions[access], Resource: [bucket.Arn, Sub`${bucket.Arn}/*`] }],
   };
-  const s3Policy = new Role_Policy({
-    PolicyName: `S3${access}`,
-    PolicyDocument: s3PolicyDocument,
-  });
+  const s3Policy = new Role_Policy({ PolicyName: `S3${access}`, PolicyDocument: s3PolicyDocument });
   const policies = props.Policies ? [s3Policy, ...props.Policies] : [s3Policy];
   const env = props.Environment ?? { Variables: {} };
   const variables = { ...((env as any).Variables ?? {}), BUCKET_NAME: bucket.Ref };

package/src/composites/minimal-vpc.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  Vpc,
+  Subnet,
+  InternetGateway,
+  VPCGatewayAttachment,
+  RouteTable,
+  EC2Route,
+  SubnetRouteTableAssociation,
+  SecurityGroup,
+} from "../generated";
+import { Select, GetAZs } from "../intrinsics";
+export interface MinimalVpcProps {
+  cidr?: string;
+  subnetCidr?: string;
+  defaults?: {
+    vpc?: Partial<ConstructorParameters<typeof Vpc>[0]>;
+    subnet?: Partial<ConstructorParameters<typeof Subnet>[0]>;
+    securityGroup?: Partial<ConstructorParameters<typeof SecurityGroup>[0]>;
+  };
+}
+export const MinimalVpc = Composite<MinimalVpcProps>((props) => {
+  const { defaults } = props;
+  const cidr = props.cidr ?? "10.0.0.0/24";
+  const subnetCidr = props.subnetCidr ?? "10.0.0.0/25";
+  const vpc = new Vpc(mergeDefaults({
+    CidrBlock: cidr,
+    EnableDnsHostnames: true,
+    EnableDnsSupport: true,
+  }, defaults?.vpc));
+  const subnet = new Subnet(mergeDefaults({
+    VpcId: vpc.VpcId,
+    CidrBlock: subnetCidr,
+    AvailabilityZone: Select(0, GetAZs("")),
+    MapPublicIpOnLaunch: true,
+  }, defaults?.subnet));
+  const igw = new InternetGateway({});
+  const igwAttachment = new VPCGatewayAttachment({
+    VpcId: vpc.VpcId,
+    InternetGatewayId: igw.InternetGatewayId,
+  });
+  const routeTable = new RouteTable({ VpcId: vpc.VpcId });
+  const defaultRoute = new EC2Route(
+    {
+      RouteTableId: routeTable.RouteTableId,
+      DestinationCidrBlock: "0.0.0.0/0",
+      GatewayId: igw.InternetGatewayId,
+    },
+    { DependsOn: [igwAttachment] },
+  );
+  const subnetRta = new SubnetRouteTableAssociation({
+    SubnetId: subnet.SubnetId,
+    RouteTableId: routeTable.RouteTableId,
+  });
+  const securityGroup = new SecurityGroup(mergeDefaults({
+    GroupDescription: "MinimalVpc default security group",
+    VpcId: vpc.VpcId,
+  }, defaults?.securityGroup));
+  return { vpc, subnet, igw, igwAttachment, routeTable, defaultRoute, subnetRta, securityGroup };
+}, "MinimalVpc");

package/src/composites/solr-fargate-service.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import { Composite } from "@intentius/chant";
+import { FargateService, FargateServiceProps } from "./fargate-service";
+export interface SolrFargateServiceProps extends FargateServiceProps {
+  /**
+   * JVM heap size passed as SOLR_HEAP. Defaults to 45% of task memory.
+   * Examples: "1843m", "4g". Must not exceed 50% of task memory.
+   */
+  solrHeap?: string;
+  /**
+   * GC tuning string passed as GC_TUNE.
+   * Default: "-XX:+UseG1GC -XX:MaxGCPauseMillis=200"
+   */
+  gcOpts?: string;
+}
+export const SolrFargateService = Composite<SolrFargateServiceProps>((props) => {
+  const memoryMb = parseInt(props.memory ?? "4096");
+  const solrHeap = props.solrHeap ?? `${Math.floor(memoryMb * 0.45)}m`;
+  const gcOpts = props.gcOpts ?? "-XX:+UseG1GC -XX:MaxGCPauseMillis=200";
+  // Solr env defaults — user-supplied environment entries override these
+  const solrEnv: Record<string, string> = {
+    SOLR_HEAP: solrHeap,
+    GC_TUNE: gcOpts,
+    SOLR_OPTS: "-XX:-UseLargePages",
+    ...props.environment,
+  };
+  // Solr-specific ulimit default — user-supplied ulimits override
+  const solrUlimits = props.ulimits ?? [
+    { name: "nofile", softLimit: 65535, hardLimit: 65535 },
+  ];
+  return FargateService({
+    containerPort: 8983,
+    healthCheckPath: "/solr/admin/info/health",
+    ...props,
+    environment: solrEnv,
+    ulimits: solrUlimits,
+  });
+}, "SolrFargateService");