@jaypie/constructs 1.1.52 → 1.1.54

package/dist/esm/index.js

@@ -1,8 +1,8 @@
-import { CDK as CDK$2, ConfigurationError, mergeDomain, isValidSubdomain, isValidHostname as isValidHostname$1 } from '@jaypie/cdk';
-export { CDK } from '@jaypie/cdk';
-import { Construct } from 'constructs';
 import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Duration, RemovalPolicy, Fn, CfnOutput, SecretValue } from 'aws-cdk-lib';
+import { Tags, Stack, Duration, RemovalPolicy, CfnStack, Fn, CfnOutput, SecretValue } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
+import { Construct } from 'constructs';
 import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as apiGateway from 'aws-cdk-lib/aws-apigateway';
 import * as route53 from 'aws-cdk-lib/aws-route53';
@@ -10,20 +10,242 @@ import { TxtRecord, NsRecord, MxRecord, CnameRecord, ARecord, RecordTarget, Host
 import * as route53Targets from 'aws-cdk-lib/aws-route53-targets';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import { DatadogLambda } from 'datadog-cdk-constructs-v2';
+import { ConfigurationError } from '@jaypie/errors';
+import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
-import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
+import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
-import { Role, FederatedPrincipal, PolicyStatement, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
+import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
+import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
+import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
 import { CfnPermissionSet, CfnAssignment } from 'aws-cdk-lib/aws-sso';
 import { CfnApplication } from 'aws-cdk-lib/aws-sam';
-import { ConfigurationError as ConfigurationError$1 } from '@jaypie/errors';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 
+const CDK$2 = {
+    ACCOUNT: {
+        DEVELOPMENT: "development",
+        MANAGEMENT: "management",
+        OPERATIONS: "operations",
+        PRODUCTION: "production",
+        SANDBOX: "sandbox",
+        SECURITY: "security",
+        STAGE: "stage",
+    },
+    BUILD: {
+        CONFIG: {
+            ALL: "all",
+            API: "api",
+            INFRASTRUCTURE: "infrastructure",
+            NONE: "none",
+            WEB: "web",
+        },
+        PERSONAL: "personal",
+        /**
+         * @deprecated rename "ephemeral" to "personal" (since 2/24/2025)
+         */
+        EPHEMERAL: "ephemeral",
+        /**
+         * @deprecated as even "ephemeral" builds have static assets (since 7/6/2024)
+         */
+        STATIC: "static",
+    },
+    CREATION: {
+        CDK: "cdk",
+        CLOUDFORMATION_TEMPLATE: "template",
+        MANUAL: "manual",
+    },
+    DATADOG: {
+        SITE: "datadoghq.com",
+        LAYER: {
+            // https://docs.datadoghq.com/serverless/aws_lambda/installation/nodejs/?tab=awscdk
+            NODE: 127, // 127 on 9/12/2025
+            EXTENSION: 86, // 86 on 9/12/2025
+        },
+    },
+    DEFAULT: {
+        REGION: "us-east-1",
+    },
+    DNS: {
+        CONFIG: {
+            TTL: 300, // 5 minutes in seconds for Route53
+        },
+        RECORD: {
+            A: "A",
+            CNAME: "CNAME",
+            MX: "MX",
+            NS: "NS",
+            TXT: "TXT",
+        },
+    },
+    DURATION: {
+        EXPRESS_API: 30,
+        LAMBDA_MAXIMUM: 900,
+        LAMBDA_WORKER: 900,
+    },
+    ENV: {
+        DEMO: "demo", // Mirror of production
+        DEVELOPMENT: "development", // Internal most stable development space
+        /** @deprecated */ EPHEMERAL: "ephemeral", // Alias for "build"
+        LOCAL: "local",
+        /** @deprecated */ MAIN: "main", // Alias for development
+        META: "meta", // For non-environment/infrastructure stacks
+        PERSONAL: "personal", // Personal builds using resources provided by sandbox
+        PREVIEW: "preview", // External next thing to be released
+        PRODUCTION: "production",
+        RELEASE: "release", // Internal next thing to be released
+        REVIEW: "review", // Internal place to collaborate on issues
+        SANDBOX: "sandbox", // Internal build space with no guaranteed longevity
+        TRAINING: "training", // aka "test"; mirror of production for external audiences
+    },
+    HOST: {
+        APEX: "@",
+    },
+    IMPORT: {
+        DATADOG_LOG_FORWARDER: "account-datadog-forwarder",
+        DATADOG_ROLE: "account-datadog-role",
+        DATADOG_SECRET: "account-datadog-secret",
+        LOG_BUCKET: "account-log-bucket",
+        OIDC_PROVIDER: "github-oidc-provider",
+    },
+    LAMBDA: {
+        LOG_RETENTION: 90,
+        MEMORY_SIZE: 1024,
+    },
+    PRINCIPAL: {
+        ROUTE53: "route53.amazonaws.com",
+    },
+    PRINCIPAL_TYPE: {
+        GROUP: "GROUP",
+        USER: "USER",
+    },
+    PROJECT: {
+        INFRASTRUCTURE: "infrastructure",
+    },
+    ROLE: {
+        API: "api",
+        DEPLOY: "deploy",
+        HOSTING: "hosting",
+        MONITORING: "monitoring",
+        NETWORKING: "networking",
+        PROCESSING: "processing",
+        SECURITY: "security",
+        STACK: "stack",
+        STORAGE: "storage",
+        TOY: "toy",
+    },
+    SERVICE: {
+        DATADOG: "datadog",
+        INFRASTRUCTURE: "infrastructure",
+        LIBRARIES: "libraries",
+        NONE: "none",
+        SSO: "sso",
+        TRACE: "trace",
+    },
+    TAG: {
+        BUILD_DATE: "buildDate",
+        BUILD_HEX: "buildHex",
+        BUILD_NUMBER: "buildNumber",
+        BUILD_TIME: "buildTime",
+        BUILD_TYPE: "buildType",
+        COMMIT: "commit",
+        CREATION: "creation",
+        ENV: "env",
+        NONCE: "nonce",
+        PROJECT: "project",
+        ROLE: "role",
+        SERVICE: "service",
+        SPONSOR: "sponsor",
+        STACK: "stack",
+        STACK_SHA: "stackSha",
+        VENDOR: "vendor",
+        VERSION: "version",
+    },
+    TARGET_TYPE: {
+        AWS_ACCOUNT: "AWS_ACCOUNT",
+    },
+    VENDOR: {
+        ANTHROPIC: "anthropic",
+        AUTH0: "auth0",
+        DATADOG: "datadog",
+        KNOWTRACE: "knowtrace",
+        MONGODB: "mongodb",
+        OPENAI: "openai",
+        SPLINTERLANDS: "splinterlands",
+    },
+};
+
+class JaypieAccountLoggingBucket extends Construct {
+    /**
+     * Create a new account-wide logging S3 bucket with lifecycle policies and export
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "AccountLoggingBucket";
+        }
+        super(scope, id);
+        // Generate default bucket name with PROJECT_NONCE
+        const defaultBucketName = process.env.PROJECT_NONCE
+            ? `account-logging-stack-${process.env.PROJECT_NONCE.toLowerCase()}`
+            : "account-logging-stack";
+        // Extract Jaypie-specific options
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { bucketName = defaultBucketName, createOutput = true, expirationDays = 365, exportName = CDK$2.IMPORT.LOG_BUCKET, glacierTransitionDays = 180, id: _id, infrequentAccessTransitionDays = 30, outputDescription = "Account-wide logging bucket", project, service = CDK$2.SERVICE.INFRASTRUCTURE, ...bucketProps } = props;
+        // Create the bucket with lifecycle rules
+        this.bucket = new Bucket(this, "Bucket", {
+            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: StorageClass.GLACIER,
+                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+            ...bucketProps,
+        });
+        // Add tags
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (service) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        }
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk.CfnOutput(this, "BucketNameOutput", {
+                description: outputDescription,
+                exportName,
+                value: this.bucket.bucketName,
+            });
+        }
+    }
+}
+
 function addDatadogLayers(lambdaFunction, options = {}) {
     const datadogApiKeyArn = options?.datadogApiKeyArn;
     const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
@@ -146,6 +368,55 @@ function envHostname({ component, domain, env, subdomain, } = {}) {
     return parts.join(".");
 }
 
+/**
+ * Extends the Datadog IAM role with additional permissions
+ *
+ * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+ * If found, creates a custom policy with:
+ * - budgets:ViewBudget
+ * - logs:DescribeLogGroups
+ *
+ * @param scope - The construct scope
+ * @param options - Configuration options
+ * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+ */
+function extendDatadogRole(scope, options) {
+    const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+    // Early return if no Datadog role ARN is configured
+    if (!datadogRoleArn) {
+        return undefined;
+    }
+    const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
+    // Lookup the Datadog role
+    const datadogRole = Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
+    // Build policy statements
+    const statements = [
+        // Allow view budget
+        new PolicyStatement({
+            actions: ["budgets:ViewBudget"],
+            resources: ["*"],
+        }),
+        // Allow describe log groups
+        new PolicyStatement({
+            actions: ["logs:DescribeLogGroups"],
+            resources: ["*"],
+        }),
+    ];
+    // Create the custom policy
+    const datadogCustomPolicy = new Policy(scope, id, {
+        roles: [datadogRole],
+        statements,
+    });
+    // Add tags
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.SERVICE, service);
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+    if (project) {
+        cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.PROJECT, project);
+    }
+    return datadogCustomPolicy;
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -165,6 +436,79 @@ function isSandboxEnv() {
     return isEnv(CDK$2.ENV.SANDBOX);
 }
 
+// In short the RFC 1035 standard for valid hostnames is:
+// 1. Must be less than 253 characters
+// 2. Must start with a letter
+// 3. Must end with a letter or number
+// 4. Can only contain letters, numbers, and hyphens
+// 5. Last part of the domain must be at least 2 characters
+function validPart$1(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidHostname$1(hostname) {
+    // Check hostname is a string
+    if (typeof hostname !== "string")
+        return false;
+    // Convert hostname to lowercase
+    const check = hostname.toString().toLowerCase();
+    // Check hostname is less than 253 characters
+    if (check.length > 253)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart$1);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Confirm last part is at least 2 characters
+    const lastPart = parts[parts.length - 1];
+    if (lastPart.length < 2)
+        return false;
+    // Confirm last part is all letters
+    if (!lastPart.match(/^[a-z]+$/))
+        return false;
+    // This is a valid hostname
+    return true;
+}
+
+function validPart(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidSubdomain(subdomain) {
+    // Check subdomain is a string
+    if (typeof subdomain !== "string")
+        return false;
+    // Special case for apex
+    if (subdomain === CDK$2.HOST.APEX)
+        return true;
+    // Convert subdomain to lowercase
+    const check = subdomain.toString().toLowerCase();
+    // Check subdomain is less than 250 characters
+    // We use 250 instead of 253 because we need to leave room for the dot top-level domain
+    if (check.length > 250)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Do not care if last part is at least 2 characters
+    // Do not care if last part is all letters
+    // This is a valid subdomain
+    return true;
+}
+
 function jaypieLambdaEnv(options = {}) {
     const { initialEnvironment = {} } = options;
     // Start with empty environment - we'll only add valid values
@@ -219,6 +563,21 @@ function jaypieLambdaEnv(options = {}) {
     return environment;
 }
 
+function mergeDomain(subDomain, hostedZone) {
+    if (!hostedZone) {
+        throw new ConfigurationError("hostedZone is required");
+    }
+    if (!subDomain) {
+        // Return hostedZone if subDomain is not passed
+        // Pass CDK.HOST.APEX to explicitly indicate apex domain
+        return hostedZone;
+    }
+    if (subDomain === CDK$2.HOST.APEX) {
+        return hostedZone;
+    }
+    return `${subDomain}.${hostedZone}`;
+}
+
 const DEFAULT_FUNCTION_NAME$1 = "DatadogForwarderFunction";
 // Cache to store resolved functions
 // Using nested structure to support multiple functions per scope with automatic GC
@@ -1097,6 +1456,175 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     }
 }
 
+class JaypieDatadogBucket extends Construct {
+    /**
+     * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "DatadogArchiveBucket";
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { grantDatadogAccess = true, id: _id, project, service = CDK$2.SERVICE.DATADOG, ...bucketProps } = props;
+        // Create the bucket
+        this.bucket = new Bucket(this, "Bucket", bucketProps);
+        // Add tags to bucket
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Grant Datadog role access to bucket if enabled
+        if (grantDatadogAccess) {
+            this.policy = this.grantDatadogRoleBucketAccess({ project, service });
+        }
+    }
+    /**
+     * Grants the Datadog IAM role access to this bucket
+     *
+     * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+     * If found, creates a custom policy with:
+     * - s3:ListBucket on bucket
+     * - s3:GetObject and s3:PutObject on bucket/*
+     *
+     * @param options - Configuration options
+     * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+     */
+    grantDatadogRoleBucketAccess(options) {
+        const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+        // Early return if no Datadog role ARN is configured
+        if (!datadogRoleArn) {
+            return undefined;
+        }
+        const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
+        // Lookup the Datadog role
+        const datadogRole = Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
+        // Build policy statements for bucket access
+        const statements = [
+            // Allow list bucket
+            new PolicyStatement({
+                actions: ["s3:ListBucket"],
+                resources: [this.bucket.bucketArn],
+            }),
+            // Allow read and write to the bucket
+            new PolicyStatement({
+                actions: ["s3:GetObject", "s3:PutObject"],
+                resources: [`${this.bucket.bucketArn}/*`],
+            }),
+        ];
+        // Create the custom policy
+        const datadogBucketPolicy = new Policy(this, "DatadogBucketPolicy", {
+            roles: [datadogRole],
+            statements,
+        });
+        // Add tags
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.PROJECT, project);
+        }
+        return datadogBucketPolicy;
+    }
+}
+
+const DATADOG_FORWARDER_TEMPLATE_URL = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml";
+const DEFAULT_RESERVED_CONCURRENCY = "10";
+class JaypieDatadogForwarder extends Construct {
+    /**
+     * Create a new Datadog forwarder with CloudFormation nested stack
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "DatadogForwarder";
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { account = process.env.CDK_ENV_ACCOUNT, additionalTags, createOutput = true, datadogApiKey = process.env.CDK_ENV_DATADOG_API_KEY, enableCloudFormationEvents = true, enableRoleExtension = true, exportName = CDK$2.IMPORT.DATADOG_LOG_FORWARDER, project, reservedConcurrency = DEFAULT_RESERVED_CONCURRENCY, service = CDK$2.VENDOR.DATADOG, templateUrl = DATADOG_FORWARDER_TEMPLATE_URL, } = props;
+        // Validate required parameters
+        if (!datadogApiKey) {
+            throw new Error("Datadog API key is required. Provide via datadogApiKey prop or CDK_ENV_DATADOG_API_KEY environment variable.");
+        }
+        // Build Datadog tags
+        let ddTags = account ? `account:${account}` : "";
+        if (additionalTags) {
+            ddTags = ddTags ? `${ddTags},${additionalTags}` : additionalTags;
+        }
+        // Deploy Datadog CloudFormation stack
+        this.cfnStack = new CfnStack(this, "Stack", {
+            parameters: {
+                DdApiKey: datadogApiKey,
+                DdTags: ddTags,
+                ReservedConcurrency: reservedConcurrency,
+            },
+            templateUrl,
+        });
+        // Add tags to stack
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Extract forwarder function from stack outputs
+        this.forwarderFunction = lambda.Function.fromFunctionArn(this, "Function", this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString());
+        // Extend Datadog role with custom permissions if enabled
+        if (enableRoleExtension) {
+            extendDatadogRole(this, { project, service });
+        }
+        // Create CloudFormation events rule if enabled
+        if (enableCloudFormationEvents) {
+            this.eventsRule = new Rule(this, "CloudFormationEventsRule", {
+                eventPattern: {
+                    source: ["aws.cloudformation"],
+                },
+                targets: [
+                    new LambdaFunction(this.forwarderFunction, {
+                        event: RuleTargetInput.fromEventPath("$"),
+                    }),
+                ],
+            });
+            // Add tags to events rule
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.SERVICE, service);
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+            if (project) {
+                cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk.CfnOutput(this, "ForwarderArnOutput", {
+                description: "Datadog Log Forwarder Lambda ARN",
+                exportName,
+                value: this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString(),
+            });
+        }
+    }
+}
+
 // It is a consumer if the environment is ephemeral
 function checkEnvIsConsumer(env = process.env) {
     return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
@@ -1320,6 +1848,86 @@ class JaypieDnsRecord extends Construct {
     }
 }
 
+class JaypieEventsRule extends Construct {
+    /**
+     * Create a new EventBridge rule that targets a Lambda function
+     */
+    constructor(scope, idOrSourceOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrSourceOrProps === "string") {
+            // Check if it looks like an AWS source (starts with "aws.")
+            if (idOrSourceOrProps.startsWith("aws.")) {
+                // First param is source, second is props
+                props = propsOrUndefined || {};
+                props.source = idOrSourceOrProps;
+                // Generate ID from source
+                const sourceName = idOrSourceOrProps
+                    .replace("aws.", "")
+                    .split(".")
+                    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                    .join("");
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                // First param is ID, second is props
+                props = propsOrUndefined || {};
+                id = idOrSourceOrProps;
+            }
+        }
+        else {
+            // First param is props
+            props = idOrSourceOrProps || {};
+            if (props.source) {
+                const sourceName = typeof props.source === "string"
+                    ? props.source
+                        .replace("aws.", "")
+                        .split(".")
+                        .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                        .join("")
+                    : "Events";
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                id = props.id || "EventsRule";
+            }
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        const { id: _id, project, service = CDK$2.SERVICE.DATADOG, source, targetFunction, vendor = CDK$2.VENDOR.DATADOG, ...ruleProps } = props;
+        // Resolve target function
+        this.targetFunction =
+            targetFunction || resolveDatadogForwarderFunction(scope);
+        // Build event pattern if source is specified
+        const eventPattern = source
+            ? {
+                ...ruleProps.eventPattern,
+                source: Array.isArray(source) ? source : [source],
+            }
+            : ruleProps.eventPattern;
+        // Build rule props
+        const finalRuleProps = {
+            ...ruleProps,
+            eventPattern,
+            targets: [
+                new LambdaFunction(this.targetFunction, {
+                    event: RuleTargetInput.fromEventPath("$"),
+                }),
+            ],
+        };
+        // Create the rule
+        this.rule = new Rule(this, "Rule", finalRuleProps);
+        // Add tags
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.VENDOR, vendor);
+        if (project) {
+            cdk.Tags.of(this.rule).add(CDK$2.TAG.PROJECT, project);
+        }
+    }
+}
+
 class JaypieGitHubDeployRole extends Construct {
     constructor(scope, id = "GitHubDeployRole", props = {}) {
         super(scope, id);
@@ -1565,6 +2173,100 @@ class JaypieOpenAiSecret extends JaypieEnvSecret {
     }
 }
 
+class JaypieOrganizationTrail extends Construct {
+    /**
+     * Create a new organization CloudTrail with S3 bucket and lifecycle policies
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            const defaultName = process.env.PROJECT_NONCE
+                ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+                : "organization-cloudtrail";
+            id = props.id || `${props.trailName || defaultName}-Trail`;
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { bucketName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", } = props;
+        // Create the S3 bucket for CloudTrail logs
+        this.bucket = new Bucket(this, "Bucket", {
+            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: StorageClass.GLACIER,
+                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+        });
+        // Add CloudTrail bucket policies
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            actions: ["s3:GetBucketAcl"],
+            effect: Effect.ALLOW,
+            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [this.bucket.bucketArn],
+        }));
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            actions: ["s3:PutObject"],
+            conditions: {
+                StringEquals: {
+                    "s3:x-amz-acl": "bucket-owner-full-control",
+                },
+            },
+            effect: Effect.ALLOW,
+            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [`${this.bucket.bucketArn}/*`],
+        }));
+        // Add tags to bucket
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Add Datadog notifications if enabled
+        if (enableDatadogNotifications) {
+            const datadogForwarderFunction = resolveDatadogForwarderFunction(scope);
+            this.bucket.addEventNotification(EventType.OBJECT_CREATED, new LambdaDestination(datadogForwarderFunction));
+        }
+        // Create the organization trail
+        this.trail = new Trail(this, "Trail", {
+            bucket: this.bucket,
+            enableFileValidation,
+            isOrganizationTrail: true,
+            managementEvents: ReadWriteType.ALL,
+            trailName,
+        });
+        // Add tags to trail
+        cdk.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
+        }
+    }
+}
+
 /**
  * JaypieSsoPermissions Construct
  *
@@ -1879,7 +2581,7 @@ class JaypieSsoSyncApplication extends Construct {
             missingParams.push(`scimEndpointUrl or ${scimEndpointUrlEnvKey} environment variable`);
         }
         if (missingParams.length > 0) {
-            throw new ConfigurationError$1(`JaypieSsoSyncApplication missing required configuration: ${missingParams.join(", ")}`);
+            throw new ConfigurationError(`JaypieSsoSyncApplication missing required configuration: ${missingParams.join(", ")}`);
         }
         // Create the SSO Sync Application
         // Type assertion is safe because we validated all required values above
@@ -2178,5 +2880,5 @@ class JaypieWebDeploymentBucket extends Construct {
     }
 }
 
-export { JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogSecret, JaypieDnsRecord, JaypieEnvSecret, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieOpenAiSecret, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, isEnv, isProductionEnv, isSandboxEnv, jaypieLambdaEnv, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
 //# sourceMappingURL=index.js.map