@jaypie/constructs 1.1.60 → 1.1.62-rc.0

package/dist/cjs/JaypieDistribution.d.ts

@@ -0,0 +1,65 @@
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
+import * as acm from "aws-cdk-lib/aws-certificatemanager";
+import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import * as route53 from "aws-cdk-lib/aws-route53";
+import { Construct } from "constructs";
+export interface JaypieDistributionProps extends Omit<cloudfront.DistributionProps, "certificate" | "defaultBehavior"> {
+    /**
+     * SSL certificate for the CloudFront distribution
+     * @default true (creates a new certificate)
+     */
+    certificate?: boolean | acm.ICertificate;
+    /**
+     * Override default behavior (optional if handler is provided)
+     */
+    defaultBehavior?: cloudfront.BehaviorOptions;
+    /**
+     * The origin handler - can be an IOrigin, IFunctionUrl, or IFunction
+     * If IFunction, a FunctionUrl will be created with auth NONE
+     */
+    handler?: cloudfront.IOrigin | lambda.IFunctionUrl | lambda.IFunction;
+    /**
+     * The domain name for the distribution
+     * @default mergeDomain(CDK_ENV_API_SUBDOMAIN, CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE)
+     */
+    host?: string;
+    /**
+     * Invoke mode for Lambda Function URLs
+     * @default InvokeMode.BUFFERED
+     */
+    invokeMode?: lambda.InvokeMode;
+    /**
+     * Role tag for tagging resources
+     * @default CDK.ROLE.HOSTING
+     */
+    roleTag?: string;
+    /**
+     * The hosted zone for DNS records
+     * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
+     */
+    zone?: string | route53.IHostedZone;
+}
+export declare class JaypieDistribution extends Construct implements cloudfront.IDistribution {
+    readonly certificate?: acm.ICertificate;
+    readonly distribution: cloudfront.Distribution;
+    readonly distributionArn: string;
+    readonly distributionDomainName: string;
+    readonly distributionId: string;
+    readonly domainName: string;
+    readonly functionUrl?: lambda.FunctionUrl;
+    readonly host?: string;
+    constructor(scope: Construct, id: string, props: JaypieDistributionProps);
+    private isIOrigin;
+    private isIFunctionUrl;
+    private isIFunction;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    grant(identity: import("aws-cdk-lib/aws-iam").IGrantable, ...actions: string[]): import("aws-cdk-lib/aws-iam").Grant;
+    grantCreateInvalidation(identity: import("aws-cdk-lib/aws-iam").IGrantable): import("aws-cdk-lib/aws-iam").Grant;
+    get distributionRef(): cloudfront.DistributionReference;
+}

package/dist/cjs/JaypieEnvSecret.d.ts

@@ -17,7 +17,7 @@ export interface JaypieEnvSecretProps {
 export declare class JaypieEnvSecret extends Construct implements ISecret {
     private readonly _envKey?;
     private readonly _secret;
-    constructor(scope: Construct, id: string, props?: JaypieEnvSecretProps);
+    constructor(scope: Construct, idOrEnvKey: string, props?: JaypieEnvSecretProps);
     get stack(): Stack;
     get env(): {
         account: string;

package/dist/cjs/JaypieSsoGroups.d.ts

@@ -0,0 +1,121 @@
+import { Construct } from "constructs";
+import * as sso from "aws-cdk-lib/aws-sso";
+/**
+ * Account categories for SSO group assignments
+ */
+export interface JaypieSsoAccountMap {
+    development: string[];
+    management: string[];
+    operations: string[];
+    production: string[];
+    sandbox: string[];
+    security: string[];
+    stage: string[];
+}
+/**
+ * Mapping of group types to Google Workspace group GUIDs
+ */
+export interface JaypieSsoGroupMap {
+    administrators: string;
+    analysts: string;
+    developers: string;
+}
+/**
+ * IAM Policy Statement structure for inline policies
+ */
+export interface PolicyStatement {
+    Effect: "Allow" | "Deny";
+    Action: string[] | string;
+    Resource: string[] | string;
+    Condition?: Record<string, unknown>;
+}
+/**
+ * Properties for the JaypieSsoGroups construct
+ */
+export interface JaypieSsoGroupsProps {
+    /**
+     * ARN of the IAM Identity Center instance
+     */
+    instanceArn: string;
+    /**
+     * Mapping of account categories to AWS account IDs
+     */
+    accountMap: JaypieSsoAccountMap;
+    /**
+     * Mapping of group types to Google Workspace group GUIDs
+     */
+    groupMap: JaypieSsoGroupMap;
+    /**
+     * Additional inline policy statements to append to each group's permission set
+     * Each group can have its own set of policy statements that will be merged
+     * with the default policies.
+     */
+    inlinePolicyStatements?: {
+        administrators?: PolicyStatement[];
+        analysts?: PolicyStatement[];
+        developers?: PolicyStatement[];
+    };
+}
+/**
+ * Permission set types with corresponding AWS managed policies
+ */
+export declare enum PermissionSetType {
+    ADMINISTRATOR = "Administrator",
+    ANALYST = "Analyst",
+    DEVELOPER = "Developer"
+}
+/**
+ * Construct to simplify AWS SSO group management.
+ * This construct encapsulates the complexity of creating permission sets
+ * and assigning them to groups across multiple AWS accounts.
+ */
+export declare class JaypieSsoGroups extends Construct {
+    private readonly permissionSets;
+    private readonly instanceArn;
+    private readonly props;
+    constructor(scope: Construct, id: string, props: JaypieSsoGroupsProps);
+    /**
+     * Creates the Administrator permission set with AdministratorAccess policy
+     * and billing access
+     */
+    private createAdministratorPermissionSet;
+    /**
+     * Creates the Analyst permission set with ReadOnlyAccess policy
+     * and limited write access
+     */
+    private createAnalystPermissionSet;
+    /**
+     * Creates the Developer permission set with SystemAdministrator policy
+     * and expanded write access
+     */
+    private createDeveloperPermissionSet;
+    /**
+     * Gets the permission set for the specified type
+     */
+    getPermissionSet(type: PermissionSetType): sso.CfnPermissionSet;
+    /**
+     * Merges default inline policies with additional user-provided policy statements
+     *
+     * @param defaultPolicy - The default policy object with Version and Statement properties
+     * @param additionalStatements - Optional additional policy statements to merge
+     * @returns The merged policy object
+     */
+    private mergeInlinePolicies;
+    /**
+     * Creates assignments between permission sets, groups, and accounts
+     * based on the provided configuration
+     */
+    private createPermissionSetAssignments;
+    /**
+     * Assigns Administrator permissions to appropriate accounts
+     */
+    private assignAdministratorPermissions;
+    /**
+     * Assigns Analyst permissions to appropriate accounts
+     */
+    private assignAnalystPermissions;
+    /**
+     * Assigns Developer permissions to appropriate accounts
+     */
+    private assignDeveloperPermissions;
+}

package/dist/cjs/__tests__/JaypieDistribution.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/__tests__/JaypieSsoGroups.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/helpers/addDatadogLayer.d.ts

@@ -0,0 +1,5 @@
+import * as lambda from "aws-cdk-lib/aws-lambda";
+export interface AddDatadogLayerOptions {
+    datadogApiKeyArn?: string;
+}
+export declare function addDatadogLayer(lambdaFunction: lambda.Function, options?: AddDatadogLayerOptions): boolean;

package/dist/cjs/helpers/addParamsAndSecrets.d.ts

@@ -0,0 +1,12 @@
+import { Duration } from "aws-cdk-lib";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+export interface AddParamsAndSecretsOptions {
+    paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;
+    paramsAndSecretsOptions?: {
+        cacheSize?: number;
+        logLevel?: lambda.ParamsAndSecretsLogLevel;
+        parameterStoreTtl?: Duration;
+        secretsManagerTtl?: Duration;
+    };
+}
+export declare function addParamsAndSecrets(lambdaFunction: lambda.Function, options?: AddParamsAndSecretsOptions): boolean;

package/dist/cjs/helpers/projectEnvName.d.ts

@@ -0,0 +1,5 @@
+export declare function projectEnvName(name: string, opts?: {
+    env?: string;
+    key?: string;
+    nonce?: string;
+}): string;

package/dist/cjs/helpers/stackTagger.d.ts

@@ -0,0 +1,4 @@
+import { Stack } from "aws-cdk-lib";
+export declare function stackTagger(stack: Stack, { name }?: {
+    name?: string;
+}): boolean;

package/dist/cjs/index.cjs

@@ -18,14 +18,14 @@ var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
 var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
+var cloudfront = require('aws-cdk-lib/aws-cloudfront');
+var origins = require('aws-cdk-lib/aws-cloudfront-origins');
 var awsLogs = require('aws-cdk-lib/aws-logs');
 var cdkNextjsStandalone = require('cdk-nextjs-standalone');
 var path = require('path');
 var awsCloudtrail = require('aws-cdk-lib/aws-cloudtrail');
 var awsSso = require('aws-cdk-lib/aws-sso');
 var awsSam = require('aws-cdk-lib/aws-sam');
-var cloudfront = require('aws-cdk-lib/aws-cloudfront');
-var origins = require('aws-cdk-lib/aws-cloudfront-origins');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -56,9 +56,9 @@ var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestin
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
-var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
+var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
 
 const CDK$2 = {
     ACCOUNT: {
@@ -1659,6 +1659,180 @@ class JaypieDatadogForwarder extends constructs.Construct {
     }
 }
 
+class JaypieDistribution extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda__namespace.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.HOSTING, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
+        // Validate environment variables
+        if (process.env.CDK_ENV_API_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
+            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine host from props or environment
+        let host = propsHost;
+        if (!host) {
+            try {
+                if (process.env.CDK_ENV_API_HOST_NAME) {
+                    host = process.env.CDK_ENV_API_HOST_NAME;
+                }
+                else if (process.env.CDK_ENV_API_SUBDOMAIN) {
+                    host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+                        process.env.CDK_ENV_HOSTED_ZONE ||
+                        "");
+                }
+            }
+            catch {
+                host = undefined;
+            }
+        }
+        if (host && !isValidHostname$1(host)) {
+            throw new Error("Host is not a valid hostname");
+        }
+        this.host = host;
+        // Determine zone from props or environment
+        const zone = propsZone ||
+            process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE;
+        // Resolve the origin from handler
+        // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
+        // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
+        let origin;
+        if (handler) {
+            if (this.isIFunction(handler)) {
+                // Create FunctionUrl for the Lambda function
+                const functionUrl = new lambda__namespace.FunctionUrl(this, "FunctionUrl", {
+                    function: handler,
+                    authType: lambda__namespace.FunctionUrlAuthType.NONE,
+                    invokeMode,
+                });
+                this.functionUrl = functionUrl;
+                origin = new origins__namespace.FunctionUrlOrigin(functionUrl);
+            }
+            else if (this.isIFunctionUrl(handler)) {
+                origin = new origins__namespace.FunctionUrlOrigin(handler);
+            }
+            else if (this.isIOrigin(handler)) {
+                origin = handler;
+            }
+        }
+        // Build default behavior
+        let defaultBehavior;
+        if (propsDefaultBehavior) {
+            defaultBehavior = propsDefaultBehavior;
+        }
+        else if (origin) {
+            defaultBehavior = {
+                cachePolicy: cloudfront__namespace.CachePolicy.CACHING_DISABLED,
+                origin,
+                originRequestPolicy: cloudfront__namespace.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                viewerProtocolPolicy: cloudfront__namespace.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            };
+        }
+        else {
+            throw new Error("Either handler or defaultBehavior must be provided to JaypieDistribution");
+        }
+        // Resolve hosted zone and certificate
+        // Only resolve zone when we need it (for certificate or DNS)
+        let hostedZone;
+        let certificateToUse;
+        if (host && zone && certificateProp !== false) {
+            hostedZone = resolveHostedZone(this, { zone });
+            if (certificateProp === true) {
+                certificateToUse = new acm__namespace.Certificate(this, constructEnvName("Certificate"), {
+                    domainName: host,
+                    validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
+                });
+                cdk.Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            else if (typeof certificateProp === "object") {
+                certificateToUse = certificateProp;
+            }
+            this.certificate = certificateToUse;
+        }
+        // Create the CloudFront distribution
+        this.distribution = new cloudfront__namespace.Distribution(this, constructEnvName("Distribution"), {
+            defaultBehavior,
+            ...(host && certificateToUse
+                ? {
+                    certificate: certificateToUse,
+                    domainNames: [host],
+                }
+                : {}),
+            ...distributionProps,
+        });
+        cdk.Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
+        this.distributionArn = `arn:aws:cloudfront::${cdk.Stack.of(this).account}:distribution/${this.distribution.distributionId}`;
+        this.distributionDomainName = this.distribution.distributionDomainName;
+        this.distributionId = this.distribution.distributionId;
+        this.domainName = this.distribution.domainName;
+        // Create DNS record if we have host and zone
+        if (host && hostedZone) {
+            const record = new route53__namespace.ARecord(this, "AliasRecord", {
+                recordName: host,
+                target: route53__namespace.RecordTarget.fromAlias(new route53Targets__namespace.CloudFrontTarget(this.distribution)),
+                zone: hostedZone,
+            });
+            cdk.Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        }
+    }
+    // Type guards for handler types
+    isIOrigin(handler) {
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "bind" in handler &&
+            typeof handler.bind === "function");
+    }
+    isIFunctionUrl(handler) {
+        // FunctionUrl has 'url' property which is the function URL string
+        // IFunction does not have 'url' property
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "url" in handler &&
+            "functionArn" in handler);
+    }
+    isIFunction(handler) {
+        // IFunction has functionArn and functionName but NOT 'url'
+        // (FunctionUrl also has functionArn but also has 'url')
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "functionArn" in handler &&
+            "functionName" in handler &&
+            !("url" in handler));
+    }
+    // Implement IDistribution interface
+    get env() {
+        return {
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return this.distribution.stack;
+    }
+    applyRemovalPolicy(policy) {
+        this.distribution.applyRemovalPolicy(policy);
+    }
+    grant(identity, ...actions) {
+        return this.distribution.grant(identity, ...actions);
+    }
+    grantCreateInvalidation(identity) {
+        return this.distribution.grantCreateInvalidation(identity);
+    }
+    get distributionRef() {
+        return {
+            distributionId: this.distribution.distributionId,
+        };
+    }
+}
+
 // It is a consumer if the environment is ephemeral
 function checkEnvIsConsumer(env = process.env) {
     return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
@@ -1690,9 +1864,17 @@ function exportEnvName(name, env = process.env) {
     return cleanName(rawName);
 }
 class JaypieEnvSecret extends constructs.Construct {
-    constructor(scope, id, props) {
+    constructor(scope, idOrEnvKey, props) {
+        // Check if idOrEnvKey should be treated as envKey:
+        // - No props provided OR props.envKey is not set
+        // - AND idOrEnvKey exists as a non-empty string in process.env
+        const treatAsEnvKey = (!props || props.envKey === undefined) &&
+            typeof process.env[idOrEnvKey] === "string" &&
+            process.env[idOrEnvKey] !== "";
+        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer(), envKey, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
         this._envKey = envKey;
         let exportName;
         if (!exportParam) {
@@ -3012,6 +3194,7 @@ exports.JaypieBucketQueuedLambda = JaypieBucketQueuedLambda;
 exports.JaypieDatadogBucket = JaypieDatadogBucket;
 exports.JaypieDatadogForwarder = JaypieDatadogForwarder;
 exports.JaypieDatadogSecret = JaypieDatadogSecret;
+exports.JaypieDistribution = JaypieDistribution;
 exports.JaypieDnsRecord = JaypieDnsRecord;
 exports.JaypieEnvSecret = JaypieEnvSecret;
 exports.JaypieEventsRule = JaypieEventsRule;