@jaypie/constructs 1.1.61 → 1.1.62-rc.0

package/dist/cjs/index.d.ts

@@ -5,6 +5,7 @@ export { JaypieAppStack } from "./JaypieAppStack";
 export { JaypieBucketQueuedLambda } from "./JaypieBucketQueuedLambda";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
+export { JaypieDistribution, JaypieDistributionProps, } from "./JaypieDistribution";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieEnvSecret } from "./JaypieEnvSecret";

package/dist/esm/JaypieDistribution.d.ts

@@ -0,0 +1,65 @@
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
+import * as acm from "aws-cdk-lib/aws-certificatemanager";
+import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import * as route53 from "aws-cdk-lib/aws-route53";
+import { Construct } from "constructs";
+export interface JaypieDistributionProps extends Omit<cloudfront.DistributionProps, "certificate" | "defaultBehavior"> {
+    /**
+     * SSL certificate for the CloudFront distribution
+     * @default true (creates a new certificate)
+     */
+    certificate?: boolean | acm.ICertificate;
+    /**
+     * Override default behavior (optional if handler is provided)
+     */
+    defaultBehavior?: cloudfront.BehaviorOptions;
+    /**
+     * The origin handler - can be an IOrigin, IFunctionUrl, or IFunction
+     * If IFunction, a FunctionUrl will be created with auth NONE
+     */
+    handler?: cloudfront.IOrigin | lambda.IFunctionUrl | lambda.IFunction;
+    /**
+     * The domain name for the distribution
+     * @default mergeDomain(CDK_ENV_API_SUBDOMAIN, CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE)
+     */
+    host?: string;
+    /**
+     * Invoke mode for Lambda Function URLs
+     * @default InvokeMode.BUFFERED
+     */
+    invokeMode?: lambda.InvokeMode;
+    /**
+     * Role tag for tagging resources
+     * @default CDK.ROLE.HOSTING
+     */
+    roleTag?: string;
+    /**
+     * The hosted zone for DNS records
+     * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
+     */
+    zone?: string | route53.IHostedZone;
+}
+export declare class JaypieDistribution extends Construct implements cloudfront.IDistribution {
+    readonly certificate?: acm.ICertificate;
+    readonly distribution: cloudfront.Distribution;
+    readonly distributionArn: string;
+    readonly distributionDomainName: string;
+    readonly distributionId: string;
+    readonly domainName: string;
+    readonly functionUrl?: lambda.FunctionUrl;
+    readonly host?: string;
+    constructor(scope: Construct, id: string, props: JaypieDistributionProps);
+    private isIOrigin;
+    private isIFunctionUrl;
+    private isIFunction;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    grant(identity: import("aws-cdk-lib/aws-iam").IGrantable, ...actions: string[]): import("aws-cdk-lib/aws-iam").Grant;
+    grantCreateInvalidation(identity: import("aws-cdk-lib/aws-iam").IGrantable): import("aws-cdk-lib/aws-iam").Grant;
+    get distributionRef(): cloudfront.DistributionReference;
+}

package/dist/esm/JaypieSsoGroups.d.ts

@@ -0,0 +1,121 @@
+import { Construct } from "constructs";
+import * as sso from "aws-cdk-lib/aws-sso";
+/**
+ * Account categories for SSO group assignments
+ */
+export interface JaypieSsoAccountMap {
+    development: string[];
+    management: string[];
+    operations: string[];
+    production: string[];
+    sandbox: string[];
+    security: string[];
+    stage: string[];
+}
+/**
+ * Mapping of group types to Google Workspace group GUIDs
+ */
+export interface JaypieSsoGroupMap {
+    administrators: string;
+    analysts: string;
+    developers: string;
+}
+/**
+ * IAM Policy Statement structure for inline policies
+ */
+export interface PolicyStatement {
+    Effect: "Allow" | "Deny";
+    Action: string[] | string;
+    Resource: string[] | string;
+    Condition?: Record<string, unknown>;
+}
+/**
+ * Properties for the JaypieSsoGroups construct
+ */
+export interface JaypieSsoGroupsProps {
+    /**
+     * ARN of the IAM Identity Center instance
+     */
+    instanceArn: string;
+    /**
+     * Mapping of account categories to AWS account IDs
+     */
+    accountMap: JaypieSsoAccountMap;
+    /**
+     * Mapping of group types to Google Workspace group GUIDs
+     */
+    groupMap: JaypieSsoGroupMap;
+    /**
+     * Additional inline policy statements to append to each group's permission set
+     * Each group can have its own set of policy statements that will be merged
+     * with the default policies.
+     */
+    inlinePolicyStatements?: {
+        administrators?: PolicyStatement[];
+        analysts?: PolicyStatement[];
+        developers?: PolicyStatement[];
+    };
+}
+/**
+ * Permission set types with corresponding AWS managed policies
+ */
+export declare enum PermissionSetType {
+    ADMINISTRATOR = "Administrator",
+    ANALYST = "Analyst",
+    DEVELOPER = "Developer"
+}
+/**
+ * Construct to simplify AWS SSO group management.
+ * This construct encapsulates the complexity of creating permission sets
+ * and assigning them to groups across multiple AWS accounts.
+ */
+export declare class JaypieSsoGroups extends Construct {
+    private readonly permissionSets;
+    private readonly instanceArn;
+    private readonly props;
+    constructor(scope: Construct, id: string, props: JaypieSsoGroupsProps);
+    /**
+     * Creates the Administrator permission set with AdministratorAccess policy
+     * and billing access
+     */
+    private createAdministratorPermissionSet;
+    /**
+     * Creates the Analyst permission set with ReadOnlyAccess policy
+     * and limited write access
+     */
+    private createAnalystPermissionSet;
+    /**
+     * Creates the Developer permission set with SystemAdministrator policy
+     * and expanded write access
+     */
+    private createDeveloperPermissionSet;
+    /**
+     * Gets the permission set for the specified type
+     */
+    getPermissionSet(type: PermissionSetType): sso.CfnPermissionSet;
+    /**
+     * Merges default inline policies with additional user-provided policy statements
+     *
+     * @param defaultPolicy - The default policy object with Version and Statement properties
+     * @param additionalStatements - Optional additional policy statements to merge
+     * @returns The merged policy object
+     */
+    private mergeInlinePolicies;
+    /**
+     * Creates assignments between permission sets, groups, and accounts
+     * based on the provided configuration
+     */
+    private createPermissionSetAssignments;
+    /**
+     * Assigns Administrator permissions to appropriate accounts
+     */
+    private assignAdministratorPermissions;
+    /**
+     * Assigns Analyst permissions to appropriate accounts
+     */
+    private assignAnalystPermissions;
+    /**
+     * Assigns Developer permissions to appropriate accounts
+     */
+    private assignDeveloperPermissions;
+}

package/dist/esm/__tests__/JaypieDistribution.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/esm/__tests__/JaypieSsoGroups.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/esm/helpers/addDatadogLayer.d.ts

@@ -0,0 +1,5 @@
+import * as lambda from "aws-cdk-lib/aws-lambda";
+export interface AddDatadogLayerOptions {
+    datadogApiKeyArn?: string;
+}
+export declare function addDatadogLayer(lambdaFunction: lambda.Function, options?: AddDatadogLayerOptions): boolean;

package/dist/esm/helpers/addParamsAndSecrets.d.ts

@@ -0,0 +1,12 @@
+import { Duration } from "aws-cdk-lib";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+export interface AddParamsAndSecretsOptions {
+    paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;
+    paramsAndSecretsOptions?: {
+        cacheSize?: number;
+        logLevel?: lambda.ParamsAndSecretsLogLevel;
+        parameterStoreTtl?: Duration;
+        secretsManagerTtl?: Duration;
+    };
+}
+export declare function addParamsAndSecrets(lambdaFunction: lambda.Function, options?: AddParamsAndSecretsOptions): boolean;

package/dist/esm/helpers/projectEnvName.d.ts

@@ -0,0 +1,5 @@
+export declare function projectEnvName(name: string, opts?: {
+    env?: string;
+    key?: string;
+    nonce?: string;
+}): string;

package/dist/esm/helpers/stackTagger.d.ts

@@ -0,0 +1,4 @@
+import { Stack } from "aws-cdk-lib";
+export declare function stackTagger(stack: Stack, { name }?: {
+    name?: string;
+}): boolean;

package/dist/esm/index.d.ts

@@ -5,6 +5,7 @@ export { JaypieAppStack } from "./JaypieAppStack";
 export { JaypieBucketQueuedLambda } from "./JaypieBucketQueuedLambda";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
+export { JaypieDistribution, JaypieDistributionProps, } from "./JaypieDistribution";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieEnvSecret } from "./JaypieEnvSecret";

package/dist/esm/index.js

@@ -20,14 +20,14 @@ import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
 import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import { Nextjs } from 'cdk-nextjs-standalone';
 import * as path from 'path';
 import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
 import { CfnPermissionSet, CfnAssignment } from 'aws-cdk-lib/aws-sso';
 import { CfnApplication } from 'aws-cdk-lib/aws-sam';
-import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
-import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 
 const CDK$2 = {
     ACCOUNT: {
@@ -1628,6 +1628,180 @@ class JaypieDatadogForwarder extends Construct {
     }
 }
 
+class JaypieDistribution extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.HOSTING, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
+        // Validate environment variables
+        if (process.env.CDK_ENV_API_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
+            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine host from props or environment
+        let host = propsHost;
+        if (!host) {
+            try {
+                if (process.env.CDK_ENV_API_HOST_NAME) {
+                    host = process.env.CDK_ENV_API_HOST_NAME;
+                }
+                else if (process.env.CDK_ENV_API_SUBDOMAIN) {
+                    host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+                        process.env.CDK_ENV_HOSTED_ZONE ||
+                        "");
+                }
+            }
+            catch {
+                host = undefined;
+            }
+        }
+        if (host && !isValidHostname$1(host)) {
+            throw new Error("Host is not a valid hostname");
+        }
+        this.host = host;
+        // Determine zone from props or environment
+        const zone = propsZone ||
+            process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE;
+        // Resolve the origin from handler
+        // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
+        // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
+        let origin;
+        if (handler) {
+            if (this.isIFunction(handler)) {
+                // Create FunctionUrl for the Lambda function
+                const functionUrl = new lambda.FunctionUrl(this, "FunctionUrl", {
+                    function: handler,
+                    authType: lambda.FunctionUrlAuthType.NONE,
+                    invokeMode,
+                });
+                this.functionUrl = functionUrl;
+                origin = new origins.FunctionUrlOrigin(functionUrl);
+            }
+            else if (this.isIFunctionUrl(handler)) {
+                origin = new origins.FunctionUrlOrigin(handler);
+            }
+            else if (this.isIOrigin(handler)) {
+                origin = handler;
+            }
+        }
+        // Build default behavior
+        let defaultBehavior;
+        if (propsDefaultBehavior) {
+            defaultBehavior = propsDefaultBehavior;
+        }
+        else if (origin) {
+            defaultBehavior = {
+                cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
+                origin,
+                originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            };
+        }
+        else {
+            throw new Error("Either handler or defaultBehavior must be provided to JaypieDistribution");
+        }
+        // Resolve hosted zone and certificate
+        // Only resolve zone when we need it (for certificate or DNS)
+        let hostedZone;
+        let certificateToUse;
+        if (host && zone && certificateProp !== false) {
+            hostedZone = resolveHostedZone(this, { zone });
+            if (certificateProp === true) {
+                certificateToUse = new acm.Certificate(this, constructEnvName("Certificate"), {
+                    domainName: host,
+                    validation: acm.CertificateValidation.fromDns(hostedZone),
+                });
+                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            else if (typeof certificateProp === "object") {
+                certificateToUse = certificateProp;
+            }
+            this.certificate = certificateToUse;
+        }
+        // Create the CloudFront distribution
+        this.distribution = new cloudfront.Distribution(this, constructEnvName("Distribution"), {
+            defaultBehavior,
+            ...(host && certificateToUse
+                ? {
+                    certificate: certificateToUse,
+                    domainNames: [host],
+                }
+                : {}),
+            ...distributionProps,
+        });
+        Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
+        this.distributionArn = `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`;
+        this.distributionDomainName = this.distribution.distributionDomainName;
+        this.distributionId = this.distribution.distributionId;
+        this.domainName = this.distribution.domainName;
+        // Create DNS record if we have host and zone
+        if (host && hostedZone) {
+            const record = new route53.ARecord(this, "AliasRecord", {
+                recordName: host,
+                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
+                zone: hostedZone,
+            });
+            Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        }
+    }
+    // Type guards for handler types
+    isIOrigin(handler) {
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "bind" in handler &&
+            typeof handler.bind === "function");
+    }
+    isIFunctionUrl(handler) {
+        // FunctionUrl has 'url' property which is the function URL string
+        // IFunction does not have 'url' property
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "url" in handler &&
+            "functionArn" in handler);
+    }
+    isIFunction(handler) {
+        // IFunction has functionArn and functionName but NOT 'url'
+        // (FunctionUrl also has functionArn but also has 'url')
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "functionArn" in handler &&
+            "functionName" in handler &&
+            !("url" in handler));
+    }
+    // Implement IDistribution interface
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return this.distribution.stack;
+    }
+    applyRemovalPolicy(policy) {
+        this.distribution.applyRemovalPolicy(policy);
+    }
+    grant(identity, ...actions) {
+        return this.distribution.grant(identity, ...actions);
+    }
+    grantCreateInvalidation(identity) {
+        return this.distribution.grantCreateInvalidation(identity);
+    }
+    get distributionRef() {
+        return {
+            distributionId: this.distribution.distributionId,
+        };
+    }
+}
+
 // It is a consumer if the environment is ephemeral
 function checkEnvIsConsumer(env = process.env) {
     return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
@@ -2981,5 +3155,5 @@ class JaypieWebDeploymentBucket extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
 //# sourceMappingURL=index.js.map