@jaypie/constructs 1.1.62-rc.0 → 1.1.62-rc.1

package/dist/cjs/JaypieLambda.d.ts

@@ -1,9 +1,10 @@
 import { Construct } from "constructs";
 import { Duration, Stack, RemovalPolicy } from "aws-cdk-lib";
 import * as lambda from "aws-cdk-lib/aws-lambda";
-import * as iam from "aws-cdk-lib/aws-iam";
 import * as cloudwatch from "aws-cdk-lib/aws-cloudwatch";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
+import * as iam from "aws-cdk-lib/aws-iam";
+import * as logs from "aws-cdk-lib/aws-logs";
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
 import { JaypieEnvSecret } from "./JaypieEnvSecret.js";
 export interface JaypieLambdaProps {
@@ -27,9 +28,8 @@ export interface JaypieLambdaProps {
     handler: string;
     initialPolicy?: iam.PolicyStatement[];
     layers?: lambda.ILayerVersion[];
-    logRetention?: number;
-    logRetentionRole?: iam.IRole;
-    logRetentionRetryOptions?: lambda.LogRetentionRetryOptions;
+    logGroup?: logs.ILogGroup;
+    logRetention?: logs.RetentionDays | number;
     maxEventAge?: Duration;
     memorySize?: number;
     paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;

package/dist/cjs/index.cjs

@@ -16,11 +16,11 @@ var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
 var s3n = require('aws-cdk-lib/aws-s3-notifications');
 var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
+var logs = require('aws-cdk-lib/aws-logs');
 var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
 var origins = require('aws-cdk-lib/aws-cloudfront-origins');
-var awsLogs = require('aws-cdk-lib/aws-logs');
 var cdkNextjsStandalone = require('cdk-nextjs-standalone');
 var path = require('path');
 var awsCloudtrail = require('aws-cdk-lib/aws-cloudtrail');
@@ -56,6 +56,7 @@ var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestin
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
+var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
 var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
@@ -900,7 +901,7 @@ class JaypieAppStack extends JaypieStack {
 class JaypieLambda extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture = lambda__namespace.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture = lambda__namespace.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
         const codeAsset = typeof code === "string" ? lambda__namespace.Code.fromAsset(code) : code;
@@ -926,6 +927,12 @@ class JaypieLambda extends constructs.Construct {
             paramsAndSecrets,
             options: paramsAndSecretsOptions,
         });
+        // Create LogGroup if not provided
+        const resolvedLogGroup = logGroup ??
+            new logs__namespace.LogGroup(this, "LogGroup", {
+                retention: logRetention,
+                removalPolicy: cdk.RemovalPolicy.DESTROY,
+            });
         // Create Lambda Function
         this._lambda = new lambda__namespace.Function(this, "Function", {
             allowAllOutbound,
@@ -946,9 +953,7 @@ class JaypieLambda extends constructs.Construct {
             handler,
             initialPolicy,
             layers: resolvedLayers,
-            logRetention,
-            logRetentionRole,
-            logRetentionRetryOptions,
+            logGroup: resolvedLogGroup,
             maxEventAge,
             memorySize,
             paramsAndSecrets: resolvedParamsAndSecrets,
@@ -1119,7 +1124,7 @@ class JaypieLambda extends constructs.Construct {
 class JaypieQueuedLambda extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
         // Create SQS Queue
         this._queue = new sqs__namespace.Queue(this, "Queue", {
             fifo,
@@ -1154,9 +1159,8 @@ class JaypieQueuedLambda extends constructs.Construct {
             handler,
             initialPolicy,
             layers,
+            logGroup,
             logRetention,
-            logRetentionRole,
-            logRetentionRetryOptions,
             maxEventAge,
             memorySize,
             paramsAndSecrets,
@@ -1662,7 +1666,7 @@ class JaypieDatadogForwarder extends constructs.Construct {
 class JaypieDistribution extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda__namespace.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.HOSTING, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
+        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda__namespace.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.API, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -1698,9 +1702,7 @@ class JaypieDistribution extends constructs.Construct {
         }
         this.host = host;
         // Determine zone from props or environment
-        const zone = propsZone ||
-            process.env.CDK_ENV_API_HOSTED_ZONE ||
-            process.env.CDK_ENV_HOSTED_ZONE;
+        const zone = propsZone || process.env.CDK_ENV_HOSTED_ZONE;
         // Resolve the origin from handler
         // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
         // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
@@ -1732,7 +1734,7 @@ class JaypieDistribution extends constructs.Construct {
             defaultBehavior = {
                 cachePolicy: cloudfront__namespace.CachePolicy.CACHING_DISABLED,
                 origin,
-                originRequestPolicy: cloudfront__namespace.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                originRequestPolicy: cloudfront__namespace.OriginRequestPolicy.ALL_VIEWER,
                 viewerProtocolPolicy: cloudfront__namespace.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
             };
         }
@@ -2292,11 +2294,11 @@ class JaypieHostedZone extends constructs.Construct {
         const destination = props.destination ?? true;
         const service = props.service || CDK$2.SERVICE.INFRASTRUCTURE;
         // Create the log group
-        this.logGroup = new awsLogs.LogGroup(this, "LogGroup", {
+        this.logGroup = new logs.LogGroup(this, "LogGroup", {
             logGroupName: process.env.PROJECT_NONCE
                 ? `/aws/route53/${zoneName}-${process.env.PROJECT_NONCE}`
                 : `/aws/route53/${zoneName}`,
-            retention: awsLogs.RetentionDays.ONE_WEEK,
+            retention: logs.RetentionDays.ONE_WEEK,
         });
         // Add tags
         cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.SERVICE, service);
@@ -2313,7 +2315,7 @@ class JaypieHostedZone extends constructs.Construct {
                 : destination;
             this.logGroup.addSubscriptionFilter("DatadogLambdaDestination", {
                 destination: lambdaDestination,
-                filterPattern: awsLogs.FilterPattern.allEvents(),
+                filterPattern: logs.FilterPattern.allEvents(),
             });
         }
         // Create the hosted zone
@@ -2974,7 +2976,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
         this.bucket = new s3__namespace.Bucket(this, "DestinationBucket", {
             accessControl: s3__namespace.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
             autoDeleteObjects: true,
-            blockPublicAccess: s3__namespace.BlockPublicAccess.BLOCK_ACLS,
+            blockPublicAccess: s3__namespace.BlockPublicAccess.BLOCK_ACLS_ONLY,
             bucketName: props.name || constructEnvName("web"),
             publicReadAccess: true,
             removalPolicy: cdk.RemovalPolicy.DESTROY,
@@ -3027,11 +3029,14 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 actions: ["s3:ListBucket"],
                 resources: [this.bucket.bucketArn],
             }));
-            // Allow the role to deploy CDK apps
+            // Allow the role to describe the current stack
+            const stack = cdk.Stack.of(this);
             bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
                 actions: ["cloudformation:DescribeStacks"],
                 effect: awsIam.Effect.ALLOW,
-                resources: ["*"], // TODO: restrict to this stack
+                resources: [
+                    `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
+                ],
             }));
             this.deployRoleArn = bucketDeployRole.roleArn;
             // Output the deploy role ARN
@@ -3064,7 +3069,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             this.distribution = new cloudfront__namespace.Distribution(this, "Distribution", {
                 defaultBehavior: {
                     cachePolicy: cloudfront__namespace.CachePolicy.CACHING_DISABLED,
-                    origin: new origins__namespace.S3Origin(this.bucket),
+                    origin: new origins__namespace.S3StaticWebsiteOrigin(this.bucket),
                     viewerProtocolPolicy: cloudfront__namespace.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                 },
                 certificate: this.certificate,
@@ -3073,7 +3078,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             cdk.Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
             // If this is production, enable caching on everything but index.html
             if (isProductionEnv()) {
-                this.distribution.addBehavior("/*", new origins__namespace.S3Origin(this.bucket), {
+                this.distribution.addBehavior("/*", new origins__namespace.S3StaticWebsiteOrigin(this.bucket), {
                     viewerProtocolPolicy: cloudfront__namespace.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                     cachePolicy: cloudfront__namespace.CachePolicy.CACHING_OPTIMIZED,
                 });