@jaypie/constructs 1.1.62-rc.0 → 1.1.62-rc.1

package/dist/esm/JaypieLambda.d.ts

@@ -1,9 +1,10 @@
 import { Construct } from "constructs";
 import { Duration, Stack, RemovalPolicy } from "aws-cdk-lib";
 import * as lambda from "aws-cdk-lib/aws-lambda";
-import * as iam from "aws-cdk-lib/aws-iam";
 import * as cloudwatch from "aws-cdk-lib/aws-cloudwatch";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
+import * as iam from "aws-cdk-lib/aws-iam";
+import * as logs from "aws-cdk-lib/aws-logs";
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
 import { JaypieEnvSecret } from "./JaypieEnvSecret.js";
 export interface JaypieLambdaProps {
@@ -27,9 +28,8 @@ export interface JaypieLambdaProps {
     handler: string;
     initialPolicy?: iam.PolicyStatement[];
     layers?: lambda.ILayerVersion[];
-    logRetention?: number;
-    logRetentionRole?: iam.IRole;
-    logRetentionRetryOptions?: lambda.LogRetentionRetryOptions;
+    logGroup?: logs.ILogGroup;
+    logRetention?: logs.RetentionDays | number;
     maxEventAge?: Duration;
     memorySize?: number;
     paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;

package/dist/esm/index.js

@@ -18,11 +18,12 @@ import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
 import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
-import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import { Nextjs } from 'cdk-nextjs-standalone';
 import * as path from 'path';
 import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
@@ -869,7 +870,7 @@ class JaypieAppStack extends JaypieStack {
 class JaypieLambda extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
         const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
@@ -895,6 +896,12 @@ class JaypieLambda extends Construct {
             paramsAndSecrets,
             options: paramsAndSecretsOptions,
         });
+        // Create LogGroup if not provided
+        const resolvedLogGroup = logGroup ??
+            new logs.LogGroup(this, "LogGroup", {
+                retention: logRetention,
+                removalPolicy: RemovalPolicy.DESTROY,
+            });
         // Create Lambda Function
         this._lambda = new lambda.Function(this, "Function", {
             allowAllOutbound,
@@ -915,9 +922,7 @@ class JaypieLambda extends Construct {
             handler,
             initialPolicy,
             layers: resolvedLayers,
-            logRetention,
-            logRetentionRole,
-            logRetentionRetryOptions,
+            logGroup: resolvedLogGroup,
             maxEventAge,
             memorySize,
             paramsAndSecrets: resolvedParamsAndSecrets,
@@ -1088,7 +1093,7 @@ class JaypieLambda extends Construct {
 class JaypieQueuedLambda extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
         // Create SQS Queue
         this._queue = new sqs.Queue(this, "Queue", {
             fifo,
@@ -1123,9 +1128,8 @@ class JaypieQueuedLambda extends Construct {
             handler,
             initialPolicy,
             layers,
+            logGroup,
             logRetention,
-            logRetentionRole,
-            logRetentionRetryOptions,
             maxEventAge,
             memorySize,
             paramsAndSecrets,
@@ -1631,7 +1635,7 @@ class JaypieDatadogForwarder extends Construct {
 class JaypieDistribution extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.HOSTING, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
+        const { certificate: certificateProp = true, handler, host: propsHost, invokeMode = lambda.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.API, zone: propsZone, defaultBehavior: propsDefaultBehavior, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -1667,9 +1671,7 @@ class JaypieDistribution extends Construct {
         }
         this.host = host;
         // Determine zone from props or environment
-        const zone = propsZone ||
-            process.env.CDK_ENV_API_HOSTED_ZONE ||
-            process.env.CDK_ENV_HOSTED_ZONE;
+        const zone = propsZone || process.env.CDK_ENV_HOSTED_ZONE;
         // Resolve the origin from handler
         // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
         // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
@@ -1701,7 +1703,7 @@ class JaypieDistribution extends Construct {
             defaultBehavior = {
                 cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
                 origin,
-                originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER,
                 viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
             };
         }
@@ -2943,7 +2945,7 @@ class JaypieWebDeploymentBucket extends Construct {
         this.bucket = new s3.Bucket(this, "DestinationBucket", {
             accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
             autoDeleteObjects: true,
-            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS,
+            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS_ONLY,
             bucketName: props.name || constructEnvName("web"),
             publicReadAccess: true,
             removalPolicy: RemovalPolicy.DESTROY,
@@ -2996,11 +2998,14 @@ class JaypieWebDeploymentBucket extends Construct {
                 actions: ["s3:ListBucket"],
                 resources: [this.bucket.bucketArn],
             }));
-            // Allow the role to deploy CDK apps
+            // Allow the role to describe the current stack
+            const stack = Stack.of(this);
             bucketDeployRole.addToPolicy(new PolicyStatement({
                 actions: ["cloudformation:DescribeStacks"],
                 effect: Effect.ALLOW,
-                resources: ["*"], // TODO: restrict to this stack
+                resources: [
+                    `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
+                ],
             }));
             this.deployRoleArn = bucketDeployRole.roleArn;
             // Output the deploy role ARN
@@ -3033,7 +3038,7 @@ class JaypieWebDeploymentBucket extends Construct {
             this.distribution = new cloudfront.Distribution(this, "Distribution", {
                 defaultBehavior: {
                     cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
-                    origin: new origins.S3Origin(this.bucket),
+                    origin: new origins.S3StaticWebsiteOrigin(this.bucket),
                     viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                 },
                 certificate: this.certificate,
@@ -3042,7 +3047,7 @@ class JaypieWebDeploymentBucket extends Construct {
             Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
             // If this is production, enable caching on everything but index.html
             if (isProductionEnv()) {
-                this.distribution.addBehavior("/*", new origins.S3Origin(this.bucket), {
+                this.distribution.addBehavior("/*", new origins.S3StaticWebsiteOrigin(this.bucket), {
                     viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                     cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
                 });