@jaypie/constructs 1.2.0-rc.1 → 1.2.0-rc.2

package/dist/esm/index.js

@@ -1,5 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Duration, RemovalPolicy, CfnStack, Fn, CfnOutput, SecretValue } from 'aws-cdk-lib';
+import { Tags, Stack, Fn, CfnOutput, SecretValue, Duration, RemovalPolicy, CfnStack } from 'aws-cdk-lib';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
@@ -656,6 +656,66 @@ function resolveDatadogLoggingDestination(scope, options) {
     return datadogLoggingDestination;
 }
 
+/**
+ * Resolves environment input to a plain object.
+ *
+ * When environment is an object (legacy syntax), returns it as-is.
+ * When environment is an array:
+ *   - Strings are treated as keys to lookup in process.env
+ *   - Objects have their key-value pairs merged in
+ *
+ * @example
+ * // Legacy object syntax
+ * resolveEnvironment({ FOO: "bar" })
+ * // => { FOO: "bar" }
+ *
+ * @example
+ * // Array syntax with process.env lookup
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR"])
+ * // => { MY_VAR: "hello" }
+ *
+ * @example
+ * // Array syntax with objects
+ * resolveEnvironment([{ FOO: "bar", BAZ: "qux" }])
+ * // => { FOO: "bar", BAZ: "qux" }
+ *
+ * @example
+ * // Mixed array syntax
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR", { FOO: "bar" }])
+ * // => { MY_VAR: "hello", FOO: "bar" }
+ */
+function resolveEnvironment(environment, env = process.env) {
+    if (!environment) {
+        return {};
+    }
+    // Legacy object syntax - return as-is
+    if (!Array.isArray(environment)) {
+        return environment;
+    }
+    // Array syntax - process each item
+    return environment.reduce((acc, item) => {
+        if (typeof item === "string") {
+            // String: lookup in process.env
+            const value = env[item];
+            if (value !== undefined) {
+                return {
+                    ...acc,
+                    [item]: value,
+                };
+            }
+            // Skip if not found in process.env
+            return acc;
+        }
+        // Object: merge key-value pairs
+        return {
+            ...acc,
+            ...item,
+        };
+    }, {});
+}
+
 function resolveHostedZone(scope, { name = "HostedZone", zone = process.env.CDK_ENV_HOSTED_ZONE, } = {}) {
     if (!zone) {
         throw new ConfigurationError("No `zone` provided. Set CDK_ENV_HOSTED_ZONE to use environment zone");
@@ -688,6 +748,246 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
     return resolvedParamsAndSecrets;
 };
 
+// It is a consumer if the environment is ephemeral
+function checkEnvIsConsumer(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
+        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
+}
+function checkEnvIsProvider(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+function cleanName(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+function exportEnvName(name, env = process.env) {
+    let rawName;
+    if (checkEnvIsProvider(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        // Clean the entire name to only allow alphanumeric, colons, and hyphens
+        return cleanName(rawName);
+    }
+    else {
+        if (checkEnvIsConsumer(env)) {
+            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
+        }
+        else {
+            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        }
+    }
+    return cleanName(rawName);
+}
+class JaypieEnvSecret extends Construct {
+    constructor(scope, idOrEnvKey, props) {
+        // Check if idOrEnvKey should be treated as envKey:
+        // - No props provided OR props.envKey is not set
+        // - AND idOrEnvKey exists as a non-empty string in process.env
+        const treatAsEnvKey = (!props || props.envKey === undefined) &&
+            typeof process.env[idOrEnvKey] === "string" &&
+            process.env[idOrEnvKey] !== "";
+        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
+        super(scope, id);
+        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
+        this._envKey = envKey;
+        let exportName;
+        if (!exportParam) {
+            exportName = exportEnvName(id);
+        }
+        else {
+            exportName = cleanName(exportParam);
+        }
+        if (consumer) {
+            const secretName = Fn.importValue(exportName);
+            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
+            // Add CfnOutput for consumer secrets
+            new CfnOutput(this, `ConsumedName`, {
+                value: this._secret.secretName,
+            });
+        }
+        else {
+            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+            const secretProps = {
+                generateSecretString,
+                secretStringValue: !generateSecretString && secretValue
+                    ? SecretValue.unsafePlainText(secretValue)
+                    : undefined,
+            };
+            this._secret = new secretsmanager.Secret(this, id, secretProps);
+            if (roleTag) {
+                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            if (vendorTag) {
+                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
+            }
+            if (provider) {
+                new CfnOutput(this, `ProvidedName`, {
+                    value: this._secret.secretName,
+                    exportName,
+                });
+            }
+            else {
+                new CfnOutput(this, `CreatedName`, {
+                    value: this._secret.secretName,
+                });
+            }
+        }
+    }
+    // IResource implementation
+    get stack() {
+        return Stack.of(this);
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    applyRemovalPolicy(policy) {
+        this._secret.applyRemovalPolicy(policy);
+    }
+    // ISecret implementation
+    get secretArn() {
+        return this._secret.secretArn;
+    }
+    get secretName() {
+        return this._secret.secretName;
+    }
+    get secretFullArn() {
+        return this._secret.secretFullArn;
+    }
+    get encryptionKey() {
+        return this._secret.encryptionKey;
+    }
+    get secretValue() {
+        return this._secret.secretValue;
+    }
+    secretValueFromJson(key) {
+        return this._secret.secretValueFromJson(key);
+    }
+    grantRead(grantee, versionStages) {
+        return this._secret.grantRead(grantee, versionStages);
+    }
+    grantWrite(grantee) {
+        return this._secret.grantWrite(grantee);
+    }
+    addRotationSchedule(id, options) {
+        return this._secret.addRotationSchedule(id, options);
+    }
+    addToResourcePolicy(statement) {
+        return this._secret.addToResourcePolicy(statement);
+    }
+    denyAccountRootDelete() {
+        this._secret.denyAccountRootDelete();
+    }
+    attach(target) {
+        return this._secret.attach(target);
+    }
+    cfnDynamicReferenceKey(options) {
+        return this._secret.cfnDynamicReferenceKey(options);
+    }
+    get envKey() {
+        return this._envKey;
+    }
+}
+
+/**
+ * Cache for secrets by scope to avoid creating duplicates.
+ * Uses WeakMap to allow garbage collection when scopes are no longer referenced.
+ */
+const secretsByScope = new WeakMap();
+/**
+ * Gets or creates the secrets cache for a given scope.
+ */
+function getSecretsCache(scope) {
+    let cache = secretsByScope.get(scope);
+    if (!cache) {
+        cache = new Map();
+        secretsByScope.set(scope, cache);
+    }
+    return cache;
+}
+/**
+ * Gets an existing secret from the cache or creates a new one.
+ * This ensures that multiple constructs within the same scope share secrets.
+ */
+function getOrCreateSecret(scope, envKey, props) {
+    const cache = getSecretsCache(scope);
+    const existingSecret = cache.get(envKey);
+    if (existingSecret) {
+        return existingSecret;
+    }
+    // Create new secret - JaypieEnvSecret's smart constructor handles envKey detection
+    const secret = new JaypieEnvSecret(scope, envKey, {
+        ...props,
+        envKey,
+    });
+    cache.set(envKey, secret);
+    return secret;
+}
+/**
+ * Resolves secrets input to an array of JaypieEnvSecret instances.
+ *
+ * When an item is already a JaypieEnvSecret, it's passed through as-is.
+ * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
+ * with the string as the envKey.
+ *
+ * Secrets are cached per scope to avoid creating duplicate secrets when
+ * multiple constructs in the same scope reference the same secret.
+ *
+ * @example
+ * // JaypieEnvSecret instances pass through
+ * const secret = new JaypieEnvSecret(scope, "MySecret", { envKey: "MY_KEY" });
+ * resolveSecrets(scope, [secret])
+ * // => [secret]
+ *
+ * @example
+ * // Strings create JaypieEnvSecret instances
+ * resolveSecrets(scope, ["AUTH0_SECRET", "MONGODB_URI"])
+ * // => [JaypieEnvSecret(envKey: "AUTH0_SECRET"), JaypieEnvSecret(envKey: "MONGODB_URI")]
+ *
+ * @example
+ * // Mixed input
+ * const existingSecret = new JaypieEnvSecret(scope, "Existing", { envKey: "EXISTING" });
+ * resolveSecrets(scope, [existingSecret, "NEW_SECRET"])
+ * // => [existingSecret, JaypieEnvSecret(envKey: "NEW_SECRET")]
+ *
+ * @example
+ * // Secrets are shared across calls with the same scope
+ * const secrets1 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * const secrets2 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * // secrets1[0] === secrets2[0] (same instance)
+ */
+function resolveSecrets(scope, secrets) {
+    if (!secrets || secrets.length === 0) {
+        return [];
+    }
+    return secrets.map((item) => {
+        if (typeof item === "string") {
+            return getOrCreateSecret(scope, item);
+        }
+        // Already a JaypieEnvSecret instance
+        return item;
+    });
+}
+/**
+ * Clears the secrets cache for a given scope.
+ * Primarily useful for testing.
+ */
+function clearSecretsCache(scope) {
+    secretsByScope.delete(scope);
+}
+/**
+ * Clears all secrets caches.
+ * Primarily useful for testing.
+ */
+function clearAllSecretsCaches() {
+    // WeakMap doesn't have a clear() method, so we create a new one
+    // This relies on the module being reloaded or the function being called
+    // between test runs. For testing, use clearSecretsCache(scope) instead.
+}
+
 class JaypieApiGateway extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
@@ -869,11 +1169,15 @@ class JaypieAppStack extends JaypieStack {
 class JaypieLambda extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
+        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: environmentInput, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
             supportsInlineCode: true,
-        }), runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        // Resolve environment from array or object syntax
+        const initialEnvironment = resolveEnvironment(environmentInput);
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
+        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        const secrets = resolveSecrets(scope, secretsInput);
         const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
         // Create a working copy of layers
         const resolvedLayers = [...layers];
@@ -1854,150 +2158,6 @@ class JaypieDistribution extends Construct {
     }
 }
 
-// It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer(env = process.env) {
-    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
-        !!env.CDK_ENV_PERSONAL ||
-        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
-        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
-}
-function checkEnvIsProvider(env = process.env) {
-    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
-}
-function cleanName(name) {
-    return name.replace(/[^a-zA-Z0-9:-]/g, "");
-}
-function exportEnvName(name, env = process.env) {
-    let rawName;
-    if (checkEnvIsProvider(env)) {
-        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName(rawName);
-    }
-    else {
-        if (checkEnvIsConsumer(env)) {
-            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
-        }
-        else {
-            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        }
-    }
-    return cleanName(rawName);
-}
-class JaypieEnvSecret extends Construct {
-    constructor(scope, idOrEnvKey, props) {
-        // Check if idOrEnvKey should be treated as envKey:
-        // - No props provided OR props.envKey is not set
-        // - AND idOrEnvKey exists as a non-empty string in process.env
-        const treatAsEnvKey = (!props || props.envKey === undefined) &&
-            typeof process.env[idOrEnvKey] === "string" &&
-            process.env[idOrEnvKey] !== "";
-        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
-        super(scope, id);
-        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
-        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
-        this._envKey = envKey;
-        let exportName;
-        if (!exportParam) {
-            exportName = exportEnvName(id);
-        }
-        else {
-            exportName = cleanName(exportParam);
-        }
-        if (consumer) {
-            const secretName = Fn.importValue(exportName);
-            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
-            // Add CfnOutput for consumer secrets
-            new CfnOutput(this, `ConsumedName`, {
-                value: this._secret.secretName,
-            });
-        }
-        else {
-            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
-            const secretProps = {
-                generateSecretString,
-                secretStringValue: !generateSecretString && secretValue
-                    ? SecretValue.unsafePlainText(secretValue)
-                    : undefined,
-            };
-            this._secret = new secretsmanager.Secret(this, id, secretProps);
-            if (roleTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            if (vendorTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
-            }
-            if (provider) {
-                new CfnOutput(this, `ProvidedName`, {
-                    value: this._secret.secretName,
-                    exportName,
-                });
-            }
-            else {
-                new CfnOutput(this, `CreatedName`, {
-                    value: this._secret.secretName,
-                });
-            }
-        }
-    }
-    // IResource implementation
-    get stack() {
-        return Stack.of(this);
-    }
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    applyRemovalPolicy(policy) {
-        this._secret.applyRemovalPolicy(policy);
-    }
-    // ISecret implementation
-    get secretArn() {
-        return this._secret.secretArn;
-    }
-    get secretName() {
-        return this._secret.secretName;
-    }
-    get secretFullArn() {
-        return this._secret.secretFullArn;
-    }
-    get encryptionKey() {
-        return this._secret.encryptionKey;
-    }
-    get secretValue() {
-        return this._secret.secretValue;
-    }
-    secretValueFromJson(key) {
-        return this._secret.secretValueFromJson(key);
-    }
-    grantRead(grantee, versionStages) {
-        return this._secret.grantRead(grantee, versionStages);
-    }
-    grantWrite(grantee) {
-        return this._secret.grantWrite(grantee);
-    }
-    addRotationSchedule(id, options) {
-        return this._secret.addRotationSchedule(id, options);
-    }
-    addToResourcePolicy(statement) {
-        return this._secret.addToResourcePolicy(statement);
-    }
-    denyAccountRootDelete() {
-        this._secret.denyAccountRootDelete();
-    }
-    attach(target) {
-        return this._secret.attach(target);
-    }
-    cfnDynamicReferenceKey(options) {
-        return this._secret.cfnDynamicReferenceKey(options);
-    }
-    get envKey() {
-        return this._envKey;
-    }
-}
-
 class JaypieDatadogSecret extends JaypieEnvSecret {
     constructor(scope, id = "MongoConnectionString", props) {
         const defaultProps = {
@@ -2409,12 +2569,15 @@ class JaypieNextJs extends Construct {
         const domainNameSanitized = domainName
             .replace(/\./g, "-")
             .replace(/[^a-zA-Z0-9]/g, "_");
+        // Resolve environment from array or object syntax
+        const environment = resolveEnvironment(props?.environment);
         const envSecrets = props?.envSecrets || {};
         const nextjsPath = props?.nextjsPath?.startsWith("..")
             ? path.join(process.cwd(), props.nextjsPath)
             : props?.nextjsPath || path.join(process.cwd(), "..", "nextjs");
         const paramsAndSecrets = resolveParamsAndSecrets();
-        const secrets = props?.secrets || [];
+        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        const secrets = resolveSecrets(scope, props?.secrets);
         // Process secrets environment variables
         const secretsEnvironment = Object.entries(envSecrets).reduce((acc, [key, secret]) => ({
             ...acc,
@@ -2450,6 +2613,7 @@ class JaypieNextJs extends Construct {
             },
             environment: {
                 ...jaypieLambdaEnv(),
+                ...environment,
                 ...secretsEnvironment,
                 ...jaypieSecretsEnvironment,
                 ...nextPublicEnv,
@@ -3254,5 +3418,5 @@ class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, clearAllSecretsCaches, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map