@jaypie/constructs 1.2.28 → 1.2.30

package/dist/cjs/index.d.ts

@@ -7,7 +7,7 @@ export { JaypieCertificate, JaypieCertificateProps } from "./JaypieCertificate";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
-export { JaypieDistribution, JaypieDistributionProps, } from "./JaypieDistribution";
+export { JaypieDistribution, JaypieDistributionProps, SecurityHeadersOverrides, } from "./JaypieDistribution";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieDynamoDb, JaypieDynamoDbProps } from "./JaypieDynamoDb";
 export type { IndexDefinition } from "@jaypie/fabric";

package/dist/esm/JaypieDistribution.d.ts

@@ -7,6 +7,14 @@ import * as s3 from "aws-cdk-lib/aws-s3";
 import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+export interface SecurityHeadersOverrides {
+    contentSecurityPolicy?: string;
+    frameOption?: cloudfront.HeadersFrameOption;
+    hstsIncludeSubdomains?: boolean;
+    hstsMaxAge?: number;
+    permissionsPolicy?: string;
+    referrerPolicy?: cloudfront.HeadersReferrerPolicy;
+}
 export interface JaypieDistributionProps extends Omit<cloudfront.DistributionProps, "certificate" | "defaultBehavior" | "logBucket"> {
     /**
      * SSL certificate for the CloudFront distribution
@@ -73,6 +81,19 @@ export interface JaypieDistributionProps extends Omit<cloudfront.DistributionPro
      * @max Duration.seconds(120)
      */
     originReadTimeout?: Duration;
+    /**
+     * Full override for the response headers policy.
+     * When provided, bypasses all default security header logic.
+     */
+    responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    /**
+     * Security headers configuration.
+     * - true/undefined: apply sensible defaults (HSTS, X-Frame-Options, CSP, etc.)
+     * - false: disable security headers entirely
+     * - SecurityHeadersOverrides object: merge overrides with defaults
+     * @default true
+     */
+    securityHeaders?: boolean | SecurityHeadersOverrides;
     /**
      * Role tag for tagging resources
      * @default CDK.ROLE.HOSTING
@@ -94,6 +115,7 @@ export declare class JaypieDistribution extends Construct implements cloudfront.
     readonly functionUrl?: lambda.FunctionUrl;
     readonly host?: string;
     readonly logBucket?: s3.IBucket;
+    readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
     constructor(scope: Construct, id: string, props: JaypieDistributionProps);
     private isIOrigin;
     private isIFunctionUrl;

package/dist/esm/JaypieDynamoDb.d.ts

@@ -8,19 +8,11 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
      * - `undefined`: No GSIs (default)
      * - Array of IndexDefinition: Use the specified indexes
      *
-     * Use `JaypieDynamoDb.DEFAULT_INDEXES` for the standard Jaypie GSIs.
-     *
      * @example
      * // No GSIs (default)
      * new JaypieDynamoDb(this, "myTable");
      *
      * @example
-     * // With default Jaypie indexes
-     * new JaypieDynamoDb(this, "myTable", {
-     *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
-     * });
-     *
-     * @example
      * // With custom indexes
      * new JaypieDynamoDb(this, "myTable", {
      *   indexes: [
@@ -73,12 +65,6 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
  * const table = new JaypieDynamoDb(this, "myApp");
  *
  * @example
- * // With default Jaypie indexes
- * const table = new JaypieDynamoDb(this, "myApp", {
- *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
- * });
- *
- * @example
  * // With explicit table name (overrides CDK-generated name)
  * const table = new JaypieDynamoDb(this, "MyTable", {
  *   tableName: "custom-table-name",
@@ -89,11 +75,6 @@ export interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "global
  * });
  */
 export declare class JaypieDynamoDb extends Construct implements dynamodb.ITableV2 {
-    /**
-     * Default Jaypie GSI definitions from @jaypie/fabric.
-     * Pass to `indexes` prop to create all standard GSIs.
-     */
-    static readonly DEFAULT_INDEXES: IndexDefinition[];
     private readonly _table;
     constructor(scope: Construct, id: string, props?: JaypieDynamoDbProps);
     /**

package/dist/esm/constants.d.ts

@@ -98,6 +98,11 @@ export declare const CDK: {
     PROJECT: {
         INFRASTRUCTURE: string;
     };
+    SECURITY_HEADERS: {
+        CONTENT_SECURITY_POLICY: string;
+        HSTS_MAX_AGE: number;
+        PERMISSIONS_POLICY: string;
+    };
     ROLE: {
         API: string;
         DEPLOY: string;

package/dist/esm/index.d.ts

@@ -7,7 +7,7 @@ export { JaypieCertificate, JaypieCertificateProps } from "./JaypieCertificate";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
-export { JaypieDistribution, JaypieDistributionProps, } from "./JaypieDistribution";
+export { JaypieDistribution, JaypieDistributionProps, SecurityHeadersOverrides, } from "./JaypieDistribution";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieDynamoDb, JaypieDynamoDbProps } from "./JaypieDynamoDb";
 export type { IndexDefinition } from "@jaypie/fabric";

package/dist/esm/index.js

@@ -25,7 +25,7 @@ import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
-import { DEFAULT_INDEXES, generateIndexName, DEFAULT_SORT_KEY } from '@jaypie/fabric';
+import { generateIndexName, DEFAULT_SORT_KEY } from '@jaypie/fabric';
 import { Nextjs } from 'cdk-nextjs-standalone';
 import * as path from 'path';
 import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
@@ -135,6 +135,11 @@ const CDK$2 = {
     PROJECT: {
         INFRASTRUCTURE: "infrastructure",
     },
+    SECURITY_HEADERS: {
+        CONTENT_SECURITY_POLICY: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';",
+        HSTS_MAX_AGE: 63072000, // 2 years
+        PERMISSIONS_POLICY: "camera=(), microphone=(), geolocation=(), payment=()",
+    },
     ROLE: {
         API: "api",
         DEPLOY: "deploy",
@@ -2330,7 +2335,7 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
 class JaypieDistribution extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), roleTag = CDK$2.ROLE.API, streaming = false, zone: propsZone, ...distributionProps } = props;
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, zone: propsZone, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -2412,6 +2417,62 @@ class JaypieDistribution extends Construct {
                 handler.addEnvironment("PROJECT_BASE_URL", `https://${host}`);
             }
         }
+        // Resolve response headers policy for security headers
+        let resolvedResponseHeadersPolicy;
+        if (responseHeadersPolicyProp) {
+            resolvedResponseHeadersPolicy = responseHeadersPolicyProp;
+        }
+        else if (securityHeadersProp !== false) {
+            const overrides = typeof securityHeadersProp === "object" ? securityHeadersProp : {};
+            resolvedResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, "SecurityHeaders", {
+                customHeadersBehavior: {
+                    customHeaders: [
+                        {
+                            header: "Cross-Origin-Opener-Policy",
+                            override: true,
+                            value: "same-origin",
+                        },
+                        {
+                            header: "Cross-Origin-Resource-Policy",
+                            override: true,
+                            value: "same-origin",
+                        },
+                        {
+                            header: "Permissions-Policy",
+                            override: true,
+                            value: overrides.permissionsPolicy ??
+                                CDK$2.SECURITY_HEADERS.PERMISSIONS_POLICY,
+                        },
+                    ],
+                },
+                removeHeaders: ["Server"],
+                securityHeadersBehavior: {
+                    contentSecurityPolicy: {
+                        contentSecurityPolicy: overrides.contentSecurityPolicy ??
+                            CDK$2.SECURITY_HEADERS.CONTENT_SECURITY_POLICY,
+                        override: true,
+                    },
+                    contentTypeOptions: { override: true },
+                    frameOptions: {
+                        frameOption: overrides.frameOption ?? cloudfront.HeadersFrameOption.DENY,
+                        override: true,
+                    },
+                    referrerPolicy: {
+                        referrerPolicy: overrides.referrerPolicy ??
+                            cloudfront.HeadersReferrerPolicy
+                                .STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
+                        override: true,
+                    },
+                    strictTransportSecurity: {
+                        accessControlMaxAge: Duration.seconds(overrides.hstsMaxAge ?? CDK$2.SECURITY_HEADERS.HSTS_MAX_AGE),
+                        includeSubdomains: overrides.hstsIncludeSubdomains ?? true,
+                        override: true,
+                        preload: true,
+                    },
+                },
+            });
+        }
+        this.responseHeadersPolicy = resolvedResponseHeadersPolicy;
         // Build default behavior
         let defaultBehavior;
         if (propsDefaultBehavior) {
@@ -2423,6 +2484,9 @@ class JaypieDistribution extends Construct {
                 cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
                 origin,
                 originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                ...(resolvedResponseHeadersPolicy
+                    ? { responseHeadersPolicy: resolvedResponseHeadersPolicy }
+                    : {}),
                 viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
             };
         }
@@ -2730,12 +2794,6 @@ function indexesToGsi(indexes) {
  * const table = new JaypieDynamoDb(this, "myApp");
  *
  * @example
- * // With default Jaypie indexes
- * const table = new JaypieDynamoDb(this, "myApp", {
- *   indexes: JaypieDynamoDb.DEFAULT_INDEXES,
- * });
- *
- * @example
  * // With explicit table name (overrides CDK-generated name)
  * const table = new JaypieDynamoDb(this, "MyTable", {
  *   tableName: "custom-table-name",
@@ -2874,11 +2932,6 @@ class JaypieDynamoDb extends Construct {
         return this._table.metricUserErrors(props);
     }
 }
-/**
- * Default Jaypie GSI definitions from @jaypie/fabric.
- * Pass to `indexes` prop to create all standard GSIs.
- */
-JaypieDynamoDb.DEFAULT_INDEXES = DEFAULT_INDEXES;
 
 class JaypieEventsRule extends Construct {
     /**
@@ -3661,6 +3714,7 @@ class JaypieSsoPermissions extends Construct {
                             "servicecatalog:*",
                             "sns:*",
                             "sqs:*",
+                            "ssm:*",
                             "states:*",
                             "tag:*",
                             "uxc:*",
@@ -3888,8 +3942,9 @@ class JaypieWebDeploymentBucket extends Construct {
         if (process.env.CDK_ENV_REPO) {
             repo = `repo:${process.env.CDK_ENV_REPO}:*`;
         }
+        let bucketDeployRole;
         if (repo) {
-            const bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
+            bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
                 assumedBy: new FederatedPrincipal(Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
                     StringLike: {
                         "token.actions.githubusercontent.com:sub": repo,
@@ -3989,6 +4044,16 @@ class JaypieWebDeploymentBucket extends Construct {
             new CfnOutput(this, "DistributionId", {
                 value: this.distribution.distributionId,
             });
+            // Add CloudFront invalidation permission to deploy role if it exists
+            if (bucketDeployRole) {
+                bucketDeployRole.addToPolicy(new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: ["cloudfront:CreateInvalidation"],
+                    resources: [
+                        `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
+                    ],
+                }));
+            }
         }
     }
     // Implement remaining IBucket methods by delegating to the bucket