@jaypie/constructs 1.2.31 → 1.2.33

package/dist/cjs/JaypieDistribution.d.ts

@@ -5,8 +5,38 @@ import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as route53 from "aws-cdk-lib/aws-route53";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+export interface JaypieWafConfig {
+    /**
+     * Whether WAF is enabled
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * WAF logging bucket.
+     * - true/undefined: create a logging bucket with Datadog forwarding (default)
+     * - false: disable WAF logging
+     * - IBucket: use an existing bucket (must have "aws-waf-logs-" prefix)
+     * @default true
+     */
+    logBucket?: boolean | s3.IBucket;
+    /**
+     * Managed rule group names to apply
+     * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
+     */
+    managedRules?: string[];
+    /**
+     * Rate limit per IP per 5-minute window
+     * @default 2000
+     */
+    rateLimitPerIp?: number;
+    /**
+     * Use an existing WebACL ARN instead of creating one
+     */
+    webAclArn?: string;
+}
 export interface SecurityHeadersOverrides {
     contentSecurityPolicy?: string;
     frameOption?: cloudfront.HeadersFrameOption;
@@ -99,6 +129,14 @@ export interface JaypieDistributionProps extends Omit<cloudfront.DistributionPro
      * @default CDK.ROLE.HOSTING
      */
     roleTag?: string;
+    /**
+     * WAF WebACL configuration for the CloudFront distribution.
+     * - true/undefined: create and attach a WebACL with sensible defaults
+     * - false: disable WAF
+     * - JaypieWafConfig: customize WAF behavior
+     * @default true
+     */
+    waf?: boolean | JaypieWafConfig;
     /**
      * The hosted zone for DNS records
      * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
@@ -116,11 +154,14 @@ export declare class JaypieDistribution extends Construct implements cloudfront.
     readonly host?: string;
     readonly logBucket?: s3.IBucket;
     readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    readonly wafLogBucket?: s3.IBucket;
+    readonly webAcl?: wafv2.CfnWebACL;
     constructor(scope: Construct, id: string, props: JaypieDistributionProps);
     private isIOrigin;
     private isIFunctionUrl;
     private isIFunction;
     private isExportNameObject;
+    private resolveWafConfig;
     private resolveLogBucket;
     get env(): {
         account: string;

package/dist/cjs/JaypieEnvSecret.d.ts

@@ -10,6 +10,7 @@ export interface JaypieEnvSecretProps {
     export?: string;
     generateSecretString?: secretsmanager.SecretStringGenerator;
     provider?: boolean;
+    removalPolicy?: boolean | RemovalPolicy;
     roleTag?: string;
     vendorTag?: string;
     value?: string;

package/dist/cjs/JaypieOrganizationTrail.d.ts

@@ -1,4 +1,5 @@
 import { IBucket } from "aws-cdk-lib/aws-s3";
+import { CfnAnalyzer } from "aws-cdk-lib/aws-accessanalyzer";
 import { Trail } from "aws-cdk-lib/aws-cloudtrail";
 import { Construct } from "constructs";
 export interface JaypieOrganizationTrailProps {
@@ -26,11 +27,26 @@ export interface JaypieOrganizationTrailProps {
      * Optional project tag value
      */
     project?: string;
+    /**
+     * Whether to enable IAM Access Analyzer (organization-level)
+     * @default true
+     */
+    enableAccessAnalyzer?: boolean;
     /**
      * Whether to enable file validation for the trail
-     * @default false
+     * @default true
      */
     enableFileValidation?: boolean;
+    /**
+     * Whether to enable Lambda data events in CloudTrail
+     * @default true
+     */
+    enableLambdaDataEvents?: boolean;
+    /**
+     * Whether to enable S3 data events in CloudTrail
+     * @default false (opt-in due to potential high volume/cost)
+     */
+    enableS3DataEvents?: boolean;
     /**
      * Number of days before logs expire
      * @default 365
@@ -53,6 +69,7 @@ export interface JaypieOrganizationTrailProps {
     enableDatadogNotifications?: boolean;
 }
 export declare class JaypieOrganizationTrail extends Construct {
+    readonly analyzer?: CfnAnalyzer;
     readonly bucket: IBucket;
     readonly trail: Trail;
     /**

package/dist/cjs/__tests__/JaypieOrganizationTrail.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/index.cjs

@@ -21,10 +21,12 @@ var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
 var origins = require('aws-cdk-lib/aws-cloudfront-origins');
+var wafv2 = require('aws-cdk-lib/aws-wafv2');
 var dynamodb = require('aws-cdk-lib/aws-dynamodb');
 var fabric = require('@jaypie/fabric');
 var cdkNextjsStandalone = require('cdk-nextjs-standalone');
 var path = require('path');
+var awsAccessanalyzer = require('aws-cdk-lib/aws-accessanalyzer');
 var awsCloudtrail = require('aws-cdk-lib/aws-cloudtrail');
 var awsSso = require('aws-cdk-lib/aws-sso');
 var awsSam = require('aws-cdk-lib/aws-sam');
@@ -63,6 +65,7 @@ var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda
 var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
+var wafv2__namespace = /*#__PURE__*/_interopNamespaceDefault(wafv2);
 var dynamodb__namespace = /*#__PURE__*/_interopNamespaceDefault(dynamodb);
 var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
 var apigatewayv2__namespace = /*#__PURE__*/_interopNamespaceDefault(apigatewayv2);
@@ -945,7 +948,7 @@ class JaypieEnvSecret extends constructs.Construct {
             process.env[idOrEnvKey] !== "";
         const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), roleTag, vendorTag, value, } = props || {};
+        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props || {};
         const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
         this._envKey = envKey;
         let exportName;
@@ -972,6 +975,14 @@ class JaypieEnvSecret extends constructs.Construct {
                     : undefined,
             };
             this._secret = new secretsmanager__namespace.Secret(this, id, secretProps);
+            if (removalPolicy !== undefined) {
+                const policy = typeof removalPolicy === "boolean"
+                    ? removalPolicy
+                        ? cdk.RemovalPolicy.RETAIN
+                        : cdk.RemovalPolicy.DESTROY
+                    : removalPolicy;
+                this._secret.applyRemovalPolicy(policy);
+            }
             if (roleTag) {
                 cdk.Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
             }
@@ -2366,10 +2377,15 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
     }
 }
 
+const DEFAULT_RATE_LIMIT = 2000;
+const DEFAULT_MANAGED_RULES = [
+    "AWSManagedRulesCommonRuleSet",
+    "AWSManagedRulesKnownBadInputsRuleSet",
+];
 class JaypieDistribution extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, zone: propsZone, ...distributionProps } = props;
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, waf: wafProp = true, zone: propsZone, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -2612,6 +2628,119 @@ class JaypieDistribution extends constructs.Construct {
         this.distributionDomainName = this.distribution.distributionDomainName;
         this.distributionId = this.distribution.distributionId;
         this.domainName = this.distribution.domainName;
+        // Create and attach WAF WebACL
+        let resolvedWebAclArn;
+        const wafConfig = this.resolveWafConfig(wafProp);
+        if (wafConfig) {
+            if (wafConfig.webAclArn) {
+                // Use existing WebACL
+                resolvedWebAclArn = wafConfig.webAclArn;
+                this.distribution.attachWebAclId(wafConfig.webAclArn);
+            }
+            else {
+                // Create new WebACL
+                const { managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                let priority = 0;
+                const rules = [];
+                // Add managed rule groups
+                for (const ruleName of managedRules) {
+                    rules.push({
+                        name: ruleName,
+                        priority: priority++,
+                        overrideAction: { none: {} },
+                        statement: {
+                            managedRuleGroupStatement: {
+                                name: ruleName,
+                                vendorName: "AWS",
+                            },
+                        },
+                        visibilityConfig: {
+                            cloudWatchMetricsEnabled: true,
+                            metricName: ruleName,
+                            sampledRequestsEnabled: true,
+                        },
+                    });
+                }
+                // Add rate-based rule
+                rules.push({
+                    name: "RateLimitPerIp",
+                    priority: priority++,
+                    action: { block: {} },
+                    statement: {
+                        rateBasedStatement: {
+                            aggregateKeyType: "IP",
+                            limit: rateLimitPerIp,
+                        },
+                    },
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: "RateLimitPerIp",
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                const webAcl = new wafv2__namespace.CfnWebACL(this, "WebAcl", {
+                    defaultAction: { allow: {} },
+                    name: constructEnvName("WebAcl"),
+                    rules,
+                    scope: "CLOUDFRONT",
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: constructEnvName("WebAcl"),
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                this.webAcl = webAcl;
+                resolvedWebAclArn = webAcl.attrArn;
+                this.distribution.attachWebAclId(webAcl.attrArn);
+                cdk.Tags.of(webAcl).add(CDK$2.TAG.ROLE, roleTag);
+            }
+        }
+        // Create WAF logging
+        if (resolvedWebAclArn && wafConfig) {
+            const { logBucket: wafLogBucketProp = true } = wafConfig;
+            let wafLogBucket;
+            if (wafLogBucketProp === true) {
+                // Create inline WAF logging bucket with Datadog forwarding
+                const createdBucket = new s3__namespace.Bucket(this, constructEnvName("WafLogBucket"), {
+                    autoDeleteObjects: true,
+                    bucketName: `aws-waf-logs-${constructEnvName("waf").toLowerCase()}`,
+                    lifecycleRules: [
+                        {
+                            expiration: cdk.Duration.days(90),
+                            transitions: [
+                                {
+                                    storageClass: s3__namespace.StorageClass.INFREQUENT_ACCESS,
+                                    transitionAfter: cdk.Duration.days(30),
+                                },
+                            ],
+                        },
+                    ],
+                    objectOwnership: s3__namespace.ObjectOwnership.OBJECT_WRITER,
+                    removalPolicy: cdk.RemovalPolicy.DESTROY,
+                });
+                cdk.Tags.of(createdBucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+                // Add Datadog forwarder notification
+                if (destinationProp !== false) {
+                    const lambdaDestination = destinationProp === true
+                        ? new s3n.LambdaDestination(resolveDatadogForwarderFunction(this))
+                        : destinationProp;
+                    createdBucket.addEventNotification(s3__namespace.EventType.OBJECT_CREATED, lambdaDestination);
+                }
+                wafLogBucket = createdBucket;
+            }
+            else if (typeof wafLogBucketProp === "object") {
+                // Use provided IBucket
+                wafLogBucket = wafLogBucketProp;
+            }
+            // wafLogBucketProp === false → no logging
+            if (wafLogBucket) {
+                this.wafLogBucket = wafLogBucket;
+                new wafv2__namespace.CfnLoggingConfiguration(this, "WafLoggingConfig", {
+                    logDestinationConfigs: [wafLogBucket.bucketArn],
+                    resourceArn: resolvedWebAclArn,
+                });
+            }
+        }
         // Create DNS records if we have host and zone
         if (host && hostedZone) {
             const aRecord = new route53__namespace.ARecord(this, "AliasRecord", {
@@ -2658,6 +2787,15 @@ class JaypieDistribution extends constructs.Construct {
             "exportName" in value &&
             typeof value.exportName === "string");
     }
+    resolveWafConfig(wafProp) {
+        if (wafProp === false)
+            return undefined;
+        if (wafProp === true)
+            return {};
+        if (wafProp.enabled === false)
+            return undefined;
+        return wafProp;
+    }
     resolveLogBucket(logBucketProp) {
         // true = use account logging bucket
         if (logBucketProp === true) {
@@ -3497,7 +3635,7 @@ class JaypieOrganizationTrail extends constructs.Construct {
         // Resolve options with defaults
         const { bucketName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            : "organization-cloudtrail", enableAccessAnalyzer = true, enableDatadogNotifications = true, enableFileValidation = true, enableLambdaDataEvents = true, enableS3DataEvents = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
             : "organization-cloudtrail", } = props;
         // Create the S3 bucket for CloudTrail logs
@@ -3557,12 +3695,34 @@ class JaypieOrganizationTrail extends constructs.Construct {
             managementEvents: awsCloudtrail.ReadWriteType.ALL,
             trailName,
         });
+        // Add data event selectors
+        if (enableLambdaDataEvents) {
+            this.trail.logAllLambdaDataEvents();
+        }
+        if (enableS3DataEvents) {
+            this.trail.logAllS3DataEvents();
+        }
         // Add tags to trail
         cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
         cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
         if (project) {
             cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
         }
+        // Create IAM Access Analyzer
+        if (enableAccessAnalyzer) {
+            const analyzerName = process.env.PROJECT_NONCE
+                ? `organization-access-analyzer-${process.env.PROJECT_NONCE}`
+                : "organization-access-analyzer";
+            this.analyzer = new awsAccessanalyzer.CfnAnalyzer(this, "AccessAnalyzer", {
+                analyzerName,
+                type: "ORGANIZATION",
+            });
+            cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.SERVICE, service);
+            cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            if (project) {
+                cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
     }
 }