npm - @jaypie/constructs - Versions diffs - 1.2.31 → 1.2.33 - Mend

@jaypie/constructs 1.2.31 → 1.2.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/cjs/JaypieDistribution.d.ts +41 -0
package/dist/cjs/JaypieEnvSecret.d.ts +1 -0
package/dist/cjs/JaypieOrganizationTrail.d.ts +18 -1
package/dist/cjs/__tests__/JaypieOrganizationTrail.spec.d.ts +1 -0
package/dist/cjs/index.cjs +163 -3
package/dist/cjs/index.cjs.map +1 -1
package/dist/cjs/index.d.ts +1 -1
package/dist/esm/JaypieDistribution.d.ts +41 -0
package/dist/esm/JaypieEnvSecret.d.ts +1 -0
package/dist/esm/JaypieOrganizationTrail.d.ts +18 -1
package/dist/esm/__tests__/JaypieOrganizationTrail.spec.d.ts +1 -0
package/dist/esm/index.d.ts +1 -1
package/dist/esm/index.js +163 -4
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/index.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export { JaypieCertificate, JaypieCertificateProps } from "./JaypieCertificate";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
-export { JaypieDistribution, JaypieDistributionProps, SecurityHeadersOverrides, } from "./JaypieDistribution";
+export { JaypieDistribution, JaypieDistributionProps, JaypieWafConfig, SecurityHeadersOverrides, } from "./JaypieDistribution";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieDynamoDb, JaypieDynamoDbProps } from "./JaypieDynamoDb";
 export type { IndexDefinition } from "@jaypie/fabric";

package/dist/esm/JaypieDistribution.d.ts CHANGED Viewed

@@ -5,8 +5,38 @@ import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as route53 from "aws-cdk-lib/aws-route53";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+export interface JaypieWafConfig {
+    /**
+     * Whether WAF is enabled
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * WAF logging bucket.
+     * - true/undefined: create a logging bucket with Datadog forwarding (default)
+     * - false: disable WAF logging
+     * - IBucket: use an existing bucket (must have "aws-waf-logs-" prefix)
+     * @default true
+     */
+    logBucket?: boolean | s3.IBucket;
+    /**
+     * Managed rule group names to apply
+     * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
+     */
+    managedRules?: string[];
+    /**
+     * Rate limit per IP per 5-minute window
+     * @default 2000
+     */
+    rateLimitPerIp?: number;
+    /**
+     * Use an existing WebACL ARN instead of creating one
+     */
+    webAclArn?: string;
+}
 export interface SecurityHeadersOverrides {
     contentSecurityPolicy?: string;
     frameOption?: cloudfront.HeadersFrameOption;
@@ -99,6 +129,14 @@ export interface JaypieDistributionProps extends Omit<cloudfront.DistributionPro
      * @default CDK.ROLE.HOSTING
      */
     roleTag?: string;
+    /**
+     * WAF WebACL configuration for the CloudFront distribution.
+     * - true/undefined: create and attach a WebACL with sensible defaults
+     * - false: disable WAF
+     * - JaypieWafConfig: customize WAF behavior
+     * @default true
+     */
+    waf?: boolean | JaypieWafConfig;
     /**
      * The hosted zone for DNS records
      * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
@@ -116,11 +154,14 @@ export declare class JaypieDistribution extends Construct implements cloudfront.
     readonly host?: string;
     readonly logBucket?: s3.IBucket;
     readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    readonly wafLogBucket?: s3.IBucket;
+    readonly webAcl?: wafv2.CfnWebACL;
     constructor(scope: Construct, id: string, props: JaypieDistributionProps);
     private isIOrigin;
     private isIFunctionUrl;
     private isIFunction;
     private isExportNameObject;
+    private resolveWafConfig;
     private resolveLogBucket;
     get env(): {
         account: string;

package/dist/esm/JaypieEnvSecret.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export interface JaypieEnvSecretProps {
     export?: string;
     generateSecretString?: secretsmanager.SecretStringGenerator;
     provider?: boolean;
+    removalPolicy?: boolean | RemovalPolicy;
     roleTag?: string;
     vendorTag?: string;
     value?: string;

package/dist/esm/JaypieOrganizationTrail.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { IBucket } from "aws-cdk-lib/aws-s3";
+import { CfnAnalyzer } from "aws-cdk-lib/aws-accessanalyzer";
 import { Trail } from "aws-cdk-lib/aws-cloudtrail";
 import { Construct } from "constructs";
 export interface JaypieOrganizationTrailProps {
@@ -26,11 +27,26 @@ export interface JaypieOrganizationTrailProps {
      * Optional project tag value
      */
     project?: string;
+    /**
+     * Whether to enable IAM Access Analyzer (organization-level)
+     * @default true
+     */
+    enableAccessAnalyzer?: boolean;
     /**
      * Whether to enable file validation for the trail
-     * @default false
+     * @default true
      */
     enableFileValidation?: boolean;
+    /**
+     * Whether to enable Lambda data events in CloudTrail
+     * @default true
+     */
+    enableLambdaDataEvents?: boolean;
+    /**
+     * Whether to enable S3 data events in CloudTrail
+     * @default false (opt-in due to potential high volume/cost)
+     */
+    enableS3DataEvents?: boolean;
     /**
      * Number of days before logs expire
      * @default 365
@@ -53,6 +69,7 @@ export interface JaypieOrganizationTrailProps {
     enableDatadogNotifications?: boolean;
 }
 export declare class JaypieOrganizationTrail extends Construct {
+    readonly analyzer?: CfnAnalyzer;
     readonly bucket: IBucket;
     readonly trail: Trail;
     /**

package/dist/esm/__tests__/JaypieOrganizationTrail.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/esm/index.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export { JaypieCertificate, JaypieCertificateProps } from "./JaypieCertificate";
 export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
 export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
 export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
-export { JaypieDistribution, JaypieDistributionProps, SecurityHeadersOverrides, } from "./JaypieDistribution";
+export { JaypieDistribution, JaypieDistributionProps, JaypieWafConfig, SecurityHeadersOverrides, } from "./JaypieDistribution";
 export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
 export { JaypieDynamoDb, JaypieDynamoDbProps } from "./JaypieDynamoDb";
 export type { IndexDefinition } from "@jaypie/fabric";

package/dist/esm/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Fn, CfnOutput, SecretValue, Duration, RemovalPolicy, CfnStack } from 'aws-cdk-lib';
+import { Tags, Stack, Fn, CfnOutput, SecretValue, RemovalPolicy, Duration, CfnStack } from 'aws-cdk-lib';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
@@ -24,10 +24,12 @@ import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
 import { generateIndexName, DEFAULT_SORT_KEY } from '@jaypie/fabric';
 import { Nextjs } from 'cdk-nextjs-standalone';
 import * as path from 'path';
+import { CfnAnalyzer } from 'aws-cdk-lib/aws-accessanalyzer';
 import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
 import { CfnPermissionSet, CfnAssignment } from 'aws-cdk-lib/aws-sso';
 import { CfnApplication } from 'aws-cdk-lib/aws-sam';
@@ -911,7 +913,7 @@ class JaypieEnvSecret extends Construct {
             process.env[idOrEnvKey] !== "";
         const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), roleTag, vendorTag, value, } = props || {};
+        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props || {};
         const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
         this._envKey = envKey;
         let exportName;
@@ -938,6 +940,14 @@ class JaypieEnvSecret extends Construct {
                     : undefined,
             };
             this._secret = new secretsmanager.Secret(this, id, secretProps);
+            if (removalPolicy !== undefined) {
+                const policy = typeof removalPolicy === "boolean"
+                    ? removalPolicy
+                        ? RemovalPolicy.RETAIN
+                        : RemovalPolicy.DESTROY
+                    : removalPolicy;
+                this._secret.applyRemovalPolicy(policy);
+            }
             if (roleTag) {
                 Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
             }
@@ -2332,10 +2342,15 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
     }
 }
+const DEFAULT_RATE_LIMIT = 2000;
+const DEFAULT_MANAGED_RULES = [
+    "AWSManagedRulesCommonRuleSet",
+    "AWSManagedRulesKnownBadInputsRuleSet",
+];
 class JaypieDistribution extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, zone: propsZone, ...distributionProps } = props;
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, waf: wafProp = true, zone: propsZone, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -2578,6 +2593,119 @@ class JaypieDistribution extends Construct {
         this.distributionDomainName = this.distribution.distributionDomainName;
         this.distributionId = this.distribution.distributionId;
         this.domainName = this.distribution.domainName;
+        // Create and attach WAF WebACL
+        let resolvedWebAclArn;
+        const wafConfig = this.resolveWafConfig(wafProp);
+        if (wafConfig) {
+            if (wafConfig.webAclArn) {
+                // Use existing WebACL
+                resolvedWebAclArn = wafConfig.webAclArn;
+                this.distribution.attachWebAclId(wafConfig.webAclArn);
+            }
+            else {
+                // Create new WebACL
+                const { managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                let priority = 0;
+                const rules = [];
+                // Add managed rule groups
+                for (const ruleName of managedRules) {
+                    rules.push({
+                        name: ruleName,
+                        priority: priority++,
+                        overrideAction: { none: {} },
+                        statement: {
+                            managedRuleGroupStatement: {
+                                name: ruleName,
+                                vendorName: "AWS",
+                            },
+                        },
+                        visibilityConfig: {
+                            cloudWatchMetricsEnabled: true,
+                            metricName: ruleName,
+                            sampledRequestsEnabled: true,
+                        },
+                    });
+                }
+                // Add rate-based rule
+                rules.push({
+                    name: "RateLimitPerIp",
+                    priority: priority++,
+                    action: { block: {} },
+                    statement: {
+                        rateBasedStatement: {
+                            aggregateKeyType: "IP",
+                            limit: rateLimitPerIp,
+                        },
+                    },
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: "RateLimitPerIp",
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                const webAcl = new wafv2.CfnWebACL(this, "WebAcl", {
+                    defaultAction: { allow: {} },
+                    name: constructEnvName("WebAcl"),
+                    rules,
+                    scope: "CLOUDFRONT",
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: constructEnvName("WebAcl"),
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                this.webAcl = webAcl;
+                resolvedWebAclArn = webAcl.attrArn;
+                this.distribution.attachWebAclId(webAcl.attrArn);
+                Tags.of(webAcl).add(CDK$2.TAG.ROLE, roleTag);
+            }
+        }
+        // Create WAF logging
+        if (resolvedWebAclArn && wafConfig) {
+            const { logBucket: wafLogBucketProp = true } = wafConfig;
+            let wafLogBucket;
+            if (wafLogBucketProp === true) {
+                // Create inline WAF logging bucket with Datadog forwarding
+                const createdBucket = new s3.Bucket(this, constructEnvName("WafLogBucket"), {
+                    autoDeleteObjects: true,
+                    bucketName: `aws-waf-logs-${constructEnvName("waf").toLowerCase()}`,
+                    lifecycleRules: [
+                        {
+                            expiration: Duration.days(90),
+                            transitions: [
+                                {
+                                    storageClass: s3.StorageClass.INFREQUENT_ACCESS,
+                                    transitionAfter: Duration.days(30),
+                                },
+                            ],
+                        },
+                    ],
+                    objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
+                    removalPolicy: RemovalPolicy.DESTROY,
+                });
+                Tags.of(createdBucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+                // Add Datadog forwarder notification
+                if (destinationProp !== false) {
+                    const lambdaDestination = destinationProp === true
+                        ? new LambdaDestination(resolveDatadogForwarderFunction(this))
+                        : destinationProp;
+                    createdBucket.addEventNotification(s3.EventType.OBJECT_CREATED, lambdaDestination);
+                }
+                wafLogBucket = createdBucket;
+            }
+            else if (typeof wafLogBucketProp === "object") {
+                // Use provided IBucket
+                wafLogBucket = wafLogBucketProp;
+            }
+            // wafLogBucketProp === false → no logging
+            if (wafLogBucket) {
+                this.wafLogBucket = wafLogBucket;
+                new wafv2.CfnLoggingConfiguration(this, "WafLoggingConfig", {
+                    logDestinationConfigs: [wafLogBucket.bucketArn],
+                    resourceArn: resolvedWebAclArn,
+                });
+            }
+        }
         // Create DNS records if we have host and zone
         if (host && hostedZone) {
             const aRecord = new route53.ARecord(this, "AliasRecord", {
@@ -2624,6 +2752,15 @@ class JaypieDistribution extends Construct {
             "exportName" in value &&
             typeof value.exportName === "string");
     }
+    resolveWafConfig(wafProp) {
+        if (wafProp === false)
+            return undefined;
+        if (wafProp === true)
+            return {};
+        if (wafProp.enabled === false)
+            return undefined;
+        return wafProp;
+    }
     resolveLogBucket(logBucketProp) {
         // true = use account logging bucket
         if (logBucketProp === true) {
@@ -3463,7 +3600,7 @@ class JaypieOrganizationTrail extends Construct {
         // Resolve options with defaults
         const { bucketName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            : "organization-cloudtrail", enableAccessAnalyzer = true, enableDatadogNotifications = true, enableFileValidation = true, enableLambdaDataEvents = true, enableS3DataEvents = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
             : "organization-cloudtrail", } = props;
         // Create the S3 bucket for CloudTrail logs
@@ -3523,12 +3660,34 @@ class JaypieOrganizationTrail extends Construct {
             managementEvents: ReadWriteType.ALL,
             trailName,
         });
+        // Add data event selectors
+        if (enableLambdaDataEvents) {
+            this.trail.logAllLambdaDataEvents();
+        }
+        if (enableS3DataEvents) {
+            this.trail.logAllS3DataEvents();
+        }
         // Add tags to trail
         cdk.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
         cdk.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
         if (project) {
             cdk.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
         }
+        // Create IAM Access Analyzer
+        if (enableAccessAnalyzer) {
+            const analyzerName = process.env.PROJECT_NONCE
+                ? `organization-access-analyzer-${process.env.PROJECT_NONCE}`
+                : "organization-access-analyzer";
+            this.analyzer = new CfnAnalyzer(this, "AccessAnalyzer", {
+                analyzerName,
+                type: "ORGANIZATION",
+            });
+            cdk.Tags.of(this.analyzer).add(CDK$2.TAG.SERVICE, service);
+            cdk.Tags.of(this.analyzer).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            if (project) {
+                cdk.Tags.of(this.analyzer).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
     }
 }