npm - @jaypie/constructs - Versions diffs - 1.2.32 → 1.2.34 - Mend

@jaypie/constructs 1.2.32 → 1.2.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/cjs/JaypieDistribution.d.ts +41 -0
package/dist/cjs/JaypieDynamoDb.d.ts +1 -0
package/dist/cjs/JaypieMigration.d.ts +21 -0
package/dist/cjs/JaypieOrganizationTrail.d.ts +18 -1
package/dist/cjs/__tests__/JaypieMigration.spec.d.ts +1 -0
package/dist/cjs/__tests__/JaypieOrganizationTrail.spec.d.ts +1 -0
package/dist/cjs/index.cjs +188 -2
package/dist/cjs/index.cjs.map +1 -1
package/dist/cjs/index.d.ts +2 -1
package/dist/esm/JaypieDistribution.d.ts +41 -0
package/dist/esm/JaypieDynamoDb.d.ts +1 -0
package/dist/esm/JaypieMigration.d.ts +21 -0
package/dist/esm/JaypieOrganizationTrail.d.ts +18 -1
package/dist/esm/__tests__/JaypieMigration.spec.d.ts +1 -0
package/dist/esm/__tests__/JaypieOrganizationTrail.spec.d.ts +1 -0
package/dist/esm/index.d.ts +2 -1
package/dist/esm/index.js +186 -3
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/JaypieDistribution.d.ts CHANGED Viewed

@@ -5,8 +5,38 @@ import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as route53 from "aws-cdk-lib/aws-route53";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LambdaDestination } from "aws-cdk-lib/aws-s3-notifications";
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
 import { Construct } from "constructs";
 import { HostConfig } from "./helpers";
+export interface JaypieWafConfig {
+    /**
+     * Whether WAF is enabled
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * WAF logging bucket.
+     * - true/undefined: create a logging bucket with Datadog forwarding (default)
+     * - false: disable WAF logging
+     * - IBucket: use an existing bucket (must have "aws-waf-logs-" prefix)
+     * @default true
+     */
+    logBucket?: boolean | s3.IBucket;
+    /**
+     * Managed rule group names to apply
+     * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
+     */
+    managedRules?: string[];
+    /**
+     * Rate limit per IP per 5-minute window
+     * @default 2000
+     */
+    rateLimitPerIp?: number;
+    /**
+     * Use an existing WebACL ARN instead of creating one
+     */
+    webAclArn?: string;
+}
 export interface SecurityHeadersOverrides {
     contentSecurityPolicy?: string;
     frameOption?: cloudfront.HeadersFrameOption;
@@ -99,6 +129,14 @@ export interface JaypieDistributionProps extends Omit<cloudfront.DistributionPro
      * @default CDK.ROLE.HOSTING
      */
     roleTag?: string;
+    /**
+     * WAF WebACL configuration for the CloudFront distribution.
+     * - true/undefined: create and attach a WebACL with sensible defaults
+     * - false: disable WAF
+     * - JaypieWafConfig: customize WAF behavior
+     * @default true
+     */
+    waf?: boolean | JaypieWafConfig;
     /**
      * The hosted zone for DNS records
      * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
@@ -116,11 +154,14 @@ export declare class JaypieDistribution extends Construct implements cloudfront.
     readonly host?: string;
     readonly logBucket?: s3.IBucket;
     readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    readonly wafLogBucket?: s3.IBucket;
+    readonly webAcl?: wafv2.CfnWebACL;
     constructor(scope: Construct, id: string, props: JaypieDistributionProps);
     private isIOrigin;
     private isIFunctionUrl;
     private isIFunction;
     private isExportNameObject;
+    private resolveWafConfig;
     private resolveLogBucket;
     get env(): {
         account: string;

package/dist/cjs/JaypieDynamoDb.d.ts CHANGED Viewed

@@ -89,6 +89,7 @@ export declare class JaypieDynamoDb extends Construct implements dynamodb.ITable
     get tableRef(): dynamodb.TableReference;
     get tableStreamArn(): string | undefined;
     get encryptionKey(): import("aws-cdk-lib/aws-kms").IKey | undefined;
+    get grants(): dynamodb.TableGrants;
     applyRemovalPolicy(policy: RemovalPolicy): void;
     grant(grantee: import("aws-cdk-lib/aws-iam").IGrantable, ...actions: string[]): import("aws-cdk-lib/aws-iam").Grant;
     grantFullAccess(grantee: import("aws-cdk-lib/aws-iam").IGrantable): import("aws-cdk-lib/aws-iam").Grant;

package/dist/cjs/JaypieMigration.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { Construct } from "constructs";
+import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { JaypieLambda } from "./JaypieLambda";
+import type { SecretsArrayItem } from "./helpers/index.js";
+export interface JaypieMigrationProps {
+    /** Path to the bundled migration code (esbuild output directory) */
+    code: lambda.Code | string;
+    /** Constructs that must be created before the migration runs */
+    dependencies?: Construct[];
+    /** Lambda handler entry point */
+    handler?: string;
+    /** Secrets to make available to the migration Lambda */
+    secrets?: SecretsArrayItem[];
+    /** DynamoDB tables to grant read/write access */
+    tables?: dynamodb.ITable[];
+}
+export declare class JaypieMigration extends Construct {
+    readonly lambda: JaypieLambda;
+    constructor(scope: Construct, id: string, props: JaypieMigrationProps);
+}

package/dist/cjs/JaypieOrganizationTrail.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { IBucket } from "aws-cdk-lib/aws-s3";
+import { CfnAnalyzer } from "aws-cdk-lib/aws-accessanalyzer";
 import { Trail } from "aws-cdk-lib/aws-cloudtrail";
 import { Construct } from "constructs";
 export interface JaypieOrganizationTrailProps {
@@ -26,11 +27,26 @@ export interface JaypieOrganizationTrailProps {
      * Optional project tag value
      */
     project?: string;
+    /**
+     * Whether to enable IAM Access Analyzer (organization-level)
+     * @default true
+     */
+    enableAccessAnalyzer?: boolean;
     /**
      * Whether to enable file validation for the trail
-     * @default false
+     * @default true
      */
     enableFileValidation?: boolean;
+    /**
+     * Whether to enable Lambda data events in CloudTrail
+     * @default true
+     */
+    enableLambdaDataEvents?: boolean;
+    /**
+     * Whether to enable S3 data events in CloudTrail
+     * @default false (opt-in due to potential high volume/cost)
+     */
+    enableS3DataEvents?: boolean;
     /**
      * Number of days before logs expire
      * @default 365
@@ -53,6 +69,7 @@ export interface JaypieOrganizationTrailProps {
     enableDatadogNotifications?: boolean;
 }
 export declare class JaypieOrganizationTrail extends Construct {
+    readonly analyzer?: CfnAnalyzer;
     readonly bucket: IBucket;
     readonly trail: Trail;
     /**

package/dist/cjs/__tests__/JaypieMigration.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/cjs/__tests__/JaypieOrganizationTrail.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/cjs/index.cjs CHANGED Viewed

@@ -21,10 +21,13 @@ var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
 var origins = require('aws-cdk-lib/aws-cloudfront-origins');
+var wafv2 = require('aws-cdk-lib/aws-wafv2');
 var dynamodb = require('aws-cdk-lib/aws-dynamodb');
 var fabric = require('@jaypie/fabric');
+var cr = require('aws-cdk-lib/custom-resources');
 var cdkNextjsStandalone = require('cdk-nextjs-standalone');
 var path = require('path');
+var awsAccessanalyzer = require('aws-cdk-lib/aws-accessanalyzer');
 var awsCloudtrail = require('aws-cdk-lib/aws-cloudtrail');
 var awsSso = require('aws-cdk-lib/aws-sso');
 var awsSam = require('aws-cdk-lib/aws-sam');
@@ -63,7 +66,9 @@ var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda
 var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
+var wafv2__namespace = /*#__PURE__*/_interopNamespaceDefault(wafv2);
 var dynamodb__namespace = /*#__PURE__*/_interopNamespaceDefault(dynamodb);
+var cr__namespace = /*#__PURE__*/_interopNamespaceDefault(cr);
 var path__namespace = /*#__PURE__*/_interopNamespaceDefault(path);
 var apigatewayv2__namespace = /*#__PURE__*/_interopNamespaceDefault(apigatewayv2);
 var apigatewayv2Integrations__namespace = /*#__PURE__*/_interopNamespaceDefault(apigatewayv2Integrations);
@@ -2374,10 +2379,15 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
     }
 }
+const DEFAULT_RATE_LIMIT = 2000;
+const DEFAULT_MANAGED_RULES = [
+    "AWSManagedRulesCommonRuleSet",
+    "AWSManagedRulesKnownBadInputsRuleSet",
+];
 class JaypieDistribution extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, zone: propsZone, ...distributionProps } = props;
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, logBucket: logBucketProp, originReadTimeout = cdk.Duration.seconds(CDK$2.DURATION.CLOUDFRONT_API), responseHeadersPolicy: responseHeadersPolicyProp, roleTag = CDK$2.ROLE.API, securityHeaders: securityHeadersProp, streaming = false, waf: wafProp = true, zone: propsZone, ...distributionProps } = props;
         // Validate environment variables
         if (process.env.CDK_ENV_API_SUBDOMAIN &&
             !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
@@ -2620,6 +2630,118 @@ class JaypieDistribution extends constructs.Construct {
         this.distributionDomainName = this.distribution.distributionDomainName;
         this.distributionId = this.distribution.distributionId;
         this.domainName = this.distribution.domainName;
+        // Create and attach WAF WebACL
+        let resolvedWebAclArn;
+        const wafConfig = this.resolveWafConfig(wafProp);
+        if (wafConfig) {
+            if (wafConfig.webAclArn) {
+                // Use existing WebACL
+                resolvedWebAclArn = wafConfig.webAclArn;
+                this.distribution.attachWebAclId(wafConfig.webAclArn);
+            }
+            else {
+                // Create new WebACL
+                const { managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                let priority = 0;
+                const rules = [];
+                // Add managed rule groups
+                for (const ruleName of managedRules) {
+                    rules.push({
+                        name: ruleName,
+                        priority: priority++,
+                        overrideAction: { none: {} },
+                        statement: {
+                            managedRuleGroupStatement: {
+                                name: ruleName,
+                                vendorName: "AWS",
+                            },
+                        },
+                        visibilityConfig: {
+                            cloudWatchMetricsEnabled: true,
+                            metricName: ruleName,
+                            sampledRequestsEnabled: true,
+                        },
+                    });
+                }
+                // Add rate-based rule
+                rules.push({
+                    name: "RateLimitPerIp",
+                    priority: priority++,
+                    action: { block: {} },
+                    statement: {
+                        rateBasedStatement: {
+                            aggregateKeyType: "IP",
+                            limit: rateLimitPerIp,
+                        },
+                    },
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: "RateLimitPerIp",
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                const webAcl = new wafv2__namespace.CfnWebACL(this, "WebAcl", {
+                    defaultAction: { allow: {} },
+                    name: constructEnvName("WebAcl"),
+                    rules,
+                    scope: "CLOUDFRONT",
+                    visibilityConfig: {
+                        cloudWatchMetricsEnabled: true,
+                        metricName: constructEnvName("WebAcl"),
+                        sampledRequestsEnabled: true,
+                    },
+                });
+                this.webAcl = webAcl;
+                resolvedWebAclArn = webAcl.attrArn;
+                this.distribution.attachWebAclId(webAcl.attrArn);
+                cdk.Tags.of(webAcl).add(CDK$2.TAG.ROLE, roleTag);
+            }
+        }
+        // Create WAF logging
+        if (resolvedWebAclArn && wafConfig) {
+            const { logBucket: wafLogBucketProp = true } = wafConfig;
+            let wafLogBucket;
+            if (wafLogBucketProp === true) {
+                // Create inline WAF logging bucket with Datadog forwarding
+                const createdBucket = new s3__namespace.Bucket(this, constructEnvName("WafLogBucket"), {
+                    bucketName: `aws-waf-logs-${constructEnvName("waf").toLowerCase()}`,
+                    lifecycleRules: [
+                        {
+                            expiration: cdk.Duration.days(90),
+                            transitions: [
+                                {
+                                    storageClass: s3__namespace.StorageClass.INFREQUENT_ACCESS,
+                                    transitionAfter: cdk.Duration.days(30),
+                                },
+                            ],
+                        },
+                    ],
+                    objectOwnership: s3__namespace.ObjectOwnership.OBJECT_WRITER,
+                    removalPolicy: cdk.RemovalPolicy.RETAIN,
+                });
+                cdk.Tags.of(createdBucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+                // Add Datadog forwarder notification
+                if (destinationProp !== false) {
+                    const lambdaDestination = destinationProp === true
+                        ? new s3n.LambdaDestination(resolveDatadogForwarderFunction(this))
+                        : destinationProp;
+                    createdBucket.addEventNotification(s3__namespace.EventType.OBJECT_CREATED, lambdaDestination);
+                }
+                wafLogBucket = createdBucket;
+            }
+            else if (typeof wafLogBucketProp === "object") {
+                // Use provided IBucket
+                wafLogBucket = wafLogBucketProp;
+            }
+            // wafLogBucketProp === false → no logging
+            if (wafLogBucket) {
+                this.wafLogBucket = wafLogBucket;
+                new wafv2__namespace.CfnLoggingConfiguration(this, "WafLoggingConfig", {
+                    logDestinationConfigs: [wafLogBucket.bucketArn],
+                    resourceArn: resolvedWebAclArn,
+                });
+            }
+        }
         // Create DNS records if we have host and zone
         if (host && hostedZone) {
             const aRecord = new route53__namespace.ARecord(this, "AliasRecord", {
@@ -2666,6 +2788,15 @@ class JaypieDistribution extends constructs.Construct {
             "exportName" in value &&
             typeof value.exportName === "string");
     }
+    resolveWafConfig(wafProp) {
+        if (wafProp === false)
+            return undefined;
+        if (wafProp === true)
+            return {};
+        if (wafProp.enabled === false)
+            return undefined;
+        return wafProp;
+    }
     resolveLogBucket(logBucketProp) {
         // true = use account logging bucket
         if (logBucketProp === true) {
@@ -2929,6 +3060,9 @@ class JaypieDynamoDb extends constructs.Construct {
     get encryptionKey() {
         return this._table.encryptionKey;
     }
+    get grants() {
+        return this._table.grants;
+    }
     applyRemovalPolicy(policy) {
         this._table.applyRemovalPolicy(policy);
     }
@@ -3287,6 +3421,35 @@ class JaypieInfrastructureStack extends JaypieStack {
     }
 }
+class JaypieMigration extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { code, dependencies = [], handler = "index.handler", secrets = [], tables = [], } = props;
+        // Migration Lambda — 5 minute timeout for long-running migrations
+        this.lambda = new JaypieLambda(this, "MigrationLambda", {
+            code,
+            description: "DynamoDB migration custom resource",
+            handler,
+            roleTag: CDK$2.ROLE.PROCESSING,
+            secrets,
+            tables,
+            timeout: cdk__namespace.Duration.minutes(5),
+        });
+        // Custom Resource provider wrapping the Lambda
+        const provider = new cr__namespace.Provider(this, "MigrationProvider", {
+            onEventHandler: this.lambda,
+        });
+        // Custom Resource that triggers on every deploy
+        const resource = new cdk__namespace.CustomResource(this, "MigrationResource", {
+            serviceToken: provider.serviceToken,
+        });
+        // Ensure dependencies are created before the migration runs
+        for (const dep of dependencies) {
+            resource.node.addDependency(dep);
+        }
+    }
+}
 class JaypieMongoDbSecret extends JaypieEnvSecret {
     constructor(scope, id = "MongoConnectionString", props) {
         const defaultProps = {
@@ -3505,7 +3668,7 @@ class JaypieOrganizationTrail extends constructs.Construct {
         // Resolve options with defaults
         const { bucketName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            : "organization-cloudtrail", enableAccessAnalyzer = true, enableDatadogNotifications = true, enableFileValidation = true, enableLambdaDataEvents = true, enableS3DataEvents = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
             ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
             : "organization-cloudtrail", } = props;
         // Create the S3 bucket for CloudTrail logs
@@ -3565,12 +3728,34 @@ class JaypieOrganizationTrail extends constructs.Construct {
             managementEvents: awsCloudtrail.ReadWriteType.ALL,
             trailName,
         });
+        // Add data event selectors
+        if (enableLambdaDataEvents) {
+            this.trail.logAllLambdaDataEvents();
+        }
+        if (enableS3DataEvents) {
+            this.trail.logAllS3DataEvents();
+        }
         // Add tags to trail
         cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
         cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
         if (project) {
             cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
         }
+        // Create IAM Access Analyzer
+        if (enableAccessAnalyzer) {
+            const analyzerName = process.env.PROJECT_NONCE
+                ? `organization-access-analyzer-${process.env.PROJECT_NONCE}`
+                : "organization-access-analyzer";
+            this.analyzer = new awsAccessanalyzer.CfnAnalyzer(this, "AccessAnalyzer", {
+                analyzerName,
+                type: "ORGANIZATION",
+            });
+            cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.SERVICE, service);
+            cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            if (project) {
+                cdk__namespace.Tags.of(this.analyzer).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
     }
 }
@@ -4633,6 +4818,7 @@ exports.JaypieGitHubDeployRole = JaypieGitHubDeployRole;
 exports.JaypieHostedZone = JaypieHostedZone;
 exports.JaypieInfrastructureStack = JaypieInfrastructureStack;
 exports.JaypieLambda = JaypieLambda;
+exports.JaypieMigration = JaypieMigration;
 exports.JaypieMongoDbSecret = JaypieMongoDbSecret;
 exports.JaypieNextJs = JaypieNextJs;
 exports.JaypieOpenAiSecret = JaypieOpenAiSecret;