@jaypie/constructs 1.2.38 → 1.2.40

package/dist/esm/JaypieDistribution.d.ts

@@ -22,6 +22,17 @@ export interface JaypieWafConfig {
      * @default true
      */
     logBucket?: boolean | s3.IBucket;
+    /**
+     * Override actions for specific rules within managed rule groups.
+     * Key is the managed rule group name; value is an array of rule action overrides.
+     * @example
+     * managedRuleOverrides: {
+     *   AWSManagedRulesCommonRuleSet: [
+     *     { name: "SizeRestrictions_BODY", actionToUse: { count: {} } },
+     *   ],
+     * }
+     */
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
     /**
      * Managed rule group names to apply
      * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]

package/dist/esm/JaypieMigration.d.ts

@@ -8,6 +8,8 @@ export interface JaypieMigrationProps {
     code: lambda.Code | string;
     /** Constructs that must be created before the migration runs */
     dependencies?: Construct[];
+    /** Environment variables for the migration Lambda */
+    environment?: Record<string, string> | (Record<string, string> | string)[];
     /** Lambda handler entry point */
     handler?: string;
     /** Secrets to make available to the migration Lambda */

package/dist/esm/index.js

@@ -2612,11 +2612,12 @@ class JaypieDistribution extends Construct {
             }
             else {
                 // Create new WebACL
-                const { managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                const { managedRuleOverrides, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
                 let priority = 0;
                 const rules = [];
                 // Add managed rule groups
                 for (const ruleName of managedRules) {
+                    const ruleActionOverrides = managedRuleOverrides?.[ruleName];
                     rules.push({
                         name: ruleName,
                         priority: priority++,
@@ -2625,6 +2626,7 @@ class JaypieDistribution extends Construct {
                             managedRuleGroupStatement: {
                                 name: ruleName,
                                 vendorName: "AWS",
+                                ...(ruleActionOverrides && { ruleActionOverrides }),
                             },
                         },
                         visibilityConfig: {
@@ -3395,11 +3397,12 @@ class JaypieInfrastructureStack extends JaypieStack {
 class JaypieMigration extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { code, dependencies = [], handler = "index.handler", secrets = [], tables = [], } = props;
+        const { code, dependencies = [], environment, handler = "index.handler", secrets = [], tables = [], } = props;
         // Migration Lambda — 5 minute timeout for long-running migrations
         this.lambda = new JaypieLambda(this, "MigrationLambda", {
             code,
             description: "DynamoDB migration custom resource",
+            environment,
             handler,
             roleTag: CDK$2.ROLE.PROCESSING,
             secrets,
@@ -3410,8 +3413,13 @@ class JaypieMigration extends Construct {
         const provider = new cr.Provider(this, "MigrationProvider", {
             onEventHandler: this.lambda,
         });
-        // Custom Resource that triggers on every deploy
+        // Custom Resource that triggers on every deploy.
+        // deployNonce forces CloudFormation to re-invoke the custom resource
+        // even when only Lambda code changes (issue #261).
         const resource = new cdk.CustomResource(this, "MigrationResource", {
+            properties: {
+                deployNonce: Date.now().toString(),
+            },
             serviceToken: provider.serviceToken,
         });
         // Ensure dependencies are created before the migration runs