@jaypie/constructs 1.2.58 → 1.2.60

package/dist/cjs/JaypieEnvSecret.d.ts

@@ -1,43 +1,18 @@
 import { Construct } from "constructs";
-import { SecretValue, RemovalPolicy, Stack } from "aws-cdk-lib";
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
-import { ISecret, ISecretAttachmentTarget, RotationSchedule, RotationScheduleOptions } from "aws-cdk-lib/aws-secretsmanager";
-import { IKey } from "aws-cdk-lib/aws-kms";
-import { Grant, IGrantable, PolicyStatement, AddToResourcePolicyResult } from "aws-cdk-lib/aws-iam";
-export interface JaypieEnvSecretProps {
+import { BuildSecretContext, JaypieSecret, JaypieSecretProps } from "./JaypieSecret";
+export interface JaypieEnvSecretProps extends JaypieSecretProps {
     consumer?: boolean;
-    envKey?: string;
     export?: string;
-    generateSecretString?: secretsmanager.SecretStringGenerator;
     provider?: boolean;
-    removalPolicy?: boolean | RemovalPolicy;
-    roleTag?: string;
-    vendorTag?: string;
-    value?: string;
 }
-export declare class JaypieEnvSecret extends Construct implements ISecret {
-    private readonly _envKey?;
-    private readonly _secret;
+/**
+ * @deprecated Use {@link JaypieSecret}. JaypieEnvSecret layers an
+ * environment-driven provider/consumer cross-stack pattern on top of
+ * JaypieSecret and will be removed in 2.0.
+ */
+export declare class JaypieEnvSecret extends JaypieSecret {
+    protected static readonly shorthandPrefix: string;
     constructor(scope: Construct, idOrEnvKey: string, props?: JaypieEnvSecretProps);
-    get stack(): Stack;
-    get env(): {
-        account: string;
-        region: string;
-    };
-    applyRemovalPolicy(policy: RemovalPolicy): void;
-    get secretArn(): string;
-    get secretFullArn(): string | undefined;
-    get secretName(): string;
-    get secretRef(): secretsmanager.SecretReference;
-    get encryptionKey(): IKey | undefined;
-    get secretValue(): SecretValue;
-    secretValueFromJson(key: string): SecretValue;
-    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
-    grantWrite(grantee: IGrantable): Grant;
-    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
-    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
-    denyAccountRootDelete(): void;
-    attach(target: ISecretAttachmentTarget): ISecret;
-    cfnDynamicReferenceKey(options?: Parameters<ISecret["cfnDynamicReferenceKey"]>[0]): string;
-    get envKey(): string | undefined;
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
 }

package/dist/cjs/JaypieLambda.d.ts

@@ -64,13 +64,14 @@ export interface JaypieLambdaProps {
     /**
      * Secrets to make available to the Lambda function.
      *
-     * Supports both JaypieEnvSecret instances and strings:
-     * - JaypieEnvSecret: used directly
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
      * - String: creates a JaypieEnvSecret with the string as envKey
      *   (reuses existing secrets within the same scope)
      */
     secrets?: SecretsArrayItem[];
     securityGroups?: ec2.ISecurityGroup[];
+    serviceTag?: string;
     timeout?: Duration | number;
     tracing?: lambda.Tracing;
     vendorTag?: string;

package/dist/cjs/JaypieNextJs.d.ts

@@ -44,8 +44,8 @@ export interface JaypieNextjsProps {
     /**
      * Secrets to make available to the Next.js application.
      *
-     * Supports both JaypieEnvSecret instances and strings:
-     * - JaypieEnvSecret: used directly
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
      * - String: creates a JaypieEnvSecret with the string as envKey
      *   (reuses existing secrets within the same scope)
      */

package/dist/cjs/JaypieSecret.d.ts

@@ -0,0 +1,59 @@
+import { Construct } from "constructs";
+import { RemovalPolicy, SecretValue, Stack } from "aws-cdk-lib";
+import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
+import { ISecret, ISecretAttachmentTarget, RotationSchedule, RotationScheduleOptions } from "aws-cdk-lib/aws-secretsmanager";
+import { IKey } from "aws-cdk-lib/aws-kms";
+import { AddToResourcePolicyResult, Grant, IGrantable, PolicyStatement } from "aws-cdk-lib/aws-iam";
+export interface JaypieSecretProps {
+    envKey?: string;
+    generateSecretString?: secretsmanager.SecretStringGenerator;
+    removalPolicy?: boolean | RemovalPolicy;
+    roleTag?: string;
+    vendorTag?: string;
+    value?: string;
+}
+/**
+ * Context handed to {@link JaypieSecret.buildSecret} so subclasses can build the
+ * underlying secret differently (e.g. import vs. create) while reusing the
+ * shared id/envKey resolution and the full ISecret passthrough.
+ */
+export interface BuildSecretContext {
+    envKey?: string;
+    id: string;
+    props: JaypieSecretProps;
+    treatAsEnvKey: boolean;
+}
+export declare class JaypieSecret extends Construct implements ISecret {
+    protected static readonly shorthandPrefix: string;
+    protected readonly _envKey?: string;
+    protected readonly _secret: secretsmanager.ISecret;
+    constructor(scope: Construct, idOrEnvKey: string, props?: JaypieSecretProps);
+    /**
+     * Builds the underlying secret. The base implementation always creates a new
+     * Secrets Manager secret from an envKey value, an explicit value, or a
+     * generated string. Subclasses may override to import an existing secret or
+     * emit cross-stack outputs.
+     */
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
+    get stack(): Stack;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get secretArn(): string;
+    get secretFullArn(): string | undefined;
+    get secretName(): string;
+    get secretRef(): secretsmanager.SecretReference;
+    get encryptionKey(): IKey | undefined;
+    get secretValue(): SecretValue;
+    secretValueFromJson(key: string): SecretValue;
+    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
+    grantWrite(grantee: IGrantable): Grant;
+    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
+    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
+    denyAccountRootDelete(): void;
+    attach(target: ISecretAttachmentTarget): ISecret;
+    cfnDynamicReferenceKey(options?: Parameters<ISecret["cfnDynamicReferenceKey"]>[0]): string;
+    get envKey(): string | undefined;
+}

package/dist/cjs/__tests__/JaypieSecret.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/helpers/index.d.ts

@@ -19,3 +19,4 @@ export { resolveEnvironment, EnvironmentArrayItem, EnvironmentInput, } from "./r
 export { resolveHostedZone } from "./resolveHostedZone";
 export { resolveParamsAndSecrets } from "./resolveParamsAndSecrets";
 export { resolveSecrets, SecretsArrayItem, clearSecretsCache, clearAllSecretsCaches, } from "./resolveSecrets";
+export { assertValidWafRuleNames, AWS_MANAGED_RULE_GROUPS, } from "./wafManagedRuleNames";

package/dist/cjs/helpers/resolveSecrets.d.ts

@@ -1,17 +1,17 @@
 import { Construct } from "constructs";
-import { JaypieEnvSecret } from "../JaypieEnvSecret.js";
+import { JaypieSecret } from "../JaypieSecret.js";
 /**
- * Secrets input type that supports both JaypieEnvSecret instances and strings
- * - JaypieEnvSecret: passed through as-is
- * - string: converted to JaypieEnvSecret with the string as envKey
+ * Secrets input type that supports both JaypieSecret instances and strings
+ * - JaypieSecret (including JaypieEnvSecret subclasses): passed through as-is
+ * - string: converted to a JaypieEnvSecret with the string as envKey
  */
-export type SecretsArrayItem = JaypieEnvSecret | string;
+export type SecretsArrayItem = JaypieSecret | string;
 /**
- * Resolves secrets input to an array of JaypieEnvSecret instances.
+ * Resolves secrets input to an array of JaypieSecret instances.
  *
- * When an item is already a JaypieEnvSecret, it's passed through as-is.
- * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
- * with the string as the envKey.
+ * When an item is already a JaypieSecret (including a JaypieEnvSecret), it's
+ * passed through as-is. When an item is a string, a JaypieEnvSecret is created
+ * (or reused from cache) with the string as the envKey.
  *
  * Secrets are cached per scope to avoid creating duplicate secrets when
  * multiple constructs in the same scope reference the same secret.
@@ -39,7 +39,7 @@ export type SecretsArrayItem = JaypieEnvSecret | string;
  * const secrets2 = resolveSecrets(scope, ["SHARED_SECRET"]);
  * // secrets1[0] === secrets2[0] (same instance)
  */
-export declare function resolveSecrets(scope: Construct, secrets?: SecretsArrayItem[]): JaypieEnvSecret[];
+export declare function resolveSecrets(scope: Construct, secrets?: SecretsArrayItem[]): JaypieSecret[];
 /**
  * Clears the secrets cache for a given scope.
  * Primarily useful for testing.

package/dist/cjs/helpers/wafManagedRuleNames.d.ts

@@ -0,0 +1,33 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+export declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+export declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+export {};