@jaypie/constructs 1.2.9 → 1.2.10

package/dist/esm/index.js

@@ -3,7 +3,6 @@ import { Tags, Stack, Fn, CfnOutput, SecretValue, Duration, RemovalPolicy, CfnSt
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
-import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as apiGateway from 'aws-cdk-lib/aws-apigateway';
 import * as route53 from 'aws-cdk-lib/aws-route53';
 import { TxtRecord, NsRecord, MxRecord, CnameRecord, ARecord, RecordTarget, HostedZone } from 'aws-cdk-lib/aws-route53';
@@ -12,6 +11,7 @@ import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import { DatadogLambda } from 'datadog-cdk-constructs-v2';
 import { ConfigurationError } from '@jaypie/errors';
 import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
 import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
@@ -444,6 +444,111 @@ function extendDatadogRole(scope, options) {
     return datadogCustomPolicy;
 }
 
+// Cache: Stack -> (domain -> certificate)
+// Using WeakMap for automatic garbage collection when stacks are destroyed
+const certificateCache = new WeakMap();
+/**
+ * Resolves a certificate based on input type.
+ *
+ * Key behavior: When certificate is `true`, the certificate is created at the
+ * STACK level (not construct level) and cached by domain name. This allows
+ * swapping between constructs (e.g., JaypieDistribution to JaypieApiGateway)
+ * without recreating the certificate.
+ *
+ * @param scope - The construct scope (used to find the stack)
+ * @param options - Certificate resolution options
+ * @returns The resolved certificate, or undefined if certificate is false
+ *
+ * @example
+ * // Create or get cached certificate at stack level
+ * const cert = resolveCertificate(this, {
+ *   certificate: true,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Use existing certificate
+ * const cert = resolveCertificate(this, {
+ *   certificate: existingCert,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Import certificate from ARN
+ * const cert = resolveCertificate(this, {
+ *   certificate: "arn:aws:acm:us-east-1:123456789:certificate/abc-123",
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ */
+function resolveCertificate(scope, options) {
+    const { certificate, domainName, name = "Certificate", roleTag = CDK$2.ROLE.API, zone, } = options;
+    // false = no certificate
+    if (certificate === false) {
+        return undefined;
+    }
+    // ICertificate passed directly - use as-is
+    if (typeof certificate === "object" && certificate !== null) {
+        return certificate;
+    }
+    // ARN string - import from ARN
+    if (typeof certificate === "string") {
+        // Sanitize domain for construct ID
+        const sanitizedDomain = sanitizeDomainForId(domainName);
+        return acm.Certificate.fromCertificateArn(scope, `${name}-${sanitizedDomain}`, certificate);
+    }
+    // true (default) = create at STACK level with caching
+    const stack = Stack.of(scope);
+    // Get or create cache for this stack
+    let stackCache = certificateCache.get(stack);
+    if (!stackCache) {
+        stackCache = new Map();
+        certificateCache.set(stack, stackCache);
+    }
+    // Return cached certificate if one exists for this domain
+    const cached = stackCache.get(domainName);
+    if (cached) {
+        return cached;
+    }
+    // Create certificate at STACK level (not construct level!)
+    // This is the key difference - the certificate's lifecycle is tied to the stack,
+    // not to the individual construct that requested it
+    const sanitizedDomain = sanitizeDomainForId(domainName);
+    const cert = new acm.Certificate(stack, `${name}-${sanitizedDomain}`, {
+        domainName,
+        validation: acm.CertificateValidation.fromDns(zone),
+    });
+    Tags.of(cert).add(CDK$2.TAG.ROLE, roleTag);
+    // Cache for future requests
+    stackCache.set(domainName, cert);
+    return cert;
+}
+/**
+ * Sanitizes a domain name for use in CDK construct IDs.
+ * CDK construct IDs can only contain alphanumeric characters and hyphens.
+ */
+function sanitizeDomainForId(domain) {
+    return domain.replace(/\./g, "-").replace(/[^a-zA-Z0-9-]/g, "");
+}
+/**
+ * Clears the certificate cache for a specific stack.
+ * Primarily useful for testing.
+ */
+function clearCertificateCache(stack) {
+    certificateCache.delete(stack);
+}
+/**
+ * Clears all certificate caches.
+ * Primarily useful for testing.
+ */
+function clearAllCertificateCaches() {
+    // WeakMap doesn't have a clear() method, so we create a new one
+    // This is a no-op since we can't actually clear a WeakMap,
+    // but stacks going out of scope will be garbage collected anyway
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -773,34 +878,34 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
 };
 
 // It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer(env = process.env) {
+function checkEnvIsConsumer$1(env = process.env) {
     return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
         !!env.CDK_ENV_PERSONAL ||
         /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
         /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
 }
-function checkEnvIsProvider(env = process.env) {
+function checkEnvIsProvider$1(env = process.env) {
     return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
 }
-function cleanName(name) {
+function cleanName$1(name) {
     return name.replace(/[^a-zA-Z0-9:-]/g, "");
 }
-function exportEnvName(name, env = process.env) {
+function exportEnvName$1(name, env = process.env) {
     let rawName;
-    if (checkEnvIsProvider(env)) {
+    if (checkEnvIsProvider$1(env)) {
         rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
         // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName(rawName);
+        return cleanName$1(rawName);
     }
     else {
-        if (checkEnvIsConsumer(env)) {
+        if (checkEnvIsConsumer$1(env)) {
             rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
         }
         else {
             rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
         }
     }
-    return cleanName(rawName);
+    return cleanName$1(rawName);
 }
 class JaypieEnvSecret extends Construct {
     constructor(scope, idOrEnvKey, props) {
@@ -812,15 +917,15 @@ class JaypieEnvSecret extends Construct {
             process.env[idOrEnvKey] !== "";
         const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), roleTag, vendorTag, value, } = props || {};
         const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
         this._envKey = envKey;
         let exportName;
         if (!exportParam) {
-            exportName = exportEnvName(id);
+            exportName = exportEnvName$1(id);
         }
         else {
-            exportName = cleanName(exportParam);
+            exportName = cleanName$1(exportParam);
         }
         if (consumer) {
             const secretName = Fn.importValue(exportName);
@@ -1033,22 +1138,18 @@ class JaypieApiGateway extends Construct {
             }
         }
         const apiGatewayName = name || constructEnvName("ApiGateway");
-        const certificateName = constructEnvName("Certificate");
         const apiDomainName = constructEnvName("ApiDomainName");
         let hostedZone;
         let certificateToUse;
         if (host && zone) {
             hostedZone = resolveHostedZone(this, { zone });
-            if (certificate === true) {
-                certificateToUse = new acm.Certificate(this, certificateName, {
-                    domainName: host,
-                    validation: acm.CertificateValidation.fromDns(hostedZone),
-                });
-                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, CDK$2.ROLE.HOSTING);
-            }
-            else if (typeof certificate === "object") {
-                certificateToUse = certificate;
-            }
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            certificateToUse = resolveCertificate(this, {
+                certificate,
+                domainName: host,
+                roleTag: CDK$2.ROLE.HOSTING,
+                zone: hostedZone,
+            });
             this._certificate = certificateToUse;
             this._host = host;
         }
@@ -1808,6 +1909,238 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     }
 }
 
+// Check if environment is a consumer (personal/ephemeral builds import from sandbox)
+function checkEnvIsConsumer(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        env.PROJECT_ENV === "ephemeral" ||
+        !!env.CDK_ENV_EPHEMERAL);
+}
+// Check if environment is a provider (sandbox exports for consumers)
+function checkEnvIsProvider(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+// Sanitize export name to only allow alphanumeric, colons, and hyphens
+function cleanName(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+// Generate export name based on environment
+function exportEnvName(name, env = process.env) {
+    const projectKey = env.PROJECT_KEY || "default";
+    let rawName;
+    if (checkEnvIsProvider(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${projectKey}-cert-${name}`;
+    }
+    else if (checkEnvIsConsumer(env)) {
+        rawName = `env-${CDK$2.ENV.SANDBOX}-${projectKey}-cert-${name}`;
+    }
+    else {
+        rawName = `env-${env.PROJECT_ENV || "default"}-${projectKey}-cert-${name}`;
+    }
+    return cleanName(rawName);
+}
+// Resolve domain name from props or environment (called before super)
+function resolveDomainNameFromProps(props) {
+    if (props?.domainName) {
+        return props.domainName;
+    }
+    if (process.env.CDK_ENV_API_HOST_NAME) {
+        return process.env.CDK_ENV_API_HOST_NAME;
+    }
+    if (process.env.CDK_ENV_API_SUBDOMAIN) {
+        return mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE ||
+            "");
+    }
+    return undefined;
+}
+// Sanitize domain for construct ID
+function sanitizeDomain(domain) {
+    return domain.replace(/\./g, "-");
+}
+/**
+ * A standalone certificate construct that can be shared across constructs.
+ *
+ * Key feature: Uses the same `resolveCertificate()` helper as JaypieDistribution,
+ * JaypieApiGateway, etc. This means:
+ * - Certificates are created at the stack level and cached by domain
+ * - You can "take over" a certificate from another construct by using the same domain
+ * - Swapping between JaypieDistribution and JaypieApiGateway won't recreate certs
+ *
+ * Supports flexible constructor signatures:
+ * - `new JaypieCertificate(scope)` - uses environment defaults
+ * - `new JaypieCertificate(scope, props)` - ID auto-generated from domain
+ * - `new JaypieCertificate(scope, id, props)` - explicit ID
+ *
+ * @example
+ * // Minimal - uses environment variables for domain/zone
+ * const cert = new JaypieCertificate(this);
+ *
+ * @example
+ * // With options - ID auto-generated as "JaypieCert-api-example-com"
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Explicit ID - useful when you need a specific construct ID
+ * const cert = new JaypieCertificate(this, "MyApiCert", {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Take over from JaypieDistribution (uses same ID format)
+ * // After removing JaypieDistribution with certificate: true
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Provider/consumer pattern for cross-stack sharing
+ * // In sandbox stack:
+ * new JaypieCertificate(this, { provider: true });
+ *
+ * // In personal build:
+ * new JaypieCertificate(this, { consumer: true });
+ */
+class JaypieCertificate extends Construct {
+    constructor(scope, idOrProps, maybeProps) {
+        // Resolve constructor arguments
+        let id;
+        let props;
+        if (typeof idOrProps === "string") {
+            // (scope, id, props) pattern
+            id = idOrProps;
+            props = maybeProps || {};
+        }
+        else if (typeof idOrProps === "object" && idOrProps !== null) {
+            // (scope, props) pattern - auto-generate id
+            props = idOrProps;
+            const domainName = resolveDomainNameFromProps(props);
+            if (domainName) {
+                // Use "JaypieCert-" prefix to avoid collision with internal certificate
+                id = props.id || `JaypieCert-${sanitizeDomain(domainName)}`;
+            }
+            else {
+                id = props.id || "JaypieCert";
+            }
+        }
+        else {
+            // (scope) pattern - no id, no props
+            props = {};
+            const domainName = resolveDomainNameFromProps(props);
+            if (domainName) {
+                id = `JaypieCert-${sanitizeDomain(domainName)}`;
+            }
+            else {
+                id = "JaypieCert";
+            }
+        }
+        super(scope, id);
+        const { consumer = checkEnvIsConsumer(), domainName: propsDomainName, export: exportParam, provider = checkEnvIsProvider(), roleTag = CDK$2.ROLE.API, zone: propsZone, } = props;
+        // Validate environment variables
+        if (process.env.CDK_ENV_API_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
+            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine domain name from props or environment
+        let domainName = propsDomainName;
+        if (!domainName) {
+            if (process.env.CDK_ENV_API_HOST_NAME) {
+                domainName = process.env.CDK_ENV_API_HOST_NAME;
+            }
+            else if (process.env.CDK_ENV_API_SUBDOMAIN) {
+                domainName = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+                    process.env.CDK_ENV_HOSTED_ZONE ||
+                    "");
+            }
+        }
+        if (!domainName) {
+            throw new Error("domainName is required for JaypieCertificate (or set CDK_ENV_API_HOST_NAME / CDK_ENV_API_SUBDOMAIN)");
+        }
+        if (!isValidHostname$1(domainName)) {
+            throw new Error("domainName is not a valid hostname");
+        }
+        this.domainName = domainName;
+        // Determine zone from props or environment
+        const zone = propsZone ||
+            process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE;
+        // Generate export name
+        const sanitizedDomain = domainName.replace(/\./g, "-");
+        const exportName = exportParam
+            ? cleanName(exportParam)
+            : exportEnvName(sanitizedDomain);
+        if (consumer) {
+            // Import certificate ARN from provider stack
+            const certificateArn = Fn.importValue(exportName);
+            this.certificate = acm.Certificate.fromCertificateArn(this, "ImportedCertificate", certificateArn);
+            this.certificateArn = certificateArn;
+            new CfnOutput(this, "ConsumedCertificateArn", {
+                value: this.certificateArn,
+            });
+        }
+        else {
+            // Create or get cached certificate at stack level
+            if (!zone) {
+                throw new Error("zone is required for JaypieCertificate when not consuming (or set CDK_ENV_API_HOSTED_ZONE / CDK_ENV_HOSTED_ZONE)");
+            }
+            const hostedZone = resolveHostedZone(this, { zone });
+            // Use resolveCertificate to create at stack level (enables sharing)
+            const cert = resolveCertificate(this, {
+                certificate: true,
+                domainName,
+                roleTag,
+                zone: hostedZone,
+            });
+            if (!cert) {
+                throw new Error("Failed to create certificate");
+            }
+            this.certificate = cert;
+            this.certificateArn = cert.certificateArn;
+            if (provider) {
+                new CfnOutput(this, "ProvidedCertificateArn", {
+                    value: this.certificateArn,
+                    exportName,
+                });
+            }
+            else {
+                new CfnOutput(this, "CertificateArn", {
+                    value: this.certificateArn,
+                });
+            }
+        }
+    }
+    // IResource implementation
+    get stack() {
+        return Stack.of(this);
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    applyRemovalPolicy(policy) {
+        this.certificate.applyRemovalPolicy(policy);
+    }
+    // ICertificate implementation
+    metricDaysToExpiry(props) {
+        return this.certificate.metricDaysToExpiry(props);
+    }
+}
+
 class JaypieDatadogBucket extends Construct {
     /**
      * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
@@ -2085,16 +2418,13 @@ class JaypieDistribution extends Construct {
         let certificateToUse;
         if (host && zone && certificateProp !== false) {
             hostedZone = resolveHostedZone(this, { zone });
-            if (certificateProp === true) {
-                certificateToUse = new acm.Certificate(this, constructEnvName("Certificate"), {
-                    domainName: host,
-                    validation: acm.CertificateValidation.fromDns(hostedZone),
-                });
-                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            else if (typeof certificateProp === "object") {
-                certificateToUse = certificateProp;
-            }
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            certificateToUse = resolveCertificate(this, {
+                certificate: certificateProp,
+                domainName: host,
+                roleTag,
+                zone: hostedZone,
+            });
             this.certificate = certificateToUse;
         }
         // Create log bucket if logging is enabled
@@ -3581,19 +3911,17 @@ class JaypieWebDeploymentBucket extends Construct {
             else {
                 hostedZone = zone;
             }
-            // Create certificate if not provided
-            if (props.certificate !== false) {
-                this.certificate =
-                    typeof props.certificate === "object"
-                        ? props.certificate
-                        : new acm.Certificate(this, "Certificate", {
-                            domainName: host,
-                            validation: acm.CertificateValidation.fromDns(hostedZone),
-                        });
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            this.certificate = resolveCertificate(this, {
+                certificate: props.certificate,
+                domainName: host,
+                roleTag,
+                zone: hostedZone,
+            });
+            if (this.certificate) {
                 new CfnOutput(this, "CertificateArn", {
                     value: this.certificate.certificateArn,
                 });
-                Tags.of(this.certificate).add(CDK$2.TAG.ROLE, roleTag);
             }
             // Create CloudFront distribution
             this.distribution = new cloudfront.Distribution(this, "Distribution", {
@@ -3836,5 +4164,5 @@ class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieStreamingLambda, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, LAMBDA_WEB_ADAPTER, addDatadogLayers, clearAllSecretsCaches, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieStreamingLambda, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, LAMBDA_WEB_ADAPTER, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map