@liflig/cdk 2.18.4 → 2.18.6

package/lib/cloudtrail-slack-integration/cloudtrail-slack-integration.js

@@ -0,0 +1,211 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudTrailSlackIntegration = void 0;
+const constructs = require("constructs");
+const cdk = require("aws-cdk-lib");
+const iam = require("aws-cdk-lib/aws-iam");
+const logs = require("aws-cdk-lib/aws-logs");
+const cloudwatch = require("aws-cdk-lib/aws-cloudwatch");
+const lambda = require("aws-cdk-lib/aws-lambda");
+const events = require("aws-cdk-lib/aws-events");
+const sources = require("aws-cdk-lib/aws-lambda-event-sources");
+const sqs = require("aws-cdk-lib/aws-sqs");
+const targets = require("aws-cdk-lib/aws-events-targets");
+const path = require("path");
+/**
+ * Forward a predefined set of CloudTrail API events to Slack using EventBridge, Lambda
+ * and an optional SQS FIFO queue for deduplicating events.
+ * The API events are limited to monitoring access to the current account's root user and/or specific IAM roles.
+ *
+ * NOTE: The construct needs to be provisioned in us-east-1, and requires an existing CloudTrail set up in that region.
+ */
+class CloudTrailSlackIntegration extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const eventTransformer = new lambda.Function(this, "EventTransformerLambda", {
+            code: lambda.Code.fromAsset(path.join(__dirname, "../../assets/cloudtrail-slack-integration-lambda")),
+            description: "Formats CloudTrail API calls sent through EventBridge, and posts them directly to Slack or first to an SQS FIFO queue for deduplication",
+            handler: "main.handler_event_transformer",
+            runtime: lambda.Runtime.PYTHON_3_9,
+            timeout: cdk.Duration.seconds(15),
+            logRetention: logs.RetentionDays.SIX_MONTHS,
+            environment: {
+                SLACK_CHANNEL: props.slackChannel,
+                DEDUPLICATE_EVENTS: JSON.stringify(!!props.deduplicateEvents),
+                FRIENDLY_NAMES: JSON.stringify(props.friendlyNames || {}),
+                SLACK_WEBHOOK_URL: props.slackWebhookUrl,
+            },
+        });
+        eventTransformer.addToRolePolicy(new iam.PolicyStatement({
+            actions: ["iam:ListAccountAliases"],
+            resources: ["*"],
+        }));
+        if (props.infrastructureAlarmAction) {
+            const eventTransformerAlarm = eventTransformer
+                .metricErrors({
+                period: cdk.Duration.minutes(5),
+                statistic: cloudwatch.Statistic.SUM,
+            })
+                .createAlarm(this, "EventTransformerErrorAlarm", {
+                threshold: 1,
+                evaluationPeriods: 1,
+                alarmDescription: "Triggers if the Lambda function that transforms CloudTrail API calls received through EventBridge fails (e.g., it fails to process the event)",
+                datapointsToAlarm: 1,
+                treatMissingData: cloudwatch.TreatMissingData.IGNORE,
+            });
+            eventTransformerAlarm.addOkAction(props.infrastructureAlarmAction);
+            eventTransformerAlarm.addAlarmAction(props.infrastructureAlarmAction);
+        }
+        if (props.deduplicateEvents) {
+            const deduplicationQueue = new sqs.Queue(this, "Queue", {
+                // We explicitly give the queue a name due to bug https://github.com/aws/aws-cdk/issues/5860
+                queueName: `${this.node.id.substring(0, 33)}${this.node.addr}`.substring(0, 75) +
+                    ".fifo",
+                fifo: true,
+            });
+            eventTransformer.addEnvironment("SQS_QUEUE_URL", deduplicationQueue.queueUrl);
+            deduplicationQueue.grantSendMessages(eventTransformer);
+            const slackForwarder = new lambda.Function(this, "SlackForwarderLambda", {
+                code: lambda.Code.fromAsset(path.join(__dirname, "../../assets/cloudtrail-slack-integration-lambda")),
+                description: "Polls from an SQS FIFO queue containing formatted CloudTrail API calls and sends them to Slack.",
+                handler: "main.handler_slack_forwarder",
+                runtime: lambda.Runtime.PYTHON_3_9,
+                timeout: cdk.Duration.seconds(15),
+                logRetention: logs.RetentionDays.TWO_WEEKS,
+            });
+            if (props.infrastructureAlarmAction) {
+                const slackForwarderAlarm = slackForwarder
+                    .metricErrors({
+                    period: cdk.Duration.minutes(5),
+                    statistic: cloudwatch.Statistic.SUM,
+                })
+                    .createAlarm(this, "SlackForwarderErrorAlarm", {
+                    threshold: 1,
+                    alarmDescription: "Triggers if the Lambda function that polls from SQS and posts deduplicated CloudTrail API calls received through EventBridge to Slack fails (e.g., invalid Slack webhook URL)",
+                    evaluationPeriods: 1,
+                    datapointsToAlarm: 1,
+                    treatMissingData: cloudwatch.TreatMissingData.IGNORE,
+                });
+                slackForwarderAlarm.addOkAction(props.infrastructureAlarmAction);
+                slackForwarderAlarm.addAlarmAction(props.infrastructureAlarmAction);
+            }
+            slackForwarder.addEventSource(new sources.SqsEventSource(deduplicationQueue));
+        }
+        if (props.rolesToMonitor && props.rolesToMonitor.length > 0) {
+            new events.Rule(this, "RuleForAssumeRole", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        eventName: ["AssumeRole"],
+                        requestParameters: {
+                            roleArn: props.rolesToMonitor,
+                        },
+                    },
+                },
+            });
+        }
+        if (props.monitorRootUserActions !== false) {
+            // Triggers when the root password has been changed
+            new events.Rule(this, "RuleForRootUserPasswordChange", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["PasswordUpdated"],
+                        eventType: ["AwsConsoleSignIn"],
+                    },
+                },
+            });
+            // Triggers when MFA for the root user has been set up
+            new events.Rule(this, "RuleForRootUserMfaChange", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["EnableMFADevice"],
+                        requestParameters: {
+                            userName: ["AWS ROOT USER"],
+                        },
+                    },
+                },
+            });
+            // Triggers when a root user succesfully logs in to the console
+            new events.Rule(this, "RuleForRootUserSuccessfulLogin", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["ConsoleLogin"],
+                        eventType: ["AwsConsoleSignIn"],
+                        responseElements: {
+                            ConsoleLogin: ["Success"],
+                        },
+                    },
+                },
+            });
+            // Triggers for bad login attemps for root user (e.g., wrong password)
+            new events.Rule(this, "RuleForRootUserUnsuccessfulLogin", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["ConsoleLogin"],
+                        eventType: ["AwsConsoleSignIn"],
+                        responseElements: {
+                            ConsoleLogin: ["Failure"],
+                        },
+                    },
+                },
+            });
+            // Triggered when password reset has been requested
+            new events.Rule(this, "RuleForRootUserPasswordRecoveryRequest", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["PasswordRecoveryRequested"],
+                        eventType: ["AwsConsoleSignIn"],
+                        responseElements: {
+                            PasswordRecoveryRequested: ["Success"],
+                        },
+                    },
+                },
+            });
+            // Triggered when password has been successfully reset
+            new events.Rule(this, "RuleForRootUserPasswordRecoveryComplete", {
+                enabled: true,
+                targets: [new targets.LambdaFunction(eventTransformer)],
+                eventPattern: {
+                    detail: {
+                        userIdentity: {
+                            type: ["Root"],
+                        },
+                        eventName: ["PasswordRecoveryCompleted"],
+                        eventType: ["AwsConsoleSignIn"],
+                        responseElements: {
+                            PasswordRecoveryCompleted: ["Success"],
+                        },
+                    },
+                },
+            });
+        }
+    }
+}
+exports.CloudTrailSlackIntegration = CloudTrailSlackIntegration;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xvdWR0cmFpbC1zbGFjay1pbnRlZ3JhdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9jbG91ZHRyYWlsLXNsYWNrLWludGVncmF0aW9uL2Nsb3VkdHJhaWwtc2xhY2staW50ZWdyYXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEseUNBQXdDO0FBQ3hDLG1DQUFrQztBQUNsQywyQ0FBMEM7QUFDMUMsNkNBQTRDO0FBQzVDLHlEQUF3RDtBQUN4RCxpREFBZ0Q7QUFDaEQsaURBQWdEO0FBQ2hELGdFQUErRDtBQUMvRCwyQ0FBMEM7QUFDMUMsMERBQXlEO0FBQ3pELDZCQUE0QjtBQXFDNUI7Ozs7OztHQU1HO0FBQ0gsTUFBYSwwQkFBMkIsU0FBUSxVQUFVLENBQUMsU0FBUztJQUNsRSxZQUNFLEtBQTJCLEVBQzNCLEVBQVUsRUFDVixLQUFzQztRQUV0QyxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFBO1FBRWhCLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxNQUFNLENBQUMsUUFBUSxDQUMxQyxJQUFJLEVBQ0osd0JBQXdCLEVBQ3hCO1lBQ0UsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUN6QixJQUFJLENBQUMsSUFBSSxDQUNQLFNBQVMsRUFDVCxrREFBa0QsQ0FDbkQsQ0FDRjtZQUNELFdBQVcsRUFDVCx5SUFBeUk7WUFDM0ksT0FBTyxFQUFFLGdDQUFnQztZQUN6QyxPQUFPLEVBQUUsTUFBTSxDQUFDLE9BQU8sQ0FBQyxVQUFVO1lBQ2xDLE9BQU8sRUFBRSxHQUFHLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDakMsWUFBWSxFQUFFLElBQUksQ0FBQyxhQUFhLENBQUMsVUFBVTtZQUMzQyxXQUFXLEVBQUU7Z0JBQ1gsYUFBYSxFQUFFLEtBQUssQ0FBQyxZQUFZO2dCQUNqQyxrQkFBa0IsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQUM7Z0JBQzdELGNBQWMsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxhQUFhLElBQUksRUFBRSxDQUFDO2dCQUN6RCxpQkFBaUIsRUFBRSxLQUFLLENBQUMsZUFBZTthQUN6QztTQUNGLENBQ0YsQ0FBQTtRQUNELGdCQUFnQixDQUFDLGVBQWUsQ0FDOUIsSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQ3RCLE9BQU8sRUFBRSxDQUFDLHdCQUF3QixDQUFDO1lBQ25DLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQTtRQUNELElBQUksS0FBSyxDQUFDLHlCQUF5QixFQUFFLENBQUM7WUFDcEMsTUFBTSxxQkFBcUIsR0FBRyxnQkFBZ0I7aUJBQzNDLFlBQVksQ0FBQztnQkFDWixNQUFNLEVBQUUsR0FBRyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDO2dCQUMvQixTQUFTLEVBQUUsVUFBVSxDQUFDLFNBQVMsQ0FBQyxHQUFHO2FBQ3BDLENBQUM7aUJBQ0QsV0FBVyxDQUFDLElBQUksRUFBRSw0QkFBNEIsRUFBRTtnQkFDL0MsU0FBUyxFQUFFLENBQUM7Z0JBQ1osaUJBQWlCLEVBQUUsQ0FBQztnQkFDcEIsZ0JBQWdCLEVBQ2QsK0lBQStJO2dCQUNqSixpQkFBaUIsRUFBRSxDQUFDO2dCQUNwQixnQkFBZ0IsRUFBRSxVQUFVLENBQUMsZ0JBQWdCLENBQUMsTUFBTTthQUNyRCxDQUFDLENBQUE7WUFDSixxQkFBcUIsQ0FBQyxXQUFXLENBQUMsS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUE7WUFDbEUscUJBQXFCLENBQUMsY0FBYyxDQUFDLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFBO1FBQ3ZFLENBQUM7UUFDRCxJQUFJLEtBQUssQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQzVCLE1BQU0sa0JBQWtCLEdBQUcsSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxPQUFPLEVBQUU7Z0JBQ3RELDRGQUE0RjtnQkFDNUYsU0FBUyxFQUNQLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDO29CQUNwRSxPQUFPO2dCQUNULElBQUksRUFBRSxJQUFJO2FBQ1gsQ0FBQyxDQUFBO1lBQ0YsZ0JBQWdCLENBQUMsY0FBYyxDQUM3QixlQUFlLEVBQ2Ysa0JBQWtCLENBQUMsUUFBUSxDQUM1QixDQUFBO1lBQ0Qsa0JBQWtCLENBQUMsaUJBQWlCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQTtZQUN0RCxNQUFNLGNBQWMsR0FBRyxJQUFJLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLHNCQUFzQixFQUFFO2dCQUN2RSxJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQ3pCLElBQUksQ0FBQyxJQUFJLENBQ1AsU0FBUyxFQUNULGtEQUFrRCxDQUNuRCxDQUNGO2dCQUNELFdBQVcsRUFDVCxpR0FBaUc7Z0JBQ25HLE9BQU8sRUFBRSw4QkFBOEI7Z0JBQ3ZDLE9BQU8sRUFBRSxNQUFNLENBQUMsT0FBTyxDQUFDLFVBQVU7Z0JBQ2xDLE9BQU8sRUFBRSxHQUFHLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7Z0JBQ2pDLFlBQVksRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDLFNBQVM7YUFDM0MsQ0FBQyxDQUFBO1lBRUYsSUFBSSxLQUFLLENBQUMseUJBQXlCLEVBQUUsQ0FBQztnQkFDcEMsTUFBTSxtQkFBbUIsR0FBRyxjQUFjO3FCQUN2QyxZQUFZLENBQUM7b0JBQ1osTUFBTSxFQUFFLEdBQUcsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQztvQkFDL0IsU0FBUyxFQUFFLFVBQVUsQ0FBQyxTQUFTLENBQUMsR0FBRztpQkFDcEMsQ0FBQztxQkFDRCxXQUFXLENBQUMsSUFBSSxFQUFFLDBCQUEwQixFQUFFO29CQUM3QyxTQUFTLEVBQUUsQ0FBQztvQkFDWixnQkFBZ0IsRUFDZCwrS0FBK0s7b0JBQ2pMLGlCQUFpQixFQUFFLENBQUM7b0JBQ3BCLGlCQUFpQixFQUFFLENBQUM7b0JBQ3BCLGdCQUFnQixFQUFFLFVBQVUsQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNO2lCQUNyRCxDQUFDLENBQUE7Z0JBQ0osbUJBQW1CLENBQUMsV0FBVyxDQUFDLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFBO2dCQUNoRSxtQkFBbUIsQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUE7WUFDckUsQ0FBQztZQUNELGNBQWMsQ0FBQyxjQUFjLENBQzNCLElBQUksT0FBTyxDQUFDLGNBQWMsQ0FBQyxrQkFBa0IsQ0FBQyxDQUMvQyxDQUFBO1FBQ0gsQ0FBQztRQUVELElBQUksS0FBSyxDQUFDLGNBQWMsSUFBSSxLQUFLLENBQUMsY0FBYyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM1RCxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLG1CQUFtQixFQUFFO2dCQUN6QyxPQUFPLEVBQUUsSUFBSTtnQkFDYixPQUFPLEVBQUUsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxjQUFjLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztnQkFDdkQsWUFBWSxFQUFFO29CQUNaLE1BQU0sRUFBRTt3QkFDTixTQUFTLEVBQUUsQ0FBQyxZQUFZLENBQUM7d0JBQ3pCLGlCQUFpQixFQUFFOzRCQUNqQixPQUFPLEVBQUUsS0FBSyxDQUFDLGNBQWM7eUJBQzlCO3FCQUNGO2lCQUNGO2FBQ0YsQ0FBQyxDQUFBO1FBQ0osQ0FBQztRQUVELElBQUksS0FBSyxDQUFDLHNCQUFzQixLQUFLLEtBQUssRUFBRSxDQUFDO1lBQzNDLG1EQUFtRDtZQUNuRCxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLCtCQUErQixFQUFFO2dCQUNyRCxPQUFPLEVBQUUsSUFBSTtnQkFDYixPQUFPLEVBQUUsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxjQUFjLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztnQkFDdkQsWUFBWSxFQUFFO29CQUNaLE1BQU0sRUFBRTt3QkFDTixZQUFZLEVBQUU7NEJBQ1osSUFBSSxFQUFFLENBQUMsTUFBTSxDQUFDO3lCQUNmO3dCQUNELFNBQVMsRUFBRSxDQUFDLGlCQUFpQixDQUFDO3dCQUM5QixTQUFTLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQztxQkFDaEM7aUJBQ0Y7YUFDRixDQUFDLENBQUE7WUFFRixzREFBc0Q7WUFDdEQsSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSwwQkFBMEIsRUFBRTtnQkFDaEQsT0FBTyxFQUFFLElBQUk7Z0JBQ2IsT0FBTyxFQUFFLENBQUMsSUFBSSxPQUFPLENBQUMsY0FBYyxDQUFDLGdCQUFnQixDQUFDLENBQUM7Z0JBQ3ZELFlBQVksRUFBRTtvQkFDWixNQUFNLEVBQUU7d0JBQ04sWUFBWSxFQUFFOzRCQUNaLElBQUksRUFBRSxDQUFDLE1BQU0sQ0FBQzt5QkFDZjt3QkFDRCxTQUFTLEVBQUUsQ0FBQyxpQkFBaUIsQ0FBQzt3QkFDOUIsaUJBQWlCLEVBQUU7NEJBQ2pCLFFBQVEsRUFBRSxDQUFDLGVBQWUsQ0FBQzt5QkFDNUI7cUJBQ0Y7aUJBQ0Y7YUFDRixDQUFDLENBQUE7WUFFRiwrREFBK0Q7WUFDL0QsSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxnQ0FBZ0MsRUFBRTtnQkFDdEQsT0FBTyxFQUFFLElBQUk7Z0JBQ2IsT0FBTyxFQUFFLENBQUMsSUFBSSxPQUFPLENBQUMsY0FBYyxDQUFDLGdCQUFnQixDQUFDLENBQUM7Z0JBQ3ZELFlBQVksRUFBRTtvQkFDWixNQUFNLEVBQUU7d0JBQ04sWUFBWSxFQUFFOzRCQUNaLElBQUksRUFBRSxDQUFDLE1BQU0sQ0FBQzt5QkFDZjt3QkFDRCxTQUFTLEVBQUUsQ0FBQyxjQUFjLENBQUM7d0JBQzNCLFNBQVMsRUFBRSxDQUFDLGtCQUFrQixDQUFDO3dCQUMvQixnQkFBZ0IsRUFBRTs0QkFDaEIsWUFBWSxFQUFFLENBQUMsU0FBUyxDQUFDO3lCQUMxQjtxQkFDRjtpQkFDRjthQUNGLENBQUMsQ0FBQTtZQUVGLHNFQUFzRTtZQUN0RSxJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLGtDQUFrQyxFQUFFO2dCQUN4RCxPQUFPLEVBQUUsSUFBSTtnQkFDYixPQUFPLEVBQUUsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxjQUFjLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztnQkFDdkQsWUFBWSxFQUFFO29CQUNaLE1BQU0sRUFBRTt3QkFDTixZQUFZLEVBQUU7NEJBQ1osSUFBSSxFQUFFLENBQUMsTUFBTSxDQUFDO3lCQUNmO3dCQUNELFNBQVMsRUFBRSxDQUFDLGNBQWMsQ0FBQzt3QkFDM0IsU0FBUyxFQUFFLENBQUMsa0JBQWtCLENBQUM7d0JBQy9CLGdCQUFnQixFQUFFOzRCQUNoQixZQUFZLEVBQUUsQ0FBQyxTQUFTLENBQUM7eUJBQzFCO3FCQUNGO2lCQUNGO2FBQ0YsQ0FBQyxDQUFBO1lBRUYsbURBQW1EO1lBQ25ELElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsd0NBQXdDLEVBQUU7Z0JBQzlELE9BQU8sRUFBRSxJQUFJO2dCQUNiLE9BQU8sRUFBRSxDQUFDLElBQUksT0FBTyxDQUFDLGNBQWMsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO2dCQUN2RCxZQUFZLEVBQUU7b0JBQ1osTUFBTSxFQUFFO3dCQUNOLFlBQVksRUFBRTs0QkFDWixJQUFJLEVBQUUsQ0FBQyxNQUFNLENBQUM7eUJBQ2Y7d0JBQ0QsU0FBUyxFQUFFLENBQUMsMkJBQTJCLENBQUM7d0JBQ3hDLFNBQVMsRUFBRSxDQUFDLGtCQUFrQixDQUFDO3dCQUMvQixnQkFBZ0IsRUFBRTs0QkFDaEIseUJBQXlCLEVBQUUsQ0FBQyxTQUFTLENBQUM7eUJBQ3ZDO3FCQUNGO2lCQUNGO2FBQ0YsQ0FBQyxDQUFBO1lBRUYsc0RBQXNEO1lBQ3RELElBQUksTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUseUNBQXlDLEVBQUU7Z0JBQy9ELE9BQU8sRUFBRSxJQUFJO2dCQUNiLE9BQU8sRUFBRSxDQUFDLElBQUksT0FBTyxDQUFDLGNBQWMsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO2dCQUN2RCxZQUFZLEVBQUU7b0JBQ1osTUFBTSxFQUFFO3dCQUNOLFlBQVksRUFBRTs0QkFDWixJQUFJLEVBQUUsQ0FBQyxNQUFNLENBQUM7eUJBQ2Y7d0JBQ0QsU0FBUyxFQUFFLENBQUMsMkJBQTJCLENBQUM7d0JBQ3hDLFNBQVMsRUFBRSxDQUFDLGtCQUFrQixDQUFDO3dCQUMvQixnQkFBZ0IsRUFBRTs0QkFDaEIseUJBQXlCLEVBQUUsQ0FBQyxTQUFTLENBQUM7eUJBQ3ZDO3FCQUNGO2lCQUNGO2FBQ0YsQ0FBQyxDQUFBO1FBQ0osQ0FBQztJQUNILENBQUM7Q0FDRjtBQWxPRCxnRUFrT0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb25zdHJ1Y3RzIGZyb20gXCJjb25zdHJ1Y3RzXCJcbmltcG9ydCAqIGFzIGNkayBmcm9tIFwiYXdzLWNkay1saWJcIlxuaW1wb3J0ICogYXMgaWFtIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCJcbmltcG9ydCAqIGFzIGxvZ3MgZnJvbSBcImF3cy1jZGstbGliL2F3cy1sb2dzXCJcbmltcG9ydCAqIGFzIGNsb3Vkd2F0Y2ggZnJvbSBcImF3cy1jZGstbGliL2F3cy1jbG91ZHdhdGNoXCJcbmltcG9ydCAqIGFzIGxhbWJkYSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxhbWJkYVwiXG5pbXBvcnQgKiBhcyBldmVudHMgZnJvbSBcImF3cy1jZGstbGliL2F3cy1ldmVudHNcIlxuaW1wb3J0ICogYXMgc291cmNlcyBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxhbWJkYS1ldmVudC1zb3VyY2VzXCJcbmltcG9ydCAqIGFzIHNxcyBmcm9tIFwiYXdzLWNkay1saWIvYXdzLXNxc1wiXG5pbXBvcnQgKiBhcyB0YXJnZXRzIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZXZlbnRzLXRhcmdldHNcIlxuaW1wb3J0ICogYXMgcGF0aCBmcm9tIFwicGF0aFwiXG5cbmV4cG9ydCBpbnRlcmZhY2UgQ2xvdWRUcmFpbFNsYWNrSW50ZWdyYXRpb25Qcm9wcyBleHRlbmRzIGNkay5TdGFja1Byb3BzIHtcbiAgLyoqXG4gICAqIEEga2V5LXZhbHVlIHBhaXIgb2YgdmFsdWVzIHRvIGF1Z21lbnQgKGUuZy4sIEFXUyBhY2NvdW50IElEcywgcHJpbmNpcGFsIElEcykgd2l0aCBmcmllbmRseSBuYW1lc1xuICAgKiB0byB1c2Ugd2hlbiBzZW5kaW5nIG1lc3NhZ2VzIHRvIFNsYWNrLlxuICAgKlxuICAgKiBOT1RFOiBBIHNpbXBsZSBoZXVyaXN0aWMgaXMgdXNlZCB0byBhdm9pZCByZXBsYWNpbmcgdmFsdWVzIGluc2lkZSBvZiBBUk5zIGV0Yy4gYXMgdGhpcyBjYW5cbiAgICogbGVhZCB0byB1bnBsZWFzYW50IGZvcm1hdHRpbmcgb2YgdmFyaW91cyBmaWVsZHMgaW4gdGhlIFNsYWNrIG1lc3NhZ2UuXG4gICAqL1xuICBmcmllbmRseU5hbWVzPzoge1xuICAgIFtrZXk6IHN0cmluZ106IHN0cmluZ1xuICB9XG4gIHNsYWNrV2ViaG9va1VybDogc3RyaW5nXG4gIHNsYWNrQ2hhbm5lbDogc3RyaW5nXG4gIC8qKlxuICAgKiBBIGxpc3Qgb2YgQVJOcyBvZiByb2xlcyBpbiB0aGUgY3VycmVudCBhY2NvdW50IHRvIG1vbml0b3IgdXNhZ2Ugb2YuXG4gICAqL1xuICByb2xlc1RvTW9uaXRvcj86IHN0cmluZ1tdXG4gIC8qKlxuICAgKiBXaGV0aGVyIHRvIG1vbml0b3IgdmFyaW91cyBJQU0gQVBJIGNhbGxzIGFzc29jaWF0ZWQgd2l0aCB0aGUgY3VycmVudCBhY2NvdW50J3Mgcm9vdCB1c2VyIChlLmcuLCBjb25zb2xlIGxvZ2luLCBwYXNzd29yZCByZXNldCwgZXRjLilcbiAgICpcbiAgICogQGRlZmF1bHQgdHJ1ZVxuICAgKi9cbiAgbW9uaXRvclJvb3RVc2VyQWN0aW9ucz86IGJvb2xlYW5cbiAgLyoqXG4gICAqIFdoZXRoZXIgdG8gc2V0IHVwIGFkZGl0aW9uYWwgQVdTIGluZnJhc3RydWN0dXJlIHRvIGRlZHVwbGljYXRlIENsb3VkVHJhaWwgZXZlbnRzIGluIG9yZGVyIHRvIGF2b2lkIGR1cGxpY2F0ZSBTbGFjayBtZXNzYWdlcy4gTWF5IGJlIHVzZWQgdG8gZGVjcmVhc2Ugbm9pc2UuXG4gICAqXG4gICAqIEBkZWZhdWx0IGZhbHNlXG4gICAqL1xuICBkZWR1cGxpY2F0ZUV2ZW50cz86IGJvb2xlYW5cbiAgLyoqXG4gICAqIElmIHN1cHBsaWVkLCBDbG91ZFdhdGNoIGFsYXJtcyB3aWxsIGJlIGNyZWF0ZWQgZm9yIHRoZSBjb25zdHJ1Y3QncyB1bmRlcmx5aW5nIGluZnJhc3RydWN0dXJlIChlLmcuLCBMYW1iZGEgZnVuY3Rpb25zKSBhbmQgdGhlIGFjdGlvbiB3aWxsIGJlIHVzZWQgdG8gbm90aWZ5IG9uIE9LIGFuZCBBTEFSTSBhY3Rpb25zLlxuICAgKi9cbiAgaW5mcmFzdHJ1Y3R1cmVBbGFybUFjdGlvbj86IGNsb3Vkd2F0Y2guSUFsYXJtQWN0aW9uXG59XG5cbi8qKlxuICogRm9yd2FyZCBhIHByZWRlZmluZWQgc2V0IG9mIENsb3VkVHJhaWwgQVBJIGV2ZW50cyB0byBTbGFjayB1c2luZyBFdmVudEJyaWRnZSwgTGFtYmRhXG4gKiBhbmQgYW4gb3B0aW9uYWwgU1FTIEZJRk8gcXVldWUgZm9yIGRlZHVwbGljYXRpbmcgZXZlbnRzLlxuICogVGhlIEFQSSBldmVudHMgYXJlIGxpbWl0ZWQgdG8gbW9uaXRvcmluZyBhY2Nlc3MgdG8gdGhlIGN1cnJlbnQgYWNjb3VudCdzIHJvb3QgdXNlciBhbmQvb3Igc3BlY2lmaWMgSUFNIHJvbGVzLlxuICpcbiAqIE5PVEU6IFRoZSBjb25zdHJ1Y3QgbmVlZHMgdG8gYmUgcHJvdmlzaW9uZWQgaW4gdXMtZWFzdC0xLCBhbmQgcmVxdWlyZXMgYW4gZXhpc3RpbmcgQ2xvdWRUcmFpbCBzZXQgdXAgaW4gdGhhdCByZWdpb24uXG4gKi9cbmV4cG9ydCBjbGFzcyBDbG91ZFRyYWlsU2xhY2tJbnRlZ3JhdGlvbiBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgY29uc3RydWN0b3IoXG4gICAgc2NvcGU6IGNvbnN0cnVjdHMuQ29uc3RydWN0LFxuICAgIGlkOiBzdHJpbmcsXG4gICAgcHJvcHM6IENsb3VkVHJhaWxTbGFja0ludGVncmF0aW9uUHJvcHMsXG4gICkge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIGNvbnN0IGV2ZW50VHJhbnNmb3JtZXIgPSBuZXcgbGFtYmRhLkZ1bmN0aW9uKFxuICAgICAgdGhpcyxcbiAgICAgIFwiRXZlbnRUcmFuc2Zvcm1lckxhbWJkYVwiLFxuICAgICAge1xuICAgICAgICBjb2RlOiBsYW1iZGEuQ29kZS5mcm9tQXNzZXQoXG4gICAgICAgICAgcGF0aC5qb2luKFxuICAgICAgICAgICAgX19kaXJuYW1lLFxuICAgICAgICAgICAgXCIuLi8uLi9hc3NldHMvY2xvdWR0cmFpbC1zbGFjay1pbnRlZ3JhdGlvbi1sYW1iZGFcIixcbiAgICAgICAgICApLFxuICAgICAgICApLFxuICAgICAgICBkZXNjcmlwdGlvbjpcbiAgICAgICAgICBcIkZvcm1hdHMgQ2xvdWRUcmFpbCBBUEkgY2FsbHMgc2VudCB0aHJvdWdoIEV2ZW50QnJpZGdlLCBhbmQgcG9zdHMgdGhlbSBkaXJlY3RseSB0byBTbGFjayBvciBmaXJzdCB0byBhbiBTUVMgRklGTyBxdWV1ZSBmb3IgZGVkdXBsaWNhdGlvblwiLFxuICAgICAgICBoYW5kbGVyOiBcIm1haW4uaGFuZGxlcl9ldmVudF90cmFuc2Zvcm1lclwiLFxuICAgICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5QWVRIT05fM185LFxuICAgICAgICB0aW1lb3V0OiBjZGsuRHVyYXRpb24uc2Vjb25kcygxNSksXG4gICAgICAgIGxvZ1JldGVudGlvbjogbG9ncy5SZXRlbnRpb25EYXlzLlNJWF9NT05USFMsXG4gICAgICAgIGVudmlyb25tZW50OiB7XG4gICAgICAgICAgU0xBQ0tfQ0hBTk5FTDogcHJvcHMuc2xhY2tDaGFubmVsLFxuICAgICAgICAgIERFRFVQTElDQVRFX0VWRU5UUzogSlNPTi5zdHJpbmdpZnkoISFwcm9wcy5kZWR1cGxpY2F0ZUV2ZW50cyksXG4gICAgICAgICAgRlJJRU5ETFlfTkFNRVM6IEpTT04uc3RyaW5naWZ5KHByb3BzLmZyaWVuZGx5TmFtZXMgfHwge30pLFxuICAgICAgICAgIFNMQUNLX1dFQkhPT0tfVVJMOiBwcm9wcy5zbGFja1dlYmhvb2tVcmwsXG4gICAgICAgIH0sXG4gICAgICB9LFxuICAgIClcbiAgICBldmVudFRyYW5zZm9ybWVyLmFkZFRvUm9sZVBvbGljeShcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogW1wiaWFtOkxpc3RBY2NvdW50QWxpYXNlc1wiXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdLFxuICAgICAgfSksXG4gICAgKVxuICAgIGlmIChwcm9wcy5pbmZyYXN0cnVjdHVyZUFsYXJtQWN0aW9uKSB7XG4gICAgICBjb25zdCBldmVudFRyYW5zZm9ybWVyQWxhcm0gPSBldmVudFRyYW5zZm9ybWVyXG4gICAgICAgIC5tZXRyaWNFcnJvcnMoe1xuICAgICAgICAgIHBlcmlvZDogY2RrLkR1cmF0aW9uLm1pbnV0ZXMoNSksXG4gICAgICAgICAgc3RhdGlzdGljOiBjbG91ZHdhdGNoLlN0YXRpc3RpYy5TVU0sXG4gICAgICAgIH0pXG4gICAgICAgIC5jcmVhdGVBbGFybSh0aGlzLCBcIkV2ZW50VHJhbnNmb3JtZXJFcnJvckFsYXJtXCIsIHtcbiAgICAgICAgICB0aHJlc2hvbGQ6IDEsXG4gICAgICAgICAgZXZhbHVhdGlvblBlcmlvZHM6IDEsXG4gICAgICAgICAgYWxhcm1EZXNjcmlwdGlvbjpcbiAgICAgICAgICAgIFwiVHJpZ2dlcnMgaWYgdGhlIExhbWJkYSBmdW5jdGlvbiB0aGF0IHRyYW5zZm9ybXMgQ2xvdWRUcmFpbCBBUEkgY2FsbHMgcmVjZWl2ZWQgdGhyb3VnaCBFdmVudEJyaWRnZSBmYWlscyAoZS5nLiwgaXQgZmFpbHMgdG8gcHJvY2VzcyB0aGUgZXZlbnQpXCIsXG4gICAgICAgICAgZGF0YXBvaW50c1RvQWxhcm06IDEsXG4gICAgICAgICAgdHJlYXRNaXNzaW5nRGF0YTogY2xvdWR3YXRjaC5UcmVhdE1pc3NpbmdEYXRhLklHTk9SRSxcbiAgICAgICAgfSlcbiAgICAgIGV2ZW50VHJhbnNmb3JtZXJBbGFybS5hZGRPa0FjdGlvbihwcm9wcy5pbmZyYXN0cnVjdHVyZUFsYXJtQWN0aW9uKVxuICAgICAgZXZlbnRUcmFuc2Zvcm1lckFsYXJtLmFkZEFsYXJtQWN0aW9uKHByb3BzLmluZnJhc3RydWN0dXJlQWxhcm1BY3Rpb24pXG4gICAgfVxuICAgIGlmIChwcm9wcy5kZWR1cGxpY2F0ZUV2ZW50cykge1xuICAgICAgY29uc3QgZGVkdXBsaWNhdGlvblF1ZXVlID0gbmV3IHNxcy5RdWV1ZSh0aGlzLCBcIlF1ZXVlXCIsIHtcbiAgICAgICAgLy8gV2UgZXhwbGljaXRseSBnaXZlIHRoZSBxdWV1ZSBhIG5hbWUgZHVlIHRvIGJ1ZyBodHRwczovL2dpdGh1Yi5jb20vYXdzL2F3cy1jZGsvaXNzdWVzLzU4NjBcbiAgICAgICAgcXVldWVOYW1lOlxuICAgICAgICAgIGAke3RoaXMubm9kZS5pZC5zdWJzdHJpbmcoMCwgMzMpfSR7dGhpcy5ub2RlLmFkZHJ9YC5zdWJzdHJpbmcoMCwgNzUpICtcbiAgICAgICAgICBcIi5maWZvXCIsXG4gICAgICAgIGZpZm86IHRydWUsXG4gICAgICB9KVxuICAgICAgZXZlbnRUcmFuc2Zvcm1lci5hZGRFbnZpcm9ubWVudChcbiAgICAgICAgXCJTUVNfUVVFVUVfVVJMXCIsXG4gICAgICAgIGRlZHVwbGljYXRpb25RdWV1ZS5xdWV1ZVVybCxcbiAgICAgIClcbiAgICAgIGRlZHVwbGljYXRpb25RdWV1ZS5ncmFudFNlbmRNZXNzYWdlcyhldmVudFRyYW5zZm9ybWVyKVxuICAgICAgY29uc3Qgc2xhY2tGb3J3YXJkZXIgPSBuZXcgbGFtYmRhLkZ1bmN0aW9uKHRoaXMsIFwiU2xhY2tGb3J3YXJkZXJMYW1iZGFcIiwge1xuICAgICAgICBjb2RlOiBsYW1iZGEuQ29kZS5mcm9tQXNzZXQoXG4gICAgICAgICAgcGF0aC5qb2luKFxuICAgICAgICAgICAgX19kaXJuYW1lLFxuICAgICAgICAgICAgXCIuLi8uLi9hc3NldHMvY2xvdWR0cmFpbC1zbGFjay1pbnRlZ3JhdGlvbi1sYW1iZGFcIixcbiAgICAgICAgICApLFxuICAgICAgICApLFxuICAgICAgICBkZXNjcmlwdGlvbjpcbiAgICAgICAgICBcIlBvbGxzIGZyb20gYW4gU1FTIEZJRk8gcXVldWUgY29udGFpbmluZyBmb3JtYXR0ZWQgQ2xvdWRUcmFpbCBBUEkgY2FsbHMgYW5kIHNlbmRzIHRoZW0gdG8gU2xhY2suXCIsXG4gICAgICAgIGhhbmRsZXI6IFwibWFpbi5oYW5kbGVyX3NsYWNrX2ZvcndhcmRlclwiLFxuICAgICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5QWVRIT05fM185LFxuICAgICAgICB0aW1lb3V0OiBjZGsuRHVyYXRpb24uc2Vjb25kcygxNSksXG4gICAgICAgIGxvZ1JldGVudGlvbjogbG9ncy5SZXRlbnRpb25EYXlzLlRXT19XRUVLUyxcbiAgICAgIH0pXG5cbiAgICAgIGlmIChwcm9wcy5pbmZyYXN0cnVjdHVyZUFsYXJtQWN0aW9uKSB7XG4gICAgICAgIGNvbnN0IHNsYWNrRm9yd2FyZGVyQWxhcm0gPSBzbGFja0ZvcndhcmRlclxuICAgICAgICAgIC5tZXRyaWNFcnJvcnMoe1xuICAgICAgICAgICAgcGVyaW9kOiBjZGsuRHVyYXRpb24ubWludXRlcyg1KSxcbiAgICAgICAgICAgIHN0YXRpc3RpYzogY2xvdWR3YXRjaC5TdGF0aXN0aWMuU1VNLFxuICAgICAgICAgIH0pXG4gICAgICAgICAgLmNyZWF0ZUFsYXJtKHRoaXMsIFwiU2xhY2tGb3J3YXJkZXJFcnJvckFsYXJtXCIsIHtcbiAgICAgICAgICAgIHRocmVzaG9sZDogMSxcbiAgICAgICAgICAgIGFsYXJtRGVzY3JpcHRpb246XG4gICAgICAgICAgICAgIFwiVHJpZ2dlcnMgaWYgdGhlIExhbWJkYSBmdW5jdGlvbiB0aGF0IHBvbGxzIGZyb20gU1FTIGFuZCBwb3N0cyBkZWR1cGxpY2F0ZWQgQ2xvdWRUcmFpbCBBUEkgY2FsbHMgcmVjZWl2ZWQgdGhyb3VnaCBFdmVudEJyaWRnZSB0byBTbGFjayBmYWlscyAoZS5nLiwgaW52YWxpZCBTbGFjayB3ZWJob29rIFVSTClcIixcbiAgICAgICAgICAgIGV2YWx1YXRpb25QZXJpb2RzOiAxLFxuICAgICAgICAgICAgZGF0YXBvaW50c1RvQWxhcm06IDEsXG4gICAgICAgICAgICB0cmVhdE1pc3NpbmdEYXRhOiBjbG91ZHdhdGNoLlRyZWF0TWlzc2luZ0RhdGEuSUdOT1JFLFxuICAgICAgICAgIH0pXG4gICAgICAgIHNsYWNrRm9yd2FyZGVyQWxhcm0uYWRkT2tBY3Rpb24ocHJvcHMuaW5mcmFzdHJ1Y3R1cmVBbGFybUFjdGlvbilcbiAgICAgICAgc2xhY2tGb3J3YXJkZXJBbGFybS5hZGRBbGFybUFjdGlvbihwcm9wcy5pbmZyYXN0cnVjdHVyZUFsYXJtQWN0aW9uKVxuICAgICAgfVxuICAgICAgc2xhY2tGb3J3YXJkZXIuYWRkRXZlbnRTb3VyY2UoXG4gICAgICAgIG5ldyBzb3VyY2VzLlNxc0V2ZW50U291cmNlKGRlZHVwbGljYXRpb25RdWV1ZSksXG4gICAgICApXG4gICAgfVxuXG4gICAgaWYgKHByb3BzLnJvbGVzVG9Nb25pdG9yICYmIHByb3BzLnJvbGVzVG9Nb25pdG9yLmxlbmd0aCA+IDApIHtcbiAgICAgIG5ldyBldmVudHMuUnVsZSh0aGlzLCBcIlJ1bGVGb3JBc3N1bWVSb2xlXCIsIHtcbiAgICAgICAgZW5hYmxlZDogdHJ1ZSxcbiAgICAgICAgdGFyZ2V0czogW25ldyB0YXJnZXRzLkxhbWJkYUZ1bmN0aW9uKGV2ZW50VHJhbnNmb3JtZXIpXSxcbiAgICAgICAgZXZlbnRQYXR0ZXJuOiB7XG4gICAgICAgICAgZGV0YWlsOiB7XG4gICAgICAgICAgICBldmVudE5hbWU6IFtcIkFzc3VtZVJvbGVcIl0sXG4gICAgICAgICAgICByZXF1ZXN0UGFyYW1ldGVyczoge1xuICAgICAgICAgICAgICByb2xlQXJuOiBwcm9wcy5yb2xlc1RvTW9uaXRvcixcbiAgICAgICAgICAgIH0sXG4gICAgICAgICAgfSxcbiAgICAgICAgfSxcbiAgICAgIH0pXG4gICAgfVxuXG4gICAgaWYgKHByb3BzLm1vbml0b3JSb290VXNlckFjdGlvbnMgIT09IGZhbHNlKSB7XG4gICAgICAvLyBUcmlnZ2VycyB3aGVuIHRoZSByb290IHBhc3N3b3JkIGhhcyBiZWVuIGNoYW5nZWRcbiAgICAgIG5ldyBldmVudHMuUnVsZSh0aGlzLCBcIlJ1bGVGb3JSb290VXNlclBhc3N3b3JkQ2hhbmdlXCIsIHtcbiAgICAgICAgZW5hYmxlZDogdHJ1ZSxcbiAgICAgICAgdGFyZ2V0czogW25ldyB0YXJnZXRzLkxhbWJkYUZ1bmN0aW9uKGV2ZW50VHJhbnNmb3JtZXIpXSxcbiAgICAgICAgZXZlbnRQYXR0ZXJuOiB7XG4gICAgICAgICAgZGV0YWlsOiB7XG4gICAgICAgICAgICB1c2VySWRlbnRpdHk6IHtcbiAgICAgICAgICAgICAgdHlwZTogW1wiUm9vdFwiXSxcbiAgICAgICAgICAgIH0sXG4gICAgICAgICAgICBldmVudE5hbWU6IFtcIlBhc3N3b3JkVXBkYXRlZFwiXSxcbiAgICAgICAgICAgIGV2ZW50VHlwZTogW1wiQXdzQ29uc29sZVNpZ25JblwiXSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgfSlcblxuICAgICAgLy8gVHJpZ2dlcnMgd2hlbiBNRkEgZm9yIHRoZSByb290IHVzZXIgaGFzIGJlZW4gc2V0IHVwXG4gICAgICBuZXcgZXZlbnRzLlJ1bGUodGhpcywgXCJSdWxlRm9yUm9vdFVzZXJNZmFDaGFuZ2VcIiwge1xuICAgICAgICBlbmFibGVkOiB0cnVlLFxuICAgICAgICB0YXJnZXRzOiBbbmV3IHRhcmdldHMuTGFtYmRhRnVuY3Rpb24oZXZlbnRUcmFuc2Zvcm1lcildLFxuICAgICAgICBldmVudFBhdHRlcm46IHtcbiAgICAgICAgICBkZXRhaWw6IHtcbiAgICAgICAgICAgIHVzZXJJZGVudGl0eToge1xuICAgICAgICAgICAgICB0eXBlOiBbXCJSb290XCJdLFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICAgIGV2ZW50TmFtZTogW1wiRW5hYmxlTUZBRGV2aWNlXCJdLFxuICAgICAgICAgICAgcmVxdWVzdFBhcmFtZXRlcnM6IHtcbiAgICAgICAgICAgICAgdXNlck5hbWU6IFtcIkFXUyBST09UIFVTRVJcIl0sXG4gICAgICAgICAgICB9LFxuICAgICAgICAgIH0sXG4gICAgICAgIH0sXG4gICAgICB9KVxuXG4gICAgICAvLyBUcmlnZ2VycyB3aGVuIGEgcm9vdCB1c2VyIHN1Y2Nlc2Z1bGx5IGxvZ3MgaW4gdG8gdGhlIGNvbnNvbGVcbiAgICAgIG5ldyBldmVudHMuUnVsZSh0aGlzLCBcIlJ1bGVGb3JSb290VXNlclN1Y2Nlc3NmdWxMb2dpblwiLCB7XG4gICAgICAgIGVuYWJsZWQ6IHRydWUsXG4gICAgICAgIHRhcmdldHM6IFtuZXcgdGFyZ2V0cy5MYW1iZGFGdW5jdGlvbihldmVudFRyYW5zZm9ybWVyKV0sXG4gICAgICAgIGV2ZW50UGF0dGVybjoge1xuICAgICAgICAgIGRldGFpbDoge1xuICAgICAgICAgICAgdXNlcklkZW50aXR5OiB7XG4gICAgICAgICAgICAgIHR5cGU6IFtcIlJvb3RcIl0sXG4gICAgICAgICAgICB9LFxuICAgICAgICAgICAgZXZlbnROYW1lOiBbXCJDb25zb2xlTG9naW5cIl0sXG4gICAgICAgICAgICBldmVudFR5cGU6IFtcIkF3c0NvbnNvbGVTaWduSW5cIl0sXG4gICAgICAgICAgICByZXNwb25zZUVsZW1lbnRzOiB7XG4gICAgICAgICAgICAgIENvbnNvbGVMb2dpbjogW1wiU3VjY2Vzc1wiXSxcbiAgICAgICAgICAgIH0sXG4gICAgICAgICAgfSxcbiAgICAgICAgfSxcbiAgICAgIH0pXG5cbiAgICAgIC8vIFRyaWdnZXJzIGZvciBiYWQgbG9naW4gYXR0ZW1wcyBmb3Igcm9vdCB1c2VyIChlLmcuLCB3cm9uZyBwYXNzd29yZClcbiAgICAgIG5ldyBldmVudHMuUnVsZSh0aGlzLCBcIlJ1bGVGb3JSb290VXNlclVuc3VjY2Vzc2Z1bExvZ2luXCIsIHtcbiAgICAgICAgZW5hYmxlZDogdHJ1ZSxcbiAgICAgICAgdGFyZ2V0czogW25ldyB0YXJnZXRzLkxhbWJkYUZ1bmN0aW9uKGV2ZW50VHJhbnNmb3JtZXIpXSxcbiAgICAgICAgZXZlbnRQYXR0ZXJuOiB7XG4gICAgICAgICAgZGV0YWlsOiB7XG4gICAgICAgICAgICB1c2VySWRlbnRpdHk6IHtcbiAgICAgICAgICAgICAgdHlwZTogW1wiUm9vdFwiXSxcbiAgICAgICAgICAgIH0sXG4gICAgICAgICAgICBldmVudE5hbWU6IFtcIkNvbnNvbGVMb2dpblwiXSxcbiAgICAgICAgICAgIGV2ZW50VHlwZTogW1wiQXdzQ29uc29sZVNpZ25JblwiXSxcbiAgICAgICAgICAgIHJlc3BvbnNlRWxlbWVudHM6IHtcbiAgICAgICAgICAgICAgQ29uc29sZUxvZ2luOiBbXCJGYWlsdXJlXCJdLFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgfSlcblxuICAgICAgLy8gVHJpZ2dlcmVkIHdoZW4gcGFzc3dvcmQgcmVzZXQgaGFzIGJlZW4gcmVxdWVzdGVkXG4gICAgICBuZXcgZXZlbnRzLlJ1bGUodGhpcywgXCJSdWxlRm9yUm9vdFVzZXJQYXNzd29yZFJlY292ZXJ5UmVxdWVzdFwiLCB7XG4gICAgICAgIGVuYWJsZWQ6IHRydWUsXG4gICAgICAgIHRhcmdldHM6IFtuZXcgdGFyZ2V0cy5MYW1iZGFGdW5jdGlvbihldmVudFRyYW5zZm9ybWVyKV0sXG4gICAgICAgIGV2ZW50UGF0dGVybjoge1xuICAgICAgICAgIGRldGFpbDoge1xuICAgICAgICAgICAgdXNlcklkZW50aXR5OiB7XG4gICAgICAgICAgICAgIHR5cGU6IFtcIlJvb3RcIl0sXG4gICAgICAgICAgICB9LFxuICAgICAgICAgICAgZXZlbnROYW1lOiBbXCJQYXNzd29yZFJlY292ZXJ5UmVxdWVzdGVkXCJdLFxuICAgICAgICAgICAgZXZlbnRUeXBlOiBbXCJBd3NDb25zb2xlU2lnbkluXCJdLFxuICAgICAgICAgICAgcmVzcG9uc2VFbGVtZW50czoge1xuICAgICAgICAgICAgICBQYXNzd29yZFJlY292ZXJ5UmVxdWVzdGVkOiBbXCJTdWNjZXNzXCJdLFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgfSlcblxuICAgICAgLy8gVHJpZ2dlcmVkIHdoZW4gcGFzc3dvcmQgaGFzIGJlZW4gc3VjY2Vzc2Z1bGx5IHJlc2V0XG4gICAgICBuZXcgZXZlbnRzLlJ1bGUodGhpcywgXCJSdWxlRm9yUm9vdFVzZXJQYXNzd29yZFJlY292ZXJ5Q29tcGxldGVcIiwge1xuICAgICAgICBlbmFibGVkOiB0cnVlLFxuICAgICAgICB0YXJnZXRzOiBbbmV3IHRhcmdldHMuTGFtYmRhRnVuY3Rpb24oZXZlbnRUcmFuc2Zvcm1lcildLFxuICAgICAgICBldmVudFBhdHRlcm46IHtcbiAgICAgICAgICBkZXRhaWw6IHtcbiAgICAgICAgICAgIHVzZXJJZGVudGl0eToge1xuICAgICAgICAgICAgICB0eXBlOiBbXCJSb290XCJdLFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICAgIGV2ZW50TmFtZTogW1wiUGFzc3dvcmRSZWNvdmVyeUNvbXBsZXRlZFwiXSxcbiAgICAgICAgICAgIGV2ZW50VHlwZTogW1wiQXdzQ29uc29sZVNpZ25JblwiXSxcbiAgICAgICAgICAgIHJlc3BvbnNlRWxlbWVudHM6IHtcbiAgICAgICAgICAgICAgUGFzc3dvcmRSZWNvdmVyeUNvbXBsZXRlZDogW1wiU3VjY2Vzc1wiXSxcbiAgICAgICAgICAgIH0sXG4gICAgICAgICAgfSxcbiAgICAgICAgfSxcbiAgICAgIH0pXG4gICAgfVxuICB9XG59XG4iXX0=

package/lib/cloudtrail-slack-integration/index.d.ts

@@ -0,0 +1 @@
+export { CloudTrailSlackIntegration, CloudTrailSlackIntegrationProps, } from "./cloudtrail-slack-integration";

package/lib/cloudtrail-slack-integration/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudTrailSlackIntegration = void 0;
+var cloudtrail_slack_integration_1 = require("./cloudtrail-slack-integration");
+Object.defineProperty(exports, "CloudTrailSlackIntegration", { enumerable: true, get: function () { return cloudtrail_slack_integration_1.CloudTrailSlackIntegration; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY2xvdWR0cmFpbC1zbGFjay1pbnRlZ3JhdGlvbi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwrRUFHdUM7QUFGckMsMElBQUEsMEJBQTBCLE9BQUEiLCJzb3VyY2VzQ29udGVudCI6WyJleHBvcnQge1xuICBDbG91ZFRyYWlsU2xhY2tJbnRlZ3JhdGlvbixcbiAgQ2xvdWRUcmFpbFNsYWNrSW50ZWdyYXRpb25Qcm9wcyxcbn0gZnJvbSBcIi4vY2xvdWR0cmFpbC1zbGFjay1pbnRlZ3JhdGlvblwiXG4iXX0=

package/lib/configure-parameters/configure-parameters.d.ts

@@ -0,0 +1,61 @@
+import * as constructs from "constructs";
+import * as iam from "aws-cdk-lib/aws-iam";
+import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
+import * as ssm from "aws-cdk-lib/aws-ssm";
+/**
+ * A plain text application parameter that will be stored
+ * in AWS Parameter Store. Only used for non-sensitive values,
+ * typically those commited directly in the IaC code.
+ */
+export interface PlainTextParameter {
+    key: string;
+    value: string;
+}
+/**
+ * An AWS Secret that should hold a JSON object.
+ *
+ * This will provide a secret that liflig-properties can read. The final
+ * parameter seen by the application will be the key given here and the
+ * keys from the secret JSON object appended.
+ */
+export interface SecretParameter {
+    key: string;
+    secret: secretsmanager.ISecret;
+}
+/**
+ * An AWS Secret that should hold a JSON object.
+ *
+ * This will provide a secret that liflig-properties can read. The final
+ * parameter seen by the application will be the key given here and the
+ * keys from the secret JSON object appended.
+ */
+export interface SecretByNameParameter {
+    key: string;
+    secretName: string;
+}
+export type Parameter = PlainTextParameter | SecretParameter | SecretByNameParameter;
+export interface ConfigureParametersProps {
+    /**
+     * Prefix used for parameter names.
+     * Should start with '/' and end without '/'.
+     */
+    ssmPrefix: string;
+    parameters: Parameter[];
+}
+export declare class ConfigureParameters {
+    parameters: ssm.IParameter[];
+    ssmPrefix: string;
+    private secrets;
+    private configParameters;
+    private secretParameters;
+    constructor(scope: constructs.Construct, props: ConfigureParametersProps);
+    grantRead(grantable: iam.IGrantable & constructs.IConstruct): void;
+    /**
+     * Produce a checksum-value that can be used as a kind of
+     * nonce to trigger redeployment on parameter changes.
+     *
+     * Note: If the parameter references a token no change will be visible,
+     * and a manual redeployment might be needed.
+     */
+    get hashValue(): string;
+}

package/lib/configure-parameters/configure-parameters.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigureParameters = void 0;
+const iam = require("aws-cdk-lib/aws-iam");
+const secretsmanager = require("aws-cdk-lib/aws-secretsmanager");
+const ssm = require("aws-cdk-lib/aws-ssm");
+const cdk = require("aws-cdk-lib");
+const crypto = require("crypto");
+class ConfigureParameters {
+    constructor(scope, props) {
+        if (!props.ssmPrefix.startsWith("/") || props.ssmPrefix.endsWith("/")) {
+            throw new Error("ssmPrefix should start with '/' and end without '/'");
+        }
+        this.ssmPrefix = props.ssmPrefix;
+        this.configParameters = [];
+        this.secretParameters = [];
+        for (const parameter of props.parameters) {
+            if ("value" in parameter) {
+                this.configParameters.push(parameter);
+            }
+            else if ("secret" in parameter) {
+                this.secretParameters.push(parameter);
+            }
+            else if ("secretName" in parameter) {
+                this.secretParameters.push({
+                    key: parameter.key,
+                    secret: secretsmanager.Secret.fromSecretNameV2(scope, `SecretRef${parameter.key}`, parameter.secretName),
+                });
+            }
+        }
+        const result = [];
+        this.configParameters.forEach((it) => {
+            const param = new ssm.StringParameter(scope, `Config${it.key}`, {
+                stringValue: it.value,
+                parameterName: `${this.ssmPrefix}/config/${it.key}`,
+            });
+            result.push(param);
+        });
+        this.secretParameters.forEach((it) => {
+            const param = new ssm.StringParameter(scope, `Secret${it.key}`, {
+                stringValue: it.secret.secretArn,
+                parameterName: `${this.ssmPrefix}/secrets/${it.key}`,
+            });
+            result.push(param);
+        });
+        this.secrets = this.secretParameters.map((it) => it.secret);
+        this.parameters = result;
+    }
+    grantRead(grantable) {
+        grantable.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+            effect: iam.Effect.ALLOW,
+            actions: ["ssm:GetParametersByPath"],
+            resources: [
+                `arn:aws:ssm:${cdk.Stack.of(grantable).region}:${cdk.Stack.of(grantable).account}:parameter${this.ssmPrefix}/*`,
+            ],
+        }));
+        for (const secret of this.secrets) {
+            secret.grantRead(grantable);
+        }
+    }
+    /**
+     * Produce a checksum-value that can be used as a kind of
+     * nonce to trigger redeployment on parameter changes.
+     *
+     * Note: If the parameter references a token no change will be visible,
+     * and a manual redeployment might be needed.
+     */
+    get hashValue() {
+        const hash = crypto.createHash("sha256");
+        if (this.configParameters) {
+            this.configParameters.forEach((it) => {
+                hash.update("|");
+                hash.update(it.key);
+                hash.update("|");
+                if (!cdk.Token.isUnresolved(it.value)) {
+                    hash.update(it.value);
+                }
+            });
+        }
+        if (this.secretParameters) {
+            this.secretParameters.forEach((it) => {
+                hash.update("|");
+                hash.update(it.key);
+                hash.update("|");
+                if (!cdk.Token.isUnresolved(it.secret.secretArn)) {
+                    hash.update(it.secret.secretArn);
+                }
+            });
+        }
+        return hash.digest("hex");
+    }
+}
+exports.ConfigureParameters = ConfigureParameters;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlndXJlLXBhcmFtZXRlcnMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY29uZmlndXJlLXBhcmFtZXRlcnMvY29uZmlndXJlLXBhcmFtZXRlcnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQ0EsMkNBQTBDO0FBQzFDLGlFQUFnRTtBQUNoRSwyQ0FBMEM7QUFDMUMsbUNBQWtDO0FBQ2xDLGlDQUFnQztBQWtEaEMsTUFBYSxtQkFBbUI7SUFROUIsWUFBWSxLQUEyQixFQUFFLEtBQStCO1FBQ3RFLElBQUksQ0FBQyxLQUFLLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3RFLE1BQU0sSUFBSSxLQUFLLENBQUMscURBQXFELENBQUMsQ0FBQTtRQUN4RSxDQUFDO1FBRUQsSUFBSSxDQUFDLFNBQVMsR0FBRyxLQUFLLENBQUMsU0FBUyxDQUFBO1FBRWhDLElBQUksQ0FBQyxnQkFBZ0IsR0FBRyxFQUFFLENBQUE7UUFDMUIsSUFBSSxDQUFDLGdCQUFnQixHQUFHLEVBQUUsQ0FBQTtRQUUxQixLQUFLLE1BQU0sU0FBUyxJQUFJLEtBQUssQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUN6QyxJQUFJLE9BQU8sSUFBSSxTQUFTLEVBQUUsQ0FBQztnQkFDekIsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQTtZQUN2QyxDQUFDO2lCQUFNLElBQUksUUFBUSxJQUFJLFNBQVMsRUFBRSxDQUFDO2dCQUNqQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFBO1lBQ3ZDLENBQUM7aUJBQU0sSUFBSSxZQUFZLElBQUksU0FBUyxFQUFFLENBQUM7Z0JBQ3JDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUM7b0JBQ3pCLEdBQUcsRUFBRSxTQUFTLENBQUMsR0FBRztvQkFDbEIsTUFBTSxFQUFFLGNBQWMsQ0FBQyxNQUFNLENBQUMsZ0JBQWdCLENBQzVDLEtBQUssRUFDTCxZQUFZLFNBQVMsQ0FBQyxHQUFHLEVBQUUsRUFDM0IsU0FBUyxDQUFDLFVBQVUsQ0FDckI7aUJBQ0YsQ0FBQyxDQUFBO1lBQ0osQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLE1BQU0sR0FBcUIsRUFBRSxDQUFBO1FBRW5DLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQyxFQUFFLEVBQUUsRUFBRTtZQUNuQyxNQUFNLEtBQUssR0FBRyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFO2dCQUM5RCxXQUFXLEVBQUUsRUFBRSxDQUFDLEtBQUs7Z0JBQ3JCLGFBQWEsRUFBRSxHQUFHLElBQUksQ0FBQyxTQUFTLFdBQVcsRUFBRSxDQUFDLEdBQUcsRUFBRTthQUNwRCxDQUFDLENBQUE7WUFDRixNQUFNLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFBO1FBQ3BCLENBQUMsQ0FBQyxDQUFBO1FBRUYsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFDLEVBQUUsRUFBRSxFQUFFO1lBQ25DLE1BQU0sS0FBSyxHQUFHLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQyxLQUFLLEVBQUUsU0FBUyxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUU7Z0JBQzlELFdBQVcsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLFNBQVM7Z0JBQ2hDLGFBQWEsRUFBRSxHQUFHLElBQUksQ0FBQyxTQUFTLFlBQVksRUFBRSxDQUFDLEdBQUcsRUFBRTthQUNyRCxDQUFDLENBQUE7WUFDRixNQUFNLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFBO1FBQ3BCLENBQUMsQ0FBQyxDQUFBO1FBRUYsSUFBSSxDQUFDLE9BQU8sR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsQ0FBQyxFQUFFLENBQUMsTUFBTSxDQUFDLENBQUE7UUFFM0QsSUFBSSxDQUFDLFVBQVUsR0FBRyxNQUFNLENBQUE7SUFDMUIsQ0FBQztJQUVELFNBQVMsQ0FBQyxTQUFpRDtRQUN6RCxTQUFTLENBQUMsY0FBYyxDQUFDLG9CQUFvQixDQUMzQyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDdEIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSztZQUN4QixPQUFPLEVBQUUsQ0FBQyx5QkFBeUIsQ0FBQztZQUNwQyxTQUFTLEVBQUU7Z0JBQ1QsZUFBZSxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxTQUFTLENBQUMsQ0FBQyxNQUFNLElBQzNDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLFNBQVMsQ0FBQyxDQUFDLE9BQzFCLGFBQWEsSUFBSSxDQUFDLFNBQVMsSUFBSTthQUNoQztTQUNGLENBQUMsQ0FDSCxDQUFBO1FBRUQsS0FBSyxNQUFNLE1BQU0sSUFBSSxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDbEMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsQ0FBQTtRQUM3QixDQUFDO0lBQ0gsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILElBQUksU0FBUztRQUNYLE1BQU0sSUFBSSxHQUFHLE1BQU0sQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUE7UUFFeEMsSUFBSSxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMxQixJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUU7Z0JBQ25DLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUE7Z0JBQ2hCLElBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFBO2dCQUNuQixJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFBO2dCQUVoQixJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7b0JBQ3RDLElBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFBO2dCQUN2QixDQUFDO1lBQ0gsQ0FBQyxDQUFDLENBQUE7UUFDSixDQUFDO1FBRUQsSUFBSSxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUMxQixJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUU7Z0JBQ25DLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUE7Z0JBQ2hCLElBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFBO2dCQUNuQixJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFBO2dCQUVoQixJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDO29CQUNqRCxJQUFJLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUE7Z0JBQ2xDLENBQUM7WUFDSCxDQUFDLENBQUMsQ0FBQTtRQUNKLENBQUM7UUFFRCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUE7SUFDM0IsQ0FBQztDQUNGO0FBaEhELGtEQWdIQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSBcImNvbnN0cnVjdHNcIlxuaW1wb3J0ICogYXMgaWFtIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCJcbmltcG9ydCAqIGFzIHNlY3JldHNtYW5hZ2VyIGZyb20gXCJhd3MtY2RrLWxpYi9hd3Mtc2VjcmV0c21hbmFnZXJcIlxuaW1wb3J0ICogYXMgc3NtIGZyb20gXCJhd3MtY2RrLWxpYi9hd3Mtc3NtXCJcbmltcG9ydCAqIGFzIGNkayBmcm9tIFwiYXdzLWNkay1saWJcIlxuaW1wb3J0ICogYXMgY3J5cHRvIGZyb20gXCJjcnlwdG9cIlxuXG4vKipcbiAqIEEgcGxhaW4gdGV4dCBhcHBsaWNhdGlvbiBwYXJhbWV0ZXIgdGhhdCB3aWxsIGJlIHN0b3JlZFxuICogaW4gQVdTIFBhcmFtZXRlciBTdG9yZS4gT25seSB1c2VkIGZvciBub24tc2Vuc2l0aXZlIHZhbHVlcyxcbiAqIHR5cGljYWxseSB0aG9zZSBjb21taXRlZCBkaXJlY3RseSBpbiB0aGUgSWFDIGNvZGUuXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgUGxhaW5UZXh0UGFyYW1ldGVyIHtcbiAga2V5OiBzdHJpbmdcbiAgdmFsdWU6IHN0cmluZ1xufVxuXG4vKipcbiAqIEFuIEFXUyBTZWNyZXQgdGhhdCBzaG91bGQgaG9sZCBhIEpTT04gb2JqZWN0LlxuICpcbiAqIFRoaXMgd2lsbCBwcm92aWRlIGEgc2VjcmV0IHRoYXQgbGlmbGlnLXByb3BlcnRpZXMgY2FuIHJlYWQuIFRoZSBmaW5hbFxuICogcGFyYW1ldGVyIHNlZW4gYnkgdGhlIGFwcGxpY2F0aW9uIHdpbGwgYmUgdGhlIGtleSBnaXZlbiBoZXJlIGFuZCB0aGVcbiAqIGtleXMgZnJvbSB0aGUgc2VjcmV0IEpTT04gb2JqZWN0IGFwcGVuZGVkLlxuICovXG5leHBvcnQgaW50ZXJmYWNlIFNlY3JldFBhcmFtZXRlciB7XG4gIGtleTogc3RyaW5nXG4gIHNlY3JldDogc2VjcmV0c21hbmFnZXIuSVNlY3JldFxufVxuXG4vKipcbiAqIEFuIEFXUyBTZWNyZXQgdGhhdCBzaG91bGQgaG9sZCBhIEpTT04gb2JqZWN0LlxuICpcbiAqIFRoaXMgd2lsbCBwcm92aWRlIGEgc2VjcmV0IHRoYXQgbGlmbGlnLXByb3BlcnRpZXMgY2FuIHJlYWQuIFRoZSBmaW5hbFxuICogcGFyYW1ldGVyIHNlZW4gYnkgdGhlIGFwcGxpY2F0aW9uIHdpbGwgYmUgdGhlIGtleSBnaXZlbiBoZXJlIGFuZCB0aGVcbiAqIGtleXMgZnJvbSB0aGUgc2VjcmV0IEpTT04gb2JqZWN0IGFwcGVuZGVkLlxuICovXG5leHBvcnQgaW50ZXJmYWNlIFNlY3JldEJ5TmFtZVBhcmFtZXRlciB7XG4gIGtleTogc3RyaW5nXG4gIHNlY3JldE5hbWU6IHN0cmluZ1xufVxuXG5leHBvcnQgdHlwZSBQYXJhbWV0ZXIgPVxuICB8IFBsYWluVGV4dFBhcmFtZXRlclxuICB8IFNlY3JldFBhcmFtZXRlclxuICB8IFNlY3JldEJ5TmFtZVBhcmFtZXRlclxuXG5leHBvcnQgaW50ZXJmYWNlIENvbmZpZ3VyZVBhcmFtZXRlcnNQcm9wcyB7XG4gIC8qKlxuICAgKiBQcmVmaXggdXNlZCBmb3IgcGFyYW1ldGVyIG5hbWVzLlxuICAgKiBTaG91bGQgc3RhcnQgd2l0aCAnLycgYW5kIGVuZCB3aXRob3V0ICcvJy5cbiAgICovXG4gIHNzbVByZWZpeDogc3RyaW5nXG4gIHBhcmFtZXRlcnM6IFBhcmFtZXRlcltdXG59XG5cbmV4cG9ydCBjbGFzcyBDb25maWd1cmVQYXJhbWV0ZXJzIHtcbiAgcHVibGljIHBhcmFtZXRlcnM6IHNzbS5JUGFyYW1ldGVyW11cbiAgcHVibGljIHNzbVByZWZpeDogc3RyaW5nXG4gIHByaXZhdGUgc2VjcmV0czogc2VjcmV0c21hbmFnZXIuSVNlY3JldFtdXG5cbiAgcHJpdmF0ZSBjb25maWdQYXJhbWV0ZXJzOiBQbGFpblRleHRQYXJhbWV0ZXJbXVxuICBwcml2YXRlIHNlY3JldFBhcmFtZXRlcnM6IFNlY3JldFBhcmFtZXRlcltdXG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IGNvbnN0cnVjdHMuQ29uc3RydWN0LCBwcm9wczogQ29uZmlndXJlUGFyYW1ldGVyc1Byb3BzKSB7XG4gICAgaWYgKCFwcm9wcy5zc21QcmVmaXguc3RhcnRzV2l0aChcIi9cIikgfHwgcHJvcHMuc3NtUHJlZml4LmVuZHNXaXRoKFwiL1wiKSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKFwic3NtUHJlZml4IHNob3VsZCBzdGFydCB3aXRoICcvJyBhbmQgZW5kIHdpdGhvdXQgJy8nXCIpXG4gICAgfVxuXG4gICAgdGhpcy5zc21QcmVmaXggPSBwcm9wcy5zc21QcmVmaXhcblxuICAgIHRoaXMuY29uZmlnUGFyYW1ldGVycyA9IFtdXG4gICAgdGhpcy5zZWNyZXRQYXJhbWV0ZXJzID0gW11cblxuICAgIGZvciAoY29uc3QgcGFyYW1ldGVyIG9mIHByb3BzLnBhcmFtZXRlcnMpIHtcbiAgICAgIGlmIChcInZhbHVlXCIgaW4gcGFyYW1ldGVyKSB7XG4gICAgICAgIHRoaXMuY29uZmlnUGFyYW1ldGVycy5wdXNoKHBhcmFtZXRlcilcbiAgICAgIH0gZWxzZSBpZiAoXCJzZWNyZXRcIiBpbiBwYXJhbWV0ZXIpIHtcbiAgICAgICAgdGhpcy5zZWNyZXRQYXJhbWV0ZXJzLnB1c2gocGFyYW1ldGVyKVxuICAgICAgfSBlbHNlIGlmIChcInNlY3JldE5hbWVcIiBpbiBwYXJhbWV0ZXIpIHtcbiAgICAgICAgdGhpcy5zZWNyZXRQYXJhbWV0ZXJzLnB1c2goe1xuICAgICAgICAgIGtleTogcGFyYW1ldGVyLmtleSxcbiAgICAgICAgICBzZWNyZXQ6IHNlY3JldHNtYW5hZ2VyLlNlY3JldC5mcm9tU2VjcmV0TmFtZVYyKFxuICAgICAgICAgICAgc2NvcGUsXG4gICAgICAgICAgICBgU2VjcmV0UmVmJHtwYXJhbWV0ZXIua2V5fWAsXG4gICAgICAgICAgICBwYXJhbWV0ZXIuc2VjcmV0TmFtZSxcbiAgICAgICAgICApLFxuICAgICAgICB9KVxuICAgICAgfVxuICAgIH1cblxuICAgIGNvbnN0IHJlc3VsdDogc3NtLklQYXJhbWV0ZXJbXSA9IFtdXG5cbiAgICB0aGlzLmNvbmZpZ1BhcmFtZXRlcnMuZm9yRWFjaCgoaXQpID0+IHtcbiAgICAgIGNvbnN0IHBhcmFtID0gbmV3IHNzbS5TdHJpbmdQYXJhbWV0ZXIoc2NvcGUsIGBDb25maWcke2l0LmtleX1gLCB7XG4gICAgICAgIHN0cmluZ1ZhbHVlOiBpdC52YWx1ZSxcbiAgICAgICAgcGFyYW1ldGVyTmFtZTogYCR7dGhpcy5zc21QcmVmaXh9L2NvbmZpZy8ke2l0LmtleX1gLFxuICAgICAgfSlcbiAgICAgIHJlc3VsdC5wdXNoKHBhcmFtKVxuICAgIH0pXG5cbiAgICB0aGlzLnNlY3JldFBhcmFtZXRlcnMuZm9yRWFjaCgoaXQpID0+IHtcbiAgICAgIGNvbnN0IHBhcmFtID0gbmV3IHNzbS5TdHJpbmdQYXJhbWV0ZXIoc2NvcGUsIGBTZWNyZXQke2l0LmtleX1gLCB7XG4gICAgICAgIHN0cmluZ1ZhbHVlOiBpdC5zZWNyZXQuc2VjcmV0QXJuLFxuICAgICAgICBwYXJhbWV0ZXJOYW1lOiBgJHt0aGlzLnNzbVByZWZpeH0vc2VjcmV0cy8ke2l0LmtleX1gLFxuICAgICAgfSlcbiAgICAgIHJlc3VsdC5wdXNoKHBhcmFtKVxuICAgIH0pXG5cbiAgICB0aGlzLnNlY3JldHMgPSB0aGlzLnNlY3JldFBhcmFtZXRlcnMubWFwKChpdCkgPT4gaXQuc2VjcmV0KVxuXG4gICAgdGhpcy5wYXJhbWV0ZXJzID0gcmVzdWx0XG4gIH1cblxuICBncmFudFJlYWQoZ3JhbnRhYmxlOiBpYW0uSUdyYW50YWJsZSAmIGNvbnN0cnVjdHMuSUNvbnN0cnVjdCk6IHZvaWQge1xuICAgIGdyYW50YWJsZS5ncmFudFByaW5jaXBhbC5hZGRUb1ByaW5jaXBhbFBvbGljeShcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXCJzc206R2V0UGFyYW1ldGVyc0J5UGF0aFwiXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXG4gICAgICAgICAgYGFybjphd3M6c3NtOiR7Y2RrLlN0YWNrLm9mKGdyYW50YWJsZSkucmVnaW9ufToke1xuICAgICAgICAgICAgY2RrLlN0YWNrLm9mKGdyYW50YWJsZSkuYWNjb3VudFxuICAgICAgICAgIH06cGFyYW1ldGVyJHt0aGlzLnNzbVByZWZpeH0vKmAsXG4gICAgICAgIF0sXG4gICAgICB9KSxcbiAgICApXG5cbiAgICBmb3IgKGNvbnN0IHNlY3JldCBvZiB0aGlzLnNlY3JldHMpIHtcbiAgICAgIHNlY3JldC5ncmFudFJlYWQoZ3JhbnRhYmxlKVxuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBQcm9kdWNlIGEgY2hlY2tzdW0tdmFsdWUgdGhhdCBjYW4gYmUgdXNlZCBhcyBhIGtpbmQgb2ZcbiAgICogbm9uY2UgdG8gdHJpZ2dlciByZWRlcGxveW1lbnQgb24gcGFyYW1ldGVyIGNoYW5nZXMuXG4gICAqXG4gICAqIE5vdGU6IElmIHRoZSBwYXJhbWV0ZXIgcmVmZXJlbmNlcyBhIHRva2VuIG5vIGNoYW5nZSB3aWxsIGJlIHZpc2libGUsXG4gICAqIGFuZCBhIG1hbnVhbCByZWRlcGxveW1lbnQgbWlnaHQgYmUgbmVlZGVkLlxuICAgKi9cbiAgZ2V0IGhhc2hWYWx1ZSgpOiBzdHJpbmcge1xuICAgIGNvbnN0IGhhc2ggPSBjcnlwdG8uY3JlYXRlSGFzaChcInNoYTI1NlwiKVxuXG4gICAgaWYgKHRoaXMuY29uZmlnUGFyYW1ldGVycykge1xuICAgICAgdGhpcy5jb25maWdQYXJhbWV0ZXJzLmZvckVhY2goKGl0KSA9PiB7XG4gICAgICAgIGhhc2gudXBkYXRlKFwifFwiKVxuICAgICAgICBoYXNoLnVwZGF0ZShpdC5rZXkpXG4gICAgICAgIGhhc2gudXBkYXRlKFwifFwiKVxuXG4gICAgICAgIGlmICghY2RrLlRva2VuLmlzVW5yZXNvbHZlZChpdC52YWx1ZSkpIHtcbiAgICAgICAgICBoYXNoLnVwZGF0ZShpdC52YWx1ZSlcbiAgICAgICAgfVxuICAgICAgfSlcbiAgICB9XG5cbiAgICBpZiAodGhpcy5zZWNyZXRQYXJhbWV0ZXJzKSB7XG4gICAgICB0aGlzLnNlY3JldFBhcmFtZXRlcnMuZm9yRWFjaCgoaXQpID0+IHtcbiAgICAgICAgaGFzaC51cGRhdGUoXCJ8XCIpXG4gICAgICAgIGhhc2gudXBkYXRlKGl0LmtleSlcbiAgICAgICAgaGFzaC51cGRhdGUoXCJ8XCIpXG5cbiAgICAgICAgaWYgKCFjZGsuVG9rZW4uaXNVbnJlc29sdmVkKGl0LnNlY3JldC5zZWNyZXRBcm4pKSB7XG4gICAgICAgICAgaGFzaC51cGRhdGUoaXQuc2VjcmV0LnNlY3JldEFybilcbiAgICAgICAgfVxuICAgICAgfSlcbiAgICB9XG5cbiAgICByZXR1cm4gaGFzaC5kaWdlc3QoXCJoZXhcIilcbiAgfVxufVxuIl19

package/lib/configure-parameters/index.d.ts

@@ -0,0 +1 @@
+export { ConfigureParameters, ConfigureParametersProps, PlainTextParameter, SecretParameter, SecretByNameParameter, Parameter, } from "./configure-parameters";

package/lib/configure-parameters/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigureParameters = void 0;
+var configure_parameters_1 = require("./configure-parameters");
+Object.defineProperty(exports, "ConfigureParameters", { enumerable: true, get: function () { return configure_parameters_1.ConfigureParameters; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY29uZmlndXJlLXBhcmFtZXRlcnMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsK0RBTytCO0FBTjdCLDJIQUFBLG1CQUFtQixPQUFBIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IHtcbiAgQ29uZmlndXJlUGFyYW1ldGVycyxcbiAgQ29uZmlndXJlUGFyYW1ldGVyc1Byb3BzLFxuICBQbGFpblRleHRQYXJhbWV0ZXIsXG4gIFNlY3JldFBhcmFtZXRlcixcbiAgU2VjcmV0QnlOYW1lUGFyYW1ldGVyLFxuICBQYXJhbWV0ZXIsXG59IGZyb20gXCIuL2NvbmZpZ3VyZS1wYXJhbWV0ZXJzXCJcbiJdfQ==

package/lib/cross-region-ssm-parameter.d.ts

@@ -0,0 +1,13 @@
+import * as constructs from "constructs";
+interface Props {
+    region: string;
+    name: string;
+    value: string;
+}
+/**
+ * SSM Parameter stored in another region.
+ */
+export declare class CrossRegionSsmParameter extends constructs.Construct {
+    constructor(scope: constructs.Construct, id: string, props: Props);
+}
+export {};

package/lib/cross-region-ssm-parameter.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrossRegionSsmParameter = void 0;
+const constructs = require("constructs");
+const cr = require("aws-cdk-lib/custom-resources");
+/**
+ * SSM Parameter stored in another region.
+ */
+class CrossRegionSsmParameter extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const physicalResourceId = cr.PhysicalResourceId.of(props.name);
+        // TODO: Can we somehow propagate tags as well?
+        new cr.AwsCustomResource(this, "Resoure", {
+            onUpdate: {
+                service: "SSM",
+                action: "putParameter",
+                parameters: {
+                    Name: props.name,
+                    Value: props.value,
+                    Type: "String",
+                    Overwrite: true,
+                },
+                region: props.region,
+                physicalResourceId,
+            },
+            onDelete: {
+                service: "SSM",
+                action: "deleteParameter",
+                parameters: {
+                    Name: props.name,
+                },
+                region: props.region,
+                physicalResourceId,
+            },
+            policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
+                // We grant the Custom Resource access to write to any
+                // parameter, as this is needed to be able to rename
+                // a parameter later.
+                resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
+            }),
+        });
+    }
+}
+exports.CrossRegionSsmParameter = CrossRegionSsmParameter;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY3Jvc3MtcmVnaW9uLXNzbS1wYXJhbWV0ZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvY3Jvc3MtcmVnaW9uLXNzbS1wYXJhbWV0ZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEseUNBQXdDO0FBQ3hDLG1EQUFrRDtBQVFsRDs7R0FFRztBQUNILE1BQWEsdUJBQXdCLFNBQVEsVUFBVSxDQUFDLFNBQVM7SUFDL0QsWUFBWSxLQUEyQixFQUFFLEVBQVUsRUFBRSxLQUFZO1FBQy9ELEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUE7UUFFaEIsTUFBTSxrQkFBa0IsR0FBRyxFQUFFLENBQUMsa0JBQWtCLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsQ0FBQTtRQUUvRCwrQ0FBK0M7UUFDL0MsSUFBSSxFQUFFLENBQUMsaUJBQWlCLENBQUMsSUFBSSxFQUFFLFNBQVMsRUFBRTtZQUN4QyxRQUFRLEVBQUU7Z0JBQ1IsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsTUFBTSxFQUFFLGNBQWM7Z0JBQ3RCLFVBQVUsRUFBRTtvQkFDVixJQUFJLEVBQUUsS0FBSyxDQUFDLElBQUk7b0JBQ2hCLEtBQUssRUFBRSxLQUFLLENBQUMsS0FBSztvQkFDbEIsSUFBSSxFQUFFLFFBQVE7b0JBQ2QsU0FBUyxFQUFFLElBQUk7aUJBQ2hCO2dCQUNELE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTTtnQkFDcEIsa0JBQWtCO2FBQ25CO1lBQ0QsUUFBUSxFQUFFO2dCQUNSLE9BQU8sRUFBRSxLQUFLO2dCQUNkLE1BQU0sRUFBRSxpQkFBaUI7Z0JBQ3pCLFVBQVUsRUFBRTtvQkFDVixJQUFJLEVBQUUsS0FBSyxDQUFDLElBQUk7aUJBQ2pCO2dCQUNELE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTTtnQkFDcEIsa0JBQWtCO2FBQ25CO1lBQ0QsTUFBTSxFQUFFLEVBQUUsQ0FBQyx1QkFBdUIsQ0FBQyxZQUFZLENBQUM7Z0JBQzlDLHNEQUFzRDtnQkFDdEQsb0RBQW9EO2dCQUNwRCxxQkFBcUI7Z0JBQ3JCLFNBQVMsRUFBRSxFQUFFLENBQUMsdUJBQXVCLENBQUMsWUFBWTthQUNuRCxDQUFDO1NBQ0gsQ0FBQyxDQUFBO0lBQ0osQ0FBQztDQUNGO0FBckNELDBEQXFDQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSBcImNvbnN0cnVjdHNcIlxuaW1wb3J0ICogYXMgY3IgZnJvbSBcImF3cy1jZGstbGliL2N1c3RvbS1yZXNvdXJjZXNcIlxuXG5pbnRlcmZhY2UgUHJvcHMge1xuICByZWdpb246IHN0cmluZ1xuICBuYW1lOiBzdHJpbmdcbiAgdmFsdWU6IHN0cmluZ1xufVxuXG4vKipcbiAqIFNTTSBQYXJhbWV0ZXIgc3RvcmVkIGluIGFub3RoZXIgcmVnaW9uLlxuICovXG5leHBvcnQgY2xhc3MgQ3Jvc3NSZWdpb25Tc21QYXJhbWV0ZXIgZXh0ZW5kcyBjb25zdHJ1Y3RzLkNvbnN0cnVjdCB7XG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IFByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKVxuXG4gICAgY29uc3QgcGh5c2ljYWxSZXNvdXJjZUlkID0gY3IuUGh5c2ljYWxSZXNvdXJjZUlkLm9mKHByb3BzLm5hbWUpXG5cbiAgICAvLyBUT0RPOiBDYW4gd2Ugc29tZWhvdyBwcm9wYWdhdGUgdGFncyBhcyB3ZWxsP1xuICAgIG5ldyBjci5Bd3NDdXN0b21SZXNvdXJjZSh0aGlzLCBcIlJlc291cmVcIiwge1xuICAgICAgb25VcGRhdGU6IHtcbiAgICAgICAgc2VydmljZTogXCJTU01cIixcbiAgICAgICAgYWN0aW9uOiBcInB1dFBhcmFtZXRlclwiLFxuICAgICAgICBwYXJhbWV0ZXJzOiB7XG4gICAgICAgICAgTmFtZTogcHJvcHMubmFtZSxcbiAgICAgICAgICBWYWx1ZTogcHJvcHMudmFsdWUsXG4gICAgICAgICAgVHlwZTogXCJTdHJpbmdcIixcbiAgICAgICAgICBPdmVyd3JpdGU6IHRydWUsXG4gICAgICAgIH0sXG4gICAgICAgIHJlZ2lvbjogcHJvcHMucmVnaW9uLFxuICAgICAgICBwaHlzaWNhbFJlc291cmNlSWQsXG4gICAgICB9LFxuICAgICAgb25EZWxldGU6IHtcbiAgICAgICAgc2VydmljZTogXCJTU01cIixcbiAgICAgICAgYWN0aW9uOiBcImRlbGV0ZVBhcmFtZXRlclwiLFxuICAgICAgICBwYXJhbWV0ZXJzOiB7XG4gICAgICAgICAgTmFtZTogcHJvcHMubmFtZSxcbiAgICAgICAgfSxcbiAgICAgICAgcmVnaW9uOiBwcm9wcy5yZWdpb24sXG4gICAgICAgIHBoeXNpY2FsUmVzb3VyY2VJZCxcbiAgICAgIH0sXG4gICAgICBwb2xpY3k6IGNyLkF3c0N1c3RvbVJlc291cmNlUG9saWN5LmZyb21TZGtDYWxscyh7XG4gICAgICAgIC8vIFdlIGdyYW50IHRoZSBDdXN0b20gUmVzb3VyY2UgYWNjZXNzIHRvIHdyaXRlIHRvIGFueVxuICAgICAgICAvLyBwYXJhbWV0ZXIsIGFzIHRoaXMgaXMgbmVlZGVkIHRvIGJlIGFibGUgdG8gcmVuYW1lXG4gICAgICAgIC8vIGEgcGFyYW1ldGVyIGxhdGVyLlxuICAgICAgICByZXNvdXJjZXM6IGNyLkF3c0N1c3RvbVJlc291cmNlUG9saWN5LkFOWV9SRVNPVVJDRSxcbiAgICAgIH0pLFxuICAgIH0pXG4gIH1cbn1cbiJdfQ==

package/lib/ecs/cluster.d.ts

@@ -0,0 +1,25 @@
+import * as constructs from "constructs";
+import * as cloudwatch from "aws-cdk-lib/aws-cloudwatch";
+import * as ec2 from "aws-cdk-lib/aws-ec2";
+import * as ecs from "aws-cdk-lib/aws-ecs";
+import * as logs from "aws-cdk-lib/aws-logs";
+export interface ClusterProps {
+    /**
+     * @default will be generated
+     */
+    clusterName?: string;
+    vpc: ec2.IVpc;
+    /**
+     * @default no alarms will be set up
+     */
+    alarmAction?: cloudwatch.IAlarmAction;
+}
+export declare class Cluster extends constructs.Construct {
+    readonly cluster: ecs.Cluster;
+    readonly clusterEventLogs: logs.LogGroup;
+    constructor(scope: constructs.Construct, id: string, props: ClusterProps);
+    /**
+     * Monitor high number of restarts which typically signal a failing task.
+     */
+    private addRestartFrequencyAlarm;
+}

package/lib/ecs/cluster.js

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Cluster = void 0;
+const constructs = require("constructs");
+const cloudwatch = require("aws-cdk-lib/aws-cloudwatch");
+const ecs = require("aws-cdk-lib/aws-ecs");
+const events = require("aws-cdk-lib/aws-events");
+const targets = require("aws-cdk-lib/aws-events-targets");
+const logs = require("aws-cdk-lib/aws-logs");
+const cdk = require("aws-cdk-lib");
+class Cluster extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.cluster = new ecs.Cluster(this, "Resource", {
+            clusterName: props.clusterName,
+            vpc: props.vpc,
+            executeCommandConfiguration: {
+                // The default would log to the same awslogs setup as
+                // the tasks, which would produce different types of
+                // outputs in the same log group.
+                // We have not set up specific logging for this.
+                logging: ecs.ExecuteCommandLogging.NONE,
+            },
+        });
+        // The details in ECS console is available only for short time,
+        // so we store it to S3 to improve insight.
+        this.clusterEventLogs = new logs.LogGroup(this, "EventLogs", {
+            retention: logs.RetentionDays.ONE_MONTH,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
+        new events.Rule(this, "StateRule", {
+            eventPattern: {
+                source: ["aws.ecs"],
+                detail: {
+                    clusterArn: [this.cluster.clusterArn],
+                },
+            },
+            targets: [new targets.CloudWatchLogGroup(this.clusterEventLogs)],
+        });
+        if (props.alarmAction) {
+            this.addRestartFrequencyAlarm(props.alarmAction);
+        }
+    }
+    /**
+     * Monitor high number of restarts which typically signal a failing task.
+     */
+    addRestartFrequencyAlarm(action) {
+        const errorMetricFilter = this.clusterEventLogs.addMetricFilter("ProvisioningErrorMetricFilter", {
+            filterPattern: logs.FilterPattern.all(logs.FilterPattern.stringValue("$.detail-type", "=", "ECS Task State Change"), logs.FilterPattern.stringValue("$.detail.lastStatus", "=", "PROVISIONING")),
+            metricName: "Provisioning",
+            metricNamespace: `ECS/Cluster/${this.cluster.clusterName}`,
+        });
+        const alarm = errorMetricFilter
+            .metric()
+            .with({
+            statistic: "Sum",
+            period: cdk.Duration.minutes(10),
+        })
+            .createAlarm(this, "RestartFrequencyAlarm", {
+            alarmDescription: `Tasks in ${this.cluster.clusterName} is frequently provisioning`,
+            evaluationPeriods: 1,
+            threshold: 25,
+            treatMissingData: cloudwatch.TreatMissingData.NOT_BREACHING,
+        });
+        alarm.addAlarmAction(action);
+        alarm.addOkAction(action);
+    }
+}
+exports.Cluster = Cluster;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2x1c3Rlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9lY3MvY2x1c3Rlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSx5Q0FBd0M7QUFDeEMseURBQXdEO0FBRXhELDJDQUEwQztBQUMxQyxpREFBZ0Q7QUFDaEQsMERBQXlEO0FBQ3pELDZDQUE0QztBQUM1QyxtQ0FBa0M7QUFjbEMsTUFBYSxPQUFRLFNBQVEsVUFBVSxDQUFDLFNBQVM7SUFJL0MsWUFBWSxLQUEyQixFQUFFLEVBQVUsRUFBRSxLQUFtQjtRQUN0RSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFBO1FBRWhCLElBQUksQ0FBQyxPQUFPLEdBQUcsSUFBSSxHQUFHLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7WUFDL0MsV0FBVyxFQUFFLEtBQUssQ0FBQyxXQUFXO1lBQzlCLEdBQUcsRUFBRSxLQUFLLENBQUMsR0FBRztZQUNkLDJCQUEyQixFQUFFO2dCQUMzQixxREFBcUQ7Z0JBQ3JELG9EQUFvRDtnQkFDcEQsaUNBQWlDO2dCQUNqQyxnREFBZ0Q7Z0JBQ2hELE9BQU8sRUFBRSxHQUFHLENBQUMscUJBQXFCLENBQUMsSUFBSTthQUN4QztTQUNGLENBQUMsQ0FBQTtRQUVGLCtEQUErRDtRQUMvRCwyQ0FBMkM7UUFDM0MsSUFBSSxDQUFDLGdCQUFnQixHQUFHLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsV0FBVyxFQUFFO1lBQzNELFNBQVMsRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDLFNBQVM7WUFDdkMsYUFBYSxFQUFFLEdBQUcsQ0FBQyxhQUFhLENBQUMsT0FBTztTQUN6QyxDQUFDLENBQUE7UUFFRixJQUFJLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRTtZQUNqQyxZQUFZLEVBQUU7Z0JBQ1osTUFBTSxFQUFFLENBQUMsU0FBUyxDQUFDO2dCQUNuQixNQUFNLEVBQUU7b0JBQ04sVUFBVSxFQUFFLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUM7aUJBQ3RDO2FBQ0Y7WUFDRCxPQUFPLEVBQUUsQ0FBQyxJQUFJLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztTQUNqRSxDQUFDLENBQUE7UUFFRixJQUFJLEtBQUssQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUN0QixJQUFJLENBQUMsd0JBQXdCLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBQyxDQUFBO1FBQ2xELENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyx3QkFBd0IsQ0FBQyxNQUErQjtRQUM5RCxNQUFNLGlCQUFpQixHQUFHLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxlQUFlLENBQzdELCtCQUErQixFQUMvQjtZQUNFLGFBQWEsRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDLEdBQUcsQ0FDbkMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxXQUFXLENBQzVCLGVBQWUsRUFDZixHQUFHLEVBQ0gsdUJBQXVCLENBQ3hCLEVBQ0QsSUFBSSxDQUFDLGFBQWEsQ0FBQyxXQUFXLENBQzVCLHFCQUFxQixFQUNyQixHQUFHLEVBQ0gsY0FBYyxDQUNmLENBQ0Y7WUFDRCxVQUFVLEVBQUUsY0FBYztZQUMxQixlQUFlLEVBQUUsZUFBZSxJQUFJLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRTtTQUMzRCxDQUNGLENBQUE7UUFFRCxNQUFNLEtBQUssR0FBRyxpQkFBaUI7YUFDNUIsTUFBTSxFQUFFO2FBQ1IsSUFBSSxDQUFDO1lBQ0osU0FBUyxFQUFFLEtBQUs7WUFDaEIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztTQUNqQyxDQUFDO2FBQ0QsV0FBVyxDQUFDLElBQUksRUFBRSx1QkFBdUIsRUFBRTtZQUMxQyxnQkFBZ0IsRUFBRSxZQUFZLElBQUksQ0FBQyxPQUFPLENBQUMsV0FBVyw2QkFBNkI7WUFDbkYsaUJBQWlCLEVBQUUsQ0FBQztZQUNwQixTQUFTLEVBQUUsRUFBRTtZQUNiLGdCQUFnQixFQUFFLFVBQVUsQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhO1NBQzVELENBQUMsQ0FBQTtRQUVKLEtBQUssQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUE7UUFDNUIsS0FBSyxDQUFDLFdBQVcsQ0FBQyxNQUFNLENBQUMsQ0FBQTtJQUMzQixDQUFDO0NBQ0Y7QUFqRkQsMEJBaUZDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgY29uc3RydWN0cyBmcm9tIFwiY29uc3RydWN0c1wiXG5pbXBvcnQgKiBhcyBjbG91ZHdhdGNoIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtY2xvdWR3YXRjaFwiXG5pbXBvcnQgKiBhcyBlYzIgZnJvbSBcImF3cy1jZGstbGliL2F3cy1lYzJcIlxuaW1wb3J0ICogYXMgZWNzIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZWNzXCJcbmltcG9ydCAqIGFzIGV2ZW50cyBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWV2ZW50c1wiXG5pbXBvcnQgKiBhcyB0YXJnZXRzIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZXZlbnRzLXRhcmdldHNcIlxuaW1wb3J0ICogYXMgbG9ncyBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxvZ3NcIlxuaW1wb3J0ICogYXMgY2RrIGZyb20gXCJhd3MtY2RrLWxpYlwiXG5cbmV4cG9ydCBpbnRlcmZhY2UgQ2x1c3RlclByb3BzIHtcbiAgLyoqXG4gICAqIEBkZWZhdWx0IHdpbGwgYmUgZ2VuZXJhdGVkXG4gICAqL1xuICBjbHVzdGVyTmFtZT86IHN0cmluZ1xuICB2cGM6IGVjMi5JVnBjXG4gIC8qKlxuICAgKiBAZGVmYXVsdCBubyBhbGFybXMgd2lsbCBiZSBzZXQgdXBcbiAgICovXG4gIGFsYXJtQWN0aW9uPzogY2xvdWR3YXRjaC5JQWxhcm1BY3Rpb25cbn1cblxuZXhwb3J0IGNsYXNzIENsdXN0ZXIgZXh0ZW5kcyBjb25zdHJ1Y3RzLkNvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSBjbHVzdGVyOiBlY3MuQ2x1c3RlclxuICBwdWJsaWMgcmVhZG9ubHkgY2x1c3RlckV2ZW50TG9nczogbG9ncy5Mb2dHcm91cFxuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IENsdXN0ZXJQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIHRoaXMuY2x1c3RlciA9IG5ldyBlY3MuQ2x1c3Rlcih0aGlzLCBcIlJlc291cmNlXCIsIHtcbiAgICAgIGNsdXN0ZXJOYW1lOiBwcm9wcy5jbHVzdGVyTmFtZSxcbiAgICAgIHZwYzogcHJvcHMudnBjLFxuICAgICAgZXhlY3V0ZUNvbW1hbmRDb25maWd1cmF0aW9uOiB7XG4gICAgICAgIC8vIFRoZSBkZWZhdWx0IHdvdWxkIGxvZyB0byB0aGUgc2FtZSBhd3Nsb2dzIHNldHVwIGFzXG4gICAgICAgIC8vIHRoZSB0YXNrcywgd2hpY2ggd291bGQgcHJvZHVjZSBkaWZmZXJlbnQgdHlwZXMgb2ZcbiAgICAgICAgLy8gb3V0cHV0cyBpbiB0aGUgc2FtZSBsb2cgZ3JvdXAuXG4gICAgICAgIC8vIFdlIGhhdmUgbm90IHNldCB1cCBzcGVjaWZpYyBsb2dnaW5nIGZvciB0aGlzLlxuICAgICAgICBsb2dnaW5nOiBlY3MuRXhlY3V0ZUNvbW1hbmRMb2dnaW5nLk5PTkUsXG4gICAgICB9LFxuICAgIH0pXG5cbiAgICAvLyBUaGUgZGV0YWlscyBpbiBFQ1MgY29uc29sZSBpcyBhdmFpbGFibGUgb25seSBmb3Igc2hvcnQgdGltZSxcbiAgICAvLyBzbyB3ZSBzdG9yZSBpdCB0byBTMyB0byBpbXByb3ZlIGluc2lnaHQuXG4gICAgdGhpcy5jbHVzdGVyRXZlbnRMb2dzID0gbmV3IGxvZ3MuTG9nR3JvdXAodGhpcywgXCJFdmVudExvZ3NcIiwge1xuICAgICAgcmV0ZW50aW9uOiBsb2dzLlJldGVudGlvbkRheXMuT05FX01PTlRILFxuICAgICAgcmVtb3ZhbFBvbGljeTogY2RrLlJlbW92YWxQb2xpY3kuREVTVFJPWSxcbiAgICB9KVxuXG4gICAgbmV3IGV2ZW50cy5SdWxlKHRoaXMsIFwiU3RhdGVSdWxlXCIsIHtcbiAgICAgIGV2ZW50UGF0dGVybjoge1xuICAgICAgICBzb3VyY2U6IFtcImF3cy5lY3NcIl0sXG4gICAgICAgIGRldGFpbDoge1xuICAgICAgICAgIGNsdXN0ZXJBcm46IFt0aGlzLmNsdXN0ZXIuY2x1c3RlckFybl0sXG4gICAgICAgIH0sXG4gICAgICB9LFxuICAgICAgdGFyZ2V0czogW25ldyB0YXJnZXRzLkNsb3VkV2F0Y2hMb2dHcm91cCh0aGlzLmNsdXN0ZXJFdmVudExvZ3MpXSxcbiAgICB9KVxuXG4gICAgaWYgKHByb3BzLmFsYXJtQWN0aW9uKSB7XG4gICAgICB0aGlzLmFkZFJlc3RhcnRGcmVxdWVuY3lBbGFybShwcm9wcy5hbGFybUFjdGlvbilcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogTW9uaXRvciBoaWdoIG51bWJlciBvZiByZXN0YXJ0cyB3aGljaCB0eXBpY2FsbHkgc2lnbmFsIGEgZmFpbGluZyB0YXNrLlxuICAgKi9cbiAgcHJpdmF0ZSBhZGRSZXN0YXJ0RnJlcXVlbmN5QWxhcm0oYWN0aW9uOiBjbG91ZHdhdGNoLklBbGFybUFjdGlvbik6IHZvaWQge1xuICAgIGNvbnN0IGVycm9yTWV0cmljRmlsdGVyID0gdGhpcy5jbHVzdGVyRXZlbnRMb2dzLmFkZE1ldHJpY0ZpbHRlcihcbiAgICAgIFwiUHJvdmlzaW9uaW5nRXJyb3JNZXRyaWNGaWx0ZXJcIixcbiAgICAgIHtcbiAgICAgICAgZmlsdGVyUGF0dGVybjogbG9ncy5GaWx0ZXJQYXR0ZXJuLmFsbChcbiAgICAgICAgICBsb2dzLkZpbHRlclBhdHRlcm4uc3RyaW5nVmFsdWUoXG4gICAgICAgICAgICBcIiQuZGV0YWlsLXR5cGVcIixcbiAgICAgICAgICAgIFwiPVwiLFxuICAgICAgICAgICAgXCJFQ1MgVGFzayBTdGF0ZSBDaGFuZ2VcIixcbiAgICAgICAgICApLFxuICAgICAgICAgIGxvZ3MuRmlsdGVyUGF0dGVybi5zdHJpbmdWYWx1ZShcbiAgICAgICAgICAgIFwiJC5kZXRhaWwubGFzdFN0YXR1c1wiLFxuICAgICAgICAgICAgXCI9XCIsXG4gICAgICAgICAgICBcIlBST1ZJU0lPTklOR1wiLFxuICAgICAgICAgICksXG4gICAgICAgICksXG4gICAgICAgIG1ldHJpY05hbWU6IFwiUHJvdmlzaW9uaW5nXCIsXG4gICAgICAgIG1ldHJpY05hbWVzcGFjZTogYEVDUy9DbHVzdGVyLyR7dGhpcy5jbHVzdGVyLmNsdXN0ZXJOYW1lfWAsXG4gICAgICB9LFxuICAgIClcblxuICAgIGNvbnN0IGFsYXJtID0gZXJyb3JNZXRyaWNGaWx0ZXJcbiAgICAgIC5tZXRyaWMoKVxuICAgICAgLndpdGgoe1xuICAgICAgICBzdGF0aXN0aWM6IFwiU3VtXCIsXG4gICAgICAgIHBlcmlvZDogY2RrLkR1cmF0aW9uLm1pbnV0ZXMoMTApLFxuICAgICAgfSlcbiAgICAgIC5jcmVhdGVBbGFybSh0aGlzLCBcIlJlc3RhcnRGcmVxdWVuY3lBbGFybVwiLCB7XG4gICAgICAgIGFsYXJtRGVzY3JpcHRpb246IGBUYXNrcyBpbiAke3RoaXMuY2x1c3Rlci5jbHVzdGVyTmFtZX0gaXMgZnJlcXVlbnRseSBwcm92aXNpb25pbmdgLFxuICAgICAgICBldmFsdWF0aW9uUGVyaW9kczogMSxcbiAgICAgICAgdGhyZXNob2xkOiAyNSxcbiAgICAgICAgdHJlYXRNaXNzaW5nRGF0YTogY2xvdWR3YXRjaC5UcmVhdE1pc3NpbmdEYXRhLk5PVF9CUkVBQ0hJTkcsXG4gICAgICB9KVxuXG4gICAgYWxhcm0uYWRkQWxhcm1BY3Rpb24oYWN0aW9uKVxuICAgIGFsYXJtLmFkZE9rQWN0aW9uKGFjdGlvbilcbiAgfVxufVxuIl19