@liflig/cdk 2.18.5 → 2.18.7

package/lib/bastion-host.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BastionHost = void 0;
+const constructs = require("constructs");
+const ec2 = require("aws-cdk-lib/aws-ec2");
+const iam = require("aws-cdk-lib/aws-iam");
+const cdk = require("aws-cdk-lib");
+/**
+ * This creates a EC2 bastion host that can be used to connect
+ * to database instances and other internal resources.
+ *
+ * The instance is supposed to have no open ingress ports, and users
+ * are supposed to connect only through SSM Session Manager.
+ *
+ * The resources that the bastion host should be allowed to access
+ * must have the bastion host security group as allowed ingress.
+ *
+ * For more internal details, see
+ * https://confluence.capraconsulting.no/x/q8UBC
+ */
+class BastionHost extends constructs.Construct {
+    constructor(scope, id, props) {
+        var _a, _b;
+        super(scope, id);
+        const region = cdk.Stack.of(this).region;
+        this.securityGroup =
+            (_a = props.securityGroup) !== null && _a !== void 0 ? _a : new ec2.SecurityGroup(this, "SecurityGroup", {
+                vpc: props.vpc,
+            });
+        const instance = new ec2.Instance(this, "Instance", {
+            vpc: props.vpc,
+            vpcSubnets: (_b = props.subnetSelection) !== null && _b !== void 0 ? _b : {
+                subnetType: ec2.SubnetType.PUBLIC,
+            },
+            securityGroup: this.securityGroup,
+            instanceName: "Bastion",
+            instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),
+            machineImage: ec2.MachineImage.latestAmazonLinux({
+                generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
+            }),
+        });
+        instance.addUserData(`yum install -y https://amazon-ssm-${region}.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm socat postgresql mariadb`);
+        // SSM support.
+        instance.addToRolePolicy(
+        // This mimics the AmazonEC2RoleforSSM policy
+        // while granting least privileges needed.
+        //
+        // The default AmazonEC2RoleforSSM policy gives read/write access
+        // to all objects in S3, all parameters in Parameter Store, amoung
+        // more. We primarily use the SSM agent for limited remote control,
+        // and the policy here covers that as the primary use case.
+        //
+        // See https://www.cflee.com/posts/aws-ssm-iam-policy-caveats/
+        // See also https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
+        new iam.PolicyStatement({
+            actions: [
+                // https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+                // https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html
+                "ssm:ListInstanceAssociations",
+                "ssm:UpdateInstanceInformation",
+                "ssm:GetDocument",
+                "ssm:PutInventory",
+                "ssm:UpdateInstanceAssociationStatus",
+                // https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+                "ssmmessages:CreateControlChannel",
+                "ssmmessages:CreateDataChannel",
+                "ssmmessages:OpenControlChannel",
+                "ssmmessages:OpenDataChannel",
+                // https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonmessagedeliveryservice.html
+                "ec2messages:AcknowledgeMessage",
+                "ec2messages:DeleteMessage",
+                "ec2messages:FailMessage",
+                "ec2messages:GetEndpoint",
+                "ec2messages:GetMessages",
+                "ec2messages:SendReply",
+            ],
+            // Seems this is needed for the given actions.
+            resources: ["*"],
+        }));
+        new cdk.CfnOutput(this, "BastionInstanceId", {
+            value: instance.instanceId,
+        });
+    }
+}
+exports.BastionHost = BastionHost;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYmFzdGlvbi1ob3N0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2Jhc3Rpb24taG9zdC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSx5Q0FBd0M7QUFDeEMsMkNBQTBDO0FBQzFDLDJDQUEwQztBQUMxQyxtQ0FBa0M7QUF3QmxDOzs7Ozs7Ozs7Ozs7R0FZRztBQUNILE1BQWEsV0FBWSxTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBR25ELFlBQVksS0FBMkIsRUFBRSxFQUFVLEVBQUUsS0FBWTs7UUFDL0QsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQTtRQUVoQixNQUFNLE1BQU0sR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLENBQUE7UUFFeEMsSUFBSSxDQUFDLGFBQWE7WUFDaEIsTUFBQSxLQUFLLENBQUMsYUFBYSxtQ0FDbkIsSUFBSSxHQUFHLENBQUMsYUFBYSxDQUFDLElBQUksRUFBRSxlQUFlLEVBQUU7Z0JBQzNDLEdBQUcsRUFBRSxLQUFLLENBQUMsR0FBRzthQUNmLENBQUMsQ0FBQTtRQUVKLE1BQU0sUUFBUSxHQUFHLElBQUksR0FBRyxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQ2xELEdBQUcsRUFBRSxLQUFLLENBQUMsR0FBRztZQUNkLFVBQVUsRUFBRSxNQUFBLEtBQUssQ0FBQyxlQUFlLG1DQUFJO2dCQUNuQyxVQUFVLEVBQUUsR0FBRyxDQUFDLFVBQVUsQ0FBQyxNQUFNO2FBQ2xDO1lBQ0QsYUFBYSxFQUFFLElBQUksQ0FBQyxhQUFhO1lBQ2pDLFlBQVksRUFBRSxTQUFTO1lBQ3ZCLFlBQVksRUFBRSxHQUFHLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FDL0IsR0FBRyxDQUFDLGFBQWEsQ0FBQyxFQUFFLEVBQ3BCLEdBQUcsQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUN0QjtZQUNELFlBQVksRUFBRSxHQUFHLENBQUMsWUFBWSxDQUFDLGlCQUFpQixDQUFDO2dCQUMvQyxVQUFVLEVBQUUsR0FBRyxDQUFDLHFCQUFxQixDQUFDLGNBQWM7YUFDckQsQ0FBQztTQUNILENBQUMsQ0FBQTtRQUVGLFFBQVEsQ0FBQyxXQUFXLENBQ2xCLHFDQUFxQyxNQUFNLG9GQUFvRixDQUNoSSxDQUFBO1FBRUQsZUFBZTtRQUNmLFFBQVEsQ0FBQyxlQUFlO1FBQ3RCLDZDQUE2QztRQUM3QywwQ0FBMEM7UUFDMUMsRUFBRTtRQUNGLGlFQUFpRTtRQUNqRSxrRUFBa0U7UUFDbEUsbUVBQW1FO1FBQ25FLDJEQUEyRDtRQUMzRCxFQUFFO1FBQ0YsOERBQThEO1FBQzlELG9HQUFvRztRQUNwRyxJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDdEIsT0FBTyxFQUFFO2dCQUNQLDJHQUEyRztnQkFDM0csK0VBQStFO2dCQUMvRSw4QkFBOEI7Z0JBQzlCLCtCQUErQjtnQkFDL0IsaUJBQWlCO2dCQUNqQixrQkFBa0I7Z0JBQ2xCLHFDQUFxQztnQkFDckMsMkdBQTJHO2dCQUMzRyxrQ0FBa0M7Z0JBQ2xDLCtCQUErQjtnQkFDL0IsZ0NBQWdDO2dCQUNoQyw2QkFBNkI7Z0JBQzdCLDBGQUEwRjtnQkFDMUYsZ0NBQWdDO2dCQUNoQywyQkFBMkI7Z0JBQzNCLHlCQUF5QjtnQkFDekIseUJBQXlCO2dCQUN6Qix5QkFBeUI7Z0JBQ3pCLHVCQUF1QjthQUN4QjtZQUNELDhDQUE4QztZQUM5QyxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUNILENBQUE7UUFFRCxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLG1CQUFtQixFQUFFO1lBQzNDLEtBQUssRUFBRSxRQUFRLENBQUMsVUFBVTtTQUMzQixDQUFDLENBQUE7SUFDSixDQUFDO0NBQ0Y7QUE3RUQsa0NBNkVDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgY29uc3RydWN0cyBmcm9tIFwiY29uc3RydWN0c1wiXG5pbXBvcnQgKiBhcyBlYzIgZnJvbSBcImF3cy1jZGstbGliL2F3cy1lYzJcIlxuaW1wb3J0ICogYXMgaWFtIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtaWFtXCJcbmltcG9ydCAqIGFzIGNkayBmcm9tIFwiYXdzLWNkay1saWJcIlxuXG5pbnRlcmZhY2UgUHJvcHMge1xuICB2cGM6IGVjMi5JVnBjXG4gIC8qKlxuICAgKiBUaGUgc2VjdXJpdHkgZ3JvdXAgdXNlZCBmb3IgdGhlIEVDMiBpbnN0YW5jZS5cbiAgICpcbiAgICogQGRlZmF1bHQgLSBhIHNlY3VyaXR5IGdyb3VwIHdpbGwgYmUgY3JlYXRlZFxuICAgKi9cbiAgc2VjdXJpdHlHcm91cD86IGVjMi5JU2VjdXJpdHlHcm91cFxuICAvKipcbiAgICogVGhlIHN1Ym5ldHMgdG8gcGxhY2UgdGhlIGJhc3Rpb24gaG9zdC5cbiAgICpcbiAgICogTm90ZSB0aGF0IGlmIHBsYWNlZCBpbnNpZGUgcHJpdmF0ZSBzdWJuZXQsIHRoZSBWUEMgbXVzdCBoYXZlXG4gICAqIFZQQyBlbmRwb2ludHMgdG8gYWNjZXNzIHJlbGV2YW50IEFXUyBzZXJ2aWNlcyBmb3IgU3lzdGVtcyBNYW5hZ2VyXG4gICAqIHRvIHdvcmsgaW4gb3JkZXIgdG8gYmUgYWJsZSB0byBjb25uZWN0IHRvIHRoZSBpbnN0YW5jZS5cbiAgICpcbiAgICogU2VlIGh0dHBzOi8vYXdzLmFtYXpvbi5jb20vcHJlbWl1bXN1cHBvcnQva25vd2xlZGdlLWNlbnRlci9lYzItc3lzdGVtcy1tYW5hZ2VyLXZwYy1lbmRwb2ludHMvXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gcHVibGljIHN1Ym5ldHNcbiAgICovXG4gIHN1Ym5ldFNlbGVjdGlvbj86IGVjMi5TdWJuZXRTZWxlY3Rpb25cbn1cblxuLyoqXG4gKiBUaGlzIGNyZWF0ZXMgYSBFQzIgYmFzdGlvbiBob3N0IHRoYXQgY2FuIGJlIHVzZWQgdG8gY29ubmVjdFxuICogdG8gZGF0YWJhc2UgaW5zdGFuY2VzIGFuZCBvdGhlciBpbnRlcm5hbCByZXNvdXJjZXMuXG4gKlxuICogVGhlIGluc3RhbmNlIGlzIHN1cHBvc2VkIHRvIGhhdmUgbm8gb3BlbiBpbmdyZXNzIHBvcnRzLCBhbmQgdXNlcnNcbiAqIGFyZSBzdXBwb3NlZCB0byBjb25uZWN0IG9ubHkgdGhyb3VnaCBTU00gU2Vzc2lvbiBNYW5hZ2VyLlxuICpcbiAqIFRoZSByZXNvdXJjZXMgdGhhdCB0aGUgYmFzdGlvbiBob3N0IHNob3VsZCBiZSBhbGxvd2VkIHRvIGFjY2Vzc1xuICogbXVzdCBoYXZlIHRoZSBiYXN0aW9uIGhvc3Qgc2VjdXJpdHkgZ3JvdXAgYXMgYWxsb3dlZCBpbmdyZXNzLlxuICpcbiAqIEZvciBtb3JlIGludGVybmFsIGRldGFpbHMsIHNlZVxuICogaHR0cHM6Ly9jb25mbHVlbmNlLmNhcHJhY29uc3VsdGluZy5uby94L3E4VUJDXG4gKi9cbmV4cG9ydCBjbGFzcyBCYXN0aW9uSG9zdCBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IHNlY3VyaXR5R3JvdXA6IGVjMi5JU2VjdXJpdHlHcm91cFxuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IFByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKVxuXG4gICAgY29uc3QgcmVnaW9uID0gY2RrLlN0YWNrLm9mKHRoaXMpLnJlZ2lvblxuXG4gICAgdGhpcy5zZWN1cml0eUdyb3VwID1cbiAgICAgIHByb3BzLnNlY3VyaXR5R3JvdXAgPz9cbiAgICAgIG5ldyBlYzIuU2VjdXJpdHlHcm91cCh0aGlzLCBcIlNlY3VyaXR5R3JvdXBcIiwge1xuICAgICAgICB2cGM6IHByb3BzLnZwYyxcbiAgICAgIH0pXG5cbiAgICBjb25zdCBpbnN0YW5jZSA9IG5ldyBlYzIuSW5zdGFuY2UodGhpcywgXCJJbnN0YW5jZVwiLCB7XG4gICAgICB2cGM6IHByb3BzLnZwYyxcbiAgICAgIHZwY1N1Ym5ldHM6IHByb3BzLnN1Ym5ldFNlbGVjdGlvbiA/PyB7XG4gICAgICAgIHN1Ym5ldFR5cGU6IGVjMi5TdWJuZXRUeXBlLlBVQkxJQyxcbiAgICAgIH0sXG4gICAgICBzZWN1cml0eUdyb3VwOiB0aGlzLnNlY3VyaXR5R3JvdXAsXG4gICAgICBpbnN0YW5jZU5hbWU6IFwiQmFzdGlvblwiLFxuICAgICAgaW5zdGFuY2VUeXBlOiBlYzIuSW5zdGFuY2VUeXBlLm9mKFxuICAgICAgICBlYzIuSW5zdGFuY2VDbGFzcy5UMyxcbiAgICAgICAgZWMyLkluc3RhbmNlU2l6ZS5OQU5PLFxuICAgICAgKSxcbiAgICAgIG1hY2hpbmVJbWFnZTogZWMyLk1hY2hpbmVJbWFnZS5sYXRlc3RBbWF6b25MaW51eCh7XG4gICAgICAgIGdlbmVyYXRpb246IGVjMi5BbWF6b25MaW51eEdlbmVyYXRpb24uQU1BWk9OX0xJTlVYXzIsXG4gICAgICB9KSxcbiAgICB9KVxuXG4gICAgaW5zdGFuY2UuYWRkVXNlckRhdGEoXG4gICAgICBgeXVtIGluc3RhbGwgLXkgaHR0cHM6Ly9hbWF6b24tc3NtLSR7cmVnaW9ufS5zMy5hbWF6b25hd3MuY29tL2xhdGVzdC9saW51eF9hbWQ2NC9hbWF6b24tc3NtLWFnZW50LnJwbSBzb2NhdCBwb3N0Z3Jlc3FsIG1hcmlhZGJgLFxuICAgIClcblxuICAgIC8vIFNTTSBzdXBwb3J0LlxuICAgIGluc3RhbmNlLmFkZFRvUm9sZVBvbGljeShcbiAgICAgIC8vIFRoaXMgbWltaWNzIHRoZSBBbWF6b25FQzJSb2xlZm9yU1NNIHBvbGljeVxuICAgICAgLy8gd2hpbGUgZ3JhbnRpbmcgbGVhc3QgcHJpdmlsZWdlcyBuZWVkZWQuXG4gICAgICAvL1xuICAgICAgLy8gVGhlIGRlZmF1bHQgQW1hem9uRUMyUm9sZWZvclNTTSBwb2xpY3kgZ2l2ZXMgcmVhZC93cml0ZSBhY2Nlc3NcbiAgICAgIC8vIHRvIGFsbCBvYmplY3RzIGluIFMzLCBhbGwgcGFyYW1ldGVycyBpbiBQYXJhbWV0ZXIgU3RvcmUsIGFtb3VuZ1xuICAgICAgLy8gbW9yZS4gV2UgcHJpbWFyaWx5IHVzZSB0aGUgU1NNIGFnZW50IGZvciBsaW1pdGVkIHJlbW90ZSBjb250cm9sLFxuICAgICAgLy8gYW5kIHRoZSBwb2xpY3kgaGVyZSBjb3ZlcnMgdGhhdCBhcyB0aGUgcHJpbWFyeSB1c2UgY2FzZS5cbiAgICAgIC8vXG4gICAgICAvLyBTZWUgaHR0cHM6Ly93d3cuY2ZsZWUuY29tL3Bvc3RzL2F3cy1zc20taWFtLXBvbGljeS1jYXZlYXRzL1xuICAgICAgLy8gU2VlIGFsc28gaHR0cHM6Ly9kb2NzLmF3cy5hbWF6b24uY29tL3N5c3RlbXMtbWFuYWdlci9sYXRlc3QvdXNlcmd1aWRlL3NldHVwLWluc3RhbmNlLXByb2ZpbGUuaHRtbFxuICAgICAgbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgLy8gaHR0cHM6Ly9kb2NzLmF3cy5hbWF6b24uY29tL3N5c3RlbXMtbWFuYWdlci9sYXRlc3QvdXNlcmd1aWRlL3N5c3RlbXMtbWFuYWdlci1zZXR0aW5nLXVwLW1lc3NhZ2VBUElzLmh0bWxcbiAgICAgICAgICAvLyBodHRwczovL2RvY3MuYXdzLmFtYXpvbi5jb20vSUFNL2xhdGVzdC9Vc2VyR3VpZGUvbGlzdF9hd3NzeXN0ZW1zbWFuYWdlci5odG1sXG4gICAgICAgICAgXCJzc206TGlzdEluc3RhbmNlQXNzb2NpYXRpb25zXCIsXG4gICAgICAgICAgXCJzc206VXBkYXRlSW5zdGFuY2VJbmZvcm1hdGlvblwiLFxuICAgICAgICAgIFwic3NtOkdldERvY3VtZW50XCIsXG4gICAgICAgICAgXCJzc206UHV0SW52ZW50b3J5XCIsXG4gICAgICAgICAgXCJzc206VXBkYXRlSW5zdGFuY2VBc3NvY2lhdGlvblN0YXR1c1wiLFxuICAgICAgICAgIC8vIGh0dHBzOi8vZG9jcy5hd3MuYW1hem9uLmNvbS9zeXN0ZW1zLW1hbmFnZXIvbGF0ZXN0L3VzZXJndWlkZS9zeXN0ZW1zLW1hbmFnZXItc2V0dGluZy11cC1tZXNzYWdlQVBJcy5odG1sXG4gICAgICAgICAgXCJzc21tZXNzYWdlczpDcmVhdGVDb250cm9sQ2hhbm5lbFwiLFxuICAgICAgICAgIFwic3NtbWVzc2FnZXM6Q3JlYXRlRGF0YUNoYW5uZWxcIixcbiAgICAgICAgICBcInNzbW1lc3NhZ2VzOk9wZW5Db250cm9sQ2hhbm5lbFwiLFxuICAgICAgICAgIFwic3NtbWVzc2FnZXM6T3BlbkRhdGFDaGFubmVsXCIsXG4gICAgICAgICAgLy8gaHR0cHM6Ly9kb2NzLmF3cy5hbWF6b24uY29tL0lBTS9sYXRlc3QvVXNlckd1aWRlL2xpc3RfYW1hem9ubWVzc2FnZWRlbGl2ZXJ5c2VydmljZS5odG1sXG4gICAgICAgICAgXCJlYzJtZXNzYWdlczpBY2tub3dsZWRnZU1lc3NhZ2VcIixcbiAgICAgICAgICBcImVjMm1lc3NhZ2VzOkRlbGV0ZU1lc3NhZ2VcIixcbiAgICAgICAgICBcImVjMm1lc3NhZ2VzOkZhaWxNZXNzYWdlXCIsXG4gICAgICAgICAgXCJlYzJtZXNzYWdlczpHZXRFbmRwb2ludFwiLFxuICAgICAgICAgIFwiZWMybWVzc2FnZXM6R2V0TWVzc2FnZXNcIixcbiAgICAgICAgICBcImVjMm1lc3NhZ2VzOlNlbmRSZXBseVwiLFxuICAgICAgICBdLFxuICAgICAgICAvLyBTZWVtcyB0aGlzIGlzIG5lZWRlZCBmb3IgdGhlIGdpdmVuIGFjdGlvbnMuXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXSxcbiAgICAgIH0pLFxuICAgIClcblxuICAgIG5ldyBjZGsuQ2ZuT3V0cHV0KHRoaXMsIFwiQmFzdGlvbkluc3RhbmNlSWRcIiwge1xuICAgICAgdmFsdWU6IGluc3RhbmNlLmluc3RhbmNlSWQsXG4gICAgfSlcbiAgfVxufVxuIl19

package/lib/bin/cdk-create-snapshots.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/lib/bin/fetch-pipeline-variables.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/lib/build-artifacts/index.d.ts

@@ -0,0 +1,68 @@
+import * as constructs from "constructs";
+import * as ecr from "aws-cdk-lib/aws-ecr";
+interface Props {
+    /**
+     * The name to use for the S3 Bucket. Should include both account and region
+     * so that it will not conflict with other accounts/regions.
+     *
+     * @default - no bucket will be created
+     */
+    bucketName?: string;
+    /**
+     * The name to use for the ECR Repository.
+     */
+    ecrRepositoryName: string;
+    /**
+     * The lifecycle rules to apply to images stored in the ECR repository.
+     *
+     * @default - Expire images after 180 days
+     */
+    ecrRepositoryLifecycleRules?: ecr.LifecycleRule[];
+    /**
+     * Reference to the IAM Role that will be granted permission to
+     * assume the CI role. This role must have permission to assume
+     * the CI role.
+     *
+     * @default - use Liflig Jenkins role
+     */
+    externalRoleArn?: string;
+    /**
+     * The name of the role that will be created that will be assumed
+     * from the CI system.
+     *
+     * @default - no role will be created
+     */
+    ciRoleName?: string;
+    /**
+     * The AWS Accounts that will be granted permission to read from
+     * the artifact repos.
+     */
+    targetAccountIds: string[];
+    /**
+     * Flag if Griid is bootstrapped and the account this construct is
+     * deployed to is the build account. Will attach policies and
+     * reference existing artifacts and roles.
+     *
+     * @default false
+     */
+    griid?: boolean;
+}
+/**
+ * Build artifacts.
+ *
+ * This holds a S3 Bucket, a ECR Repository and roles to be used
+ * from CI system for uploading.
+ *
+ * TODO: How can we cleanup stuff that goes into this S3 Bucket and
+ *  ECR Repository? Can we ever reliably cleanup? We probably need
+ *  some strategy for how we put stuff here to be able to do it.
+ *
+ * @experimental
+ */
+export declare class BuildArtifacts extends constructs.Construct {
+    readonly bucketName: string | undefined;
+    readonly ecrRepositoryArn: string;
+    readonly ecrRepositoryName: string;
+    constructor(scope: constructs.Construct, id: string, props: Props);
+}
+export {};

package/lib/build-artifacts/index.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BuildArtifacts = void 0;
+const constructs = require("constructs");
+const ecr = require("aws-cdk-lib/aws-ecr");
+const iam = require("aws-cdk-lib/aws-iam");
+const s3 = require("aws-cdk-lib/aws-s3");
+const cdk = require("aws-cdk-lib");
+const griid_1 = require("../griid");
+/**
+ * Build artifacts.
+ *
+ * This holds a S3 Bucket, a ECR Repository and roles to be used
+ * from CI system for uploading.
+ *
+ * TODO: How can we cleanup stuff that goes into this S3 Bucket and
+ *  ECR Repository? Can we ever reliably cleanup? We probably need
+ *  some strategy for how we put stuff here to be able to do it.
+ *
+ * @experimental
+ */
+class BuildArtifacts extends constructs.Construct {
+    constructor(scope, id, props) {
+        var _a;
+        super(scope, id);
+        this.bucketName = props.bucketName;
+        this.ecrRepositoryName = props.ecrRepositoryName;
+        this.ecrRepositoryArn = cdk.Arn.format({
+            service: "ecr",
+            resource: "repository",
+            resourceName: this.ecrRepositoryName,
+        }, cdk.Stack.of(this));
+        const externalRoleArn = (_a = props.externalRoleArn) !== null && _a !== void 0 ? _a : "arn:aws:iam::923402097046:role/buildtools-jenkins-RoleJenkinsSlave-JQGYHR5WE6C5";
+        const ecrRepositoryName = props.ecrRepositoryName;
+        let bucket = undefined;
+        if (props.bucketName) {
+            bucket = new s3.Bucket(this, "S3Bucket", {
+                bucketName: props.bucketName,
+                encryption: s3.BucketEncryption.S3_MANAGED,
+                eventBridgeEnabled: true,
+                blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+                versioned: true,
+                lifecycleRules: [
+                    {
+                        noncurrentVersionExpiration: cdk.Duration.days(10),
+                    },
+                ],
+            });
+        }
+        const ciRole = props.ciRoleName
+            ? new iam.Role(this, "CiRole", {
+                roleName: props.ciRoleName,
+                assumedBy: new iam.ArnPrincipal(externalRoleArn),
+            })
+            : undefined;
+        const griidCiRole = props.griid
+            ? (0, griid_1.getGriidCiRole)(this)
+            : undefined;
+        if (bucket && ciRole) {
+            bucket.grantReadWrite(ciRole);
+        }
+        if (bucket && griidCiRole) {
+            bucket.grantReadWrite(griidCiRole);
+        }
+        const ecrRepo = new ecr.Repository(this, "EcrRepository", {
+            repositoryName: ecrRepositoryName,
+            lifecycleRules: props.ecrRepositoryLifecycleRules || [
+                {
+                    maxImageAge: cdk.Duration.days(180),
+                    tagStatus: ecr.TagStatus.ANY,
+                },
+            ],
+        });
+        if (ciRole) {
+            ecrRepo.grantPullPush(ciRole);
+        }
+        if (griidCiRole) {
+            ecrRepo.grantPullPush(griidCiRole);
+        }
+        // Allow a target to read from the repos. As any specific roles need
+        // to exist before we can grant access, we delegate that responsibility
+        // to the target account.
+        for (const targetAccountId of props.targetAccountIds) {
+            if (bucket) {
+                bucket.grantRead(new iam.AccountPrincipal(targetAccountId));
+            }
+            ecrRepo.grantPull(new iam.AccountPrincipal(targetAccountId));
+        }
+        // Grant permissions to write pipeline variables.
+        if (ciRole || griidCiRole) {
+            const account = cdk.Stack.of(this).account;
+            const region = cdk.Stack.of(this).region;
+            const statement = new iam.PolicyStatement({
+                actions: ["ssm:PutParameter"],
+                resources: [
+                    `arn:aws:ssm:${region}:${account}:parameter/liflig-cdk/*/pipeline-variables/*`,
+                ],
+            });
+            ciRole === null || ciRole === void 0 ? void 0 : ciRole.grantPrincipal.addToPrincipalPolicy(statement);
+            griidCiRole === null || griidCiRole === void 0 ? void 0 : griidCiRole.grantPrincipal.addToPrincipalPolicy(statement);
+        }
+        new cdk.CfnOutput(this, "EcrRepoUri", {
+            value: ecrRepo.repositoryUri,
+        });
+        if (bucket) {
+            new cdk.CfnOutput(this, "BucketName", {
+                value: bucket.bucketName,
+            });
+        }
+        if (ciRole) {
+            new cdk.CfnOutput(this, "CiRoleArn", {
+                value: ciRole.roleArn,
+            });
+        }
+    }
+}
+exports.BuildArtifacts = BuildArtifacts;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvYnVpbGQtYXJ0aWZhY3RzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHlDQUF3QztBQUN4QywyQ0FBMEM7QUFDMUMsMkNBQTBDO0FBQzFDLHlDQUF3QztBQUN4QyxtQ0FBa0M7QUFDbEMsb0NBQXlDO0FBa0R6Qzs7Ozs7Ozs7Ozs7R0FXRztBQUNILE1BQWEsY0FBZSxTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBS3RELFlBQVksS0FBMkIsRUFBRSxFQUFVLEVBQUUsS0FBWTs7UUFDL0QsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQTtRQUVoQixJQUFJLENBQUMsVUFBVSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUE7UUFDbEMsSUFBSSxDQUFDLGlCQUFpQixHQUFHLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQTtRQUNoRCxJQUFJLENBQUMsZ0JBQWdCLEdBQUcsR0FBRyxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQ3BDO1lBQ0UsT0FBTyxFQUFFLEtBQUs7WUFDZCxRQUFRLEVBQUUsWUFBWTtZQUN0QixZQUFZLEVBQUUsSUFBSSxDQUFDLGlCQUFpQjtTQUNyQyxFQUNELEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUNuQixDQUFBO1FBRUQsTUFBTSxlQUFlLEdBQ25CLE1BQUEsS0FBSyxDQUFDLGVBQWUsbUNBQ3JCLGlGQUFpRixDQUFBO1FBRW5GLE1BQU0saUJBQWlCLEdBQUcsS0FBSyxDQUFDLGlCQUFpQixDQUFBO1FBRWpELElBQUksTUFBTSxHQUEwQixTQUFTLENBQUE7UUFFN0MsSUFBSSxLQUFLLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDckIsTUFBTSxHQUFHLElBQUksRUFBRSxDQUFDLE1BQU0sQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO2dCQUN2QyxVQUFVLEVBQUUsS0FBSyxDQUFDLFVBQVU7Z0JBQzVCLFVBQVUsRUFBRSxFQUFFLENBQUMsZ0JBQWdCLENBQUMsVUFBVTtnQkFDMUMsa0JBQWtCLEVBQUUsSUFBSTtnQkFDeEIsaUJBQWlCLEVBQUUsRUFBRSxDQUFDLGlCQUFpQixDQUFDLFNBQVM7Z0JBQ2pELFNBQVMsRUFBRSxJQUFJO2dCQUNmLGNBQWMsRUFBRTtvQkFDZDt3QkFDRSwyQkFBMkIsRUFBRSxHQUFHLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7cUJBQ25EO2lCQUNGO2FBQ0YsQ0FBQyxDQUFBO1FBQ0osQ0FBQztRQUVELE1BQU0sTUFBTSxHQUF5QixLQUFLLENBQUMsVUFBVTtZQUNuRCxDQUFDLENBQUMsSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxRQUFRLEVBQUU7Z0JBQzNCLFFBQVEsRUFBRSxLQUFLLENBQUMsVUFBVTtnQkFDMUIsU0FBUyxFQUFFLElBQUksR0FBRyxDQUFDLFlBQVksQ0FBQyxlQUFlLENBQUM7YUFDakQsQ0FBQztZQUNKLENBQUMsQ0FBQyxTQUFTLENBQUE7UUFFYixNQUFNLFdBQVcsR0FBMEIsS0FBSyxDQUFDLEtBQUs7WUFDcEQsQ0FBQyxDQUFDLElBQUEsc0JBQWMsRUFBQyxJQUFJLENBQUM7WUFDdEIsQ0FBQyxDQUFDLFNBQVMsQ0FBQTtRQUViLElBQUksTUFBTSxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQ3JCLE1BQU0sQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUE7UUFDL0IsQ0FBQztRQUVELElBQUksTUFBTSxJQUFJLFdBQVcsRUFBRSxDQUFDO1lBQzFCLE1BQU0sQ0FBQyxjQUFjLENBQUMsV0FBVyxDQUFDLENBQUE7UUFDcEMsQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLElBQUksR0FBRyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEVBQUUsZUFBZSxFQUFFO1lBQ3hELGNBQWMsRUFBRSxpQkFBaUI7WUFDakMsY0FBYyxFQUFFLEtBQUssQ0FBQywyQkFBMkIsSUFBSTtnQkFDbkQ7b0JBQ0UsV0FBVyxFQUFFLEdBQUcsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQztvQkFDbkMsU0FBUyxFQUFFLEdBQUcsQ0FBQyxTQUFTLENBQUMsR0FBRztpQkFDN0I7YUFDRjtTQUNGLENBQUMsQ0FBQTtRQUVGLElBQUksTUFBTSxFQUFFLENBQUM7WUFDWCxPQUFPLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFBO1FBQy9CLENBQUM7UUFFRCxJQUFJLFdBQVcsRUFBRSxDQUFDO1lBQ2hCLE9BQU8sQ0FBQyxhQUFhLENBQUMsV0FBVyxDQUFDLENBQUE7UUFDcEMsQ0FBQztRQUVELG9FQUFvRTtRQUNwRSx1RUFBdUU7UUFDdkUseUJBQXlCO1FBQ3pCLEtBQUssTUFBTSxlQUFlLElBQUksS0FBSyxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDckQsSUFBSSxNQUFNLEVBQUUsQ0FBQztnQkFDWCxNQUFNLENBQUMsU0FBUyxDQUFDLElBQUksR0FBRyxDQUFDLGdCQUFnQixDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUE7WUFDN0QsQ0FBQztZQUNELE9BQU8sQ0FBQyxTQUFTLENBQUMsSUFBSSxHQUFHLENBQUMsZ0JBQWdCLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQTtRQUM5RCxDQUFDO1FBRUQsaURBQWlEO1FBQ2pELElBQUksTUFBTSxJQUFJLFdBQVcsRUFBRSxDQUFDO1lBQzFCLE1BQU0sT0FBTyxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sQ0FBQTtZQUMxQyxNQUFNLE1BQU0sR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLENBQUE7WUFDeEMsTUFBTSxTQUFTLEdBQUcsSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO2dCQUN4QyxPQUFPLEVBQUUsQ0FBQyxrQkFBa0IsQ0FBQztnQkFDN0IsU0FBUyxFQUFFO29CQUNULGVBQWUsTUFBTSxJQUFJLE9BQU8sOENBQThDO2lCQUMvRTthQUNGLENBQUMsQ0FBQTtZQUVGLE1BQU0sYUFBTixNQUFNLHVCQUFOLE1BQU0sQ0FBRSxjQUFjLENBQUMsb0JBQW9CLENBQUMsU0FBUyxDQUFDLENBQUE7WUFDdEQsV0FBVyxhQUFYLFdBQVcsdUJBQVgsV0FBVyxDQUFFLGNBQWMsQ0FBQyxvQkFBb0IsQ0FBQyxTQUFTLENBQUMsQ0FBQTtRQUM3RCxDQUFDO1FBRUQsSUFBSSxHQUFHLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRSxZQUFZLEVBQUU7WUFDcEMsS0FBSyxFQUFFLE9BQU8sQ0FBQyxhQUFhO1NBQzdCLENBQUMsQ0FBQTtRQUVGLElBQUksTUFBTSxFQUFFLENBQUM7WUFDWCxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLFlBQVksRUFBRTtnQkFDcEMsS0FBSyxFQUFFLE1BQU0sQ0FBQyxVQUFVO2FBQ3pCLENBQUMsQ0FBQTtRQUNKLENBQUM7UUFFRCxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQ1gsSUFBSSxHQUFHLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRSxXQUFXLEVBQUU7Z0JBQ25DLEtBQUssRUFBRSxNQUFNLENBQUMsT0FBTzthQUN0QixDQUFDLENBQUE7UUFDSixDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBeEhELHdDQXdIQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSBcImNvbnN0cnVjdHNcIlxuaW1wb3J0ICogYXMgZWNyIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZWNyXCJcbmltcG9ydCAqIGFzIGlhbSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWlhbVwiXG5pbXBvcnQgKiBhcyBzMyBmcm9tIFwiYXdzLWNkay1saWIvYXdzLXMzXCJcbmltcG9ydCAqIGFzIGNkayBmcm9tIFwiYXdzLWNkay1saWJcIlxuaW1wb3J0IHsgZ2V0R3JpaWRDaVJvbGUgfSBmcm9tIFwiLi4vZ3JpaWRcIlxuXG5pbnRlcmZhY2UgUHJvcHMge1xuICAvKipcbiAgICogVGhlIG5hbWUgdG8gdXNlIGZvciB0aGUgUzMgQnVja2V0LiBTaG91bGQgaW5jbHVkZSBib3RoIGFjY291bnQgYW5kIHJlZ2lvblxuICAgKiBzbyB0aGF0IGl0IHdpbGwgbm90IGNvbmZsaWN0IHdpdGggb3RoZXIgYWNjb3VudHMvcmVnaW9ucy5cbiAgICpcbiAgICogQGRlZmF1bHQgLSBubyBidWNrZXQgd2lsbCBiZSBjcmVhdGVkXG4gICAqL1xuICBidWNrZXROYW1lPzogc3RyaW5nXG4gIC8qKlxuICAgKiBUaGUgbmFtZSB0byB1c2UgZm9yIHRoZSBFQ1IgUmVwb3NpdG9yeS5cbiAgICovXG4gIGVjclJlcG9zaXRvcnlOYW1lOiBzdHJpbmdcbiAgLyoqXG4gICAqIFRoZSBsaWZlY3ljbGUgcnVsZXMgdG8gYXBwbHkgdG8gaW1hZ2VzIHN0b3JlZCBpbiB0aGUgRUNSIHJlcG9zaXRvcnkuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gRXhwaXJlIGltYWdlcyBhZnRlciAxODAgZGF5c1xuICAgKi9cbiAgZWNyUmVwb3NpdG9yeUxpZmVjeWNsZVJ1bGVzPzogZWNyLkxpZmVjeWNsZVJ1bGVbXVxuICAvKipcbiAgICogUmVmZXJlbmNlIHRvIHRoZSBJQU0gUm9sZSB0aGF0IHdpbGwgYmUgZ3JhbnRlZCBwZXJtaXNzaW9uIHRvXG4gICAqIGFzc3VtZSB0aGUgQ0kgcm9sZS4gVGhpcyByb2xlIG11c3QgaGF2ZSBwZXJtaXNzaW9uIHRvIGFzc3VtZVxuICAgKiB0aGUgQ0kgcm9sZS5cbiAgICpcbiAgICogQGRlZmF1bHQgLSB1c2UgTGlmbGlnIEplbmtpbnMgcm9sZVxuICAgKi9cbiAgZXh0ZXJuYWxSb2xlQXJuPzogc3RyaW5nXG4gIC8qKlxuICAgKiBUaGUgbmFtZSBvZiB0aGUgcm9sZSB0aGF0IHdpbGwgYmUgY3JlYXRlZCB0aGF0IHdpbGwgYmUgYXNzdW1lZFxuICAgKiBmcm9tIHRoZSBDSSBzeXN0ZW0uXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gbm8gcm9sZSB3aWxsIGJlIGNyZWF0ZWRcbiAgICovXG4gIGNpUm9sZU5hbWU/OiBzdHJpbmdcbiAgLyoqXG4gICAqIFRoZSBBV1MgQWNjb3VudHMgdGhhdCB3aWxsIGJlIGdyYW50ZWQgcGVybWlzc2lvbiB0byByZWFkIGZyb21cbiAgICogdGhlIGFydGlmYWN0IHJlcG9zLlxuICAgKi9cbiAgdGFyZ2V0QWNjb3VudElkczogc3RyaW5nW11cbiAgLyoqXG4gICAqIEZsYWcgaWYgR3JpaWQgaXMgYm9vdHN0cmFwcGVkIGFuZCB0aGUgYWNjb3VudCB0aGlzIGNvbnN0cnVjdCBpc1xuICAgKiBkZXBsb3llZCB0byBpcyB0aGUgYnVpbGQgYWNjb3VudC4gV2lsbCBhdHRhY2ggcG9saWNpZXMgYW5kXG4gICAqIHJlZmVyZW5jZSBleGlzdGluZyBhcnRpZmFjdHMgYW5kIHJvbGVzLlxuICAgKlxuICAgKiBAZGVmYXVsdCBmYWxzZVxuICAgKi9cbiAgZ3JpaWQ/OiBib29sZWFuXG59XG5cbi8qKlxuICogQnVpbGQgYXJ0aWZhY3RzLlxuICpcbiAqIFRoaXMgaG9sZHMgYSBTMyBCdWNrZXQsIGEgRUNSIFJlcG9zaXRvcnkgYW5kIHJvbGVzIHRvIGJlIHVzZWRcbiAqIGZyb20gQ0kgc3lzdGVtIGZvciB1cGxvYWRpbmcuXG4gKlxuICogVE9ETzogSG93IGNhbiB3ZSBjbGVhbnVwIHN0dWZmIHRoYXQgZ29lcyBpbnRvIHRoaXMgUzMgQnVja2V0IGFuZFxuICogIEVDUiBSZXBvc2l0b3J5PyBDYW4gd2UgZXZlciByZWxpYWJseSBjbGVhbnVwPyBXZSBwcm9iYWJseSBuZWVkXG4gKiAgc29tZSBzdHJhdGVneSBmb3IgaG93IHdlIHB1dCBzdHVmZiBoZXJlIHRvIGJlIGFibGUgdG8gZG8gaXQuXG4gKlxuICogQGV4cGVyaW1lbnRhbFxuICovXG5leHBvcnQgY2xhc3MgQnVpbGRBcnRpZmFjdHMgZXh0ZW5kcyBjb25zdHJ1Y3RzLkNvbnN0cnVjdCB7XG4gIHJlYWRvbmx5IGJ1Y2tldE5hbWU6IHN0cmluZyB8IHVuZGVmaW5lZFxuICByZWFkb25seSBlY3JSZXBvc2l0b3J5QXJuOiBzdHJpbmdcbiAgcmVhZG9ubHkgZWNyUmVwb3NpdG9yeU5hbWU6IHN0cmluZ1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IFByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKVxuXG4gICAgdGhpcy5idWNrZXROYW1lID0gcHJvcHMuYnVja2V0TmFtZVxuICAgIHRoaXMuZWNyUmVwb3NpdG9yeU5hbWUgPSBwcm9wcy5lY3JSZXBvc2l0b3J5TmFtZVxuICAgIHRoaXMuZWNyUmVwb3NpdG9yeUFybiA9IGNkay5Bcm4uZm9ybWF0KFxuICAgICAge1xuICAgICAgICBzZXJ2aWNlOiBcImVjclwiLFxuICAgICAgICByZXNvdXJjZTogXCJyZXBvc2l0b3J5XCIsXG4gICAgICAgIHJlc291cmNlTmFtZTogdGhpcy5lY3JSZXBvc2l0b3J5TmFtZSxcbiAgICAgIH0sXG4gICAgICBjZGsuU3RhY2sub2YodGhpcyksXG4gICAgKVxuXG4gICAgY29uc3QgZXh0ZXJuYWxSb2xlQXJuID1cbiAgICAgIHByb3BzLmV4dGVybmFsUm9sZUFybiA/P1xuICAgICAgXCJhcm46YXdzOmlhbTo6OTIzNDAyMDk3MDQ2OnJvbGUvYnVpbGR0b29scy1qZW5raW5zLVJvbGVKZW5raW5zU2xhdmUtSlFHWUhSNVdFNkM1XCJcblxuICAgIGNvbnN0IGVjclJlcG9zaXRvcnlOYW1lID0gcHJvcHMuZWNyUmVwb3NpdG9yeU5hbWVcblxuICAgIGxldCBidWNrZXQ6IHMzLkJ1Y2tldCB8IHVuZGVmaW5lZCA9IHVuZGVmaW5lZFxuXG4gICAgaWYgKHByb3BzLmJ1Y2tldE5hbWUpIHtcbiAgICAgIGJ1Y2tldCA9IG5ldyBzMy5CdWNrZXQodGhpcywgXCJTM0J1Y2tldFwiLCB7XG4gICAgICAgIGJ1Y2tldE5hbWU6IHByb3BzLmJ1Y2tldE5hbWUsXG4gICAgICAgIGVuY3J5cHRpb246IHMzLkJ1Y2tldEVuY3J5cHRpb24uUzNfTUFOQUdFRCxcbiAgICAgICAgZXZlbnRCcmlkZ2VFbmFibGVkOiB0cnVlLFxuICAgICAgICBibG9ja1B1YmxpY0FjY2VzczogczMuQmxvY2tQdWJsaWNBY2Nlc3MuQkxPQ0tfQUxMLFxuICAgICAgICB2ZXJzaW9uZWQ6IHRydWUsXG4gICAgICAgIGxpZmVjeWNsZVJ1bGVzOiBbXG4gICAgICAgICAge1xuICAgICAgICAgICAgbm9uY3VycmVudFZlcnNpb25FeHBpcmF0aW9uOiBjZGsuRHVyYXRpb24uZGF5cygxMCksXG4gICAgICAgICAgfSxcbiAgICAgICAgXSxcbiAgICAgIH0pXG4gICAgfVxuXG4gICAgY29uc3QgY2lSb2xlOiBpYW0uUm9sZSB8IHVuZGVmaW5lZCA9IHByb3BzLmNpUm9sZU5hbWVcbiAgICAgID8gbmV3IGlhbS5Sb2xlKHRoaXMsIFwiQ2lSb2xlXCIsIHtcbiAgICAgICAgICByb2xlTmFtZTogcHJvcHMuY2lSb2xlTmFtZSxcbiAgICAgICAgICBhc3N1bWVkQnk6IG5ldyBpYW0uQXJuUHJpbmNpcGFsKGV4dGVybmFsUm9sZUFybiksXG4gICAgICAgIH0pXG4gICAgICA6IHVuZGVmaW5lZFxuXG4gICAgY29uc3QgZ3JpaWRDaVJvbGU6IGlhbS5JUm9sZSB8IHVuZGVmaW5lZCA9IHByb3BzLmdyaWlkXG4gICAgICA/IGdldEdyaWlkQ2lSb2xlKHRoaXMpXG4gICAgICA6IHVuZGVmaW5lZFxuXG4gICAgaWYgKGJ1Y2tldCAmJiBjaVJvbGUpIHtcbiAgICAgIGJ1Y2tldC5ncmFudFJlYWRXcml0ZShjaVJvbGUpXG4gICAgfVxuXG4gICAgaWYgKGJ1Y2tldCAmJiBncmlpZENpUm9sZSkge1xuICAgICAgYnVja2V0LmdyYW50UmVhZFdyaXRlKGdyaWlkQ2lSb2xlKVxuICAgIH1cblxuICAgIGNvbnN0IGVjclJlcG8gPSBuZXcgZWNyLlJlcG9zaXRvcnkodGhpcywgXCJFY3JSZXBvc2l0b3J5XCIsIHtcbiAgICAgIHJlcG9zaXRvcnlOYW1lOiBlY3JSZXBvc2l0b3J5TmFtZSxcbiAgICAgIGxpZmVjeWNsZVJ1bGVzOiBwcm9wcy5lY3JSZXBvc2l0b3J5TGlmZWN5Y2xlUnVsZXMgfHwgW1xuICAgICAgICB7XG4gICAgICAgICAgbWF4SW1hZ2VBZ2U6IGNkay5EdXJhdGlvbi5kYXlzKDE4MCksXG4gICAgICAgICAgdGFnU3RhdHVzOiBlY3IuVGFnU3RhdHVzLkFOWSxcbiAgICAgICAgfSxcbiAgICAgIF0sXG4gICAgfSlcblxuICAgIGlmIChjaVJvbGUpIHtcbiAgICAgIGVjclJlcG8uZ3JhbnRQdWxsUHVzaChjaVJvbGUpXG4gICAgfVxuXG4gICAgaWYgKGdyaWlkQ2lSb2xlKSB7XG4gICAgICBlY3JSZXBvLmdyYW50UHVsbFB1c2goZ3JpaWRDaVJvbGUpXG4gICAgfVxuXG4gICAgLy8gQWxsb3cgYSB0YXJnZXQgdG8gcmVhZCBmcm9tIHRoZSByZXBvcy4gQXMgYW55IHNwZWNpZmljIHJvbGVzIG5lZWRcbiAgICAvLyB0byBleGlzdCBiZWZvcmUgd2UgY2FuIGdyYW50IGFjY2Vzcywgd2UgZGVsZWdhdGUgdGhhdCByZXNwb25zaWJpbGl0eVxuICAgIC8vIHRvIHRoZSB0YXJnZXQgYWNjb3VudC5cbiAgICBmb3IgKGNvbnN0IHRhcmdldEFjY291bnRJZCBvZiBwcm9wcy50YXJnZXRBY2NvdW50SWRzKSB7XG4gICAgICBpZiAoYnVja2V0KSB7XG4gICAgICAgIGJ1Y2tldC5ncmFudFJlYWQobmV3IGlhbS5BY2NvdW50UHJpbmNpcGFsKHRhcmdldEFjY291bnRJZCkpXG4gICAgICB9XG4gICAgICBlY3JSZXBvLmdyYW50UHVsbChuZXcgaWFtLkFjY291bnRQcmluY2lwYWwodGFyZ2V0QWNjb3VudElkKSlcbiAgICB9XG5cbiAgICAvLyBHcmFudCBwZXJtaXNzaW9ucyB0byB3cml0ZSBwaXBlbGluZSB2YXJpYWJsZXMuXG4gICAgaWYgKGNpUm9sZSB8fCBncmlpZENpUm9sZSkge1xuICAgICAgY29uc3QgYWNjb3VudCA9IGNkay5TdGFjay5vZih0aGlzKS5hY2NvdW50XG4gICAgICBjb25zdCByZWdpb24gPSBjZGsuU3RhY2sub2YodGhpcykucmVnaW9uXG4gICAgICBjb25zdCBzdGF0ZW1lbnQgPSBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGFjdGlvbnM6IFtcInNzbTpQdXRQYXJhbWV0ZXJcIl0sXG4gICAgICAgIHJlc291cmNlczogW1xuICAgICAgICAgIGBhcm46YXdzOnNzbToke3JlZ2lvbn06JHthY2NvdW50fTpwYXJhbWV0ZXIvbGlmbGlnLWNkay8qL3BpcGVsaW5lLXZhcmlhYmxlcy8qYCxcbiAgICAgICAgXSxcbiAgICAgIH0pXG5cbiAgICAgIGNpUm9sZT8uZ3JhbnRQcmluY2lwYWwuYWRkVG9QcmluY2lwYWxQb2xpY3koc3RhdGVtZW50KVxuICAgICAgZ3JpaWRDaVJvbGU/LmdyYW50UHJpbmNpcGFsLmFkZFRvUHJpbmNpcGFsUG9saWN5KHN0YXRlbWVudClcbiAgICB9XG5cbiAgICBuZXcgY2RrLkNmbk91dHB1dCh0aGlzLCBcIkVjclJlcG9VcmlcIiwge1xuICAgICAgdmFsdWU6IGVjclJlcG8ucmVwb3NpdG9yeVVyaSxcbiAgICB9KVxuXG4gICAgaWYgKGJ1Y2tldCkge1xuICAgICAgbmV3IGNkay5DZm5PdXRwdXQodGhpcywgXCJCdWNrZXROYW1lXCIsIHtcbiAgICAgICAgdmFsdWU6IGJ1Y2tldC5idWNrZXROYW1lLFxuICAgICAgfSlcbiAgICB9XG5cbiAgICBpZiAoY2lSb2xlKSB7XG4gICAgICBuZXcgY2RrLkNmbk91dHB1dCh0aGlzLCBcIkNpUm9sZUFyblwiLCB7XG4gICAgICAgIHZhbHVlOiBjaVJvbGUucm9sZUFybixcbiAgICAgIH0pXG4gICAgfVxuICB9XG59XG4iXX0=

package/lib/cdk-deploy/cdk-deploy.d.ts

@@ -0,0 +1,63 @@
+import * as constructs from "constructs";
+import * as cdk from "aws-cdk-lib";
+interface Props extends cdk.StackProps {
+    /**
+     * The role that will be granted permission to assume the deploy
+     * role. This role must have permission to assume the deploy role.
+     */
+    callerRoleArn: string;
+    /**
+     * The name that will be used for the deploy role. This is the role
+     * that the caller will assume in order to have permission to invoke
+     * the Lambda Functions.
+     */
+    roleName: string;
+    /**
+     * The bucket used for storing artifacts. This is used to grant
+     * permission to the role to read artifact. If the bucket is in
+     * another account, it must have a policy which allows the target
+     * account to use IAM permissions from target account.
+     */
+    artifactsBucketName: string;
+    startDeployFunctionName: string;
+    statusFunctionName: string;
+    /**
+     * This is the stack name used with `cdk bootstrap` and can e
+     * found in cdk.json as "toolkitStackName".
+     */
+    cdkToolkitStackName: string;
+    /**
+     * We pass the CDK context values as they contain feature flags
+     * used by the CDK CLI.
+     */
+    cdkContext: Record<string, string | string[]>;
+    /**
+     * The secret containing username and password (or access token)
+     * for a valid docker user. This is used to access private
+     * repositories or to handle docker hub's pull rate limiting.
+     */
+    dockerCredentialsSecretName?: string;
+}
+/**
+ * This construct is responsible for the privileges and logic of
+ * automatically deploying stack resources in an account.
+ * Its resources are used from a deployment pipeline.
+ *
+ * The deployment is performed by invoking the "start deploy"
+ * lambda with details of what should be deployed. As this is
+ * responsible for deploying infrastructure, the principal invoking
+ * might be able to cause privilege escalation. The principal invoking
+ * should be assumed to have full administrator access.
+ *
+ * The process deploying the infrastructure is locked down so this
+ * is only possibly by deployment through CloudFormation, and as
+ * such removes a lot of possible escalation paths (e.g. no role
+ * can be created by direct API call).
+ *
+ * The "status" lambda can be used to poll for completion, and will
+ * also return logs from the job upon completion.
+ */
+export declare class CdkDeploy extends constructs.Construct {
+    constructor(scope: constructs.Construct, id: string, props: Props);
+}
+export {};

package/lib/cdk-deploy/cdk-deploy.js

@@ -0,0 +1,175 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CdkDeploy = void 0;
+const constructs = require("constructs");
+const codebuild = require("aws-cdk-lib/aws-codebuild");
+const iam = require("aws-cdk-lib/aws-iam");
+const lambda = require("aws-cdk-lib/aws-lambda");
+const s3 = require("aws-cdk-lib/aws-s3");
+const cdk = require("aws-cdk-lib");
+const secretsmanager = require("aws-cdk-lib/aws-secretsmanager");
+const start_deploy_handler_1 = require("./start-deploy-handler");
+const status_handler_1 = require("./status-handler");
+/**
+ * This construct is responsible for the privileges and logic of
+ * automatically deploying stack resources in an account.
+ * Its resources are used from a deployment pipeline.
+ *
+ * The deployment is performed by invoking the "start deploy"
+ * lambda with details of what should be deployed. As this is
+ * responsible for deploying infrastructure, the principal invoking
+ * might be able to cause privilege escalation. The principal invoking
+ * should be assumed to have full administrator access.
+ *
+ * The process deploying the infrastructure is locked down so this
+ * is only possibly by deployment through CloudFormation, and as
+ * such removes a lot of possible escalation paths (e.g. no role
+ * can be created by direct API call).
+ *
+ * The "status" lambda can be used to poll for completion, and will
+ * also return logs from the job upon completion.
+ */
+class CdkDeploy extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const account = cdk.Stack.of(this).account;
+        const region = cdk.Stack.of(this).region;
+        const artifactsBucket = s3.Bucket.fromBucketName(this, "ArtifactsBucket", props.artifactsBucketName);
+        const roleToBeAssumed = new iam.Role(this, "Role", {
+            roleName: props.roleName,
+            assumedBy: new iam.ArnPrincipal(props.callerRoleArn),
+        });
+        // Bucked used for input to CodeBuild.
+        // We let CloudFormation manage the bucket name.
+        const codebuildBucket = new s3.Bucket(this, "CodebuildSourceBucket", {
+            encryption: s3.BucketEncryption.S3_MANAGED,
+            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
+            lifecycleRules: [
+                {
+                    expiration: cdk.Duration.days(5),
+                },
+            ],
+        });
+        // The role used for CloudFormation deployment.
+        const cloudFormationRole = new iam.Role(this, "CloudFormationRole", {
+            assumedBy: new iam.ServicePrincipal("cloudformation.amazonaws.com"),
+            managedPolicies: [
+                // TODO: Can we restrict this a bit more? E.g. look into how Griid has
+                //  limited what the individual stack deployments have permissions to do.
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess"),
+            ],
+        });
+        // Replace CodeBuild with ECS task?
+        // See https://aws.amazon.com/blogs/devops/using-aws-codebuild-to-execute-administrative-tasks/
+        const codebuildProject = new codebuild.Project(this, "CodebuildProject", {
+            environment: {
+                buildImage: props.dockerCredentialsSecretName == null
+                    ? codebuild.LinuxBuildImage.fromDockerRegistry("node:16")
+                    : codebuild.LinuxBuildImage.fromDockerRegistry("node:16", {
+                        secretsManagerCredentials: secretsmanager.Secret.fromSecretNameV2(this, "dockerCredentialsSecretName", props.dockerCredentialsSecretName),
+                    }),
+            },
+            buildSpec: codebuild.BuildSpec.fromObject({
+                version: "0.2",
+                env: {
+                    variables: {
+                        CDK_DEPLOY_ROLE_ARN: cloudFormationRole.roleArn,
+                        CDK_TOOLKIT_STACK_NAME: props.cdkToolkitStackName,
+                    },
+                },
+                phases: {
+                    build: {
+                        commands: [
+                            "npm install -g aws-cdk",
+                            'cdk --app "$CODEBUILD_SRC_DIR_CLOUDASSEMBLY" --role-arn "$CDK_DEPLOY_ROLE_ARN" --toolkit-stack-name "$CDK_TOOLKIT_STACK_NAME" --require-approval never deploy --exclusively $(cat stack-names.txt)',
+                        ],
+                    },
+                },
+            }),
+            timeout: cdk.Duration.hours(4),
+        });
+        // Grant access to CloudFormation.
+        codebuildProject.addToRolePolicy(new iam.PolicyStatement({
+            actions: [
+                // For diff.
+                "cloudformation:DescribeStacks",
+                "cloudformation:GetTemplate",
+                // For deploy.
+                "cloudformation:CreateChangeSet",
+                "cloudformation:DeleteStack",
+                "cloudformation:DescribeChangeSet",
+                "cloudformation:ExecuteChangeSet",
+                "cloudformation:DescribeStackEvents",
+                "cloudformation:DeleteChangeSet",
+            ],
+            resources: ["*"],
+        }));
+        // Grant access to the CDK Toolkit bucket.
+        codebuildProject.addToRolePolicy(new iam.PolicyStatement({
+            actions: [
+                "s3:GetObject*",
+                "s3:GetBucket*",
+                "s3:List*",
+                "s3:PutObject*",
+                "s3:Abort*",
+                "s3:DeleteObject*",
+            ],
+            resources: [
+                `arn:aws:s3:::${props.cdkToolkitStackName.toLowerCase()}-stagingbucket-*`,
+            ],
+        }));
+        artifactsBucket.grantRead(codebuildProject);
+        cloudFormationRole.grantPassRole(codebuildProject.role);
+        codebuildBucket.grantReadWrite(codebuildProject);
+        const startDeployFn = new lambda.Function(this, "StartDeployFunction", {
+            code: new lambda.InlineCode(`exports.handler = ${start_deploy_handler_1.startDeployHandler.toString()};`),
+            runtime: lambda.Runtime.NODEJS_16_X,
+            handler: "index.handler",
+            functionName: props.startDeployFunctionName,
+            environment: {
+                PROJECT_NAME: codebuildProject.projectName,
+                BUCKET_NAME: codebuildBucket.bucketName,
+                CDK_CONTEXT: JSON.stringify(props.cdkContext),
+            },
+            timeout: cdk.Duration.seconds(30),
+        });
+        startDeployFn.grantInvoke(roleToBeAssumed);
+        codebuildBucket.grantReadWrite(startDeployFn);
+        startDeployFn.addToRolePolicy(new iam.PolicyStatement({
+            actions: ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
+            resources: [codebuildProject.projectArn],
+        }));
+        const statusFn = new lambda.Function(this, "StatusFunction", {
+            code: new lambda.InlineCode(`exports.handler = ${status_handler_1.statusHandler.toString()};`),
+            runtime: lambda.Runtime.NODEJS_16_X,
+            handler: "index.handler",
+            functionName: props.statusFunctionName,
+            environment: {
+                PROJECT_NAME: codebuildProject.projectName,
+            },
+            timeout: cdk.Duration.seconds(30),
+        });
+        statusFn.grantInvoke(roleToBeAssumed);
+        statusFn.addToRolePolicy(new iam.PolicyStatement({
+            actions: ["codebuild:BatchGetBuilds"],
+            resources: [codebuildProject.projectArn],
+        }));
+        statusFn.addToRolePolicy(new iam.PolicyStatement({
+            actions: ["logs:GetLogEvents"],
+            resources: [
+                `arn:aws:logs:${region}:${account}:log-group:/aws/codebuild/${codebuildProject.projectName}:log-stream:*`,
+            ],
+        }));
+        new cdk.CfnOutput(this, "RoleToBeAssumedArn", {
+            value: roleToBeAssumed.roleArn,
+        });
+        new cdk.CfnOutput(this, "StatusFunctionArn", {
+            value: statusFn.functionArn,
+        });
+        new cdk.CfnOutput(this, "StartDeployFunctionArn", {
+            value: startDeployFn.functionArn,
+        });
+    }
+}
+exports.CdkDeploy = CdkDeploy;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2RrLWRlcGxveS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9jZGstZGVwbG95L2Nkay1kZXBsb3kudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEseUNBQXdDO0FBQ3hDLHVEQUFzRDtBQUN0RCwyQ0FBMEM7QUFDMUMsaURBQWdEO0FBQ2hELHlDQUF3QztBQUN4QyxtQ0FBa0M7QUFDbEMsaUVBQWdFO0FBQ2hFLGlFQUEyRDtBQUMzRCxxREFBZ0Q7QUF5Q2hEOzs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FrQkc7QUFDSCxNQUFhLFNBQVUsU0FBUSxVQUFVLENBQUMsU0FBUztJQUNqRCxZQUFZLEtBQTJCLEVBQUUsRUFBVSxFQUFFLEtBQVk7UUFDL0QsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQTtRQUVoQixNQUFNLE9BQU8sR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPLENBQUE7UUFDMUMsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxDQUFBO1FBRXhDLE1BQU0sZUFBZSxHQUFHLEVBQUUsQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUM5QyxJQUFJLEVBQ0osaUJBQWlCLEVBQ2pCLEtBQUssQ0FBQyxtQkFBbUIsQ0FDMUIsQ0FBQTtRQUVELE1BQU0sZUFBZSxHQUFHLElBQUksR0FBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsTUFBTSxFQUFFO1lBQ2pELFFBQVEsRUFBRSxLQUFLLENBQUMsUUFBUTtZQUN4QixTQUFTLEVBQUUsSUFBSSxHQUFHLENBQUMsWUFBWSxDQUFDLEtBQUssQ0FBQyxhQUFhLENBQUM7U0FDckQsQ0FBQyxDQUFBO1FBRUYsc0NBQXNDO1FBQ3RDLGdEQUFnRDtRQUNoRCxNQUFNLGVBQWUsR0FBRyxJQUFJLEVBQUUsQ0FBQyxNQUFNLENBQUMsSUFBSSxFQUFFLHVCQUF1QixFQUFFO1lBQ25FLFVBQVUsRUFBRSxFQUFFLENBQUMsZ0JBQWdCLENBQUMsVUFBVTtZQUMxQyxpQkFBaUIsRUFBRSxFQUFFLENBQUMsaUJBQWlCLENBQUMsU0FBUztZQUNqRCxjQUFjLEVBQUU7Z0JBQ2Q7b0JBQ0UsVUFBVSxFQUFFLEdBQUcsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztpQkFDakM7YUFDRjtTQUNGLENBQUMsQ0FBQTtRQUVGLCtDQUErQztRQUMvQyxNQUFNLGtCQUFrQixHQUFHLElBQUksR0FBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsb0JBQW9CLEVBQUU7WUFDbEUsU0FBUyxFQUFFLElBQUksR0FBRyxDQUFDLGdCQUFnQixDQUFDLDhCQUE4QixDQUFDO1lBQ25FLGVBQWUsRUFBRTtnQkFDZixzRUFBc0U7Z0JBQ3RFLHlFQUF5RTtnQkFDekUsR0FBRyxDQUFDLGFBQWEsQ0FBQyx3QkFBd0IsQ0FBQyxxQkFBcUIsQ0FBQzthQUNsRTtTQUNGLENBQUMsQ0FBQTtRQUVGLG1DQUFtQztRQUNuQywrRkFBK0Y7UUFDL0YsTUFBTSxnQkFBZ0IsR0FBRyxJQUFJLFNBQVMsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLGtCQUFrQixFQUFFO1lBQ3ZFLFdBQVcsRUFBRTtnQkFDWCxVQUFVLEVBQ1IsS0FBSyxDQUFDLDJCQUEyQixJQUFJLElBQUk7b0JBQ3ZDLENBQUMsQ0FBQyxTQUFTLENBQUMsZUFBZSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQztvQkFDekQsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsa0JBQWtCLENBQUMsU0FBUyxFQUFFO3dCQUN0RCx5QkFBeUIsRUFDdkIsY0FBYyxDQUFDLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FDcEMsSUFBSSxFQUNKLDZCQUE2QixFQUM3QixLQUFLLENBQUMsMkJBQTJCLENBQ2xDO3FCQUNKLENBQUM7YUFDVDtZQUNELFNBQVMsRUFBRSxTQUFTLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQztnQkFDeEMsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsR0FBRyxFQUFFO29CQUNILFNBQVMsRUFBRTt3QkFDVCxtQkFBbUIsRUFBRSxrQkFBa0IsQ0FBQyxPQUFPO3dCQUMvQyxzQkFBc0IsRUFBRSxLQUFLLENBQUMsbUJBQW1CO3FCQUNsRDtpQkFDRjtnQkFDRCxNQUFNLEVBQUU7b0JBQ04sS0FBSyxFQUFFO3dCQUNMLFFBQVEsRUFBRTs0QkFDUix3QkFBd0I7NEJBQ3hCLG9NQUFvTTt5QkFDck07cUJBQ0Y7aUJBQ0Y7YUFDRixDQUFDO1lBQ0YsT0FBTyxFQUFFLEdBQUcsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztTQUMvQixDQUFDLENBQUE7UUFFRixrQ0FBa0M7UUFDbEMsZ0JBQWdCLENBQUMsZUFBZSxDQUM5QixJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7WUFDdEIsT0FBTyxFQUFFO2dCQUNQLFlBQVk7Z0JBQ1osK0JBQStCO2dCQUMvQiw0QkFBNEI7Z0JBQzVCLGNBQWM7Z0JBQ2QsZ0NBQWdDO2dCQUNoQyw0QkFBNEI7Z0JBQzVCLGtDQUFrQztnQkFDbEMsaUNBQWlDO2dCQUNqQyxvQ0FBb0M7Z0JBQ3BDLGdDQUFnQzthQUNqQztZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQTtRQUVELDBDQUEwQztRQUMxQyxnQkFBZ0IsQ0FBQyxlQUFlLENBQzlCLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztZQUN0QixPQUFPLEVBQUU7Z0JBQ1AsZUFBZTtnQkFDZixlQUFlO2dCQUNmLFVBQVU7Z0JBQ1YsZUFBZTtnQkFDZixXQUFXO2dCQUNYLGtCQUFrQjthQUNuQjtZQUNELFNBQVMsRUFBRTtnQkFDVCxnQkFBZ0IsS0FBSyxDQUFDLG1CQUFtQixDQUFDLFdBQVcsRUFBRSxrQkFBa0I7YUFDMUU7U0FDRixDQUFDLENBQ0gsQ0FBQTtRQUVELGVBQWUsQ0FBQyxTQUFTLENBQUMsZ0JBQWdCLENBQUMsQ0FBQTtRQUUzQyxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsZ0JBQWdCLENBQUMsSUFBSyxDQUFDLENBQUE7UUFFeEQsZUFBZSxDQUFDLGNBQWMsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFBO1FBRWhELE1BQU0sYUFBYSxHQUFHLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUscUJBQXFCLEVBQUU7WUFDckUsSUFBSSxFQUFFLElBQUksTUFBTSxDQUFDLFVBQVUsQ0FDekIscUJBQXFCLHlDQUFrQixDQUFDLFFBQVEsRUFBRSxHQUFHLENBQ3REO1lBQ0QsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVztZQUNuQyxPQUFPLEVBQUUsZUFBZTtZQUN4QixZQUFZLEVBQUUsS0FBSyxDQUFDLHVCQUF1QjtZQUMzQyxXQUFXLEVBQUU7Z0JBQ1gsWUFBWSxFQUFFLGdCQUFnQixDQUFDLFdBQVc7Z0JBQzFDLFdBQVcsRUFBRSxlQUFlLENBQUMsVUFBVTtnQkFDdkMsV0FBVyxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQzthQUM5QztZQUNELE9BQU8sRUFBRSxHQUFHLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7U0FDbEMsQ0FBQyxDQUFBO1FBRUYsYUFBYSxDQUFDLFdBQVcsQ0FBQyxlQUFlLENBQUMsQ0FBQTtRQUMxQyxlQUFlLENBQUMsY0FBYyxDQUFDLGFBQWEsQ0FBQyxDQUFBO1FBRTdDLGFBQWEsQ0FBQyxlQUFlLENBQzNCLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztZQUN0QixPQUFPLEVBQUUsQ0FBQyxzQkFBc0IsRUFBRSwwQkFBMEIsQ0FBQztZQUM3RCxTQUFTLEVBQUUsQ0FBQyxnQkFBZ0IsQ0FBQyxVQUFVLENBQUM7U0FDekMsQ0FBQyxDQUNILENBQUE7UUFFRCxNQUFNLFFBQVEsR0FBRyxJQUFJLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLGdCQUFnQixFQUFFO1lBQzNELElBQUksRUFBRSxJQUFJLE1BQU0sQ0FBQyxVQUFVLENBQ3pCLHFCQUFxQiw4QkFBYSxDQUFDLFFBQVEsRUFBRSxHQUFHLENBQ2pEO1lBQ0QsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPLENBQUMsV0FBVztZQUNuQyxPQUFPLEVBQUUsZUFBZTtZQUN4QixZQUFZLEVBQUUsS0FBSyxDQUFDLGtCQUFrQjtZQUN0QyxXQUFXLEVBQUU7Z0JBQ1gsWUFBWSxFQUFFLGdCQUFnQixDQUFDLFdBQVc7YUFDM0M7WUFDRCxPQUFPLEVBQUUsR0FBRyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1NBQ2xDLENBQUMsQ0FBQTtRQUVGLFFBQVEsQ0FBQyxXQUFXLENBQUMsZUFBZSxDQUFDLENBQUE7UUFFckMsUUFBUSxDQUFDLGVBQWUsQ0FDdEIsSUFBSSxHQUFHLENBQUMsZUFBZSxDQUFDO1lBQ3RCLE9BQU8sRUFBRSxDQUFDLDBCQUEwQixDQUFDO1lBQ3JDLFNBQVMsRUFBRSxDQUFDLGdCQUFnQixDQUFDLFVBQVUsQ0FBQztTQUN6QyxDQUFDLENBQ0gsQ0FBQTtRQUVELFFBQVEsQ0FBQyxlQUFlLENBQ3RCLElBQUksR0FBRyxDQUFDLGVBQWUsQ0FBQztZQUN0QixPQUFPLEVBQUUsQ0FBQyxtQkFBbUIsQ0FBQztZQUM5QixTQUFTLEVBQUU7Z0JBQ1QsZ0JBQWdCLE1BQU0sSUFBSSxPQUFPLDZCQUE2QixnQkFBZ0IsQ0FBQyxXQUFXLGVBQWU7YUFDMUc7U0FDRixDQUFDLENBQ0gsQ0FBQTtRQUVELElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsb0JBQW9CLEVBQUU7WUFDNUMsS0FBSyxFQUFFLGVBQWUsQ0FBQyxPQUFPO1NBQy9CLENBQUMsQ0FBQTtRQUNGLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsbUJBQW1CLEVBQUU7WUFDM0MsS0FBSyxFQUFFLFFBQVEsQ0FBQyxXQUFXO1NBQzVCLENBQUMsQ0FBQTtRQUNGLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsd0JBQXdCLEVBQUU7WUFDaEQsS0FBSyxFQUFFLGFBQWEsQ0FBQyxXQUFXO1NBQ2pDLENBQUMsQ0FBQTtJQUNKLENBQUM7Q0FDRjtBQXhMRCw4QkF3TEMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb25zdHJ1Y3RzIGZyb20gXCJjb25zdHJ1Y3RzXCJcbmltcG9ydCAqIGFzIGNvZGVidWlsZCBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWNvZGVidWlsZFwiXG5pbXBvcnQgKiBhcyBpYW0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1pYW1cIlxuaW1wb3J0ICogYXMgbGFtYmRhIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtbGFtYmRhXCJcbmltcG9ydCAqIGFzIHMzIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtczNcIlxuaW1wb3J0ICogYXMgY2RrIGZyb20gXCJhd3MtY2RrLWxpYlwiXG5pbXBvcnQgKiBhcyBzZWNyZXRzbWFuYWdlciBmcm9tIFwiYXdzLWNkay1saWIvYXdzLXNlY3JldHNtYW5hZ2VyXCJcbmltcG9ydCB7IHN0YXJ0RGVwbG95SGFuZGxlciB9IGZyb20gXCIuL3N0YXJ0LWRlcGxveS1oYW5kbGVyXCJcbmltcG9ydCB7IHN0YXR1c0hhbmRsZXIgfSBmcm9tIFwiLi9zdGF0dXMtaGFuZGxlclwiXG5cbmludGVyZmFjZSBQcm9wcyBleHRlbmRzIGNkay5TdGFja1Byb3BzIHtcbiAgLyoqXG4gICAqIFRoZSByb2xlIHRoYXQgd2lsbCBiZSBncmFudGVkIHBlcm1pc3Npb24gdG8gYXNzdW1lIHRoZSBkZXBsb3lcbiAgICogcm9sZS4gVGhpcyByb2xlIG11c3QgaGF2ZSBwZXJtaXNzaW9uIHRvIGFzc3VtZSB0aGUgZGVwbG95IHJvbGUuXG4gICAqL1xuICBjYWxsZXJSb2xlQXJuOiBzdHJpbmdcbiAgLyoqXG4gICAqIFRoZSBuYW1lIHRoYXQgd2lsbCBiZSB1c2VkIGZvciB0aGUgZGVwbG95IHJvbGUuIFRoaXMgaXMgdGhlIHJvbGVcbiAgICogdGhhdCB0aGUgY2FsbGVyIHdpbGwgYXNzdW1lIGluIG9yZGVyIHRvIGhhdmUgcGVybWlzc2lvbiB0byBpbnZva2VcbiAgICogdGhlIExhbWJkYSBGdW5jdGlvbnMuXG4gICAqL1xuICByb2xlTmFtZTogc3RyaW5nXG4gIC8qKlxuICAgKiBUaGUgYnVja2V0IHVzZWQgZm9yIHN0b3JpbmcgYXJ0aWZhY3RzLiBUaGlzIGlzIHVzZWQgdG8gZ3JhbnRcbiAgICogcGVybWlzc2lvbiB0byB0aGUgcm9sZSB0byByZWFkIGFydGlmYWN0LiBJZiB0aGUgYnVja2V0IGlzIGluXG4gICAqIGFub3RoZXIgYWNjb3VudCwgaXQgbXVzdCBoYXZlIGEgcG9saWN5IHdoaWNoIGFsbG93cyB0aGUgdGFyZ2V0XG4gICAqIGFjY291bnQgdG8gdXNlIElBTSBwZXJtaXNzaW9ucyBmcm9tIHRhcmdldCBhY2NvdW50LlxuICAgKi9cbiAgYXJ0aWZhY3RzQnVja2V0TmFtZTogc3RyaW5nXG4gIHN0YXJ0RGVwbG95RnVuY3Rpb25OYW1lOiBzdHJpbmdcbiAgc3RhdHVzRnVuY3Rpb25OYW1lOiBzdHJpbmdcbiAgLyoqXG4gICAqIFRoaXMgaXMgdGhlIHN0YWNrIG5hbWUgdXNlZCB3aXRoIGBjZGsgYm9vdHN0cmFwYCBhbmQgY2FuIGVcbiAgICogZm91bmQgaW4gY2RrLmpzb24gYXMgXCJ0b29sa2l0U3RhY2tOYW1lXCIuXG4gICAqL1xuICBjZGtUb29sa2l0U3RhY2tOYW1lOiBzdHJpbmdcbiAgLyoqXG4gICAqIFdlIHBhc3MgdGhlIENESyBjb250ZXh0IHZhbHVlcyBhcyB0aGV5IGNvbnRhaW4gZmVhdHVyZSBmbGFnc1xuICAgKiB1c2VkIGJ5IHRoZSBDREsgQ0xJLlxuICAgKi9cbiAgY2RrQ29udGV4dDogUmVjb3JkPHN0cmluZywgc3RyaW5nIHwgc3RyaW5nW10+XG4gIC8qKlxuICAgKiBUaGUgc2VjcmV0IGNvbnRhaW5pbmcgdXNlcm5hbWUgYW5kIHBhc3N3b3JkIChvciBhY2Nlc3MgdG9rZW4pXG4gICAqIGZvciBhIHZhbGlkIGRvY2tlciB1c2VyLiBUaGlzIGlzIHVzZWQgdG8gYWNjZXNzIHByaXZhdGVcbiAgICogcmVwb3NpdG9yaWVzIG9yIHRvIGhhbmRsZSBkb2NrZXIgaHViJ3MgcHVsbCByYXRlIGxpbWl0aW5nLlxuICAgKi9cbiAgZG9ja2VyQ3JlZGVudGlhbHNTZWNyZXROYW1lPzogc3RyaW5nXG59XG5cbi8qKlxuICogVGhpcyBjb25zdHJ1Y3QgaXMgcmVzcG9uc2libGUgZm9yIHRoZSBwcml2aWxlZ2VzIGFuZCBsb2dpYyBvZlxuICogYXV0b21hdGljYWxseSBkZXBsb3lpbmcgc3RhY2sgcmVzb3VyY2VzIGluIGFuIGFjY291bnQuXG4gKiBJdHMgcmVzb3VyY2VzIGFyZSB1c2VkIGZyb20gYSBkZXBsb3ltZW50IHBpcGVsaW5lLlxuICpcbiAqIFRoZSBkZXBsb3ltZW50IGlzIHBlcmZvcm1lZCBieSBpbnZva2luZyB0aGUgXCJzdGFydCBkZXBsb3lcIlxuICogbGFtYmRhIHdpdGggZGV0YWlscyBvZiB3aGF0IHNob3VsZCBiZSBkZXBsb3llZC4gQXMgdGhpcyBpc1xuICogcmVzcG9uc2libGUgZm9yIGRlcGxveWluZyBpbmZyYXN0cnVjdHVyZSwgdGhlIHByaW5jaXBhbCBpbnZva2luZ1xuICogbWlnaHQgYmUgYWJsZSB0byBjYXVzZSBwcml2aWxlZ2UgZXNjYWxhdGlvbi4gVGhlIHByaW5jaXBhbCBpbnZva2luZ1xuICogc2hvdWxkIGJlIGFzc3VtZWQgdG8gaGF2ZSBmdWxsIGFkbWluaXN0cmF0b3IgYWNjZXNzLlxuICpcbiAqIFRoZSBwcm9jZXNzIGRlcGxveWluZyB0aGUgaW5mcmFzdHJ1Y3R1cmUgaXMgbG9ja2VkIGRvd24gc28gdGhpc1xuICogaXMgb25seSBwb3NzaWJseSBieSBkZXBsb3ltZW50IHRocm91Z2ggQ2xvdWRGb3JtYXRpb24sIGFuZCBhc1xuICogc3VjaCByZW1vdmVzIGEgbG90IG9mIHBvc3NpYmxlIGVzY2FsYXRpb24gcGF0aHMgKGUuZy4gbm8gcm9sZVxuICogY2FuIGJlIGNyZWF0ZWQgYnkgZGlyZWN0IEFQSSBjYWxsKS5cbiAqXG4gKiBUaGUgXCJzdGF0dXNcIiBsYW1iZGEgY2FuIGJlIHVzZWQgdG8gcG9sbCBmb3IgY29tcGxldGlvbiwgYW5kIHdpbGxcbiAqIGFsc28gcmV0dXJuIGxvZ3MgZnJvbSB0aGUgam9iIHVwb24gY29tcGxldGlvbi5cbiAqL1xuZXhwb3J0IGNsYXNzIENka0RlcGxveSBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IGNvbnN0cnVjdHMuQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogUHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpXG5cbiAgICBjb25zdCBhY2NvdW50ID0gY2RrLlN0YWNrLm9mKHRoaXMpLmFjY291bnRcbiAgICBjb25zdCByZWdpb24gPSBjZGsuU3RhY2sub2YodGhpcykucmVnaW9uXG5cbiAgICBjb25zdCBhcnRpZmFjdHNCdWNrZXQgPSBzMy5CdWNrZXQuZnJvbUJ1Y2tldE5hbWUoXG4gICAgICB0aGlzLFxuICAgICAgXCJBcnRpZmFjdHNCdWNrZXRcIixcbiAgICAgIHByb3BzLmFydGlmYWN0c0J1Y2tldE5hbWUsXG4gICAgKVxuXG4gICAgY29uc3Qgcm9sZVRvQmVBc3N1bWVkID0gbmV3IGlhbS5Sb2xlKHRoaXMsIFwiUm9sZVwiLCB7XG4gICAgICByb2xlTmFtZTogcHJvcHMucm9sZU5hbWUsXG4gICAgICBhc3N1bWVkQnk6IG5ldyBpYW0uQXJuUHJpbmNpcGFsKHByb3BzLmNhbGxlclJvbGVBcm4pLFxuICAgIH0pXG5cbiAgICAvLyBCdWNrZWQgdXNlZCBmb3IgaW5wdXQgdG8gQ29kZUJ1aWxkLlxuICAgIC8vIFdlIGxldCBDbG91ZEZvcm1hdGlvbiBtYW5hZ2UgdGhlIGJ1Y2tldCBuYW1lLlxuICAgIGNvbnN0IGNvZGVidWlsZEJ1Y2tldCA9IG5ldyBzMy5CdWNrZXQodGhpcywgXCJDb2RlYnVpbGRTb3VyY2VCdWNrZXRcIiwge1xuICAgICAgZW5jcnlwdGlvbjogczMuQnVja2V0RW5jcnlwdGlvbi5TM19NQU5BR0VELFxuICAgICAgYmxvY2tQdWJsaWNBY2Nlc3M6IHMzLkJsb2NrUHVibGljQWNjZXNzLkJMT0NLX0FMTCxcbiAgICAgIGxpZmVjeWNsZVJ1bGVzOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBleHBpcmF0aW9uOiBjZGsuRHVyYXRpb24uZGF5cyg1KSxcbiAgICAgICAgfSxcbiAgICAgIF0sXG4gICAgfSlcblxuICAgIC8vIFRoZSByb2xlIHVzZWQgZm9yIENsb3VkRm9ybWF0aW9uIGRlcGxveW1lbnQuXG4gICAgY29uc3QgY2xvdWRGb3JtYXRpb25Sb2xlID0gbmV3IGlhbS5Sb2xlKHRoaXMsIFwiQ2xvdWRGb3JtYXRpb25Sb2xlXCIsIHtcbiAgICAgIGFzc3VtZWRCeTogbmV3IGlhbS5TZXJ2aWNlUHJpbmNpcGFsKFwiY2xvdWRmb3JtYXRpb24uYW1hem9uYXdzLmNvbVwiKSxcbiAgICAgIG1hbmFnZWRQb2xpY2llczogW1xuICAgICAgICAvLyBUT0RPOiBDYW4gd2UgcmVzdHJpY3QgdGhpcyBhIGJpdCBtb3JlPyBFLmcuIGxvb2sgaW50byBob3cgR3JpaWQgaGFzXG4gICAgICAgIC8vICBsaW1pdGVkIHdoYXQgdGhlIGluZGl2aWR1YWwgc3RhY2sgZGVwbG95bWVudHMgaGF2ZSBwZXJtaXNzaW9ucyB0byBkby5cbiAgICAgICAgaWFtLk1hbmFnZWRQb2xpY3kuZnJvbUF3c01hbmFnZWRQb2xpY3lOYW1lKFwiQWRtaW5pc3RyYXRvckFjY2Vzc1wiKSxcbiAgICAgIF0sXG4gICAgfSlcblxuICAgIC8vIFJlcGxhY2UgQ29kZUJ1aWxkIHdpdGggRUNTIHRhc2s/XG4gICAgLy8gU2VlIGh0dHBzOi8vYXdzLmFtYXpvbi5jb20vYmxvZ3MvZGV2b3BzL3VzaW5nLWF3cy1jb2RlYnVpbGQtdG8tZXhlY3V0ZS1hZG1pbmlzdHJhdGl2ZS10YXNrcy9cbiAgICBjb25zdCBjb2RlYnVpbGRQcm9qZWN0ID0gbmV3IGNvZGVidWlsZC5Qcm9qZWN0KHRoaXMsIFwiQ29kZWJ1aWxkUHJvamVjdFwiLCB7XG4gICAgICBlbnZpcm9ubWVudDoge1xuICAgICAgICBidWlsZEltYWdlOlxuICAgICAgICAgIHByb3BzLmRvY2tlckNyZWRlbnRpYWxzU2VjcmV0TmFtZSA9PSBudWxsXG4gICAgICAgICAgICA/IGNvZGVidWlsZC5MaW51eEJ1aWxkSW1hZ2UuZnJvbURvY2tlclJlZ2lzdHJ5KFwibm9kZToxNlwiKVxuICAgICAgICAgICAgOiBjb2RlYnVpbGQuTGludXhCdWlsZEltYWdlLmZyb21Eb2NrZXJSZWdpc3RyeShcIm5vZGU6MTZcIiwge1xuICAgICAgICAgICAgICAgIHNlY3JldHNNYW5hZ2VyQ3JlZGVudGlhbHM6XG4gICAgICAgICAgICAgICAgICBzZWNyZXRzbWFuYWdlci5TZWNyZXQuZnJvbVNlY3JldE5hbWVWMihcbiAgICAgICAgICAgICAgICAgICAgdGhpcyxcbiAgICAgICAgICAgICAgICAgICAgXCJkb2NrZXJDcmVkZW50aWFsc1NlY3JldE5hbWVcIixcbiAgICAgICAgICAgICAgICAgICAgcHJvcHMuZG9ja2VyQ3JlZGVudGlhbHNTZWNyZXROYW1lLFxuICAgICAgICAgICAgICAgICAgKSxcbiAgICAgICAgICAgICAgfSksXG4gICAgICB9LFxuICAgICAgYnVpbGRTcGVjOiBjb2RlYnVpbGQuQnVpbGRTcGVjLmZyb21PYmplY3Qoe1xuICAgICAgICB2ZXJzaW9uOiBcIjAuMlwiLFxuICAgICAgICBlbnY6IHtcbiAgICAgICAgICB2YXJpYWJsZXM6IHtcbiAgICAgICAgICAgIENES19ERVBMT1lfUk9MRV9BUk46IGNsb3VkRm9ybWF0aW9uUm9sZS5yb2xlQXJuLFxuICAgICAgICAgICAgQ0RLX1RPT0xLSVRfU1RBQ0tfTkFNRTogcHJvcHMuY2RrVG9vbGtpdFN0YWNrTmFtZSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgICBwaGFzZXM6IHtcbiAgICAgICAgICBidWlsZDoge1xuICAgICAgICAgICAgY29tbWFuZHM6IFtcbiAgICAgICAgICAgICAgXCJucG0gaW5zdGFsbCAtZyBhd3MtY2RrXCIsXG4gICAgICAgICAgICAgICdjZGsgLS1hcHAgXCIkQ09ERUJVSUxEX1NSQ19ESVJfQ0xPVURBU1NFTUJMWVwiIC0tcm9sZS1hcm4gXCIkQ0RLX0RFUExPWV9ST0xFX0FSTlwiIC0tdG9vbGtpdC1zdGFjay1uYW1lIFwiJENES19UT09MS0lUX1NUQUNLX05BTUVcIiAtLXJlcXVpcmUtYXBwcm92YWwgbmV2ZXIgZGVwbG95IC0tZXhjbHVzaXZlbHkgJChjYXQgc3RhY2stbmFtZXMudHh0KScsXG4gICAgICAgICAgICBdLFxuICAgICAgICAgIH0sXG4gICAgICAgIH0sXG4gICAgICB9KSxcbiAgICAgIHRpbWVvdXQ6IGNkay5EdXJhdGlvbi5ob3Vycyg0KSxcbiAgICB9KVxuXG4gICAgLy8gR3JhbnQgYWNjZXNzIHRvIENsb3VkRm9ybWF0aW9uLlxuICAgIGNvZGVidWlsZFByb2plY3QuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgbmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgLy8gRm9yIGRpZmYuXG4gICAgICAgICAgXCJjbG91ZGZvcm1hdGlvbjpEZXNjcmliZVN0YWNrc1wiLFxuICAgICAgICAgIFwiY2xvdWRmb3JtYXRpb246R2V0VGVtcGxhdGVcIixcbiAgICAgICAgICAvLyBGb3IgZGVwbG95LlxuICAgICAgICAgIFwiY2xvdWRmb3JtYXRpb246Q3JlYXRlQ2hhbmdlU2V0XCIsXG4gICAgICAgICAgXCJjbG91ZGZvcm1hdGlvbjpEZWxldGVTdGFja1wiLFxuICAgICAgICAgIFwiY2xvdWRmb3JtYXRpb246RGVzY3JpYmVDaGFuZ2VTZXRcIixcbiAgICAgICAgICBcImNsb3VkZm9ybWF0aW9uOkV4ZWN1dGVDaGFuZ2VTZXRcIixcbiAgICAgICAgICBcImNsb3VkZm9ybWF0aW9uOkRlc2NyaWJlU3RhY2tFdmVudHNcIixcbiAgICAgICAgICBcImNsb3VkZm9ybWF0aW9uOkRlbGV0ZUNoYW5nZVNldFwiLFxuICAgICAgICBdLFxuICAgICAgICByZXNvdXJjZXM6IFtcIipcIl0sXG4gICAgICB9KSxcbiAgICApXG5cbiAgICAvLyBHcmFudCBhY2Nlc3MgdG8gdGhlIENESyBUb29sa2l0IGJ1Y2tldC5cbiAgICBjb2RlYnVpbGRQcm9qZWN0LmFkZFRvUm9sZVBvbGljeShcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgIFwiczM6R2V0T2JqZWN0KlwiLFxuICAgICAgICAgIFwiczM6R2V0QnVja2V0KlwiLFxuICAgICAgICAgIFwiczM6TGlzdCpcIixcbiAgICAgICAgICBcInMzOlB1dE9iamVjdCpcIixcbiAgICAgICAgICBcInMzOkFib3J0KlwiLFxuICAgICAgICAgIFwiczM6RGVsZXRlT2JqZWN0KlwiLFxuICAgICAgICBdLFxuICAgICAgICByZXNvdXJjZXM6IFtcbiAgICAgICAgICBgYXJuOmF3czpzMzo6OiR7cHJvcHMuY2RrVG9vbGtpdFN0YWNrTmFtZS50b0xvd2VyQ2FzZSgpfS1zdGFnaW5nYnVja2V0LSpgLFxuICAgICAgICBdLFxuICAgICAgfSksXG4gICAgKVxuXG4gICAgYXJ0aWZhY3RzQnVja2V0LmdyYW50UmVhZChjb2RlYnVpbGRQcm9qZWN0KVxuXG4gICAgY2xvdWRGb3JtYXRpb25Sb2xlLmdyYW50UGFzc1JvbGUoY29kZWJ1aWxkUHJvamVjdC5yb2xlISlcblxuICAgIGNvZGVidWlsZEJ1Y2tldC5ncmFudFJlYWRXcml0ZShjb2RlYnVpbGRQcm9qZWN0KVxuXG4gICAgY29uc3Qgc3RhcnREZXBsb3lGbiA9IG5ldyBsYW1iZGEuRnVuY3Rpb24odGhpcywgXCJTdGFydERlcGxveUZ1bmN0aW9uXCIsIHtcbiAgICAgIGNvZGU6IG5ldyBsYW1iZGEuSW5saW5lQ29kZShcbiAgICAgICAgYGV4cG9ydHMuaGFuZGxlciA9ICR7c3RhcnREZXBsb3lIYW5kbGVyLnRvU3RyaW5nKCl9O2AsXG4gICAgICApLFxuICAgICAgcnVudGltZTogbGFtYmRhLlJ1bnRpbWUuTk9ERUpTXzE2X1gsXG4gICAgICBoYW5kbGVyOiBcImluZGV4LmhhbmRsZXJcIixcbiAgICAgIGZ1bmN0aW9uTmFtZTogcHJvcHMuc3RhcnREZXBsb3lGdW5jdGlvbk5hbWUsXG4gICAgICBlbnZpcm9ubWVudDoge1xuICAgICAgICBQUk9KRUNUX05BTUU6IGNvZGVidWlsZFByb2plY3QucHJvamVjdE5hbWUsXG4gICAgICAgIEJVQ0tFVF9OQU1FOiBjb2RlYnVpbGRCdWNrZXQuYnVja2V0TmFtZSxcbiAgICAgICAgQ0RLX0NPTlRFWFQ6IEpTT04uc3RyaW5naWZ5KHByb3BzLmNka0NvbnRleHQpLFxuICAgICAgfSxcbiAgICAgIHRpbWVvdXQ6IGNkay5EdXJhdGlvbi5zZWNvbmRzKDMwKSxcbiAgICB9KVxuXG4gICAgc3RhcnREZXBsb3lGbi5ncmFudEludm9rZShyb2xlVG9CZUFzc3VtZWQpXG4gICAgY29kZWJ1aWxkQnVja2V0LmdyYW50UmVhZFdyaXRlKHN0YXJ0RGVwbG95Rm4pXG5cbiAgICBzdGFydERlcGxveUZuLmFkZFRvUm9sZVBvbGljeShcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogW1wiY29kZWJ1aWxkOlN0YXJ0QnVpbGRcIiwgXCJjb2RlYnVpbGQ6QmF0Y2hHZXRCdWlsZHNcIl0sXG4gICAgICAgIHJlc291cmNlczogW2NvZGVidWlsZFByb2plY3QucHJvamVjdEFybl0sXG4gICAgICB9KSxcbiAgICApXG5cbiAgICBjb25zdCBzdGF0dXNGbiA9IG5ldyBsYW1iZGEuRnVuY3Rpb24odGhpcywgXCJTdGF0dXNGdW5jdGlvblwiLCB7XG4gICAgICBjb2RlOiBuZXcgbGFtYmRhLklubGluZUNvZGUoXG4gICAgICAgIGBleHBvcnRzLmhhbmRsZXIgPSAke3N0YXR1c0hhbmRsZXIudG9TdHJpbmcoKX07YCxcbiAgICAgICksXG4gICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5OT0RFSlNfMTZfWCxcbiAgICAgIGhhbmRsZXI6IFwiaW5kZXguaGFuZGxlclwiLFxuICAgICAgZnVuY3Rpb25OYW1lOiBwcm9wcy5zdGF0dXNGdW5jdGlvbk5hbWUsXG4gICAgICBlbnZpcm9ubWVudDoge1xuICAgICAgICBQUk9KRUNUX05BTUU6IGNvZGVidWlsZFByb2plY3QucHJvamVjdE5hbWUsXG4gICAgICB9LFxuICAgICAgdGltZW91dDogY2RrLkR1cmF0aW9uLnNlY29uZHMoMzApLFxuICAgIH0pXG5cbiAgICBzdGF0dXNGbi5ncmFudEludm9rZShyb2xlVG9CZUFzc3VtZWQpXG5cbiAgICBzdGF0dXNGbi5hZGRUb1JvbGVQb2xpY3koXG4gICAgICBuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGFjdGlvbnM6IFtcImNvZGVidWlsZDpCYXRjaEdldEJ1aWxkc1wiXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbY29kZWJ1aWxkUHJvamVjdC5wcm9qZWN0QXJuXSxcbiAgICAgIH0pLFxuICAgIClcblxuICAgIHN0YXR1c0ZuLmFkZFRvUm9sZVBvbGljeShcbiAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogW1wibG9nczpHZXRMb2dFdmVudHNcIl0sXG4gICAgICAgIHJlc291cmNlczogW1xuICAgICAgICAgIGBhcm46YXdzOmxvZ3M6JHtyZWdpb259OiR7YWNjb3VudH06bG9nLWdyb3VwOi9hd3MvY29kZWJ1aWxkLyR7Y29kZWJ1aWxkUHJvamVjdC5wcm9qZWN0TmFtZX06bG9nLXN0cmVhbToqYCxcbiAgICAgICAgXSxcbiAgICAgIH0pLFxuICAgIClcblxuICAgIG5ldyBjZGsuQ2ZuT3V0cHV0KHRoaXMsIFwiUm9sZVRvQmVBc3N1bWVkQXJuXCIsIHtcbiAgICAgIHZhbHVlOiByb2xlVG9CZUFzc3VtZWQucm9sZUFybixcbiAgICB9KVxuICAgIG5ldyBjZGsuQ2ZuT3V0cHV0KHRoaXMsIFwiU3RhdHVzRnVuY3Rpb25Bcm5cIiwge1xuICAgICAgdmFsdWU6IHN0YXR1c0ZuLmZ1bmN0aW9uQXJuLFxuICAgIH0pXG4gICAgbmV3IGNkay5DZm5PdXRwdXQodGhpcywgXCJTdGFydERlcGxveUZ1bmN0aW9uQXJuXCIsIHtcbiAgICAgIHZhbHVlOiBzdGFydERlcGxveUZuLmZ1bmN0aW9uQXJuLFxuICAgIH0pXG4gIH1cbn1cbiJdfQ==

package/lib/cdk-deploy/index.d.ts

@@ -0,0 +1 @@
+export { CdkDeploy } from "./cdk-deploy";

package/lib/cdk-deploy/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CdkDeploy = void 0;
+var cdk_deploy_1 = require("./cdk-deploy");
+Object.defineProperty(exports, "CdkDeploy", { enumerable: true, get: function () { return cdk_deploy_1.CdkDeploy; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY2RrLWRlcGxveS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyQ0FBd0M7QUFBL0IsdUdBQUEsU0FBUyxPQUFBIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IHsgQ2RrRGVwbG95IH0gZnJvbSBcIi4vY2RrLWRlcGxveVwiXG4iXX0=

package/lib/cdk-deploy/start-deploy-handler.d.ts

@@ -0,0 +1,8 @@
+import { Handler } from "aws-lambda";
+interface StartDeployExpectedInput {
+    bucketName: string;
+    bucketKey: string;
+    stackNames: string[];
+}
+export declare const startDeployHandler: Handler<Partial<StartDeployExpectedInput>>;
+export {};