@linzjs/cdk-tags 1.0.3 → 1.1.0

package/build/src/build.d.ts

@@ -0,0 +1,30 @@
+interface GitBuildInfo {
+    /**
+     * Last git version tag
+     *
+     * @example
+     * "v6.45.0"
+     */
+    version: string;
+    /**
+     * Current git commit hash
+     *
+     * @example
+     * "e460a1bf611b9464f4c2c3feb48e4823277f14a4"
+     */
+    hash: string;
+    /**
+     * Github actions run id and attempt if it exists, otherwise ""
+     *
+     * @example
+     * "6228679664-1"
+     */
+    buildId: string;
+}
+/**
+ * Attempt to guess build information from the currently checked out version of the source code
+ *
+ * @returns Basic Git/Github build information
+ */
+export declare function getGitBuildInfo(): GitBuildInfo;
+export {};

package/build/src/build.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getGitBuildInfo = void 0;
+const node_child_process_1 = require("node:child_process");
+let buildInfo;
+/**
+ * Attempt to guess build information from the currently checked out version of the source code
+ *
+ * @returns Basic Git/Github build information
+ */
+function getGitBuildInfo() {
+    if (buildInfo == null) {
+        buildInfo = {
+            version: (0, node_child_process_1.execFileSync)('git', ['describe', '--tags', '--always', '--match', 'v*']).toString().trim(),
+            hash: (0, node_child_process_1.execFileSync)('git', ['rev-parse', 'HEAD']).toString().trim(),
+            buildId: process.env['GITHUB_RUN_ID']
+                ? `${process.env['GITHUB_RUN_ID']}-${process.env['GITHUB_RUN_ATTEMPT']}`
+                : '',
+        };
+    }
+    return buildInfo;
+}
+exports.getGitBuildInfo = getGitBuildInfo;
+//# sourceMappingURL=build.js.map

package/build/src/build.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/build.ts"],"names":[],"mappings":";;;AAAA,2DAAkD;AA0BlD,IAAI,SAAmC,CAAC;AAExC;;;;GAIG;AACH,SAAgB,eAAe;IAC7B,IAAI,SAAS,IAAI,IAAI,EAAE,CAAC;QACtB,SAAS,GAAG;YACV,OAAO,EAAE,IAAA,iCAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE;YACnG,IAAI,EAAE,IAAA,iCAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE;YAClE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;gBACnC,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE;gBACxE,CAAC,CAAC,EAAE;SACP,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAXD,0CAWC"}

package/build/src/data.d.ts

@@ -0,0 +1,28 @@
+export interface TagsData {
+    /**
+     * What is the highest importance data in this storage location
+     *
+     * For example a public master data archive s3://nz-imagery is `archive`
+     */
+    role: TagDataRole;
+    /**
+     * Is this data public,
+     *
+     * For example a public bucket such as `s3://nz-imagery`
+     *
+     * @defaultValue false
+     */
+    isPublic: boolean;
+    /**
+     * Does this construct contain the master source of data
+     *
+     * for example the public imagery archive `s3://nz-imagery`
+     *
+     * @defaultValue false
+     */
+    isMaster: boolean;
+}
+export declare enum TagDataRole {
+    Primary = "primary",
+    Archive = "archive"
+}

package/build/src/data.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TagDataRole = void 0;
+var TagDataRole;
+(function (TagDataRole) {
+    TagDataRole["Primary"] = "primary";
+    TagDataRole["Archive"] = "archive";
+})(TagDataRole || (exports.TagDataRole = TagDataRole = {}));
+//# sourceMappingURL=data.js.map

package/build/src/data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data.js","sourceRoot":"","sources":["../../src/data.ts"],"names":[],"mappings":";;;AA0BA,IAAY,WAGX;AAHD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,kCAAmB,CAAA;AACrB,CAAC,EAHW,WAAW,2BAAX,WAAW,QAGtB"}

package/build/src/index.d.ts

@@ -0,0 +1,3 @@
+export { getGitBuildInfo } from './build.js';
+export { SecurityClassification } from './security.js';
+export { applyTags, applyTagsData } from './tags.js';

package/build/src/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyTagsData = exports.applyTags = exports.SecurityClassification = exports.getGitBuildInfo = void 0;
+var build_js_1 = require("./build.js");
+Object.defineProperty(exports, "getGitBuildInfo", { enumerable: true, get: function () { return build_js_1.getGitBuildInfo; } });
+var security_js_1 = require("./security.js");
+Object.defineProperty(exports, "SecurityClassification", { enumerable: true, get: function () { return security_js_1.SecurityClassification; } });
+var tags_js_1 = require("./tags.js");
+Object.defineProperty(exports, "applyTags", { enumerable: true, get: function () { return tags_js_1.applyTags; } });
+Object.defineProperty(exports, "applyTagsData", { enumerable: true, get: function () { return tags_js_1.applyTagsData; } });
+//# sourceMappingURL=index.js.map

package/build/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,uCAA6C;AAApC,2GAAA,eAAe,OAAA;AACxB,6CAAuD;AAA9C,qHAAA,sBAAsB,OAAA;AAC/B,qCAAqD;AAA5C,oGAAA,SAAS,OAAA;AAAE,wGAAA,aAAa,OAAA"}

package/build/src/security.d.ts

@@ -0,0 +1,13 @@
+/**
+ * NZ Security classification
+ * @see https://www.digital.govt.nz/standards-and-guidance/governance/managing-online-channels/security-and-privacy-for-websites/foundations/classify-information/
+ */
+export declare enum SecurityClassification {
+    Unclassified = "unclassified",
+    InConfidence = "in-confidence",
+    Sensitive = "sensitive",
+    Restricted = "restricted",
+    Confidential = "confidential",
+    Secret = "secret",
+    TopSecret = "top-secret"
+}

package/build/src/security.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityClassification = void 0;
+/**
+ * NZ Security classification
+ * @see https://www.digital.govt.nz/standards-and-guidance/governance/managing-online-channels/security-and-privacy-for-websites/foundations/classify-information/
+ */
+var SecurityClassification;
+(function (SecurityClassification) {
+    SecurityClassification["Unclassified"] = "unclassified";
+    SecurityClassification["InConfidence"] = "in-confidence";
+    SecurityClassification["Sensitive"] = "sensitive";
+    SecurityClassification["Restricted"] = "restricted";
+    SecurityClassification["Confidential"] = "confidential";
+    SecurityClassification["Secret"] = "secret";
+    SecurityClassification["TopSecret"] = "top-secret";
+})(SecurityClassification || (exports.SecurityClassification = SecurityClassification = {}));
+//# sourceMappingURL=security.js.map

package/build/src/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/security.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,IAAY,sBAQX;AARD,WAAY,sBAAsB;IAChC,uDAA6B,CAAA;IAC7B,wDAA8B,CAAA;IAC9B,iDAAuB,CAAA;IACvB,mDAAyB,CAAA;IACzB,uDAA6B,CAAA;IAC7B,2CAAiB,CAAA;IACjB,kDAAwB,CAAA;AAC1B,CAAC,EARW,sBAAsB,sCAAtB,sBAAsB,QAQjC"}

package/build/src/tags.d.ts

@@ -0,0 +1,49 @@
+import { IConstruct } from 'constructs';
+import { TagsData } from './data.js';
+import { SecurityClassification } from './security.js';
+export interface TagsBase {
+    /**
+     * Environment of the resource
+     *
+     * @example 'prod'
+     *
+     * @see AwsEnv in @linz/accounts
+     */
+    environment: 'nonprod' | 'preprod' | 'prod';
+    /**
+     * Application name
+     *
+     * @example "basemaps"
+     */
+    application: string;
+    /**
+     * Human friendly name for LINZ group that the resources belong to
+     *
+     * @example "step" or "li"
+     */
+    group: string;
+    /**
+     * Git repository that this construct belongs to
+     *
+     * @example
+     * ```typescript
+     * "linz/basemaps"
+     * "linz/lds-cache"
+     * ```
+     *
+     * Uses the $GITHUB_REPOSITORY env var by default
+     *
+     * @default "$GITHUB_REPOSITORY"
+     */
+    repository?: string;
+    /**
+     * Security classification of the construct
+     *
+     * @see https://www.digital.govt.nz/standards-and-guidance/governance/managing-online-channels/security-and-privacy-for-websites/foundations/classify-information/
+     */
+    classification: SecurityClassification;
+    /** Data classification tags */
+    data?: TagsData;
+}
+export declare function applyTags(construct: IConstruct, ctx: TagsBase): void;
+export declare function applyTagsData(construct: IConstruct, tags: TagsData): void;

package/build/src/tags.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyTagsData = exports.applyTags = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const build_js_1 = require("./build.js");
+const security_js_1 = require("./security.js");
+// Apply a tag but skip application of tag if the value is undefined or empty
+function tag(construct, key, value) {
+    if (value == null)
+        return;
+    if (value === '')
+        return;
+    aws_cdk_lib_1.Tags.of(construct).add(key, value);
+}
+function applyTags(construct, ctx) {
+    // TODO is this check valid here?
+    if (ctx.data?.isPublic && ctx.classification !== security_js_1.SecurityClassification.Unclassified) {
+        throw new Error('Only unclassified constructs can be made public');
+    }
+    const buildInfo = (0, build_js_1.getGitBuildInfo)();
+    // applications tags
+    tag(construct, 'linz:app:name', ctx.application);
+    tag(construct, 'linz:app:version', buildInfo.version);
+    tag(construct, 'linz:environment', ctx.environment);
+    // Ownership tags
+    tag(construct, 'linz:group', ctx.group);
+    // Git Tags
+    tag(construct, 'linz:git:hash', buildInfo.hash);
+    tag(construct, 'linz:git:repository', process.env['GITHUB_REPOSITORY'] ?? ctx.repository);
+    // Github actions build information
+    tag(construct, 'linz:build:id', buildInfo.buildId);
+    // Security
+    tag(construct, 'linz:security:classification', ctx.classification);
+    if (ctx.data)
+        applyTagsData(construct, ctx.data);
+}
+exports.applyTags = applyTags;
+function applyTagsData(construct, tags) {
+    tag(construct, 'linz:data:role', tags.role);
+    tag(construct, 'linz:data:is-master', String(tags.isMaster ?? false));
+    tag(construct, 'linz:data:is-public', String(tags.isPublic ?? false));
+}
+exports.applyTagsData = applyTagsData;
+//# sourceMappingURL=tags.js.map

package/build/src/tags.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tags.js","sourceRoot":"","sources":["../../src/tags.ts"],"names":[],"mappings":";;;AAAA,6CAAmC;AAGnC,yCAA6C;AAE7C,+CAAuD;AAoDvD,6EAA6E;AAC7E,SAAS,GAAG,CAAC,SAAqB,EAAE,GAAW,EAAE,KAAgC;IAC/E,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO;IAC1B,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO;IAEzB,kBAAI,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AACrC,CAAC;AAED,SAAgB,SAAS,CAAC,SAAqB,EAAE,GAAa;IAC5D,iCAAiC;IACjC,IAAI,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,GAAG,CAAC,cAAc,KAAK,oCAAsB,CAAC,YAAY,EAAE,CAAC;QACrF,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,SAAS,GAAG,IAAA,0BAAe,GAAE,CAAC;IAEpC,oBAAoB;IACpB,GAAG,CAAC,SAAS,EAAE,eAAe,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACjD,GAAG,CAAC,SAAS,EAAE,kBAAkB,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IACtD,GAAG,CAAC,SAAS,EAAE,kBAAkB,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IAEpD,iBAAiB;IACjB,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;IAExC,WAAW;IACX,GAAG,CAAC,SAAS,EAAE,eAAe,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;IAChD,GAAG,CAAC,SAAS,EAAE,qBAAqB,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAE1F,mCAAmC;IACnC,GAAG,CAAC,SAAS,EAAE,eAAe,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IAEnD,WAAW;IACX,GAAG,CAAC,SAAS,EAAE,8BAA8B,EAAE,GAAG,CAAC,cAAc,CAAC,CAAC;IACnE,IAAI,GAAG,CAAC,IAAI;QAAE,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;AACnD,CAAC;AAzBD,8BAyBC;AAED,SAAgB,aAAa,CAAC,SAAqB,EAAE,IAAc;IACjE,GAAG,CAAC,SAAS,EAAE,gBAAgB,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,GAAG,CAAC,SAAS,EAAE,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;IACtE,GAAG,CAAC,SAAS,EAAE,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;AACxE,CAAC;AAJD,sCAIC"}