@lsts_tech/infra 1.0.0

package/dist/stacks/Pipeline.js

@@ -0,0 +1,311 @@
+/**
+ * Pipeline — AWS CodePipeline + CodeBuild CI/CD Construct
+ *
+ * Creates a fully managed CI/CD pipeline using AWS-native services:
+ * - CodeStar Connection → GitHub (source)
+ * - CodeBuild → builds & deploys via SST
+ * - CodePipeline → orchestrates source → build
+ *
+ * Each pipeline is branch-aware: push to a branch triggers deployment
+ * to the corresponding SST stage.
+ *
+ * Security:
+ * - No AWS credentials stored in GitHub
+ * - Secrets fetched from SSM Parameter Store at build time
+ * - IAM roles scoped per pipeline
+ *
+ * @example
+ * ```ts
+ * createPipeline({
+ *   name: "myapp-prod",
+ *   repo: "myorg/myapp",
+ *   branch: "main",
+ *   stage: "production",
+ *   region: "us-east-1",
+ * });
+ * ```
+ */
+/**
+ * Creates an AWS CodePipeline with CodeBuild for SST deployments.
+ *
+ * Architecture:
+ *   GitHub (push) → CodeStar Connection → CodePipeline → CodeBuild → SST Deploy
+ *
+ * The pipeline:
+ * 1. Detects push to the configured branch via webhook
+ * 2. Pulls source code from GitHub
+ * 3. CodeBuild installs dependencies, builds the monorepo, and runs `sst deploy`
+ * 4. SST deploys the Next.js app to Lambda + CloudFront + S3
+ */
+export function createPipeline(config) {
+    const { name, repo, branch, stage, region = "us-east-1", nodeVersion = "22", pnpmVersion = "9.15.0", infraPath = "packages/infra", buildEnv = {}, computeType = "BUILD_GENERAL1_MEDIUM", timeoutMinutes = 30, codestarConnectionArn, projectTag, } = config;
+    // ── 1. CodeStar Connection (GitHub) ──────────────────────────────────
+    // If no existing connection ARN is provided, create a new one.
+    // NOTE: New connections require manual confirmation in the AWS Console:
+    //   Developer Tools → Settings → Connections → Pending → Update pending connection
+    // Allow providing the connection ARN via config or environment for deterministic
+    // deployments. Prefer explicit `codestarConnectionArn`, then an env var, then
+    // create a new connection if neither is provided.
+    const envKey = `${name.toUpperCase().replace(/[^A-Z0-9]/g, "_")}_CODESTAR_CONNECTION_ARN`;
+    const envConnectionArn = process.env[envKey] || process.env.CODESTAR_CONNECTION_ARN;
+    const connection = codestarConnectionArn || envConnectionArn
+        ? { arn: (codestarConnectionArn || envConnectionArn) }
+        : (() => {
+            const conn = new aws.codestarconnections.Connection(`${name}-github-connection`, {
+                name: `${name}-github`,
+                providerType: "GitHub",
+            });
+            return { arn: conn.arn };
+        })();
+    // ── 2. S3 Artifact Bucket ───────────────────────────────────────────
+    const artifactBucket = new aws.s3.BucketV2(`${name}-artifacts`, {
+        bucketPrefix: `${name}-pipeline-artifacts`,
+        forceDestroy: true,
+    });
+    // tags to mark infra-managed critical resources so we can protect them
+    const commonTags = {
+        Project: projectTag ?? name.split("-")[0],
+        ManagedBy: "infra",
+        Stage: stage,
+        Protected: "true",
+    };
+    new aws.s3.BucketLifecycleConfigurationV2(`${name}-artifacts-lifecycle`, {
+        bucket: artifactBucket.id,
+        rules: [
+            {
+                id: "expire-artifacts",
+                status: "Enabled",
+                expiration: { days: 7 },
+            },
+        ],
+    });
+    // ── 3. IAM Role for CodeBuild ───────────────────────────────────────
+    const codebuildRole = new aws.iam.Role(`${name}-codebuild-role`, {
+        name: `${name}-codebuild-role`,
+        assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Principal: { Service: "codebuild.amazonaws.com" },
+                    Action: "sts:AssumeRole",
+                },
+            ],
+        }),
+    });
+    // CodeBuild needs broad permissions for SST deployments
+    // (CloudFormation, Lambda, S3, CloudFront, Route53, ACM, IAM, etc.)
+    new aws.iam.RolePolicyAttachment(`${name}-codebuild-admin`, {
+        role: codebuildRole.name,
+        policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
+    });
+    // ── 4. IAM Role for CodePipeline ────────────────────────────────────
+    const pipelineRole = new aws.iam.Role(`${name}-pipeline-role`, {
+        name: `${name}-pipeline-role`,
+        assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Principal: { Service: "codepipeline.amazonaws.com" },
+                    Action: "sts:AssumeRole",
+                },
+            ],
+        }),
+    });
+    const pipelinePolicy = new aws.iam.RolePolicy(`${name}-pipeline-policy`, {
+        role: pipelineRole.id,
+        policy: $jsonStringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "s3:GetObject",
+                        "s3:GetObjectVersion",
+                        "s3:GetBucketVersioning",
+                        "s3:PutObjectAcl",
+                        "s3:PutObject",
+                    ],
+                    Resource: [$interpolate `${artifactBucket.arn}`, $interpolate `${artifactBucket.arn}/*`],
+                },
+                {
+                    Effect: "Allow",
+                    Action: ["codestar-connections:UseConnection"],
+                    Resource: [connection.arn],
+                },
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "codebuild:BatchGetBuilds",
+                        "codebuild:StartBuild",
+                    ],
+                    Resource: ["*"],
+                },
+            ],
+        }),
+    });
+    // ── 5. CodeBuild Project ────────────────────────────────────────────
+    const buildEnvVars = [
+        { name: "SST_STAGE", value: stage },
+        { name: "NODE_VERSION", value: nodeVersion },
+        { name: "PNPM_VERSION", value: pnpmVersion },
+        { name: "INFRA_PATH", value: infraPath },
+        ...Object.entries(buildEnv).map(([key, value]) => ({
+            name: key,
+            value,
+            type: value.startsWith("arn:aws:ssm:") ? "PARAMETER_STORE" : "PLAINTEXT",
+        })),
+    ];
+    const codebuildProject = new aws.codebuild.Project(`${name}-build`, {
+        name: `${name}-build`,
+        description: `Build & deploy ${name} (stage: ${stage}) via SST`,
+        serviceRole: codebuildRole.arn,
+        buildTimeout: timeoutMinutes,
+        environment: {
+            computeType,
+            image: "aws/codebuild/amazonlinux2-x86_64-standard:5.0",
+            type: "LINUX_CONTAINER",
+            environmentVariables: buildEnvVars,
+        },
+        source: {
+            type: "CODEPIPELINE",
+            buildspec: `${infraPath}/buildspec.yml`,
+        },
+        artifacts: {
+            type: "CODEPIPELINE",
+        },
+        logsConfig: {
+            cloudwatchLogs: {
+                groupName: `/codebuild/${name}`,
+                streamName: "build-log",
+            },
+        },
+        // tag build resources for ownership and automated checks
+        tags: commonTags,
+    });
+    // Ensure the pipeline role can start the CodeBuild project used by the pipeline.
+    // CodePipeline assumes `pipelineRole` and must be allowed to call `codebuild:StartBuild`.
+    new aws.iam.RolePolicy(`${name}-pipeline-codebuild-start`, {
+        role: pipelineRole.id,
+        policy: $jsonStringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
+                    Resource: [$interpolate `${codebuildProject.arn}`],
+                },
+            ],
+        }),
+    });
+    // Ensure pipeline role can operate on the artifact S3 bucket (upload/download artifacts)
+    new aws.iam.RolePolicy(`${name}-pipeline-s3`, {
+        role: pipelineRole.id,
+        policy: $jsonStringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectVersion"],
+                    Resource: [$interpolate `${artifactBucket.arn}/*`],
+                },
+                {
+                    Effect: "Allow",
+                    Action: ["s3:ListBucket", "s3:GetBucketLocation"],
+                    Resource: [$interpolate `${artifactBucket.arn}`],
+                },
+            ],
+        }),
+    });
+    // Ensure pipeline role can use the CodeStar Connection (GitHub) for source actions
+    new aws.iam.RolePolicy(`${name}-pipeline-codestar`, {
+        role: pipelineRole.id,
+        policy: $jsonStringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: ["codestar-connections:UseConnection", "codestar-connections:GetConnection"],
+                    Resource: [connection.arn],
+                },
+            ],
+        }),
+    });
+    // ── 6. CodePipeline ─────────────────────────────────────────────────
+    const pipeline = new aws.codepipeline.Pipeline(`${name}-pipeline`, {
+        name: `${name}-pipeline`,
+        roleArn: pipelineRole.arn,
+        pipelineType: "V2",
+        artifactStores: [
+            {
+                location: artifactBucket.bucket,
+                type: "S3",
+            },
+        ],
+        stages: [
+            {
+                name: "Source",
+                actions: [
+                    {
+                        name: "GitHub-Source",
+                        category: "Source",
+                        owner: "AWS",
+                        provider: "CodeStarSourceConnection",
+                        version: "1",
+                        outputArtifacts: ["source_output"],
+                        configuration: {
+                            ConnectionArn: connection.arn,
+                            FullRepositoryId: repo,
+                            BranchName: branch,
+                            OutputArtifactFormat: "CODE_ZIP",
+                            DetectChanges: "true",
+                        },
+                    },
+                ],
+            },
+            {
+                name: "Build-Deploy",
+                actions: [
+                    {
+                        name: "SST-Deploy",
+                        category: "Build",
+                        owner: "AWS",
+                        provider: "CodeBuild",
+                        inputArtifacts: ["source_output"],
+                        version: "1",
+                        configuration: {
+                            ProjectName: codebuildProject.name,
+                        },
+                    },
+                ],
+            },
+        ],
+        triggers: [
+            {
+                providerType: "CodeStarSourceConnection",
+                gitConfiguration: {
+                    sourceActionName: "GitHub-Source",
+                    pushes: [
+                        {
+                            branches: {
+                                includes: [branch],
+                            },
+                        },
+                    ],
+                },
+            },
+        ],
+        // ensure the pipeline is tagged so it can be identified
+        tags: commonTags,
+    });
+    return {
+        pipeline,
+        codebuildProject,
+        connection,
+        artifactBucket,
+        pipelineName: pipeline.name,
+        pipelineArn: pipeline.arn,
+    };
+}
+//# sourceMappingURL=Pipeline.js.map

package/dist/stacks/Pipeline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Pipeline.js","sourceRoot":"","sources":["../../stacks/Pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAmFH;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,MAAsB;IACnD,MAAM,EACJ,IAAI,EACJ,IAAI,EACJ,MAAM,EACN,KAAK,EACL,MAAM,GAAG,WAAW,EACpB,WAAW,GAAG,IAAI,EAClB,WAAW,GAAG,QAAQ,EACtB,SAAS,GAAG,gBAAgB,EAC5B,QAAQ,GAAG,EAAE,EACb,WAAW,GAAG,uBAAuB,EACrC,cAAc,GAAG,EAAE,EACnB,qBAAqB,EACrB,UAAU,GACX,GAAG,MAAM,CAAC;IAEX,wEAAwE;IACxE,+DAA+D;IAC/D,wEAAwE;IACxE,mFAAmF;IACnF,iFAAiF;IACjF,8EAA8E;IAC9E,kDAAkD;IAClD,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,0BAA0B,CAAC;IAC1F,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAEpF,MAAM,UAAU,GAAG,qBAAqB,IAAI,gBAAgB;QAC1D,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,qBAAqB,IAAI,gBAAgB,CAAC,EAAE;QACtD,CAAC,CAAC,CAAC,GAAG,EAAE;YACN,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,UAAU,CACjD,GAAG,IAAI,oBAAoB,EAC3B;gBACE,IAAI,EAAE,GAAG,IAAI,SAAS;gBACtB,YAAY,EAAE,QAAQ;aACvB,CACF,CAAC;YACF,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC3B,CAAC,CAAC,EAAE,CAAC;IAEP,uEAAuE;IACvE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,IAAI,YAAY,EAAE;QAC9D,YAAY,EAAE,GAAG,IAAI,qBAAqB;QAC1C,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,UAAU,GAAG;QACjB,OAAO,EAAE,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzC,SAAS,EAAE,OAAO;QAClB,KAAK,EAAE,KAAK;QACZ,SAAS,EAAE,MAAM;KAClB,CAAC;IAEF,IAAI,GAAG,CAAC,EAAE,CAAC,8BAA8B,CAAC,GAAG,IAAI,sBAAsB,EAAE;QACvE,MAAM,EAAE,cAAc,CAAC,EAAE;QACzB,KAAK,EAAE;YACL;gBACE,EAAE,EAAE,kBAAkB;gBACtB,MAAM,EAAE,SAAS;gBACjB,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE;aACxB;SACF;KACF,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,iBAAiB,EAAE;QAC/D,IAAI,EAAE,GAAG,IAAI,iBAAiB;QAC9B,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC;YAC/B,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,SAAS,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACjD,MAAM,EAAE,gBAAgB;iBACzB;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,wDAAwD;IACxD,oEAAoE;IACpE,IAAI,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,IAAI,kBAAkB,EAAE;QAC1D,IAAI,EAAE,aAAa,CAAC,IAAI;QACxB,SAAS,EAAE,6CAA6C;KACzD,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,gBAAgB,EAAE;QAC7D,IAAI,EAAE,GAAG,IAAI,gBAAgB;QAC7B,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC;YAC/B,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,SAAS,EAAE,EAAE,OAAO,EAAE,4BAA4B,EAAE;oBACpD,MAAM,EAAE,gBAAgB;iBACzB;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,kBAAkB,EAAE;QACvE,IAAI,EAAE,YAAY,CAAC,EAAE;QACrB,MAAM,EAAE,cAAc,CAAC;YACrB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,cAAc;wBACd,qBAAqB;wBACrB,wBAAwB;wBACxB,iBAAiB;wBACjB,cAAc;qBACf;oBACD,QAAQ,EAAE,CAAC,YAAY,CAAA,GAAG,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,CAAA,GAAG,cAAc,CAAC,GAAG,IAAI,CAAC;iBACvF;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,oCAAoC,CAAC;oBAC9C,QAAQ,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;iBAC3B;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,0BAA0B;wBAC1B,sBAAsB;qBACvB;oBACD,QAAQ,EAAE,CAAC,GAAG,CAAC;iBAChB;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,YAAY,GAAG;QACnB,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE;QACnC,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE;QAC5C,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE;QAC5C,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,SAAS,EAAE;QACxC,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,GAAG;YACT,KAAK;YACL,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,WAAW;SACzE,CAAC,CAAC;KACJ,CAAC;IAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,QAAQ,EAAE;QAClE,IAAI,EAAE,GAAG,IAAI,QAAQ;QACrB,WAAW,EAAE,kBAAkB,IAAI,YAAY,KAAK,WAAW;QAC/D,WAAW,EAAE,aAAa,CAAC,GAAG;QAC9B,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE;YACX,WAAW;YACX,KAAK,EAAE,gDAAgD;YACvD,IAAI,EAAE,iBAAiB;YACvB,oBAAoB,EAAE,YAAY;SACnC;QACD,MAAM,EAAE;YACN,IAAI,EAAE,cAAc;YACpB,SAAS,EAAE,GAAG,SAAS,gBAAgB;SACxC;QACD,SAAS,EAAE;YACT,IAAI,EAAE,cAAc;SACrB;QACD,UAAU,EAAE;YACV,cAAc,EAAE;gBACd,SAAS,EAAE,cAAc,IAAI,EAAE;gBAC/B,UAAU,EAAE,WAAW;aACxB;SACF;QACD,yDAAyD;QACzD,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;IAEH,iFAAiF;IACjF,0FAA0F;IAC1F,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,2BAA2B,EAAE;QACzD,IAAI,EAAE,YAAY,CAAC,EAAE;QACrB,MAAM,EAAE,cAAc,CAAC;YACrB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,sBAAsB,EAAE,0BAA0B,CAAC;oBAC5D,QAAQ,EAAE,CAAC,YAAY,CAAA,GAAG,gBAAgB,CAAC,GAAG,EAAE,CAAC;iBAClD;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,yFAAyF;IACzF,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,cAAc,EAAE;QAC5C,IAAI,EAAE,YAAY,CAAC,EAAE;QACrB,MAAM,EAAE,cAAc,CAAC;YACrB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,qBAAqB,CAAC;oBAClF,QAAQ,EAAE,CAAC,YAAY,CAAA,GAAG,cAAc,CAAC,GAAG,IAAI,CAAC;iBAClD;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,eAAe,EAAE,sBAAsB,CAAC;oBACjD,QAAQ,EAAE,CAAC,YAAY,CAAA,GAAG,cAAc,CAAC,GAAG,EAAE,CAAC;iBAChD;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,mFAAmF;IACnF,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,oBAAoB,EAAE;QAClD,IAAI,EAAE,YAAY,CAAC,EAAE;QACrB,MAAM,EAAE,cAAc,CAAC;YACrB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,oCAAoC,EAAE,oCAAoC,CAAC;oBACpF,QAAQ,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;iBAC3B;aACF;SACF,CAAC;KACH,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,IAAI,WAAW,EAAE;QACjE,IAAI,EAAE,GAAG,IAAI,WAAW;QACxB,OAAO,EAAE,YAAY,CAAC,GAAG;QACzB,YAAY,EAAE,IAAI;QAClB,cAAc,EAAE;YACd;gBACE,QAAQ,EAAE,cAAc,CAAC,MAAM;gBAC/B,IAAI,EAAE,IAAI;aACX;SACF;QACD,MAAM,EAAE;YACN;gBACE,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,eAAe;wBACrB,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,KAAK;wBACZ,QAAQ,EAAE,0BAA0B;wBACpC,OAAO,EAAE,GAAG;wBACZ,eAAe,EAAE,CAAC,eAAe,CAAC;wBAClC,aAAa,EAAE;4BACb,aAAa,EAAE,UAAU,CAAC,GAAG;4BAC7B,gBAAgB,EAAE,IAAI;4BACtB,UAAU,EAAE,MAAM;4BAClB,oBAAoB,EAAE,UAAU;4BAChC,aAAa,EAAE,MAAM;yBACtB;qBACF;iBACF;aACF;YACD;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,YAAY;wBAClB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,KAAK;wBACZ,QAAQ,EAAE,WAAW;wBACrB,cAAc,EAAE,CAAC,eAAe,CAAC;wBACjC,OAAO,EAAE,GAAG;wBACZ,aAAa,EAAE;4BACb,WAAW,EAAE,gBAAgB,CAAC,IAAI;yBACnC;qBACF;iBACF;aACF;SACF;QACD,QAAQ,EAAE;YACR;gBACE,YAAY,EAAE,0BAA0B;gBACxC,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,eAAe;oBACjC,MAAM,EAAE;wBACN;4BACE,QAAQ,EAAE;gCACR,QAAQ,EAAE,CAAC,MAAM,CAAC;6BACnB;yBACF;qBACF;iBACF;aACF;SACF;QACD,wDAAwD;QACxD,IAAI,EAAE,UAAU;KACjB,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,gBAAgB;QAChB,UAAU;QACV,cAAc;QACd,YAAY,EAAE,QAAQ,CAAC,IAAI;QAC3B,WAAW,EAAE,QAAQ,CAAC,GAAG;KAC1B,CAAC;AACJ,CAAC"}

package/dist/stacks/index.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @lsts_tech/infra — Opinionated SST v3 Infrastructure Constructs
+ *
+ * This package provides reusable, cloud-agnostic infrastructure primitives
+ * for deploying Next.js and Expo web apps from a pnpm/Turborepo monorepo
+ * using SST v3 and AWS CodePipeline.
+ *
+ * Configure your project-specific settings in an `infra.config.ts` file
+ * at your infra package root. Run `npx @lsts_tech/infra init` to scaffold one.
+ *
+ * @example
+ * ```ts
+ * // infra.config.ts (your project)
+ * import { resolveDomain, createNextSite, createPipeline } from "@lsts_tech/infra";
+ *
+ * export function createInfrastructure() {
+ *   const stage = $app.stage;
+ *   const { domain, domainName } = resolveDomain({
+ *     rootDomain: "example.com",
+ *     stage,
+ *   });
+ *
+ *   const { site, url } = createNextSite({
+ *     appPath: "../../apps/web",
+ *     id: `web-${stage}`,
+ *     domain,
+ *   });
+ *
+ *   return { siteUrl: url, domain: domainName };
+ * }
+ * ```
+ */
+export { resolveDomain } from "./Dns.js";
+export type { DnsConfig, DomainResult } from "./Dns.js";
+export { createNextSite } from "./NextSite.js";
+export type { NextSiteConfig } from "./NextSite.js";
+export { createExpoSite } from "./ExpoSite.js";
+export type { ExpoSiteConfig } from "./ExpoSite.js";
+export { createPipeline } from "./Pipeline.js";
+export type { PipelineConfig } from "./Pipeline.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/stacks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../stacks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}

package/dist/stacks/index.js

@@ -0,0 +1,38 @@
+/**
+ * @lsts_tech/infra — Opinionated SST v3 Infrastructure Constructs
+ *
+ * This package provides reusable, cloud-agnostic infrastructure primitives
+ * for deploying Next.js and Expo web apps from a pnpm/Turborepo monorepo
+ * using SST v3 and AWS CodePipeline.
+ *
+ * Configure your project-specific settings in an `infra.config.ts` file
+ * at your infra package root. Run `npx @lsts_tech/infra init` to scaffold one.
+ *
+ * @example
+ * ```ts
+ * // infra.config.ts (your project)
+ * import { resolveDomain, createNextSite, createPipeline } from "@lsts_tech/infra";
+ *
+ * export function createInfrastructure() {
+ *   const stage = $app.stage;
+ *   const { domain, domainName } = resolveDomain({
+ *     rootDomain: "example.com",
+ *     stage,
+ *   });
+ *
+ *   const { site, url } = createNextSite({
+ *     appPath: "../../apps/web",
+ *     id: `web-${stage}`,
+ *     domain,
+ *   });
+ *
+ *   return { siteUrl: url, domain: domainName };
+ * }
+ * ```
+ */
+// ── Re-exports ─────────────────────────────────────────────────────────
+export { resolveDomain } from "./Dns.js";
+export { createNextSite } from "./NextSite.js";
+export { createExpoSite } from "./ExpoSite.js";
+export { createPipeline } from "./Pipeline.js";
+//# sourceMappingURL=index.js.map

package/dist/stacks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../stacks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,0EAA0E;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG/C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG/C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}

package/docs/CLI.md

@@ -0,0 +1,59 @@
+# CLI Reference
+
+The package ships with a bootstrap CLI:
+
+```bash
+npx @lsts_tech/infra init [options]
+```
+
+Provider support in v1.0.0: AWS only.
+
+## Options
+
+| Option | Description | Default |
+|---|---|---|
+| `--provider <name>` | Cloud provider (`aws`) | `aws` |
+| `--project <slug>` | Project prefix for app/pipelines/tags | `myapp` |
+| `--app-name <name>` | SST app name | `--project` |
+| `--domain <domain>` | Root domain | `example.com` |
+| `--repo <owner/repo>` | GitHub repo for CodePipeline source | `myorg/myrepo` |
+| `--pipelines <list>` | Comma list: `production,dev,mobile` or `none` | `production,dev` |
+| `--branch-prod <branch>` | Production pipeline branch | `main` |
+| `--branch-dev <branch>` | Dev pipeline branch | `develop` |
+| `--branch-mobile <branch>` | Mobile pipeline branch | `mobile` |
+| `--with-expo` | Enable Expo web deployment defaults | `false` |
+| `--infra-path <path>` | Infra path from monorepo root | `packages/infra` |
+| `--target <path>` | Scaffold destination directory | `.` |
+| `--force` | Overwrite existing files | `false` |
+| `--help` | Print help | - |
+
+## Generated Files
+
+- `sst.config.ts`
+- `sst-env.d.ts`
+- `infra.config.ts`
+- `.env.example`
+- `buildspec.yml`
+- `schemas/secrets.schema.json`
+- `scripts/ensure-pipelines.sh`
+
+## Example Commands
+
+```bash
+# Next.js only, production+dev pipelines
+npx @lsts_tech/infra init \
+  --project acme \
+  --domain acme.com \
+  --repo acme/web
+
+# Next.js + Expo Web + mobile pipeline
+npx @lsts_tech/infra init \
+  --project acme \
+  --domain acme.com \
+  --repo acme/web \
+  --with-expo \
+  --pipelines production,dev,mobile
+
+# Re-generate into packages/infra and overwrite existing files
+npx @lsts_tech/infra init --target packages/infra --force
+```

package/docs/CONFIGURATION.md

@@ -0,0 +1,78 @@
+# Configuration Guide
+
+## Environment Variables
+
+The scaffolded `infra.config.ts` is environment-driven.
+
+| Variable | Required | Description |
+|---|---|---|
+| `INFRA_APP_NAME` | No | SST app name |
+| `INFRA_ROOT_DOMAIN` | Yes | Root domain for stage resolution |
+| `INFRA_PIPELINE_REPO` | No | GitHub repo in `owner/repo` format |
+| `INFRA_PIPELINE_PREFIX` | No | Prefix for pipeline names |
+| `INFRA_PROJECT_TAG` | No | Resource tag value |
+| `INFRA_PIPELINES` | No | Pipeline stages CSV: `production,dev,mobile` |
+| `INFRA_PIPELINE_BRANCH_PROD` | No | Branch for production pipeline |
+| `INFRA_PIPELINE_BRANCH_DEV` | No | Branch for dev pipeline |
+| `INFRA_PIPELINE_BRANCH_MOBILE` | No | Branch for mobile pipeline |
+| `INFRA_ENABLE_EXPO_SITE` | No | `true` enables Expo `StaticSite` deploy |
+
+### Domain Overrides (Optional)
+
+| Variable | Description |
+|---|---|
+| `INFRA_WEB_DOMAIN_PRODUCTION` | Web production domain |
+| `INFRA_WEB_DOMAIN_DEV` | Web dev domain |
+| `INFRA_WEB_DOMAIN_MOBILE` | Web mobile-stage domain |
+| `INFRA_EXPO_DOMAIN_PRODUCTION` | Expo production domain |
+| `INFRA_EXPO_DOMAIN_DEV` | Expo dev domain |
+| `INFRA_EXPO_DOMAIN_MOBILE` | Expo mobile-stage domain |
+
+## DNS Helper Script Overrides
+
+These are consumed by `predeploy-checks.sh` and `postdeploy-update-dns.sh` (typically via `buildspec.yml`):
+
+| Variable | Description |
+|---|---|
+| `DOMAIN_ROOT` | Base/root domain |
+| `DOMAIN_PRODUCTION` | Explicit production domain override |
+| `DOMAIN_DEV` | Explicit dev domain override |
+| `DOMAIN_MOBILE` | Explicit mobile domain override |
+| `DOMAIN_CUSTOM` | Explicit override for non-standard stage names |
+
+### Certificate Reuse (Optional)
+
+| Variable | Description |
+|---|---|
+| `INFRA_WEB_CERT_ARN_PRODUCTION` | Existing ACM cert ARN for web prod domain |
+| `INFRA_WEB_CERT_ARN_DEV` | Existing ACM cert ARN for web dev domain |
+| `INFRA_WEB_CERT_ARN_MOBILE` | Existing ACM cert ARN for web mobile-stage domain |
+| `INFRA_EXPO_CERT_ARN_PRODUCTION` | Existing ACM cert ARN for expo prod domain |
+| `INFRA_EXPO_CERT_ARN_DEV` | Existing ACM cert ARN for expo dev domain |
+| `INFRA_EXPO_CERT_ARN_MOBILE` | Existing ACM cert ARN for expo mobile-stage domain |
+
+## SST Secrets
+
+Minimum secrets from the default template:
+
+- `DatabaseUrl`
+- `AuthSecret`
+
+Set per stage:
+
+```bash
+npx sst secrets set DatabaseUrl "postgresql://..." --stage dev
+npx sst secrets set AuthSecret "your-secret" --stage dev
+```
+
+## Pipeline Provisioning
+
+1. Ensure your `INFRA_PIPELINES` and branch variables are correct.
+2. Deploy once (`sst deploy`) from the infra package.
+3. Run:
+
+```bash
+APPROVE=true bash scripts/ensure-pipelines.sh
+```
+
+This script checks for missing pipelines and creates them by running stage-specific SST deploys.

package/docs/EXAMPLES.md

@@ -0,0 +1,9 @@
+# Examples
+
+- [`next-only/infra.config.ts`](../examples/next-only/infra.config.ts)
+  Next.js site + optional production/dev pipelines.
+
+- [`next-and-expo/infra.config.ts`](../examples/next-and-expo/infra.config.ts)
+  Next.js + Expo web static site + production/dev/mobile pipelines.
+
+Both examples are provider-scoped to AWS for v1.0.0.

package/examples/next-and-expo/infra.config.ts

@@ -0,0 +1,104 @@
+import { resolveDomain, createNextSite, createExpoSite, createPipeline } from "@lsts_tech/infra";
+
+const secrets = {
+  DatabaseUrl: new sst.Secret("DatabaseUrl"),
+  AuthSecret: new sst.Secret("AuthSecret"),
+};
+
+export function createInfrastructure() {
+  const stage = $app.stage;
+  const rootDomain = process.env.INFRA_ROOT_DOMAIN ?? "example.com";
+  const repo = process.env.INFRA_PIPELINE_REPO ?? "myorg/myrepo";
+  const prefix = process.env.INFRA_PIPELINE_PREFIX ?? "myapp";
+
+  const webDomain = resolveDomain({
+    rootDomain,
+    stage,
+    stageMap: {
+      production: process.env.INFRA_WEB_DOMAIN_PRODUCTION ?? rootDomain,
+      dev: process.env.INFRA_WEB_DOMAIN_DEV ?? `dev.${rootDomain}`,
+      mobile: process.env.INFRA_WEB_DOMAIN_MOBILE ?? `api.${rootDomain}`,
+    },
+  });
+
+  const web = createNextSite({
+    appPath: "../../apps/web",
+    id: `web-${stage}`,
+    domain: webDomain.domain,
+    certificateArn: {
+      production: process.env.INFRA_WEB_CERT_ARN_PRODUCTION,
+      dev: process.env.INFRA_WEB_CERT_ARN_DEV,
+      mobile: process.env.INFRA_WEB_CERT_ARN_MOBILE,
+    }[stage],
+    environment: {
+      NEXT_PUBLIC_APP_URL: `https://${webDomain.domainName}`,
+      DATABASE_URL: secrets.DatabaseUrl.value,
+      AUTH_SECRET: secrets.AuthSecret.value,
+    },
+  });
+
+  const expoDomain = resolveDomain({
+    rootDomain,
+    stage,
+    stageMap: {
+      production: process.env.INFRA_EXPO_DOMAIN_PRODUCTION ?? `mobile.${rootDomain}`,
+      dev: process.env.INFRA_EXPO_DOMAIN_DEV ?? `dev.mobile.${rootDomain}`,
+      mobile: process.env.INFRA_EXPO_DOMAIN_MOBILE ?? `preview.mobile.${rootDomain}`,
+    },
+  });
+
+  const expo = createExpoSite({
+    appPath: "../../apps/mobile",
+    id: `mobile-${stage}`,
+    domain: expoDomain.domain,
+    certificateArn: {
+      production: process.env.INFRA_EXPO_CERT_ARN_PRODUCTION,
+      dev: process.env.INFRA_EXPO_CERT_ARN_DEV,
+      mobile: process.env.INFRA_EXPO_CERT_ARN_MOBILE,
+    }[stage],
+    environment: {
+      EXPO_PUBLIC_API_URL: `https://${webDomain.domainName}/api`,
+    },
+  });
+
+  const outputs: Record<string, unknown> = {
+    siteUrl: web.url,
+    domain: webDomain.domainName,
+    mobileUrl: expo.url,
+    mobileDomain: expoDomain.domainName,
+  };
+
+  if (stage === "production") {
+    const production = createPipeline({
+      name: `${prefix}-prod`,
+      repo,
+      branch: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "main",
+      stage: "production",
+      projectTag: process.env.INFRA_PROJECT_TAG ?? prefix,
+    });
+
+    const dev = createPipeline({
+      name: `${prefix}-dev`,
+      repo,
+      branch: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "develop",
+      stage: "dev",
+      projectTag: process.env.INFRA_PROJECT_TAG ?? prefix,
+    });
+
+    const mobile = createPipeline({
+      name: `${prefix}-mobile`,
+      repo,
+      branch: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "mobile",
+      stage: "mobile",
+      projectTag: process.env.INFRA_PROJECT_TAG ?? prefix,
+    });
+
+    outputs.pipelines = {
+      production: production.pipelineName,
+      dev: dev.pipelineName,
+      mobile: mobile.pipelineName,
+    };
+  }
+
+  return outputs;
+}