@medplum/cdk 3.1.10 → 3.2.0

@@ -1,2 +1,2 @@
1
- "use strict";var K=Object.defineProperty;var _e=Object.getOwnPropertyDescriptor;var Ue=Object.getOwnPropertyNames;var Be=Object.prototype.hasOwnProperty;var je=(e,t)=>{for(var r in t)K(e,r,{get:t[r],enumerable:!0})},Ge=(e,t,r,i)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of Ue(t))!Be.call(e,n)&&n!==r&&K(e,n,{get:()=>t[n],enumerable:!(i=_e(t,n))||i.enumerable});return e};var Fe=e=>Ge(K({},"__esModule",{value:!0}),e);var Vt={};je(Vt,{BackEnd:()=>j,CloudTrailAlarms:()=>$,FrontEnd:()=>L,MedplumGlobalStack:()=>J,MedplumPrimaryStack:()=>Q,MedplumStack:()=>G,Storage:()=>M,awsManagedRules:()=>O,main:()=>Me});module.exports=Fe(Vt);var Ne=require("aws-cdk-lib"),$e=require("fs"),Le=require("path");var V=require("@aws-sdk/client-ssm");var qe=class{constructor(e,t){this.operator=e,this.child=t}toString(){return`${this.operator}(${this.child.toString()})`}},B=class{constructor(e,t,r){this.operator=e,this.left=t,this.right=r}toString(){return`${this.left.toString()} ${this.operator} ${this.right.toString()}`}},We=class{constructor(){this.prefixParselets={},this.infixParselets={}}registerInfix(e,t){return this.infixParselets[e]=t,this}registerPrefix(e,t){return this.prefixParselets[e]=t,this}prefix(e,t,r){return this.registerPrefix(e,{parse(i,n){let s=i.consumeAndParse(t);return r(n,s)}})}infixLeft(e,t,r){return this.registerInfix(e,{parse(i,n,s){let a=i.consumeAndParse(t);return r(n,s,a)},precedence:t})}construct(e){return new He(e,this.prefixParselets,this.infixParselets)}},He=class{constructor(e,t,r){this.tokens=e,this.prefixParselets=t,this.infixParselets=r}hasMore(){return this.tokens.length>0}match(e){return this.peek()?.id!==e?!1:(this.consume(),!0)}consumeAndParse(e=1/0){let t=this.consume(),r=this.prefixParselets[t.id];if(!r)throw Error(`Parse error at "${t.value}" (line ${t.line}, column ${t.column}). 
No matching prefix parselet.`);let i=r.parse(this,t);for(;e>this.getPrecedence();){let n=this.consume();i=this.getInfixParselet(n).parse(this,i,n)}return i}getPrecedence(){let e=this.peek();if(!e)return 1/0;let t=this.getInfixParselet(e);return t?t.precedence:1/0}consume(e,t){if(!this.tokens.length)throw Error("Cant consume unknown more tokens.");if(e&&this.peek()?.id!==e){let r=this.peek();throw Error(`Expected ${e} but got "${r.id}" (${r.value}) at line ${r.line} column ${r.column}.`)}if(t&&this.peek()?.value!==t){let r=this.peek();throw Error(`Expected "${t}" but got "${r.value}" at line ${r.line} column ${r.column}.`)}return this.tokens.shift()}peek(){return this.tokens.length>0?this.tokens[0]:void 0}removeComments(){this.tokens=this.tokens.filter(e=>e.id!=="Comment")}getInfixParselet(e){return this.infixParselets[e.id==="Symbol"?e.value:e.id]}};function X(e,t){return{resourceType:"OperationOutcome",issue:[{severity:"error",code:"invalid",details:{text:e},...t?{expression:[t]}:void 0}]}}function k(e){return{resourceType:"OperationOutcome",issue:[{severity:"error",code:"structure",details:{text:e}}]}}var C=class extends Error{constructor(e,t){super(Ve(e)),this.outcome=e,this.cause=t}};function Ve(e){let t=e.issue?.map(ze)??[];return t.length>0?t.join("; "):"Unknown error"}function ze(e){let t;return e.details?.text?e.diagnostics?t=`${e.details.text} (${e.diagnostics})`:t=e.details.text:e.diagnostics?t=e.diagnostics:t="Unknown error",e.expression?.length&&(t+=` (${e.expression.join(", ")})`),t}function Qe(e,t){let r=t.max&&t.max===Number.MAX_SAFE_INTEGER?Number.POSITIVE_INFINITY:t.max;return{path:e,description:"",type:t.type??[],min:t.min??0,max:r??1,isArray:!!r&&r>1,constraints:[]}}function Je(e){let t=Object.create(null);for(let[r,i]of Object.entries(e))t[r]={name:r,elements:Object.fromEntries(Object.entries(i.elements).map(([n,s])=>[n,Qe(n,s)])),constraints:[],innerTypes:[]};return t}var 
Ye={Element:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]}}},BackboneElement:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]}}},Address:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},use:{type:[{code:"code"}]},type:{type:[{code:"code"}]},text:{type:[{code:"string"}]},line:{max:9007199254740991,type:[{code:"string"}]},city:{type:[{code:"string"}]},district:{type:[{code:"string"}]},state:{type:[{code:"string"}]},postalCode:{type:[{code:"string"}]},country:{type:[{code:"string"}]},period:{type:[{code:"Period"}]}}},Age:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},Annotation:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},"author[x]":{type:[{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Practitioner","http://hl7.org/fhir/StructureDefinition/Patient","http://hl7.org/fhir/StructureDefinition/RelatedPerson","http://hl7.org/fhir/StructureDefinition/Organization"]},{code:"string"}]},time:{type:[{code:"dateTime"}]},text:{min:1,type:[{code:"markdown"}]}}},Attachment:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},contentType:{type:[{code:"code"}]},language:{type:[{code:"code"}]},data:{type:[{code:"base64Binary"}]},url:{type:[{code:"url"}]},size:{type:[{code:"unsignedInt"}]},hash:{type:[{code:"base64Binary"}]},title:{type:[{code:"string"}]},creation:{type:[{code:"dateTime"}]}}},CodeableConcept:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},coding:{max:9007199254740991,type:[{code:"Codin
g"}]},text:{type:[{code:"string"}]}}},Coding:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},system:{type:[{code:"uri"}]},version:{type:[{code:"string"}]},code:{type:[{code:"code"}]},display:{type:[{code:"string"}]},userSelected:{type:[{code:"boolean"}]}}},ContactDetail:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},name:{type:[{code:"string"}]},telecom:{max:9007199254740991,type:[{code:"ContactPoint"}]}}},ContactPoint:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},system:{type:[{code:"code"}]},value:{type:[{code:"string"}]},use:{type:[{code:"code"}]},rank:{type:[{code:"positiveInt"}]},period:{type:[{code:"Period"}]}}},Contributor:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},type:{min:1,type:[{code:"code"}]},name:{min:1,type:[{code:"string"}]},contact:{max:9007199254740991,type:[{code:"ContactDetail"}]}}},Count:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},DataRequirement:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},type:{min:1,type:[{code:"code"}]},profile:{max:9007199254740991,type:[{code:"canonical",targetProfile:["http://hl7.org/fhir/StructureDefinition/StructureDefinition"]}]},"subject[x]":{type:[{code:"CodeableConcept"},{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Group"]}]},mustSupport:{max:9007199254740991,type:[{code:"string"}]},codeFilter:{max:9007199254740991,type:[{code:"DataRequirementCodeFilter"}]},dateFilter:{max:9007199254740991,type:[{code:"DataRequirementDateFilter"}]},limit:{type:[{code:"positiveInt"}]},sort:{max:9007199254740991,type:[{code:"DataRequirementSort"
}]}}},Distance:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},Dosage:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},sequence:{type:[{code:"integer"}]},text:{type:[{code:"string"}]},additionalInstruction:{max:9007199254740991,type:[{code:"CodeableConcept"}]},patientInstruction:{type:[{code:"string"}]},timing:{type:[{code:"Timing"}]},"asNeeded[x]":{type:[{code:"boolean"},{code:"CodeableConcept"}]},site:{type:[{code:"CodeableConcept"}]},route:{type:[{code:"CodeableConcept"}]},method:{type:[{code:"CodeableConcept"}]},doseAndRate:{max:9007199254740991,type:[{code:"DosageDoseAndRate"}]},maxDosePerPeriod:{type:[{code:"Ratio"}]},maxDosePerAdministration:{type:[{code:"Quantity",profile:["http://hl7.org/fhir/StructureDefinition/SimpleQuantity"]}]},maxDosePerLifetime:{type:[{code:"Quantity",profile:["http://hl7.org/fhir/StructureDefinition/SimpleQuantity"]}]}}},Duration:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},ElementDefinition:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},path:{min:1,type:[{code:"string"}]},representation:{max:9007199254740991,type:[{code:"code"}]},sliceName:{type:[{code:"string"}]},sliceIsConstraining:{type:[{code:"boolean"}]},label:{type:[{code:"string"}]},code:{max:9007199254740991,type:[{code:"Coding"}]},slicing:{type:[{code:"ElementDefinitionSlicing"}]},short:{type:[{code:"string"}]},definition:{type:[{code:"mar
kdown"}]},comment:{type:[{code:"markdown"}]},requirements:{type:[{code:"markdown"}]},alias:{max:9007199254740991,type:[{code:"string"}]},min:{type:[{code:"unsignedInt"}]},max:{type:[{code:"string"}]},base:{type:[{code:"ElementDefinitionBase"}]},contentReference:{type:[{code:"uri"}]},type:{max:9007199254740991,type:[{code:"ElementDefinitionType"}]},"defaultValue[x]":{type:[{code:"base64Binary"},{code:"boolean"},{code:"canonical"},{code:"code"},{code:"date"},{code:"dateTime"},{code:"decimal"},{code:"id"},{code:"instant"},{code:"integer"},{code:"markdown"},{code:"oid"},{code:"positiveInt"},{code:"string"},{code:"time"},{code:"unsignedInt"},{code:"uri"},{code:"url"},{code:"uuid"},{code:"Address"},{code:"Age"},{code:"Annotation"},{code:"Attachment"},{code:"CodeableConcept"},{code:"Coding"},{code:"ContactPoint"},{code:"Count"},{code:"Distance"},{code:"Duration"},{code:"HumanName"},{code:"Identifier"},{code:"Money"},{code:"Period"},{code:"Quantity"},{code:"Range"},{code:"Ratio"},{code:"Reference"},{code:"SampledData"},{code:"Signature"},{code:"Timing"},{code:"ContactDetail"},{code:"Contributor"},{code:"DataRequirement"},{code:"Expression"},{code:"ParameterDefinition"},{code:"RelatedArtifact"},{code:"TriggerDefinition"},{code:"UsageContext"},{code:"Dosage"},{code:"Meta"}]},meaningWhenMissing:{type:[{code:"markdown"}]},orderMeaning:{type:[{code:"string"}]},"fixed[x]":{type:[{code:"base64Binary"},{code:"boolean"},{code:"canonical"},{code:"code"},{code:"date"},{code:"dateTime"},{code:"decimal"},{code:"id"},{code:"instant"},{code:"integer"},{code:"markdown"},{code:"oid"},{code:"positiveInt"},{code:"string"},{code:"time"},{code:"unsignedInt"},{code:"uri"},{code:"url"},{code:"uuid"},{code:"Address"},{code:"Age"},{code:"Annotation"},{code:"Attachment"},{code:"CodeableConcept"},{code:"Coding"},{code:"ContactPoint"},{code:"Count"},{code:"Distance"},{code:"Duration"},{code:"HumanName"},{code:"Identifier"},{code:"Money"},{code:"Period"},{code:"Quantity"},{code:"Range"},{code:"Ratio"},
{code:"Reference"},{code:"SampledData"},{code:"Signature"},{code:"Timing"},{code:"ContactDetail"},{code:"Contributor"},{code:"DataRequirement"},{code:"Expression"},{code:"ParameterDefinition"},{code:"RelatedArtifact"},{code:"TriggerDefinition"},{code:"UsageContext"},{code:"Dosage"},{code:"Meta"}]},"pattern[x]":{type:[{code:"base64Binary"},{code:"boolean"},{code:"canonical"},{code:"code"},{code:"date"},{code:"dateTime"},{code:"decimal"},{code:"id"},{code:"instant"},{code:"integer"},{code:"markdown"},{code:"oid"},{code:"positiveInt"},{code:"string"},{code:"time"},{code:"unsignedInt"},{code:"uri"},{code:"url"},{code:"uuid"},{code:"Address"},{code:"Age"},{code:"Annotation"},{code:"Attachment"},{code:"CodeableConcept"},{code:"Coding"},{code:"ContactPoint"},{code:"Count"},{code:"Distance"},{code:"Duration"},{code:"HumanName"},{code:"Identifier"},{code:"Money"},{code:"Period"},{code:"Quantity"},{code:"Range"},{code:"Ratio"},{code:"Reference"},{code:"SampledData"},{code:"Signature"},{code:"Timing"},{code:"ContactDetail"},{code:"Contributor"},{code:"DataRequirement"},{code:"Expression"},{code:"ParameterDefinition"},{code:"RelatedArtifact"},{code:"TriggerDefinition"},{code:"UsageContext"},{code:"Dosage"},{code:"Meta"}]},example:{max:9007199254740991,type:[{code:"ElementDefinitionExample"}]},"minValue[x]":{type:[{code:"date"},{code:"dateTime"},{code:"instant"},{code:"time"},{code:"decimal"},{code:"integer"},{code:"positiveInt"},{code:"unsignedInt"},{code:"Quantity"}]},"maxValue[x]":{type:[{code:"date"},{code:"dateTime"},{code:"instant"},{code:"time"},{code:"decimal"},{code:"integer"},{code:"positiveInt"},{code:"unsignedInt"},{code:"Quantity"}]},maxLength:{type:[{code:"integer"}]},condition:{max:9007199254740991,type:[{code:"id"}]},constraint:{max:9007199254740991,type:[{code:"ElementDefinitionConstraint"}]},mustSupport:{type:[{code:"boolean"}]},isModifier:{type:[{code:"boolean"}]},isModifierReason:{type:[{code:"string"}]},isSummary:{type:[{code:"boolean"}]},binding:{type:[{cod
e:"ElementDefinitionBinding"}]},mapping:{max:9007199254740991,type:[{code:"ElementDefinitionMapping"}]}}},Expression:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},description:{type:[{code:"string"}]},name:{type:[{code:"id"}]},language:{min:1,type:[{code:"code"}]},expression:{type:[{code:"string"}]},reference:{type:[{code:"uri"}]}}},Extension:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},url:{min:1,type:[{code:"uri"}]},"value[x]":{type:[{code:"base64Binary"},{code:"boolean"},{code:"canonical"},{code:"code"},{code:"date"},{code:"dateTime"},{code:"decimal"},{code:"id"},{code:"instant"},{code:"integer"},{code:"markdown"},{code:"oid"},{code:"positiveInt"},{code:"string"},{code:"time"},{code:"unsignedInt"},{code:"uri"},{code:"url"},{code:"uuid"},{code:"Address"},{code:"Age"},{code:"Annotation"},{code:"Attachment"},{code:"CodeableConcept"},{code:"Coding"},{code:"ContactPoint"},{code:"Count"},{code:"Distance"},{code:"Duration"},{code:"HumanName"},{code:"Identifier"},{code:"Money"},{code:"Period"},{code:"Quantity"},{code:"Range"},{code:"Ratio"},{code:"Reference"},{code:"SampledData"},{code:"Signature"},{code:"Timing"},{code:"ContactDetail"},{code:"Contributor"},{code:"DataRequirement"},{code:"Expression"},{code:"ParameterDefinition"},{code:"RelatedArtifact"},{code:"TriggerDefinition"},{code:"UsageContext"},{code:"Dosage"},{code:"Meta"}]}}},HumanName:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},use:{type:[{code:"code"}]},text:{type:[{code:"string"}]},family:{type:[{code:"string"}]},given:{max:9007199254740991,type:[{code:"string"}]},prefix:{max:9007199254740991,type:[{code:"string"}]},suffix:{max:9007199254740991,type:[{code:"string"}]},period:{type:[{code:"Period"}]}}},Identifier:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},use:{type:[{code:"code"}]},type:{type:[{code:
"CodeableConcept"}]},system:{type:[{code:"uri"}]},value:{type:[{code:"string"}]},period:{type:[{code:"Period"}]},assigner:{type:[{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Organization"]}]}}},MarketingStatus:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},country:{min:1,type:[{code:"CodeableConcept"}]},jurisdiction:{type:[{code:"CodeableConcept"}]},status:{min:1,type:[{code:"CodeableConcept"}]},dateRange:{min:1,type:[{code:"Period"}]},restoreDate:{type:[{code:"dateTime"}]}}},Meta:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},versionId:{type:[{code:"id"}]},lastUpdated:{type:[{code:"instant"}]},source:{type:[{code:"uri"}]},profile:{max:9007199254740991,type:[{code:"canonical",targetProfile:["http://hl7.org/fhir/StructureDefinition/StructureDefinition"]}]},security:{max:9007199254740991,type:[{code:"Coding"}]},tag:{max:9007199254740991,type:[{code:"Coding"}]},project:{type:[{code:"uri"}]},author:{type:[{code:"Reference"}]},account:{type:[{code:"Reference"}]},compartment:{max:9007199254740991,type:[{code:"Reference"}]}}},Money:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},currency:{type:[{code:"code"}]}}},Narrative:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},status:{min:1,type:[{code:"code"}]},div:{min:1,type:[{code:"xhtml"}]}}},ParameterDefinition:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},name:{type:[{code:"code"}]},use:{min:1,type:[{code:"code"}]},min:{type:[{code:"integer"}]},max:{type:[{code:"string"}]},documentation:{type:[{code:"string"}]},type:{min:1,type:[{code:"code"}]},profile:{type:[{code:"canonical",targetProfile:["http://hl7.org/fhir/StructureDefinition/StructureDefiniti
on"]}]}}},Period:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},start:{type:[{code:"dateTime"}]},end:{type:[{code:"dateTime"}]}}},Population:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},"age[x]":{type:[{code:"Range"},{code:"CodeableConcept"}]},gender:{type:[{code:"CodeableConcept"}]},race:{type:[{code:"CodeableConcept"}]},physiologicalCondition:{type:[{code:"CodeableConcept"}]}}},ProdCharacteristic:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},height:{type:[{code:"Quantity"}]},width:{type:[{code:"Quantity"}]},depth:{type:[{code:"Quantity"}]},weight:{type:[{code:"Quantity"}]},nominalVolume:{type:[{code:"Quantity"}]},externalDiameter:{type:[{code:"Quantity"}]},shape:{type:[{code:"string"}]},color:{max:9007199254740991,type:[{code:"string"}]},imprint:{max:9007199254740991,type:[{code:"string"}]},image:{max:9007199254740991,type:[{code:"Attachment"}]},scoring:{type:[{code:"CodeableConcept"}]}}},ProductShelfLife:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},identifier:{type:[{code:"Identifier"}]},type:{min:1,type:[{code:"CodeableConcept"}]},period:{min:1,type:[{code:"Quantity"}]},specialPrecautionsForStorage:{max:9007199254740991,type:[{code:"CodeableConcept"}]}}},Quantity:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},Range:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},low:{type:[{code:"Quantity",profile:["http://hl
7.org/fhir/StructureDefinition/SimpleQuantity"]}]},high:{type:[{code:"Quantity",profile:["http://hl7.org/fhir/StructureDefinition/SimpleQuantity"]}]}}},Ratio:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},numerator:{type:[{code:"Quantity"}]},denominator:{type:[{code:"Quantity"}]}}},Reference:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},reference:{type:[{code:"string"}]},type:{type:[{code:"uri"}]},identifier:{type:[{code:"Identifier"}]},display:{type:[{code:"string"}]}}},RelatedArtifact:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},type:{min:1,type:[{code:"code"}]},label:{type:[{code:"string"}]},display:{type:[{code:"string"}]},citation:{type:[{code:"markdown"}]},url:{type:[{code:"url"}]},document:{type:[{code:"Attachment"}]},resource:{type:[{code:"canonical",targetProfile:["http://hl7.org/fhir/StructureDefinition/Resource"]}]}}},SampledData:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},origin:{min:1,type:[{code:"Quantity",profile:["http://hl7.org/fhir/StructureDefinition/SimpleQuantity"]}]},period:{min:1,type:[{code:"decimal"}]},factor:{type:[{code:"decimal"}]},lowerLimit:{type:[{code:"decimal"}]},upperLimit:{type:[{code:"decimal"}]},dimensions:{min:1,type:[{code:"positiveInt"}]},data:{type:[{code:"string"}]}}},Signature:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},type:{min:1,max:9007199254740991,type:[{code:"Coding"}]},when:{min:1,type:[{code:"instant"}]},who:{min:1,type:[{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Practitioner","http://hl7.org/fhir/StructureDefinition/PractitionerRole","http://hl7.org/fhir/StructureDefinition/RelatedPerson","http://hl7.org/fhir/StructureDefinition/Patient","http://hl7.org/fhir/StructureDefinition/Device","http://hl7.org/fhir/StructureDefinition
/Organization"]}]},onBehalfOf:{type:[{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Practitioner","http://hl7.org/fhir/StructureDefinition/PractitionerRole","http://hl7.org/fhir/StructureDefinition/RelatedPerson","http://hl7.org/fhir/StructureDefinition/Patient","http://hl7.org/fhir/StructureDefinition/Device","http://hl7.org/fhir/StructureDefinition/Organization"]}]},targetFormat:{type:[{code:"code"}]},sigFormat:{type:[{code:"code"}]},data:{type:[{code:"base64Binary"}]}}},SubstanceAmount:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},"amount[x]":{type:[{code:"Quantity"},{code:"Range"},{code:"string"}]},amountType:{type:[{code:"CodeableConcept"}]},amountText:{type:[{code:"string"}]},referenceRange:{type:[{code:"SubstanceAmountReferenceRange"}]}}},Timing:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},modifierExtension:{max:9007199254740991,type:[{code:"Extension"}]},event:{max:9007199254740991,type:[{code:"dateTime"}]},repeat:{type:[{code:"TimingRepeat"}]},code:{type:[{code:"CodeableConcept"}]}}},TriggerDefinition:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},type:{min:1,type:[{code:"code"}]},name:{type:[{code:"string"}]},"timing[x]":{type:[{code:"Timing"},{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/Schedule"]},{code:"date"},{code:"dateTime"}]},data:{max:9007199254740991,type:[{code:"DataRequirement"}]},condition:{type:[{code:"Expression"}]}}},UsageContext:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},code:{min:1,type:[{code:"Coding"}]},"value[x]":{min:1,type:[{code:"CodeableConcept"},{code:"Quantity"},{code:"Range"},{code:"Reference",targetProfile:["http://hl7.org/fhir/StructureDefinition/PlanDefinition","http://hl7.org/fhir/StructureDefiniti
on/ResearchStudy","http://hl7.org/fhir/StructureDefinition/InsurancePlan","http://hl7.org/fhir/StructureDefinition/HealthcareService","http://hl7.org/fhir/StructureDefinition/Group","http://hl7.org/fhir/StructureDefinition/Location","http://hl7.org/fhir/StructureDefinition/Organization"]}]}}},MoneyQuantity:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},SimpleQuantity:{elements:{id:{type:[{code:"string"}]},extension:{max:9007199254740991,type:[{code:"Extension"}]},value:{type:[{code:"decimal"}]},comparator:{max:0,type:[{code:"code"}]},unit:{type:[{code:"string"}]},system:{type:[{code:"uri"}]},code:{type:[{code:"code"}]}}},IdentityProvider:{elements:{authorizeUrl:{min:1,type:[{code:"string"}]},tokenUrl:{min:1,type:[{code:"string"}]},tokenAuthMethod:{type:[{code:"code"}]},userInfoUrl:{min:1,type:[{code:"string"}]},clientId:{min:1,type:[{code:"string"}]},clientSecret:{min:1,type:[{code:"string"}]},usePkce:{type:[{code:"boolean"}]},useSubject:{type:[{code:"boolean"}]}}}};var Ke=Je(Ye);var ae=Object.create(null);function ce(e){let t;return e?(t=ae[e],t||(t=ae[e]=Object.create(null))):t=Ke,t}function Ze(e,t){let r=ce(t)[e];return!r&&t&&(r=ce()[e]),r}var he={base64Binary:/^([A-Za-z\d+/]{4})*([A-Za-z\d+/]{2}==|[A-Za-z\d+/]{3}=)?$/,canonical:/^\S*$/,code:/^[^\s]+( 
[^\s]+)*$/,date:/^(\d(\d(\d[1-9]|[1-9]0)|[1-9]00)|[1-9]000)(-(0[1-9]|1[0-2])(-(0[1-9]|[1-2]\d|3[0-1]))?)?$/,dateTime:/^(\d(\d(\d[1-9]|[1-9]0)|[1-9]00)|[1-9]000)(-(0[1-9]|1[0-2])(-(0[1-9]|[1-2]\d|3[0-1])(T([01]\d|2[0-3])(:[0-5]\d:([0-5]\d|60)(\.\d{1,9})?)?)?)?(Z|[+-]((0\d|1[0-3]):[0-5]\d|14:00)?)?)?$/,id:/^[A-Za-z0-9\-.]{1,64}$/,instant:/^(\d(\d(\d[1-9]|[1-9]0)|[1-9]00)|[1-9]000)-(0[1-9]|1[0-2])-(0[1-9]|[1-2]\d|3[0-1])T([01]\d|2[0-3]):[0-5]\d:([0-5]\d|60)(\.\d{1,9})?(Z|[+-]((0\d|1[0-3]):[0-5]\d|14:00))$/,markdown:/^[\s\S]+$/,oid:/^urn:oid:[0-2](\.(0|[1-9]\d*))+$/,string:/^[\s\S]+$/,time:/^([01]\d|2[0-3]):[0-5]\d:([0-5]\d|60)(\.\d{1,9})?$/,uri:/^\S*$/,url:/^\S*$/,uuid:/^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/,xhtml:/.*/};function l(e){return[{type:u.boolean,value:e}]}function D(e){return e==null?{type:"undefined",value:void 0}:Number.isSafeInteger(e)?{type:u.integer,value:e}:typeof e=="number"?{type:u.decimal,value:e}:typeof e=="boolean"?{type:u.boolean,value:e}:typeof e=="string"?{type:u.string,value:e}:v(e)?{type:u.Quantity,value:e}:H(e)?{type:e.resourceType,value:e}:{type:u.BackboneElement,value:e}}function R(e){return e.length===0?!1:!!e[0].value}function A(e,t){if(e.length!==0){if(e.length===1&&(!t||e[0].type===t))return e[0];throw new Error(`Expected singleton of type ${t}, but found ${JSON.stringify(e)}`)}}function Xe(e,t,r){if(!e.value)return;let i=lt(e.type,t,r?.profileUrl);return i?et(e,t,i):tt(e,t)}function et(e,t,r){let i=e.value,n=r.type;if(!n||n.length===0)return;let s,a="undefined",c;if(r.path.endsWith("[x]")){let m=r.path.split(".").pop().replace("[x]","");for(let P of n){let b=m+be(P.code);if(s=i[b],c=i["_"+b],s!==void 0||c!==void 0){a=P.code;break}}}else console.assert(n.length===1,"Expected single type",r.path),s=i[t],a=n[0].code,c=i["_"+t];if(c)if(Array.isArray(s)){s=s.slice();for(let m=0;m<Math.max(s.length,c.length);m++)s[m]=pe(s[m],c[m])}else 
s=pe(s,c);if(!W(s))return(a==="Element"||a==="BackboneElement")&&(a=r.type[0].code),Array.isArray(s)?s.map(m=>le(m,a)):le(s,a)}function le(e,t){return t==="Resource"&&H(e)&&(t=e.resourceType),{type:t,value:e}}function tt(e,t){let r=e.value;if(!r||typeof r!="object")return;let i;if(t in r)i=r[t];else for(let n in u){let s=t+be(n);if(s in r){i=r[s];break}}if(!W(i))return Array.isArray(i)?i.map(D):D(i)}function me(e){let t=[];for(let r of e){let i=!1;for(let n of t)if(R(ge(r,n))){i=!0;break}i||t.push(r)}return t}function fe(e){return l(!R(e))}function ye(e,t){return e.length===0||t.length===0?[]:e.length!==t.length?l(!1):l(e.every((r,i)=>R(ge(r,t[i]))))}function ge(e,t){let r=e.value?.valueOf(),i=t.value?.valueOf();return typeof r=="number"&&typeof i=="number"?l(Math.abs(r-i)<1e-8):v(r)&&v(i)?l(we(r,i)):l(typeof r=="object"&&typeof i=="object"?ee(e,t):r===i)}function ve(e,t){return e.length===0&&t.length===0?l(!0):e.length!==t.length?l(!1):(e.sort(ue),t.sort(ue),l(e.every((r,i)=>R(rt(r,t[i])))))}function rt(e,t){let{type:r,value:i}=e,{type:n,value:s}=t,a=i?.valueOf(),c=s?.valueOf();return typeof a=="number"&&typeof c=="number"?l(Math.abs(a-c)<.01):v(a)&&v(c)?l(we(a,c)):l(r==="Coding"&&n==="Coding"?typeof a!="object"||typeof c!="object"?!1:a.code===c.code&&a.system===c.system:typeof a=="object"&&typeof c=="object"?ee({...a,id:void 0},{...c,id:void 0}):typeof a=="string"&&typeof c=="string"?a.toLowerCase()===c.toLowerCase():a===c)}function ue(e,t){let r=e.value?.valueOf(),i=t.value?.valueOf();return typeof r=="number"&&typeof i=="number"?r-i:typeof r=="string"&&typeof i=="string"?r.localeCompare(i):0}function Se(e,t){let{value:r}=e;if(r==null)return!1;switch(t){case"Boolean":return typeof r=="boolean";case"Decimal":case"Integer":return typeof r=="number";case"Date":return it(r);case"DateTime":return Z(r);case"Time":return typeof r=="string"&&!!/^T\d/.exec(r);case"Period":return nt(r);case"Quantity":return v(r);default:return typeof 
r=="object"&&r?.resourceType===t}}function it(e){return typeof e=="string"&&!!he.date.exec(e)}function Z(e){return typeof e=="string"&&!!he.dateTime.exec(e)}function nt(e){return!!(e&&typeof e=="object"&&("start"in e&&Z(e.start)||"end"in e&&Z(e.end)))}function v(e){return!!(e&&typeof e=="object"&&"value"in e&&typeof e.value=="number")}function we(e,t){return Math.abs(e.value-t.value)<.01&&(e.unit===t.unit||e.code===t.code||e.unit===t.code||e.code===t.unit)}function ee(e,t){let r=Object.keys(e),i=Object.keys(t);if(r.length!==i.length)return!1;for(let n of r){let s=e[n],a=t[n];if(de(s)&&de(a)){if(!ee(s,a))return!1}else if(s!==a)return!1}return!0}function de(e){return e!==null&&typeof e=="object"}function pe(e,t){if(t){if(typeof t!="object")throw new Error("Primitive extension must be an object");return st(e??{},t)}return e}function st(e,t){return delete t.__proto__,delete t.constructor,Object.assign(e,t)}function ot(e,t){let r=new Date(e);r.setUTCHours(0,0,0,0);let i=t?new Date(t):new Date;i.setUTCHours(0,0,0,0);let n=r.getUTCFullYear(),s=r.getUTCMonth(),a=r.getUTCDate(),c=i.getUTCFullYear(),m=i.getUTCMonth(),P=i.getUTCDate(),b=c-n;(m<s||m===s&&P<a)&&b--;let F=c*12+m-(n*12+s);P<a&&F--;let U=Math.floor((i.getTime()-r.getTime())/(1e3*60*60*24));return{years:b,months:F,days:U}}function W(e){if(e==null)return!0;let t=typeof e;return t==="string"||t==="object"?!at(e):!1}function at(e){if(e==null)return!1;let t=typeof e;return t==="string"&&e!==""||t==="object"&&("length"in e&&e.length>0||Object.keys(e).length>0)}var ct=[];for(let e=0;e<256;e++)ct.push(e.toString(16).padStart(2,"0"));function be(e){return e?e.charAt(0).toUpperCase()+e.substring(1):""}var 
u={Address:"Address",Age:"Age",Annotation:"Annotation",Attachment:"Attachment",BackboneElement:"BackboneElement",CodeableConcept:"CodeableConcept",Coding:"Coding",ContactDetail:"ContactDetail",ContactPoint:"ContactPoint",Contributor:"Contributor",Count:"Count",DataRequirement:"DataRequirement",Distance:"Distance",Dosage:"Dosage",Duration:"Duration",Expression:"Expression",Extension:"Extension",HumanName:"HumanName",Identifier:"Identifier",MarketingStatus:"MarketingStatus",Meta:"Meta",Money:"Money",Narrative:"Narrative",ParameterDefinition:"ParameterDefinition",Period:"Period",Population:"Population",ProdCharacteristic:"ProdCharacteristic",ProductShelfLife:"ProductShelfLife",Quantity:"Quantity",Range:"Range",Ratio:"Ratio",Reference:"Reference",RelatedArtifact:"RelatedArtifact",SampledData:"SampledData",Signature:"Signature",SubstanceAmount:"SubstanceAmount",SystemString:"http://hl7.org/fhirpath/System.String",Timing:"Timing",TriggerDefinition:"TriggerDefinition",UsageContext:"UsageContext",base64Binary:"base64Binary",boolean:"boolean",canonical:"canonical",code:"code",date:"date",dateTime:"dateTime",decimal:"decimal",id:"id",instant:"instant",integer:"integer",markdown:"markdown",oid:"oid",positiveInt:"positiveInt",string:"string",time:"time",unsignedInt:"unsignedInt",uri:"uri",url:"url",uuid:"uuid"};function lt(e,t,r){let i=Ze(e,r);if(i)return ut(i.elements,t)}function ut(e,t){let r=e[t]??e[t+"[x]"];if(r)return r;for(let i=0;i<t.length;i++){let n=t[i];if(n>="A"&&n<="Z"){let s=t.slice(0,i)+"[x]",a=e[s];if(a)return a}}}function H(e){return!!(e&&typeof e=="object"&&"resourceType"in e)}function q(e){if(e.startsWith("T"))return e+"T00:00:00.000Z".substring(e.length);if(e.length<=10)return e;try{return new Date(e).toISOString()}catch{return e}}var 
T=()=>[],y={empty:(e,t)=>l(t.length===0||t.every(r=>W(r.value))),hasValue:(e,t)=>l(t.length!==0),exists:(e,t,r)=>l(r?t.filter(i=>R(r.eval(e,[i]))).length>0:t.length>0&&t.every(i=>!W(i.value))),all:(e,t,r)=>l(t.every(i=>R(r.eval(e,[i])))),allTrue:(e,t)=>{for(let r of t)if(!r.value)return l(!1);return l(!0)},anyTrue:(e,t)=>{for(let r of t)if(r.value)return l(!0);return l(!1)},allFalse:(e,t)=>{for(let r of t)if(r.value)return l(!1);return l(!0)},anyFalse:(e,t)=>{for(let r of t)if(!r.value)return l(!0);return l(!1)},subsetOf:(e,t,r)=>{if(t.length===0)return l(!0);let i=r.eval(e,I(e));return i.length===0?l(!1):l(t.every(n=>i.some(s=>s.value===n.value)))},supersetOf:(e,t,r)=>{let i=r.eval(e,I(e));return i.length===0?l(!0):t.length===0?l(!1):l(i.every(n=>t.some(s=>s.value===n.value)))},count:(e,t)=>[{type:u.integer,value:t.length}],distinct:(e,t)=>{let r=[];for(let i of t)r.some(n=>n.value===i.value)||r.push(i);return r},isDistinct:(e,t)=>l(t.length===y.distinct(e,t).length),where:(e,t,r)=>t.filter(i=>R(r.eval(e,[i]))),select:(e,t,r)=>t.map(i=>r.eval(e,[i])).flat(),repeat:T,ofType:(e,t,r)=>t.filter(i=>i.type===r.name),single:(e,t)=>{if(t.length>1)throw new Error("Expected input length one for single()");return t.length===0?[]:t.slice(0,1)},first:(e,t)=>t.length===0?[]:t.slice(0,1),last:(e,t)=>t.length===0?[]:t.slice(t.length-1,t.length),tail:(e,t)=>t.length===0?[]:t.slice(1,t.length),skip:(e,t,r)=>{let i=r.eval(e,t)[0]?.value;if(typeof i!="number")throw new Error("Expected a number for skip(num)");return i>=t.length?[]:i<=0?t:t.slice(i,t.length)},take:(e,t,r)=>{let i=r.eval(e,t)[0]?.value;if(typeof i!="number")throw new Error("Expected a number for take(num)");return i>=t.length?t:i<=0?[]:t.slice(0,i)},intersect:(e,t,r)=>{if(!r)return t;let i=r.eval(e,I(e)),n=[];for(let s of t)!n.some(a=>a.value===s.value)&&i.some(a=>a.value===s.value)&&n.push(s);return n},exclude:(e,t,r)=>{if(!r)return t;let i=r.eval(e,I(e)),n=[];for(let s of 
t)i.some(a=>a.value===s.value)||n.push(s);return n},union:(e,t,r)=>{if(!r)return t;let i=r.eval(e,I(e));return me([...t,...i])},combine:(e,t,r)=>{if(!r)return t;let i=r.eval(e,I(e));return[...t,...i]},htmlChecks:(e,t,r)=>[D(!0)],iif:(e,t,r,i,n)=>{let s=r.eval(e,t);if(s.length>1||s.length===1&&typeof s[0].value!="boolean")throw new Error("Expected criterion to evaluate to a Boolean");return R(s)?i.eval(e,t):n?n.eval(e,t):[]},toBoolean:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);if(typeof r=="boolean")return[{type:u.boolean,value:r}];if(typeof r=="number"&&(r===0||r===1))return l(!!r);if(typeof r=="string"){let i=r.toLowerCase();if(["true","t","yes","y","1","1.0"].includes(i))return l(!0);if(["false","f","no","n","0","0.0"].includes(i))return l(!1)}return[]},convertsToBoolean:(e,t)=>t.length===0?[]:l(y.toBoolean(e,t).length===1),toInteger:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return typeof r=="number"?[{type:u.integer,value:r}]:typeof r=="string"&&/^[+-]?\d+$/.exec(r)?[{type:u.integer,value:parseInt(r,10)}]:typeof r=="boolean"?[{type:u.integer,value:r?1:0}]:[]},convertsToInteger:(e,t)=>t.length===0?[]:l(y.toInteger(e,t).length===1),toDate:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return typeof r=="string"&&/^\d{4}(-\d{2}(-\d{2})?)?/.exec(r)?[{type:u.date,value:q(r)}]:[]},convertsToDate:(e,t)=>t.length===0?[]:l(y.toDate(e,t).length===1),toDateTime:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return typeof r=="string"&&/^\d{4}(-\d{2}(-\d{2})?)?/.exec(r)?[{type:u.dateTime,value:q(r)}]:[]},convertsToDateTime:(e,t)=>t.length===0?[]:l(y.toDateTime(e,t).length===1),toDecimal:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return typeof r=="number"?[{type:u.decimal,value:r}]:typeof r=="string"&&/^-?\d{1,9}(\.\d{1,9})?$/.exec(r)?[{type:u.decimal,value:parseFloat(r)}]:typeof 
r=="boolean"?[{type:u.decimal,value:r?1:0}]:[]},convertsToDecimal:(e,t)=>t.length===0?[]:l(y.toDecimal(e,t).length===1),toQuantity:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return v(r)?[{type:u.Quantity,value:r}]:typeof r=="number"?[{type:u.Quantity,value:{value:r,unit:"1"}}]:typeof r=="string"&&/^-?\d{1,9}(\.\d{1,9})?/.exec(r)?[{type:u.Quantity,value:{value:parseFloat(r),unit:"1"}}]:typeof r=="boolean"?[{type:u.Quantity,value:{value:r?1:0,unit:"1"}}]:[]},convertsToQuantity:(e,t)=>t.length===0?[]:l(y.toQuantity(e,t).length===1),toString:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);return r==null?[]:v(r)?[{type:u.string,value:`${r.value} '${r.unit}'`}]:[{type:u.string,value:r.toString()}]},convertsToString:(e,t)=>t.length===0?[]:l(y.toString(e,t).length===1),toTime:(e,t)=>{if(t.length===0)return[];let[{value:r}]=E(t,1);if(typeof r=="string"){let i=/^T?(\d{2}(:\d{2}(:\d{2})?)?)/.exec(r);if(i)return[{type:u.time,value:q("T"+i[1])}]}return[]},convertsToTime:(e,t)=>t.length===0?[]:l(y.toTime(e,t).length===1),indexOf:(e,t,r)=>g((i,n)=>i.indexOf(n),e,t,r),substring:(e,t,r,i)=>g((n,s,a)=>{let c=s,m=a?c+a:n.length;return c<0||c>=n.length?void 0:n.substring(c,m)},e,t,r,i),startsWith:(e,t,r)=>g((i,n)=>i.startsWith(n),e,t,r),endsWith:(e,t,r)=>g((i,n)=>i.endsWith(n),e,t,r),contains:(e,t,r)=>g((i,n)=>i.includes(n),e,t,r),upper:(e,t)=>g(r=>r.toUpperCase(),e,t),lower:(e,t)=>g(r=>r.toLowerCase(),e,t),replace:(e,t,r,i)=>g((n,s,a)=>n.replaceAll(s,a),e,t,r,i),matches:(e,t,r)=>g((i,n)=>!!new RegExp(n).exec(i),e,t,r),replaceMatches:(e,t,r,i)=>g((n,s,a)=>n.replaceAll(s,a),e,t,r,i),length:(e,t)=>g(r=>r.length,e,t),toChars:(e,t)=>g(r=>r?r.split(""):void 0,e,t),encode:T,decode:T,escape:T,unescape:T,trim:T,split:T,join:(e,t,r)=>{let i=r?.eval(e,I(e))[0]?.value??"";if(typeof i!="string")throw new Error("Separator must be a 
string.");return[{type:u.string,value:t.map(n=>n.value?.toString()??"").join(i)}]},abs:(e,t)=>x(Math.abs,e,t),ceiling:(e,t)=>x(Math.ceil,e,t),exp:(e,t)=>x(Math.exp,e,t),floor:(e,t)=>x(Math.floor,e,t),ln:(e,t)=>x(Math.log,e,t),log:(e,t,r)=>x((i,n)=>Math.log(i)/Math.log(n),e,t,r),power:(e,t,r)=>x(Math.pow,e,t,r),round:(e,t)=>x(Math.round,e,t),sqrt:(e,t)=>x(Math.sqrt,e,t),truncate:(e,t)=>x(r=>r|0,e,t),children:T,descendants:T,trace:(e,t,r)=>t,now:()=>[{type:u.dateTime,value:new Date().toISOString()}],timeOfDay:()=>[{type:u.time,value:new Date().toISOString().substring(11)}],today:()=>[{type:u.date,value:new Date().toISOString().substring(0,10)}],between:(e,t,r,i,n)=>{let s=y.toDateTime(e,r.eval(e,t));if(s.length===0)throw new Error("Invalid start date");let a=y.toDateTime(e,i.eval(e,t));if(a.length===0)throw new Error("Invalid end date");let c=n.eval(e,t)[0]?.value;if(c!=="years"&&c!=="months"&&c!=="days")throw new Error("Invalid units");let m=ot(s[0].value,a[0].value);return[{type:u.Quantity,value:{value:m[c],unit:c}}]},is:(e,t,r)=>{let i="";return r instanceof te?i=r.name:r instanceof xe&&(i=r.left.name+"."+r.right.name),i?t.map(n=>({type:u.boolean,value:Se(n,i)})):[]},not:(e,t)=>y.toBoolean(e,t).map(r=>({type:u.boolean,value:!r.value})),resolve:(e,t)=>t.map(r=>{let i=r.value,n;if(typeof i=="string")n=i;else if(typeof i=="object"){let s=i;if(s.resource)return D(s.resource);s.reference?n=s.reference:s.type&&s.identifier&&(n=`${s.type}?identifier=${s.identifier.system}|${s.identifier.value}`)}if(n?.includes("?")){let[s]=n.split("?");return{type:s,value:{resourceType:s}}}if(n?.includes("/")){let[s,a]=n.split("/");return{type:s,value:{resourceType:s,id:a}}}return{type:u.BackboneElement,value:void 0}}).filter(r=>!!r.value),as:(e,t)=>t,type:(e,t)=>t.map(({value:r})=>typeof r=="boolean"?{type:u.BackboneElement,value:{namespace:"System",name:"Boolean"}}:typeof 
r=="number"?{type:u.BackboneElement,value:{namespace:"System",name:"Integer"}}:H(r)?{type:u.BackboneElement,value:{namespace:"FHIR",name:r.resourceType}}:{type:u.BackboneElement,value:null}),conformsTo:(e,t,r)=>{let i=r.eval(e,t)[0].value;if(!i.startsWith("http://hl7.org/fhir/StructureDefinition/"))throw new Error("Expected a StructureDefinition URL");let n=i.replace("http://hl7.org/fhir/StructureDefinition/","");return t.map(s=>({type:u.boolean,value:s.value?.resourceType===n}))}};function g(e,t,r,...i){if(r.length===0)return[];let[{value:n}]=E(r,1);if(typeof n!="string")throw new Error("String function cannot be called with non-string");let s=e(n,...i.map(a=>a?.eval(t,r)[0]?.value));return s===void 0?[]:Array.isArray(s)?s.map(D):[D(s)]}function x(e,t,r,...i){if(r.length===0)return[];let[{value:n}]=E(r,1),s=v(n),a=s?n.value:n;if(typeof a!="number")throw new Error("Math function cannot be called with non-number");let c=e(a,...i.map(b=>b.eval(t,r)[0]?.value)),m=s?u.Quantity:r[0].type,P=s?{...n,value:c}:c;return[{type:m,value:P}]}function E(e,t){if(e.length!==t)throw new Error(`Expected ${t} arguments`);for(let r of e)if(r==null)throw new Error("Expected non-null argument");return e}function I(e){let t=e;for(;t.parent?.variables.$this;)t=t.parent;return[t.variables.$this]}var N=class{constructor(e){this.value=e}eval(){return[this.value]}toString(){let e=this.value.value;return typeof e=="string"?`'${e}'`:e.toString()}},te=class{constructor(e){this.name=e}eval(e,t){if(this.name==="$this")return t;let r=this.getVariable(e);if(r)return[r];if(this.name.startsWith("%"))throw new Error(`Undefined variable ${this.name}`);return t.flatMap(i=>this.evalValue(i)).filter(i=>i?.value!==void 0)}getVariable(e){let t=e.variables[this.name];if(t!==void 0)return t;if(e.parent)return this.getVariable(e.parent)}evalValue(e){let t=e.value;if(!(!t||typeof t!="object"))return H(t)&&t.resourceType===this.name?e:Xe(e,this.name)}toString(){return 
this.name}},dt=class{eval(){return[]}toString(){return"{}"}},pt=class extends qe{constructor(e,t,r){super(e,t),this.impl=r}eval(e,t){return this.impl(this.child.eval(e,t))}toString(){return this.operator+this.child.toString()}},ht=class extends B{constructor(e,t){super("as",e,t)}eval(e,t){return y.ofType(e,this.left.eval(e,t),this.right)}},S=class extends B{},w=class extends S{constructor(e,t,r,i){super(e,t,r),this.impl=i}eval(e,t){let r=this.left.eval(e,t);if(r.length!==1)return[];let i=this.right.eval(e,t);if(i.length!==1)return[];let n=r[0].value,s=i[0].value,a=v(n)?n.value:n,c=v(s)?s.value:s,m=this.impl(a,c);return typeof m=="boolean"?l(m):v(n)?[{type:u.Quantity,value:{...n,value:m}}]:[D(m)]}},mt=class extends B{constructor(e,t){super("&",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t),n=[...r,...i];return n.length>0&&n.every(s=>typeof s.value=="string")?[{type:u.string,value:n.map(s=>s.value).join("")}]:n}},ft=class extends S{constructor(e,t){super("contains",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return l(r.some(n=>n.value===i[0].value))}},yt=class extends S{constructor(e,t){super("in",e,t)}eval(e,t){let r=A(this.left.eval(e,t)),i=this.right.eval(e,t);return r?l(i.some(n=>n.value===r.value)):[]}},xe=class extends B{constructor(e,t){super(".",e,t)}eval(e,t){return this.right.eval(e,this.left.eval(e,t))}toString(){return`${this.left.toString()}.${this.right.toString()}`}},gt=class extends B{constructor(e,t){super("|",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return me([...r,...i])}},vt=class extends S{constructor(e,t){super("=",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return ye(r,i)}},St=class extends S{constructor(e,t){super("!=",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return fe(ye(r,i))}},wt=class extends S{constructor(e,t){super("~",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return ve(r,i)}},bt=class extends 
S{constructor(e,t){super("!~",e,t)}eval(e,t){let r=this.left.eval(e,t),i=this.right.eval(e,t);return fe(ve(r,i))}},xt=class extends S{constructor(e,t){super("is",e,t)}eval(e,t){let r=this.left.eval(e,t);if(r.length!==1)return[];let i=this.right.name;return l(Se(r[0],i))}},Et=class extends S{constructor(e,t){super("and",e,t)}eval(e,t){let r=A(this.left.eval(e,t),"boolean"),i=A(this.right.eval(e,t),"boolean");return r?.value===!0&&i?.value===!0?l(!0):r?.value===!1||i?.value===!1?l(!1):[]}},Ct=class extends S{constructor(e,t){super("or",e,t)}eval(e,t){let r=A(this.left.eval(e,t),"boolean"),i=A(this.right.eval(e,t),"boolean");return r?.value===!1&&i?.value===!1?l(!1):r?.value||i?.value?l(!0):[]}},Pt=class extends S{constructor(e,t){super("xor",e,t)}eval(e,t){let r=A(this.left.eval(e,t),"boolean"),i=A(this.right.eval(e,t),"boolean");return!r||!i?[]:l(r.value!==i.value)}},Tt=class extends S{constructor(e,t){super("implies",e,t)}eval(e,t){let r=A(this.left.eval(e,t),"boolean"),i=A(this.right.eval(e,t),"boolean");return i?.value===!0||r?.value===!1?l(!0):!r||!i?[]:l(!1)}},At=class{constructor(e,t){this.name=e,this.args=t}eval(e,t){let r=y[this.name];if(!r)throw new Error("Unrecognized function: "+this.name);return r(e,t,...this.args)}toString(){return`${this.name}(${this.args.map(e=>e.toString()).join(", ")})`}},Rt=class{constructor(e,t){this.left=e,this.expr=t}eval(e,t){let r=this.expr.eval(e,t);if(r.length!==1)return[];let i=r[0].value;if(typeof i!="number")throw new Error("Invalid indexer expression: should return integer}");let n=this.left.eval(e,t);return i in n?[n[i]]:[]}toString(){return`${this.left.toString()}[${this.expr.toString()}]`}};var Ee=["!=","!~","<=",">=","{}","->"];var 
p={FunctionCall:0,Dot:1,Indexer:2,UnaryAdd:3,UnarySubtract:3,Multiply:4,Divide:4,IntegerDivide:4,Modulo:4,Add:5,Subtract:5,Ampersand:5,Is:6,As:6,Union:7,GreaterThan:8,GreaterThanOrEquals:8,LessThan:8,LessThanOrEquals:8,Equals:9,Equivalent:9,NotEquals:9,NotEquivalent:9,In:10,Contains:10,And:11,Xor:12,Or:12,Implies:13,Arrow:100,Semicolon:200},kt={parse(e){let t=e.consumeAndParse();if(!e.match(")"))throw new Error("Parse error: expected `)` got `"+e.peek()?.value+"`");return t}},It={parse(e,t){let r=e.consumeAndParse();if(!e.match("]"))throw new Error("Parse error: expected `]`");return new Rt(t,r)},precedence:p.Indexer},Dt={parse(e,t){if(!(t instanceof te))throw new Error("Unexpected parentheses");let r=[];for(;!e.match(")");)r.push(e.consumeAndParse()),e.match(",");return new At(t.name,r)},precedence:p.FunctionCall};function Ot(e){let t=e.split(" "),r=parseFloat(t[0]),i=t[1];return i?.startsWith("'")&&i.endsWith("'")?i=i.substring(1,i.length-1):i="{"+i+"}",{value:r,unit:i}}function re(){return new We().registerPrefix("String",{parse:(e,t)=>new N({type:u.string,value:t.value})}).registerPrefix("DateTime",{parse:(e,t)=>new N({type:u.dateTime,value:q(t.value)})}).registerPrefix("Quantity",{parse:(e,t)=>new N({type:u.Quantity,value:Ot(t.value)})}).registerPrefix("Number",{parse:(e,t)=>new N({type:t.value.includes(".")?u.decimal:u.integer,value:parseFloat(t.value)})}).registerPrefix("true",{parse:()=>new N({type:u.boolean,value:!0})}).registerPrefix("false",{parse:()=>new N({type:u.boolean,value:!1})}).registerPrefix("Symbol",{parse:(e,t)=>new te(t.value)}).registerPrefix("{}",{parse:()=>new dt}).registerPrefix("(",kt).registerInfix("[",It).registerInfix("(",Dt).prefix("+",p.UnaryAdd,(e,t)=>new pt("+",t,r=>r)).prefix("-",p.UnarySubtract,(e,t)=>new w("-",t,t,(r,i)=>-i)).infixLeft(".",p.Dot,(e,t,r)=>new xe(e,r)).infixLeft("/",p.Divide,(e,t,r)=>new w("/",e,r,(i,n)=>i/n)).infixLeft("*",p.Multiply,(e,t,r)=>new w("*",e,r,(i,n)=>i*n)).infixLeft("+",p.Add,(e,t,r)=>new 
w("+",e,r,(i,n)=>i+n)).infixLeft("-",p.Subtract,(e,t,r)=>new w("-",e,r,(i,n)=>i-n)).infixLeft("|",p.Union,(e,t,r)=>new gt(e,r)).infixLeft("=",p.Equals,(e,t,r)=>new vt(e,r)).infixLeft("!=",p.NotEquals,(e,t,r)=>new St(e,r)).infixLeft("~",p.Equivalent,(e,t,r)=>new wt(e,r)).infixLeft("!~",p.NotEquivalent,(e,t,r)=>new bt(e,r)).infixLeft("<",p.LessThan,(e,t,r)=>new w("<",e,r,(i,n)=>i<n)).infixLeft("<=",p.LessThanOrEquals,(e,t,r)=>new w("<=",e,r,(i,n)=>i<=n)).infixLeft(">",p.GreaterThan,(e,t,r)=>new w(">",e,r,(i,n)=>i>n)).infixLeft(">=",p.GreaterThanOrEquals,(e,t,r)=>new w(">=",e,r,(i,n)=>i>=n)).infixLeft("&",p.Ampersand,(e,t,r)=>new mt(e,r)).infixLeft("and",p.And,(e,t,r)=>new Et(e,r)).infixLeft("as",p.As,(e,t,r)=>new ht(e,r)).infixLeft("contains",p.Contains,(e,t,r)=>new ft(e,r)).infixLeft("div",p.Divide,(e,t,r)=>new w("div",e,r,(i,n)=>i/n|0)).infixLeft("in",p.In,(e,t,r)=>new yt(e,r)).infixLeft("is",p.Is,(e,t,r)=>new xt(e,r)).infixLeft("mod",p.Modulo,(e,t,r)=>new w("mod",e,r,(i,n)=>i%n)).infixLeft("or",p.Or,(e,t,r)=>new Ct(e,r)).infixLeft("xor",p.Xor,(e,t,r)=>new Pt(e,r)).infixLeft("implies",p.Implies,(e,t,r)=>new Tt(e,r))}var Qt=re();var Nt=(e=>(e.BOOLEAN="BOOLEAN",e.NUMBER="NUMBER",e.QUANTITY="QUANTITY",e.TEXT="TEXT",e.REFERENCE="REFERENCE",e.CANONICAL="CANONICAL",e.DATE="DATE",e.DATETIME="DATETIME",e.PERIOD="PERIOD",e.UUID="UUID",e))(Nt||{});var $t=(e=>(e.EQUALS="eq",e.NOT_EQUALS="ne",e.GREATER_THAN="gt",e.LESS_THAN="lt",e.GREATER_THAN_OR_EQUALS="ge",e.LESS_THAN_OR_EQUALS="le",e.STARTS_AFTER="sa",e.ENDS_BEFORE="eb",e.APPROXIMATELY="ap",e.CONTAINS="contains",e.EXACT="exact",e.TEXT="text",e.NOT="not",e.ABOVE="above",e.BELOW="below",e.IN="in",e.NOT_IN="not-in",e.OF_TYPE="of-type",e.MISSING="missing",e.PRESENT="present",e.IDENTIFIER="identifier",e.ITERATE="iterate",e))($t||{});var 
Lt=(e=>(e.READ="read",e.VREAD="vread",e.UPDATE="update",e.PATCH="patch",e.DELETE="delete",e.HISTORY="history",e.HISTORY_INSTANCE="history-instance",e.HISTORY_TYPE="history-type",e.HISTORY_SYSTEM="history-system",e.CREATE="create",e.SEARCH="search",e.SEARCH_TYPE="search-type",e.SEARCH_SYSTEM="search-system",e.SEARCH_COMPARTMENT="search-compartment",e.CAPABILITIES="capabilities",e.TRANSACTION="transaction",e.BATCH="batch",e.OPERATION="operation",e))(Lt||{});var Mt={CSS:"text/css",DICOM:"application/dicom",FAVICON:"image/vnd.microsoft.icon",FHIR_JSON:"application/fhir+json",FORM_URL_ENCODED:"application/x-www-form-urlencoded",HL7_V2:"x-application/hl7-v2+er7",HTML:"text/html",JAVASCRIPT:"text/javascript",JSON:"application/json",JSON_PATCH:"application/json-patch+json",PNG:"image/png",SCIM_JSON:"application/scim+json",SVG:"image/svg+xml",TEXT:"text/plain",TYPESCRIPT:"text/typescript",PING:"x-application/ping"};var _t;_t=Symbol.toStringTag;var Jt=Mt.FHIR_JSON+", */*; q=0.1";var Ut=(e=>(e.ClientCredentials="client_credentials",e.AuthorizationCode="authorization_code",e.RefreshToken="refresh_token",e.JwtBearer="urn:ietf:params:oauth:grant-type:jwt-bearer",e.TokenExchange="urn:ietf:params:oauth:grant-type:token-exchange",e))(Ut||{}),Bt=(e=>(e.AccessToken="urn:ietf:params:oauth:token-type:access_token",e.RefreshToken="urn:ietf:params:oauth:token-type:refresh_token",e.IdToken="urn:ietf:params:oauth:token-type:id_token",e.Saml1Token="urn:ietf:params:oauth:token-type:saml1",e.Saml2Token="urn:ietf:params:oauth:token-type:saml2",e))(Bt||{}),jt=(e=>(e.ClientSecretBasic="client_secret_basic",e.ClientSecretPost="client_secret_post",e.ClientSecretJwt="client_secret_jwt",e.PrivateKeyJwt="private_key_jwt",e.None="none",e))(jt||{}),Gt=(e=>(e.JwtBearer="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",e))(Gt||{});var Yt=[...Ee,"->","<<",">>","=="];var Kt=re().registerInfix("->",{precedence:p.Arrow}).registerInfix(";",{precedence:p.Semicolon});var Zt=[...Ee,"eq","ne","co"];var 
Xt=re();var Ft=(e=>(e[e.NONE=0]="NONE",e[e.ERROR=1]="ERROR",e[e.WARN=2]="WARN",e[e.INFO=3]="INFO",e[e.DEBUG=4]="DEBUG",e))(Ft||{});var ne=["string","boolean","number"],ie={},se=class{constructor(t){let{region:r}=t;if(!r)throw new C(k("'region' must be defined as a string literal in config."));ie[r]||(ie[r]=new V.SSMClient({region:r})),this.config=t,this.clients={ssm:ie[r]}}async fetchParameterStoreSecret(t){let i=(await this.clients.ssm.send(new V.GetParameterCommand({Name:t,WithDecryption:!0}))).Parameter;if(!i)throw new C(X(`Key '${t}' not found. Make sure your key is correct and that it is defined in your Parameter Store.`));let n=i.Value;if(!n)throw new C(X(`Key '${t}' found but has no value. Make sure your key is correct and that it is defined in your Parameter Store.`));return n}async fetchExternalSecret(t){Ht(t);let{system:r,key:i,type:n}=t,s;switch(r){case"aws_ssm_parameter_store":{s=await this.fetchParameterStoreSecret(i);break}default:throw new C(k(`Unknown system '${r}' for ExternalSecret. 
Unable to fetch the secret for key '${i}'.`))}return qt(i,s,n)}async normalizeInfraConfigArray(t){let r=t[0],i;if(typeof r!="object"&&r!==null||Ce(r)){i=new Array(t.length);for(let n=0;n<t.length;n++){let s=t[n];if(typeof s!="object"){i[n]=s;continue}let a=await this.fetchExternalSecret(s);i[n]=a}}else{i=new Array(t.length);for(let n=0;n<t.length;n++)i[n]=await this.normalizeObjectInInfraConfig(t[n])}return i}async normalizeValueForKey(t,r){let i=t[r];typeof i!="object"?t[r]=i:Ce(i)?t[r]=await this.fetchExternalSecret(i):Array.isArray(i)&&i.length?t[r]=await this.normalizeInfraConfigArray(i):typeof i=="object"&&(t[r]=await this.normalizeObjectInInfraConfig(i))}async normalizeObjectInInfraConfig(t){let r={...t};for(let i of Object.keys(r))await this.normalizeValueForKey(r,i);return r}async normalizeConfig(){return this.normalizeObjectInInfraConfig(this.config)}};function qt(e,t,r){let i=typeof t;if(!ne.includes(i))throw new C(k(`Invalid value found for type; expected either ${ne.join(", or")} but got ${i}`));if(i===r)return t;if(i==="string"&&r==="boolean"){let n=t.toLowerCase();if(n!=="true"&&n!=="false")throw new C(k(`Invalid value found for key '${e}'; expected boolean value but got '${t}'`));return n==="true"}else if(i==="string"&&r==="number"){let n=parseInt(t,10);if(Number.isNaN(n))throw new C(k(`Invalid value found for key '${e}'; expected integer value but got '${t}'`));return n}else throw new C(k(`Invalid value found for type; expected ${r} value but got value of type ${i}`))}function Ce(e){return typeof e=="object"&&typeof e.system=="string"&&typeof e.key=="string"&&typeof e.type=="string"}function Wt(e){return typeof e=="object"&&typeof e.system=="string"&&typeof e.key=="string"&&ne.includes(e.type)}function Ht(e){if(!Wt(e))throw new C(k("obj is not a valid `ExternalSecret`, must contain a valid `system`, `key`, and `type` prop."))}async function Pe(e){return new se(e).normalizeConfig()}var _=require("aws-cdk-lib");var 
o=require("aws-cdk-lib"),Te=require("aws-cdk-lib/aws-ecr"),oe=require("aws-cdk-lib/aws-rds"),Ae=require("constructs");var O=[{name:"AWS-AWSManagedRulesCommonRuleSet",priority:10,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesCommonRuleSet",excludedRules:[{name:"NoUserAgent_HEADER"},{name:"UserAgent_BadBots_HEADER"},{name:"SizeRestrictions_QUERYSTRING"},{name:"SizeRestrictions_Cookie_HEADER"},{name:"SizeRestrictions_BODY"},{name:"SizeRestrictions_URIPATH"},{name:"EC2MetaDataSSRF_BODY"},{name:"EC2MetaDataSSRF_COOKIE"},{name:"EC2MetaDataSSRF_URIPATH"},{name:"EC2MetaDataSSRF_QUERYARGUMENTS"},{name:"GenericLFI_QUERYARGUMENTS"},{name:"GenericLFI_URIPATH"},{name:"GenericLFI_BODY"},{name:"RestrictedExtensions_URIPATH"},{name:"RestrictedExtensions_QUERYARGUMENTS"},{name:"GenericRFI_QUERYARGUMENTS"},{name:"GenericRFI_BODY"},{name:"GenericRFI_URIPATH"},{name:"CrossSiteScripting_COOKIE"},{name:"CrossSiteScripting_QUERYARGUMENTS"},{name:"CrossSiteScripting_BODY"},{name:"CrossSiteScripting_URIPATH"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWS-AWSManagedRulesCommonRuleSet"}},{name:"AWS-AWSManagedRulesAmazonIpReputationList",priority:20,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesAmazonIpReputationList",excludedRules:[{name:"AWSManagedIPReputationList"},{name:"AWSManagedReconnaissanceList"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesAmazonIpReputationList"}},{name:"AWSManagedRulesSQLiRuleSet",priority:30,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesSQLiRuleSet"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesSQLiRuleSet",excludedRules:[{name:"SQLi_QUERYARGUMENTS"},{name:"SQLiExtendedPatterns_QUERYARGUMENTS"},{name:"SQLi_BODY"},{name:"SQLiExtendedPatterns_BODY"
},{name:"SQLi_COOKIE"},{name:"SQLi_URIPATH"}]}}},{name:"AWSManagedRuleLinux",priority:40,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRuleLinux"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesLinuxRuleSet",excludedRules:[{name:"LFI_URIPATH"},{name:"LFI_QUERYSTRING"},{name:"LFI_COOKIE"}]}}}];var j=class extends Ae.Construct{constructor(t,r){super(t,"BackEnd");let i=r.name,n=r.accountNumber,s=r.region;if(r.vpcId)this.vpc=o.aws_ec2.Vpc.fromLookup(this,"VPC",{vpcId:r.vpcId});else{let c=new o.aws_logs.LogGroup(this,"VpcFlowLogs",{logGroupName:"/medplum/flowlogs/"+i,removalPolicy:o.RemovalPolicy.DESTROY});this.vpc=new o.aws_ec2.Vpc(this,"VPC",{maxAzs:r.maxAzs,flowLogs:{cloudwatch:{destination:o.aws_ec2.FlowLogDestination.toCloudWatchLogs(c),trafficType:o.aws_ec2.FlowLogTrafficType.ALL}}})}if(this.botLambdaRole=new o.aws_iam.Role(this,"BotLambdaRole",{assumedBy:new o.aws_iam.ServicePrincipal("lambda.amazonaws.com")}),this.rdsSecretsArn=r.rdsSecretsArn,!this.rdsSecretsArn){let c={enablePerformanceInsights:!0,isFromLegacyInstanceProps:!0},m=r.rdsReaderInstanceType??r.rdsInstanceType,P={...c,instanceType:m?new o.aws_ec2.InstanceType(m):void 0},b=r.rdsInstanceType,F={...c,instanceType:b?new o.aws_ec2.InstanceType(b):void 0},U;if(r.rdsInstances>1){U=[];for(let Y=1;Y<r.rdsInstances;Y++)U.push(oe.ClusterInstance.provisioned("Instance"+(Y+1),P))}this.rdsCluster=new 
o.aws_rds.DatabaseCluster(this,"DatabaseCluster",{engine:o.aws_rds.DatabaseClusterEngine.auroraPostgres({version:r.rdsInstanceVersion?o.aws_rds.AuroraPostgresEngineVersion.of(r.rdsInstanceVersion,r.rdsInstanceVersion.slice(0,r.rdsInstanceVersion.indexOf(".")),{s3Import:!0,s3Export:!0}):o.aws_rds.AuroraPostgresEngineVersion.VER_12_9}),credentials:o.aws_rds.Credentials.fromGeneratedSecret("clusteradmin"),defaultDatabaseName:"medplum",storageEncrypted:!0,vpc:this.vpc,vpcSubnets:{subnetType:o.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},writer:oe.ClusterInstance.provisioned("Instance1",F),readers:U,backup:{retention:o.Duration.days(7)},cloudwatchLogsExports:["postgresql"],instanceUpdateBehaviour:o.aws_rds.InstanceUpdateBehaviour.ROLLING}),this.rdsSecretsArn=this.rdsCluster.secret.secretArn,r.rdsProxyEnabled&&(this.rdsProxy=new o.aws_rds.DatabaseProxy(this,"DatabaseProxy",{proxyTarget:o.aws_rds.ProxyTarget.fromCluster(this.rdsCluster),secrets:[this.rdsCluster.secret],vpc:this.vpc}))}if(this.redisSubnetGroup=new o.aws_elasticache.CfnSubnetGroup(this,"RedisSubnetGroup",{description:"Redis Subnet Group",subnetIds:this.vpc.privateSubnets.map(c=>c.subnetId)}),r.cacheSecurityGroupId?this.redisSecurityGroup=o.aws_ec2.SecurityGroup.fromSecurityGroupId(this,"RedisSecurityGroup",r.cacheSecurityGroupId):this.redisSecurityGroup=new o.aws_ec2.SecurityGroup(this,"RedisSecurityGroup",{vpc:this.vpc,description:"Redis Security Group",allowAllOutbound:!1}),this.redisPassword=new o.aws_secretsmanager.Secret(this,"RedisPassword",{generateSecretString:{secretStringTemplate:"{}",generateStringKey:"password",excludeCharacters:"@%*()_+=`~{}|[]\\:\";'?,./"}}),this.redisCluster=new 
o.aws_elasticache.CfnReplicationGroup(this,"RedisCluster",{engine:"Redis",engineVersion:"6.x",cacheNodeType:r.cacheNodeType??"cache.t2.medium",replicationGroupDescription:"RedisReplicationGroup",authToken:this.redisPassword.secretValueFromJson("password").toString(),transitEncryptionEnabled:!0,atRestEncryptionEnabled:!0,multiAzEnabled:!0,cacheSubnetGroupName:this.redisSubnetGroup.ref,numNodeGroups:1,replicasPerNodeGroup:1,securityGroupIds:[this.redisSecurityGroup.securityGroupId]}),this.redisCluster.node.addDependency(this.redisPassword),this.redisSecrets=new o.aws_secretsmanager.Secret(this,"RedisSecrets",{generateSecretString:{secretStringTemplate:JSON.stringify({host:this.redisCluster.attrPrimaryEndPointAddress,port:this.redisCluster.attrPrimaryEndPointPort,password:this.redisPassword.secretValueFromJson("password").toString(),tls:{}}),generateStringKey:"unused"}}),this.redisSecrets.node.addDependency(this.redisPassword),this.redisSecrets.node.addDependency(this.redisCluster),this.ecsCluster=new o.aws_ecs.Cluster(this,"Cluster",{vpc:this.vpc}),this.taskRolePolicies=new o.aws_iam.PolicyDocument({statements:[new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["logs:PutLogEvents","logs:CreateLogGroup","logs:CreateLogStream","logs:DescribeLogStreams","logs:DescribeLogGroups","logs:PutRetentionPolicy"],resources:[`arn:aws:logs:${s}:${n}:log-group:/ecs/medplum/${i}/*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["secretsmanager:GetResourcePolicy","secretsmanager:GetSecretValue","secretsmanager:DescribeSecret","secretsmanager:ListSecrets","secretsmanager:ListSecretVersionIds"],resources:[`arn:aws:secretsmanager:${s}:${n}:secret:*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["ssm:GetParametersByPath","ssm:GetParameters","ssm:GetParameter","ssm:DescribeParameters"],resources:[`arn:aws:ssm:${s}:${n}:parameter/medplum/${i}/*`]}),new 
o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["ses:SendEmail","ses:SendRawEmail"],resources:[`arn:aws:ses:${s}:${n}:identity/*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["s3:ListBucket"],resources:[`arn:aws:s3:::${r.storageBucketName}`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["s3:GetObject","s3:PutObject","s3:DeleteObject"],resources:[`arn:aws:s3:::${r.storageBucketName}/*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["iam:ListRoles","iam:GetRole","iam:PassRole"],resources:[this.botLambdaRole.roleArn]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["lambda:CreateFunction","lambda:GetFunction","lambda:GetFunctionConfiguration","lambda:UpdateFunctionCode","lambda:UpdateFunctionConfiguration","lambda:InvokeFunction"],resources:[`arn:aws:lambda:${s}:${n}:function:medplum-bot-lambda-*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["lambda:ListLayerVersions"],resources:[`arn:aws:lambda:${s}:${n}:layer:medplum-bot-layer`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["lambda:GetLayerVersion"],resources:[`arn:aws:lambda:${s}:${n}:layer:medplum-bot-layer:*`]}),new o.aws_iam.PolicyStatement({effect:o.aws_iam.Effect.ALLOW,actions:["xray:PutTraceSegments","xray:PutTelemetryRecords","xray:GetSamplingRules","xray:GetSamplingTargets","xray:GetSamplingStatisticSummaries"],resources:["*"]})]}),this.taskRole=new o.aws_iam.Role(this,"TaskExecutionRole",{assumedBy:new o.aws_iam.ServicePrincipal("ecs-tasks.amazonaws.com"),description:"Medplum Server Task Execution Role",inlinePolicies:{TaskExecutionPolicies:this.taskRolePolicies}}),this.taskDefinition=new o.aws_ecs.FargateTaskDefinition(this,"TaskDefinition",{memoryLimitMiB:r.serverMemory,cpu:r.serverCpu,taskRole:this.taskRole}),this.logGroup=new 
o.aws_logs.LogGroup(this,"LogGroup",{logGroupName:"/ecs/medplum/"+i,removalPolicy:o.RemovalPolicy.DESTROY}),this.logDriver=new o.aws_ecs.AwsLogDriver({logGroup:this.logGroup,streamPrefix:"Medplum"}),this.serviceContainer=this.taskDefinition.addContainer("MedplumTaskDefinition",{image:this.getContainerImage(r,r.serverImage),command:[s==="us-east-1"?`aws:/medplum/${i}/`:`aws:${s}:/medplum/${i}/`],logging:this.logDriver,environment:r.environment}),this.serviceContainer.addPortMappings({containerPort:r.apiPort,hostPort:r.apiPort}),r.additionalContainers)for(let c of r.additionalContainers)this.taskDefinition.addContainer("AdditionalContainer-"+c.name,{containerName:c.name,image:this.getContainerImage(r,c.image),command:c.command,environment:c.environment,logging:this.logDriver});this.fargateSecurityGroup=new o.aws_ec2.SecurityGroup(this,"ServiceSecurityGroup",{allowAllOutbound:!0,securityGroupName:"MedplumSecurityGroup",vpc:this.vpc}),this.fargateService=new o.aws_ecs.FargateService(this,"FargateService",{cluster:this.ecsCluster,taskDefinition:this.taskDefinition,assignPublicIp:!1,vpcSubnets:{subnetType:o.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},desiredCount:r.desiredServerCount,securityGroups:[this.fargateSecurityGroup],healthCheckGracePeriod:o.Duration.minutes(5)}),r.fargateAutoScaling&&this.fargateService.autoScaleTaskCount({minCapacity:r.fargateAutoScaling.minCapacity,maxCapacity:r.fargateAutoScaling.maxCapacity}).scaleOnCpuUtilization("CpuScaling",{targetUtilizationPercent:r.fargateAutoScaling.targetUtilizationPercent,scaleInCooldown:o.Duration.seconds(r.fargateAutoScaling.scaleInCooldown),scaleOutCooldown:o.Duration.seconds(r.fargateAutoScaling.scaleOutCooldown)}),this.rdsCluster&&this.fargateService.node.addDependency(this.rdsCluster),this.rdsProxy&&this.fargateService.node.addDependency(this.rdsProxy),this.fargateService.node.addDependency(this.redisCluster),this.targetGroup=new 
o.aws_elasticloadbalancingv2.ApplicationTargetGroup(this,"TargetGroup",{vpc:this.vpc,port:r.apiPort,protocol:o.aws_elasticloadbalancingv2.ApplicationProtocol.HTTP,healthCheck:{path:"/healthcheck",interval:o.Duration.seconds(30),timeout:o.Duration.seconds(3),healthyThresholdCount:2,unhealthyThresholdCount:5},targets:[this.fargateService]});let a;if(r.loadBalancerSecurityGroupId&&(a=o.aws_ec2.SecurityGroup.fromSecurityGroupId(this,"LoadBalancerSecurityGroup",r.loadBalancerSecurityGroupId)),this.loadBalancer=new o.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this,"LoadBalancer",{vpc:this.vpc,internetFacing:r.apiInternetFacing!==!1,http2Enabled:!0,securityGroup:a}),r.loadBalancerLoggingBucket&&this.loadBalancer.logAccessLogs(o.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",r.loadBalancerLoggingBucket),r.loadBalancerLoggingPrefix),this.loadBalancer.addListener("HttpsListener",{port:443,certificates:[{certificateArn:r.apiSslCertArn}],sslPolicy:o.aws_elasticloadbalancingv2.SslPolicy.FORWARD_SECRECY_TLS12_RES_GCM,defaultAction:o.aws_elasticloadbalancingv2.ListenerAction.forward([this.targetGroup])}),this.waf=new o.aws_wafv2.CfnWebACL(this,"BackEndWAF",{defaultAction:{allow:{}},scope:"REGIONAL",name:`${r.stackName}-BackEndWAF`,rules:O,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${r.stackName}-BackEndWAF-Metric`,sampledRequestsEnabled:!1}}),this.wafAssociation=new o.aws_wafv2.CfnWebACLAssociation(this,"LoadBalancerAssociation",{resourceArn:this.loadBalancer.loadBalancerArn,webAclArn:this.waf.attrArn}),this.rdsCluster&&this.rdsCluster.connections.allowDefaultPortFrom(this.fargateSecurityGroup),this.rdsProxy&&this.rdsProxy.connections.allowFrom(this.fargateSecurityGroup,o.aws_ec2.Port.tcp(5432)),this.redisSecurityGroup.addIngressRule(this.fargateSecurityGroup,o.aws_ec2.Port.tcp(6379)),!r.skipDns){let c=r.hostedZoneName??r.domainName.split(".").slice(-2).join("."),m=o.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:c});this.dnsRecord=new 
o.aws_route53.ARecord(this,"LoadBalancerAliasRecord",{recordName:r.apiDomainName,target:o.aws_route53.RecordTarget.fromAlias(new o.aws_route53_targets.LoadBalancerTarget(this.loadBalancer)),zone:m})}this.regionParameter=new o.aws_ssm.StringParameter(this,"RegionParameter",{tier:o.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${i}/awsRegion`,description:"AWS region",stringValue:r.region}),this.databaseSecretsParameter=new o.aws_ssm.StringParameter(this,"DatabaseSecretsParameter",{tier:o.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${i}/DatabaseSecrets`,description:"Database secrets ARN",stringValue:this.rdsSecretsArn}),this.rdsProxy&&(this.databaseProxyEndpointParameter=new o.aws_ssm.StringParameter(this,"DatabaseProxyEndpointParameter",{tier:o.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${i}/databaseProxyEndpoint`,description:"Database proxy endpoint",stringValue:this.rdsProxy?.endpoint})),this.redisSecretsParameter=new o.aws_ssm.StringParameter(this,"RedisSecretsParameter",{tier:o.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${i}/RedisSecrets`,description:"Redis secrets ARN",stringValue:this.redisSecrets.secretArn}),this.botLambdaRoleParameter=new o.aws_ssm.StringParameter(this,"BotLambdaRoleParameter",{tier:o.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${i}/botLambdaRoleArn`,description:"Bot lambda execution role ARN",stringValue:this.botLambdaRole.roleArn})}getContainerImage(t,r){let n=new RegExp(`^${t.accountNumber}\\.dkr\\.ecr\\.${t.region}\\.amazonaws\\.com/(.*)[:@](.*)$`).exec(r),s=n?.[1],a=n?.[2];if(s&&a){let c=Te.Repository.fromRepositoryArn(this,"ServerImageRepo",`arn:aws:ecr:${t.region}:${t.accountNumber}:repository/${s}`);return o.aws_ecs.ContainerImage.fromEcrRepository(c,a)}return o.aws_ecs.ContainerImage.fromRegistry(r)}};var f=require("aws-cdk-lib"),Re=require("constructs"),$=class extends 
Re.Construct{constructor(t,r){if(super(t,"CloudTrailAlarms"),this.config=r,!r.cloudTrailAlarms)return;r.cloudTrailAlarms.logGroupCreate?(this.logGroup=new f.aws_logs.LogGroup(this,"CloudTrailLogGroup",{logGroupName:r.cloudTrailAlarms.logGroupName,retention:f.aws_logs.RetentionDays.ONE_YEAR}),this.cloudTrail=new f.aws_cloudtrail.Trail(this,"CloudTrail",{sendToCloudWatchLogs:!0,cloudWatchLogGroup:this.logGroup,includeGlobalServiceEvents:!0})):this.logGroup=f.aws_logs.LogGroup.fromLogGroupName(this,"CloudTrailLogGroup",r.cloudTrailAlarms.logGroupName),r.cloudTrailAlarms.snsTopicArn?this.alarmTopic=f.aws_sns.Topic.fromTopicArn(this,"AlarmTopic",r.cloudTrailAlarms.snsTopicArn):this.alarmTopic=new f.aws_sns.Topic(this,"AlarmTopic",{topicName:r.cloudTrailAlarms.snsTopicName});let i=[["UnauthorizedApiCalls","{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) }"],["SignInWithoutMfa","{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }"],["RootAccountUsage","{ $.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent }"],["IamPolicyChanges","{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"],["CloudTrailConfigurationChanges","{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"],["SignInFailures",'{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'],["DisabledCmks","{($.eventSource = kms.amazonaws.com) && 
(($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }"],["S3PolicyChanges","{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"],["ConfigServiceChanges","{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"],["SecurityGroupChanges","{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"],["NetworkAclChanges","{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"],["NetworkGatewayChanges","{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"],["RouteTableChanges","{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"],["VpcChanges","{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = 
CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"],["OrganizationsChanges","{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUnit)) }"]];for(let[n,s]of i)this.createMetricAlarm(n,s)}createMetricAlarm(t,r){let i=`${this.config.stackName}${t}MetricFilter`,n=`${this.config.stackName}${t}Metric`,s=`${this.config.stackName}Metrics`,a=`${this.config.stackName}${t}Alarm`,c=new f.aws_logs.MetricFilter(this,i,{logGroup:this.logGroup,filterPattern:{logPatternString:r},metricNamespace:s,metricName:n});new f.aws_cloudwatch.Alarm(this,a,{metric:c.metric({}),threshold:1,evaluationPeriods:1,alarmName:a,actionsEnabled:!0,treatMissingData:f.aws_cloudwatch.TreatMissingData.NOT_BREACHING,comparisonOperator:f.aws_cloudwatch.ComparisonOperator.GREATER_THAN_THRESHOLD,datapointsToAlarm:1}).addAlarmAction(new f.aws_cloudwatch_actions.SnsAction(this.alarmTopic))}};var d=require("aws-cdk-lib"),Ie=require("constructs");var ke=require("aws-cdk-lib");function z(e,t){let r=new ke.aws_iam.PolicyStatement;return 
r.addActions("s3:GetObject*"),r.addActions("s3:GetBucket*"),r.addActions("s3:List*"),r.addResources(e.bucketArn),r.addResources(`${e.bucketArn}/*`),r.addCanonicalUserPrincipal(t.cloudFrontOriginAccessIdentityS3CanonicalUserId),e.addToResourcePolicy(r),r}var L=class extends Ie.Construct{constructor(t,r,i){if(super(t,"FrontEnd"),i===r.region?this.appBucket=new d.aws_s3.Bucket(this,"AppBucket",{bucketName:r.appDomainName,publicReadAccess:!1,blockPublicAccess:d.aws_s3.BlockPublicAccess.BLOCK_ALL,removalPolicy:d.RemovalPolicy.DESTROY,encryption:d.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}):this.appBucket=d.aws_s3.Bucket.fromBucketAttributes(this,"AppBucket",{bucketName:r.appDomainName,region:r.region}),i==="us-east-1"&&(this.responseHeadersPolicy=new d.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{customHeadersBehavior:{customHeaders:[{header:"Permission-Policy",value:"accelerometer=(), camera=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()",override:!0}]},securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:["default-src 'none'","base-uri 'self'","child-src 'self'",`connect-src 'self' ${r.apiDomainName} *.google.com`,"font-src 'self' fonts.gstatic.com","form-action 'self' *.gstatic.com *.google.com","frame-ancestors 'none'",`frame-src 'self' ${r.storageDomainName} *.medplum.com *.gstatic.com *.google.com`,`img-src 'self' data: ${r.storageDomainName} *.gstatic.com *.google.com *.googleapis.com`,"manifest-src 'self'",`media-src 'self' ${r.storageDomainName}`,"script-src 'self' *.medplum.com *.gstatic.com *.google.com","style-src 'self' 'unsafe-inline' *.medplum.com *.gstatic.com *.google.com","worker-src 'self' blob: *.gstatic.com *.google.com","upgrade-insecure-requests"].join("; 
"),override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:d.aws_cloudfront.HeadersFrameOption.DENY,override:!0},referrerPolicy:{referrerPolicy:d.aws_cloudfront.HeadersReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN,override:!0},strictTransportSecurity:{accessControlMaxAge:d.Duration.seconds(63072e3),includeSubdomains:!0,preload:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),this.waf=new d.aws_wafv2.CfnWebACL(this,"FrontEndWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${r.stackName}-FrontEndWAF`,rules:O,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${r.stackName}-FrontEndWAF-Metric`,sampledRequestsEnabled:!1}}),this.apiOriginCachePolicy=new d.aws_cloudfront.CachePolicy(this,"ApiOriginCachePolicy",{cachePolicyName:`${r.stackName}-ApiOriginCachePolicy`,cookieBehavior:d.aws_cloudfront.CacheCookieBehavior.all(),headerBehavior:d.aws_cloudfront.CacheHeaderBehavior.allowList("Authorization","Content-Encoding","Content-Type","If-None-Match","Origin","Referer","User-Agent","X-Medplum"),queryStringBehavior:d.aws_cloudfront.CacheQueryStringBehavior.all()}),this.originAccessIdentity=new d.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{}),this.originAccessPolicyStatement=z(this.appBucket,this.originAccessIdentity),this.distribution=new d.aws_cloudfront.Distribution(this,"AppDistribution",{defaultRootObject:"index.html",defaultBehavior:{origin:new d.aws_cloudfront_origins.S3Origin(this.appBucket,{originAccessIdentity:this.originAccessIdentity}),responseHeadersPolicy:this.responseHeadersPolicy,viewerProtocolPolicy:d.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS},additionalBehaviors:r.appApiProxy?{"/api/*":{origin:new d.aws_cloudfront_origins.HttpOrigin(r.apiDomainName),allowedMethods:d.aws_cloudfront.AllowedMethods.ALLOW_ALL,cachePolicy:this.apiOriginCachePolicy,viewerProtocolPolicy:d.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS}}:void 
0,certificate:d.aws_certificatemanager.Certificate.fromCertificateArn(this,"AppCertificate",r.appSslCertArn),domainNames:[r.appDomainName],errorResponses:[{httpStatus:403,responseHttpStatus:200,responsePagePath:"/index.html"},{httpStatus:404,responseHttpStatus:200,responsePagePath:"/index.html"}],webAclId:this.waf.attrArn,logBucket:r.appLoggingBucket?d.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",r.appLoggingBucket):void 0,logFilePrefix:r.appLoggingPrefix}),!r.skipDns)){let n=r.hostedZoneName??r.domainName.split(".").slice(-2).join("."),s=d.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:n});this.dnsRecord=new d.aws_route53.ARecord(this,"AppAliasRecord",{recordName:r.appDomainName,target:d.aws_route53.RecordTarget.fromAlias(new d.aws_route53_targets.CloudFrontTarget(this.distribution)),zone:s})}}};var h=require("aws-cdk-lib"),De=require("cdk-serverless-clamscan"),Oe=require("constructs");var M=class extends Oe.Construct{constructor(t,r,i){if(super(t,"Storage"),i===r.region?(this.storageBucket=new h.aws_s3.Bucket(this,"StorageBucket",{bucketName:r.storageBucketName,publicReadAccess:!1,blockPublicAccess:h.aws_s3.BlockPublicAccess.BLOCK_ALL,encryption:h.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}),r.clamscanEnabled&&new De.ServerlessClamscan(this,"ServerlessClamscan",{defsBucketAccessLogsConfig:{logsBucket:h.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",r.clamscanLoggingBucket),logsPrefix:r.clamscanLoggingPrefix}}).addSourceBucket(this.storageBucket)):this.storageBucket=h.aws_s3.Bucket.fromBucketAttributes(this,"StorageBucket",{bucketName:r.storageBucketName,region:r.region}),i==="us-east-1"){let n;if(r.signingKeyId?n=h.aws_cloudfront.PublicKey.fromPublicKeyId(this,"StoragePublicKey",r.signingKeyId):n=new h.aws_cloudfront.PublicKey(this,"StoragePublicKey",{encodedKey:r.storagePublicKey}),this.keyGroup=new h.aws_cloudfront.KeyGroup(this,"StorageKeyGroup",{items:[n]}),this.responseHeadersPolicy=new 
h.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{customHeadersBehavior:{customHeaders:[{header:"Permission-Policy",value:"accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()",override:!0}]},securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:"default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors *;",override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:h.aws_cloudfront.HeadersFrameOption.DENY,override:!0},referrerPolicy:{referrerPolicy:h.aws_cloudfront.HeadersReferrerPolicy.NO_REFERRER,override:!0},strictTransportSecurity:{accessControlMaxAge:h.Duration.seconds(63072e3),includeSubdomains:!0,preload:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),this.waf=new h.aws_wafv2.CfnWebACL(this,"StorageWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${r.stackName}-StorageWAF`,rules:O,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${r.stackName}-StorageWAF-Metric`,sampledRequestsEnabled:!1}}),this.originAccessIdentity=new h.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{}),this.originAccessPolicyStatement=z(this.storageBucket,this.originAccessIdentity),this.distribution=new h.aws_cloudfront.Distribution(this,"StorageDistribution",{defaultBehavior:{origin:new h.aws_cloudfront_origins.S3Origin(this.storageBucket,{originAccessIdentity:this.originAccessIdentity}),responseHeadersPolicy:this.responseHeadersPolicy,viewerProtocolPolicy:h.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,trustedKeyGroups:[this.keyGroup]},certificate:h.aws_certificatemanager.Certificate.fromCertificateArn(this,"StorageCertificate",r.storageSslCertArn),domainNames:[r.storageDomainName],webAclId:this.waf.attrArn,logBucket:r.storageLoggingBucket?h.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",r.storageLoggingBucket):void 0,logFilePrefix:r.storageLoggingPrefix}),!r.skipDns){let 
s=r.hostedZoneName??r.domainName.split(".").slice(-2).join("."),a=h.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:s});this.dnsRecord=new h.aws_route53.ARecord(this,"StorageAliasRecord",{recordName:r.storageDomainName,target:h.aws_route53.RecordTarget.fromAlias(new h.aws_route53_targets.CloudFrontTarget(this.distribution)),zone:a})}}}};var G=class{constructor(t,r){this.primaryStack=new Q(t,r),r.region!=="us-east-1"&&(this.globalStack=new J(t,r),this.globalStack.addDependency(this.primaryStack))}},Q=class extends _.Stack{constructor(t,r){super(t,r.stackName,{env:{region:r.region,account:r.accountNumber}}),_.Tags.of(this).add("medplum:environment",r.name),this.backEnd=new j(this,r),this.frontEnd=new L(this,r,r.region),this.storage=new M(this,r,r.region),this.cloudTrail=new $(this,r)}},J=class extends _.Stack{constructor(t,r){super(t,r.stackName+"-us-east-1",{env:{region:"us-east-1",account:r.accountNumber}}),_.Tags.of(this).add("medplum:environment",r.name),this.frontEnd=new L(this,r,"us-east-1"),this.storage=new M(this,r,"us-east-1"),this.cloudTrail=new $(this,r)}};function Me(e){let t=new Ne.App({context:e}),r=t.node.tryGetContext("config");if(!r){console.log('Missing "config" context variable'),console.log("Usage: cdk deploy -c config=my-config.json");return}let i=JSON.parse((0,$e.readFileSync)((0,Le.resolve)(r),"utf-8"));Pe(i).then(n=>{let s=new G(t,n);console.log("Stack",s.primaryStack.stackId),t.synth()}).catch(n=>{console.error(n),process.exit(1)})}require.main===module&&Me();0&&(module.exports={BackEnd,CloudTrailAlarms,FrontEnd,MedplumGlobalStack,MedplumPrimaryStack,MedplumStack,Storage,awsManagedRules,main});
1
+ "use strict";var I=Object.defineProperty;var Q=Object.getOwnPropertyDescriptor;var j=Object.getOwnPropertyNames;var q=Object.prototype.hasOwnProperty;var Z=(i,r)=>{for(var e in r)I(i,e,{get:r[e],enumerable:!0})},J=(i,r,e,a)=>{if(r&&typeof r=="object"||typeof r=="function")for(let s of j(r))!q.call(i,s)&&s!==e&&I(i,s,{get:()=>r[s],enumerable:!(a=Q(r,s))||a.enumerable});return i};var X=i=>J(I({},"__esModule",{value:!0}),i);var ae={};Z(ae,{BackEnd:()=>P,CloudTrailAlarms:()=>g,FrontEnd:()=>h,MedplumGlobalStack:()=>R,MedplumPrimaryStack:()=>C,MedplumStack:()=>A,Storage:()=>y,awsManagedRules:()=>p,main:()=>V});module.exports=X(ae);var U=require("aws-cdk-lib"),H=require("fs"),z=require("path");var v=require("@aws-sdk/client-ssm"),l=require("@medplum/core"),k=["string","boolean","number"],E={},T=class{constructor(r){let{region:e}=r;if(!e)throw new l.OperationOutcomeError((0,l.validationError)("'region' must be defined as a string literal in config."));E[e]||(E[e]=new v.SSMClient({region:e})),this.config=r,this.clients={ssm:E[e]}}async fetchParameterStoreSecret(r){let a=(await this.clients.ssm.send(new v.GetParameterCommand({Name:r,WithDecryption:!0}))).Parameter;if(!a)throw new l.OperationOutcomeError((0,l.badRequest)(`Key '${r}' not found. Make sure your key is correct and that it is defined in your Parameter Store.`));let s=a.Value;if(!s)throw new l.OperationOutcomeError((0,l.badRequest)(`Key '${r}' found but has no value. Make sure your key is correct and that it is defined in your Parameter Store.`));return s}async fetchExternalSecret(r){re(r);let{system:e,key:a,type:s}=r,c;switch(e){case"aws_ssm_parameter_store":{c=await this.fetchParameterStoreSecret(a);break}default:throw new l.OperationOutcomeError((0,l.validationError)(`Unknown system '${e}' for ExternalSecret. 
Unable to fetch the secret for key '${a}'.`))}return ee(a,c,s)}async normalizeInfraConfigArray(r){let e=r[0],a;if(typeof e!="object"&&e!==null||$(e)){a=new Array(r.length);for(let s=0;s<r.length;s++){let c=r[s];if(typeof c!="object"){a[s]=c;continue}let d=await this.fetchExternalSecret(c);a[s]=d}}else{a=new Array(r.length);for(let s=0;s<r.length;s++)a[s]=await this.normalizeObjectInInfraConfig(r[s])}return a}async normalizeValueForKey(r,e){let a=r[e];typeof a!="object"?r[e]=a:$(a)?r[e]=await this.fetchExternalSecret(a):Array.isArray(a)&&a.length?r[e]=await this.normalizeInfraConfigArray(a):typeof a=="object"&&(r[e]=await this.normalizeObjectInInfraConfig(a))}async normalizeObjectInInfraConfig(r){let e={...r};for(let a of Object.keys(e))await this.normalizeValueForKey(e,a);return e}async normalizeConfig(){return this.normalizeObjectInInfraConfig(this.config)}};function ee(i,r,e){let a=typeof r;if(!k.includes(a))throw new l.OperationOutcomeError((0,l.validationError)(`Invalid value found for type; expected either ${k.join(", or")} but got ${a}`));if(a===e)return r;if(a==="string"&&e==="boolean"){let s=r.toLowerCase();if(s!=="true"&&s!=="false")throw new l.OperationOutcomeError((0,l.validationError)(`Invalid value found for key '${i}'; expected boolean value but got '${r}'`));return s==="true"}else if(a==="string"&&e==="number"){let s=parseInt(r,10);if(Number.isNaN(s))throw new l.OperationOutcomeError((0,l.validationError)(`Invalid value found for key '${i}'; expected integer value but got '${r}'`));return s}else throw new l.OperationOutcomeError((0,l.validationError)(`Invalid value found for type; expected ${e} value but got value of type ${a}`))}function $(i){return typeof i=="object"&&typeof i.system=="string"&&typeof i.key=="string"&&typeof i.type=="string"}function te(i){return typeof i=="object"&&typeof i.system=="string"&&typeof i.key=="string"&&k.includes(i.type)}function re(i){if(!te(i))throw new l.OperationOutcomeError((0,l.validationError)("obj is not a 
valid `ExternalSecret`, must contain a valid `system`, `key`, and `type` prop."))}async function G(i){return new T(i).normalizeConfig()}var f=require("aws-cdk-lib");var t=require("aws-cdk-lib"),x=require("aws-cdk-lib/aws-ecr"),D=require("aws-cdk-lib/aws-rds"),B=require("constructs");var p=[{name:"AWS-AWSManagedRulesCommonRuleSet",priority:10,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesCommonRuleSet",excludedRules:[{name:"NoUserAgent_HEADER"},{name:"UserAgent_BadBots_HEADER"},{name:"SizeRestrictions_QUERYSTRING"},{name:"SizeRestrictions_Cookie_HEADER"},{name:"SizeRestrictions_BODY"},{name:"SizeRestrictions_URIPATH"},{name:"EC2MetaDataSSRF_BODY"},{name:"EC2MetaDataSSRF_COOKIE"},{name:"EC2MetaDataSSRF_URIPATH"},{name:"EC2MetaDataSSRF_QUERYARGUMENTS"},{name:"GenericLFI_QUERYARGUMENTS"},{name:"GenericLFI_URIPATH"},{name:"GenericLFI_BODY"},{name:"RestrictedExtensions_URIPATH"},{name:"RestrictedExtensions_QUERYARGUMENTS"},{name:"GenericRFI_QUERYARGUMENTS"},{name:"GenericRFI_BODY"},{name:"GenericRFI_URIPATH"},{name:"CrossSiteScripting_COOKIE"},{name:"CrossSiteScripting_QUERYARGUMENTS"},{name:"CrossSiteScripting_BODY"},{name:"CrossSiteScripting_URIPATH"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWS-AWSManagedRulesCommonRuleSet"}},{name:"AWS-AWSManagedRulesAmazonIpReputationList",priority:20,statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesAmazonIpReputationList",excludedRules:[{name:"AWSManagedIPReputationList"},{name:"AWSManagedReconnaissanceList"}]}},overrideAction:{count:{}},visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesAmazonIpReputationList"}},{name:"AWSManagedRulesSQLiRuleSet",priority:30,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRulesSQLiRuleSet"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWS
ManagedRulesSQLiRuleSet",excludedRules:[{name:"SQLi_QUERYARGUMENTS"},{name:"SQLiExtendedPatterns_QUERYARGUMENTS"},{name:"SQLi_BODY"},{name:"SQLiExtendedPatterns_BODY"},{name:"SQLi_COOKIE"},{name:"SQLi_URIPATH"}]}}},{name:"AWSManagedRuleLinux",priority:40,visibilityConfig:{sampledRequestsEnabled:!0,cloudWatchMetricsEnabled:!0,metricName:"AWSManagedRuleLinux"},overrideAction:{count:{}},statement:{managedRuleGroupStatement:{vendorName:"AWS",name:"AWSManagedRulesLinuxRuleSet",excludedRules:[{name:"LFI_URIPATH"},{name:"LFI_QUERYSTRING"},{name:"LFI_COOKIE"}]}}}];var P=class extends B.Construct{constructor(r,e){super(r,"BackEnd");let a=e.name,s=e.accountNumber,c=e.region;if(e.vpcId)this.vpc=t.aws_ec2.Vpc.fromLookup(this,"VPC",{vpcId:e.vpcId});else{let m=new t.aws_logs.LogGroup(this,"VpcFlowLogs",{logGroupName:"/medplum/flowlogs/"+a,removalPolicy:t.RemovalPolicy.DESTROY});this.vpc=new t.aws_ec2.Vpc(this,"VPC",{maxAzs:e.maxAzs,flowLogs:{cloudwatch:{destination:t.aws_ec2.FlowLogDestination.toCloudWatchLogs(m),trafficType:t.aws_ec2.FlowLogTrafficType.ALL}}})}if(this.botLambdaRole=new t.aws_iam.Role(this,"BotLambdaRole",{assumedBy:new t.aws_iam.ServicePrincipal("lambda.amazonaws.com")}),this.rdsSecretsArn=e.rdsSecretsArn,!this.rdsSecretsArn){let m={enablePerformanceInsights:!0,isFromLegacyInstanceProps:!0},S=e.rdsReaderInstanceType??e.rdsInstanceType,K={...m,instanceType:S?new t.aws_ec2.InstanceType(S):void 0},L=e.rdsInstanceType,Y={...m,instanceType:L?new t.aws_ec2.InstanceType(L):void 0},N;if(e.rdsInstances>1){N=[];for(let b=1;b<e.rdsInstances;b++)N.push(D.ClusterInstance.provisioned("Instance"+(b+1),K))}this.rdsCluster=new 
t.aws_rds.DatabaseCluster(this,"DatabaseCluster",{engine:t.aws_rds.DatabaseClusterEngine.auroraPostgres({version:e.rdsInstanceVersion?t.aws_rds.AuroraPostgresEngineVersion.of(e.rdsInstanceVersion,e.rdsInstanceVersion.slice(0,e.rdsInstanceVersion.indexOf(".")),{s3Import:!0,s3Export:!0}):t.aws_rds.AuroraPostgresEngineVersion.VER_12_9}),credentials:t.aws_rds.Credentials.fromGeneratedSecret("clusteradmin"),defaultDatabaseName:"medplum",storageEncrypted:!0,vpc:this.vpc,vpcSubnets:{subnetType:t.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},writer:D.ClusterInstance.provisioned("Instance1",Y),readers:N,backup:{retention:t.Duration.days(7)},cloudwatchLogsExports:["postgresql"],instanceUpdateBehaviour:t.aws_rds.InstanceUpdateBehaviour.ROLLING}),this.rdsSecretsArn=this.rdsCluster.secret.secretArn,e.rdsProxyEnabled&&(this.rdsProxy=new t.aws_rds.DatabaseProxy(this,"DatabaseProxy",{proxyTarget:t.aws_rds.ProxyTarget.fromCluster(this.rdsCluster),secrets:[this.rdsCluster.secret],vpc:this.vpc}))}if(this.redisSubnetGroup=new t.aws_elasticache.CfnSubnetGroup(this,"RedisSubnetGroup",{description:"Redis Subnet Group",subnetIds:this.vpc.privateSubnets.map(m=>m.subnetId)}),e.cacheSecurityGroupId?this.redisSecurityGroup=t.aws_ec2.SecurityGroup.fromSecurityGroupId(this,"RedisSecurityGroup",e.cacheSecurityGroupId):this.redisSecurityGroup=new t.aws_ec2.SecurityGroup(this,"RedisSecurityGroup",{vpc:this.vpc,description:"Redis Security Group",allowAllOutbound:!1}),this.redisPassword=new t.aws_secretsmanager.Secret(this,"RedisPassword",{generateSecretString:{secretStringTemplate:"{}",generateStringKey:"password",excludeCharacters:"@%*()_+=`~{}|[]\\:\";'?,./"}}),this.redisCluster=new 
t.aws_elasticache.CfnReplicationGroup(this,"RedisCluster",{engine:"Redis",engineVersion:"6.x",cacheNodeType:e.cacheNodeType??"cache.t2.medium",replicationGroupDescription:"RedisReplicationGroup",authToken:this.redisPassword.secretValueFromJson("password").toString(),transitEncryptionEnabled:!0,atRestEncryptionEnabled:!0,multiAzEnabled:!0,cacheSubnetGroupName:this.redisSubnetGroup.ref,numNodeGroups:1,replicasPerNodeGroup:1,securityGroupIds:[this.redisSecurityGroup.securityGroupId]}),this.redisCluster.node.addDependency(this.redisPassword),this.redisSecrets=new t.aws_secretsmanager.Secret(this,"RedisSecrets",{generateSecretString:{secretStringTemplate:JSON.stringify({host:this.redisCluster.attrPrimaryEndPointAddress,port:this.redisCluster.attrPrimaryEndPointPort,password:this.redisPassword.secretValueFromJson("password").toString(),tls:{}}),generateStringKey:"unused"}}),this.redisSecrets.node.addDependency(this.redisPassword),this.redisSecrets.node.addDependency(this.redisCluster),this.ecsCluster=new t.aws_ecs.Cluster(this,"Cluster",{vpc:this.vpc,containerInsights:e.containerInsights}),this.taskRolePolicies=new t.aws_iam.PolicyDocument({statements:[new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["logs:PutLogEvents","logs:CreateLogGroup","logs:CreateLogStream","logs:DescribeLogStreams","logs:DescribeLogGroups","logs:PutRetentionPolicy"],resources:[`arn:aws:logs:${c}:${s}:log-group:*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["secretsmanager:GetResourcePolicy","secretsmanager:GetSecretValue","secretsmanager:DescribeSecret","secretsmanager:ListSecrets","secretsmanager:ListSecretVersionIds"],resources:[`arn:aws:secretsmanager:${c}:${s}:secret:*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["ssm:GetParametersByPath","ssm:GetParameters","ssm:GetParameter","ssm:DescribeParameters"],resources:[`arn:aws:ssm:${c}:${s}:parameter/medplum/${a}/*`]}),new 
t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["ses:SendEmail","ses:SendRawEmail"],resources:[`arn:aws:ses:${c}:${s}:identity/*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["s3:ListBucket"],resources:[`arn:aws:s3:::${e.storageBucketName}`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["s3:GetObject","s3:PutObject","s3:DeleteObject"],resources:[`arn:aws:s3:::${e.storageBucketName}/*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["iam:ListRoles","iam:GetRole","iam:PassRole"],resources:[this.botLambdaRole.roleArn]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["lambda:CreateFunction","lambda:GetFunction","lambda:GetFunctionConfiguration","lambda:UpdateFunctionCode","lambda:UpdateFunctionConfiguration","lambda:InvokeFunction"],resources:[`arn:aws:lambda:${c}:${s}:function:medplum-bot-lambda-*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["lambda:ListLayerVersions"],resources:[`arn:aws:lambda:${c}:${s}:layer:medplum-bot-layer`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["lambda:GetLayerVersion"],resources:[`arn:aws:lambda:${c}:${s}:layer:medplum-bot-layer:*`]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["xray:PutTraceSegments","xray:PutTelemetryRecords","xray:GetSamplingRules","xray:GetSamplingTargets","xray:GetSamplingStatisticSummaries"],resources:["*"]}),new t.aws_iam.PolicyStatement({effect:t.aws_iam.Effect.ALLOW,actions:["comprehend:DetectEntities","comprehend:DetectKeyPhrases","comprehend:DetectDominantLanguage","comprehend:DetectSentiment","comprehend:DetectTargetedSentiment","comprehend:DetectSyntax","comprehendmedical:DetectEntitiesV2","textract:DetectDocumentText","textract:AnalyzeDocument","textract:StartDocumentTextDetection","textract:GetDocumentTextDetection"],resources:["*"]})]}),this.taskRole=new 
t.aws_iam.Role(this,"TaskExecutionRole",{assumedBy:new t.aws_iam.ServicePrincipal("ecs-tasks.amazonaws.com"),description:"Medplum Server Task Execution Role",inlinePolicies:{TaskExecutionPolicies:this.taskRolePolicies}}),this.taskDefinition=new t.aws_ecs.FargateTaskDefinition(this,"TaskDefinition",{memoryLimitMiB:e.serverMemory,cpu:e.serverCpu,taskRole:this.taskRole}),this.logGroup=new t.aws_logs.LogGroup(this,"LogGroup",{logGroupName:"/ecs/medplum/"+a,removalPolicy:t.RemovalPolicy.DESTROY}),this.logDriver=new t.aws_ecs.AwsLogDriver({logGroup:this.logGroup,streamPrefix:"Medplum"}),this.serviceContainer=this.taskDefinition.addContainer("MedplumTaskDefinition",{image:this.getContainerImage(e,e.serverImage),command:[c==="us-east-1"?`aws:/medplum/${a}/`:`aws:${c}:/medplum/${a}/`],logging:this.logDriver,environment:e.environment}),this.serviceContainer.addPortMappings({containerPort:e.apiPort,hostPort:e.apiPort}),e.additionalContainers)for(let m of e.additionalContainers)this.taskDefinition.addContainer("AdditionalContainer-"+m.name,{containerName:m.name,image:this.getContainerImage(e,m.image),command:m.command,environment:m.environment,logging:this.logDriver});this.fargateSecurityGroup=new t.aws_ec2.SecurityGroup(this,"ServiceSecurityGroup",{allowAllOutbound:!0,securityGroupName:"MedplumSecurityGroup",vpc:this.vpc}),this.fargateService=new 
t.aws_ecs.FargateService(this,"FargateService",{cluster:this.ecsCluster,taskDefinition:this.taskDefinition,assignPublicIp:!1,vpcSubnets:{subnetType:t.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS},desiredCount:e.desiredServerCount,securityGroups:[this.fargateSecurityGroup],healthCheckGracePeriod:t.Duration.minutes(5)}),e.fargateAutoScaling&&this.fargateService.autoScaleTaskCount({minCapacity:e.fargateAutoScaling.minCapacity,maxCapacity:e.fargateAutoScaling.maxCapacity}).scaleOnCpuUtilization("CpuScaling",{targetUtilizationPercent:e.fargateAutoScaling.targetUtilizationPercent,scaleInCooldown:t.Duration.seconds(e.fargateAutoScaling.scaleInCooldown),scaleOutCooldown:t.Duration.seconds(e.fargateAutoScaling.scaleOutCooldown)}),this.rdsCluster&&this.fargateService.node.addDependency(this.rdsCluster),this.rdsProxy&&this.fargateService.node.addDependency(this.rdsProxy),this.fargateService.node.addDependency(this.redisCluster),this.targetGroup=new t.aws_elasticloadbalancingv2.ApplicationTargetGroup(this,"TargetGroup",{vpc:this.vpc,port:e.apiPort,protocol:t.aws_elasticloadbalancingv2.ApplicationProtocol.HTTP,healthCheck:{path:"/healthcheck",interval:t.Duration.seconds(30),timeout:t.Duration.seconds(3),healthyThresholdCount:2,unhealthyThresholdCount:5},targets:[this.fargateService]});let d;if(e.loadBalancerSecurityGroupId&&(d=t.aws_ec2.SecurityGroup.fromSecurityGroupId(this,"LoadBalancerSecurityGroup",e.loadBalancerSecurityGroupId)),this.loadBalancer=new 
t.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this,"LoadBalancer",{vpc:this.vpc,internetFacing:e.apiInternetFacing!==!1,http2Enabled:!0,securityGroup:d}),e.loadBalancerLoggingBucket&&this.loadBalancer.logAccessLogs(t.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.loadBalancerLoggingBucket),e.loadBalancerLoggingPrefix),this.loadBalancer.addListener("HttpsListener",{port:443,certificates:[{certificateArn:e.apiSslCertArn}],sslPolicy:t.aws_elasticloadbalancingv2.SslPolicy.FORWARD_SECRECY_TLS12_RES_GCM,defaultAction:t.aws_elasticloadbalancingv2.ListenerAction.forward([this.targetGroup])}),this.waf=new t.aws_wafv2.CfnWebACL(this,"BackEndWAF",{defaultAction:{allow:{}},scope:"REGIONAL",name:`${e.stackName}-BackEndWAF`,rules:p,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-BackEndWAF-Metric`,sampledRequestsEnabled:!1}}),this.wafAssociation=new t.aws_wafv2.CfnWebACLAssociation(this,"LoadBalancerAssociation",{resourceArn:this.loadBalancer.loadBalancerArn,webAclArn:this.waf.attrArn}),this.rdsCluster&&this.rdsCluster.connections.allowDefaultPortFrom(this.fargateSecurityGroup),this.rdsProxy&&this.rdsProxy.connections.allowFrom(this.fargateSecurityGroup,t.aws_ec2.Port.tcp(5432)),this.redisSecurityGroup.addIngressRule(this.fargateSecurityGroup,t.aws_ec2.Port.tcp(6379)),!e.skipDns){let m=e.hostedZoneName??e.domainName.split(".").slice(-2).join("."),S=t.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:m});this.dnsRecord=new t.aws_route53.ARecord(this,"LoadBalancerAliasRecord",{recordName:e.apiDomainName,target:t.aws_route53.RecordTarget.fromAlias(new t.aws_route53_targets.LoadBalancerTarget(this.loadBalancer)),zone:S})}this.regionParameter=new t.aws_ssm.StringParameter(this,"RegionParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${a}/awsRegion`,description:"AWS region",stringValue:e.region}),this.databaseSecretsParameter=new 
t.aws_ssm.StringParameter(this,"DatabaseSecretsParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${a}/DatabaseSecrets`,description:"Database secrets ARN",stringValue:this.rdsSecretsArn}),this.rdsProxy&&(this.databaseProxyEndpointParameter=new t.aws_ssm.StringParameter(this,"DatabaseProxyEndpointParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${a}/databaseProxyEndpoint`,description:"Database proxy endpoint",stringValue:this.rdsProxy?.endpoint})),this.redisSecretsParameter=new t.aws_ssm.StringParameter(this,"RedisSecretsParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${a}/RedisSecrets`,description:"Redis secrets ARN",stringValue:this.redisSecrets.secretArn}),this.botLambdaRoleParameter=new t.aws_ssm.StringParameter(this,"BotLambdaRoleParameter",{tier:t.aws_ssm.ParameterTier.STANDARD,parameterName:`/medplum/${a}/botLambdaRoleArn`,description:"Bot lambda execution role ARN",stringValue:this.botLambdaRole.roleArn})}getContainerImage(r,e){let s=new RegExp(`^${r.accountNumber}\\.dkr\\.ecr\\.${r.region}\\.amazonaws\\.com/(.*)[:@](.*)$`).exec(e),c=s?.[1],d=s?.[2];if(c&&d){let m=x.Repository.fromRepositoryArn(this,"ServerImageRepo",`arn:aws:ecr:${r.region}:${r.accountNumber}:repository/${c}`);return t.aws_ecs.ContainerImage.fromEcrRepository(m,d)}return t.aws_ecs.ContainerImage.fromRegistry(e)}};var u=require("aws-cdk-lib"),_=require("constructs"),g=class extends _.Construct{constructor(r,e){if(super(r,"CloudTrailAlarms"),this.config=e,!e.cloudTrailAlarms)return;e.cloudTrailAlarms.logGroupCreate?(this.logGroup=new u.aws_logs.LogGroup(this,"CloudTrailLogGroup",{logGroupName:e.cloudTrailAlarms.logGroupName,retention:u.aws_logs.RetentionDays.ONE_YEAR}),this.cloudTrail=new 
u.aws_cloudtrail.Trail(this,"CloudTrail",{sendToCloudWatchLogs:!0,cloudWatchLogGroup:this.logGroup,includeGlobalServiceEvents:!0})):this.logGroup=u.aws_logs.LogGroup.fromLogGroupName(this,"CloudTrailLogGroup",e.cloudTrailAlarms.logGroupName),e.cloudTrailAlarms.snsTopicArn?this.alarmTopic=u.aws_sns.Topic.fromTopicArn(this,"AlarmTopic",e.cloudTrailAlarms.snsTopicArn):this.alarmTopic=new u.aws_sns.Topic(this,"AlarmTopic",{topicName:e.cloudTrailAlarms.snsTopicName});let a=[["UnauthorizedApiCalls","{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) }"],["SignInWithoutMfa","{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }"],["RootAccountUsage","{ $.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent }"],["IamPolicyChanges","{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"],["CloudTrailConfigurationChanges","{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"],["SignInFailures",'{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'],["DisabledCmks","{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }"],["S3PolicyChanges","{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName 
= DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"],["ConfigServiceChanges","{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"],["SecurityGroupChanges","{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"],["NetworkAclChanges","{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"],["NetworkGatewayChanges","{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"],["RouteTableChanges","{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"],["VpcChanges","{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"],["OrganizationsChanges","{ ($.eventSource = 
organizations.amazonaws.com) && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUnit)) }"]];for(let[s,c]of a)this.createMetricAlarm(s,c)}createMetricAlarm(r,e){let a=`${this.config.stackName}${r}MetricFilter`,s=`${this.config.stackName}${r}Metric`,c=`${this.config.stackName}Metrics`,d=`${this.config.stackName}${r}Alarm`,m=new u.aws_logs.MetricFilter(this,a,{logGroup:this.logGroup,filterPattern:{logPatternString:e},metricNamespace:c,metricName:s});new u.aws_cloudwatch.Alarm(this,d,{metric:m.metric({}),threshold:1,evaluationPeriods:1,alarmName:d,actionsEnabled:!0,treatMissingData:u.aws_cloudwatch.TreatMissingData.NOT_BREACHING,comparisonOperator:u.aws_cloudwatch.ComparisonOperator.GREATER_THAN_THRESHOLD,datapointsToAlarm:1}).addAlarmAction(new u.aws_cloudwatch_actions.SnsAction(this.alarmTopic))}};var o=require("aws-cdk-lib"),M=require("constructs");var O=require("aws-cdk-lib");function w(i,r){let e=new O.aws_iam.PolicyStatement;return e.addActions("s3:GetObject*"),e.addActions("s3:GetBucket*"),e.addActions("s3:List*"),e.addResources(i.bucketArn),e.addResources(`${i.bucketArn}/*`),e.addCanonicalUserPrincipal(r.cloudFrontOriginAccessIdentityS3CanonicalUserId),i.addToResourcePolicy(e),e}var h=class extends M.Construct{constructor(r,e,a){if(super(r,"FrontEnd"),a===e.region?this.appBucket=new 
o.aws_s3.Bucket(this,"AppBucket",{bucketName:e.appDomainName,publicReadAccess:!1,blockPublicAccess:o.aws_s3.BlockPublicAccess.BLOCK_ALL,removalPolicy:o.RemovalPolicy.DESTROY,encryption:o.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}):this.appBucket=o.aws_s3.Bucket.fromBucketAttributes(this,"AppBucket",{bucketName:e.appDomainName,region:e.region}),a==="us-east-1"&&(this.responseHeadersPolicy=new o.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{customHeadersBehavior:{customHeaders:[{header:"Permission-Policy",value:"accelerometer=(), camera=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()",override:!0}]},securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:["default-src 'none'","base-uri 'self'","child-src 'self'",`connect-src 'self' ${e.apiDomainName} *.google.com`,"font-src 'self' fonts.gstatic.com","form-action 'self' *.gstatic.com *.google.com","frame-ancestors 'none'",`frame-src 'self' ${e.storageDomainName} *.medplum.com *.gstatic.com *.google.com`,`img-src 'self' data: ${e.storageDomainName} *.gstatic.com *.google.com *.googleapis.com`,"manifest-src 'self'",`media-src 'self' ${e.storageDomainName}`,"script-src 'self' *.medplum.com *.gstatic.com *.google.com","style-src 'self' 'unsafe-inline' *.medplum.com *.gstatic.com *.google.com","worker-src 'self' blob: *.gstatic.com *.google.com","upgrade-insecure-requests"].join("; "),override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:o.aws_cloudfront.HeadersFrameOption.DENY,override:!0},referrerPolicy:{referrerPolicy:o.aws_cloudfront.HeadersReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN,override:!0},strictTransportSecurity:{accessControlMaxAge:o.Duration.seconds(63072e3),includeSubdomains:!0,preload:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),this.waf=new 
o.aws_wafv2.CfnWebACL(this,"FrontEndWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${e.stackName}-FrontEndWAF`,rules:p,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-FrontEndWAF-Metric`,sampledRequestsEnabled:!1}}),this.apiOriginCachePolicy=new o.aws_cloudfront.CachePolicy(this,"ApiOriginCachePolicy",{cachePolicyName:`${e.stackName}-ApiOriginCachePolicy`,cookieBehavior:o.aws_cloudfront.CacheCookieBehavior.all(),headerBehavior:o.aws_cloudfront.CacheHeaderBehavior.allowList("Authorization","Content-Encoding","Content-Type","If-None-Match","Origin","Referer","User-Agent","X-Medplum"),queryStringBehavior:o.aws_cloudfront.CacheQueryStringBehavior.all()}),this.originAccessIdentity=new o.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{}),this.originAccessPolicyStatement=w(this.appBucket,this.originAccessIdentity),this.distribution=new o.aws_cloudfront.Distribution(this,"AppDistribution",{defaultRootObject:"index.html",defaultBehavior:{origin:new o.aws_cloudfront_origins.S3Origin(this.appBucket,{originAccessIdentity:this.originAccessIdentity}),responseHeadersPolicy:this.responseHeadersPolicy,viewerProtocolPolicy:o.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS},additionalBehaviors:e.appApiProxy?{"/api/*":{origin:new o.aws_cloudfront_origins.HttpOrigin(e.apiDomainName),allowedMethods:o.aws_cloudfront.AllowedMethods.ALLOW_ALL,cachePolicy:this.apiOriginCachePolicy,viewerProtocolPolicy:o.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS}}:void 0,certificate:o.aws_certificatemanager.Certificate.fromCertificateArn(this,"AppCertificate",e.appSslCertArn),domainNames:[e.appDomainName],errorResponses:[{httpStatus:403,responseHttpStatus:200,responsePagePath:"/index.html"},{httpStatus:404,responseHttpStatus:200,responsePagePath:"/index.html"}],webAclId:this.waf.attrArn,logBucket:e.appLoggingBucket?o.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.appLoggingBucket):void 
0,logFilePrefix:e.appLoggingPrefix}),!e.skipDns)){let s=e.hostedZoneName??e.domainName.split(".").slice(-2).join("."),c=o.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:s});this.dnsRecord=new o.aws_route53.ARecord(this,"AppAliasRecord",{recordName:e.appDomainName,target:o.aws_route53.RecordTarget.fromAlias(new o.aws_route53_targets.CloudFrontTarget(this.distribution)),zone:c})}}};var n=require("aws-cdk-lib"),F=require("cdk-serverless-clamscan"),W=require("constructs");var y=class extends W.Construct{constructor(r,e,a){if(super(r,"Storage"),a===e.region?(this.storageBucket=new n.aws_s3.Bucket(this,"StorageBucket",{bucketName:e.storageBucketName,publicReadAccess:!1,blockPublicAccess:n.aws_s3.BlockPublicAccess.BLOCK_ALL,encryption:n.aws_s3.BucketEncryption.S3_MANAGED,enforceSSL:!0,versioned:!0}),e.clamscanEnabled&&new F.ServerlessClamscan(this,"ServerlessClamscan",{defsBucketAccessLogsConfig:{logsBucket:n.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.clamscanLoggingBucket),logsPrefix:e.clamscanLoggingPrefix}}).addSourceBucket(this.storageBucket)):this.storageBucket=n.aws_s3.Bucket.fromBucketAttributes(this,"StorageBucket",{bucketName:e.storageBucketName,region:e.region}),a==="us-east-1"){let s;if(e.signingKeyId?s=n.aws_cloudfront.PublicKey.fromPublicKeyId(this,"StoragePublicKey",e.signingKeyId):s=new n.aws_cloudfront.PublicKey(this,"StoragePublicKey",{encodedKey:e.storagePublicKey}),this.keyGroup=new n.aws_cloudfront.KeyGroup(this,"StorageKeyGroup",{items:[s]}),this.responseHeadersPolicy=new n.aws_cloudfront.ResponseHeadersPolicy(this,"ResponseHeadersPolicy",{customHeadersBehavior:{customHeaders:[{header:"Permission-Policy",value:"accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()",override:!0}]},securityHeadersBehavior:{contentSecurityPolicy:{contentSecurityPolicy:"default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 
*;",override:!0},contentTypeOptions:{override:!0},frameOptions:{frameOption:n.aws_cloudfront.HeadersFrameOption.DENY,override:!0},referrerPolicy:{referrerPolicy:n.aws_cloudfront.HeadersReferrerPolicy.NO_REFERRER,override:!0},strictTransportSecurity:{accessControlMaxAge:n.Duration.seconds(63072e3),includeSubdomains:!0,preload:!0,override:!0},xssProtection:{protection:!0,modeBlock:!0,override:!0}}}),this.waf=new n.aws_wafv2.CfnWebACL(this,"StorageWAF",{defaultAction:{allow:{}},scope:"CLOUDFRONT",name:`${e.stackName}-StorageWAF`,rules:p,visibilityConfig:{cloudWatchMetricsEnabled:!0,metricName:`${e.stackName}-StorageWAF-Metric`,sampledRequestsEnabled:!1}}),this.originAccessIdentity=new n.aws_cloudfront.OriginAccessIdentity(this,"OriginAccessIdentity",{}),this.originAccessPolicyStatement=w(this.storageBucket,this.originAccessIdentity),this.distribution=new n.aws_cloudfront.Distribution(this,"StorageDistribution",{defaultBehavior:{origin:new n.aws_cloudfront_origins.S3Origin(this.storageBucket,{originAccessIdentity:this.originAccessIdentity}),responseHeadersPolicy:this.responseHeadersPolicy,viewerProtocolPolicy:n.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,trustedKeyGroups:[this.keyGroup]},certificate:n.aws_certificatemanager.Certificate.fromCertificateArn(this,"StorageCertificate",e.storageSslCertArn),domainNames:[e.storageDomainName],webAclId:this.waf.attrArn,logBucket:e.storageLoggingBucket?n.aws_s3.Bucket.fromBucketName(this,"LoggingBucket",e.storageLoggingBucket):void 0,logFilePrefix:e.storageLoggingPrefix}),!e.skipDns){let c=e.hostedZoneName??e.domainName.split(".").slice(-2).join("."),d=n.aws_route53.HostedZone.fromLookup(this,"Zone",{domainName:c});this.dnsRecord=new n.aws_route53.ARecord(this,"StorageAliasRecord",{recordName:e.storageDomainName,target:n.aws_route53.RecordTarget.fromAlias(new n.aws_route53_targets.CloudFrontTarget(this.distribution)),zone:d})}}}};var A=class{constructor(r,e){this.primaryStack=new 
C(r,e),e.region!=="us-east-1"&&(this.globalStack=new R(r,e),this.globalStack.addDependency(this.primaryStack))}},C=class extends f.Stack{constructor(r,e){super(r,e.stackName,{env:{region:e.region,account:e.accountNumber}}),f.Tags.of(this).add("medplum:environment",e.name),this.backEnd=new P(this,e),this.frontEnd=new h(this,e,e.region),this.storage=new y(this,e,e.region),this.cloudTrail=new g(this,e)}},R=class extends f.Stack{constructor(r,e){super(r,e.stackName+"-us-east-1",{env:{region:"us-east-1",account:e.accountNumber}}),f.Tags.of(this).add("medplum:environment",e.name),this.frontEnd=new h(this,e,"us-east-1"),this.storage=new y(this,e,"us-east-1"),this.cloudTrail=new g(this,e)}};function V(i){let r=new U.App({context:i}),e=r.node.tryGetContext("config");if(!e){console.log('Missing "config" context variable'),console.log("Usage: cdk deploy -c config=my-config.json");return}let a=JSON.parse((0,H.readFileSync)((0,z.resolve)(e),"utf-8"));G(a).then(s=>{let c=new A(r,s);console.log("Stack",c.primaryStack.stackId),r.synth()}).catch(s=>{console.error(s),process.exit(1)})}require.main===module&&V();0&&(module.exports={BackEnd,CloudTrailAlarms,FrontEnd,MedplumGlobalStack,MedplumPrimaryStack,MedplumStack,Storage,awsManagedRules,main});
2
2
  //# sourceMappingURL=index.cjs.map