@openhi/constructs 0.0.104 → 0.0.105

package/lib/index.js

@@ -99,6 +99,7 @@ __export(src_exports, {
   CognitoUserPoolClient: () => CognitoUserPoolClient,
   CognitoUserPoolDomain: () => CognitoUserPoolDomain,
   CognitoUserPoolKmsKey: () => CognitoUserPoolKmsKey,
+  ControlEventBus: () => ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
@@ -120,9 +121,11 @@ __export(src_exports, {
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME: () => POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE: () => PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
   PostAuthenticationLambda: () => PostAuthenticationLambda,
   PostConfirmationLambda: () => PostConfirmationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda: () => ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
   RootHostedZone: () => RootHostedZone,
@@ -130,7 +133,10 @@ __export(src_exports, {
   RootWildcardCertificate: () => RootWildcardCertificate,
   STATIC_HOSTING_SERVICE_TYPE: () => STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting: () => StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE: () => USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow: () => UserOnboardingWorkflow,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail: () => buildProvisionDefaultWorkspaceRequestedDetail,
   getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName
 });
@@ -761,14 +767,13 @@ var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs2 = require("constructs");
 var HANDLER_NAME2 = "post-confirmation.handler.js";
-function resolveHandlerEntry2(dirname) {
+var resolveHandlerEntry2 = (dirname) => {
   const sameDir = import_node_path2.default.join(dirname, HANDLER_NAME2);
   if (import_node_fs2.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
-  return fromLib;
-}
+  return import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+};
 var PostConfirmationLambda = class extends import_constructs2.Construct {
   constructor(scope, props) {
     super(scope, "post-confirmation-lambda");
@@ -777,7 +782,7 @@ var PostConfirmationLambda = class extends import_constructs2.Construct {
       runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName
+        CONTROL_EVENT_BUS_NAME: props.controlEventBusName
       }
     });
   }
@@ -1149,6 +1154,28 @@ var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
   }
 };
 
+// src/components/event-bridge/control-event-bus.ts
+var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var ControlEventBus = class _ControlEventBus extends import_aws_events3.EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * its name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `controlv1${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "control-event-bus-v1", {
+      ...props,
+      eventBusName: _ControlEventBus.getEventBusName(scope)
+    });
+  }
+};
+
 // src/components/postgres/data-store-postgres-replica.ts
 var import_node_fs5 = __toESM(require("fs"));
 var import_node_path5 = __toESM(require("path"));
@@ -1398,7 +1425,7 @@ var StaticHosting = _StaticHosting;
 // src/services/open-hi-auth-service.ts
 var import_config4 = __toESM(require_lib());
 var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
-var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var import_core2 = require("aws-cdk-lib/core");
 
@@ -1408,7 +1435,7 @@ var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
 
 // src/services/open-hi-global-service.ts
 var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
-var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var import_aws_events4 = require("aws-cdk-lib/aws-events");
 var import_aws_route532 = require("aws-cdk-lib/aws-route53");
 var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
 var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
@@ -1449,7 +1476,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static dataEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
+    return import_aws_events4.EventBus.fromEventBusName(
       scope,
       "data-event-bus",
       DataEventBus.getEventBusName(scope)
@@ -1459,12 +1486,22 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static opsEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
+    return import_aws_events4.EventBus.fromEventBusName(
       scope,
       "ops-event-bus",
       OpsEventBus.getEventBusName(scope)
     );
   }
+  /**
+   * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static controlEventBusFromConstruct(scope) {
+    return import_aws_events4.EventBus.fromEventBusName(
+      scope,
+      "control-event-bus",
+      ControlEventBus.getEventBusName(scope)
+    );
+  }
   get serviceType() {
     return _OpenHiGlobalService.SERVICE_TYPE;
   }
@@ -1477,6 +1514,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
     this.rootWildcardCertificate = this.createRootWildcardCertificate();
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
+    this.controlEventBus = this.createControlEventBus();
   }
   /**
    * Validates that config required for the Global stack is present.
@@ -1541,6 +1579,13 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   createOpsEventBus() {
     return new OpsEventBus(this);
   }
+  /**
+   * Creates the control-plane event bus.
+   * Override to customize.
+   */
+  createControlEventBus() {
+    return new ControlEventBus(this);
+  }
 };
 _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
@@ -1607,6 +1652,100 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
+// src/workflows/control-plane/user-onboarding/events.ts
+var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
+  const attrs = event.request?.userAttributes ?? {};
+  const cognitoSub = attrs.sub?.trim();
+  if (!cognitoSub) {
+    return void 0;
+  }
+  const email = attrs.email?.trim();
+  const displayName = email || event.userName || cognitoSub;
+  return {
+    cognitoSub,
+    ...email ? { email } : {},
+    displayName,
+    trigger: {
+      source: "cognito.post-confirmation",
+      triggerSource: event.triggerSource,
+      userPoolId: event.userPoolId,
+      userName: event.userName,
+      clientId: event.callerContext?.clientId
+    }
+  };
+};
+
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var import_aws_cdk_lib10 = require("aws-cdk-lib");
+var import_aws_events5 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs8 = require("constructs");
+var HANDLER_NAME6 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
+  if (import_node_fs6.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path6.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+}
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs8.Construct {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new import_aws_events5.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new import_aws_events_targets.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib10.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+var import_constructs9 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs9.Construct {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
@@ -1618,11 +1757,13 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
     this.userPool = this.createUserPool();
     this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
@@ -1739,23 +1880,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, writes the new user's default Tenant, Workspace,
-   * Memberships, and `tenant-user` RoleAssignment, plus a User record
-   * carrying the Cognito `sub` and current tenant/workspace pointers
-   * (ADR 2026-03-17-01 invariants).
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
   createPostConfirmationLambda() {
     const construct = new PostConfirmationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
+      controlEventBusName: this.controlEventBus().eventBusName
     });
     return construct.lambda;
   }
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
+  }
   dataStoreTable() {
     if (this._dataStoreTable === null) {
       this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
     return this._dataStoreTable;
   }
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1800,8 +1951,8 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
@@ -1822,7 +1973,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    */
   grantPostAuthenticationPermissions() {
     this.postAuthenticationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
+      new import_aws_iam2.PolicyStatement({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
           import_core2.Stack.of(this).formatArn({
@@ -1835,26 +1986,11 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     );
   }
   /**
-   * Grants the Post Confirmation Lambda write access to the data store
-   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
   grantPostConfirmationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = [
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DescribeTable"
-    ];
-    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
-    this.postConfirmationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
@@ -1925,58 +2061,58 @@ var import_config5 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_core3 = require("aws-cdk-lib/core");
 
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
-var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs8 = require("constructs");
-var HANDLER_NAME6 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
-  if (import_node_fs6.default.existsSync(sameDir)) {
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs10 = require("constructs");
+var HANDLER_NAME7 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
+  if (import_node_fs7.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path6.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = import_node_path7.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs8.Construct {
+var CorsOptionsLambda = class extends import_constructs10.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs7 = __toESM(require("fs"));
-var import_node_path7 = __toESM(require("path"));
-var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs9 = require("constructs");
-var HANDLER_NAME7 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry7(dirname) {
-  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
-  if (import_node_fs7.default.existsSync(sameDir)) {
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
+var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs11 = require("constructs");
+var HANDLER_NAME8 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry8(dirname) {
+  const sameDir = import_node_path8.default.join(dirname, HANDLER_NAME8);
+  if (import_node_fs8.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path7.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
+  const fromLib = import_node_path8.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME8);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs9.Construct {
+var RestApiLambda = class extends import_constructs11.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry7(__dirname),
-      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry8(__dirname),
+      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2118,8 +2254,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -2128,8 +2264,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -2147,15 +2283,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2310,6 +2446,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
   CognitoUserPoolKmsKey,
+  ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
@@ -2331,9 +2468,11 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
   PostAuthenticationLambda,
   PostConfirmationLambda,
   PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
   RootHostedZone,
@@ -2341,7 +2480,10 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   RootWildcardCertificate,
   STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow,
   buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail,
   getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName
 });