@openhi/constructs 0.0.104 → 0.0.105

package/lib/index.mjs

@@ -1,3 +1,8 @@
+import {
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  USER_ONBOARDING_EVENT_SOURCE,
+  buildProvisionDefaultWorkspaceRequestedDetail
+} from "./chunk-2PM2NGXI.mjs";
 import {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
@@ -711,14 +716,13 @@ import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction2 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct as Construct2 } from "constructs";
 var HANDLER_NAME2 = "post-confirmation.handler.js";
-function resolveHandlerEntry2(dirname) {
+var resolveHandlerEntry2 = (dirname) => {
   const sameDir = path2.join(dirname, HANDLER_NAME2);
   if (fs2.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
-  return fromLib;
-}
+  return path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+};
 var PostConfirmationLambda = class extends Construct2 {
   constructor(scope, props) {
     super(scope, "post-confirmation-lambda");
@@ -727,7 +731,7 @@ var PostConfirmationLambda = class extends Construct2 {
       runtime: Runtime2.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName
+        CONTROL_EVENT_BUS_NAME: props.controlEventBusName
       }
     });
   }
@@ -983,6 +987,28 @@ var OpsEventBus = class _OpsEventBus extends EventBus2 {
   }
 };
 
+// src/components/event-bridge/control-event-bus.ts
+import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+var ControlEventBus = class _ControlEventBus extends EventBus3 {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * its name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `controlv1${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "control-event-bus-v1", {
+      ...props,
+      eventBusName: _ControlEventBus.getEventBusName(scope)
+    });
+  }
+};
+
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
@@ -1244,7 +1270,7 @@ import {
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
 import { Stack as Stack3 } from "aws-cdk-lib/core";
 
@@ -1257,7 +1283,7 @@ import {
   Certificate as Certificate2,
   CertificateValidation
 } from "aws-cdk-lib/aws-certificatemanager";
-import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+import { EventBus as EventBus4 } from "aws-cdk-lib/aws-events";
 import {
   HostedZone as HostedZone2
 } from "aws-cdk-lib/aws-route53";
@@ -1300,7 +1326,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static dataEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
+    return EventBus4.fromEventBusName(
       scope,
       "data-event-bus",
       DataEventBus.getEventBusName(scope)
@@ -1310,12 +1336,22 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static opsEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
+    return EventBus4.fromEventBusName(
       scope,
       "ops-event-bus",
       OpsEventBus.getEventBusName(scope)
     );
   }
+  /**
+   * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static controlEventBusFromConstruct(scope) {
+    return EventBus4.fromEventBusName(
+      scope,
+      "control-event-bus",
+      ControlEventBus.getEventBusName(scope)
+    );
+  }
   get serviceType() {
     return _OpenHiGlobalService.SERVICE_TYPE;
   }
@@ -1328,6 +1364,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
     this.rootWildcardCertificate = this.createRootWildcardCertificate();
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
+    this.controlEventBus = this.createControlEventBus();
   }
   /**
    * Validates that config required for the Global stack is present.
@@ -1392,6 +1429,13 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   createOpsEventBus() {
     return new OpsEventBus(this);
   }
+  /**
+   * Creates the control-plane event bus.
+   * Override to customize.
+   */
+  createControlEventBus() {
+    return new ControlEventBus(this);
+  }
 };
 _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
@@ -1458,6 +1502,75 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+import fs6 from "fs";
+import path6 from "path";
+import { Duration as Duration6 } from "aws-cdk-lib";
+import { Rule } from "aws-cdk-lib/aws-events";
+import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct8 } from "constructs";
+var HANDLER_NAME6 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = path6.join(dirname, HANDLER_NAME6);
+  if (fs6.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path6.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+}
+var ProvisionDefaultWorkspaceLambda = class extends Construct8 {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new NodejsFunction6(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: Runtime6.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration6.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+import { Construct as Construct9 } from "constructs";
+var UserOnboardingWorkflow = class extends Construct9 {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
@@ -1469,11 +1582,13 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
     this.userPool = this.createUserPool();
     this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
@@ -1590,23 +1705,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, writes the new user's default Tenant, Workspace,
-   * Memberships, and `tenant-user` RoleAssignment, plus a User record
-   * carrying the Cognito `sub` and current tenant/workspace pointers
-   * (ADR 2026-03-17-01 invariants).
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
   createPostConfirmationLambda() {
     const construct = new PostConfirmationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
+      controlEventBusName: this.controlEventBus().eventBusName
     });
     return construct.lambda;
   }
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
+  }
   dataStoreTable() {
     if (this._dataStoreTable === null) {
       this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
     return this._dataStoreTable;
   }
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1651,8 +1776,8 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
-      new PolicyStatement({
-        effect: Effect.ALLOW,
+      new PolicyStatement2({
+        effect: Effect2.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
@@ -1673,7 +1798,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    */
   grantPostAuthenticationPermissions() {
     this.postAuthenticationLambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
           Stack3.of(this).formatArn({
@@ -1686,26 +1811,11 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     );
   }
   /**
-   * Grants the Post Confirmation Lambda write access to the data store
-   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
   grantPostConfirmationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = [
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DescribeTable"
-    ];
-    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
-    this.postConfirmationLambda.addToRolePolicy(
-      new PolicyStatement({
-        effect: Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
@@ -1784,62 +1894,62 @@ import {
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
 import {
   ARecord,
   HostedZone as HostedZone3,
   RecordTarget
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration6 } from "aws-cdk-lib/core";
+import { Duration as Duration7 } from "aws-cdk-lib/core";
 
 // src/data/lambda/cors-options-lambda.ts
-import fs6 from "fs";
-import path6 from "path";
-import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct8 } from "constructs";
-var HANDLER_NAME6 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = path6.join(dirname, HANDLER_NAME6);
-  if (fs6.existsSync(sameDir)) {
+import fs7 from "fs";
+import path7 from "path";
+import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct10 } from "constructs";
+var HANDLER_NAME7 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = path7.join(dirname, HANDLER_NAME7);
+  if (fs7.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = path7.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct8 {
+var CorsOptionsLambda = class extends Construct10 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction6(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: Runtime6.NODEJS_LATEST,
+    this.lambda = new NodejsFunction7(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: Runtime7.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs7 from "fs";
-import path7 from "path";
-import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct9 } from "constructs";
-var HANDLER_NAME7 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry7(dirname) {
-  const sameDir = path7.join(dirname, HANDLER_NAME7);
-  if (fs7.existsSync(sameDir)) {
+import fs8 from "fs";
+import path8 from "path";
+import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct11 } from "constructs";
+var HANDLER_NAME8 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry8(dirname) {
+  const sameDir = path8.join(dirname, HANDLER_NAME8);
+  if (fs8.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path7.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
+  const fromLib = path8.join(dirname, "..", "..", "..", "lib", HANDLER_NAME8);
   return fromLib;
 }
-var RestApiLambda = class extends Construct9 {
+var RestApiLambda = class extends Construct11 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction7(this, "handler", {
-      entry: resolveHandlerEntry7(__dirname),
-      runtime: Runtime7.NODEJS_LATEST,
+    this.lambda = new NodejsFunction8(this, "handler", {
+      entry: resolveHandlerEntry8(__dirname),
+      runtime: Runtime8.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -1981,8 +2091,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -1991,8 +2101,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -2010,15 +2120,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2104,7 +2214,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration6.days(1),
+      maxAge: cors.maxAge ?? Duration7.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2175,6 +2285,7 @@ export {
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
   CognitoUserPoolKmsKey,
+  ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
@@ -2196,9 +2307,11 @@ export {
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
   PostAuthenticationLambda,
   PostConfirmationLambda,
   PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
   RootHostedZone,
@@ -2206,7 +2319,10 @@ export {
   RootWildcardCertificate,
   STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow,
   buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail,
   getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName
 };