@openhi/constructs 0.0.11 → 0.0.13

package/lib/index.d.mts

@@ -2,7 +2,7 @@ import { OPEN_HI_STAGE, OPEN_HI_DEPLOYMENT_TARGET_ROLE, OpenHiEnvironmentConfig,
 import { Stage, StageProps, App, AppProps, Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib';
 import { IConstruct, Construct } from 'constructs';
 import { Certificate, CertificateProps, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
-import { HttpApi, HttpApiProps, IHttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
+import { HttpApi, HttpApiProps, IHttpApi, CorsHttpMethod, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
 import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
@@ -12,6 +12,7 @@ import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import { Duration } from 'aws-cdk-lib/core';
 
 /**
  * Properties for creating an OpenHiStage instance.
@@ -613,7 +614,6 @@ interface OpenHiAuthServiceProps extends OpenHiServiceProps {
  * @public
  */
 declare class OpenHiAuthService extends OpenHiService {
-    props: OpenHiAuthServiceProps;
     static readonly SERVICE_TYPE = "auth";
     /**
      * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -632,6 +632,8 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     static userPoolKmsKeyFromConstruct(scope: Construct): IKey;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options (e.g. userPoolProps). */
+    props: OpenHiAuthServiceProps;
     readonly userPoolKmsKey: IKey;
     readonly preTokenGenerationLambda: IFunction;
     readonly userPool: IUserPool;
@@ -697,6 +699,8 @@ declare class OpenHiGlobalService extends OpenHiService {
         serviceType?: OpenHiServiceType;
     }): IHostedZone;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiGlobalServiceProps;
     readonly rootHostedZone: IHostedZone;
     readonly childHostedZone?: IHostedZone;
     readonly rootWildcardCertificate: ICertificate;
@@ -728,7 +732,29 @@ declare class OpenHiGlobalService extends OpenHiService {
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-rest-api-service.md
  */
+/**
+ * CORS configuration for the REST API HTTP API (API Gateway v2).
+ * When origins are set, API Gateway sends CORS headers; backend CORS headers are ignored for browser requests.
+ */
+interface RestApiCorsOptions {
+    /** Allowed origins (e.g. https://app.example.com, http://localhost:3000). Required when enabling CORS. */
+    readonly allowOrigins: string[];
+    /** Allowed HTTP methods. Defaults to GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS. */
+    readonly allowMethods?: CorsHttpMethod[];
+    /** Allowed request headers. Defaults to Content-Type, Authorization. */
+    readonly allowHeaders?: string[];
+    /** Whether to allow credentials (cookies, auth headers). Default true. */
+    readonly allowCredentials?: boolean;
+    /** How long preflight results can be cached. Default 1 day. */
+    readonly maxAge?: Duration;
+}
 interface OpenHiRestApiServiceProps extends OpenHiServiceProps {
+    /**
+     * Optional CORS configuration for the root HTTP API.
+     * When set, API Gateway will send CORS headers for the given origins.
+     * When omitted, no CORS is configured at the gateway (Express CORS in the Lambda still applies for direct or non-browser use).
+     */
+    readonly cors?: RestApiCorsOptions;
 }
 /**
  * SSM parameter name suffix for the REST API base URL.
@@ -751,6 +777,8 @@ declare class OpenHiRestApiService extends OpenHiService {
      */
     static restApiBaseUrlFromConstruct(scope: Construct): string;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options (e.g. cors). */
+    props: OpenHiRestApiServiceProps;
     readonly rootHttpApi: RootHttpApi;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiRestApiServiceProps);
     /**
@@ -822,6 +850,8 @@ declare class OpenHiDataService extends OpenHiService {
      */
     static dynamoDbDataStoreFromConstruct(scope: Construct, id?: string): ITable;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiDataServiceProps;
     /**
      * Event bus for data-related events (ingestion, transformation, storage).
      * Other stacks obtain it via {@link OpenHiDataService.dataEventBusFromConstruct}.
@@ -855,4 +885,4 @@ declare class OpenHiDataService extends OpenHiService {
     protected createDataStore(): ITable;
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, type RestApiCorsOptions, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };

package/lib/index.d.ts

@@ -1,7 +1,7 @@
 import { RemovalPolicy, App, AppProps, Stage, StageProps, Stack, StackProps } from 'aws-cdk-lib';
 import { Construct, IConstruct } from 'constructs';
 import { ICertificate, Certificate, CertificateProps } from 'aws-cdk-lib/aws-certificatemanager';
-import { IHttpApi, HttpApi, HttpApiProps, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
+import { IHttpApi, CorsHttpMethod, HttpApi, HttpApiProps, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
 import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
@@ -11,6 +11,7 @@ import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import { Duration } from 'aws-cdk-lib/core';
 
 /*******************************************************************************
  *
@@ -693,7 +694,6 @@ interface OpenHiAuthServiceProps extends OpenHiServiceProps {
  * @public
  */
 declare class OpenHiAuthService extends OpenHiService {
-    props: OpenHiAuthServiceProps;
     static readonly SERVICE_TYPE = "auth";
     /**
      * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -712,6 +712,8 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     static userPoolKmsKeyFromConstruct(scope: Construct): IKey;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options (e.g. userPoolProps). */
+    props: OpenHiAuthServiceProps;
     readonly userPoolKmsKey: IKey;
     readonly preTokenGenerationLambda: IFunction;
     readonly userPool: IUserPool;
@@ -777,6 +779,8 @@ declare class OpenHiGlobalService extends OpenHiService {
         serviceType?: OpenHiServiceType;
     }): IHostedZone;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiGlobalServiceProps;
     readonly rootHostedZone: IHostedZone;
     readonly childHostedZone?: IHostedZone;
     readonly rootWildcardCertificate: ICertificate;
@@ -808,7 +812,29 @@ declare class OpenHiGlobalService extends OpenHiService {
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-rest-api-service.md
  */
+/**
+ * CORS configuration for the REST API HTTP API (API Gateway v2).
+ * When origins are set, API Gateway sends CORS headers; backend CORS headers are ignored for browser requests.
+ */
+interface RestApiCorsOptions {
+    /** Allowed origins (e.g. https://app.example.com, http://localhost:3000). Required when enabling CORS. */
+    readonly allowOrigins: string[];
+    /** Allowed HTTP methods. Defaults to GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS. */
+    readonly allowMethods?: CorsHttpMethod[];
+    /** Allowed request headers. Defaults to Content-Type, Authorization. */
+    readonly allowHeaders?: string[];
+    /** Whether to allow credentials (cookies, auth headers). Default true. */
+    readonly allowCredentials?: boolean;
+    /** How long preflight results can be cached. Default 1 day. */
+    readonly maxAge?: Duration;
+}
 interface OpenHiRestApiServiceProps extends OpenHiServiceProps {
+    /**
+     * Optional CORS configuration for the root HTTP API.
+     * When set, API Gateway will send CORS headers for the given origins.
+     * When omitted, no CORS is configured at the gateway (Express CORS in the Lambda still applies for direct or non-browser use).
+     */
+    readonly cors?: RestApiCorsOptions;
 }
 /**
  * SSM parameter name suffix for the REST API base URL.
@@ -831,6 +857,8 @@ declare class OpenHiRestApiService extends OpenHiService {
      */
     static restApiBaseUrlFromConstruct(scope: Construct): string;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options (e.g. cors). */
+    props: OpenHiRestApiServiceProps;
     readonly rootHttpApi: RootHttpApi;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiRestApiServiceProps);
     /**
@@ -902,6 +930,8 @@ declare class OpenHiDataService extends OpenHiService {
      */
     static dynamoDbDataStoreFromConstruct(scope: Construct, id?: string): ITable;
     get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiDataServiceProps;
     /**
      * Event bus for data-related events (ingestion, transformation, storage).
      * Other stacks obtain it via {@link OpenHiDataService.dataEventBusFromConstruct}.
@@ -936,4 +966,4 @@ declare class OpenHiDataService extends OpenHiService {
 }
 
 export { ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };
-export type { BuildParameterNameProps, ChildHostedZoneProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, RootGraphqlApiProps };
+export type { BuildParameterNameProps, ChildHostedZoneProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, RestApiCorsOptions, RootGraphqlApiProps };

package/lib/index.js

@@ -831,15 +831,6 @@ var RootHostedZone = class extends import_constructs2.Construct {
 var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.userPool = this.createUserPool();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-  }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
    */
@@ -890,6 +881,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   get serviceType() {
     return _OpenHiAuthService.SERVICE_TYPE;
   }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.userPool = this.createUserPool();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
   /**
    * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
    * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
@@ -1016,6 +1016,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   }
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiGlobalService.SERVICE_TYPE, props);
+    this.props = props;
     this.validateConfig(props);
     this.rootHostedZone = this.createRootHostedZone();
     this.childHostedZone = this.createChildHostedZone();
@@ -1081,6 +1082,7 @@ var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2
 var import_aws_iam = require("aws-cdk-lib/aws-iam");
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
+var import_core = require("aws-cdk-lib/core");
 
 // src/services/open-hi-data-service.ts
 var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
@@ -1117,6 +1119,7 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   }
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.props = props;
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
     this.dataStore = this.createDataStore();
@@ -1194,6 +1197,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   }
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.props = props;
     this.validateConfig(props);
     const hostedZone = this.createHostedZone();
     const certificate = this.createCertificate();
@@ -1310,6 +1314,19 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     const integration = new import_aws_apigatewayv2_integrations.HttpLambdaIntegration("lambda-integration", lambda);
+    const noAuth = new import_aws_apigatewayv22.HttpNoneAuthorizer();
+    new import_aws_apigatewayv22.HttpRoute(this, "options-route-root", {
+      httpApi: this.rootHttpApi,
+      routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/", import_aws_apigatewayv22.HttpMethod.OPTIONS),
+      integration,
+      authorizer: noAuth
+    });
+    new import_aws_apigatewayv22.HttpRoute(this, "options-route-proxy", {
+      httpApi: this.rootHttpApi,
+      routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/{proxy+}", import_aws_apigatewayv22.HttpMethod.OPTIONS),
+      integration,
+      authorizer: noAuth
+    });
     new import_aws_apigatewayv22.HttpRoute(this, "proxy-route-root", {
       httpApi: this.rootHttpApi,
       routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/", import_aws_apigatewayv22.HttpMethod.ANY),
@@ -1345,12 +1362,32 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       userPool,
       { userPoolClients: [userPoolClient] }
     );
+    const cors = this.props.cors;
+    const corsPreflight = cors && cors.allowOrigins.length > 0 ? {
+      allowOrigins: cors.allowOrigins,
+      allowMethods: cors.allowMethods ?? [
+        import_aws_apigatewayv22.CorsHttpMethod.GET,
+        import_aws_apigatewayv22.CorsHttpMethod.HEAD,
+        import_aws_apigatewayv22.CorsHttpMethod.POST,
+        import_aws_apigatewayv22.CorsHttpMethod.PUT,
+        import_aws_apigatewayv22.CorsHttpMethod.PATCH,
+        import_aws_apigatewayv22.CorsHttpMethod.DELETE,
+        import_aws_apigatewayv22.CorsHttpMethod.OPTIONS
+      ],
+      allowHeaders: cors.allowHeaders ?? [
+        "Content-Type",
+        "Authorization"
+      ],
+      allowCredentials: cors.allowCredentials ?? true,
+      maxAge: cors.maxAge ?? import_core.Duration.days(1)
+    } : void 0;
     const rootHttpApi = new RootHttpApi(this, {
       defaultDomainMapping: {
         domainName,
         mappingKey: void 0
       },
-      defaultAuthorizer: cognitoAuthorizer
+      defaultAuthorizer: cognitoAuthorizer,
+      ...corsPreflight && { corsPreflight }
     });
     new DiscoverableStringParameter(this, "http-api-url-param", {
       ssmParamName: RootHttpApi.SSM_PARAM_NAME,