@openhi/constructs 0.0.120 → 0.0.122

package/lib/index.mjs

@@ -134,6 +134,16 @@ var require_lib2 = __commonJS({
   }
 });
 
+// src/app/compute-branch-hash.ts
+import { hashString } from "@codedrifters/utils";
+var computeBranchHash = (options) => {
+  const { appName, deploymentTargetRole, account, region, branchName } = options;
+  return hashString(
+    [appName, deploymentTargetRole, account, region, branchName].join("-"),
+    6
+  );
+};
+
 // src/app/open-hi-app.ts
 var import_config2 = __toESM(require_lib2());
 import { App } from "aws-cdk-lib";
@@ -345,7 +355,7 @@ var import_config3 = __toESM(require_lib2());
 import {
   findGitBranch,
   findGitRepoName,
-  hashString
+  hashString as hashString2
 } from "@codedrifters/utils";
 import { RemovalPolicy, Stack, Tags } from "aws-cdk-lib";
 import { paramCase } from "change-case";
@@ -376,17 +386,18 @@ var OpenHiService = class extends Stack {
     const repoName = props.repoName ?? findGitRepoName();
     const defaultReleaseBranch = props.defaultReleaseBranch ?? "main";
     const branchName = props.branchName ?? (process.env.JEST_WORKER_ID ? "test-branch" : process.env.GIT_BRANCH_NAME?.trim() || (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.DEV ? findGitBranch() : defaultReleaseBranch));
-    const environmentHash = hashString(
+    const environmentHash = hashString2(
       [appName, ohEnv.deploymentTargetRole, account, region].join("-"),
       6
     );
-    const branchHash = hashString(
-      [appName, ohEnv.deploymentTargetRole, account, region, branchName].join(
-        "-"
-      ),
-      6
-    );
-    const releaseBranchHash = hashString(
+    const branchHash = computeBranchHash({
+      appName,
+      deploymentTargetRole: ohEnv.deploymentTargetRole,
+      account,
+      region,
+      branchName
+    });
+    const releaseBranchHash = hashString2(
       [
         appName,
         ohEnv.deploymentTargetRole,
@@ -396,7 +407,7 @@ var OpenHiService = class extends Stack {
       ].join("-"),
       6
     );
-    const stackHash = hashString(
+    const stackHash = hashString2(
       [
         appName,
         ohEnv.deploymentTargetRole,
@@ -681,7 +692,10 @@ var CognitoUserPoolClient = class extends UserPoolClient {
           authorizationCodeGrant: true,
           implicitCodeGrant: true
         },
-        callbackUrls: [`https://localhost:3000/oauth/callback`]
+        callbackUrls: [
+          `http://localhost:3000/oauth/callback`,
+          `https://localhost:3000/oauth/callback`
+        ]
       },
       /**
        * Overrideable props
@@ -1343,6 +1357,7 @@ var DataStorePostgresReplica = class extends Construct6 {
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
     const region = Stack3.of(this).region;
+    const ownsVpc = props.vpc === void 0;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -1354,6 +1369,14 @@ var DataStorePostgresReplica = class extends Construct6 {
         }
       ]
     });
+    if (ownsVpc) {
+      new ec2.InterfaceVpcEndpoint(this, "SecretsManagerEndpoint", {
+        vpc: this.vpc,
+        service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+        subnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+        privateDnsEnabled: true
+      });
+    }
     this.cluster = new rds.DatabaseCluster(this, "Cluster", {
       clusterIdentifier: `openhi-dstore-pg-${props.stackHash}`,
       engine: rds.DatabaseClusterEngine.auroraPostgres({
@@ -1504,11 +1527,13 @@ import {
   CacheQueryStringBehavior,
   Distribution,
   LambdaEdgeEventType,
+  OriginProtocolPolicy,
+  OriginRequestPolicy,
   S3OriginAccessControl,
   Signing,
   ViewerProtocolPolicy
 } from "aws-cdk-lib/aws-cloudfront";
-import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
+import { HttpOrigin, S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
@@ -1578,6 +1603,10 @@ var _StaticHosting = class _StaticHosting extends Construct9 {
       originAccessLevels: [AccessLevel.READ]
     });
     const hasCustomDomain = props.certificate !== void 0 && props.hostedZone !== void 0 && props.domainNames !== void 0 && props.domainNames.length > 0;
+    const additionalBehaviors = this.buildRestApiBehaviors(
+      stack.branchHash,
+      props.restApi
+    );
     this.distribution = new Distribution(this, "distribution", {
       comment: `Static hosting distribution for ${props.description ?? id}`,
       ...hasCustomDomain ? {
@@ -1598,6 +1627,7 @@ var _StaticHosting = class _StaticHosting extends Construct9 {
           }
         ]
       },
+      ...additionalBehaviors !== void 0 && { additionalBehaviors },
       ...props.distributionProps
     });
     if (hasCustomDomain) {
@@ -1636,6 +1666,51 @@ var _StaticHosting = class _StaticHosting extends Construct9 {
       description: `Static hosting distribution ID (${props.description ?? id})`
     });
   }
+  /**
+   * Builds the `/api/*` and `/api/control/runtime-config` behaviors backed
+   * by the REST API custom-domain origin. Returns `undefined` when no
+   * `restApi` prop is supplied so the Distribution stays S3-only.
+   */
+  buildRestApiBehaviors(branchHash, restApi) {
+    if (restApi === void 0) {
+      return void 0;
+    }
+    const apiOrigin = new HttpOrigin(restApi.domainName, {
+      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY
+    });
+    const runtimeConfigCachePolicy = new CachePolicy(
+      this,
+      "runtime-config-cache-policy",
+      {
+        cachePolicyName: `static-hosting-runtime-config-${branchHash}`,
+        comment: "/api/control/runtime-config: cache key includes only `v` so the bundle's deploy-hash bust works automatically.",
+        defaultTtl: restApi.runtimeConfigCacheTtl?.defaultTtl ?? Duration5.minutes(5),
+        minTtl: Duration5.seconds(0),
+        maxTtl: restApi.runtimeConfigCacheTtl?.maxTtl ?? Duration5.hours(1),
+        headerBehavior: CacheHeaderBehavior.none(),
+        queryStringBehavior: CacheQueryStringBehavior.allowList("v"),
+        cookieBehavior: CacheCookieBehavior.none(),
+        enableAcceptEncodingGzip: true,
+        enableAcceptEncodingBrotli: true
+      }
+    );
+    return {
+      "/api/control/runtime-config": {
+        origin: apiOrigin,
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        cachePolicy: runtimeConfigCachePolicy,
+        originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER
+      },
+      "/api/*": {
+        origin: apiOrigin,
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        allowedMethods: AllowedMethods.ALLOW_ALL,
+        cachePolicy: CachePolicy.CACHING_DISABLED,
+        originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER
+      }
+    };
+  }
 };
 /**
  * SSM parameter name for the S3 bucket ARN.
@@ -2598,6 +2673,7 @@ import {
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
 import { Duration as Duration10 } from "aws-cdk-lib/core";
+import { Construct as Construct20 } from "constructs";
 
 // src/data/lambda/cors-options-lambda.ts
 import fs11 from "fs";
@@ -2654,7 +2730,8 @@ var RestApiLambda = class extends Construct19 {
         OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
         OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
         OPENHI_PG_DATABASE: props.postgresDatabase,
-        OPENHI_PG_SCHEMA: props.postgresSchema
+        OPENHI_PG_SCHEMA: props.postgresSchema,
+        ...props.extraEnvironment
       },
       bundling: {
         minify: true,
@@ -2666,6 +2743,7 @@ var RestApiLambda = class extends Construct19 {
 
 // src/services/open-hi-rest-api-service.ts
 var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
 var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   /**
    * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
@@ -2687,6 +2765,18 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
   }
+  /**
+   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
+   * `api.example.com`) by looking it up from SSM. Use as the host for a
+   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
+   * to this stack's API Gateway without per-branch DNS knowledge.
+   */
+  static restApiDomainNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
   get serviceType() {
     return _OpenHiRestApiService.SERVICE_TYPE;
   }
@@ -2698,6 +2788,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const certificate = this.createCertificate();
     const apiDomainName = this.createApiDomainNameString(hostedZone);
     this.createRestApiBaseUrlParameter(apiDomainName);
+    this.createRestApiDomainNameParameter(apiDomainName);
     const domainName = this.createDomainName(hostedZone, certificate);
     this.rootHttpApi = this.createRootHttpApi(domainName);
     this.createRestApiLambdaAndRoutes(hostedZone, domainName);
@@ -2756,6 +2847,20 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       description: "REST API base URL for this deployment (E2E, scripts)"
     });
   }
+  /**
+   * Creates the SSM parameter exposing the REST API's custom domain (bare
+   * hostname, no scheme). Consumed by the website service as the CloudFront
+   * `/api/*` origin host.
+   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiDomainNameParameter(apiDomainName) {
+    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      stringValue: apiDomainName,
+      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
+    });
+  }
   /**
    * Creates the API Gateway custom domain name resource.
    * Override to customize.
@@ -2777,6 +2882,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
     const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
     const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
+    const extraEnvironment = this.resolveRuntimeConfigEnvVars();
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName,
       branchTagValue: this.branchName,
@@ -2784,7 +2890,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresClusterArn,
       postgresSecretArn,
       postgresDatabase,
-      postgresSchema
+      postgresSchema,
+      ...extraEnvironment !== void 0 && { extraEnvironment }
     });
     lambda.addToRolePolicy(
       new PolicyStatement7({
@@ -2925,6 +3032,32 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     return rootHttpApi;
   }
+  /**
+   * Builds the `OPENHI_RUNTIME_CONFIG_*` env-var map the REST API Lambda
+   * exposes through `GET /control/runtime-config`. Returns `undefined` when
+   * the `runtimeConfig` prop is omitted so no env vars are set.
+   *
+   * The three Cognito IDs are resolved via SSM lookups against the auth
+   * stack from a dedicated sub-scope (`runtime-config`) so they don't
+   * collide with the user-pool / user-pool-client constructs already
+   * created in {@link createRootHttpApi}.
+   */
+  resolveRuntimeConfigEnvVars() {
+    if (this.props.runtimeConfig === void 0) {
+      return void 0;
+    }
+    const cognitoScope = new Construct20(this, "runtime-config");
+    const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
+    const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
+    const userPoolDomain = OpenHiAuthService.userPoolDomainFromConstruct(cognitoScope);
+    return {
+      OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_ID: userPool.userPoolId,
+      OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_CLIENT_ID: userPoolClient.userPoolClientId,
+      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN: userPoolDomain.domainName,
+      OPENHI_RUNTIME_CONFIG_COGNITO_REDIRECT_URI: this.props.runtimeConfig.cognitoRedirectUri,
+      OPENHI_RUNTIME_CONFIG_API_BASE_URL: this.props.runtimeConfig.apiBaseUrl
+    };
+  }
 };
 _OpenHiRestApiService.SERVICE_TYPE = "rest-api";
 var OpenHiRestApiService = _OpenHiRestApiService;
@@ -3042,7 +3175,8 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       this.createFullDomainParameter();
     }
     if (props.createStaticContent !== false) {
-      this.staticContent = this.createStaticContent();
+      const bucket = this.resolveStaticHostingBucket();
+      this.staticContent = this.createStaticContent(bucket);
     }
   }
   /**
@@ -3093,14 +3227,26 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * Lambda@Edge + 4 SSM params + DNS).
    */
   createStaticHosting(deps) {
+    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
     return new StaticHosting(this, "static-hosting", {
       serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
       certificate: deps.certificate,
       hostedZone: deps.hostedZone,
       domainNames: [this.fullDomain],
-      description: `OpenHI website (${this.fullDomain})`
+      description: `OpenHI website (${this.fullDomain})`,
+      ...restApi !== void 0 && { restApi }
     });
   }
+  /**
+   * Resolves the REST API custom-domain hostname from the rest-api stack's
+   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
+   * it can be overridden / stubbed in subclasses and tests.
+   */
+  resolveRestApi() {
+    return {
+      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+    };
+  }
   /**
    * Creates the SSM parameter that publishes the website's full domain.
    * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
@@ -3114,21 +3260,18 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     });
   }
   /**
-   * Creates the StaticContent uploader. Always created so feature-branch
-   * deploys can publish content to their own sub-domain folder against the
-   * release-branch bucket.
-   *
-   * The destination bucket is resolved here so the construct never has to
-   * branch on release-vs-feature: on the release branch we pass the
-   * just-created {@link staticHosting} bucket directly (no SSM round-trip
-   * within a single stack); on every other branch we look up the bucket
-   * ARN published by the release-branch deploy, addressed against
-   * {@link OpenHiService.releaseBranchHash}.
-   */
-  createStaticContent() {
+   * Creates the StaticContent uploader. Receives the resolved static-hosting
+   * bucket from the constructor — on the release-branch deploy this is the
+   * just-created {@link staticHosting} bucket (no SSM round-trip within a
+   * single stack); on every other deploy it is imported from the bucket ARN
+   * the release-branch deploy publishes to SSM, addressed against
+   * {@link OpenHiService.releaseBranchHash}. See
+   * {@link resolveStaticHostingBucket}.
+   */
+  createStaticContent(bucket) {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
     return new StaticContent(this, "static-content", {
-      bucket: this.resolveStaticHostingBucket(),
+      bucket,
       contentSourceDirectory,
       contentDestinationDirectory,
       fullDomain: this.fullDomain
@@ -3136,7 +3279,7 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   }
   /**
    * Returns an {@link IBucket} pointing at the static-hosting bucket the
-   * uploader writes to. On the release-branch deploy this is the bucket
+   * uploaders write to. On the release-branch deploy this is the bucket
    * just provisioned by {@link staticHosting}; on every other deploy it's
    * imported from the bucket ARN the release-branch deploy publishes to
    * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
@@ -3163,7 +3306,7 @@ import { Duration as Duration11 } from "aws-cdk-lib";
 import { Effect as Effect8, PolicyStatement as PolicyStatement8 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct20 } from "constructs";
+import { Construct as Construct21 } from "constructs";
 function resolveHandlerEntry12(dirname, handlerName) {
   const sameDir = path13.join(dirname, handlerName);
   if (fs13.existsSync(sameDir)) {
@@ -3172,7 +3315,7 @@ function resolveHandlerEntry12(dirname, handlerName) {
   const libDir = path13.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var OwningDeleteCascadeLambdas = class extends Construct20 {
+var OwningDeleteCascadeLambdas = class extends Construct21 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-lambdas");
     const listResolved = resolveHandlerEntry12(
@@ -3250,8 +3393,8 @@ import {
   WaitTime
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct21 } from "constructs";
-var OwningDeleteCascadeWorkflow = class extends Construct21 {
+import { Construct as Construct22 } from "constructs";
+var OwningDeleteCascadeWorkflow = class extends Construct22 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-workflow");
     this.lambdas = new OwningDeleteCascadeLambdas(this, {
@@ -3416,7 +3559,7 @@ import { Duration as Duration13 } from "aws-cdk-lib";
 import { Effect as Effect9, PolicyStatement as PolicyStatement9 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime14 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction14 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct22 } from "constructs";
+import { Construct as Construct23 } from "constructs";
 function resolveHandlerEntry13(dirname, handlerName) {
   const sameDir = path14.join(dirname, handlerName);
   if (fs14.existsSync(sameDir)) {
@@ -3425,7 +3568,7 @@ function resolveHandlerEntry13(dirname, handlerName) {
   const libDir = path14.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var RenameCascadeLambdas = class extends Construct22 {
+var RenameCascadeLambdas = class extends Construct23 {
   constructor(scope, props) {
     super(scope, "rename-cascade-lambdas");
     const listResolved = resolveHandlerEntry13(
@@ -3499,8 +3642,8 @@ import {
   TaskInput as TaskInput2
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke as LambdaInvoke2 } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct23 } from "constructs";
-var RenameCascadeWorkflow = class extends Construct23 {
+import { Construct as Construct24 } from "constructs";
+var RenameCascadeWorkflow = class extends Construct24 {
   constructor(scope, props) {
     super(scope, "rename-cascade-workflow");
     this.lambdas = new RenameCascadeLambdas(this, {
@@ -3747,6 +3890,7 @@ export {
   RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
   RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   REST_API_BASE_URL_SSM_NAME,
+  REST_API_DOMAIN_NAME_SSM_NAME,
   RenameCascadeLambdas,
   RenameCascadeWorkflow,
   RootGraphqlApi,
@@ -3772,6 +3916,7 @@ export {
   WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
+  computeBranchHash,
   demoMembershipId,
   demoRoleAssignmentId,
   demoRolesForUserInTenant,