@openhi/constructs 0.0.121 → 0.0.122

package/lib/index.js

@@ -842,6 +842,7 @@ __export(src_exports, {
   RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR: () => RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
   RENAME_CASCADE_SLOW_THRESHOLD_SECONDS: () => RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
+  REST_API_DOMAIN_NAME_SSM_NAME: () => REST_API_DOMAIN_NAME_SSM_NAME,
   RenameCascadeLambdas: () => RenameCascadeLambdas,
   RenameCascadeWorkflow: () => RenameCascadeWorkflow,
   RootGraphqlApi: () => RootGraphqlApi,
@@ -867,6 +868,7 @@ __export(src_exports, {
   WorkflowDedupTableDuplicateError: () => WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail: () => buildProvisionDefaultWorkspaceRequestedDetail,
+  computeBranchHash: () => computeBranchHash,
   demoMembershipId: () => demoMembershipId,
   demoRoleAssignmentId: () => demoRoleAssignmentId,
   demoRolesForUserInTenant: () => demoRolesForUserInTenant,
@@ -879,6 +881,16 @@ __export(src_exports, {
 });
 module.exports = __toCommonJS(src_exports);
 
+// src/app/compute-branch-hash.ts
+var import_utils = require("@codedrifters/utils");
+var computeBranchHash = (options) => {
+  const { appName, deploymentTargetRole, account, region, branchName } = options;
+  return (0, import_utils.hashString)(
+    [appName, deploymentTargetRole, account, region, branchName].join("-"),
+    6
+  );
+};
+
 // src/app/open-hi-app.ts
 var import_config2 = __toESM(require_lib());
 var import_aws_cdk_lib3 = require("aws-cdk-lib");
@@ -1086,7 +1098,7 @@ var OpenHiApp = class _OpenHiApp extends import_aws_cdk_lib3.App {
 };
 
 // src/app/open-hi-service.ts
-var import_utils = require("@codedrifters/utils");
+var import_utils2 = require("@codedrifters/utils");
 var import_config3 = __toESM(require_lib());
 var import_aws_cdk_lib4 = require("aws-cdk-lib");
 var import_change_case = require("change-case");
@@ -1114,20 +1126,21 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
       );
     }
     const appName = props.appName ?? ohEnv.ohStage.ohApp.appName ?? "openhi";
-    const repoName = props.repoName ?? (0, import_utils.findGitRepoName)();
+    const repoName = props.repoName ?? (0, import_utils2.findGitRepoName)();
     const defaultReleaseBranch = props.defaultReleaseBranch ?? "main";
-    const branchName = props.branchName ?? (process.env.JEST_WORKER_ID ? "test-branch" : process.env.GIT_BRANCH_NAME?.trim() || (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.DEV ? (0, import_utils.findGitBranch)() : defaultReleaseBranch));
-    const environmentHash = (0, import_utils.hashString)(
+    const branchName = props.branchName ?? (process.env.JEST_WORKER_ID ? "test-branch" : process.env.GIT_BRANCH_NAME?.trim() || (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.DEV ? (0, import_utils2.findGitBranch)() : defaultReleaseBranch));
+    const environmentHash = (0, import_utils2.hashString)(
       [appName, ohEnv.deploymentTargetRole, account, region].join("-"),
       6
     );
-    const branchHash = (0, import_utils.hashString)(
-      [appName, ohEnv.deploymentTargetRole, account, region, branchName].join(
-        "-"
-      ),
-      6
-    );
-    const releaseBranchHash = (0, import_utils.hashString)(
+    const branchHash = computeBranchHash({
+      appName,
+      deploymentTargetRole: ohEnv.deploymentTargetRole,
+      account,
+      region,
+      branchName
+    });
+    const releaseBranchHash = (0, import_utils2.hashString)(
       [
         appName,
         ohEnv.deploymentTargetRole,
@@ -1137,7 +1150,7 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
       ].join("-"),
       6
     );
-    const stackHash = (0, import_utils.hashString)(
+    const stackHash = (0, import_utils2.hashString)(
       [
         appName,
         ohEnv.deploymentTargetRole,
@@ -1411,7 +1424,10 @@ var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
           authorizationCodeGrant: true,
           implicitCodeGrant: true
         },
-        callbackUrls: [`https://localhost:3000/oauth/callback`]
+        callbackUrls: [
+          `http://localhost:3000/oauth/callback`,
+          `https://localhost:3000/oauth/callback`
+        ]
       },
       /**
        * Overrideable props
@@ -2415,6 +2431,10 @@ var _StaticHosting = class _StaticHosting extends import_constructs9.Construct {
       originAccessLevels: [import_aws_cloudfront.AccessLevel.READ]
     });
     const hasCustomDomain = props.certificate !== void 0 && props.hostedZone !== void 0 && props.domainNames !== void 0 && props.domainNames.length > 0;
+    const additionalBehaviors = this.buildRestApiBehaviors(
+      stack.branchHash,
+      props.restApi
+    );
     this.distribution = new import_aws_cloudfront.Distribution(this, "distribution", {
       comment: `Static hosting distribution for ${props.description ?? id}`,
       ...hasCustomDomain ? {
@@ -2435,6 +2455,7 @@ var _StaticHosting = class _StaticHosting extends import_constructs9.Construct {
           }
         ]
       },
+      ...additionalBehaviors !== void 0 && { additionalBehaviors },
       ...props.distributionProps
     });
     if (hasCustomDomain) {
@@ -2473,6 +2494,51 @@ var _StaticHosting = class _StaticHosting extends import_constructs9.Construct {
       description: `Static hosting distribution ID (${props.description ?? id})`
     });
   }
+  /**
+   * Builds the `/api/*` and `/api/control/runtime-config` behaviors backed
+   * by the REST API custom-domain origin. Returns `undefined` when no
+   * `restApi` prop is supplied so the Distribution stays S3-only.
+   */
+  buildRestApiBehaviors(branchHash, restApi) {
+    if (restApi === void 0) {
+      return void 0;
+    }
+    const apiOrigin = new import_aws_cloudfront_origins.HttpOrigin(restApi.domainName, {
+      protocolPolicy: import_aws_cloudfront.OriginProtocolPolicy.HTTPS_ONLY
+    });
+    const runtimeConfigCachePolicy = new import_aws_cloudfront.CachePolicy(
+      this,
+      "runtime-config-cache-policy",
+      {
+        cachePolicyName: `static-hosting-runtime-config-${branchHash}`,
+        comment: "/api/control/runtime-config: cache key includes only `v` so the bundle's deploy-hash bust works automatically.",
+        defaultTtl: restApi.runtimeConfigCacheTtl?.defaultTtl ?? import_aws_cdk_lib11.Duration.minutes(5),
+        minTtl: import_aws_cdk_lib11.Duration.seconds(0),
+        maxTtl: restApi.runtimeConfigCacheTtl?.maxTtl ?? import_aws_cdk_lib11.Duration.hours(1),
+        headerBehavior: import_aws_cloudfront.CacheHeaderBehavior.none(),
+        queryStringBehavior: import_aws_cloudfront.CacheQueryStringBehavior.allowList("v"),
+        cookieBehavior: import_aws_cloudfront.CacheCookieBehavior.none(),
+        enableAcceptEncodingGzip: true,
+        enableAcceptEncodingBrotli: true
+      }
+    );
+    return {
+      "/api/control/runtime-config": {
+        origin: apiOrigin,
+        viewerProtocolPolicy: import_aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        allowedMethods: import_aws_cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        cachePolicy: runtimeConfigCachePolicy,
+        originRequestPolicy: import_aws_cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER
+      },
+      "/api/*": {
+        origin: apiOrigin,
+        viewerProtocolPolicy: import_aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        allowedMethods: import_aws_cloudfront.AllowedMethods.ALLOW_ALL,
+        cachePolicy: import_aws_cloudfront.CachePolicy.CACHING_DISABLED,
+        originRequestPolicy: import_aws_cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER
+      }
+    };
+  }
 };
 /**
  * SSM parameter name for the S3 bucket ARN.
@@ -6834,6 +6900,7 @@ var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
 var import_aws_route534 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets2 = require("aws-cdk-lib/aws-route53-targets");
 var import_core2 = require("aws-cdk-lib/core");
+var import_constructs20 = require("constructs");
 
 // src/data/lambda/cors-options-lambda.ts
 var import_node_fs10 = __toESM(require("fs"));
@@ -6890,7 +6957,8 @@ var RestApiLambda = class extends import_constructs19.Construct {
         OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
         OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
         OPENHI_PG_DATABASE: props.postgresDatabase,
-        OPENHI_PG_SCHEMA: props.postgresSchema
+        OPENHI_PG_SCHEMA: props.postgresSchema,
+        ...props.extraEnvironment
       },
       bundling: {
         minify: true,
@@ -6902,6 +6970,7 @@ var RestApiLambda = class extends import_constructs19.Construct {
 
 // src/services/open-hi-rest-api-service.ts
 var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
 var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   /**
    * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
@@ -6923,6 +6992,18 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
   }
+  /**
+   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
+   * `api.example.com`) by looking it up from SSM. Use as the host for a
+   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
+   * to this stack's API Gateway without per-branch DNS knowledge.
+   */
+  static restApiDomainNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
   get serviceType() {
     return _OpenHiRestApiService.SERVICE_TYPE;
   }
@@ -6934,6 +7015,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const certificate = this.createCertificate();
     const apiDomainName = this.createApiDomainNameString(hostedZone);
     this.createRestApiBaseUrlParameter(apiDomainName);
+    this.createRestApiDomainNameParameter(apiDomainName);
     const domainName = this.createDomainName(hostedZone, certificate);
     this.rootHttpApi = this.createRootHttpApi(domainName);
     this.createRestApiLambdaAndRoutes(hostedZone, domainName);
@@ -6992,6 +7074,20 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       description: "REST API base URL for this deployment (E2E, scripts)"
     });
   }
+  /**
+   * Creates the SSM parameter exposing the REST API's custom domain (bare
+   * hostname, no scheme). Consumed by the website service as the CloudFront
+   * `/api/*` origin host.
+   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiDomainNameParameter(apiDomainName) {
+    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      stringValue: apiDomainName,
+      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
+    });
+  }
   /**
    * Creates the API Gateway custom domain name resource.
    * Override to customize.
@@ -7013,6 +7109,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
     const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
     const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
+    const extraEnvironment = this.resolveRuntimeConfigEnvVars();
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName,
       branchTagValue: this.branchName,
@@ -7020,7 +7117,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresClusterArn,
       postgresSecretArn,
       postgresDatabase,
-      postgresSchema
+      postgresSchema,
+      ...extraEnvironment !== void 0 && { extraEnvironment }
     });
     lambda.addToRolePolicy(
       new import_aws_iam7.PolicyStatement({
@@ -7161,6 +7259,32 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     return rootHttpApi;
   }
+  /**
+   * Builds the `OPENHI_RUNTIME_CONFIG_*` env-var map the REST API Lambda
+   * exposes through `GET /control/runtime-config`. Returns `undefined` when
+   * the `runtimeConfig` prop is omitted so no env vars are set.
+   *
+   * The three Cognito IDs are resolved via SSM lookups against the auth
+   * stack from a dedicated sub-scope (`runtime-config`) so they don't
+   * collide with the user-pool / user-pool-client constructs already
+   * created in {@link createRootHttpApi}.
+   */
+  resolveRuntimeConfigEnvVars() {
+    if (this.props.runtimeConfig === void 0) {
+      return void 0;
+    }
+    const cognitoScope = new import_constructs20.Construct(this, "runtime-config");
+    const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
+    const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
+    const userPoolDomain = OpenHiAuthService.userPoolDomainFromConstruct(cognitoScope);
+    return {
+      OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_ID: userPool.userPoolId,
+      OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_CLIENT_ID: userPoolClient.userPoolClientId,
+      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN: userPoolDomain.domainName,
+      OPENHI_RUNTIME_CONFIG_COGNITO_REDIRECT_URI: this.props.runtimeConfig.cognitoRedirectUri,
+      OPENHI_RUNTIME_CONFIG_API_BASE_URL: this.props.runtimeConfig.apiBaseUrl
+    };
+  }
 };
 _OpenHiRestApiService.SERVICE_TYPE = "rest-api";
 var OpenHiRestApiService = _OpenHiRestApiService;
@@ -7275,7 +7399,8 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       this.createFullDomainParameter();
     }
     if (props.createStaticContent !== false) {
-      this.staticContent = this.createStaticContent();
+      const bucket = this.resolveStaticHostingBucket();
+      this.staticContent = this.createStaticContent(bucket);
     }
   }
   /**
@@ -7326,14 +7451,26 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * Lambda@Edge + 4 SSM params + DNS).
    */
   createStaticHosting(deps) {
+    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
     return new StaticHosting(this, "static-hosting", {
       serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
       certificate: deps.certificate,
       hostedZone: deps.hostedZone,
       domainNames: [this.fullDomain],
-      description: `OpenHI website (${this.fullDomain})`
+      description: `OpenHI website (${this.fullDomain})`,
+      ...restApi !== void 0 && { restApi }
     });
   }
+  /**
+   * Resolves the REST API custom-domain hostname from the rest-api stack's
+   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
+   * it can be overridden / stubbed in subclasses and tests.
+   */
+  resolveRestApi() {
+    return {
+      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+    };
+  }
   /**
    * Creates the SSM parameter that publishes the website's full domain.
    * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
@@ -7347,21 +7484,18 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     });
   }
   /**
-   * Creates the StaticContent uploader. Always created so feature-branch
-   * deploys can publish content to their own sub-domain folder against the
-   * release-branch bucket.
-   *
-   * The destination bucket is resolved here so the construct never has to
-   * branch on release-vs-feature: on the release branch we pass the
-   * just-created {@link staticHosting} bucket directly (no SSM round-trip
-   * within a single stack); on every other branch we look up the bucket
-   * ARN published by the release-branch deploy, addressed against
-   * {@link OpenHiService.releaseBranchHash}.
+   * Creates the StaticContent uploader. Receives the resolved static-hosting
+   * bucket from the constructor — on the release-branch deploy this is the
+   * just-created {@link staticHosting} bucket (no SSM round-trip within a
+   * single stack); on every other deploy it is imported from the bucket ARN
+   * the release-branch deploy publishes to SSM, addressed against
+   * {@link OpenHiService.releaseBranchHash}. See
+   * {@link resolveStaticHostingBucket}.
    */
-  createStaticContent() {
+  createStaticContent(bucket) {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
     return new StaticContent(this, "static-content", {
-      bucket: this.resolveStaticHostingBucket(),
+      bucket,
       contentSourceDirectory,
       contentDestinationDirectory,
       fullDomain: this.fullDomain
@@ -7369,7 +7503,7 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   }
   /**
    * Returns an {@link IBucket} pointing at the static-hosting bucket the
-   * uploader writes to. On the release-branch deploy this is the bucket
+   * uploaders write to. On the release-branch deploy this is the bucket
    * just provisioned by {@link staticHosting}; on every other deploy it's
    * imported from the bucket ARN the release-branch deploy publishes to
    * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
@@ -7403,7 +7537,7 @@ var import_aws_cdk_lib16 = require("aws-cdk-lib");
 var import_aws_iam8 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs20 = require("constructs");
+var import_constructs21 = require("constructs");
 function resolveHandlerEntry12(dirname, handlerName) {
   const sameDir = import_node_path12.default.join(dirname, handlerName);
   if (import_node_fs12.default.existsSync(sameDir)) {
@@ -7412,7 +7546,7 @@ function resolveHandlerEntry12(dirname, handlerName) {
   const libDir = import_node_path12.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var OwningDeleteCascadeLambdas = class extends import_constructs20.Construct {
+var OwningDeleteCascadeLambdas = class extends import_constructs21.Construct {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-lambdas");
     const listResolved = resolveHandlerEntry12(
@@ -7479,8 +7613,8 @@ var import_aws_events9 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets5 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions = require("aws-cdk-lib/aws-stepfunctions");
 var import_aws_stepfunctions_tasks = require("aws-cdk-lib/aws-stepfunctions-tasks");
-var import_constructs21 = require("constructs");
-var OwningDeleteCascadeWorkflow = class extends import_constructs21.Construct {
+var import_constructs22 = require("constructs");
+var OwningDeleteCascadeWorkflow = class extends import_constructs22.Construct {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-workflow");
     this.lambdas = new OwningDeleteCascadeLambdas(this, {
@@ -7653,7 +7787,7 @@ var import_aws_cdk_lib18 = require("aws-cdk-lib");
 var import_aws_iam9 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda14 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs14 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs22 = require("constructs");
+var import_constructs23 = require("constructs");
 function resolveHandlerEntry13(dirname, handlerName) {
   const sameDir = import_node_path13.default.join(dirname, handlerName);
   if (import_node_fs13.default.existsSync(sameDir)) {
@@ -7662,7 +7796,7 @@ function resolveHandlerEntry13(dirname, handlerName) {
   const libDir = import_node_path13.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var RenameCascadeLambdas = class extends import_constructs22.Construct {
+var RenameCascadeLambdas = class extends import_constructs23.Construct {
   constructor(scope, props) {
     super(scope, "rename-cascade-lambdas");
     const listResolved = resolveHandlerEntry13(
@@ -7727,8 +7861,8 @@ var import_aws_events10 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets6 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions2 = require("aws-cdk-lib/aws-stepfunctions");
 var import_aws_stepfunctions_tasks2 = require("aws-cdk-lib/aws-stepfunctions-tasks");
-var import_constructs23 = require("constructs");
-var RenameCascadeWorkflow = class extends import_constructs23.Construct {
+var import_constructs24 = require("constructs");
+var RenameCascadeWorkflow = class extends import_constructs24.Construct {
   constructor(scope, props) {
     super(scope, "rename-cascade-workflow");
     this.lambdas = new RenameCascadeLambdas(this, {
@@ -7967,6 +8101,7 @@ var RenameCascadeWorkflow = class extends import_constructs23.Construct {
   RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
   RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   REST_API_BASE_URL_SSM_NAME,
+  REST_API_DOMAIN_NAME_SSM_NAME,
   RenameCascadeLambdas,
   RenameCascadeWorkflow,
   RootGraphqlApi,
@@ -7992,6 +8127,7 @@ var RenameCascadeWorkflow = class extends import_constructs23.Construct {
   WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
+  computeBranchHash,
   demoMembershipId,
   demoRoleAssignmentId,
   demoRolesForUserInTenant,