@openhi/constructs 0.0.128 → 0.0.130

package/lib/index.js

@@ -785,6 +785,7 @@ __export(src_exports, {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEFAULT_PREVIEW_EXPIRATION_DAYS: () => DEFAULT_PREVIEW_EXPIRATION_DAYS,
   DEMO_DATA_PLANE_FIXTURES: () => DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD: () => DEMO_PERIOD,
   DEMO_TENANT_SPECS: () => DEMO_TENANT_SPECS,
@@ -795,6 +796,7 @@ __export(src_exports, {
   DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
+  OPENHI_PR_NUMBER_ENV_VAR: () => OPENHI_PR_NUMBER_ENV_VAR,
   OPENHI_REPO_TAG_KEY_ENV_VAR: () => OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM: () => OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR: () => OPENHI_TAG_KEY_PREFIX_ENV_VAR,
@@ -820,6 +822,7 @@ __export(src_exports, {
   OpsEventBus: () => OpsEventBus,
   OwningDeleteCascadeLambdas: () => OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow: () => OwningDeleteCascadeWorkflow,
+  PER_BRANCH_PREVIEW_PREFIX: () => PER_BRANCH_PREVIEW_PREFIX,
   PLACEHOLDER_TENANT_ID: () => PLACEHOLDER_TENANT_ID,
   PLACEHOLDER_WORKSPACE_ID: () => PLACEHOLDER_WORKSPACE_ID,
   PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM: () => PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
@@ -2352,6 +2355,8 @@ var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_constructs8 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
+var PER_BRANCH_PREVIEW_PREFIX = "admin-pr-";
+var DEFAULT_PREVIEW_EXPIRATION_DAYS = 14;
 var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
   /**
    * Returns true when `domainName` begins with a wildcard label (`*.`),
@@ -2361,11 +2366,19 @@ var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
   static isWildcardDomain(domainName) {
     return domainName.startsWith("*.");
   }
-  constructor(scope, id, props = {}) {
+  constructor(scope, id, props) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
     const serviceType = props.serviceType ?? STATIC_HOSTING_SERVICE_TYPE;
     const hostingMode = props.hostingMode ?? "spa";
+    const previewLifecycleRules = props.enablePreviewLifecycle ? [
+      {
+        id: "expire-pr-previews",
+        enabled: true,
+        prefix: props.prefixPattern,
+        expiration: props.previewExpiration ?? import_aws_cdk_lib11.Duration.days(DEFAULT_PREVIEW_EXPIRATION_DAYS)
+      }
+    ] : void 0;
     this.bucket = new import_aws_s3.Bucket(this, "bucket", {
       blockPublicAccess: {
         blockPublicAcls: true,
@@ -2373,6 +2386,9 @@ var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
         ignorePublicAcls: true,
         restrictPublicBuckets: true
       },
+      ...previewLifecycleRules !== void 0 && {
+        lifecycleRules: previewLifecycleRules
+      },
       ...props.bucketProps
     });
     const handlerJs = path6.join(
@@ -6747,6 +6763,26 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
+  /**
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
+   *
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   */
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    const region = import_core.Stack.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
+  }
   /**
    * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
@@ -7344,11 +7380,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const cognitoScope = new import_constructs21.Construct(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
-    const userPoolDomain = OpenHiAuthService.userPoolDomainFromConstruct(cognitoScope);
+    const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
     return {
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_ID: userPool.userPoolId,
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_CLIENT_ID: userPoolClient.userPoolClientId,
-      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN: userPoolDomain.domainName,
+      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN_URL: cognitoDomainUrl,
       OPENHI_RUNTIME_CONFIG_COGNITO_REDIRECT_URI: this.props.runtimeConfig.cognitoRedirectUri,
       OPENHI_RUNTIME_CONFIG_API_BASE_URL: this.props.runtimeConfig.apiBaseUrl
     };
@@ -7395,7 +7431,9 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
 // src/services/open-hi-website-service.ts
+var import_config5 = __toESM(require_lib());
 var import_aws_s32 = require("aws-cdk-lib/aws-s3");
+var OPENHI_PR_NUMBER_ENV_VAR = "OPENHI_PR_NUMBER";
 var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
 var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
@@ -7455,9 +7493,16 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
     this.props = props;
     this.validateConfig(props);
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    this.prNumber = this.resolvePrNumber(props);
+    if (!isReleaseBranch && this.prNumber === void 0) {
+      throw new Error(
+        `OpenHiWebsiteService: prNumber is required on non-release-branch deploys (branchName="${this.branchName}", defaultReleaseBranch="${this.defaultReleaseBranch}"). Pass the \`prNumber\` prop or set the ${OPENHI_PR_NUMBER_ENV_VAR} env var.`
+      );
+    }
     const hostedZone = this.createHostedZone();
     this.fullDomain = this.computeFullDomain(hostedZone);
-    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? this.branchName === this.defaultReleaseBranch;
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
     if (shouldCreateHostingInfra) {
       const certificate = this.createCertificate();
       this.staticHosting = this.createStaticHosting({
@@ -7465,6 +7510,8 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
         hostedZone
       });
       this.createFullDomainParameter();
+    } else if (!isReleaseBranch) {
+      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
     }
     if (props.createStaticContent !== false) {
       const bucket = this.resolveStaticHostingBucket();
@@ -7507,25 +7554,76 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Computes the full website domain from `domainPrefix` and the child
-   * zone name.
+   * Resolves the PR number from props or the `OPENHI_PR_NUMBER` env var.
+   * Returns `undefined` on release-branch deploys where no PR number is
+   * needed.
+   */
+  resolvePrNumber(props) {
+    if (props.prNumber !== void 0) {
+      return props.prNumber;
+    }
+    const raw = process.env[OPENHI_PR_NUMBER_ENV_VAR]?.trim();
+    if (!raw) {
+      return void 0;
+    }
+    const parsed = Number.parseInt(raw, 10);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      throw new Error(
+        `${OPENHI_PR_NUMBER_ENV_VAR} must be a positive integer; got "${raw}".`
+      );
+    }
+    return parsed;
+  }
+  /**
+   * Computes the full website domain from `domainPrefix`, the PR number,
+   * and the child zone name. Release-branch deploys serve at
+   * `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`); every other
+   * deploy serves a per-PR preview at `\<domainPrefix\>-pr-\<N\>.\<zone\>`
+   * (e.g. `admin-pr-123.dev.openhi.org`).
    */
   computeFullDomain(hostedZone) {
-    const prefix = this.props.domainPrefix ?? "www";
-    return [prefix, hostedZone.zoneName].join(".");
+    const subDomain = this.computeSubDomain();
+    return [subDomain, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Returns the sub-domain label (left of the zone) for the current
+   * deploy. Used both for {@link fullDomain} and for the per-branch S3
+   * key prefix passed to {@link StaticContent} so the upload prefix
+   * always matches the served hostname.
+   *
+   * Non-release deploys compose the per-PR slug from
+   * {@link PER_BRANCH_PREVIEW_PREFIX} so the per-PR S3 key prefix
+   * matches what `StaticHosting`'s lifecycle rule expires.
+   */
+  computeSubDomain() {
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    if (isReleaseBranch) {
+      return this.props.domainPrefix ?? "www";
+    }
+    return `${PER_BRANCH_PREVIEW_PREFIX}${this.prNumber}`;
   }
   /**
    * Creates the StaticHosting infrastructure (bucket + distribution +
-   * Lambda@Edge + 4 SSM params + DNS).
+   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
+   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
+   * hostname so per-PR previews resolve via the same distribution.
+   *
+   * The bucket carries an S3 lifecycle rule that expires per-PR
+   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
+   * on non-production stages. PROD never gets the rule — see
+   * `enablePreviewLifecycle`.
    */
   createStaticHosting(deps) {
     const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
+    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
     return new StaticHosting(this, "static-hosting", {
       serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
       certificate: deps.certificate,
       hostedZone: deps.hostedZone,
-      domainNames: [this.fullDomain],
+      domainNames: [this.fullDomain, wildcardSan],
       description: `OpenHI website (${this.fullDomain})`,
+      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
+      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD,
       ...restApi !== void 0 && { restApi }
     });
   }
@@ -7559,6 +7657,12 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * the release-branch deploy publishes to SSM, addressed against
    * {@link OpenHiService.releaseBranchHash}. See
    * {@link resolveStaticHostingBucket}.
+   *
+   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
+   * upload location matches the Host-header-derived folder the Lambda@Edge
+   * viewer-request handler prepends. Passing the zone name (rather than
+   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat
+   * — `admin-pr-123.dev.openhi.org/`, not `admin-pr-123.admin.dev.openhi.org/`.
    */
   createStaticContent(bucket) {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
@@ -7566,7 +7670,21 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       bucket,
       contentSourceDirectory,
       contentDestinationDirectory,
-      fullDomain: this.fullDomain
+      subDomain: this.computeSubDomain(),
+      fullDomain: this.config.zoneName
+    });
+  }
+  /**
+   * Creates the per-PR `PerBranchHostname` alias record on non-release
+   * branch deploys. The record points `\<domainPrefix\>-pr-\<N\>.\<zone\>`
+   * at the release-branch CloudFront distribution (resolved from SSM
+   * against {@link OpenHiService.releaseBranchHash}).
+   */
+  createPerBranchHostname(hostedZone) {
+    return new PerBranchHostname(this, "per-branch-hostname", {
+      hostname: this.fullDomain,
+      hostedZone,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
     });
   }
   /**
@@ -8112,6 +8230,7 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEFAULT_PREVIEW_EXPIRATION_DAYS,
   DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
@@ -8122,6 +8241,7 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  OPENHI_PR_NUMBER_ENV_VAR,
   OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR,
@@ -8147,6 +8267,7 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
   OpsEventBus,
   OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow,
+  PER_BRANCH_PREVIEW_PREFIX,
   PLACEHOLDER_TENANT_ID,
   PLACEHOLDER_WORKSPACE_ID,
   PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,