@openhi/constructs 0.0.128 → 0.0.130

package/lib/index.mjs

@@ -1526,6 +1526,8 @@ import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
 import { Construct as Construct8 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
+var PER_BRANCH_PREVIEW_PREFIX = "admin-pr-";
+var DEFAULT_PREVIEW_EXPIRATION_DAYS = 14;
 var _StaticHosting = class _StaticHosting extends Construct8 {
   /**
    * Returns true when `domainName` begins with a wildcard label (`*.`),
@@ -1535,11 +1537,19 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
   static isWildcardDomain(domainName) {
     return domainName.startsWith("*.");
   }
-  constructor(scope, id, props = {}) {
+  constructor(scope, id, props) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
     const serviceType = props.serviceType ?? STATIC_HOSTING_SERVICE_TYPE;
     const hostingMode = props.hostingMode ?? "spa";
+    const previewLifecycleRules = props.enablePreviewLifecycle ? [
+      {
+        id: "expire-pr-previews",
+        enabled: true,
+        prefix: props.prefixPattern,
+        expiration: props.previewExpiration ?? Duration5.days(DEFAULT_PREVIEW_EXPIRATION_DAYS)
+      }
+    ] : void 0;
     this.bucket = new Bucket2(this, "bucket", {
       blockPublicAccess: {
         blockPublicAcls: true,
@@ -1547,6 +1557,9 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
         ignorePublicAcls: true,
         restrictPublicBuckets: true
       },
+      ...previewLifecycleRules !== void 0 && {
+        lifecycleRules: previewLifecycleRules
+      },
       ...props.bucketProps
     });
     const handlerJs = path6.join(
@@ -2509,6 +2522,26 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return UserPoolDomain2.fromDomainName(scope, "user-pool-domain", domainName);
   }
+  /**
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
+   *
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   */
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    const region = Stack7.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
+  }
   /**
    * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
@@ -3118,11 +3151,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const cognitoScope = new Construct21(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
-    const userPoolDomain = OpenHiAuthService.userPoolDomainFromConstruct(cognitoScope);
+    const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
     return {
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_ID: userPool.userPoolId,
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_CLIENT_ID: userPoolClient.userPoolClientId,
-      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN: userPoolDomain.domainName,
+      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN_URL: cognitoDomainUrl,
       OPENHI_RUNTIME_CONFIG_COGNITO_REDIRECT_URI: this.props.runtimeConfig.cognitoRedirectUri,
       OPENHI_RUNTIME_CONFIG_API_BASE_URL: this.props.runtimeConfig.apiBaseUrl
     };
@@ -3172,7 +3205,9 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
 // src/services/open-hi-website-service.ts
+var import_config5 = __toESM(require_lib2());
 import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
+var OPENHI_PR_NUMBER_ENV_VAR = "OPENHI_PR_NUMBER";
 var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
 var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
@@ -3232,9 +3267,16 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
     this.props = props;
     this.validateConfig(props);
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    this.prNumber = this.resolvePrNumber(props);
+    if (!isReleaseBranch && this.prNumber === void 0) {
+      throw new Error(
+        `OpenHiWebsiteService: prNumber is required on non-release-branch deploys (branchName="${this.branchName}", defaultReleaseBranch="${this.defaultReleaseBranch}"). Pass the \`prNumber\` prop or set the ${OPENHI_PR_NUMBER_ENV_VAR} env var.`
+      );
+    }
     const hostedZone = this.createHostedZone();
     this.fullDomain = this.computeFullDomain(hostedZone);
-    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? this.branchName === this.defaultReleaseBranch;
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
     if (shouldCreateHostingInfra) {
       const certificate = this.createCertificate();
       this.staticHosting = this.createStaticHosting({
@@ -3242,6 +3284,8 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
         hostedZone
       });
       this.createFullDomainParameter();
+    } else if (!isReleaseBranch) {
+      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
     }
     if (props.createStaticContent !== false) {
       const bucket = this.resolveStaticHostingBucket();
@@ -3284,25 +3328,76 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Computes the full website domain from `domainPrefix` and the child
-   * zone name.
+   * Resolves the PR number from props or the `OPENHI_PR_NUMBER` env var.
+   * Returns `undefined` on release-branch deploys where no PR number is
+   * needed.
+   */
+  resolvePrNumber(props) {
+    if (props.prNumber !== void 0) {
+      return props.prNumber;
+    }
+    const raw = process.env[OPENHI_PR_NUMBER_ENV_VAR]?.trim();
+    if (!raw) {
+      return void 0;
+    }
+    const parsed = Number.parseInt(raw, 10);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      throw new Error(
+        `${OPENHI_PR_NUMBER_ENV_VAR} must be a positive integer; got "${raw}".`
+      );
+    }
+    return parsed;
+  }
+  /**
+   * Computes the full website domain from `domainPrefix`, the PR number,
+   * and the child zone name. Release-branch deploys serve at
+   * `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`); every other
+   * deploy serves a per-PR preview at `\<domainPrefix\>-pr-\<N\>.\<zone\>`
+   * (e.g. `admin-pr-123.dev.openhi.org`).
    */
   computeFullDomain(hostedZone) {
-    const prefix = this.props.domainPrefix ?? "www";
-    return [prefix, hostedZone.zoneName].join(".");
+    const subDomain = this.computeSubDomain();
+    return [subDomain, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Returns the sub-domain label (left of the zone) for the current
+   * deploy. Used both for {@link fullDomain} and for the per-branch S3
+   * key prefix passed to {@link StaticContent} so the upload prefix
+   * always matches the served hostname.
+   *
+   * Non-release deploys compose the per-PR slug from
+   * {@link PER_BRANCH_PREVIEW_PREFIX} so the per-PR S3 key prefix
+   * matches what `StaticHosting`'s lifecycle rule expires.
+   */
+  computeSubDomain() {
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    if (isReleaseBranch) {
+      return this.props.domainPrefix ?? "www";
+    }
+    return `${PER_BRANCH_PREVIEW_PREFIX}${this.prNumber}`;
   }
   /**
    * Creates the StaticHosting infrastructure (bucket + distribution +
-   * Lambda@Edge + 4 SSM params + DNS).
+   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
+   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
+   * hostname so per-PR previews resolve via the same distribution.
+   *
+   * The bucket carries an S3 lifecycle rule that expires per-PR
+   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
+   * on non-production stages. PROD never gets the rule — see
+   * `enablePreviewLifecycle`.
    */
   createStaticHosting(deps) {
     const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
+    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
     return new StaticHosting(this, "static-hosting", {
       serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
       certificate: deps.certificate,
       hostedZone: deps.hostedZone,
-      domainNames: [this.fullDomain],
+      domainNames: [this.fullDomain, wildcardSan],
       description: `OpenHI website (${this.fullDomain})`,
+      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
+      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD,
       ...restApi !== void 0 && { restApi }
     });
   }
@@ -3336,6 +3431,12 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * the release-branch deploy publishes to SSM, addressed against
    * {@link OpenHiService.releaseBranchHash}. See
    * {@link resolveStaticHostingBucket}.
+   *
+   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
+   * upload location matches the Host-header-derived folder the Lambda@Edge
+   * viewer-request handler prepends. Passing the zone name (rather than
+   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat
+   * — `admin-pr-123.dev.openhi.org/`, not `admin-pr-123.admin.dev.openhi.org/`.
    */
   createStaticContent(bucket) {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
@@ -3343,7 +3444,21 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       bucket,
       contentSourceDirectory,
       contentDestinationDirectory,
-      fullDomain: this.fullDomain
+      subDomain: this.computeSubDomain(),
+      fullDomain: this.config.zoneName
+    });
+  }
+  /**
+   * Creates the per-PR `PerBranchHostname` alias record on non-release
+   * branch deploys. The record points `\<domainPrefix\>-pr-\<N\>.\<zone\>`
+   * at the release-branch CloudFront distribution (resolved from SSM
+   * against {@link OpenHiService.releaseBranchHash}).
+   */
+  createPerBranchHostname(hostedZone) {
+    return new PerBranchHostname(this, "per-branch-hostname", {
+      hostname: this.fullDomain,
+      hostedZone,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
     });
   }
   /**
@@ -3902,6 +4017,7 @@ export {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEFAULT_PREVIEW_EXPIRATION_DAYS,
   DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
@@ -3912,6 +4028,7 @@ export {
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  OPENHI_PR_NUMBER_ENV_VAR,
   OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR,
@@ -3937,6 +4054,7 @@ export {
   OpsEventBus,
   OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow,
+  PER_BRANCH_PREVIEW_PREFIX,
   PLACEHOLDER_TENANT_ID,
   PLACEHOLDER_WORKSPACE_ID,
   PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,