@openhi/constructs 0.0.151 → 0.0.153

package/lib/index.js

@@ -3101,11 +3101,15 @@ var OpenHiGlobalService = _OpenHiGlobalService;
 // src/workflows/control-plane/seed-demo-data/events.ts
 var import_types = require("@openhi/types");
 var import_workflows2 = __toESM(require_lib2());
+
+// src/data/operations/control/membership-constraints/platform-scope-tenant-id.ts
+var PLATFORM_SCOPE_TENANT_ID = "platform";
+
+// src/workflows/control-plane/seed-demo-data/events.ts
 var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
 var DEMO_URN_SYSTEM = "urn:openhi:demo";
 var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
 var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
-var PLATFORM_SCOPE_TENANT_ID = "platform";
 var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
 var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
 var DEV_USERS = [
@@ -3620,9 +3624,9 @@ var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs13 = require("constructs");
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
-var import_node_crypto = require("crypto");
 var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
 var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_client_ssm = require("@aws-sdk/client-ssm");
 var import_types12 = require("@openhi/types");
 var import_workflows3 = __toESM(require_lib2());
 
@@ -6522,7 +6526,7 @@ var SeedDemoDataLambda = class extends import_constructs13.Construct {
     this.lambda.addToRolePolicy(
       new import_aws_iam3.PolicyStatement({
         effect: import_aws_iam3.Effect.ALLOW,
-        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:Query"],
         resources: [props.dataStoreTable.tableArn]
       })
     );
@@ -6543,6 +6547,32 @@ var SeedDemoDataLambda = class extends import_constructs13.Construct {
         ]
       })
     );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["ssm:GetParameter"],
+        resources: [
+          import_aws_cdk_lib13.Stack.of(this).formatArn({
+            service: "ssm",
+            resource: "parameter",
+            resourceName: "openhi/seed/users/*/password"
+          })
+        ]
+      })
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["kms:Decrypt"],
+        resources: [
+          import_aws_cdk_lib13.Stack.of(this).formatArn({
+            service: "kms",
+            resource: "alias",
+            resourceName: "aws/ssm"
+          })
+        ]
+      })
+    );
     this.rule = new import_aws_events6.Rule(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
@@ -6784,6 +6814,7 @@ var OpenHiDataService = _OpenHiDataService;
 
 // src/services/open-hi-website-service.ts
 var import_config6 = __toESM(require_lib());
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
 var import_aws_s32 = require("aws-cdk-lib/aws-s3");
 
 // src/services/open-hi-rest-api-service.ts
@@ -7360,6 +7391,7 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
     const hostedZone = this.createHostedZone();
     this.fullDomain = this.computeFullDomain(hostedZone);
+    this.createAdminConsoleEndpointOutput();
     const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
     if (shouldCreateHostingInfra) {
       const certificate = this.createCertificate();
@@ -7499,6 +7531,25 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       description: "Full website domain (e.g. www.example.com)"
     });
   }
+  /**
+   * Adds a CloudFormation `AdminConsoleEndpoint` output exposing the
+   * admin-console invocation URL (`https://<fullDomain>`) on every
+   * deploy of this stack — release-branch and per-PR alike. The
+   * configulator `aws-deploy-workflow` filters CFN outputs by the
+   * `Endpoint$` logical-id suffix to surface them in the GitHub
+   * Actions run summary and sticky PR comment, so the logical id is
+   * pinned via {@link CfnOutput.overrideLogicalId} to keep the
+   * literal key stable across synths.
+   */
+  createAdminConsoleEndpointOutput() {
+    const output = new import_aws_cdk_lib15.CfnOutput(this, "admin-console-endpoint-output", {
+      value: `https://${this.fullDomain}`,
+      description: "Admin console endpoint for this deploy (https://<fullDomain>). Surfaced by the deploy workflow's sticky PR comment and job summary."
+    });
+    output.overrideLogicalId(
+      _OpenHiWebsiteService.ADMIN_CONSOLE_ENDPOINT_OUTPUT_NAME
+    );
+  }
   /**
    * Creates the StaticContent uploader. Receives the resolved static-hosting
    * bucket from the constructor — on the release-branch deploy this is the
@@ -7565,6 +7616,15 @@ _OpenHiWebsiteService.SERVICE_TYPE = "website";
  * `www-<childZonePrefix>.<zone>`.
  */
 _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
+/**
+ * CloudFormation logical key for the admin-console endpoint `CfnOutput`.
+ * The configulator deploy workflow filters outputs whose logical id
+ * matches the `Endpoint$` regex to surface them in the GitHub Actions
+ * run summary and sticky PR comment, so the suffix must be `Endpoint`.
+ * The logical id is pinned via {@link CfnOutput.overrideLogicalId} so
+ * it does not pick up a synth-time hash suffix.
+ */
+_OpenHiWebsiteService.ADMIN_CONSOLE_ENDPOINT_OUTPUT_NAME = "AdminConsoleEndpoint";
 var OpenHiWebsiteService = _OpenHiWebsiteService;
 
 // src/workflows/control-plane/user-onboarding/events.ts
@@ -7595,7 +7655,7 @@ var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
 var import_node_fs11 = __toESM(require("fs"));
 var import_node_path11 = __toESM(require("path"));
-var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_cdk_lib16 = require("aws-cdk-lib");
 var import_aws_events8 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
@@ -7642,7 +7702,7 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs20.Construc
       targets: [
         new import_aws_events_targets4.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib16.Duration.hours(2)
         })
       ]
     });
@@ -8081,7 +8141,7 @@ var OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR = "OWNING_DELETE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 var import_node_fs12 = __toESM(require("fs"));
 var import_node_path12 = __toESM(require("path"));
-var import_aws_cdk_lib16 = require("aws-cdk-lib");
+var import_aws_cdk_lib17 = require("aws-cdk-lib");
 var import_aws_iam8 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -8105,7 +8165,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs22.Construct {
       entry: listResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -8119,7 +8179,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs22.Construct {
       entry: deleteResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -8138,7 +8198,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs22.Construct {
       entry: finalizeResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -8156,7 +8216,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs22.Construct {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-var import_aws_cdk_lib17 = require("aws-cdk-lib");
+var import_aws_cdk_lib18 = require("aws-cdk-lib");
 var import_aws_events9 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets5 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions = require("aws-cdk-lib/aws-stepfunctions");
@@ -8271,7 +8331,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs23.Construct {
       }
     });
     const interPageWait = new import_aws_stepfunctions.Wait(this, "inter-page-wait", {
-      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib17.Duration.seconds(0))
+      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib18.Duration.seconds(0))
     });
     const isExhausted = new import_aws_stepfunctions.Choice(this, "is-exhausted");
     const finalize = new import_aws_stepfunctions_tasks.LambdaInvoke(this, "finalize", {
@@ -8302,7 +8362,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs23.Construct {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: import_aws_cdk_lib17.Duration.hours(2)
+      timeout: import_aws_cdk_lib18.Duration.hours(2)
     });
     this.rule = new import_aws_events9.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -8313,7 +8373,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs23.Construct {
       targets: [
         new import_aws_events_targets5.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib17.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib18.Duration.hours(2)
         })
       ]
     });
@@ -8331,7 +8391,7 @@ var RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR = "RENAME_CASCADE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
 var import_node_fs13 = __toESM(require("fs"));
 var import_node_path13 = __toESM(require("path"));
-var import_aws_cdk_lib18 = require("aws-cdk-lib");
+var import_aws_cdk_lib19 = require("aws-cdk-lib");
 var import_aws_iam9 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda14 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs14 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -8355,7 +8415,7 @@ var RenameCascadeLambdas = class extends import_constructs24.Construct {
       entry: listResolved.entry,
       runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib18.Duration.minutes(1),
+      timeout: import_aws_cdk_lib19.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -8369,7 +8429,7 @@ var RenameCascadeLambdas = class extends import_constructs24.Construct {
       entry: rewriteResolved.entry,
       runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib18.Duration.minutes(1),
+      timeout: import_aws_cdk_lib19.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -8388,7 +8448,7 @@ var RenameCascadeLambdas = class extends import_constructs24.Construct {
       entry: finalizeResolved.entry,
       runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib18.Duration.minutes(1),
+      timeout: import_aws_cdk_lib19.Duration.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -8404,7 +8464,7 @@ var RenameCascadeLambdas = class extends import_constructs24.Construct {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-var import_aws_cdk_lib19 = require("aws-cdk-lib");
+var import_aws_cdk_lib20 = require("aws-cdk-lib");
 var import_aws_events10 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets6 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions2 = require("aws-cdk-lib/aws-stepfunctions");
@@ -8554,7 +8614,7 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: import_aws_cdk_lib19.Duration.hours(2)
+      timeout: import_aws_cdk_lib20.Duration.hours(2)
     });
     this.rule = new import_aws_events10.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -8565,7 +8625,7 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
       targets: [
         new import_aws_events_targets6.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib19.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib20.Duration.hours(2)
         })
       ]
     });