@openhi/constructs 0.0.6 → 0.0.7

package/lib/index.d.mts

@@ -6,10 +6,12 @@ import { HttpApi, HttpApiProps, IHttpApi, DomainName } from 'aws-cdk-lib/aws-api
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
 import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
+import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { Table, TableProps, ITable } from 'aws-cdk-lib/aws-dynamodb';
 import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
 
 /**
  * Properties for creating an OpenHiStage instance.
@@ -395,6 +397,14 @@ declare class CognitoUserPoolKmsKey extends Key {
     constructor(scope: Construct, props?: KeyProps);
 }
 
+/**
+ * Lambda used as Cognito Pre Token Generation trigger.
+ */
+declare class PreTokenGenerationLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    constructor(scope: Construct);
+}
+
 /**
  * DynamoDB table name for the data store. Used for cross-stack reference and
  * deterministic naming per branch. The table backs multiple use cases (e.g.
@@ -578,6 +588,7 @@ declare class OpenHiAuthService extends OpenHiService {
     static userPoolKmsKeyFromConstruct(scope: Construct): IKey;
     get serviceType(): string;
     readonly userPoolKmsKey: IKey;
+    readonly preTokenGenerationLambda: IFunction;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -588,6 +599,11 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolKmsKey(): IKey;
+    /**
+     * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
+     * openhi_* claims to the access token only; trigger version V2_0 may be required.
+     */
+    protected createPreTokenGenerationLambda(): IFunction;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -785,4 +801,4 @@ declare class OpenHiDataService extends OpenHiService {
     protected createDataStore(): ITable;
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };

package/lib/index.d.ts

@@ -5,10 +5,12 @@ import { IHttpApi, HttpApi, HttpApiProps, DomainName } from 'aws-cdk-lib/aws-api
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
 import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
+import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { Table, TableProps, ITable } from 'aws-cdk-lib/aws-dynamodb';
 import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
 
 /*******************************************************************************
  *
@@ -475,6 +477,14 @@ declare class CognitoUserPoolKmsKey extends Key {
     constructor(scope: Construct, props?: KeyProps);
 }
 
+/**
+ * Lambda used as Cognito Pre Token Generation trigger.
+ */
+declare class PreTokenGenerationLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    constructor(scope: Construct);
+}
+
 /**
  * DynamoDB table name for the data store. Used for cross-stack reference and
  * deterministic naming per branch. The table backs multiple use cases (e.g.
@@ -658,6 +668,7 @@ declare class OpenHiAuthService extends OpenHiService {
     static userPoolKmsKeyFromConstruct(scope: Construct): IKey;
     get serviceType(): string;
     readonly userPoolKmsKey: IKey;
+    readonly preTokenGenerationLambda: IFunction;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -668,6 +679,11 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolKmsKey(): IKey;
+    /**
+     * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
+     * openhi_* claims to the access token only; trigger version V2_0 may be required.
+     */
+    protected createPreTokenGenerationLambda(): IFunction;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -865,5 +881,5 @@ declare class OpenHiDataService extends OpenHiService {
     protected createDataStore(): ITable;
 }
 
-export { ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };
+export { ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DataEventBus, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, getDynamoDbDataStoreTableName };
 export type { BuildParameterNameProps, ChildHostedZoneProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, RootGraphqlApiProps };

package/lib/index.js

@@ -110,6 +110,7 @@ __export(src_exports, {
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
   OpsEventBus: () => OpsEventBus,
+  PreTokenGenerationLambda: () => PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
   RootHostedZone: () => RootHostedZone,
@@ -656,6 +657,31 @@ var CognitoUserPoolKmsKey = class extends import_aws_kms.Key {
  */
 CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
 
+// src/components/cognito/pre-token-generation-lambda.ts
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs = require("constructs");
+var HANDLER_NAME = "pre-token-generation.handler.js";
+function resolveHandlerEntry(dirname) {
+  const sameDir = import_path.default.join(dirname, HANDLER_NAME);
+  if (import_fs.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = import_path.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME);
+  return fromLib;
+}
+var PreTokenGenerationLambda = class extends import_constructs.Construct {
+  constructor(scope) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new import_aws_lambda_nodejs.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry(__dirname),
+      runtime: import_aws_lambda.Runtime.NODEJS_LATEST
+    });
+  }
+};
+
 // src/components/dynamodb/dynamo-db-data-store.ts
 var import_aws_dynamodb = require("aws-cdk-lib/aws-dynamodb");
 function getDynamoDbDataStoreTableName(scope) {
@@ -797,8 +823,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs = require("constructs");
-var RootHostedZone = class extends import_constructs.Construct {
+var import_constructs2 = require("constructs");
+var RootHostedZone = class extends import_constructs2.Construct {
 };
 
 // src/services/open-hi-auth-service.ts
@@ -809,6 +835,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
     this.userPool = this.createUserPool();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
@@ -877,6 +904,14 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return key;
   }
+  /**
+   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
+   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   */
+  createPreTokenGenerationLambda() {
+    const construct = new PreTokenGenerationLambda(this);
+    return construct.lambda;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -885,7 +920,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   createUserPool() {
     const userPool = new CognitoUserPool(this, {
       ...this.props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
+      customSenderKmsKey: this.userPoolKmsKey,
+      lambdaTriggers: {
+        preTokenGeneration: this.preTokenGenerationLambda
+      }
     });
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
@@ -1106,16 +1144,16 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/rest-api-lambda.ts
-var import_path = __toESM(require("path"));
-var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs2 = require("constructs");
-var RestApiLambda = class extends import_constructs2.Construct {
+var import_path2 = __toESM(require("path"));
+var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs3 = require("constructs");
+var RestApiLambda = class extends import_constructs3.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs.NodejsFunction(this, "handler", {
-      entry: import_path.default.join(__dirname, "rest-api-lambda.handler.js"),
-      runtime: import_aws_lambda.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs2.NodejsFunction(this, "handler", {
+      entry: import_path2.default.join(__dirname, "rest-api-lambda.handler.js"),
+      runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
         BRANCH_TAG_VALUE: props.branchTagValue,
@@ -1332,6 +1370,7 @@ var OpenHiRestApiService = _OpenHiRestApiService;
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
   RootHostedZone,