npm - @pwrdrvr/microapps-cdk - Versions diffs - 0.0.29 → 0.2.6 - Mend

@pwrdrvr/microapps-cdk 0.0.29 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/.jsii +3108 -1362
package/API.md +240 -53
package/README.md +236 -135
package/lib/MicroApps.d.ts +86 -50
package/lib/MicroApps.js +30 -16
package/lib/MicroAppsAPIGwy.d.ts +42 -37
package/lib/MicroAppsAPIGwy.js +19 -18
package/lib/MicroAppsCF.d.ts +115 -57
package/lib/MicroAppsCF.js +31 -21
package/lib/MicroAppsS3.d.ts +51 -46
package/lib/MicroAppsS3.js +23 -22
package/lib/MicroAppsSvcs.d.ts +123 -44
package/lib/MicroAppsSvcs.js +112 -42
package/lib/microapps-deployer/index.js +93 -89
package/lib/microapps-deployer/index.js.map +3 -3
package/lib/microapps-router/index.js.map +2 -2
package/package.json +15 -36
package/patches/@aws-cdk+aws-apigatewayv2-alpha+2.8.0-alpha.0.patch +39 -0

package/lib/MicroAppsSvcs.d.ts CHANGED Viewed

@@ -1,87 +1,151 @@
-import * as apigwy from '@aws-cdk/aws-apigatewayv2';
-import * as cf from '@aws-cdk/aws-cloudfront';
-import * as dynamodb from '@aws-cdk/aws-dynamodb';
-import * as lambda from '@aws-cdk/aws-lambda';
-import * as s3 from '@aws-cdk/aws-s3';
-import * as cdk from '@aws-cdk/core';
+import * as apigwy from '@aws-cdk/aws-apigatewayv2-alpha';
+import { RemovalPolicy } from 'aws-cdk-lib';
+import * as cf from 'aws-cdk-lib/aws-cloudfront';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import { Construct } from 'constructs';
 /**
- * @stability stable
+ * (experimental) Properties to initialize an instance of `MicroAppsSvcs`.
+ *
+ * @experimental
  */
 export interface MicroAppsSvcsProps {
     /**
-     * RemovalPolicy override for child resources.
+     * (experimental) RemovalPolicy override for child resources.
      *
      * Note: if set to DESTROY the S3 buckes will have `autoDeleteObjects` set to `true`
      *
      * @default - per resource default
-     * @stability stable
+     * @experimental
      */
-    readonly removalPolicy?: cdk.RemovalPolicy;
+    readonly removalPolicy?: RemovalPolicy;
     /**
-     * S3 bucket for deployed applications.
+     * (experimental) S3 bucket for deployed applications.
      *
-     * @stability stable
+     * @experimental
      */
     readonly bucketApps: s3.IBucket;
     /**
-     * CloudFront Origin Access Identity for the deployed applications bucket.
+     * (experimental) CloudFront Origin Access Identity for the deployed applications bucket.
      *
-     * @stability stable
+     * @experimental
      */
     readonly bucketAppsOAI: cf.OriginAccessIdentity;
     /**
-     * S3 bucket for staged applications (prior to deploy).
+     * (experimental) S3 bucket for staged applications (prior to deploy).
      *
-     * @stability stable
+     * @experimental
      */
     readonly bucketAppsStaging: s3.IBucket;
     /**
-     * API Gateway v2 HTTP for Router and app.
+     * (experimental) API Gateway v2 HTTP for Router and app.
      *
-     * @stability stable
+     * @experimental
      */
     readonly httpApi: apigwy.HttpApi;
     /**
-     * @stability stable
+     * (experimental) Application environment, passed as `NODE_ENV` to the Router and Deployer Lambda functions.
+     *
+     * @experimental
      */
     readonly appEnv: string;
     /**
-     * Optional asset name root.
+     * (experimental) Optional asset name root.
      *
      * @default - resource names auto assigned
-     * @stability stable
+     * @experimental
      * @example
      *
      * microapps
      */
     readonly assetNameRoot?: string;
     /**
-     * Optional asset name suffix.
+     * (experimental) Optional asset name suffix.
      *
      * @default none
-     * @stability stable
+     * @experimental
      * @example
      *
      * -dev-pr-12
      */
     readonly assetNameSuffix?: string;
     /**
-     * @stability stable
+     * (experimental) Use a strict S3 Bucket Policy that prevents applications from reading/writing/modifying/deleting files in the S3 Bucket outside of the path that is specific to their app/version.
+     *
+     * This setting should be used when applications are less than
+     * fully trusted.
+     *
+     * @default false
+     * @experimental
      */
     readonly s3StrictBucketPolicy?: boolean;
     /**
-     * @stability stable
+     * (experimental) Applies when using s3StrictBucketPolicy = true.
+     *
+     * IAM Role or IAM User names to exclude from the DENY rules on the S3 Bucket Policy.
+     *
+     * Roles that are Assumed must instead have their AROA added to `s3PolicyBypassAROAs`.
+     *
+     * Typically any admin roles / users that need to view or manage the S3 Bucket
+     * would be added to this list.
+     *
+     * @see s3PolicyBypassAROAs
+     * @experimental
+     * @example
+     *
+     * ['arn:aws:iam::1234567890123:role/AdminAccess', 'arn:aws:iam::1234567890123:user/MyAdminUser']
      */
-    readonly s3PolicyBypassAROAs?: string[];
+    readonly s3PolicyBypassPrincipalARNs?: string[];
     /**
-     * @stability stable
+     * (experimental) Applies when using s3StrictBucketPolicy = true.
+     *
+     * AROAs of the IAM Role to exclude from the DENY rules on the S3 Bucket Policy.
+     * This allows sessions that assume the IAM Role to be excluded from the
+     * DENY rules on the S3 Bucket Policy.
+     *
+     * Typically any admin roles / users that need to view or manage the S3 Bucket
+     * would be added to this list.
+     *
+     * Roles / users that are used directly, not assumed, can be added to `s3PolicyBypassRoleNames` instead.
+     *
+     * Note: This AROA must be specified to prevent this policy from locking
+     * out non-root sessions that have assumed the admin role.
+     *
+     * The notPrincipals will only match the role name exactly and will not match
+     * any session that has assumed the role since notPrincipals does not allow
+     * wildcard matches and does not do wildcard matches implicitly either.
+     *
+     * The AROA must be used because there are only 3 Principal variables available:
+     *   https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
+     *   aws:username, aws:userid, aws:PrincipalTag
+     *
+     * For an assumed role, aws:username is blank, aws:userid is:
+     *   [unique id AKA AROA for Role]:[session name]
+     *
+     * Table of unique ID prefixes such as AROA:
+     *   https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes
+     *
+     * The name of the role is simply not available for an assumed role and, if it was,
+     * a complicated comparison would be requierd to prevent exclusion
+     * of applying the Deny Rule to roles from other accounts.
+     *
+     * To get the AROA with the AWS CLI:
+     *    aws iam get-role --role-name ROLE-NAME
+     *    aws iam get-user -–user-name USER-NAME
+     *
+     * @see s3StrictBucketPolicy
+     * @experimental
+     * @example
+     *
+     * [ 'AROA1234567890123' ]
      */
-    readonly s3PolicyBypassPrincipalARNs?: string[];
+    readonly s3PolicyBypassAROAs?: string[];
     /**
-     * Path prefix on the root of the deployment.
+     * (experimental) Path prefix on the root of the deployment.
      *
      * @default none
-     * @stability stable
+     * @experimental
      * @example
      *
      * dev/
@@ -89,44 +153,59 @@ export interface MicroAppsSvcsProps {
     readonly rootPathPrefix?: string;
 }
 /**
- * @stability stable
+ * (experimental) Represents a MicroApps Services.
+ *
+ * @experimental
  */
 export interface IMicroAppsSvcs {
     /**
-     * DynamoDB table used by Router, Deployer, and Release console app.
+     * (experimental) DynamoDB table used by Router, Deployer, and Release console app.
      *
-     * @stability stable
+     * @experimental
      */
     readonly table: dynamodb.ITable;
     /**
-     * Lambda function for the Deployer.
+     * (experimental) Lambda function for the Deployer.
      *
-     * @stability stable
+     * @experimental
      */
     readonly deployerFunc: lambda.IFunction;
+    /**
+     * (experimental) Lambda function for the Router.
+     *
+     * @experimental
+     */
+    readonly routerFunc: lambda.IFunction;
 }
 /**
- * @stability stable
+ * (experimental) Create a new MicroApps Services construct, including the Deployer and Router Lambda Functions, and the DynamoDB Table used by both.
+ *
+ * @experimental
  */
-export declare class MicroAppsSvcs extends cdk.Construct implements IMicroAppsSvcs {
+export declare class MicroAppsSvcs extends Construct implements IMicroAppsSvcs {
     private _table;
     /**
-     * DynamoDB table used by Router, Deployer, and Release console app.
+     * (experimental) DynamoDB table used by Router, Deployer, and Release console app.
      *
-     * @stability stable
+     * @experimental
      */
     get table(): dynamodb.ITable;
     private _deployerFunc;
     /**
-     * Lambda function for the Deployer.
+     * (experimental) Lambda function for the Deployer.
      *
-     * @stability stable
+     * @experimental
      */
     get deployerFunc(): lambda.IFunction;
+    private _routerFunc;
     /**
-     * MicroApps - Create Lambda resources, DynamoDB, and grant S3 privs.
+     * (experimental) Lambda function for the Router.
      *
-     * @stability stable
+     * @experimental
+     */
+    get routerFunc(): lambda.IFunction;
+    /**
+     * @experimental
      */
-    constructor(scope: cdk.Construct, id: string, props?: MicroAppsSvcsProps);
+    constructor(scope: Construct, id: string, props?: MicroAppsSvcsProps);
 }