@resistdesign/voltra 3.0.0-alpha.2 → 3.0.0-alpha.21

package/iac/packs/index.js

@@ -0,0 +1,1622 @@
+import YAML from 'yaml';
+
+// src/iac/utils/patch-utils.ts
+var DEFAULT_MERGE_STRATEGY = "transpose";
+var getValuePathString = (valuePathArray = []) => valuePathArray.map((p) => encodeURIComponent(p)).join("/");
+var isConstructedFrom = (value, constructorReference) => value !== null && typeof value === "object" && "constructor" in value && value.constructor === constructorReference;
+var mergeValues = (valuePathArray = [], existingValue, newValue, mergeStrategyMap = {}) => {
+  const valuePathString = getValuePathString(valuePathArray);
+  const arrayIndexWildcardValuePathString = getValuePathString(
+    valuePathArray.map((p) => typeof p === "number" ? "#" : p)
+  );
+  const {
+    [valuePathString]: {
+      strategy: specificKeyMergeStrategy = DEFAULT_MERGE_STRATEGY,
+      data: specificKeyMergeStrategyData = void 0
+    } = {},
+    [arrayIndexWildcardValuePathString]: {
+      strategy: arrayIndexWildcardMergeStrategy = DEFAULT_MERGE_STRATEGY,
+      data: arrayIndexWildcardMergeStrategyData = void 0
+    } = {}
+  } = mergeStrategyMap;
+  const mergeStrategy = valuePathString in mergeStrategyMap ? specificKeyMergeStrategy : arrayIndexWildcardMergeStrategy;
+  const mergeStrategyData = valuePathString in mergeStrategyMap ? specificKeyMergeStrategyData : arrayIndexWildcardMergeStrategyData;
+  let mergedValue = typeof newValue !== "undefined" ? newValue : existingValue;
+  if (mergeStrategy !== "replace") {
+    if (isConstructedFrom(existingValue, Array) && isConstructedFrom(newValue, Array)) {
+      if (mergeStrategy === "accumulate") {
+        mergedValue = [...existingValue, ...newValue];
+      } else if (mergeStrategy === "accumulate-unique") {
+        mergedValue = [
+          ...existingValue,
+          ...newValue.filter((item) => existingValue.indexOf(item) === -1)
+        ];
+      } else if (mergeStrategy === "accumulate-unique-by") {
+        const existingItemMap = {};
+        const newItemMap = {};
+        for (let i = 0; i < existingValue.length; i++) {
+          const existingItem = existingValue[i];
+          if (existingItem && typeof existingItem === "object") {
+            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(existingItem) : existingItem[mergeStrategyData];
+            existingItemMap[identifier] = existingItem;
+          }
+        }
+        for (let j = 0; j < newValue.length; j++) {
+          const newItem = newValue[j];
+          if (newItem && typeof newItem === "object") {
+            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(newItem) : newItem[mergeStrategyData];
+            newItemMap[identifier] = newItem;
+          }
+        }
+        mergedValue = Object.keys({
+          ...existingItemMap,
+          ...newItemMap
+        }).map(
+          (id, index) => mergeValues(
+            [...valuePathArray, index],
+            existingItemMap[id],
+            newItemMap[id],
+            mergeStrategyMap
+          )
+        );
+      } else if (mergeStrategy === "transpose") {
+        const fullLength = Math.max(existingValue.length, newValue.length);
+        mergedValue = [...new Array(fullLength)].map(
+          (_empty, index) => mergeValues(
+            [...valuePathArray, index],
+            existingValue[index],
+            newValue[index],
+            mergeStrategyMap
+          )
+        );
+      }
+    } else if (isConstructedFrom(existingValue, Object) && isConstructedFrom(newValue, Object)) {
+      mergedValue = Object.keys({ ...existingValue, ...newValue }).reduce(
+        (acc, k) => ({
+          ...acc,
+          [k]: mergeValues(
+            [...valuePathArray, k],
+            existingValue[k],
+            newValue[k],
+            mergeStrategyMap
+          )
+        }),
+        {}
+      );
+    }
+  }
+  return mergedValue;
+};
+
+// src/iac/utils/index.ts
+var addParameter = (parameterInfo, template) => {
+  const { ParameterId, Parameter, Label, Group } = parameterInfo;
+  const {
+    Parameters,
+    Metadata: {
+      "AWS::CloudFormation::Interface": {
+        ParameterGroups = [],
+        ParameterLabels = {}
+      } = {}
+    } = {}
+  } = template;
+  let NewParameterGroups = ParameterGroups;
+  if (Group) {
+    const GroupObject = ParameterGroups.filter(
+      (g) => g.Label?.default === Group
+    )[0];
+    NewParameterGroups = GroupObject ? ParameterGroups.map(
+      (g) => g.Label?.default === Group ? {
+        ...g,
+        Parameters: [...g.Parameters || [], ParameterId]
+      } : g
+    ) : [
+      ...ParameterGroups,
+      {
+        Label: {
+          default: Group
+        },
+        Parameters: [ParameterId]
+      }
+    ];
+  }
+  return {
+    ...template,
+    Parameters: {
+      ...Parameters,
+      [ParameterId]: Parameter
+    },
+    Metadata: {
+      ...template.Metadata,
+      "AWS::CloudFormation::Interface": {
+        ...template?.Metadata?.["AWS::CloudFormation::Interface"],
+        ParameterGroups: NewParameterGroups,
+        ParameterLabels: {
+          ...ParameterLabels,
+          [ParameterId]: {
+            default: Label
+          }
+        }
+      }
+    }
+  };
+};
+var addParameters = (parameters, template) => parameters.reduce((acc, p) => addParameter(p, acc), template);
+var patchTemplate = (patch, template) => mergeValues([], template, patch, {
+  [getValuePathString([
+    // Parameter Groups
+    "Metadata",
+    "AWS::CloudFormation::Interface",
+    "ParameterGroups"
+  ])]: {
+    strategy: "accumulate-unique-by",
+    data: (pG) => pG?.Label?.default
+  },
+  [getValuePathString([
+    // Parameter Group Parameter Ids
+    "Metadata",
+    "AWS::CloudFormation::Interface",
+    "ParameterGroups",
+    "#",
+    "Parameters"
+  ])]: {
+    strategy: "accumulate-unique"
+  }
+});
+var createResourcePack = (creator) => (params, template) => {
+  const patch = creator(params);
+  return patchTemplate(patch, template);
+};
+
+// src/iac/packs/auth/user-management.ts
+var addUserManagement = createResourcePack(
+  (config) => {
+    const {
+      id,
+      authRoleName,
+      unauthRoleName,
+      callbackUrls,
+      logoutUrls,
+      apiGatewayRESTAPIId,
+      apiStageName
+    } = config;
+    const apiRoleConfig = apiGatewayRESTAPIId && apiStageName ? {
+      [`${id}IdentityPoolRoles`]: {
+        Type: "AWS::Cognito::IdentityPoolRoleAttachment",
+        Properties: {
+          IdentityPoolId: {
+            Ref: `${id}IdentityPool`
+          },
+          Roles: {
+            authenticated: {
+              "Fn::GetAtt": [`${id}AuthRole`, "Arn"]
+            },
+            unauthenticated: {
+              "Fn::GetAtt": [`${id}UnauthRole`, "Arn"]
+            }
+          }
+        }
+      },
+      [`${id}AuthRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          RoleName: authRoleName,
+          Path: "/",
+          AssumeRolePolicyDocument: {
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Federated: "cognito-identity.amazonaws.com"
+                },
+                Action: ["sts:AssumeRoleWithWebIdentity"],
+                Condition: {
+                  StringEquals: {
+                    "cognito-identity.amazonaws.com:aud": {
+                      Ref: `${id}IdentityPool`
+                    }
+                  },
+                  "ForAnyValue:StringLike": {
+                    "cognito-identity.amazonaws.com:amr": "authenticated"
+                  }
+                }
+              }
+            ]
+          },
+          Policies: [
+            {
+              PolicyName: "CognitoAuthorizedPolicy",
+              PolicyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: [
+                      "mobileanalytics:PutEvents",
+                      "cognito-sync:*",
+                      "cognito-identity:*"
+                    ],
+                    Resource: "*"
+                  },
+                  {
+                    Effect: "Allow",
+                    Action: ["execute-api:Invoke"],
+                    Resource: {
+                      "Fn::Sub": [
+                        "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
+                        {
+                          Region: {
+                            Ref: "AWS::Region"
+                          },
+                          AccountId: {
+                            Ref: "AWS::AccountId"
+                          },
+                          APIID: apiGatewayRESTAPIId,
+                          StageName: apiStageName,
+                          HTTPVerb: "*"
+                        }
+                      ]
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      },
+      [`${id}UnauthRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          RoleName: unauthRoleName,
+          Path: "/",
+          AssumeRolePolicyDocument: {
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Federated: "cognito-identity.amazonaws.com"
+                },
+                Action: ["sts:AssumeRoleWithWebIdentity"],
+                Condition: {
+                  StringEquals: {
+                    "cognito-identity.amazonaws.com:aud": {
+                      Ref: `${id}IdentityPool`
+                    }
+                  },
+                  "ForAnyValue:StringLike": {
+                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
+                  }
+                }
+              }
+            ]
+          },
+          Policies: [
+            {
+              PolicyName: "CognitoUnauthorizedPolicy",
+              PolicyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: [
+                      "mobileanalytics:PutEvents",
+                      "cognito-sync:*",
+                      "cognito-identity:*"
+                    ],
+                    Resource: "*"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    } : {};
+    const userPoolDomainConfig = config.enableUserPoolDomain === false ? {} : {
+      [`${id}BaseDomainRecord`]: !!config.baseDomainRecordAliasTargetDNSName ? {
+        Type: "AWS::Route53::RecordSet",
+        DeletionPolicy: "Delete",
+        Properties: {
+          HostedZoneId: config.hostedZoneId,
+          Type: "A",
+          Name: config.domainName,
+          AliasTarget: {
+            HostedZoneId: "Z2FDTNDATAQYW2",
+            DNSName: config.baseDomainRecordAliasTargetDNSName
+          }
+        }
+      } : void 0,
+      [`${id}DomainRecord`]: {
+        Type: "AWS::Route53::RecordSet",
+        DeletionPolicy: "Delete",
+        Properties: {
+          HostedZoneId: config.hostedZoneId,
+          Type: "A",
+          Name: {
+            "Fn::Sub": [
+              "auth.${BaseDomainName}",
+              {
+                BaseDomainName: config.domainName
+              }
+            ]
+          },
+          AliasTarget: {
+            HostedZoneId: "Z2FDTNDATAQYW2",
+            DNSName: {
+              "Fn::GetAtt": [`${id}Domain`, "CloudFrontDistribution"]
+            }
+          }
+        }
+      },
+      [`${id}Domain`]: {
+        Type: "AWS::Cognito::UserPoolDomain",
+        DependsOn: !!config.baseDomainRecordAliasTargetDNSName ? `${id}BaseDomainRecord` : void 0,
+        Properties: {
+          Domain: {
+            "Fn::Sub": [
+              "auth.${BaseDomainName}",
+              {
+                BaseDomainName: config.domainName
+              }
+            ]
+          },
+          UserPoolId: {
+            Ref: id
+          },
+          CustomDomainConfig: {
+            CertificateArn: config.sslCertificateArn
+          }
+        }
+      }
+    };
+    return {
+      Resources: {
+        [id]: {
+          Type: "AWS::Cognito::UserPool",
+          Properties: {
+            UserPoolName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}`, {}]
+            },
+            AccountRecoverySetting: {
+              RecoveryMechanisms: [
+                {
+                  Name: "verified_email",
+                  Priority: 1
+                }
+              ]
+            },
+            AdminCreateUserConfig: {
+              AllowAdminCreateUserOnly: false,
+              UnusedAccountValidityDays: 365
+            },
+            AutoVerifiedAttributes: ["email"],
+            AliasAttributes: ["phone_number", "email", "preferred_username"],
+            Schema: [
+              {
+                Name: "email",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "given_name",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "family_name",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "phone_number",
+                Required: true,
+                Mutable: true
+              }
+            ],
+            DeviceConfiguration: {
+              ChallengeRequiredOnNewDevice: true,
+              DeviceOnlyRememberedOnUserPrompt: false
+            },
+            UsernameConfiguration: {
+              CaseSensitive: false
+            }
+          }
+        },
+        [`${id}Client`]: {
+          Type: "AWS::Cognito::UserPoolClient",
+          Properties: {
+            ClientName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}Client`, {}]
+            },
+            UserPoolId: {
+              Ref: id
+            },
+            AllowedOAuthFlowsUserPoolClient: true,
+            AllowedOAuthFlows: ["code", "implicit"],
+            AllowedOAuthScopes: [
+              "openid",
+              "email",
+              "phone",
+              "profile",
+              "aws.cognito.signin.user.admin"
+            ],
+            CallbackURLs: callbackUrls,
+            LogoutURLs: logoutUrls,
+            EnableTokenRevocation: true,
+            PreventUserExistenceErrors: "ENABLED",
+            SupportedIdentityProviders: ["COGNITO"]
+          }
+        },
+        [`${id}IdentityPool`]: {
+          Type: "AWS::Cognito::IdentityPool",
+          Properties: {
+            IdentityPoolName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}IdentityPool`, {}]
+            },
+            AllowUnauthenticatedIdentities: false,
+            CognitoIdentityProviders: [
+              {
+                ClientId: {
+                  Ref: `${id}Client`
+                },
+                ProviderName: {
+                  "Fn::GetAtt": [id, "ProviderName"]
+                },
+                ServerSideTokenCheck: true
+              }
+            ]
+          }
+        },
+        ...userPoolDomainConfig,
+        ...apiRoleConfig
+      }
+    };
+  }
+);
+var SimpleCFT = class {
+  /**
+   * Create a SimpleCFT template wrapper.
+   *
+   * @param template - Initial CloudFormation template.
+   */
+  constructor(template = {
+    AWSTemplateFormatVersion: "2010-09-09"
+  }) {
+    this.template = template;
+  }
+  /**
+   * Apply a pack with configuration to the stack template.
+   * @see `@resistdesign/voltra/iac` and `@resistdesign/voltra/iac/packs` for examples.
+   * */
+  applyPack = (pack, params) => {
+    this.template = pack(params, this.template);
+    return this;
+  };
+  /**
+   * Apply a patch to the stack template.
+   *
+   * @param patch - Template patch to merge.
+   * */
+  patch = (patch) => {
+    this.template = patchTemplate(patch, this.template);
+    return this;
+  };
+  /**
+   * Add a stack parameter including its descriptive info and an optional parameter group.
+   *
+   * @param parameter - Parameter definition and metadata.
+   * */
+  addParameter = (parameter) => {
+    this.template = addParameter(parameter, this.template);
+    return this;
+  };
+  /**
+   * Add a group of stack parameters including their descriptive info and an optional parameter group.
+   *
+   * @param group - Parameter group definition.
+   * */
+  addParameterGroup = ({ Label: Group, Parameters }) => {
+    const parameterIds = Object.keys(Parameters);
+    const parameterList = parameterIds.map((ParameterId) => {
+      const { Label, ...Parameter } = Parameters[ParameterId];
+      return {
+        Group,
+        ParameterId,
+        Label,
+        Parameter
+      };
+    });
+    this.template = addParameters(parameterList, this.template);
+    return this;
+  };
+  /**
+   * Use a modification to dynamically apply various changes at once.
+   *
+   * @param modification - Modification callback to apply.
+   * */
+  modify = (modification) => {
+    modification(this);
+    return this;
+  };
+  /**
+   * Convert the stack template to a string.
+   *
+   * @returns JSON string representation of the template.
+   * */
+  toString = () => JSON.stringify(this.template, null, 2);
+  /**
+   * Convert the stack template to a JSON object.
+   *
+   * @returns Template JSON object.
+   * */
+  toJSON = () => this.template;
+  /**
+   * Convert the stack template to a YAML string.
+   *
+   * @returns YAML string representation of the template.
+   * */
+  toYAML = () => YAML.stringify(this.template, {
+    aliasDuplicateObjects: false
+  });
+};
+
+// src/iac/packs/auth.ts
+var addAuth = createResourcePack((config) => {
+  const {
+    userManagementId,
+    authRoleName,
+    unauthRoleName,
+    callbackUrls,
+    logoutUrls,
+    apiCloudFunctionGatewayId,
+    apiStageName,
+    adminGroupId,
+    userManagementAdminGroupName
+  } = config;
+  return new SimpleCFT().applyPack(addUserManagement, {
+    id: userManagementId,
+    authRoleName,
+    unauthRoleName,
+    callbackUrls,
+    logoutUrls,
+    apiGatewayRESTAPIId: {
+      Ref: apiCloudFunctionGatewayId
+    },
+    apiStageName,
+    ...config.enableUserPoolDomain === false ? {
+      enableUserPoolDomain: false
+    } : {
+      enableUserPoolDomain: true,
+      domainName: {
+        Ref: config.domainNameParameterName
+      },
+      hostedZoneId: {
+        Ref: config.hostedZoneIdParameterName
+      },
+      sslCertificateArn: {
+        Ref: config.sslCertificateId
+      },
+      baseDomainRecordAliasTargetDNSName: {
+        "Fn::GetAtt": [config.mainCDNCloudFrontId, "DomainName"]
+      }
+    }
+  }).patch({
+    Resources: {
+      [adminGroupId]: {
+        Type: "AWS::Cognito::UserPoolGroup",
+        Properties: {
+          GroupName: userManagementAdminGroupName,
+          UserPoolId: {
+            Ref: userManagementId
+          },
+          Description: "Application admin group."
+        }
+      }
+    }
+  }).template;
+});
+
+// src/iac/packs/build.ts
+var DEFAULT_BUILD_PIPELINE_REPO_PROVIDER = "GitHub";
+var addBuildPipeline = createResourcePack(
+  ({
+    id,
+    buildSpec,
+    dependsOn,
+    environmentVariables,
+    timeoutInMinutes = 10,
+    environmentType = "LINUX_CONTAINER",
+    environmentComputeType = "BUILD_GENERAL1_SMALL",
+    environmentImage = "aws/codebuild/nodejs:10.14.1",
+    repoConfig: {
+      provider = DEFAULT_BUILD_PIPELINE_REPO_PROVIDER,
+      owner,
+      repo,
+      branch,
+      oauthToken
+    }
+  }) => ({
+    Resources: {
+      [`${id}CodeBuildRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          AssumeRolePolicyDocument: {
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Service: ["codebuild.amazonaws.com"]
+                },
+                Action: ["sts:AssumeRole"]
+              }
+            ]
+          },
+          Path: "/",
+          Policies: [
+            {
+              PolicyName: "codebuild-service",
+              PolicyDocument: {
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: "*",
+                    Resource: "*"
+                  }
+                ],
+                Version: "2012-10-17"
+              }
+            }
+          ]
+        }
+      },
+      [`${id}CodePipelineRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          AssumeRolePolicyDocument: {
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Service: ["codepipeline.amazonaws.com"]
+                },
+                Action: ["sts:AssumeRole"]
+              }
+            ]
+          },
+          Path: "/",
+          Policies: [
+            {
+              PolicyName: "codepipeline-service",
+              PolicyDocument: {
+                Statement: [
+                  {
+                    Action: ["codebuild:*"],
+                    Resource: "*",
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: [
+                      "s3:GetObject",
+                      "s3:GetObjectVersion",
+                      "s3:GetBucketVersioning"
+                    ],
+                    Resource: "*",
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: ["s3:PutObject"],
+                    Resource: ["arn:aws:s3:::codepipeline*"],
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: ["s3:*", "cloudformation:*", "iam:PassRole"],
+                    Resource: "*",
+                    Effect: "Allow"
+                  }
+                ],
+                Version: "2012-10-17"
+              }
+            }
+          ]
+        }
+      },
+      [`${id}PipelineBucket`]: {
+        Type: "AWS::S3::Bucket",
+        DeletionPolicy: "Delete",
+        Properties: {
+          BucketEncryption: {
+            ServerSideEncryptionConfiguration: [
+              {
+                ServerSideEncryptionByDefault: {
+                  SSEAlgorithm: "AES256"
+                }
+              }
+            ]
+          },
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            BlockPublicPolicy: true,
+            IgnorePublicAcls: true,
+            RestrictPublicBuckets: true
+          }
+        }
+      },
+      [`${id}CodeBuildAndDeploy`]: {
+        Type: "AWS::CodeBuild::Project",
+        DependsOn: dependsOn,
+        Properties: {
+          Name: {
+            "Fn::Sub": `\${AWS::StackName}-${id}CodeBuildAndDeploy`
+          },
+          Description: "Deploy site to S3",
+          ServiceRole: {
+            "Fn::GetAtt": [`${id}CodeBuildRole`, "Arn"]
+          },
+          Artifacts: {
+            Type: "CODEPIPELINE"
+          },
+          Environment: {
+            Type: environmentType,
+            ComputeType: environmentComputeType,
+            Image: environmentImage,
+            EnvironmentVariables: environmentVariables
+          },
+          Source: {
+            Type: "CODEPIPELINE",
+            BuildSpec: buildSpec
+          },
+          TimeoutInMinutes: timeoutInMinutes
+        }
+      },
+      [`${id}Pipeline`]: {
+        Type: "AWS::CodePipeline::Pipeline",
+        DependsOn: `${id}CodeBuildAndDeploy`,
+        Properties: {
+          RoleArn: {
+            "Fn::GetAtt": [`${id}CodePipelineRole`, "Arn"]
+          },
+          Stages: [
+            {
+              Name: "Acquire-Source",
+              Actions: [
+                {
+                  InputArtifacts: [],
+                  Name: "Source",
+                  ActionTypeId: {
+                    Category: "Source",
+                    Owner: "ThirdParty",
+                    Version: "1",
+                    Provider: provider
+                  },
+                  OutputArtifacts: [
+                    {
+                      Name: "SourceOutput"
+                    }
+                  ],
+                  Configuration: {
+                    Owner: owner,
+                    Repo: repo,
+                    Branch: branch,
+                    OAuthToken: oauthToken
+                  },
+                  RunOrder: 1
+                }
+              ]
+            },
+            {
+              Name: "Build-And-Deploy",
+              Actions: [
+                {
+                  Name: "Artifact",
+                  ActionTypeId: {
+                    Category: "Build",
+                    Owner: "AWS",
+                    Version: "1",
+                    Provider: "CodeBuild"
+                  },
+                  InputArtifacts: [
+                    {
+                      Name: "SourceOutput"
+                    }
+                  ],
+                  OutputArtifacts: [
+                    {
+                      Name: "DeployOutput"
+                    }
+                  ],
+                  Configuration: {
+                    ProjectName: {
+                      Ref: `${id}CodeBuildAndDeploy`
+                    }
+                  },
+                  RunOrder: 1
+                }
+              ]
+            }
+          ],
+          ArtifactStore: {
+            Type: "S3",
+            Location: {
+              Ref: `${id}PipelineBucket`
+            }
+          }
+        }
+      }
+    }
+  })
+);
+var COMMAND_HELPERS = {
+  updateFunction: ({
+    cloudFunctionArn,
+    codeZipFilePath
+  }) => `aws lambda update-function-code --function-name "${cloudFunctionArn}" --zip-file "fileb://${codeZipFilePath}"`,
+  copyDirectoryToS3: ({
+    s3Domain,
+    directoryPath
+  }) => `aws s3 cp --recursive --acl public-read ${directoryPath} s3://${s3Domain}/`,
+  cloudFrontInvalidation: ({
+    cloudFrontDistributionId,
+    pathsToInvalidate = ["/*"]
+  }) => `aws cloudfront create-invalidation --distribution-id "${cloudFrontDistributionId}" --paths "${pathsToInvalidate.join('" "')}"`,
+  addNPMTokenWithNPMRC: ({ npmToken }) => `echo '//registry.npmjs.org/:_authToken=${npmToken}' > .npmrc`
+};
+var createBuildSpec = ({ version = 0.2, phases }) => YAML.stringify(
+  // TRICKY: Removed all keys with a value of `undefined`.
+  JSON.parse(
+    JSON.stringify({
+      version,
+      phases
+    })
+  )
+);
+
+// src/iac/packs/cdn.ts
+var addCDN = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    certificateArn,
+    fileStorageId
+  }) => {
+    const oacId = `${id}OriginAccessControl`;
+    return {
+      Resources: {
+        [oacId]: {
+          Type: "AWS::CloudFront::OriginAccessControl",
+          Properties: {
+            OriginAccessControlConfig: {
+              Name: oacId,
+              OriginAccessControlOriginType: "s3",
+              SigningBehavior: "always",
+              SigningProtocol: "sigv4"
+            }
+          }
+        },
+        [id]: {
+          Type: "AWS::CloudFront::Distribution",
+          DependsOn: fileStorageId,
+          Properties: {
+            DistributionConfig: {
+              Aliases: [domainName],
+              ViewerCertificate: {
+                AcmCertificateArn: certificateArn,
+                SslSupportMethod: "sni-only",
+                MinimumProtocolVersion: "TLSv1.1_2016"
+              },
+              DefaultCacheBehavior: {
+                ForwardedValues: {
+                  QueryString: false
+                },
+                TargetOriginId: {
+                  "Fn::Sub": [
+                    "S3-${S3BucketName}",
+                    {
+                      S3BucketName: domainName
+                    }
+                  ]
+                },
+                ViewerProtocolPolicy: "redirect-to-https"
+              },
+              DefaultRootObject: "index.html",
+              Enabled: true,
+              IPV6Enabled: false,
+              HttpVersion: "http2",
+              Origins: [
+                {
+                  DomainName: {
+                    "Fn::Sub": [
+                      "${S3BucketName}.s3.amazonaws.com",
+                      {
+                        S3BucketName: domainName
+                      }
+                    ]
+                  },
+                  Id: {
+                    "Fn::Sub": [
+                      "S3-${S3BucketName}",
+                      {
+                        S3BucketName: domainName
+                      }
+                    ]
+                  },
+                  OriginAccessControlId: { Ref: oacId },
+                  S3OriginConfig: {
+                    OriginAccessIdentity: ""
+                  }
+                }
+              ],
+              CustomErrorResponses: [
+                {
+                  ErrorCachingMinTTL: 300,
+                  ErrorCode: 404,
+                  ResponseCode: 200,
+                  ResponsePagePath: "/index.html"
+                },
+                {
+                  ErrorCachingMinTTL: 300,
+                  ErrorCode: 403,
+                  ResponseCode: 200,
+                  ResponsePagePath: "/index.html"
+                }
+              ],
+              PriceClass: "PriceClass_All"
+            }
+          }
+        },
+        [`${id}Route53Record`]: {
+          Type: "AWS::Route53::RecordSet",
+          DependsOn: [id],
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: "A",
+            Name: {
+              "Fn::Sub": [
+                "${DomainName}.",
+                {
+                  DomainName: domainName
+                }
+              ]
+            },
+            AliasTarget: {
+              HostedZoneId: "Z2FDTNDATAQYW2",
+              DNSName: {
+                "Fn::Sub": [
+                  "${DomainName}.",
+                  {
+                    DomainName: {
+                      "Fn::GetAtt": [id, "DomainName"]
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/cloud-function.ts
+var PLACEHOLDER_FUNCTION_CODE = {
+  ZipFile: `module.exports = {handler: async () => ({
+            statusCode: 200,
+            headers: {'Content-Type': 'application/json'},
+            body: '"You did it!"'
+          })};
+`
+};
+var addCloudFunction = createResourcePack(
+  ({
+    id,
+    code = PLACEHOLDER_FUNCTION_CODE,
+    environment = {
+      Variables: {
+        NODE_ENV: "production"
+      }
+    },
+    handler = "index.handler",
+    runtime = "nodejs26.x",
+    timeout = 30,
+    policies = [
+      {
+        PolicyName: "lambda-parameter-store",
+        PolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Action: ["*"],
+              Resource: "*"
+            }
+          ]
+        }
+      }
+    ],
+    memorySize = 128
+  }) => {
+    return {
+      Resources: {
+        [`${id}Role`]: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            ManagedPolicyArns: [
+              "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+            ],
+            AssumeRolePolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Action: ["sts:AssumeRole"],
+                  Effect: "Allow",
+                  Principal: {
+                    Service: ["lambda.amazonaws.com"]
+                  }
+                }
+              ]
+            },
+            Policies: policies
+          }
+        },
+        [id]: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            Timeout: timeout,
+            Code: code,
+            Environment: environment,
+            Handler: handler,
+            Role: {
+              "Fn::GetAtt": [`${id}Role`, "Arn"]
+            },
+            Runtime: runtime,
+            MemorySize: memorySize
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/database.ts
+var addDatabase = createResourcePack(
+  ({
+    tableId,
+    tableName,
+    keys,
+    attributes,
+    billingMode = "PAY_PER_REQUEST"
+  }) => new SimpleCFT().patch({
+    Resources: {
+      [tableId]: {
+        Type: "AWS::DynamoDB::Table",
+        Properties: {
+          TableName: tableName,
+          AttributeDefinitions: Object.keys(attributes).map(
+            (attributeName) => ({
+              AttributeName: attributeName,
+              AttributeType: attributes[attributeName]
+            })
+          ),
+          KeySchema: Object.keys(keys).map((keyName) => ({
+            AttributeName: keyName,
+            KeyType: keys[keyName]
+          })),
+          BillingMode: billingMode
+        }
+      }
+    }
+  }).template
+);
+
+// src/iac/packs/dns.ts
+var addDNS = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    resourceRecords,
+    recordType = "A"
+  }) => {
+    let cft = new SimpleCFT().patch({
+      Resources: {
+        [id]: {
+          Type: "AWS::Route53::RecordSet",
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: recordType,
+            Name: domainName,
+            ResourceRecords: resourceRecords,
+            TTL: "300"
+          }
+        }
+      }
+    });
+    return cft.template;
+  }
+);
+
+// src/iac/packs/file-storage.ts
+var addSecureFileStorage = createResourcePack(
+  ({
+    id,
+    bucketName,
+    shouldDelete = true,
+    blockPublicAccess = true,
+    cors = false,
+    accessControl = void 0,
+    allowACLs = false
+  }) => {
+    return {
+      Resources: {
+        [id]: {
+          Type: "AWS::S3::Bucket",
+          DeletionPolicy: shouldDelete ? "Delete" : "Retain",
+          Properties: {
+            BucketName: bucketName,
+            AccessControl: accessControl,
+            OwnershipControls: allowACLs ? {
+              Rules: [
+                {
+                  ObjectOwnership: "ObjectWriter"
+                }
+              ]
+            } : void 0,
+            CorsConfiguration: typeof cors === "object" ? cors : cors === true ? {
+              CorsRules: [
+                {
+                  AllowedHeaders: ["*"],
+                  AllowedMethods: [
+                    "GET",
+                    "PUT",
+                    "POST",
+                    "DELETE",
+                    "HEAD"
+                  ],
+                  AllowedOrigins: ["*"]
+                }
+              ]
+            } : void 0,
+            BucketEncryption: {
+              ServerSideEncryptionConfiguration: [
+                {
+                  ServerSideEncryptionByDefault: {
+                    SSEAlgorithm: "AES256"
+                  }
+                }
+              ]
+            },
+            PublicAccessBlockConfiguration: blockPublicAccess ? {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: true,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true
+            } : {
+              BlockPublicAcls: false,
+              BlockPublicPolicy: false,
+              IgnorePublicAcls: false,
+              RestrictPublicBuckets: false
+            }
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/gateway.ts
+var DEFAULT_AUTH_TYPE = "COGNITO_USER_POOLS";
+var addGateway = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    certificateArn,
+    cloudFunction: {
+      id: cloudFunctionId,
+      region: cloudFunctionRegion = "${AWS::Region}"
+    },
+    stageName = "production",
+    authorizer,
+    deploymentSuffix = ""
+  }) => {
+    const cloudFunctionUri = {
+      "Fn::Sub": `arn:aws:apigateway:${cloudFunctionRegion}:lambda:path/2015-03-31/functions/\${${cloudFunctionId}.Arn}/invocations`
+    };
+    const {
+      scopes: authScopes = ["phone", "email", "openid", "profile"],
+      type: authType = "COGNITO_USER_POOLS",
+      providerARNs,
+      identitySource = "method.request.header.authorization"
+    } = !!authorizer && typeof authorizer === "object" ? authorizer : {};
+    const authorizerId = `${id}CustomAuthorizer`;
+    const authProps = !!authorizer ? {
+      AuthorizationScopes: authScopes,
+      AuthorizationType: authType === DEFAULT_AUTH_TYPE ? DEFAULT_AUTH_TYPE : "CUSTOM",
+      AuthorizerId: {
+        Ref: authorizerId
+      }
+    } : {
+      AuthorizationType: "NONE"
+    };
+    const fullDeploymentId = `${id}GatewayRESTAPIDeployment${deploymentSuffix}`;
+    return new SimpleCFT().patch({
+      Resources: {
+        // REST API
+        [id]: {
+          Type: "AWS::ApiGateway::RestApi",
+          Properties: {
+            Name: {
+              "Fn::Sub": `\${AWS::StackName}-${id}GatewayRESTAPI`
+            },
+            EndpointConfiguration: {
+              Types: ["EDGE"]
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIResource`]: {
+          Type: "AWS::ApiGateway::Resource",
+          DependsOn: id,
+          Properties: {
+            ParentId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            PathPart: "{proxy+}",
+            RestApiId: {
+              Ref: id
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            ...authProps,
+            HttpMethod: "ANY",
+            ResourceId: {
+              Ref: `${id}GatewayRESTAPIResource`
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIRootMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            ...authProps,
+            HttpMethod: "ANY",
+            ResourceId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // CORS
+        [`${id}GatewayRESTAPIOPTIONSMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            AuthorizationType: "NONE",
+            HttpMethod: "OPTIONS",
+            ResourceId: {
+              Ref: `${id}GatewayRESTAPIResource`
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIRootOPTIONSMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            AuthorizationType: "NONE",
+            HttpMethod: "OPTIONS",
+            ResourceId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayResponseDefault4XX`]: {
+          Type: "AWS::ApiGateway::GatewayResponse",
+          Properties: {
+            ResponseParameters: {
+              // Not authorized, so just allow the current origin by mapping it into the header.
+              "gatewayresponse.header.Access-Control-Allow-Origin": "method.request.header.origin",
+              "gatewayresponse.header.Access-Control-Allow-Credentials": "'true'",
+              "gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
+            },
+            ResponseType: "DEFAULT_4XX",
+            RestApiId: {
+              Ref: id
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // SUPPORTING RESOURCES
+        [fullDeploymentId]: {
+          Type: "AWS::ApiGateway::Deployment",
+          DependsOn: [
+            `${id}GatewayRESTAPIResource`,
+            `${id}GatewayRESTAPIMethod`,
+            `${id}GatewayRESTAPIRootMethod`,
+            id,
+            cloudFunctionId
+          ],
+          Properties: {
+            RestApiId: {
+              Ref: id
+            }
+          }
+        },
+        [`${id}CloudWatch`]: {
+          Type: "AWS::Logs::LogGroup",
+          Properties: {
+            LogGroupName: {
+              "Fn::Sub": `\${AWS::StackName}-${id}GatewayLogs`
+            }
+          }
+        },
+        [`${id}CloudWatchRole`]: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            AssumeRolePolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Principal: {
+                    Service: ["apigateway.amazonaws.com"]
+                  },
+                  Action: "sts:AssumeRole"
+                }
+              ]
+            },
+            Path: "/",
+            ManagedPolicyArns: [
+              "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+            ]
+          }
+        },
+        [`${id}CloudWatchAccount`]: {
+          Type: "AWS::ApiGateway::Account",
+          Properties: {
+            CloudWatchRoleArn: {
+              "Fn::GetAtt": [`${id}CloudWatchRole`, "Arn"]
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIEnvironment`]: {
+          Type: "AWS::ApiGateway::Stage",
+          DependsOn: [`${id}CloudWatchAccount`, fullDeploymentId],
+          Properties: {
+            AccessLogSetting: {
+              DestinationArn: {
+                "Fn::GetAtt": [`${id}CloudWatch`, "Arn"]
+              },
+              Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","caller":"$context.identity.caller","user":"$context.identity.user","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","resourcePath":"$context.resourcePath","status":"$context.status","protocol":"$context.protocol","responseLength":"$context.responseLength","apiGatewayErrorMessage":"$context.error.message"}'
+            },
+            DeploymentId: {
+              Ref: fullDeploymentId
+            },
+            RestApiId: {
+              Ref: id
+            },
+            StageName: stageName
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // DNS
+        [`${id}DomainName`]: {
+          Type: "AWS::ApiGateway::DomainName",
+          Properties: {
+            CertificateArn: certificateArn,
+            DomainName: domainName,
+            EndpointConfiguration: {
+              Types: ["EDGE"]
+            }
+          }
+        },
+        [`${id}DomainNameBasePathMapping`]: {
+          Type: "AWS::ApiGateway::BasePathMapping",
+          DependsOn: [
+            id,
+            `${id}GatewayRESTAPIEnvironment`,
+            `${id}DomainName`
+          ],
+          Properties: {
+            DomainName: domainName,
+            RestApiId: {
+              Ref: id
+            },
+            Stage: stageName
+          }
+        },
+        [`${id}Route53Record`]: {
+          Type: "AWS::Route53::RecordSet",
+          DependsOn: `${id}DomainName`,
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: "A",
+            Name: {
+              "Fn::Sub": [
+                "${DomainName}.",
+                {
+                  DomainName: domainName
+                }
+              ]
+            },
+            AliasTarget: {
+              HostedZoneId: "Z2FDTNDATAQYW2",
+              DNSName: {
+                "Fn::Sub": [
+                  "${DomainName}.",
+                  {
+                    DomainName: {
+                      "Fn::GetAtt": [
+                        `${id}DomainName`,
+                        "DistributionDomainName"
+                      ]
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // PERMISSIONS
+        [`${id}CloudFunctionANYResourcePermission`]: {
+          Type: "AWS::Lambda::Permission",
+          Properties: {
+            Action: "lambda:InvokeFunction",
+            Principal: "apigateway.amazonaws.com",
+            FunctionName: {
+              "Fn::GetAtt": [cloudFunctionId, "Arn"]
+            },
+            SourceArn: {
+              "Fn::Sub": [
+                "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
+                {
+                  __Stage__: stageName,
+                  __ApiId__: {
+                    Ref: id
+                  }
+                }
+              ]
+            }
+          }
+        }
+      }
+    }).patch(
+      !!authorizer ? {
+        Resources: {
+          // AUTHORIZER
+          [`${id}CustomAuthorizer`]: {
+            Type: "AWS::ApiGateway::Authorizer",
+            Properties: {
+              IdentitySource: identitySource,
+              Name: `${id}CustomAuthorizer`,
+              ProviderARNs: providerARNs,
+              RestApiId: {
+                Ref: id
+              },
+              Type: "COGNITO_USER_POOLS"
+            }
+          }
+        }
+      } : {}
+    ).template;
+  }
+);
+
+// src/iac/packs/repo.ts
+var addRepo = createResourcePack(
+  ({
+    repoOwnerParameterName,
+    repoNameParameterName,
+    repoBranchParameterName,
+    repoTokenParameterName
+  }) => new SimpleCFT().addParameterGroup({
+    Label: "Repository",
+    Parameters: {
+      [repoOwnerParameterName]: {
+        Label: "RepoOwner",
+        Type: "String",
+        Description: "The owner of the repository"
+      },
+      [repoNameParameterName]: {
+        Label: "RepoName",
+        Type: "String",
+        Description: "The name of the repository"
+      },
+      [repoBranchParameterName]: {
+        Label: "RepoBranch",
+        Type: "String",
+        Description: "The branch of the repository"
+      },
+      [repoTokenParameterName]: {
+        Label: "RepoToken",
+        Type: "String",
+        Description: "The token of the repository",
+        NoEcho: true
+      }
+    }
+  }).template
+);
+
+// src/iac/packs/ssl-certificate.ts
+var addSSLCertificate = createResourcePack(
+  ({
+    id,
+    domainName,
+    hostedZoneId,
+    includeWildCard = true
+  }) => ({
+    Resources: {
+      [id]: {
+        Type: "AWS::CertificateManager::Certificate",
+        Properties: {
+          DomainName: domainName,
+          ValidationMethod: "DNS",
+          DomainValidationOptions: [
+            {
+              DomainName: domainName,
+              HostedZoneId: hostedZoneId
+            }
+          ],
+          SubjectAlternativeNames: includeWildCard ? [
+            {
+              "Fn::Sub": [
+                "*.${BaseDomainName}",
+                {
+                  BaseDomainName: domainName
+                }
+              ]
+            }
+          ] : void 0
+        }
+      }
+    }
+  })
+);
+
+export { COMMAND_HELPERS, DEFAULT_AUTH_TYPE, DEFAULT_BUILD_PIPELINE_REPO_PROVIDER, PLACEHOLDER_FUNCTION_CODE, addAuth, addBuildPipeline, addCDN, addCloudFunction, addDNS, addDatabase, addGateway, addRepo, addSSLCertificate, addSecureFileStorage, createBuildSpec };