@resistdesign/voltra 3.0.0-alpha.3 → 3.0.0-alpha.30

package/iac/packs/index.js

@@ -0,0 +1,1370 @@
+import { createResourcePack, SimpleCFT } from '../../chunk-ATO2455Q.js';
+import '../../chunk-I2KLQ2HA.js';
+import YAML from 'yaml';
+
+// src/iac/packs/auth/user-management.ts
+var addUserManagement = createResourcePack(
+  (config) => {
+    const {
+      id,
+      authRoleName,
+      unauthRoleName,
+      callbackUrls,
+      logoutUrls,
+      apiGatewayRESTAPIId,
+      apiStageName
+    } = config;
+    const apiRoleConfig = apiGatewayRESTAPIId && apiStageName ? {
+      [`${id}IdentityPoolRoles`]: {
+        Type: "AWS::Cognito::IdentityPoolRoleAttachment",
+        Properties: {
+          IdentityPoolId: {
+            Ref: `${id}IdentityPool`
+          },
+          Roles: {
+            authenticated: {
+              "Fn::GetAtt": [`${id}AuthRole`, "Arn"]
+            },
+            unauthenticated: {
+              "Fn::GetAtt": [`${id}UnauthRole`, "Arn"]
+            }
+          }
+        }
+      },
+      [`${id}AuthRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          RoleName: authRoleName,
+          Path: "/",
+          AssumeRolePolicyDocument: {
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Federated: "cognito-identity.amazonaws.com"
+                },
+                Action: ["sts:AssumeRoleWithWebIdentity"],
+                Condition: {
+                  StringEquals: {
+                    "cognito-identity.amazonaws.com:aud": {
+                      Ref: `${id}IdentityPool`
+                    }
+                  },
+                  "ForAnyValue:StringLike": {
+                    "cognito-identity.amazonaws.com:amr": "authenticated"
+                  }
+                }
+              }
+            ]
+          },
+          Policies: [
+            {
+              PolicyName: "CognitoAuthorizedPolicy",
+              PolicyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: [
+                      "mobileanalytics:PutEvents",
+                      "cognito-sync:*",
+                      "cognito-identity:*"
+                    ],
+                    Resource: "*"
+                  },
+                  {
+                    Effect: "Allow",
+                    Action: ["execute-api:Invoke"],
+                    Resource: {
+                      "Fn::Sub": [
+                        "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
+                        {
+                          Region: {
+                            Ref: "AWS::Region"
+                          },
+                          AccountId: {
+                            Ref: "AWS::AccountId"
+                          },
+                          APIID: apiGatewayRESTAPIId,
+                          StageName: apiStageName,
+                          HTTPVerb: "*"
+                        }
+                      ]
+                    }
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      },
+      [`${id}UnauthRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          RoleName: unauthRoleName,
+          Path: "/",
+          AssumeRolePolicyDocument: {
+            Version: "2012-10-17",
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Federated: "cognito-identity.amazonaws.com"
+                },
+                Action: ["sts:AssumeRoleWithWebIdentity"],
+                Condition: {
+                  StringEquals: {
+                    "cognito-identity.amazonaws.com:aud": {
+                      Ref: `${id}IdentityPool`
+                    }
+                  },
+                  "ForAnyValue:StringLike": {
+                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
+                  }
+                }
+              }
+            ]
+          },
+          Policies: [
+            {
+              PolicyName: "CognitoUnauthorizedPolicy",
+              PolicyDocument: {
+                Version: "2012-10-17",
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: [
+                      "mobileanalytics:PutEvents",
+                      "cognito-sync:*",
+                      "cognito-identity:*"
+                    ],
+                    Resource: "*"
+                  }
+                ]
+              }
+            }
+          ]
+        }
+      }
+    } : {};
+    const userPoolDomainConfig = config.enableUserPoolDomain === false ? {} : {
+      [`${id}BaseDomainRecord`]: !!config.baseDomainRecordAliasTargetDNSName ? {
+        Type: "AWS::Route53::RecordSet",
+        DeletionPolicy: "Delete",
+        Properties: {
+          HostedZoneId: config.hostedZoneId,
+          Type: "A",
+          Name: config.domainName,
+          AliasTarget: {
+            HostedZoneId: "Z2FDTNDATAQYW2",
+            DNSName: config.baseDomainRecordAliasTargetDNSName
+          }
+        }
+      } : void 0,
+      [`${id}DomainRecord`]: {
+        Type: "AWS::Route53::RecordSet",
+        DeletionPolicy: "Delete",
+        Properties: {
+          HostedZoneId: config.hostedZoneId,
+          Type: "A",
+          Name: {
+            "Fn::Sub": [
+              "auth.${BaseDomainName}",
+              {
+                BaseDomainName: config.domainName
+              }
+            ]
+          },
+          AliasTarget: {
+            HostedZoneId: "Z2FDTNDATAQYW2",
+            DNSName: {
+              "Fn::GetAtt": [`${id}Domain`, "CloudFrontDistribution"]
+            }
+          }
+        }
+      },
+      [`${id}Domain`]: {
+        Type: "AWS::Cognito::UserPoolDomain",
+        DependsOn: !!config.baseDomainRecordAliasTargetDNSName ? `${id}BaseDomainRecord` : void 0,
+        Properties: {
+          Domain: {
+            "Fn::Sub": [
+              "auth.${BaseDomainName}",
+              {
+                BaseDomainName: config.domainName
+              }
+            ]
+          },
+          UserPoolId: {
+            Ref: id
+          },
+          CustomDomainConfig: {
+            CertificateArn: config.sslCertificateArn
+          }
+        }
+      }
+    };
+    return {
+      Resources: {
+        [id]: {
+          Type: "AWS::Cognito::UserPool",
+          Properties: {
+            UserPoolName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}`, {}]
+            },
+            AccountRecoverySetting: {
+              RecoveryMechanisms: [
+                {
+                  Name: "verified_email",
+                  Priority: 1
+                }
+              ]
+            },
+            AdminCreateUserConfig: {
+              AllowAdminCreateUserOnly: false,
+              UnusedAccountValidityDays: 365
+            },
+            AutoVerifiedAttributes: ["email"],
+            AliasAttributes: ["phone_number", "email", "preferred_username"],
+            Schema: [
+              {
+                Name: "email",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "given_name",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "family_name",
+                Required: true,
+                Mutable: true
+              },
+              {
+                Name: "phone_number",
+                Required: true,
+                Mutable: true
+              }
+            ],
+            DeviceConfiguration: {
+              ChallengeRequiredOnNewDevice: true,
+              DeviceOnlyRememberedOnUserPrompt: false
+            },
+            UsernameConfiguration: {
+              CaseSensitive: false
+            }
+          }
+        },
+        [`${id}Client`]: {
+          Type: "AWS::Cognito::UserPoolClient",
+          Properties: {
+            ClientName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}Client`, {}]
+            },
+            UserPoolId: {
+              Ref: id
+            },
+            AllowedOAuthFlowsUserPoolClient: true,
+            AllowedOAuthFlows: ["code", "implicit"],
+            AllowedOAuthScopes: [
+              "openid",
+              "email",
+              "phone",
+              "profile",
+              "aws.cognito.signin.user.admin"
+            ],
+            EnableTokenRevocation: true,
+            PreventUserExistenceErrors: "ENABLED",
+            SupportedIdentityProviders: ["COGNITO"],
+            ...callbackUrls && callbackUrls.length > 0 ? { CallbackURLs: callbackUrls } : {},
+            ...logoutUrls && logoutUrls.length > 0 ? { LogoutURLs: logoutUrls } : {}
+          }
+        },
+        [`${id}IdentityPool`]: {
+          Type: "AWS::Cognito::IdentityPool",
+          Properties: {
+            IdentityPoolName: {
+              "Fn::Sub": [`\${AWS::StackName}${id}IdentityPool`, {}]
+            },
+            AllowUnauthenticatedIdentities: false,
+            CognitoIdentityProviders: [
+              {
+                ClientId: {
+                  Ref: `${id}Client`
+                },
+                ProviderName: {
+                  "Fn::GetAtt": [id, "ProviderName"]
+                },
+                ServerSideTokenCheck: true
+              }
+            ]
+          }
+        },
+        ...userPoolDomainConfig,
+        ...apiRoleConfig
+      }
+    };
+  }
+);
+
+// src/iac/packs/auth.ts
+var addAuth = createResourcePack((config) => {
+  const {
+    userManagementId,
+    authRoleName,
+    unauthRoleName,
+    callbackUrls,
+    logoutUrls,
+    apiCloudFunctionGatewayId,
+    apiStageName,
+    adminGroupId,
+    userManagementAdminGroupName
+  } = config;
+  return new SimpleCFT().applyPack(addUserManagement, {
+    id: userManagementId,
+    authRoleName,
+    unauthRoleName,
+    apiGatewayRESTAPIId: {
+      Ref: apiCloudFunctionGatewayId
+    },
+    apiStageName,
+    ...config.enableUserPoolDomain === false ? {
+      enableUserPoolDomain: false
+    } : {
+      enableUserPoolDomain: true,
+      domainName: {
+        Ref: config.domainNameParameterName
+      },
+      hostedZoneId: {
+        Ref: config.hostedZoneIdParameterName
+      },
+      sslCertificateArn: {
+        Ref: config.sslCertificateId
+      },
+      baseDomainRecordAliasTargetDNSName: {
+        "Fn::GetAtt": [config.mainCDNCloudFrontId, "DomainName"]
+      },
+      callbackUrls,
+      logoutUrls
+    }
+  }).patch({
+    Resources: {
+      [adminGroupId]: {
+        Type: "AWS::Cognito::UserPoolGroup",
+        Properties: {
+          GroupName: userManagementAdminGroupName,
+          UserPoolId: {
+            Ref: userManagementId
+          },
+          Description: "Application admin group."
+        }
+      }
+    }
+  }).template;
+});
+
+// src/iac/packs/build.ts
+var DEFAULT_BUILD_PIPELINE_REPO_PROVIDER = "GitHub";
+var addBuildPipeline = createResourcePack(
+  ({
+    id,
+    buildSpec,
+    dependsOn,
+    environmentVariables,
+    timeoutInMinutes = 10,
+    environmentType = "LINUX_CONTAINER",
+    environmentComputeType = "BUILD_GENERAL1_SMALL",
+    environmentImage = "aws/codebuild/nodejs:10.14.1",
+    repoConfig: {
+      provider = DEFAULT_BUILD_PIPELINE_REPO_PROVIDER,
+      owner,
+      repo,
+      branch,
+      oauthToken
+    }
+  }) => ({
+    Resources: {
+      [`${id}CodeBuildRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          AssumeRolePolicyDocument: {
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Service: ["codebuild.amazonaws.com"]
+                },
+                Action: ["sts:AssumeRole"]
+              }
+            ]
+          },
+          Path: "/",
+          Policies: [
+            {
+              PolicyName: "codebuild-service",
+              PolicyDocument: {
+                Statement: [
+                  {
+                    Effect: "Allow",
+                    Action: "*",
+                    Resource: "*"
+                  }
+                ],
+                Version: "2012-10-17"
+              }
+            }
+          ]
+        }
+      },
+      [`${id}CodePipelineRole`]: {
+        Type: "AWS::IAM::Role",
+        Properties: {
+          AssumeRolePolicyDocument: {
+            Statement: [
+              {
+                Effect: "Allow",
+                Principal: {
+                  Service: ["codepipeline.amazonaws.com"]
+                },
+                Action: ["sts:AssumeRole"]
+              }
+            ]
+          },
+          Path: "/",
+          Policies: [
+            {
+              PolicyName: "codepipeline-service",
+              PolicyDocument: {
+                Statement: [
+                  {
+                    Action: ["codebuild:*"],
+                    Resource: "*",
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: [
+                      "s3:GetObject",
+                      "s3:GetObjectVersion",
+                      "s3:GetBucketVersioning"
+                    ],
+                    Resource: "*",
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: ["s3:PutObject"],
+                    Resource: ["arn:aws:s3:::codepipeline*"],
+                    Effect: "Allow"
+                  },
+                  {
+                    Action: ["s3:*", "cloudformation:*", "iam:PassRole"],
+                    Resource: "*",
+                    Effect: "Allow"
+                  }
+                ],
+                Version: "2012-10-17"
+              }
+            }
+          ]
+        }
+      },
+      [`${id}PipelineBucket`]: {
+        Type: "AWS::S3::Bucket",
+        DeletionPolicy: "Delete",
+        Properties: {
+          BucketEncryption: {
+            ServerSideEncryptionConfiguration: [
+              {
+                ServerSideEncryptionByDefault: {
+                  SSEAlgorithm: "AES256"
+                }
+              }
+            ]
+          },
+          PublicAccessBlockConfiguration: {
+            BlockPublicAcls: true,
+            BlockPublicPolicy: true,
+            IgnorePublicAcls: true,
+            RestrictPublicBuckets: true
+          }
+        }
+      },
+      [`${id}CodeBuildAndDeploy`]: {
+        Type: "AWS::CodeBuild::Project",
+        DependsOn: dependsOn,
+        Properties: {
+          Name: {
+            "Fn::Sub": `\${AWS::StackName}-${id}CodeBuildAndDeploy`
+          },
+          Description: "Deploy site to S3",
+          ServiceRole: {
+            "Fn::GetAtt": [`${id}CodeBuildRole`, "Arn"]
+          },
+          Artifacts: {
+            Type: "CODEPIPELINE"
+          },
+          Environment: {
+            Type: environmentType,
+            ComputeType: environmentComputeType,
+            Image: environmentImage,
+            EnvironmentVariables: environmentVariables
+          },
+          Source: {
+            Type: "CODEPIPELINE",
+            BuildSpec: buildSpec
+          },
+          TimeoutInMinutes: timeoutInMinutes
+        }
+      },
+      [`${id}Pipeline`]: {
+        Type: "AWS::CodePipeline::Pipeline",
+        DependsOn: `${id}CodeBuildAndDeploy`,
+        Properties: {
+          RoleArn: {
+            "Fn::GetAtt": [`${id}CodePipelineRole`, "Arn"]
+          },
+          Stages: [
+            {
+              Name: "Acquire-Source",
+              Actions: [
+                {
+                  InputArtifacts: [],
+                  Name: "Source",
+                  ActionTypeId: {
+                    Category: "Source",
+                    Owner: "ThirdParty",
+                    Version: "1",
+                    Provider: provider
+                  },
+                  OutputArtifacts: [
+                    {
+                      Name: "SourceOutput"
+                    }
+                  ],
+                  Configuration: {
+                    Owner: owner,
+                    Repo: repo,
+                    Branch: branch,
+                    OAuthToken: oauthToken
+                  },
+                  RunOrder: 1
+                }
+              ]
+            },
+            {
+              Name: "Build-And-Deploy",
+              Actions: [
+                {
+                  Name: "Artifact",
+                  ActionTypeId: {
+                    Category: "Build",
+                    Owner: "AWS",
+                    Version: "1",
+                    Provider: "CodeBuild"
+                  },
+                  InputArtifacts: [
+                    {
+                      Name: "SourceOutput"
+                    }
+                  ],
+                  OutputArtifacts: [
+                    {
+                      Name: "DeployOutput"
+                    }
+                  ],
+                  Configuration: {
+                    ProjectName: {
+                      Ref: `${id}CodeBuildAndDeploy`
+                    }
+                  },
+                  RunOrder: 1
+                }
+              ]
+            }
+          ],
+          ArtifactStore: {
+            Type: "S3",
+            Location: {
+              Ref: `${id}PipelineBucket`
+            }
+          }
+        }
+      }
+    }
+  })
+);
+var COMMAND_HELPERS = {
+  updateFunction: ({
+    cloudFunctionArn,
+    codeZipFilePath
+  }) => `aws lambda update-function-code --function-name "${cloudFunctionArn}" --zip-file "fileb://${codeZipFilePath}"`,
+  copyDirectoryToS3: ({
+    s3Domain,
+    directoryPath
+  }) => `aws s3 cp --recursive --acl public-read ${directoryPath} s3://${s3Domain}/`,
+  cloudFrontInvalidation: ({
+    cloudFrontDistributionId,
+    pathsToInvalidate = ["/*"]
+  }) => `aws cloudfront create-invalidation --distribution-id "${cloudFrontDistributionId}" --paths "${pathsToInvalidate.join('" "')}"`,
+  addNPMTokenWithNPMRC: ({ npmToken }) => `echo '//registry.npmjs.org/:_authToken=${npmToken}' > .npmrc`
+};
+var createBuildSpec = ({ version = 0.2, phases }) => YAML.stringify(
+  // TRICKY: Removed all keys with a value of `undefined`.
+  JSON.parse(
+    JSON.stringify({
+      version,
+      phases
+    })
+  )
+);
+
+// src/iac/packs/cdn.ts
+var addCDN = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    certificateArn,
+    fileStorageId
+  }) => {
+    const oacId = `${id}OriginAccessControl`;
+    return {
+      Resources: {
+        [oacId]: {
+          Type: "AWS::CloudFront::OriginAccessControl",
+          Properties: {
+            OriginAccessControlConfig: {
+              Name: oacId,
+              OriginAccessControlOriginType: "s3",
+              SigningBehavior: "always",
+              SigningProtocol: "sigv4"
+            }
+          }
+        },
+        [id]: {
+          Type: "AWS::CloudFront::Distribution",
+          DependsOn: fileStorageId,
+          Properties: {
+            DistributionConfig: {
+              Aliases: [domainName],
+              ViewerCertificate: {
+                AcmCertificateArn: certificateArn,
+                SslSupportMethod: "sni-only",
+                MinimumProtocolVersion: "TLSv1.1_2016"
+              },
+              DefaultCacheBehavior: {
+                ForwardedValues: {
+                  QueryString: false
+                },
+                TargetOriginId: {
+                  "Fn::Sub": [
+                    "S3-${S3BucketName}",
+                    {
+                      S3BucketName: domainName
+                    }
+                  ]
+                },
+                ViewerProtocolPolicy: "redirect-to-https"
+              },
+              DefaultRootObject: "index.html",
+              Enabled: true,
+              IPV6Enabled: false,
+              HttpVersion: "http2",
+              Origins: [
+                {
+                  DomainName: {
+                    "Fn::Sub": [
+                      "${S3BucketName}.s3.amazonaws.com",
+                      {
+                        S3BucketName: domainName
+                      }
+                    ]
+                  },
+                  Id: {
+                    "Fn::Sub": [
+                      "S3-${S3BucketName}",
+                      {
+                        S3BucketName: domainName
+                      }
+                    ]
+                  },
+                  OriginAccessControlId: { Ref: oacId },
+                  S3OriginConfig: {
+                    OriginAccessIdentity: ""
+                  }
+                }
+              ],
+              CustomErrorResponses: [
+                {
+                  ErrorCachingMinTTL: 300,
+                  ErrorCode: 404,
+                  ResponseCode: 200,
+                  ResponsePagePath: "/index.html"
+                },
+                {
+                  ErrorCachingMinTTL: 300,
+                  ErrorCode: 403,
+                  ResponseCode: 200,
+                  ResponsePagePath: "/index.html"
+                }
+              ],
+              PriceClass: "PriceClass_All"
+            }
+          }
+        },
+        [`${id}Route53Record`]: {
+          Type: "AWS::Route53::RecordSet",
+          DependsOn: [id],
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: "A",
+            Name: {
+              "Fn::Sub": [
+                "${DomainName}.",
+                {
+                  DomainName: domainName
+                }
+              ]
+            },
+            AliasTarget: {
+              HostedZoneId: "Z2FDTNDATAQYW2",
+              DNSName: {
+                "Fn::Sub": [
+                  "${DomainName}.",
+                  {
+                    DomainName: {
+                      "Fn::GetAtt": [id, "DomainName"]
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/cloud-function.ts
+var PLACEHOLDER_FUNCTION_CODE = {
+  ZipFile: `module.exports = {handler: async () => ({
+            statusCode: 200,
+            headers: {'Content-Type': 'application/json'},
+            body: '"You did it!"'
+          })};
+`
+};
+var addCloudFunction = createResourcePack(
+  ({
+    id,
+    code = PLACEHOLDER_FUNCTION_CODE,
+    environment = {
+      Variables: {
+        NODE_ENV: "production"
+      }
+    },
+    handler = "index.handler",
+    runtime = "nodejs26.x",
+    timeout = 30,
+    policies = [
+      {
+        PolicyName: "lambda-parameter-store",
+        PolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Action: ["*"],
+              Resource: "*"
+            }
+          ]
+        }
+      }
+    ],
+    memorySize = 128
+  }) => {
+    return {
+      Resources: {
+        [`${id}Role`]: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            ManagedPolicyArns: [
+              "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+            ],
+            AssumeRolePolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Action: ["sts:AssumeRole"],
+                  Effect: "Allow",
+                  Principal: {
+                    Service: ["lambda.amazonaws.com"]
+                  }
+                }
+              ]
+            },
+            Policies: policies
+          }
+        },
+        [id]: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            Timeout: timeout,
+            Code: code,
+            Environment: environment,
+            Handler: handler,
+            Role: {
+              "Fn::GetAtt": [`${id}Role`, "Arn"]
+            },
+            Runtime: runtime,
+            MemorySize: memorySize
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/database.ts
+var addDatabase = createResourcePack(
+  ({
+    tableId,
+    tableName,
+    keys,
+    attributes,
+    billingMode = "PAY_PER_REQUEST"
+  }) => new SimpleCFT().patch({
+    Resources: {
+      [tableId]: {
+        Type: "AWS::DynamoDB::Table",
+        Properties: {
+          TableName: tableName,
+          AttributeDefinitions: Object.keys(attributes).map(
+            (attributeName) => ({
+              AttributeName: attributeName,
+              AttributeType: attributes[attributeName]
+            })
+          ),
+          KeySchema: Object.keys(keys).map((keyName) => ({
+            AttributeName: keyName,
+            KeyType: keys[keyName]
+          })),
+          BillingMode: billingMode
+        }
+      }
+    }
+  }).template
+);
+
+// src/iac/packs/dns.ts
+var addDNS = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    resourceRecords,
+    recordType = "A"
+  }) => {
+    let cft = new SimpleCFT().patch({
+      Resources: {
+        [id]: {
+          Type: "AWS::Route53::RecordSet",
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: recordType,
+            Name: domainName,
+            ResourceRecords: resourceRecords,
+            TTL: "300"
+          }
+        }
+      }
+    });
+    return cft.template;
+  }
+);
+
+// src/iac/packs/file-storage.ts
+var addSecureFileStorage = createResourcePack(
+  ({
+    id,
+    bucketName,
+    shouldDelete = true,
+    blockPublicAccess = true,
+    cors = false,
+    accessControl = void 0,
+    allowACLs = false
+  }) => {
+    return {
+      Resources: {
+        [id]: {
+          Type: "AWS::S3::Bucket",
+          DeletionPolicy: shouldDelete ? "Delete" : "Retain",
+          Properties: {
+            BucketName: bucketName,
+            AccessControl: accessControl,
+            OwnershipControls: allowACLs ? {
+              Rules: [
+                {
+                  ObjectOwnership: "ObjectWriter"
+                }
+              ]
+            } : void 0,
+            CorsConfiguration: typeof cors === "object" ? cors : cors === true ? {
+              CorsRules: [
+                {
+                  AllowedHeaders: ["*"],
+                  AllowedMethods: [
+                    "GET",
+                    "PUT",
+                    "POST",
+                    "DELETE",
+                    "HEAD"
+                  ],
+                  AllowedOrigins: ["*"]
+                }
+              ]
+            } : void 0,
+            BucketEncryption: {
+              ServerSideEncryptionConfiguration: [
+                {
+                  ServerSideEncryptionByDefault: {
+                    SSEAlgorithm: "AES256"
+                  }
+                }
+              ]
+            },
+            PublicAccessBlockConfiguration: blockPublicAccess ? {
+              BlockPublicAcls: true,
+              BlockPublicPolicy: true,
+              IgnorePublicAcls: true,
+              RestrictPublicBuckets: true
+            } : {
+              BlockPublicAcls: false,
+              BlockPublicPolicy: false,
+              IgnorePublicAcls: false,
+              RestrictPublicBuckets: false
+            }
+          }
+        }
+      }
+    };
+  }
+);
+
+// src/iac/packs/gateway.ts
+var DEFAULT_AUTH_TYPE = "COGNITO_USER_POOLS";
+var addGateway = createResourcePack(
+  ({
+    id,
+    hostedZoneId,
+    domainName,
+    certificateArn,
+    cloudFunction: {
+      id: cloudFunctionId,
+      region: cloudFunctionRegion = "${AWS::Region}"
+    },
+    stageName = "production",
+    authorizer,
+    deploymentSuffix = ""
+  }) => {
+    const cloudFunctionUri = {
+      "Fn::Sub": `arn:aws:apigateway:${cloudFunctionRegion}:lambda:path/2015-03-31/functions/\${${cloudFunctionId}.Arn}/invocations`
+    };
+    const {
+      scopes: authScopes = ["phone", "email", "openid", "profile"],
+      type: authType = "COGNITO_USER_POOLS",
+      providerARNs,
+      identitySource = "method.request.header.authorization"
+    } = !!authorizer && typeof authorizer === "object" ? authorizer : {};
+    const authorizerId = `${id}CustomAuthorizer`;
+    const authProps = !!authorizer ? {
+      AuthorizationScopes: authScopes,
+      AuthorizationType: authType === DEFAULT_AUTH_TYPE ? DEFAULT_AUTH_TYPE : "CUSTOM",
+      AuthorizerId: {
+        Ref: authorizerId
+      }
+    } : {
+      AuthorizationType: "NONE"
+    };
+    const fullDeploymentId = `${id}GatewayRESTAPIDeployment${deploymentSuffix}`;
+    return new SimpleCFT().patch({
+      Resources: {
+        // REST API
+        [id]: {
+          Type: "AWS::ApiGateway::RestApi",
+          Properties: {
+            Name: {
+              "Fn::Sub": `\${AWS::StackName}-${id}GatewayRESTAPI`
+            },
+            EndpointConfiguration: {
+              Types: ["EDGE"]
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIResource`]: {
+          Type: "AWS::ApiGateway::Resource",
+          DependsOn: id,
+          Properties: {
+            ParentId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            PathPart: "{proxy+}",
+            RestApiId: {
+              Ref: id
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            ...authProps,
+            HttpMethod: "ANY",
+            ResourceId: {
+              Ref: `${id}GatewayRESTAPIResource`
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIRootMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            ...authProps,
+            HttpMethod: "ANY",
+            ResourceId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // CORS
+        [`${id}GatewayRESTAPIOPTIONSMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            AuthorizationType: "NONE",
+            HttpMethod: "OPTIONS",
+            ResourceId: {
+              Ref: `${id}GatewayRESTAPIResource`
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIRootOPTIONSMethod`]: {
+          Type: "AWS::ApiGateway::Method",
+          DependsOn: `${id}GatewayRESTAPIResource`,
+          Properties: {
+            AuthorizationType: "NONE",
+            HttpMethod: "OPTIONS",
+            ResourceId: {
+              "Fn::GetAtt": [id, "RootResourceId"]
+            },
+            RestApiId: {
+              Ref: id
+            },
+            Integration: {
+              Type: "AWS_PROXY",
+              IntegrationHttpMethod: "POST",
+              Uri: cloudFunctionUri
+            }
+          }
+        },
+        [`${id}GatewayResponseDefault4XX`]: {
+          Type: "AWS::ApiGateway::GatewayResponse",
+          Properties: {
+            ResponseParameters: {
+              // Not authorized, so just allow the current origin by mapping it into the header.
+              "gatewayresponse.header.Access-Control-Allow-Origin": "method.request.header.origin",
+              "gatewayresponse.header.Access-Control-Allow-Credentials": "'true'",
+              "gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
+            },
+            ResponseType: "DEFAULT_4XX",
+            RestApiId: {
+              Ref: id
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // SUPPORTING RESOURCES
+        [fullDeploymentId]: {
+          Type: "AWS::ApiGateway::Deployment",
+          DependsOn: [
+            `${id}GatewayRESTAPIResource`,
+            `${id}GatewayRESTAPIMethod`,
+            `${id}GatewayRESTAPIRootMethod`,
+            id,
+            cloudFunctionId
+          ],
+          Properties: {
+            RestApiId: {
+              Ref: id
+            }
+          }
+        },
+        [`${id}CloudWatch`]: {
+          Type: "AWS::Logs::LogGroup",
+          Properties: {
+            LogGroupName: {
+              "Fn::Sub": `\${AWS::StackName}-${id}GatewayLogs`
+            }
+          }
+        },
+        [`${id}CloudWatchRole`]: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            AssumeRolePolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Principal: {
+                    Service: ["apigateway.amazonaws.com"]
+                  },
+                  Action: "sts:AssumeRole"
+                }
+              ]
+            },
+            Path: "/",
+            ManagedPolicyArns: [
+              "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+            ]
+          }
+        },
+        [`${id}CloudWatchAccount`]: {
+          Type: "AWS::ApiGateway::Account",
+          Properties: {
+            CloudWatchRoleArn: {
+              "Fn::GetAtt": [`${id}CloudWatchRole`, "Arn"]
+            }
+          }
+        },
+        [`${id}GatewayRESTAPIEnvironment`]: {
+          Type: "AWS::ApiGateway::Stage",
+          DependsOn: [`${id}CloudWatchAccount`, fullDeploymentId],
+          Properties: {
+            AccessLogSetting: {
+              DestinationArn: {
+                "Fn::GetAtt": [`${id}CloudWatch`, "Arn"]
+              },
+              Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","caller":"$context.identity.caller","user":"$context.identity.user","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","resourcePath":"$context.resourcePath","status":"$context.status","protocol":"$context.protocol","responseLength":"$context.responseLength","apiGatewayErrorMessage":"$context.error.message"}'
+            },
+            DeploymentId: {
+              Ref: fullDeploymentId
+            },
+            RestApiId: {
+              Ref: id
+            },
+            StageName: stageName
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // DNS
+        [`${id}DomainName`]: {
+          Type: "AWS::ApiGateway::DomainName",
+          Properties: {
+            CertificateArn: certificateArn,
+            DomainName: domainName,
+            EndpointConfiguration: {
+              Types: ["EDGE"]
+            }
+          }
+        },
+        [`${id}DomainNameBasePathMapping`]: {
+          Type: "AWS::ApiGateway::BasePathMapping",
+          DependsOn: [
+            id,
+            `${id}GatewayRESTAPIEnvironment`,
+            `${id}DomainName`
+          ],
+          Properties: {
+            DomainName: domainName,
+            RestApiId: {
+              Ref: id
+            },
+            Stage: stageName
+          }
+        },
+        [`${id}Route53Record`]: {
+          Type: "AWS::Route53::RecordSet",
+          DependsOn: `${id}DomainName`,
+          Properties: {
+            HostedZoneId: hostedZoneId,
+            Type: "A",
+            Name: {
+              "Fn::Sub": [
+                "${DomainName}.",
+                {
+                  DomainName: domainName
+                }
+              ]
+            },
+            AliasTarget: {
+              HostedZoneId: "Z2FDTNDATAQYW2",
+              DNSName: {
+                "Fn::Sub": [
+                  "${DomainName}.",
+                  {
+                    DomainName: {
+                      "Fn::GetAtt": [
+                        `${id}DomainName`,
+                        "DistributionDomainName"
+                      ]
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        }
+      }
+    }).patch({
+      Resources: {
+        // PERMISSIONS
+        [`${id}CloudFunctionANYResourcePermission`]: {
+          Type: "AWS::Lambda::Permission",
+          Properties: {
+            Action: "lambda:InvokeFunction",
+            Principal: "apigateway.amazonaws.com",
+            FunctionName: {
+              "Fn::GetAtt": [cloudFunctionId, "Arn"]
+            },
+            SourceArn: {
+              "Fn::Sub": [
+                "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
+                {
+                  __Stage__: stageName,
+                  __ApiId__: {
+                    Ref: id
+                  }
+                }
+              ]
+            }
+          }
+        }
+      }
+    }).patch(
+      !!authorizer ? {
+        Resources: {
+          // AUTHORIZER
+          [`${id}CustomAuthorizer`]: {
+            Type: "AWS::ApiGateway::Authorizer",
+            Properties: {
+              IdentitySource: identitySource,
+              Name: `${id}CustomAuthorizer`,
+              ProviderARNs: providerARNs,
+              RestApiId: {
+                Ref: id
+              },
+              Type: "COGNITO_USER_POOLS"
+            }
+          }
+        }
+      } : {}
+    ).template;
+  }
+);
+
+// src/iac/packs/repo.ts
+var addRepo = createResourcePack(
+  ({
+    repoOwnerParameterName,
+    repoNameParameterName,
+    repoBranchParameterName,
+    repoTokenParameterName
+  }) => new SimpleCFT().addParameterGroup({
+    Label: "Repository",
+    Parameters: {
+      [repoOwnerParameterName]: {
+        Label: "RepoOwner",
+        Type: "String",
+        Description: "The owner of the repository"
+      },
+      [repoNameParameterName]: {
+        Label: "RepoName",
+        Type: "String",
+        Description: "The name of the repository"
+      },
+      [repoBranchParameterName]: {
+        Label: "RepoBranch",
+        Type: "String",
+        Description: "The branch of the repository"
+      },
+      [repoTokenParameterName]: {
+        Label: "RepoToken",
+        Type: "String",
+        Description: "The token of the repository",
+        NoEcho: true
+      }
+    }
+  }).template
+);
+
+// src/iac/packs/ssl-certificate.ts
+var addSSLCertificate = createResourcePack(
+  ({
+    id,
+    domainName,
+    hostedZoneId,
+    includeWildCard = true
+  }) => ({
+    Resources: {
+      [id]: {
+        Type: "AWS::CertificateManager::Certificate",
+        Properties: {
+          DomainName: domainName,
+          ValidationMethod: "DNS",
+          DomainValidationOptions: [
+            {
+              DomainName: domainName,
+              HostedZoneId: hostedZoneId
+            }
+          ],
+          SubjectAlternativeNames: includeWildCard ? [
+            {
+              "Fn::Sub": [
+                "*.${BaseDomainName}",
+                {
+                  BaseDomainName: domainName
+                }
+              ]
+            }
+          ] : void 0
+        }
+      }
+    }
+  })
+);
+
+export { COMMAND_HELPERS, DEFAULT_AUTH_TYPE, DEFAULT_BUILD_PIPELINE_REPO_PROVIDER, PLACEHOLDER_FUNCTION_CODE, addAuth, addBuildPipeline, addCDN, addCloudFunction, addDNS, addDatabase, addGateway, addRepo, addSSLCertificate, addSecureFileStorage, createBuildSpec };