@resistdesign/voltra 3.0.0-alpha.4 → 3.0.0-alpha.40

package/iac/index.js

@@ -1,1661 +1,2 @@
-import YAML from 'yaml';
-
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/iac/packs/index.ts
-var packs_exports = {};
-__export(packs_exports, {
-  COMMAND_HELPERS: () => COMMAND_HELPERS,
-  DEFAULT_AUTH_TYPE: () => DEFAULT_AUTH_TYPE,
-  DEFAULT_BUILD_PIPELINE_REPO_PROVIDER: () => DEFAULT_BUILD_PIPELINE_REPO_PROVIDER,
-  PLACEHOLDER_FUNCTION_CODE: () => PLACEHOLDER_FUNCTION_CODE,
-  addAuth: () => addAuth,
-  addBuildPipeline: () => addBuildPipeline,
-  addCDN: () => addCDN,
-  addCloudFunction: () => addCloudFunction,
-  addDNS: () => addDNS,
-  addDatabase: () => addDatabase,
-  addGateway: () => addGateway,
-  addRepo: () => addRepo,
-  addSSLCertificate: () => addSSLCertificate,
-  addSecureFileStorage: () => addSecureFileStorage,
-  createBuildSpec: () => createBuildSpec
-});
-
-// src/iac/utils/index.ts
-var utils_exports = {};
-__export(utils_exports, {
-  DEFAULT_MERGE_STRATEGY: () => DEFAULT_MERGE_STRATEGY,
-  addParameter: () => addParameter,
-  addParameters: () => addParameters,
-  createResourcePack: () => createResourcePack,
-  getValuePathArray: () => getValuePathArray,
-  getValuePathString: () => getValuePathString,
-  isConstructedFrom: () => isConstructedFrom,
-  mergeValues: () => mergeValues,
-  patchTemplate: () => patchTemplate
-});
-
-// src/iac/utils/patch-utils.ts
-var DEFAULT_MERGE_STRATEGY = "transpose";
-var getValuePathString = (valuePathArray = []) => valuePathArray.map((p) => encodeURIComponent(p)).join("/");
-var getValuePathArray = (valuePathString = "") => valuePathString.split("/").map((p) => decodeURIComponent(p));
-var isConstructedFrom = (value, constructorReference) => value !== null && typeof value === "object" && "constructor" in value && value.constructor === constructorReference;
-var mergeValues = (valuePathArray = [], existingValue, newValue, mergeStrategyMap = {}) => {
-  const valuePathString = getValuePathString(valuePathArray);
-  const arrayIndexWildcardValuePathString = getValuePathString(
-    valuePathArray.map((p) => typeof p === "number" ? "#" : p)
-  );
-  const {
-    [valuePathString]: {
-      strategy: specificKeyMergeStrategy = DEFAULT_MERGE_STRATEGY,
-      data: specificKeyMergeStrategyData = void 0
-    } = {},
-    [arrayIndexWildcardValuePathString]: {
-      strategy: arrayIndexWildcardMergeStrategy = DEFAULT_MERGE_STRATEGY,
-      data: arrayIndexWildcardMergeStrategyData = void 0
-    } = {}
-  } = mergeStrategyMap;
-  const mergeStrategy = valuePathString in mergeStrategyMap ? specificKeyMergeStrategy : arrayIndexWildcardMergeStrategy;
-  const mergeStrategyData = valuePathString in mergeStrategyMap ? specificKeyMergeStrategyData : arrayIndexWildcardMergeStrategyData;
-  let mergedValue = typeof newValue !== "undefined" ? newValue : existingValue;
-  if (mergeStrategy !== "replace") {
-    if (isConstructedFrom(existingValue, Array) && isConstructedFrom(newValue, Array)) {
-      if (mergeStrategy === "accumulate") {
-        mergedValue = [...existingValue, ...newValue];
-      } else if (mergeStrategy === "accumulate-unique") {
-        mergedValue = [
-          ...existingValue,
-          ...newValue.filter(
-            (item) => existingValue.indexOf(item) === -1
-          )
-        ];
-      } else if (mergeStrategy === "accumulate-unique-by") {
-        const existingItemMap = {};
-        const newItemMap = {};
-        for (let i = 0; i < existingValue.length; i++) {
-          const existingItem = existingValue[i];
-          if (existingItem && typeof existingItem === "object") {
-            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(existingItem) : existingItem[mergeStrategyData];
-            existingItemMap[identifier] = existingItem;
-          }
-        }
-        for (let j = 0; j < newValue.length; j++) {
-          const newItem = newValue[j];
-          if (newItem && typeof newItem === "object") {
-            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(newItem) : newItem[mergeStrategyData];
-            newItemMap[identifier] = newItem;
-          }
-        }
-        mergedValue = Object.keys({
-          ...existingItemMap,
-          ...newItemMap
-        }).map(
-          (id, index) => mergeValues(
-            [...valuePathArray, index],
-            existingItemMap[id],
-            newItemMap[id],
-            mergeStrategyMap
-          )
-        );
-      } else if (mergeStrategy === "transpose") {
-        const fullLength = Math.max(existingValue.length, newValue.length);
-        mergedValue = [...new Array(fullLength)].map(
-          (_empty, index) => mergeValues(
-            [...valuePathArray, index],
-            existingValue[index],
-            newValue[index],
-            mergeStrategyMap
-          )
-        );
-      }
-    } else if (isConstructedFrom(existingValue, Object) && isConstructedFrom(newValue, Object)) {
-      mergedValue = Object.keys({ ...existingValue, ...newValue }).reduce(
-        (acc, k) => ({
-          ...acc,
-          [k]: mergeValues(
-            [...valuePathArray, k],
-            existingValue[k],
-            newValue[k],
-            mergeStrategyMap
-          )
-        }),
-        {}
-      );
-    }
-  }
-  return mergedValue;
-};
-
-// src/iac/utils/index.ts
-var addParameter = (parameterInfo, template) => {
-  const { ParameterId, Parameter, Label, Group } = parameterInfo;
-  const {
-    Parameters,
-    Metadata: {
-      "AWS::CloudFormation::Interface": {
-        ParameterGroups = [],
-        ParameterLabels = {}
-      } = {}
-    } = {}
-  } = template;
-  let NewParameterGroups = ParameterGroups;
-  if (Group) {
-    const GroupObject = ParameterGroups.filter(
-      (g) => g.Label?.default === Group
-    )[0];
-    NewParameterGroups = GroupObject ? ParameterGroups.map(
-      (g) => g.Label?.default === Group ? {
-        ...g,
-        Parameters: [...g.Parameters || [], ParameterId]
-      } : g
-    ) : [
-      ...ParameterGroups,
-      {
-        Label: {
-          default: Group
-        },
-        Parameters: [ParameterId]
-      }
-    ];
-  }
-  return {
-    ...template,
-    Parameters: {
-      ...Parameters,
-      [ParameterId]: Parameter
-    },
-    Metadata: {
-      ...template.Metadata,
-      "AWS::CloudFormation::Interface": {
-        ...template?.Metadata?.["AWS::CloudFormation::Interface"],
-        ParameterGroups: NewParameterGroups,
-        ParameterLabels: {
-          ...ParameterLabels,
-          [ParameterId]: {
-            default: Label
-          }
-        }
-      }
-    }
-  };
-};
-var addParameters = (parameters, template) => parameters.reduce((acc, p) => addParameter(p, acc), template);
-var patchTemplate = (patch, template) => mergeValues([], template, patch, {
-  [getValuePathString([
-    // Parameter Groups
-    "Metadata",
-    "AWS::CloudFormation::Interface",
-    "ParameterGroups"
-  ])]: {
-    strategy: "accumulate-unique-by",
-    data: (pG) => pG?.Label?.default
-  },
-  [getValuePathString([
-    // Parameter Group Parameter Ids
-    "Metadata",
-    "AWS::CloudFormation::Interface",
-    "ParameterGroups",
-    "#",
-    "Parameters"
-  ])]: {
-    strategy: "accumulate-unique"
-  }
-});
-var createResourcePack = (creator) => (params, template) => {
-  const patch = creator(params);
-  return patchTemplate(patch, template);
-};
-
-// src/iac/packs/auth/user-management.ts
-var addUserManagement = createResourcePack(
-  ({
-    id,
-    authRoleName,
-    unauthRoleName,
-    domainName,
-    hostedZoneId,
-    sslCertificateArn,
-    callbackUrls,
-    logoutUrls,
-    baseDomainRecordAliasTargetDNSName,
-    apiGatewayRESTAPIId,
-    apiStageName
-  }) => {
-    const apiRoleConfig = apiGatewayRESTAPIId && apiStageName ? {
-      [`${id}IdentityPoolRoles`]: {
-        Type: "AWS::Cognito::IdentityPoolRoleAttachment",
-        Properties: {
-          IdentityPoolId: {
-            Ref: `${id}IdentityPool`
-          },
-          Roles: {
-            authenticated: {
-              "Fn::GetAtt": [`${id}AuthRole`, "Arn"]
-            },
-            unauthenticated: {
-              "Fn::GetAtt": [`${id}UnauthRole`, "Arn"]
-            }
-          }
-        }
-      },
-      [`${id}AuthRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          RoleName: authRoleName,
-          Path: "/",
-          AssumeRolePolicyDocument: {
-            Version: "2012-10-17",
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Federated: "cognito-identity.amazonaws.com"
-                },
-                Action: ["sts:AssumeRoleWithWebIdentity"],
-                Condition: {
-                  StringEquals: {
-                    "cognito-identity.amazonaws.com:aud": {
-                      Ref: `${id}IdentityPool`
-                    }
-                  },
-                  "ForAnyValue:StringLike": {
-                    "cognito-identity.amazonaws.com:amr": "authenticated"
-                  }
-                }
-              }
-            ]
-          },
-          Policies: [
-            {
-              PolicyName: "CognitoAuthorizedPolicy",
-              PolicyDocument: {
-                Version: "2012-10-17",
-                Statement: [
-                  {
-                    Effect: "Allow",
-                    Action: [
-                      "mobileanalytics:PutEvents",
-                      "cognito-sync:*",
-                      "cognito-identity:*"
-                    ],
-                    Resource: "*"
-                  },
-                  {
-                    Effect: "Allow",
-                    Action: ["execute-api:Invoke"],
-                    Resource: {
-                      "Fn::Sub": [
-                        "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
-                        {
-                          Region: {
-                            Ref: "AWS::Region"
-                          },
-                          AccountId: {
-                            Ref: "AWS::AccountId"
-                          },
-                          APIID: apiGatewayRESTAPIId,
-                          StageName: apiStageName,
-                          HTTPVerb: "*"
-                        }
-                      ]
-                    }
-                  }
-                ]
-              }
-            }
-          ]
-        }
-      },
-      [`${id}UnauthRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          RoleName: unauthRoleName,
-          Path: "/",
-          AssumeRolePolicyDocument: {
-            Version: "2012-10-17",
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Federated: "cognito-identity.amazonaws.com"
-                },
-                Action: ["sts:AssumeRoleWithWebIdentity"],
-                Condition: {
-                  StringEquals: {
-                    "cognito-identity.amazonaws.com:aud": {
-                      Ref: `${id}IdentityPool`
-                    }
-                  },
-                  "ForAnyValue:StringLike": {
-                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
-                  }
-                }
-              }
-            ]
-          },
-          Policies: [
-            {
-              PolicyName: "CognitoUnauthorizedPolicy",
-              PolicyDocument: {
-                Version: "2012-10-17",
-                Statement: [
-                  {
-                    Effect: "Allow",
-                    Action: [
-                      "mobileanalytics:PutEvents",
-                      "cognito-sync:*",
-                      "cognito-identity:*"
-                    ],
-                    Resource: "*"
-                  }
-                ]
-              }
-            }
-          ]
-        }
-      }
-    } : {};
-    return {
-      Resources: {
-        [id]: {
-          Type: "AWS::Cognito::UserPool",
-          Properties: {
-            UserPoolName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}`, {}]
-            },
-            AccountRecoverySetting: {
-              RecoveryMechanisms: [
-                {
-                  Name: "verified_email",
-                  Priority: 1
-                }
-              ]
-            },
-            AdminCreateUserConfig: {
-              AllowAdminCreateUserOnly: false,
-              UnusedAccountValidityDays: 365
-            },
-            AutoVerifiedAttributes: ["email"],
-            AliasAttributes: ["phone_number", "email", "preferred_username"],
-            Schema: [
-              {
-                Name: "email",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "given_name",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "family_name",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "phone_number",
-                Required: true,
-                Mutable: true
-              }
-            ],
-            DeviceConfiguration: {
-              ChallengeRequiredOnNewDevice: true,
-              DeviceOnlyRememberedOnUserPrompt: false
-            },
-            UsernameConfiguration: {
-              CaseSensitive: false
-            }
-          }
-        },
-        [`${id}BaseDomainRecord`]: !!baseDomainRecordAliasTargetDNSName ? {
-          Type: "AWS::Route53::RecordSet",
-          DeletionPolicy: "Delete",
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: domainName,
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: baseDomainRecordAliasTargetDNSName
-            }
-          }
-        } : void 0,
-        [`${id}DomainRecord`]: {
-          Type: "AWS::Route53::RecordSet",
-          DeletionPolicy: "Delete",
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: {
-              "Fn::Sub": [
-                "auth.${BaseDomainName}",
-                {
-                  BaseDomainName: domainName
-                }
-              ]
-            },
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: {
-                "Fn::GetAtt": [`${id}Domain`, "CloudFrontDistribution"]
-              }
-            }
-          }
-        },
-        [`${id}Domain`]: {
-          Type: "AWS::Cognito::UserPoolDomain",
-          DependsOn: !!baseDomainRecordAliasTargetDNSName ? `${id}BaseDomainRecord` : void 0,
-          Properties: {
-            Domain: {
-              "Fn::Sub": [
-                "auth.${BaseDomainName}",
-                {
-                  BaseDomainName: domainName
-                }
-              ]
-            },
-            UserPoolId: {
-              Ref: id
-            },
-            CustomDomainConfig: {
-              CertificateArn: sslCertificateArn
-            }
-          }
-        },
-        [`${id}Client`]: {
-          Type: "AWS::Cognito::UserPoolClient",
-          Properties: {
-            ClientName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}Client`, {}]
-            },
-            UserPoolId: {
-              Ref: id
-            },
-            AllowedOAuthFlowsUserPoolClient: true,
-            AllowedOAuthFlows: ["code", "implicit"],
-            AllowedOAuthScopes: [
-              "openid",
-              "email",
-              "phone",
-              "profile",
-              "aws.cognito.signin.user.admin"
-            ],
-            CallbackURLs: callbackUrls,
-            LogoutURLs: logoutUrls,
-            EnableTokenRevocation: true,
-            PreventUserExistenceErrors: "ENABLED",
-            SupportedIdentityProviders: ["COGNITO"]
-          }
-        },
-        [`${id}IdentityPool`]: {
-          Type: "AWS::Cognito::IdentityPool",
-          Properties: {
-            IdentityPoolName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}IdentityPool`, {}]
-            },
-            AllowUnauthenticatedIdentities: false,
-            CognitoIdentityProviders: [
-              {
-                ClientId: {
-                  Ref: `${id}Client`
-                },
-                ProviderName: {
-                  "Fn::GetAtt": [id, "ProviderName"]
-                },
-                ServerSideTokenCheck: true
-              }
-            ]
-          }
-        },
-        ...apiRoleConfig
-      }
-    };
-  }
-);
-var SimpleCFT = class {
-  /**
-   * Create a SimpleCFT template wrapper.
-   *
-   * @param template - Initial CloudFormation template.
-   */
-  constructor(template = {
-    AWSTemplateFormatVersion: "2010-09-09"
-  }) {
-    this.template = template;
-  }
-  /**
-   * Apply a pack with configuration to the stack template.
-   * @see {@link IaC} for an example.
-   * */
-  applyPack = (pack, params) => {
-    this.template = pack(params, this.template);
-    return this;
-  };
-  /**
-   * Apply a patch to the stack template.
-   *
-   * @param patch - Template patch to merge.
-   * */
-  patch = (patch) => {
-    this.template = patchTemplate(patch, this.template);
-    return this;
-  };
-  /**
-   * Add a stack parameter including its descriptive info and an optional parameter group.
-   *
-   * @param parameter - Parameter definition and metadata.
-   * */
-  addParameter = (parameter) => {
-    this.template = addParameter(parameter, this.template);
-    return this;
-  };
-  /**
-   * Add a group of stack parameters including their descriptive info and an optional parameter group.
-   *
-   * @param group - Parameter group definition.
-   * */
-  addParameterGroup = ({ Label: Group, Parameters }) => {
-    const parameterIds = Object.keys(Parameters);
-    const parameterList = parameterIds.map((ParameterId) => {
-      const { Label, ...Parameter } = Parameters[ParameterId];
-      return {
-        Group,
-        ParameterId,
-        Label,
-        Parameter
-      };
-    });
-    this.template = addParameters(parameterList, this.template);
-    return this;
-  };
-  /**
-   * Use a modification to dynamically apply various changes at once.
-   *
-   * @param modification - Modification callback to apply.
-   * */
-  modify = (modification) => {
-    modification(this);
-    return this;
-  };
-  /**
-   * Convert the stack template to a string.
-   *
-   * @returns JSON string representation of the template.
-   * */
-  toString = () => JSON.stringify(this.template, null, 2);
-  /**
-   * Convert the stack template to a JSON object.
-   *
-   * @returns Template JSON object.
-   * */
-  toJSON = () => this.template;
-  /**
-   * Convert the stack template to a YAML string.
-   *
-   * @returns YAML string representation of the template.
-   * */
-  toYAML = () => YAML.stringify(this.template, {
-    aliasDuplicateObjects: false
-  });
-};
-
-// src/iac/packs/auth.ts
-var addAuth = createResourcePack(
-  ({
-    userManagementId,
-    authRoleName,
-    unauthRoleName,
-    hostedZoneIdParameterName,
-    domainNameParameterName,
-    sslCertificateId,
-    callbackUrls,
-    logoutUrls,
-    mainCDNCloudFrontId,
-    apiCloudFunctionGatewayId,
-    apiStageName,
-    adminGroupId,
-    userManagementAdminGroupName
-  }) => new SimpleCFT().applyPack(addUserManagement, {
-    id: userManagementId,
-    authRoleName,
-    unauthRoleName,
-    domainName: {
-      Ref: domainNameParameterName
-    },
-    hostedZoneId: {
-      Ref: hostedZoneIdParameterName
-    },
-    sslCertificateArn: {
-      Ref: sslCertificateId
-    },
-    callbackUrls,
-    logoutUrls,
-    baseDomainRecordAliasTargetDNSName: {
-      "Fn::GetAtt": [mainCDNCloudFrontId, "DomainName"]
-    },
-    apiGatewayRESTAPIId: {
-      Ref: apiCloudFunctionGatewayId
-    },
-    apiStageName
-  }).patch({
-    Resources: {
-      [adminGroupId]: {
-        Type: "AWS::Cognito::UserPoolGroup",
-        Properties: {
-          GroupName: userManagementAdminGroupName,
-          UserPoolId: {
-            Ref: userManagementId
-          },
-          Description: "Application admin group."
-        }
-      }
-    }
-  }).template
-);
-
-// src/iac/packs/build.ts
-var DEFAULT_BUILD_PIPELINE_REPO_PROVIDER = "GitHub";
-var addBuildPipeline = createResourcePack(
-  ({
-    id,
-    buildSpec,
-    dependsOn,
-    environmentVariables,
-    timeoutInMinutes = 10,
-    environmentType = "LINUX_CONTAINER",
-    environmentComputeType = "BUILD_GENERAL1_SMALL",
-    environmentImage = "aws/codebuild/nodejs:10.14.1",
-    repoConfig: {
-      provider = DEFAULT_BUILD_PIPELINE_REPO_PROVIDER,
-      owner,
-      repo,
-      branch,
-      oauthToken
-    }
-  }) => ({
-    Resources: {
-      [`${id}CodeBuildRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          AssumeRolePolicyDocument: {
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Service: ["codebuild.amazonaws.com"]
-                },
-                Action: ["sts:AssumeRole"]
-              }
-            ]
-          },
-          Path: "/",
-          Policies: [
-            {
-              PolicyName: "codebuild-service",
-              PolicyDocument: {
-                Statement: [
-                  {
-                    Effect: "Allow",
-                    Action: "*",
-                    Resource: "*"
-                  }
-                ],
-                Version: "2012-10-17"
-              }
-            }
-          ]
-        }
-      },
-      [`${id}CodePipelineRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          AssumeRolePolicyDocument: {
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Service: ["codepipeline.amazonaws.com"]
-                },
-                Action: ["sts:AssumeRole"]
-              }
-            ]
-          },
-          Path: "/",
-          Policies: [
-            {
-              PolicyName: "codepipeline-service",
-              PolicyDocument: {
-                Statement: [
-                  {
-                    Action: ["codebuild:*"],
-                    Resource: "*",
-                    Effect: "Allow"
-                  },
-                  {
-                    Action: [
-                      "s3:GetObject",
-                      "s3:GetObjectVersion",
-                      "s3:GetBucketVersioning"
-                    ],
-                    Resource: "*",
-                    Effect: "Allow"
-                  },
-                  {
-                    Action: ["s3:PutObject"],
-                    Resource: ["arn:aws:s3:::codepipeline*"],
-                    Effect: "Allow"
-                  },
-                  {
-                    Action: ["s3:*", "cloudformation:*", "iam:PassRole"],
-                    Resource: "*",
-                    Effect: "Allow"
-                  }
-                ],
-                Version: "2012-10-17"
-              }
-            }
-          ]
-        }
-      },
-      [`${id}PipelineBucket`]: {
-        Type: "AWS::S3::Bucket",
-        DeletionPolicy: "Delete",
-        Properties: {
-          BucketEncryption: {
-            ServerSideEncryptionConfiguration: [
-              {
-                ServerSideEncryptionByDefault: {
-                  SSEAlgorithm: "AES256"
-                }
-              }
-            ]
-          },
-          PublicAccessBlockConfiguration: {
-            BlockPublicAcls: true,
-            BlockPublicPolicy: true,
-            IgnorePublicAcls: true,
-            RestrictPublicBuckets: true
-          }
-        }
-      },
-      [`${id}CodeBuildAndDeploy`]: {
-        Type: "AWS::CodeBuild::Project",
-        DependsOn: dependsOn,
-        Properties: {
-          Name: {
-            "Fn::Sub": `\${AWS::StackName}-${id}CodeBuildAndDeploy`
-          },
-          Description: "Deploy site to S3",
-          ServiceRole: {
-            "Fn::GetAtt": [`${id}CodeBuildRole`, "Arn"]
-          },
-          Artifacts: {
-            Type: "CODEPIPELINE"
-          },
-          Environment: {
-            Type: environmentType,
-            ComputeType: environmentComputeType,
-            Image: environmentImage,
-            EnvironmentVariables: environmentVariables
-          },
-          Source: {
-            Type: "CODEPIPELINE",
-            BuildSpec: buildSpec
-          },
-          TimeoutInMinutes: timeoutInMinutes
-        }
-      },
-      [`${id}Pipeline`]: {
-        Type: "AWS::CodePipeline::Pipeline",
-        DependsOn: `${id}CodeBuildAndDeploy`,
-        Properties: {
-          RoleArn: {
-            "Fn::GetAtt": [`${id}CodePipelineRole`, "Arn"]
-          },
-          Stages: [
-            {
-              Name: "Acquire-Source",
-              Actions: [
-                {
-                  InputArtifacts: [],
-                  Name: "Source",
-                  ActionTypeId: {
-                    Category: "Source",
-                    Owner: "ThirdParty",
-                    Version: "1",
-                    Provider: provider
-                  },
-                  OutputArtifacts: [
-                    {
-                      Name: "SourceOutput"
-                    }
-                  ],
-                  Configuration: {
-                    Owner: owner,
-                    Repo: repo,
-                    Branch: branch,
-                    OAuthToken: oauthToken
-                  },
-                  RunOrder: 1
-                }
-              ]
-            },
-            {
-              Name: "Build-And-Deploy",
-              Actions: [
-                {
-                  Name: "Artifact",
-                  ActionTypeId: {
-                    Category: "Build",
-                    Owner: "AWS",
-                    Version: "1",
-                    Provider: "CodeBuild"
-                  },
-                  InputArtifacts: [
-                    {
-                      Name: "SourceOutput"
-                    }
-                  ],
-                  OutputArtifacts: [
-                    {
-                      Name: "DeployOutput"
-                    }
-                  ],
-                  Configuration: {
-                    ProjectName: {
-                      Ref: `${id}CodeBuildAndDeploy`
-                    }
-                  },
-                  RunOrder: 1
-                }
-              ]
-            }
-          ],
-          ArtifactStore: {
-            Type: "S3",
-            Location: {
-              Ref: `${id}PipelineBucket`
-            }
-          }
-        }
-      }
-    }
-  })
-);
-var COMMAND_HELPERS = {
-  updateFunction: ({
-    cloudFunctionArn,
-    codeZipFilePath
-  }) => `aws lambda update-function-code --function-name "${cloudFunctionArn}" --zip-file "fileb://${codeZipFilePath}"`,
-  copyDirectoryToS3: ({
-    s3Domain,
-    directoryPath
-  }) => `aws s3 cp --recursive --acl public-read ${directoryPath} s3://${s3Domain}/`,
-  cloudFrontInvalidation: ({
-    cloudFrontDistributionId,
-    pathsToInvalidate = ["/*"]
-  }) => `aws cloudfront create-invalidation --distribution-id "${cloudFrontDistributionId}" --paths "${pathsToInvalidate.join('" "')}"`,
-  addNPMTokenWithNPMRC: ({ npmToken }) => `echo '//registry.npmjs.org/:_authToken=${npmToken}' > .npmrc`
-};
-var createBuildSpec = ({ version = 0.2, phases }) => YAML.stringify(
-  // TRICKY: Removed all keys with a value of `undefined`.
-  JSON.parse(
-    JSON.stringify({
-      version,
-      phases
-    })
-  )
-);
-
-// src/iac/packs/cdn.ts
-var addCDN = createResourcePack(
-  ({
-    id,
-    hostedZoneId,
-    domainName,
-    certificateArn,
-    fileStorageId
-  }) => {
-    const oacId = `${id}OriginAccessControl`;
-    return {
-      Resources: {
-        [oacId]: {
-          Type: "AWS::CloudFront::OriginAccessControl",
-          Properties: {
-            OriginAccessControlConfig: {
-              Name: oacId,
-              OriginAccessControlOriginType: "s3",
-              SigningBehavior: "always",
-              SigningProtocol: "sigv4"
-            }
-          }
-        },
-        [id]: {
-          Type: "AWS::CloudFront::Distribution",
-          DependsOn: fileStorageId,
-          Properties: {
-            DistributionConfig: {
-              Aliases: [domainName],
-              ViewerCertificate: {
-                AcmCertificateArn: certificateArn,
-                SslSupportMethod: "sni-only",
-                MinimumProtocolVersion: "TLSv1.1_2016"
-              },
-              DefaultCacheBehavior: {
-                ForwardedValues: {
-                  QueryString: false
-                },
-                TargetOriginId: {
-                  "Fn::Sub": [
-                    "S3-${S3BucketName}",
-                    {
-                      S3BucketName: domainName
-                    }
-                  ]
-                },
-                ViewerProtocolPolicy: "redirect-to-https"
-              },
-              DefaultRootObject: "index.html",
-              Enabled: true,
-              IPV6Enabled: false,
-              HttpVersion: "http2",
-              Origins: [
-                {
-                  DomainName: {
-                    "Fn::Sub": [
-                      "${S3BucketName}.s3.amazonaws.com",
-                      {
-                        S3BucketName: domainName
-                      }
-                    ]
-                  },
-                  Id: {
-                    "Fn::Sub": [
-                      "S3-${S3BucketName}",
-                      {
-                        S3BucketName: domainName
-                      }
-                    ]
-                  },
-                  OriginAccessControlId: { Ref: oacId },
-                  S3OriginConfig: {
-                    OriginAccessIdentity: ""
-                  }
-                }
-              ],
-              CustomErrorResponses: [
-                {
-                  ErrorCachingMinTTL: 300,
-                  ErrorCode: 404,
-                  ResponseCode: 200,
-                  ResponsePagePath: "/index.html"
-                },
-                {
-                  ErrorCachingMinTTL: 300,
-                  ErrorCode: 403,
-                  ResponseCode: 200,
-                  ResponsePagePath: "/index.html"
-                }
-              ],
-              PriceClass: "PriceClass_All"
-            }
-          }
-        },
-        [`${id}Route53Record`]: {
-          Type: "AWS::Route53::RecordSet",
-          DependsOn: [id],
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: {
-              "Fn::Sub": [
-                "${DomainName}.",
-                {
-                  DomainName: domainName
-                }
-              ]
-            },
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: {
-                "Fn::Sub": [
-                  "${DomainName}.",
-                  {
-                    DomainName: {
-                      "Fn::GetAtt": [id, "DomainName"]
-                    }
-                  }
-                ]
-              }
-            }
-          }
-        }
-      }
-    };
-  }
-);
-
-// src/iac/packs/cloud-function.ts
-var PLACEHOLDER_FUNCTION_CODE = {
-  ZipFile: `module.exports = {handler: async () => ({
-            statusCode: 200,
-            headers: {'Content-Type': 'application/json'},
-            body: '"You did it!"'
-          })};
-`
-};
-var addCloudFunction = createResourcePack(
-  ({
-    id,
-    code = PLACEHOLDER_FUNCTION_CODE,
-    environment = {
-      Variables: {
-        NODE_ENV: "production"
-      }
-    },
-    handler = "index.handler",
-    runtime = "nodejs26.x",
-    timeout = 30,
-    policies = [
-      {
-        PolicyName: "lambda-parameter-store",
-        PolicyDocument: {
-          Version: "2012-10-17",
-          Statement: [
-            {
-              Effect: "Allow",
-              Action: ["*"],
-              Resource: "*"
-            }
-          ]
-        }
-      }
-    ]
-  }) => {
-    return {
-      Resources: {
-        [`${id}Role`]: {
-          Type: "AWS::IAM::Role",
-          Properties: {
-            ManagedPolicyArns: [
-              "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-            ],
-            AssumeRolePolicyDocument: {
-              Version: "2012-10-17",
-              Statement: [
-                {
-                  Action: ["sts:AssumeRole"],
-                  Effect: "Allow",
-                  Principal: {
-                    Service: ["lambda.amazonaws.com"]
-                  }
-                }
-              ]
-            },
-            Policies: policies
-          }
-        },
-        [id]: {
-          Type: "AWS::Lambda::Function",
-          Properties: {
-            Timeout: timeout,
-            Code: code,
-            Environment: environment,
-            Handler: handler,
-            Role: {
-              "Fn::GetAtt": [`${id}Role`, "Arn"]
-            },
-            Runtime: runtime
-          }
-        }
-      }
-    };
-  }
-);
-
-// src/iac/packs/database.ts
-var addDatabase = createResourcePack(
-  ({
-    tableId,
-    tableName,
-    keys,
-    attributes,
-    billingMode = "PAY_PER_REQUEST"
-  }) => new SimpleCFT().patch({
-    Resources: {
-      [tableId]: {
-        Type: "AWS::DynamoDB::Table",
-        Properties: {
-          TableName: tableName,
-          AttributeDefinitions: Object.keys(attributes).map(
-            (attributeName) => ({
-              AttributeName: attributeName,
-              AttributeType: attributes[attributeName]
-            })
-          ),
-          KeySchema: Object.keys(keys).map((keyName) => ({
-            AttributeName: keyName,
-            KeyType: keys[keyName]
-          })),
-          BillingMode: billingMode
-        }
-      }
-    }
-  }).template
-);
-
-// src/iac/packs/dns.ts
-var addDNS = createResourcePack(
-  ({
-    id,
-    hostedZoneId,
-    domainName,
-    resourceRecords,
-    recordType = "A"
-  }) => {
-    let cft = new SimpleCFT().patch({
-      Resources: {
-        [id]: {
-          Type: "AWS::Route53::RecordSet",
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: recordType,
-            Name: domainName,
-            ResourceRecords: resourceRecords,
-            TTL: "300"
-          }
-        }
-      }
-    });
-    return cft.template;
-  }
-);
-
-// src/iac/packs/file-storage.ts
-var addSecureFileStorage = createResourcePack(
-  ({
-    id,
-    bucketName,
-    shouldDelete = true,
-    blockPublicAccess = true,
-    cors = false,
-    accessControl = void 0,
-    allowACLs = false
-  }) => {
-    return {
-      Resources: {
-        [id]: {
-          Type: "AWS::S3::Bucket",
-          DeletionPolicy: shouldDelete ? "Delete" : "Retain",
-          Properties: {
-            BucketName: bucketName,
-            AccessControl: accessControl,
-            OwnershipControls: allowACLs ? {
-              Rules: [
-                {
-                  ObjectOwnership: "ObjectWriter"
-                }
-              ]
-            } : void 0,
-            CorsConfiguration: typeof cors === "object" ? cors : cors === true ? {
-              CorsRules: [
-                {
-                  AllowedHeaders: ["*"],
-                  AllowedMethods: [
-                    "GET",
-                    "PUT",
-                    "POST",
-                    "DELETE",
-                    "HEAD"
-                  ],
-                  AllowedOrigins: ["*"]
-                }
-              ]
-            } : void 0,
-            BucketEncryption: {
-              ServerSideEncryptionConfiguration: [
-                {
-                  ServerSideEncryptionByDefault: {
-                    SSEAlgorithm: "AES256"
-                  }
-                }
-              ]
-            },
-            PublicAccessBlockConfiguration: blockPublicAccess ? {
-              BlockPublicAcls: true,
-              BlockPublicPolicy: true,
-              IgnorePublicAcls: true,
-              RestrictPublicBuckets: true
-            } : {
-              BlockPublicAcls: false,
-              BlockPublicPolicy: false,
-              IgnorePublicAcls: false,
-              RestrictPublicBuckets: false
-            }
-          }
-        }
-      }
-    };
-  }
-);
-
-// src/iac/packs/gateway.ts
-var DEFAULT_AUTH_TYPE = "COGNITO_USER_POOLS";
-var addGateway = createResourcePack(
-  ({
-    id,
-    hostedZoneId,
-    domainName,
-    certificateArn,
-    cloudFunction: {
-      id: cloudFunctionId,
-      region: cloudFunctionRegion = "${AWS::Region}"
-    },
-    stageName = "production",
-    authorizer,
-    deploymentSuffix = ""
-  }) => {
-    const cloudFunctionUri = {
-      "Fn::Sub": `arn:aws:apigateway:${cloudFunctionRegion}:lambda:path/2015-03-31/functions/\${${cloudFunctionId}.Arn}/invocations`
-    };
-    const {
-      scopes: authScopes = ["phone", "email", "openid", "profile"],
-      type: authType = "COGNITO_USER_POOLS",
-      providerARNs,
-      identitySource = "method.request.header.authorization"
-    } = !!authorizer && typeof authorizer === "object" ? authorizer : {};
-    const authorizerId = `${id}CustomAuthorizer`;
-    const authProps = !!authorizer ? {
-      AuthorizationScopes: authScopes,
-      AuthorizationType: authType === DEFAULT_AUTH_TYPE ? DEFAULT_AUTH_TYPE : "CUSTOM",
-      AuthorizerId: {
-        Ref: authorizerId
-      }
-    } : {
-      AuthorizationType: "NONE"
-    };
-    const fullDeploymentId = `${id}GatewayRESTAPIDeployment${deploymentSuffix}`;
-    return new SimpleCFT().patch({
-      Resources: {
-        // REST API
-        [id]: {
-          Type: "AWS::ApiGateway::RestApi",
-          Properties: {
-            Name: {
-              "Fn::Sub": `\${AWS::StackName}-${id}GatewayRESTAPI`
-            },
-            EndpointConfiguration: {
-              Types: ["EDGE"]
-            }
-          }
-        },
-        [`${id}GatewayRESTAPIResource`]: {
-          Type: "AWS::ApiGateway::Resource",
-          DependsOn: id,
-          Properties: {
-            ParentId: {
-              "Fn::GetAtt": [id, "RootResourceId"]
-            },
-            PathPart: "{proxy+}",
-            RestApiId: {
-              Ref: id
-            }
-          }
-        },
-        [`${id}GatewayRESTAPIMethod`]: {
-          Type: "AWS::ApiGateway::Method",
-          DependsOn: `${id}GatewayRESTAPIResource`,
-          Properties: {
-            ...authProps,
-            HttpMethod: "ANY",
-            ResourceId: {
-              Ref: `${id}GatewayRESTAPIResource`
-            },
-            RestApiId: {
-              Ref: id
-            },
-            Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
-            }
-          }
-        },
-        [`${id}GatewayRESTAPIRootMethod`]: {
-          Type: "AWS::ApiGateway::Method",
-          DependsOn: `${id}GatewayRESTAPIResource`,
-          Properties: {
-            ...authProps,
-            HttpMethod: "ANY",
-            ResourceId: {
-              "Fn::GetAtt": [id, "RootResourceId"]
-            },
-            RestApiId: {
-              Ref: id
-            },
-            Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
-            }
-          }
-        }
-      }
-    }).patch({
-      Resources: {
-        // CORS
-        [`${id}GatewayRESTAPIOPTIONSMethod`]: {
-          Type: "AWS::ApiGateway::Method",
-          DependsOn: `${id}GatewayRESTAPIResource`,
-          Properties: {
-            AuthorizationType: "NONE",
-            HttpMethod: "OPTIONS",
-            ResourceId: {
-              Ref: `${id}GatewayRESTAPIResource`
-            },
-            RestApiId: {
-              Ref: id
-            },
-            Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
-            }
-          }
-        },
-        [`${id}GatewayRESTAPIRootOPTIONSMethod`]: {
-          Type: "AWS::ApiGateway::Method",
-          DependsOn: `${id}GatewayRESTAPIResource`,
-          Properties: {
-            AuthorizationType: "NONE",
-            HttpMethod: "OPTIONS",
-            ResourceId: {
-              "Fn::GetAtt": [id, "RootResourceId"]
-            },
-            RestApiId: {
-              Ref: id
-            },
-            Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
-            }
-          }
-        },
-        [`${id}GatewayResponseDefault4XX`]: {
-          Type: "AWS::ApiGateway::GatewayResponse",
-          Properties: {
-            ResponseParameters: {
-              // Not authorized, so just allow the current origin by mapping it into the header.
-              "gatewayresponse.header.Access-Control-Allow-Origin": "method.request.header.origin",
-              "gatewayresponse.header.Access-Control-Allow-Credentials": "'true'",
-              "gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
-            },
-            ResponseType: "DEFAULT_4XX",
-            RestApiId: {
-              Ref: id
-            }
-          }
-        }
-      }
-    }).patch({
-      Resources: {
-        // SUPPORTING RESOURCES
-        [fullDeploymentId]: {
-          Type: "AWS::ApiGateway::Deployment",
-          DependsOn: [
-            `${id}GatewayRESTAPIResource`,
-            `${id}GatewayRESTAPIMethod`,
-            `${id}GatewayRESTAPIRootMethod`,
-            id,
-            cloudFunctionId
-          ],
-          Properties: {
-            RestApiId: {
-              Ref: id
-            }
-          }
-        },
-        [`${id}CloudWatch`]: {
-          Type: "AWS::Logs::LogGroup",
-          Properties: {
-            LogGroupName: {
-              "Fn::Sub": `\${AWS::StackName}-${id}GatewayLogs`
-            }
-          }
-        },
-        [`${id}CloudWatchRole`]: {
-          Type: "AWS::IAM::Role",
-          Properties: {
-            AssumeRolePolicyDocument: {
-              Version: "2012-10-17",
-              Statement: [
-                {
-                  Effect: "Allow",
-                  Principal: {
-                    Service: ["apigateway.amazonaws.com"]
-                  },
-                  Action: "sts:AssumeRole"
-                }
-              ]
-            },
-            Path: "/",
-            ManagedPolicyArns: [
-              "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
-            ]
-          }
-        },
-        [`${id}CloudWatchAccount`]: {
-          Type: "AWS::ApiGateway::Account",
-          Properties: {
-            CloudWatchRoleArn: {
-              "Fn::GetAtt": [`${id}CloudWatchRole`, "Arn"]
-            }
-          }
-        },
-        [`${id}GatewayRESTAPIEnvironment`]: {
-          Type: "AWS::ApiGateway::Stage",
-          DependsOn: [`${id}CloudWatchAccount`, fullDeploymentId],
-          Properties: {
-            AccessLogSetting: {
-              DestinationArn: {
-                "Fn::GetAtt": [`${id}CloudWatch`, "Arn"]
-              },
-              Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","caller":"$context.identity.caller","user":"$context.identity.user","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","resourcePath":"$context.resourcePath","status":"$context.status","protocol":"$context.protocol","responseLength":"$context.responseLength","apiGatewayErrorMessage":"$context.error.message"}'
-            },
-            DeploymentId: {
-              Ref: fullDeploymentId
-            },
-            RestApiId: {
-              Ref: id
-            },
-            StageName: stageName
-          }
-        }
-      }
-    }).patch({
-      Resources: {
-        // DNS
-        [`${id}DomainName`]: {
-          Type: "AWS::ApiGateway::DomainName",
-          Properties: {
-            CertificateArn: certificateArn,
-            DomainName: domainName,
-            EndpointConfiguration: {
-              Types: ["EDGE"]
-            }
-          }
-        },
-        [`${id}DomainNameBasePathMapping`]: {
-          Type: "AWS::ApiGateway::BasePathMapping",
-          DependsOn: [
-            id,
-            `${id}GatewayRESTAPIEnvironment`,
-            `${id}DomainName`
-          ],
-          Properties: {
-            DomainName: domainName,
-            RestApiId: {
-              Ref: id
-            },
-            Stage: stageName
-          }
-        },
-        [`${id}Route53Record`]: {
-          Type: "AWS::Route53::RecordSet",
-          DependsOn: `${id}DomainName`,
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: {
-              "Fn::Sub": [
-                "${DomainName}.",
-                {
-                  DomainName: domainName
-                }
-              ]
-            },
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: {
-                "Fn::Sub": [
-                  "${DomainName}.",
-                  {
-                    DomainName: {
-                      "Fn::GetAtt": [
-                        `${id}DomainName`,
-                        "DistributionDomainName"
-                      ]
-                    }
-                  }
-                ]
-              }
-            }
-          }
-        }
-      }
-    }).patch({
-      Resources: {
-        // PERMISSIONS
-        [`${id}CloudFunctionANYResourcePermission`]: {
-          Type: "AWS::Lambda::Permission",
-          Properties: {
-            Action: "lambda:InvokeFunction",
-            Principal: "apigateway.amazonaws.com",
-            FunctionName: {
-              "Fn::GetAtt": [cloudFunctionId, "Arn"]
-            },
-            SourceArn: {
-              "Fn::Sub": [
-                "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
-                {
-                  __Stage__: stageName,
-                  __ApiId__: {
-                    Ref: id
-                  }
-                }
-              ]
-            }
-          }
-        }
-      }
-    }).patch(
-      !!authorizer ? {
-        Resources: {
-          // AUTHORIZER
-          [`${id}CustomAuthorizer`]: {
-            Type: "AWS::ApiGateway::Authorizer",
-            Properties: {
-              IdentitySource: identitySource,
-              Name: `${id}CustomAuthorizer`,
-              ProviderARNs: providerARNs,
-              RestApiId: {
-                Ref: id
-              },
-              Type: "COGNITO_USER_POOLS"
-            }
-          }
-        }
-      } : {}
-    ).template;
-  }
-);
-
-// src/iac/packs/repo.ts
-var addRepo = createResourcePack(
-  ({
-    repoOwnerParameterName,
-    repoNameParameterName,
-    repoBranchParameterName,
-    repoTokenParameterName
-  }) => new SimpleCFT().addParameterGroup({
-    Label: "Repository",
-    Parameters: {
-      [repoOwnerParameterName]: {
-        Label: "RepoOwner",
-        Type: "String",
-        Description: "The owner of the repository"
-      },
-      [repoNameParameterName]: {
-        Label: "RepoName",
-        Type: "String",
-        Description: "The name of the repository"
-      },
-      [repoBranchParameterName]: {
-        Label: "RepoBranch",
-        Type: "String",
-        Description: "The branch of the repository"
-      },
-      [repoTokenParameterName]: {
-        Label: "RepoToken",
-        Type: "String",
-        Description: "The token of the repository",
-        NoEcho: true
-      }
-    }
-  }).template
-);
-
-// src/iac/packs/ssl-certificate.ts
-var addSSLCertificate = createResourcePack(
-  ({
-    id,
-    domainName,
-    hostedZoneId,
-    includeWildCard = true
-  }) => ({
-    Resources: {
-      [id]: {
-        Type: "AWS::CertificateManager::Certificate",
-        Properties: {
-          DomainName: domainName,
-          ValidationMethod: "DNS",
-          DomainValidationOptions: [
-            {
-              DomainName: domainName,
-              HostedZoneId: hostedZoneId
-            }
-          ],
-          SubjectAlternativeNames: includeWildCard ? [
-            {
-              "Fn::Sub": [
-                "*.${BaseDomainName}",
-                {
-                  BaseDomainName: domainName
-                }
-              ]
-            }
-          ] : void 0
-        }
-      }
-    }
-  })
-);
-
-export { packs_exports as Packs, SimpleCFT, utils_exports as Utils };
+export { DEFAULT_MERGE_STRATEGY, SimpleCFT, addParameter, addParameters, createResourcePack, getValuePathArray, getValuePathString, isConstructedFrom, mergeValues, patchTemplate } from '../chunk-ATO2455Q.js';
+import '../chunk-I2KLQ2HA.js';