@resistdesign/voltra 3.0.0-alpha.4 → 3.0.0-alpha.41

package/iac/packs/index.js

@@ -1,441 +1,308 @@
+import { createResourcePack, SimpleCFT } from '../../chunk-ATO2455Q.js';
+import '../../chunk-I2KLQ2HA.js';
 import YAML from 'yaml';
 
-// src/iac/utils/patch-utils.ts
-var DEFAULT_MERGE_STRATEGY = "transpose";
-var getValuePathString = (valuePathArray = []) => valuePathArray.map((p) => encodeURIComponent(p)).join("/");
-var isConstructedFrom = (value, constructorReference) => value !== null && typeof value === "object" && "constructor" in value && value.constructor === constructorReference;
-var mergeValues = (valuePathArray = [], existingValue, newValue, mergeStrategyMap = {}) => {
-  const valuePathString = getValuePathString(valuePathArray);
-  const arrayIndexWildcardValuePathString = getValuePathString(
-    valuePathArray.map((p) => typeof p === "number" ? "#" : p)
-  );
-  const {
-    [valuePathString]: {
-      strategy: specificKeyMergeStrategy = DEFAULT_MERGE_STRATEGY,
-      data: specificKeyMergeStrategyData = void 0
-    } = {},
-    [arrayIndexWildcardValuePathString]: {
-      strategy: arrayIndexWildcardMergeStrategy = DEFAULT_MERGE_STRATEGY,
-      data: arrayIndexWildcardMergeStrategyData = void 0
-    } = {}
-  } = mergeStrategyMap;
-  const mergeStrategy = valuePathString in mergeStrategyMap ? specificKeyMergeStrategy : arrayIndexWildcardMergeStrategy;
-  const mergeStrategyData = valuePathString in mergeStrategyMap ? specificKeyMergeStrategyData : arrayIndexWildcardMergeStrategyData;
-  let mergedValue = typeof newValue !== "undefined" ? newValue : existingValue;
-  if (mergeStrategy !== "replace") {
-    if (isConstructedFrom(existingValue, Array) && isConstructedFrom(newValue, Array)) {
-      if (mergeStrategy === "accumulate") {
-        mergedValue = [...existingValue, ...newValue];
-      } else if (mergeStrategy === "accumulate-unique") {
-        mergedValue = [
-          ...existingValue,
-          ...newValue.filter(
-            (item) => existingValue.indexOf(item) === -1
-          )
-        ];
-      } else if (mergeStrategy === "accumulate-unique-by") {
-        const existingItemMap = {};
-        const newItemMap = {};
-        for (let i = 0; i < existingValue.length; i++) {
-          const existingItem = existingValue[i];
-          if (existingItem && typeof existingItem === "object") {
-            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(existingItem) : existingItem[mergeStrategyData];
-            existingItemMap[identifier] = existingItem;
-          }
-        }
-        for (let j = 0; j < newValue.length; j++) {
-          const newItem = newValue[j];
-          if (newItem && typeof newItem === "object") {
-            const identifier = mergeStrategyData instanceof Function ? mergeStrategyData(newItem) : newItem[mergeStrategyData];
-            newItemMap[identifier] = newItem;
-          }
-        }
-        mergedValue = Object.keys({
-          ...existingItemMap,
-          ...newItemMap
-        }).map(
-          (id, index) => mergeValues(
-            [...valuePathArray, index],
-            existingItemMap[id],
-            newItemMap[id],
-            mergeStrategyMap
-          )
-        );
-      } else if (mergeStrategy === "transpose") {
-        const fullLength = Math.max(existingValue.length, newValue.length);
-        mergedValue = [...new Array(fullLength)].map(
-          (_empty, index) => mergeValues(
-            [...valuePathArray, index],
-            existingValue[index],
-            newValue[index],
-            mergeStrategyMap
-          )
-        );
-      }
-    } else if (isConstructedFrom(existingValue, Object) && isConstructedFrom(newValue, Object)) {
-      mergedValue = Object.keys({ ...existingValue, ...newValue }).reduce(
-        (acc, k) => ({
-          ...acc,
-          [k]: mergeValues(
-            [...valuePathArray, k],
-            existingValue[k],
-            newValue[k],
-            mergeStrategyMap
-          )
-        }),
-        {}
-      );
-    }
-  }
-  return mergedValue;
-};
-
-// src/iac/utils/index.ts
-var addParameter = (parameterInfo, template) => {
-  const { ParameterId, Parameter, Label, Group } = parameterInfo;
-  const {
-    Parameters,
-    Metadata: {
-      "AWS::CloudFormation::Interface": {
-        ParameterGroups = [],
-        ParameterLabels = {}
-      } = {}
-    } = {}
-  } = template;
-  let NewParameterGroups = ParameterGroups;
-  if (Group) {
-    const GroupObject = ParameterGroups.filter(
-      (g) => g.Label?.default === Group
-    )[0];
-    NewParameterGroups = GroupObject ? ParameterGroups.map(
-      (g) => g.Label?.default === Group ? {
-        ...g,
-        Parameters: [...g.Parameters || [], ParameterId]
-      } : g
-    ) : [
-      ...ParameterGroups,
-      {
-        Label: {
-          default: Group
-        },
-        Parameters: [ParameterId]
-      }
-    ];
-  }
-  return {
-    ...template,
-    Parameters: {
-      ...Parameters,
-      [ParameterId]: Parameter
-    },
-    Metadata: {
-      ...template.Metadata,
-      "AWS::CloudFormation::Interface": {
-        ...template?.Metadata?.["AWS::CloudFormation::Interface"],
-        ParameterGroups: NewParameterGroups,
-        ParameterLabels: {
-          ...ParameterLabels,
-          [ParameterId]: {
-            default: Label
-          }
-        }
-      }
-    }
-  };
-};
-var addParameters = (parameters, template) => parameters.reduce((acc, p) => addParameter(p, acc), template);
-var patchTemplate = (patch, template) => mergeValues([], template, patch, {
-  [getValuePathString([
-    // Parameter Groups
-    "Metadata",
-    "AWS::CloudFormation::Interface",
-    "ParameterGroups"
-  ])]: {
-    strategy: "accumulate-unique-by",
-    data: (pG) => pG?.Label?.default
-  },
-  [getValuePathString([
-    // Parameter Group Parameter Ids
-    "Metadata",
-    "AWS::CloudFormation::Interface",
-    "ParameterGroups",
-    "#",
-    "Parameters"
-  ])]: {
-    strategy: "accumulate-unique"
-  }
+// src/iac/packs/auth.ts
+var resolveUserManagementIds = (baseId, ids) => ({
+  userPool: ids?.userPool || baseId,
+  userPoolClient: ids?.userPoolClient || `${baseId}Client`,
+  identityPool: ids?.identityPool || `${baseId}IdentityPool`,
+  authRole: ids?.authRole || `${baseId}AuthRole`,
+  unauthRole: ids?.unauthRole || `${baseId}UnauthRole`,
+  roleAttachment: ids?.roleAttachment || `${baseId}IdentityPoolRoles`,
+  domain: ids?.domain || `${baseId}Domain`,
+  domainRecord: ids?.domainRecord || `${baseId}DomainRecord`,
+  baseDomainRecord: ids?.baseDomainRecord || `${baseId}BaseDomainRecord`
 });
-var createResourcePack = (creator) => (params, template) => {
-  const patch = creator(params);
-  return patchTemplate(patch, template);
-};
-
-// src/iac/packs/auth/user-management.ts
-var addUserManagement = createResourcePack(
-  ({
-    id,
+var addAuth = createResourcePack((config) => {
+  const {
+    userManagementId,
+    userManagementIds,
     authRoleName,
     unauthRoleName,
-    domainName,
-    hostedZoneId,
-    sslCertificateArn,
-    callbackUrls,
-    logoutUrls,
-    baseDomainRecordAliasTargetDNSName,
-    apiGatewayRESTAPIId,
-    apiStageName
-  }) => {
-    const apiRoleConfig = apiGatewayRESTAPIId && apiStageName ? {
-      [`${id}IdentityPoolRoles`]: {
-        Type: "AWS::Cognito::IdentityPoolRoleAttachment",
-        Properties: {
-          IdentityPoolId: {
-            Ref: `${id}IdentityPool`
+    apiCloudFunctionGatewayId,
+    apiStageName,
+    adminGroupId,
+    userManagementAdminGroupName
+  } = config;
+  const resolvedIds = resolveUserManagementIds(
+    userManagementId,
+    userManagementIds
+  );
+  const isUserPoolDomainEnabled = config.enableUserPoolDomain !== false;
+  const supportedIdentityProviders = isUserPoolDomainEnabled && "supportedIdentityProviders" in config && config.supportedIdentityProviders && config.supportedIdentityProviders.length > 0 ? config.supportedIdentityProviders : ["COGNITO"];
+  const apiRoleConfig = {
+    [resolvedIds.roleAttachment]: {
+      Type: "AWS::Cognito::IdentityPoolRoleAttachment",
+      Properties: {
+        IdentityPoolId: {
+          Ref: resolvedIds.identityPool
+        },
+        Roles: {
+          authenticated: {
+            "Fn::GetAtt": [resolvedIds.authRole, "Arn"]
           },
-          Roles: {
-            authenticated: {
-              "Fn::GetAtt": [`${id}AuthRole`, "Arn"]
-            },
-            unauthenticated: {
-              "Fn::GetAtt": [`${id}UnauthRole`, "Arn"]
-            }
+          unauthenticated: {
+            "Fn::GetAtt": [resolvedIds.unauthRole, "Arn"]
           }
         }
-      },
-      [`${id}AuthRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          RoleName: authRoleName,
-          Path: "/",
-          AssumeRolePolicyDocument: {
-            Version: "2012-10-17",
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Federated: "cognito-identity.amazonaws.com"
-                },
-                Action: ["sts:AssumeRoleWithWebIdentity"],
-                Condition: {
-                  StringEquals: {
-                    "cognito-identity.amazonaws.com:aud": {
-                      Ref: `${id}IdentityPool`
-                    }
-                  },
-                  "ForAnyValue:StringLike": {
-                    "cognito-identity.amazonaws.com:amr": "authenticated"
-                  }
-                }
-              }
-            ]
-          },
-          Policies: [
+      }
+    },
+    [resolvedIds.authRole]: {
+      Type: "AWS::IAM::Role",
+      Properties: {
+        RoleName: authRoleName,
+        Path: "/",
+        AssumeRolePolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
             {
-              PolicyName: "CognitoAuthorizedPolicy",
-              PolicyDocument: {
-                Version: "2012-10-17",
-                Statement: [
-                  {
-                    Effect: "Allow",
-                    Action: [
-                      "mobileanalytics:PutEvents",
-                      "cognito-sync:*",
-                      "cognito-identity:*"
-                    ],
-                    Resource: "*"
-                  },
-                  {
-                    Effect: "Allow",
-                    Action: ["execute-api:Invoke"],
-                    Resource: {
-                      "Fn::Sub": [
-                        "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
-                        {
-                          Region: {
-                            Ref: "AWS::Region"
-                          },
-                          AccountId: {
-                            Ref: "AWS::AccountId"
-                          },
-                          APIID: apiGatewayRESTAPIId,
-                          StageName: apiStageName,
-                          HTTPVerb: "*"
-                        }
-                      ]
-                    }
+              Effect: "Allow",
+              Principal: {
+                Federated: "cognito-identity.amazonaws.com"
+              },
+              Action: ["sts:AssumeRoleWithWebIdentity"],
+              Condition: {
+                StringEquals: {
+                  "cognito-identity.amazonaws.com:aud": {
+                    Ref: resolvedIds.identityPool
                   }
-                ]
+                },
+                "ForAnyValue:StringLike": {
+                  "cognito-identity.amazonaws.com:amr": "authenticated"
+                }
               }
             }
           ]
-        }
-      },
-      [`${id}UnauthRole`]: {
-        Type: "AWS::IAM::Role",
-        Properties: {
-          RoleName: unauthRoleName,
-          Path: "/",
-          AssumeRolePolicyDocument: {
-            Version: "2012-10-17",
-            Statement: [
-              {
-                Effect: "Allow",
-                Principal: {
-                  Federated: "cognito-identity.amazonaws.com"
+        },
+        Policies: [
+          {
+            PolicyName: "CognitoAuthorizedPolicy",
+            PolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
+                {
+                  Effect: "Allow",
+                  Action: [
+                    "mobileanalytics:PutEvents",
+                    "cognito-sync:*",
+                    "cognito-identity:*"
+                  ],
+                  Resource: "*"
                 },
-                Action: ["sts:AssumeRoleWithWebIdentity"],
-                Condition: {
-                  StringEquals: {
-                    "cognito-identity.amazonaws.com:aud": {
-                      Ref: `${id}IdentityPool`
-                    }
-                  },
-                  "ForAnyValue:StringLike": {
-                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
+                {
+                  Effect: "Allow",
+                  Action: ["execute-api:Invoke"],
+                  Resource: {
+                    "Fn::Sub": [
+                      "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
+                      {
+                        Region: {
+                          Ref: "AWS::Region"
+                        },
+                        AccountId: {
+                          Ref: "AWS::AccountId"
+                        },
+                        APIID: {
+                          Ref: apiCloudFunctionGatewayId
+                        },
+                        StageName: apiStageName,
+                        HTTPVerb: "*"
+                      }
+                    ]
                   }
                 }
-              }
-            ]
-          },
-          Policies: [
+              ]
+            }
+          }
+        ]
+      }
+    },
+    [resolvedIds.unauthRole]: {
+      Type: "AWS::IAM::Role",
+      Properties: {
+        RoleName: unauthRoleName,
+        Path: "/",
+        AssumeRolePolicyDocument: {
+          Version: "2012-10-17",
+          Statement: [
             {
-              PolicyName: "CognitoUnauthorizedPolicy",
-              PolicyDocument: {
-                Version: "2012-10-17",
-                Statement: [
-                  {
-                    Effect: "Allow",
-                    Action: [
-                      "mobileanalytics:PutEvents",
-                      "cognito-sync:*",
-                      "cognito-identity:*"
-                    ],
-                    Resource: "*"
+              Effect: "Allow",
+              Principal: {
+                Federated: "cognito-identity.amazonaws.com"
+              },
+              Action: ["sts:AssumeRoleWithWebIdentity"],
+              Condition: {
+                StringEquals: {
+                  "cognito-identity.amazonaws.com:aud": {
+                    Ref: resolvedIds.identityPool
                   }
-                ]
+                },
+                "ForAnyValue:StringLike": {
+                  "cognito-identity.amazonaws.com:amr": "unauthenticated"
+                }
               }
             }
           ]
-        }
-      }
-    } : {};
-    return {
-      Resources: {
-        [id]: {
-          Type: "AWS::Cognito::UserPool",
-          Properties: {
-            UserPoolName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}`, {}]
-            },
-            AccountRecoverySetting: {
-              RecoveryMechanisms: [
+        },
+        Policies: [
+          {
+            PolicyName: "CognitoUnauthorizedPolicy",
+            PolicyDocument: {
+              Version: "2012-10-17",
+              Statement: [
                 {
-                  Name: "verified_email",
-                  Priority: 1
+                  Effect: "Allow",
+                  Action: [
+                    "mobileanalytics:PutEvents",
+                    "cognito-sync:*",
+                    "cognito-identity:*"
+                  ],
+                  Resource: "*"
                 }
               ]
-            },
-            AdminCreateUserConfig: {
-              AllowAdminCreateUserOnly: false,
-              UnusedAccountValidityDays: 365
-            },
-            AutoVerifiedAttributes: ["email"],
-            AliasAttributes: ["phone_number", "email", "preferred_username"],
-            Schema: [
-              {
-                Name: "email",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "given_name",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "family_name",
-                Required: true,
-                Mutable: true
-              },
-              {
-                Name: "phone_number",
-                Required: true,
-                Mutable: true
-              }
-            ],
-            DeviceConfiguration: {
-              ChallengeRequiredOnNewDevice: true,
-              DeviceOnlyRememberedOnUserPrompt: false
-            },
-            UsernameConfiguration: {
-              CaseSensitive: false
             }
           }
+        ]
+      }
+    }
+  };
+  const userPoolDomainConfig = config.enableUserPoolDomain === false ? {} : {
+    [resolvedIds.baseDomainRecord]: {
+      Type: "AWS::Route53::RecordSet",
+      DeletionPolicy: "Delete",
+      Properties: {
+        HostedZoneId: {
+          Ref: config.hostedZoneIdParameterName
         },
-        [`${id}BaseDomainRecord`]: !!baseDomainRecordAliasTargetDNSName ? {
-          Type: "AWS::Route53::RecordSet",
-          DeletionPolicy: "Delete",
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: domainName,
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: baseDomainRecordAliasTargetDNSName
-            }
+        Type: "A",
+        Name: {
+          Ref: config.domainNameParameterName
+        },
+        AliasTarget: {
+          HostedZoneId: "Z2FDTNDATAQYW2",
+          DNSName: {
+            "Fn::GetAtt": [config.mainCDNCloudFrontId, "DomainName"]
           }
-        } : void 0,
-        [`${id}DomainRecord`]: {
-          Type: "AWS::Route53::RecordSet",
-          DeletionPolicy: "Delete",
-          Properties: {
-            HostedZoneId: hostedZoneId,
-            Type: "A",
-            Name: {
-              "Fn::Sub": [
-                "auth.${BaseDomainName}",
-                {
-                  BaseDomainName: domainName
-                }
-              ]
-            },
-            AliasTarget: {
-              HostedZoneId: "Z2FDTNDATAQYW2",
-              DNSName: {
-                "Fn::GetAtt": [`${id}Domain`, "CloudFrontDistribution"]
+        }
+      }
+    },
+    [resolvedIds.domainRecord]: {
+      Type: "AWS::Route53::RecordSet",
+      DeletionPolicy: "Delete",
+      Properties: {
+        HostedZoneId: {
+          Ref: config.hostedZoneIdParameterName
+        },
+        Type: "A",
+        Name: {
+          "Fn::Sub": [
+            "auth.${BaseDomainName}",
+            {
+              BaseDomainName: {
+                Ref: config.domainNameParameterName
               }
             }
+          ]
+        },
+        AliasTarget: {
+          HostedZoneId: "Z2FDTNDATAQYW2",
+          DNSName: {
+            "Fn::GetAtt": [resolvedIds.domain, "CloudFrontDistribution"]
           }
+        }
+      }
+    },
+    [resolvedIds.domain]: {
+      Type: "AWS::Cognito::UserPoolDomain",
+      DependsOn: resolvedIds.baseDomainRecord,
+      Properties: {
+        Domain: {
+          "Fn::Sub": [
+            "auth.${BaseDomainName}",
+            {
+              BaseDomainName: {
+                Ref: config.domainNameParameterName
+              }
+            }
+          ]
         },
-        [`${id}Domain`]: {
-          Type: "AWS::Cognito::UserPoolDomain",
-          DependsOn: !!baseDomainRecordAliasTargetDNSName ? `${id}BaseDomainRecord` : void 0,
-          Properties: {
-            Domain: {
-              "Fn::Sub": [
-                "auth.${BaseDomainName}",
-                {
-                  BaseDomainName: domainName
-                }
-              ]
+        UserPoolId: {
+          Ref: resolvedIds.userPool
+        },
+        CustomDomainConfig: {
+          CertificateArn: {
+            Ref: config.sslCertificateId
+          }
+        }
+      }
+    }
+  };
+  const callbackUrls = config.enableUserPoolDomain === false ? void 0 : config.callbackUrls;
+  const logoutUrls = config.enableUserPoolDomain === false ? void 0 : config.logoutUrls;
+  return new SimpleCFT().patch({
+    Resources: {
+      [resolvedIds.userPool]: {
+        Type: "AWS::Cognito::UserPool",
+        Properties: {
+          UserPoolName: {
+            "Fn::Sub": [`\${AWS::StackName}${userManagementId}`, {}]
+          },
+          AccountRecoverySetting: {
+            RecoveryMechanisms: [
+              {
+                Name: "verified_email",
+                Priority: 1
+              }
+            ]
+          },
+          AdminCreateUserConfig: {
+            AllowAdminCreateUserOnly: false,
+            UnusedAccountValidityDays: 365
+          },
+          AutoVerifiedAttributes: ["email"],
+          AliasAttributes: ["phone_number", "email", "preferred_username"],
+          Schema: [
+            {
+              Name: "email",
+              Required: true,
+              Mutable: true
             },
-            UserPoolId: {
-              Ref: id
+            {
+              Name: "given_name",
+              Required: true,
+              Mutable: true
+            },
+            {
+              Name: "family_name",
+              Required: true,
+              Mutable: true
             },
-            CustomDomainConfig: {
-              CertificateArn: sslCertificateArn
+            {
+              Name: "phone_number",
+              Required: true,
+              Mutable: true
             }
+          ],
+          DeviceConfiguration: {
+            ChallengeRequiredOnNewDevice: true,
+            DeviceOnlyRememberedOnUserPrompt: false
+          },
+          UsernameConfiguration: {
+            CaseSensitive: false
           }
-        },
-        [`${id}Client`]: {
-          Type: "AWS::Cognito::UserPoolClient",
-          Properties: {
-            ClientName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}Client`, {}]
-            },
-            UserPoolId: {
-              Ref: id
-            },
+        }
+      },
+      [resolvedIds.userPoolClient]: {
+        Type: "AWS::Cognito::UserPoolClient",
+        Properties: {
+          ClientName: {
+            "Fn::Sub": [`\${AWS::StackName}${userManagementId}Client`, {}]
+          },
+          UserPoolId: {
+            Ref: resolvedIds.userPool
+          },
+          ...isUserPoolDomainEnabled ? {
             AllowedOAuthFlowsUserPoolClient: true,
             AllowedOAuthFlows: ["code", "implicit"],
             AllowedOAuthScopes: [
@@ -445,178 +312,54 @@ var addUserManagement = createResourcePack(
               "profile",
               "aws.cognito.signin.user.admin"
             ],
-            CallbackURLs: callbackUrls,
-            LogoutURLs: logoutUrls,
-            EnableTokenRevocation: true,
-            PreventUserExistenceErrors: "ENABLED",
-            SupportedIdentityProviders: ["COGNITO"]
-          }
-        },
-        [`${id}IdentityPool`]: {
-          Type: "AWS::Cognito::IdentityPool",
-          Properties: {
-            IdentityPoolName: {
-              "Fn::Sub": [`\${AWS::StackName}${id}IdentityPool`, {}]
-            },
-            AllowUnauthenticatedIdentities: false,
-            CognitoIdentityProviders: [
-              {
-                ClientId: {
-                  Ref: `${id}Client`
-                },
-                ProviderName: {
-                  "Fn::GetAtt": [id, "ProviderName"]
-                },
-                ServerSideTokenCheck: true
-              }
+            SupportedIdentityProviders: supportedIdentityProviders
+          } : {
+            AllowedOAuthFlowsUserPoolClient: false
+          },
+          EnableTokenRevocation: true,
+          PreventUserExistenceErrors: "ENABLED",
+          ...callbackUrls && callbackUrls.length > 0 ? { CallbackURLs: callbackUrls } : {},
+          ...logoutUrls && logoutUrls.length > 0 ? { LogoutURLs: logoutUrls } : {}
+        }
+      },
+      [resolvedIds.identityPool]: {
+        Type: "AWS::Cognito::IdentityPool",
+        Properties: {
+          IdentityPoolName: {
+            "Fn::Sub": [
+              `\${AWS::StackName}${userManagementId}IdentityPool`,
+              {}
             ]
-          }
-        },
-        ...apiRoleConfig
-      }
-    };
-  }
-);
-var SimpleCFT = class {
-  /**
-   * Create a SimpleCFT template wrapper.
-   *
-   * @param template - Initial CloudFormation template.
-   */
-  constructor(template = {
-    AWSTemplateFormatVersion: "2010-09-09"
-  }) {
-    this.template = template;
-  }
-  /**
-   * Apply a pack with configuration to the stack template.
-   * @see {@link IaC} for an example.
-   * */
-  applyPack = (pack, params) => {
-    this.template = pack(params, this.template);
-    return this;
-  };
-  /**
-   * Apply a patch to the stack template.
-   *
-   * @param patch - Template patch to merge.
-   * */
-  patch = (patch) => {
-    this.template = patchTemplate(patch, this.template);
-    return this;
-  };
-  /**
-   * Add a stack parameter including its descriptive info and an optional parameter group.
-   *
-   * @param parameter - Parameter definition and metadata.
-   * */
-  addParameter = (parameter) => {
-    this.template = addParameter(parameter, this.template);
-    return this;
-  };
-  /**
-   * Add a group of stack parameters including their descriptive info and an optional parameter group.
-   *
-   * @param group - Parameter group definition.
-   * */
-  addParameterGroup = ({ Label: Group, Parameters }) => {
-    const parameterIds = Object.keys(Parameters);
-    const parameterList = parameterIds.map((ParameterId) => {
-      const { Label, ...Parameter } = Parameters[ParameterId];
-      return {
-        Group,
-        ParameterId,
-        Label,
-        Parameter
-      };
-    });
-    this.template = addParameters(parameterList, this.template);
-    return this;
-  };
-  /**
-   * Use a modification to dynamically apply various changes at once.
-   *
-   * @param modification - Modification callback to apply.
-   * */
-  modify = (modification) => {
-    modification(this);
-    return this;
-  };
-  /**
-   * Convert the stack template to a string.
-   *
-   * @returns JSON string representation of the template.
-   * */
-  toString = () => JSON.stringify(this.template, null, 2);
-  /**
-   * Convert the stack template to a JSON object.
-   *
-   * @returns Template JSON object.
-   * */
-  toJSON = () => this.template;
-  /**
-   * Convert the stack template to a YAML string.
-   *
-   * @returns YAML string representation of the template.
-   * */
-  toYAML = () => YAML.stringify(this.template, {
-    aliasDuplicateObjects: false
-  });
-};
-
-// src/iac/packs/auth.ts
-var addAuth = createResourcePack(
-  ({
-    userManagementId,
-    authRoleName,
-    unauthRoleName,
-    hostedZoneIdParameterName,
-    domainNameParameterName,
-    sslCertificateId,
-    callbackUrls,
-    logoutUrls,
-    mainCDNCloudFrontId,
-    apiCloudFunctionGatewayId,
-    apiStageName,
-    adminGroupId,
-    userManagementAdminGroupName
-  }) => new SimpleCFT().applyPack(addUserManagement, {
-    id: userManagementId,
-    authRoleName,
-    unauthRoleName,
-    domainName: {
-      Ref: domainNameParameterName
-    },
-    hostedZoneId: {
-      Ref: hostedZoneIdParameterName
-    },
-    sslCertificateArn: {
-      Ref: sslCertificateId
-    },
-    callbackUrls,
-    logoutUrls,
-    baseDomainRecordAliasTargetDNSName: {
-      "Fn::GetAtt": [mainCDNCloudFrontId, "DomainName"]
-    },
-    apiGatewayRESTAPIId: {
-      Ref: apiCloudFunctionGatewayId
-    },
-    apiStageName
-  }).patch({
-    Resources: {
+          },
+          AllowUnauthenticatedIdentities: false,
+          CognitoIdentityProviders: [
+            {
+              ClientId: {
+                Ref: resolvedIds.userPoolClient
+              },
+              ProviderName: {
+                "Fn::GetAtt": [resolvedIds.userPool, "ProviderName"]
+              },
+              ServerSideTokenCheck: true
+            }
+          ]
+        }
+      },
+      ...userPoolDomainConfig,
+      ...apiRoleConfig,
       [adminGroupId]: {
         Type: "AWS::Cognito::UserPoolGroup",
         Properties: {
           GroupName: userManagementAdminGroupName,
           UserPoolId: {
-            Ref: userManagementId
+            Ref: resolvedIds.userPool
           },
           Description: "Application admin group."
         }
       }
     }
-  }).template
-);
+  }).template;
+});
 
 // src/iac/packs/build.ts
 var DEFAULT_BUILD_PIPELINE_REPO_PROVIDER = "GitHub";
@@ -1035,7 +778,8 @@ var addCloudFunction = createResourcePack(
           ]
         }
       }
-    ]
+    ],
+    memorySize = 128
   }) => {
     return {
       Resources: {
@@ -1070,7 +814,8 @@ var addCloudFunction = createResourcePack(
             Role: {
               "Fn::GetAtt": [`${id}Role`, "Arn"]
             },
-            Runtime: runtime
+            Runtime: runtime,
+            MemorySize: memorySize
           }
         }
       }
@@ -1205,6 +950,31 @@ var addSecureFileStorage = createResourcePack(
 );
 
 // src/iac/packs/gateway.ts
+var canonicalizeHashableValue = (value) => {
+  if (Array.isArray(value)) {
+    return value.map((item) => canonicalizeHashableValue(item));
+  }
+  if (value && typeof value === "object") {
+    const output = {};
+    Object.keys(value).sort().forEach((key) => {
+      output[key] = canonicalizeHashableValue(
+        value[key]
+      );
+    });
+    return output;
+  }
+  return value;
+};
+var getDeterministicHash = (value) => {
+  const canonical = JSON.stringify(canonicalizeHashableValue(value));
+  let hash = 2166136261;
+  for (let i = 0; i < canonical.length; i += 1) {
+    hash ^= canonical.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+    hash >>>= 0;
+  }
+  return hash.toString(16).toUpperCase().padStart(8, "0");
+};
 var DEFAULT_AUTH_TYPE = "COGNITO_USER_POOLS";
 var addGateway = createResourcePack(
   ({
@@ -1227,8 +997,29 @@ var addGateway = createResourcePack(
       scopes: authScopes = ["phone", "email", "openid", "profile"],
       type: authType = "COGNITO_USER_POOLS",
       providerARNs,
-      identitySource = "method.request.header.authorization"
+      identitySource = "method.request.header.Authorization"
     } = !!authorizer && typeof authorizer === "object" ? authorizer : {};
+    const cloudFunctionIntegration = {
+      Type: "AWS_PROXY",
+      IntegrationHttpMethod: "POST",
+      Uri: cloudFunctionUri
+    };
+    const gatewayResponseParameters = {
+      "gatewayresponse.header.Access-Control-Allow-Origin": "method.request.header.origin",
+      "gatewayresponse.header.Access-Control-Allow-Credentials": "'true'",
+      "gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
+    };
+    const cloudFunctionPermissionSourceArn = {
+      "Fn::Sub": [
+        "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
+        {
+          __Stage__: stageName,
+          __ApiId__: {
+            Ref: id
+          }
+        }
+      ]
+    };
     const authorizerId = `${id}CustomAuthorizer`;
     const authProps = !!authorizer ? {
       AuthorizationScopes: authScopes,
@@ -1239,7 +1030,33 @@ var addGateway = createResourcePack(
     } : {
       AuthorizationType: "NONE"
     };
-    const fullDeploymentId = `${id}GatewayRESTAPIDeployment${deploymentSuffix}`;
+    const gatewayDeploymentFingerprint = {
+      restApiEndpointTypes: ["EDGE"],
+      proxyPathPart: "{proxy+}",
+      anyMethod: {
+        ...authProps,
+        HttpMethod: "ANY",
+        Integration: cloudFunctionIntegration
+      },
+      optionsMethod: {
+        AuthorizationType: "NONE",
+        HttpMethod: "OPTIONS",
+        Integration: cloudFunctionIntegration
+      },
+      gatewayResponseDefault4XX: {
+        ResponseParameters: gatewayResponseParameters,
+        ResponseType: "DEFAULT_4XX"
+      },
+      stageName,
+      cloudFunctionPermissionSourceArn,
+      authorizer: !!authorizer ? {
+        IdentitySource: identitySource,
+        ProviderARNs: providerARNs,
+        Type: "COGNITO_USER_POOLS"
+      } : null
+    };
+    const deploymentHash = getDeterministicHash(gatewayDeploymentFingerprint);
+    const fullDeploymentId = `${id}GatewayRESTAPIDeployment${deploymentHash}${deploymentSuffix}`;
     return new SimpleCFT().patch({
       Resources: {
         // REST API
@@ -1280,9 +1097,7 @@ var addGateway = createResourcePack(
               Ref: id
             },
             Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
+              ...cloudFunctionIntegration
             }
           }
         },
@@ -1299,9 +1114,7 @@ var addGateway = createResourcePack(
               Ref: id
             },
             Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
+              ...cloudFunctionIntegration
             }
           }
         }
@@ -1322,9 +1135,7 @@ var addGateway = createResourcePack(
               Ref: id
             },
             Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
+              ...cloudFunctionIntegration
             }
           }
         },
@@ -1341,21 +1152,15 @@ var addGateway = createResourcePack(
               Ref: id
             },
             Integration: {
-              Type: "AWS_PROXY",
-              IntegrationHttpMethod: "POST",
-              Uri: cloudFunctionUri
+              ...cloudFunctionIntegration
             }
           }
         },
         [`${id}GatewayResponseDefault4XX`]: {
           Type: "AWS::ApiGateway::GatewayResponse",
           Properties: {
-            ResponseParameters: {
-              // Not authorized, so just allow the current origin by mapping it into the header.
-              "gatewayresponse.header.Access-Control-Allow-Origin": "method.request.header.origin",
-              "gatewayresponse.header.Access-Control-Allow-Credentials": "'true'",
-              "gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
-            },
+            // Not authorized, so just allow the current origin by mapping it into the header.
+            ResponseParameters: gatewayResponseParameters,
             ResponseType: "DEFAULT_4XX",
             RestApiId: {
               Ref: id
@@ -1511,15 +1316,7 @@ var addGateway = createResourcePack(
               "Fn::GetAtt": [cloudFunctionId, "Arn"]
             },
             SourceArn: {
-              "Fn::Sub": [
-                "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/*",
-                {
-                  __Stage__: stageName,
-                  __ApiId__: {
-                    Ref: id
-                  }
-                }
-              ]
+              ...cloudFunctionPermissionSourceArn
             }
           }
         }