@reyemtech/nimbus 0.1.0

package/dist/cjs/aws/dns.d.ts

@@ -0,0 +1,22 @@
+/**
+ * AWS Route 53 DNS implementation.
+ *
+ * @module aws/dns
+ */
+import type { IDns, IDnsConfig } from "../dns";
+/**
+ * Create a Route 53 hosted zone with optional initial records.
+ *
+ * @example
+ * ```typescript
+ * const dns = createRoute53Dns("prod", {
+ *   cloud: "aws",
+ *   zoneName: "example.com",
+ *   records: [
+ *     { name: "app", type: "A", values: ["1.2.3.4"], ttl: 300 },
+ *   ],
+ * });
+ * ```
+ */
+export declare function createRoute53Dns(name: string, config: IDnsConfig): IDns;
+//# sourceMappingURL=dns.d.ts.map

package/dist/cjs/aws/dns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dns.d.ts","sourceRoot":"","sources":["../../../src/aws/dns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,IAAI,EAAE,UAAU,EAAc,MAAM,QAAQ,CAAC;AAG3D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,IAAI,CA6BvE"}

package/dist/cjs/aws/dns.js

@@ -0,0 +1,95 @@
+"use strict";
+/**
+ * AWS Route 53 DNS implementation.
+ *
+ * @module aws/dns
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createRoute53Dns = createRoute53Dns;
+const aws = __importStar(require("@pulumi/aws"));
+const types_1 = require("../types");
+/**
+ * Create a Route 53 hosted zone with optional initial records.
+ *
+ * @example
+ * ```typescript
+ * const dns = createRoute53Dns("prod", {
+ *   cloud: "aws",
+ *   zoneName: "example.com",
+ *   records: [
+ *     { name: "app", type: "A", values: ["1.2.3.4"], ttl: 300 },
+ *   ],
+ * });
+ * ```
+ */
+function createRoute53Dns(name, config) {
+    const cloud = Array.isArray(config.cloud) ? (config.cloud[0] ?? "aws") : config.cloud;
+    const target = (0, types_1.resolveCloudTarget)(cloud);
+    const tags = config.tags ?? {};
+    const zone = new aws.route53.Zone(`${name}-zone`, {
+        name: config.zoneName,
+        tags: { ...tags, Name: `${name}-zone` },
+    });
+    // Create initial records
+    if (config.records) {
+        for (const rec of config.records) {
+            createRecord(name, zone, rec);
+        }
+    }
+    return {
+        name,
+        cloud: target,
+        zoneId: zone.zoneId,
+        zoneName: config.zoneName,
+        nameServers: zone.nameServers,
+        nativeResource: zone,
+        addRecord(record) {
+            createRecord(name, zone, record);
+        },
+    };
+}
+function createRecord(name, zone, record) {
+    const fqdn = record.name === "@" ? "" : record.name ? `${record.name}.` : "";
+    const resourceName = `${name}-${record.name || "root"}-${record.type.toLowerCase()}`;
+    return new aws.route53.Record(resourceName, {
+        zoneId: zone.zoneId,
+        name: zone.name.apply((zoneName) => `${fqdn}${zoneName}`),
+        type: record.type,
+        ttl: record.ttl ?? 300,
+        records: [...record.values],
+    });
+}
+//# sourceMappingURL=dns.js.map

package/dist/cjs/aws/dns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dns.js","sourceRoot":"","sources":["../../../src/aws/dns.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqBH,4CA6BC;AAhDD,iDAAmC;AAGnC,oCAA8C;AAE9C;;;;;;;;;;;;;GAaG;AACH,SAAgB,gBAAgB,CAAC,IAAY,EAAE,MAAkB;IAC/D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;IACtF,MAAM,MAAM,GAAG,IAAA,0BAAkB,EAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAE/B,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,EAAE;QAChD,IAAI,EAAE,MAAM,CAAC,QAAQ;QACrB,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,OAAO,EAAE;KACxC,CAAC,CAAC;IAEH,yBAAyB;IACzB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACjC,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,MAAM;QACb,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,IAAI,CAAC,WAAmD;QACrE,cAAc,EAAE,IAAI;QACpB,SAAS,CAAC,MAAkB;YAC1B,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,IAAY,EACZ,IAAsB,EACtB,MAAkB;IAElB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,MAAM,YAAY,GAAG,GAAG,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;IAErF,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE;QAC1C,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,GAAG,IAAI,GAAG,QAAQ,EAAE,CAAC;QACzD,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,GAAG;QACtB,OAAO,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;KAC5B,CAAC,CAAC;AACL,CAAC"}

package/dist/cjs/aws/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS provider implementations for @reyemtech/nimbus.
+ *
+ * @module aws
+ */
+export { createAwsNetwork, type IAwsNetworkOptions } from "./network";
+export { createEksCluster, type IEksOptions } from "./cluster";
+export { createRoute53Dns } from "./dns";
+export { createAwsSecrets } from "./secrets";
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/aws/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/aws/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,gBAAgB,EAAE,KAAK,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,KAAK,WAAW,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC"}

package/dist/cjs/aws/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * AWS provider implementations for @reyemtech/nimbus.
+ *
+ * @module aws
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAwsSecrets = exports.createRoute53Dns = exports.createEksCluster = exports.createAwsNetwork = void 0;
+var network_1 = require("./network");
+Object.defineProperty(exports, "createAwsNetwork", { enumerable: true, get: function () { return network_1.createAwsNetwork; } });
+var cluster_1 = require("./cluster");
+Object.defineProperty(exports, "createEksCluster", { enumerable: true, get: function () { return cluster_1.createEksCluster; } });
+var dns_1 = require("./dns");
+Object.defineProperty(exports, "createRoute53Dns", { enumerable: true, get: function () { return dns_1.createRoute53Dns; } });
+var secrets_1 = require("./secrets");
+Object.defineProperty(exports, "createAwsSecrets", { enumerable: true, get: function () { return secrets_1.createAwsSecrets; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/aws/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/aws/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,qCAAsE;AAA7D,2GAAA,gBAAgB,OAAA;AACzB,qCAA+D;AAAtD,2GAAA,gBAAgB,OAAA;AACzB,6BAAyC;AAAhC,uGAAA,gBAAgB,OAAA;AACzB,qCAA6C;AAApC,2GAAA,gBAAgB,OAAA"}

package/dist/cjs/aws/network.d.ts

@@ -0,0 +1,27 @@
+/**
+ * AWS network implementation — VPC, subnets, NAT (managed or fck-nat).
+ *
+ * @module aws/network
+ */
+import type { INetwork, INetworkConfig } from "../network";
+/** AWS-specific network options beyond the base config. */
+export interface IAwsNetworkOptions {
+    /** fck-nat instance type. Default: "t4g.nano". */
+    readonly fckNatInstanceType?: string;
+    /** Number of AZs to use. Default: 2. */
+    readonly availabilityZoneCount?: number;
+}
+/**
+ * Create an AWS VPC with public/private subnets and optional NAT.
+ *
+ * @example
+ * ```typescript
+ * const network = createAwsNetwork("prod", {
+ *   cloud: "aws",
+ *   cidr: "10.0.0.0/16",
+ *   natStrategy: "fck-nat",
+ * });
+ * ```
+ */
+export declare function createAwsNetwork(name: string, config: INetworkConfig, options?: IAwsNetworkOptions): INetwork;
+//# sourceMappingURL=network.d.ts.map

package/dist/cjs/aws/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../../src/aws/network.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAe,MAAM,YAAY,CAAC;AAGxE,2DAA2D;AAC3D,MAAM,WAAW,kBAAkB;IACjC,kDAAkD;IAClD,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,wCAAwC;IACxC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,CAAC;CACzC;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,cAAc,EACtB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,QAAQ,CAmHV"}

package/dist/cjs/aws/network.js

@@ -0,0 +1,262 @@
+"use strict";
+/**
+ * AWS network implementation — VPC, subnets, NAT (managed or fck-nat).
+ *
+ * @module aws/network
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAwsNetwork = createAwsNetwork;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const types_1 = require("../types");
+/**
+ * Create an AWS VPC with public/private subnets and optional NAT.
+ *
+ * @example
+ * ```typescript
+ * const network = createAwsNetwork("prod", {
+ *   cloud: "aws",
+ *   cidr: "10.0.0.0/16",
+ *   natStrategy: "fck-nat",
+ * });
+ * ```
+ */
+function createAwsNetwork(name, config, options) {
+    const cloud = Array.isArray(config.cloud) ? (config.cloud[0] ?? "aws") : config.cloud;
+    const target = (0, types_1.resolveCloudTarget)(cloud);
+    const cidr = config.cidr ?? "10.0.0.0/16";
+    const azCount = options?.availabilityZoneCount ?? 2;
+    const natStrategy = config.natStrategy ?? "managed";
+    const tags = config.tags ?? {};
+    const vpc = new aws.ec2.Vpc(`${name}-vpc`, {
+        cidrBlock: cidr,
+        enableDnsHostnames: config.enableDnsHostnames ?? true,
+        enableDnsSupport: config.enableDnsSupport ?? true,
+        tags: { ...tags, Name: `${name}-vpc` },
+    });
+    const igw = new aws.ec2.InternetGateway(`${name}-igw`, {
+        vpcId: vpc.id,
+        tags: { ...tags, Name: `${name}-igw` },
+    });
+    const azs = aws.getAvailabilityZonesOutput({ state: "available" });
+    const azNames = azs.names.apply((names) => names.slice(0, azCount));
+    // Public subnets
+    const publicSubnets = azNames.apply((names) => names.map((az, i) => new aws.ec2.Subnet(`${name}-public-${i}`, {
+        vpcId: vpc.id,
+        cidrBlock: `${cidr.split(".").slice(0, 2).join(".")}.${i + 1}.0/24`,
+        availabilityZone: az,
+        mapPublicIpOnLaunch: true,
+        tags: {
+            ...tags,
+            Name: `${name}-public-${az}`,
+            "kubernetes.io/role/elb": "1",
+        },
+    })));
+    // Private subnets
+    const privateSubnets = azNames.apply((names) => names.map((az, i) => new aws.ec2.Subnet(`${name}-private-${i}`, {
+        vpcId: vpc.id,
+        cidrBlock: `${cidr.split(".").slice(0, 2).join(".")}.${i + 10}.0/24`,
+        availabilityZone: az,
+        tags: {
+            ...tags,
+            Name: `${name}-private-${az}`,
+            "kubernetes.io/role/internal-elb": "1",
+        },
+    })));
+    // Public route table
+    const publicRt = new aws.ec2.RouteTable(`${name}-public-rt`, {
+        vpcId: vpc.id,
+        routes: [{ cidrBlock: "0.0.0.0/0", gatewayId: igw.id }],
+        tags: { ...tags, Name: `${name}-public-rt` },
+    });
+    publicSubnets.apply((subnets) => subnets.map((subnet, i) => new aws.ec2.RouteTableAssociation(`${name}-public-rta-${i}`, {
+        subnetId: subnet.id,
+        routeTableId: publicRt.id,
+    })));
+    // NAT setup
+    let natGatewayId;
+    if (natStrategy === "fck-nat") {
+        natGatewayId = createFckNat(name, vpc, publicSubnets, privateSubnets, cidr, tags, options);
+    }
+    else if (natStrategy === "managed") {
+        natGatewayId = createManagedNat(name, vpc, igw, publicSubnets, privateSubnets, tags);
+    }
+    else {
+        // natStrategy === "none" — no NAT, private subnets have no internet
+        const privateRt = new aws.ec2.RouteTable(`${name}-private-rt`, {
+            vpcId: vpc.id,
+            tags: { ...tags, Name: `${name}-private-rt` },
+        });
+        privateSubnets.apply((subnets) => subnets.map((subnet, i) => new aws.ec2.RouteTableAssociation(`${name}-private-rta-${i}`, {
+            subnetId: subnet.id,
+            routeTableId: privateRt.id,
+        })));
+    }
+    return {
+        name,
+        cloud: target,
+        vpcId: vpc.id,
+        cidr,
+        publicSubnetIds: publicSubnets.apply((s) => pulumi.all(s.map((sub) => sub.id))),
+        privateSubnetIds: privateSubnets.apply((s) => pulumi.all(s.map((sub) => sub.id))),
+        natGatewayId,
+        nativeResource: vpc,
+    };
+}
+function createFckNat(name, vpc, publicSubnets, privateSubnets, cidr, tags, options) {
+    const instanceType = options?.fckNatInstanceType ?? "t4g.nano";
+    const fckNatAmi = aws.ec2.getAmiOutput({
+        mostRecent: true,
+        owners: ["568608671756"],
+        filters: [
+            { name: "name", values: ["fck-nat-al2023-*-arm64-ebs"] },
+            { name: "architecture", values: ["arm64"] },
+        ],
+    });
+    const sg = new aws.ec2.SecurityGroup(`${name}-fck-nat-sg`, {
+        namePrefix: `${name}-fck-nat`,
+        vpcId: vpc.id,
+        description: "fck-nat instance security group",
+        ingress: [{ fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: [cidr] }],
+        egress: [{ fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: ["0.0.0.0/0"] }],
+        tags: { ...tags, Name: `${name}-fck-nat-sg` },
+    });
+    const eni = new aws.ec2.NetworkInterface(`${name}-fck-nat-eni`, {
+        subnetId: publicSubnets.apply((s) => s[0].id),
+        securityGroups: [sg.id],
+        sourceDestCheck: false,
+        tags: { ...tags, Name: `${name}-fck-nat-eni` },
+    });
+    new aws.ec2.Eip(`${name}-fck-nat-eip`, {
+        domain: "vpc",
+        networkInterface: eni.id,
+        tags: { ...tags, Name: `${name}-fck-nat-eip` },
+    });
+    const role = new aws.iam.Role(`${name}-fck-nat-role`, {
+        namePrefix: `${name}-fck-nat`,
+        assumeRolePolicy: JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Action: "sts:AssumeRole",
+                    Effect: "Allow",
+                    Principal: { Service: "ec2.amazonaws.com" },
+                },
+            ],
+        }),
+        inlinePolicies: [
+            {
+                name: "fck-nat-eni",
+                policy: JSON.stringify({
+                    Version: "2012-10-17",
+                    Statement: [
+                        {
+                            Effect: "Allow",
+                            Action: [
+                                "ec2:AttachNetworkInterface",
+                                "ec2:ModifyNetworkInterfaceAttribute",
+                                "ec2:AssociateAddress",
+                                "ec2:DisassociateAddress",
+                            ],
+                            Resource: "*",
+                        },
+                    ],
+                }),
+            },
+        ],
+        tags,
+    });
+    const instanceProfile = new aws.iam.InstanceProfile(`${name}-fck-nat-profile`, {
+        namePrefix: `${name}-fck-nat`,
+        role: role.name,
+    });
+    const lt = new aws.ec2.LaunchTemplate(`${name}-fck-nat-lt`, {
+        namePrefix: `${name}-fck-nat`,
+        imageId: fckNatAmi.id,
+        instanceType,
+        vpcSecurityGroupIds: [sg.id],
+        iamInstanceProfile: { name: instanceProfile.name },
+        userData: eni.id.apply((eniId) => Buffer.from(`#!/bin/bash\necho "eni_id=${eniId}" >> /etc/fck-nat.conf\nservice fck-nat restart\n`).toString("base64")),
+        tagSpecifications: [
+            {
+                resourceType: "instance",
+                tags: { ...tags, Name: `${name}-fck-nat` },
+            },
+        ],
+        tags,
+    });
+    new aws.autoscaling.Group(`${name}-fck-nat-asg`, {
+        name: `${name}-fck-nat-asg`,
+        vpcZoneIdentifiers: [publicSubnets.apply((s) => s[0].id)],
+        minSize: 1,
+        maxSize: 1,
+        desiredCapacity: 1,
+        launchTemplate: { id: lt.id, version: "$Latest" },
+    });
+    // Private route table through fck-nat ENI
+    const privateRt = new aws.ec2.RouteTable(`${name}-private-rt`, {
+        vpcId: vpc.id,
+        routes: [{ cidrBlock: "0.0.0.0/0", networkInterfaceId: eni.id }],
+        tags: { ...tags, Name: `${name}-private-rt` },
+    });
+    privateSubnets.apply((subnets) => subnets.map((subnet, i) => new aws.ec2.RouteTableAssociation(`${name}-private-rta-${i}`, {
+        subnetId: subnet.id,
+        routeTableId: privateRt.id,
+    })));
+    return eni.id;
+}
+function createManagedNat(name, _vpc, igw, publicSubnets, privateSubnets, tags) {
+    const eip = new aws.ec2.Eip(`${name}-nat-eip`, {
+        domain: "vpc",
+        tags: { ...tags, Name: `${name}-nat-eip` },
+    }, { dependsOn: [igw] });
+    const natGw = new aws.ec2.NatGateway(`${name}-nat`, {
+        allocationId: eip.id,
+        subnetId: publicSubnets.apply((s) => s[0].id),
+        tags: { ...tags, Name: `${name}-nat` },
+    });
+    const privateRt = new aws.ec2.RouteTable(`${name}-private-rt`, {
+        vpcId: _vpc.id,
+        routes: [{ cidrBlock: "0.0.0.0/0", natGatewayId: natGw.id }],
+        tags: { ...tags, Name: `${name}-private-rt` },
+    });
+    privateSubnets.apply((subnets) => subnets.map((subnet, i) => new aws.ec2.RouteTableAssociation(`${name}-private-rta-${i}`, {
+        subnetId: subnet.id,
+        routeTableId: privateRt.id,
+    })));
+    return natGw.id;
+}
+//# sourceMappingURL=network.js.map

package/dist/cjs/aws/network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.js","sourceRoot":"","sources":["../../../src/aws/network.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BH,4CAuHC;AAhJD,iDAAmC;AACnC,uDAAyC;AAEzC,oCAA8C;AAU9C;;;;;;;;;;;GAWG;AACH,SAAgB,gBAAgB,CAC9B,IAAY,EACZ,MAAsB,EACtB,OAA4B;IAE5B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;IACtF,MAAM,MAAM,GAAG,IAAA,0BAAkB,EAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,aAAa,CAAC;IAC1C,MAAM,OAAO,GAAG,OAAO,EAAE,qBAAqB,IAAI,CAAC,CAAC;IACpD,MAAM,WAAW,GAAgB,MAAM,CAAC,WAAW,IAAI,SAAS,CAAC;IACjE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAE/B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,MAAM,EAAE;QACzC,SAAS,EAAE,IAAI;QACf,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,IAAI;QACrD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;QACjD,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,MAAM,EAAE;KACvC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,MAAM,EAAE;QACrD,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,MAAM,EAAE;KACvC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,GAAG,CAAC,0BAA0B,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IAEpE,iBAAiB;IACjB,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAC5C,KAAK,CAAC,GAAG,CACP,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CACR,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC,EAAE,EAAE;QACxC,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,SAAS,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO;QACnE,gBAAgB,EAAE,EAAE;QACpB,mBAAmB,EAAE,IAAI;QACzB,IAAI,EAAE;YACJ,GAAG,IAAI;YACP,IAAI,EAAE,GAAG,IAAI,WAAW,EAAE,EAAE;YAC5B,wBAAwB,EAAE,GAAG;SAC9B;KACF,CAAC,CACL,CACF,CAAC;IAEF,kBAAkB;IAClB,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAC7C,KAAK,CAAC,GAAG,CACP,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CACR,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,YAAY,CAAC,EAAE,EAAE;QACzC,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,SAAS,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO;QACpE,gBAAgB,EAAE,EAAE;QACpB,IAAI,EAAE;YACJ,GAAG,IAAI;YACP,IAAI,EAAE,GAAG,IAAI,YAAY,EAAE,EAAE;YAC7B,iCAAiC,EAAE,GAAG;SACvC;KACF,CAAC,CACL,CACF,CAAC;IAEF,qBAAqB;IACrB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,YAAY,EAAE;QAC3D,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QACvD,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,YAAY,EAAE;KAC7C,CAAC,CAAC;IAEH,aAAa,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9B,OAAO,CAAC,GAAG,CACT,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CACZ,IAAI,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,GAAG,IAAI,eAAe,CAAC,EAAE,EAAE;QAC3D,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,YAAY,EAAE,QAAQ,CAAC,EAAE;KAC1B,CAAC,CACL,CACF,CAAC;IAEF,YAAY;IACZ,IAAI,YAA+C,CAAC;IAEpD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,YAAY,GAAG,YAAY,CAAC,IAAI,EAAE,GAAG,EAAE,aAAa,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC7F,CAAC;SAAM,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QACrC,YAAY,GAAG,gBAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,aAAa,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACvF,CAAC;SAAM,CAAC;QACN,oEAAoE;QACpE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,aAAa,EAAE;YAC7D,KAAK,EAAE,GAAG,CAAC,EAAE;YACb,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,aAAa,EAAE;SAC9C,CAAC,CAAC;QAEH,cAAc,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAC/B,OAAO,CAAC,GAAG,CACT,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CACZ,IAAI,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAE,EAAE;YAC5D,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,YAAY,EAAE,SAAS,CAAC,EAAE;SAC3B,CAAC,CACL,CACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,IAAI;QACJ,eAAe,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CACzC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CACK;QACzC,gBAAgB,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3C,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CACK;QACzC,YAAY;QACZ,cAAc,EAAE,GAAG;KACpB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,IAAY,EACZ,GAAgB,EAChB,aAA8C,EAC9C,cAA+C,EAC/C,IAAY,EACZ,IAAsC,EACtC,OAA4B;IAE5B,MAAM,YAAY,GAAG,OAAO,EAAE,kBAAkB,IAAI,UAAU,CAAC;IAE/D,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC;QACrC,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE,CAAC,cAAc,CAAC;QACxB,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,4BAA4B,CAAC,EAAE;YACxD,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE;SAC5C;KACF,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,aAAa,EAAE;QACzD,UAAU,EAAE,GAAG,IAAI,UAAU;QAC7B,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/E,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,aAAa,EAAE;KAC9C,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,IAAI,cAAc,EAAE;QAC9D,QAAQ,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,CAAC,CAAoB,CAAC,EAAE,CAAC;QACjE,cAAc,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QACvB,eAAe,EAAE,KAAK;QACtB,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,cAAc,EAAE;KAC/C,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,cAAc,EAAE;QACrC,MAAM,EAAE,KAAK;QACb,gBAAgB,EAAE,GAAG,CAAC,EAAE;QACxB,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,cAAc,EAAE;KAC/C,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,eAAe,EAAE;QACpD,UAAU,EAAE,GAAG,IAAI,UAAU;QAC7B,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC;YAC/B,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,gBAAgB;oBACxB,MAAM,EAAE,OAAO;oBACf,SAAS,EAAE,EAAE,OAAO,EAAE,mBAAmB,EAAE;iBAC5C;aACF;SACF,CAAC;QACF,cAAc,EAAE;YACd;gBACE,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;oBACrB,OAAO,EAAE,YAAY;oBACrB,SAAS,EAAE;wBACT;4BACE,MAAM,EAAE,OAAO;4BACf,MAAM,EAAE;gCACN,4BAA4B;gCAC5B,qCAAqC;gCACrC,sBAAsB;gCACtB,yBAAyB;6BAC1B;4BACD,QAAQ,EAAE,GAAG;yBACd;qBACF;iBACF,CAAC;aACH;SACF;QACD,IAAI;KACL,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,kBAAkB,EAAE;QAC7E,UAAU,EAAE,GAAG,IAAI,UAAU;QAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,GAAG,IAAI,aAAa,EAAE;QAC1D,UAAU,EAAE,GAAG,IAAI,UAAU;QAC7B,OAAO,EAAE,SAAS,CAAC,EAAE;QACrB,YAAY;QACZ,mBAAmB,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC5B,kBAAkB,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,EAAE;QAClD,QAAQ,EAAE,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAC/B,MAAM,CAAC,IAAI,CACT,6BAA6B,KAAK,mDAAmD,CACtF,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACrB;QACD,iBAAiB,EAAE;YACjB;gBACE,YAAY,EAAE,UAAU;gBACxB,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,UAAU,EAAE;aAC3C;SACF;QACD,IAAI;KACL,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,IAAI,cAAc,EAAE;QAC/C,IAAI,EAAE,GAAG,IAAI,cAAc;QAC3B,kBAAkB,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,CAAC,CAAoB,CAAC,EAAE,CAAC,CAAC;QAC7E,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;QACV,eAAe,EAAE,CAAC;QAClB,cAAc,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE;KAClD,CAAC,CAAC;IAEH,0CAA0C;IAC1C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,aAAa,EAAE;QAC7D,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,kBAAkB,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;QAChE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,aAAa,EAAE;KAC9C,CAAC,CAAC;IAEH,cAAc,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAC/B,OAAO,CAAC,GAAG,CACT,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CACZ,IAAI,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAE,EAAE;QAC5D,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,YAAY,EAAE,SAAS,CAAC,EAAE;KAC3B,CAAC,CACL,CACF,CAAC;IAEF,OAAO,GAAG,CAAC,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CACvB,IAAY,EACZ,IAAiB,EACjB,GAA4B,EAC5B,aAA8C,EAC9C,cAA+C,EAC/C,IAAsC;IAEtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CACzB,GAAG,IAAI,UAAU,EACjB;QACE,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,UAAU,EAAE;KAC3C,EACD,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,CACrB,CAAC;IAEF,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE;QAClD,YAAY,EAAE,GAAG,CAAC,EAAE;QACpB,QAAQ,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAC,CAAC,CAAC,CAAoB,CAAC,EAAE,CAAC;QACjE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,MAAM,EAAE;KACvC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,aAAa,EAAE;QAC7D,KAAK,EAAE,IAAI,CAAC,EAAE;QACd,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;QAC5D,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,aAAa,EAAE;KAC9C,CAAC,CAAC;IAEH,cAAc,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAC/B,OAAO,CAAC,GAAG,CACT,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CACZ,IAAI,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,GAAG,IAAI,gBAAgB,CAAC,EAAE,EAAE;QAC5D,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,YAAY,EAAE,SAAS,CAAC,EAAE;KAC3B,CAAC,CACL,CACF,CAAC;IAEF,OAAO,KAAK,CAAC,EAAE,CAAC;AAClB,CAAC"}

package/dist/cjs/aws/secrets.d.ts

@@ -0,0 +1,26 @@
+/**
+ * AWS Secrets Manager implementation.
+ *
+ * @module aws/secrets
+ */
+import type { ISecrets, ISecretsConfig } from "../secrets";
+/**
+ * Create an AWS Secrets Manager store.
+ *
+ * Each `putSecret(path, data)` call creates a Secret resource with
+ * JSON-encoded key-value pairs. `getSecretRef(ref)` retrieves a
+ * specific key from a stored secret.
+ *
+ * @example
+ * ```typescript
+ * const secrets = createAwsSecrets("prod", {
+ *   cloud: "aws",
+ *   backend: "aws-secrets-manager",
+ * });
+ *
+ * secrets.putSecret("database", { host: "db.example.com", password: dbPassword });
+ * const pw = secrets.getSecretRef({ path: "database", key: "password" });
+ * ```
+ */
+export declare function createAwsSecrets(name: string, config: ISecretsConfig): ISecrets;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/cjs/aws/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../../src/aws/secrets.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAc,QAAQ,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGvE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,QAAQ,CA6E/E"}

package/dist/cjs/aws/secrets.js

@@ -0,0 +1,127 @@
+"use strict";
+/**
+ * AWS Secrets Manager implementation.
+ *
+ * @module aws/secrets
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAwsSecrets = createAwsSecrets;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const types_1 = require("../types");
+/**
+ * Create an AWS Secrets Manager store.
+ *
+ * Each `putSecret(path, data)` call creates a Secret resource with
+ * JSON-encoded key-value pairs. `getSecretRef(ref)` retrieves a
+ * specific key from a stored secret.
+ *
+ * @example
+ * ```typescript
+ * const secrets = createAwsSecrets("prod", {
+ *   cloud: "aws",
+ *   backend: "aws-secrets-manager",
+ * });
+ *
+ * secrets.putSecret("database", { host: "db.example.com", password: dbPassword });
+ * const pw = secrets.getSecretRef({ path: "database", key: "password" });
+ * ```
+ */
+function createAwsSecrets(name, config) {
+    const cloud = Array.isArray(config.cloud) ? (config.cloud[0] ?? "aws") : config.cloud;
+    const target = (0, types_1.resolveCloudTarget)(cloud);
+    const tags = config.tags ?? {};
+    // Track created secrets so getSecretRef can resolve them
+    const secretResources = new Map();
+    // A "store" resource to serve as the nativeResource escape hatch.
+    // We use a dummy SSM parameter to represent the store itself.
+    const store = new aws.ssm.Parameter(`${name}-secrets-store`, {
+        name: `/${name}/secrets-store`,
+        type: aws.ssm.ParameterType.String,
+        value: "managed-by-nimbus",
+        tags: { ...tags, Name: `${name}-secrets-store` },
+    });
+    return {
+        name,
+        cloud: target,
+        backend: "aws-secrets-manager",
+        nativeResource: store,
+        putSecret(path, data) {
+            const secretName = `${name}/${path}`;
+            const resourceName = `${name}-${path.replace(/\//g, "-")}`;
+            const secret = new aws.secretsmanager.Secret(resourceName, {
+                namePrefix: secretName,
+                tags: { ...tags, Name: secretName },
+            });
+            // Store data as JSON
+            const secretString = pulumi.all(data).apply((resolved) => JSON.stringify(resolved));
+            new aws.secretsmanager.SecretVersion(`${resourceName}-v`, {
+                secretId: secret.id,
+                secretString,
+            });
+            secretResources.set(path, secret);
+        },
+        getSecretRef(ref) {
+            const secret = secretResources.get(ref.path);
+            const { key } = ref;
+            if (!secret) {
+                // Secret not created via putSecret — look up by name convention
+                const lookup = aws.secretsmanager.getSecretVersionOutput({
+                    secretId: `${name}/${ref.path}`,
+                });
+                if (key) {
+                    return lookup.secretString.apply((s) => {
+                        const parsed = JSON.parse(s);
+                        return parsed[key] ?? "";
+                    });
+                }
+                return lookup.secretString;
+            }
+            // Get the current version of the secret
+            const version = aws.secretsmanager.getSecretVersionOutput({
+                secretId: secret.id,
+            });
+            if (key) {
+                return version.secretString.apply((s) => {
+                    const parsed = JSON.parse(s);
+                    return parsed[key] ?? "";
+                });
+            }
+            return version.secretString;
+        },
+    };
+}
+//# sourceMappingURL=secrets.js.map

package/dist/cjs/aws/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../src/aws/secrets.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBH,4CA6EC;AApGD,iDAAmC;AACnC,uDAAyC;AAEzC,oCAA8C;AAE9C;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,gBAAgB,CAAC,IAAY,EAAE,MAAsB;IACnE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;IACtF,MAAM,MAAM,GAAG,IAAA,0BAAkB,EAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAE/B,yDAAyD;IACzD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAqC,CAAC;IAErE,kEAAkE;IAClE,8DAA8D;IAC9D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,IAAI,gBAAgB,EAAE;QAC3D,IAAI,EAAE,IAAI,IAAI,gBAAgB;QAC9B,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,MAAM;QAClC,KAAK,EAAE,mBAAmB;QAC1B,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,IAAI,gBAAgB,EAAE;KACjD,CAAC,CAAC;IAEH,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,qBAAqB;QAC9B,cAAc,EAAE,KAAK;QAErB,SAAS,CAAC,IAAY,EAAE,IAA0C;YAChE,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;YACrC,MAAM,YAAY,GAAG,GAAG,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC;YAE3D,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,YAAY,EAAE;gBACzD,UAAU,EAAE,UAAU;gBACtB,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE;aACpC,CAAC,CAAC;YAEH,qBAAqB;YACrB,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;YAEpF,IAAI,GAAG,CAAC,cAAc,CAAC,aAAa,CAAC,GAAG,YAAY,IAAI,EAAE;gBACxD,QAAQ,EAAE,MAAM,CAAC,EAAE;gBACnB,YAAY;aACb,CAAC,CAAC;YAEH,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QAED,YAAY,CAAC,GAAe;YAC1B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;YAEpB,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC;oBACvD,QAAQ,EAAE,GAAG,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE;iBAChC,CAAC,CAAC;gBAEH,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;wBACrC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAA2B,CAAC;wBACvD,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;oBAC3B,CAAC,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,MAAM,CAAC,YAAY,CAAC;YAC7B,CAAC;YAED,wCAAwC;YACxC,MAAM,OAAO,GAAG,GAAG,CAAC,cAAc,CAAC,sBAAsB,CAAC;gBACxD,QAAQ,EAAE,MAAM,CAAC,EAAE;aACpB,CAAC,CAAC;YAEH,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;oBACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAA2B,CAAC;oBACvD,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,OAAO,CAAC,YAAY,CAAC;QAC9B,CAAC;KACF,CAAC;AACJ,CAAC"}