npm - @stacksjs/ts-cloud-core - Versions diffs - 0.1.1 - Mend

@stacksjs/ts-cloud-core 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (251) hide show

package/LICENSE.md +21 -0
package/README.md +321 -0
package/package.json +31 -0
package/src/advanced-features.test.ts +465 -0
package/src/aws/cloudformation.ts +421 -0
package/src/aws/cloudfront.ts +158 -0
package/src/aws/credentials.test.ts +132 -0
package/src/aws/credentials.ts +545 -0
package/src/aws/index.ts +87 -0
package/src/aws/s3.test.ts +188 -0
package/src/aws/s3.ts +1088 -0
package/src/aws/signature.test.ts +670 -0
package/src/aws/signature.ts +1155 -0
package/src/backup/disaster-recovery.test.ts +726 -0
package/src/backup/disaster-recovery.ts +500 -0
package/src/backup/index.ts +34 -0
package/src/backup/manager.test.ts +498 -0
package/src/backup/manager.ts +432 -0
package/src/cicd/circleci.ts +430 -0
package/src/cicd/github-actions.ts +424 -0
package/src/cicd/gitlab-ci.ts +255 -0
package/src/cicd/index.ts +8 -0
package/src/cli/history.ts +396 -0
package/src/cli/index.ts +10 -0
package/src/cli/progress.ts +458 -0
package/src/cli/repl.ts +454 -0
package/src/cli/suggestions.ts +327 -0
package/src/cli/table.test.ts +319 -0
package/src/cli/table.ts +332 -0
package/src/cloudformation/builder.test.ts +327 -0
package/src/cloudformation/builder.ts +378 -0
package/src/cloudformation/builders/api-gateway.ts +449 -0
package/src/cloudformation/builders/cache.ts +334 -0
package/src/cloudformation/builders/cdn.ts +278 -0
package/src/cloudformation/builders/compute.ts +485 -0
package/src/cloudformation/builders/database.ts +392 -0
package/src/cloudformation/builders/functions.ts +343 -0
package/src/cloudformation/builders/messaging.ts +140 -0
package/src/cloudformation/builders/monitoring.ts +300 -0
package/src/cloudformation/builders/network.ts +264 -0
package/src/cloudformation/builders/queue.ts +147 -0
package/src/cloudformation/builders/security.ts +399 -0
package/src/cloudformation/builders/storage.ts +285 -0
package/src/cloudformation/index.ts +30 -0
package/src/cloudformation/types.ts +173 -0
package/src/compliance/aws-config.ts +543 -0
package/src/compliance/cloudtrail.ts +376 -0
package/src/compliance/compliance.test.ts +423 -0
package/src/compliance/guardduty.ts +446 -0
package/src/compliance/index.ts +66 -0
package/src/compliance/security-hub.ts +456 -0
package/src/containers/build-optimization.ts +416 -0
package/src/containers/containers.test.ts +508 -0
package/src/containers/image-scanning.ts +360 -0
package/src/containers/index.ts +9 -0
package/src/containers/registry.ts +293 -0
package/src/containers/service-mesh.ts +520 -0
package/src/database/database.test.ts +762 -0
package/src/database/index.ts +9 -0
package/src/database/migrations.ts +444 -0
package/src/database/performance.ts +528 -0
package/src/database/replicas.ts +534 -0
package/src/database/users.ts +494 -0
package/src/dependency-graph.ts +143 -0
package/src/deployment/ab-testing.ts +582 -0
package/src/deployment/blue-green.ts +452 -0
package/src/deployment/canary.ts +500 -0
package/src/deployment/deployment.test.ts +526 -0
package/src/deployment/index.ts +61 -0
package/src/deployment/progressive.ts +62 -0
package/src/dns/dns.test.ts +641 -0
package/src/dns/dnssec.ts +315 -0
package/src/dns/index.ts +8 -0
package/src/dns/resolver.ts +496 -0
package/src/dns/routing.ts +593 -0
package/src/email/advanced/analytics.ts +445 -0
package/src/email/advanced/index.ts +11 -0
package/src/email/advanced/rules.ts +465 -0
package/src/email/advanced/scheduling.ts +352 -0
package/src/email/advanced/search.ts +412 -0
package/src/email/advanced/shared-mailboxes.ts +404 -0
package/src/email/advanced/templates.ts +455 -0
package/src/email/advanced/threading.ts +281 -0
package/src/email/analytics.ts +467 -0
package/src/email/bounce-handling.ts +425 -0
package/src/email/email.test.ts +431 -0
package/src/email/handlers/__tests__/inbound.test.ts +38 -0
package/src/email/handlers/__tests__/outbound.test.ts +37 -0
package/src/email/handlers/converter.ts +227 -0
package/src/email/handlers/feedback.ts +228 -0
package/src/email/handlers/inbound.ts +169 -0
package/src/email/handlers/outbound.ts +178 -0
package/src/email/index.ts +15 -0
package/src/email/reputation.ts +303 -0
package/src/email/templates.ts +352 -0
package/src/errors/index.test.ts +434 -0
package/src/errors/index.ts +416 -0
package/src/health-checks/index.ts +40 -0
package/src/index.ts +360 -0
package/src/intrinsic-functions.ts +118 -0
package/src/lambda/concurrency.ts +330 -0
package/src/lambda/destinations.ts +345 -0
package/src/lambda/dlq.ts +425 -0
package/src/lambda/index.ts +11 -0
package/src/lambda/lambda.test.ts +840 -0
package/src/lambda/layers.ts +263 -0
package/src/lambda/versions.ts +376 -0
package/src/lambda/vpc.ts +399 -0
package/src/local/config.ts +114 -0
package/src/local/index.ts +6 -0
package/src/local/mock-aws.ts +351 -0
package/src/modules/ai.ts +340 -0
package/src/modules/api.ts +478 -0
package/src/modules/auth.ts +805 -0
package/src/modules/cache.ts +417 -0
package/src/modules/cdn.ts +1062 -0
package/src/modules/communication.ts +1094 -0
package/src/modules/compute.ts +3348 -0
package/src/modules/database.ts +554 -0
package/src/modules/deployment.ts +1079 -0
package/src/modules/dns.ts +337 -0
package/src/modules/email.ts +1538 -0
package/src/modules/filesystem.ts +515 -0
package/src/modules/index.ts +32 -0
package/src/modules/messaging.ts +486 -0
package/src/modules/monitoring.ts +2086 -0
package/src/modules/network.ts +664 -0
package/src/modules/parameter-store.ts +325 -0
package/src/modules/permissions.ts +1081 -0
package/src/modules/phone.ts +494 -0
package/src/modules/queue.ts +1260 -0
package/src/modules/redirects.ts +464 -0
package/src/modules/registry.ts +699 -0
package/src/modules/search.ts +401 -0
package/src/modules/secrets.ts +416 -0
package/src/modules/security.ts +731 -0
package/src/modules/sms.ts +389 -0
package/src/modules/storage.ts +1120 -0
package/src/modules/workflow.ts +680 -0
package/src/multi-account/config.ts +521 -0
package/src/multi-account/index.ts +7 -0
package/src/multi-account/manager.ts +427 -0
package/src/multi-region/cross-region.ts +410 -0
package/src/multi-region/index.ts +8 -0
package/src/multi-region/manager.ts +483 -0
package/src/multi-region/regions.ts +435 -0
package/src/network-security/index.ts +48 -0
package/src/observability/index.ts +9 -0
package/src/observability/logs.ts +522 -0
package/src/observability/metrics.ts +460 -0
package/src/observability/observability.test.ts +782 -0
package/src/observability/synthetics.ts +568 -0
package/src/observability/xray.ts +358 -0
package/src/phone/advanced/analytics.ts +349 -0
package/src/phone/advanced/callbacks.ts +428 -0
package/src/phone/advanced/index.ts +8 -0
package/src/phone/advanced/ivr-builder.ts +504 -0
package/src/phone/advanced/recording.ts +310 -0
package/src/phone/handlers/__tests__/incoming-call.test.ts +40 -0
package/src/phone/handlers/incoming-call.ts +117 -0
package/src/phone/handlers/missed-call.ts +116 -0
package/src/phone/handlers/voicemail.ts +179 -0
package/src/phone/index.ts +9 -0
package/src/presets/api-backend.ts +134 -0
package/src/presets/data-pipeline.ts +204 -0
package/src/presets/extend.test.ts +295 -0
package/src/presets/extend.ts +297 -0
package/src/presets/fullstack-app.ts +144 -0
package/src/presets/index.ts +27 -0
package/src/presets/jamstack.ts +135 -0
package/src/presets/microservices.ts +167 -0
package/src/presets/ml-api.ts +208 -0
package/src/presets/nodejs-server.ts +104 -0
package/src/presets/nodejs-serverless.ts +114 -0
package/src/presets/realtime-app.ts +184 -0
package/src/presets/static-site.ts +64 -0
package/src/presets/traditional-web-app.ts +339 -0
package/src/presets/wordpress.ts +138 -0
package/src/preview/github.test.ts +249 -0
package/src/preview/github.ts +297 -0
package/src/preview/index.ts +37 -0
package/src/preview/manager.test.ts +440 -0
package/src/preview/manager.ts +326 -0
package/src/preview/notifications.test.ts +582 -0
package/src/preview/notifications.ts +341 -0
package/src/queue/batch-processing.ts +402 -0
package/src/queue/dlq-monitoring.ts +402 -0
package/src/queue/fifo.ts +342 -0
package/src/queue/index.ts +9 -0
package/src/queue/management.ts +428 -0
package/src/queue/queue.test.ts +429 -0
package/src/resource-mgmt/index.ts +39 -0
package/src/resource-naming.ts +62 -0
package/src/s3/index.ts +523 -0
package/src/schema/cloud-config.schema.json +554 -0
package/src/schema/index.ts +68 -0
package/src/security/certificate-manager.ts +492 -0
package/src/security/index.ts +9 -0
package/src/security/scanning.ts +545 -0
package/src/security/secrets-manager.ts +476 -0
package/src/security/secrets-rotation.ts +456 -0
package/src/security/security.test.ts +738 -0
package/src/sms/advanced/ab-testing.ts +389 -0
package/src/sms/advanced/analytics.ts +336 -0
package/src/sms/advanced/campaigns.ts +523 -0
package/src/sms/advanced/chatbot.ts +224 -0
package/src/sms/advanced/index.ts +10 -0
package/src/sms/advanced/link-tracking.ts +248 -0
package/src/sms/advanced/mms.ts +308 -0
package/src/sms/handlers/__tests__/send.test.ts +40 -0
package/src/sms/handlers/delivery-status.ts +133 -0
package/src/sms/handlers/receive.ts +162 -0
package/src/sms/handlers/send.ts +174 -0
package/src/sms/index.ts +9 -0
package/src/stack-diff.ts +389 -0
package/src/static-site/index.ts +85 -0
package/src/template-builder.ts +110 -0
package/src/template-validator.ts +574 -0
package/src/utils/cache.ts +291 -0
package/src/utils/diff.ts +269 -0
package/src/utils/hash.ts +227 -0
package/src/utils/index.ts +8 -0
package/src/utils/parallel.ts +294 -0
package/src/validators/credentials.test.ts +274 -0
package/src/validators/credentials.ts +233 -0
package/src/validators/quotas.test.ts +434 -0
package/src/validators/quotas.ts +217 -0
package/test/ai.test.ts +327 -0
package/test/api.test.ts +511 -0
package/test/auth.test.ts +632 -0
package/test/cache.test.ts +406 -0
package/test/cdn.test.ts +247 -0
package/test/compute.test.ts +861 -0
package/test/database.test.ts +523 -0
package/test/deployment.test.ts +499 -0
package/test/dns.test.ts +270 -0
package/test/email.test.ts +439 -0
package/test/filesystem.test.ts +382 -0
package/test/integration.test.ts +350 -0
package/test/messaging.test.ts +514 -0
package/test/monitoring.test.ts +634 -0
package/test/network.test.ts +425 -0
package/test/permissions.test.ts +488 -0
package/test/queue.test.ts +484 -0
package/test/registry.test.ts +306 -0
package/test/security.test.ts +462 -0
package/test/storage.test.ts +463 -0
package/test/template-validator.test.ts +559 -0
package/test/workflow.test.ts +592 -0
package/tsconfig.json +16 -0
package/tsconfig.tsbuildinfo +1 -0

package/src/modules/permissions.ts ADDED Viewed

@@ -0,0 +1,1081 @@
+import type {
+  IAMAccessKey,
+  IAMGroup,
+  IAMInstanceProfile,
+  IAMManagedPolicy,
+  IAMRole,
+  IAMUser,
+} from '@stacksjs/ts-cloud-aws-types'
+import type { EnvironmentType } from '@stacksjs/ts-cloud-types'
+import { Fn } from '../intrinsic-functions'
+import { generateLogicalId, generateResourceName } from '../resource-naming'
+export interface PolicyStatement {
+  sid?: string
+  effect?: 'Allow' | 'Deny'
+  actions: string | string[]
+  resources: string | string[]
+  conditions?: Record<string, unknown>
+}
+export interface UserOptions {
+  slug: string
+  environment: EnvironmentType
+  userName?: string
+  groups?: string[]
+  managedPolicyArns?: string[]
+}
+export interface RoleOptions {
+  slug: string
+  environment: EnvironmentType
+  roleName?: string
+  servicePrincipal?: string | string[]
+  awsPrincipal?: string | string[]
+  managedPolicyArns?: string[]
+}
+export interface GroupOptions {
+  slug: string
+  environment: EnvironmentType
+  groupName?: string
+  managedPolicyArns?: string[]
+}
+export interface ManagedPolicyOptions {
+  slug: string
+  environment: EnvironmentType
+  policyName?: string
+  description?: string
+  statements: PolicyStatement[]
+}
+/**
+ * Permissions Module - IAM (Identity and Access Management)
+ * Provides clean API for creating users, roles, policies, and groups
+ */
+export class Permissions {
+  /**
+   * Create an IAM user
+   */
+  static createUser(options: UserOptions): {
+    user: IAMUser
+    logicalId: string
+  } {
+    const {
+      slug,
+      environment,
+      userName,
+      groups,
+      managedPolicyArns,
+    } = options
+    const resourceName = userName || generateResourceName({
+      slug,
+      environment,
+      resourceType: 'user',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const user: IAMUser = {
+      Type: 'AWS::IAM::User',
+      Properties: {
+        UserName: resourceName,
+        Tags: [
+          { Key: 'Name', Value: resourceName },
+          { Key: 'Environment', Value: environment },
+        ],
+      },
+    }
+    if (groups && groups.length > 0) {
+      user.Properties.Groups = groups
+    }
+    if (managedPolicyArns && managedPolicyArns.length > 0) {
+      user.Properties.ManagedPolicyArns = managedPolicyArns
+    }
+    return { user, logicalId }
+  }
+  /**
+   * Create an IAM role
+   */
+  static createRole(options: RoleOptions): {
+    role: IAMRole
+    logicalId: string
+  } {
+    const {
+      slug,
+      environment,
+      roleName,
+      servicePrincipal,
+      awsPrincipal,
+      managedPolicyArns,
+    } = options
+    const resourceName = roleName || generateResourceName({
+      slug,
+      environment,
+      resourceType: 'role',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const principal: IAMRole['Properties']['AssumeRolePolicyDocument']['Statement'][0]['Principal'] = {}
+    if (servicePrincipal) {
+      principal.Service = servicePrincipal
+    }
+    if (awsPrincipal) {
+      principal.AWS = awsPrincipal
+    }
+    const role: IAMRole = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        RoleName: resourceName,
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Effect: 'Allow',
+              Principal: principal,
+              Action: 'sts:AssumeRole',
+            },
+          ],
+        },
+        Tags: [
+          { Key: 'Name', Value: resourceName },
+          { Key: 'Environment', Value: environment },
+        ],
+      },
+    }
+    if (managedPolicyArns && managedPolicyArns.length > 0) {
+      role.Properties.ManagedPolicyArns = managedPolicyArns
+    }
+    return { role, logicalId }
+  }
+  /**
+   * Create an IAM group
+   */
+  static createGroup(options: GroupOptions): {
+    group: IAMGroup
+    logicalId: string
+  } {
+    const {
+      slug,
+      environment,
+      groupName,
+      managedPolicyArns,
+    } = options
+    const resourceName = groupName || generateResourceName({
+      slug,
+      environment,
+      resourceType: 'group',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const group: IAMGroup = {
+      Type: 'AWS::IAM::Group',
+      Properties: {
+        GroupName: resourceName,
+      },
+    }
+    if (managedPolicyArns && managedPolicyArns.length > 0) {
+      group.Properties.ManagedPolicyArns = managedPolicyArns
+    }
+    return { group, logicalId }
+  }
+  /**
+   * Create a managed policy
+   */
+  static createPolicy(options: ManagedPolicyOptions): {
+    policy: IAMManagedPolicy
+    logicalId: string
+  } {
+    const {
+      slug,
+      environment,
+      policyName,
+      description,
+      statements,
+    } = options
+    const resourceName = policyName || generateResourceName({
+      slug,
+      environment,
+      resourceType: 'policy',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const policyStatements = statements.map(stmt => ({
+      Sid: stmt.sid,
+      Effect: stmt.effect || 'Allow',
+      Action: stmt.actions,
+      Resource: stmt.resources,
+      Condition: stmt.conditions,
+    }))
+    const policy: IAMManagedPolicy = {
+      Type: 'AWS::IAM::ManagedPolicy',
+      Properties: {
+        ManagedPolicyName: resourceName,
+        Description: description || `Managed policy for ${resourceName}`,
+        PolicyDocument: {
+          Version: '2012-10-17',
+          Statement: policyStatements,
+        },
+      },
+    }
+    return { policy, logicalId }
+  }
+  /**
+   * Attach a policy to a role
+   */
+  static attachPolicyToRole(
+    role: IAMRole,
+    policyArn: string,
+  ): IAMRole {
+    if (!role.Properties.ManagedPolicyArns) {
+      role.Properties.ManagedPolicyArns = []
+    }
+    if (!role.Properties.ManagedPolicyArns.includes(policyArn)) {
+      role.Properties.ManagedPolicyArns.push(policyArn)
+    }
+    return role
+  }
+  /**
+   * Attach a policy to a user
+   */
+  static attachPolicyToUser(
+    user: IAMUser,
+    policyArn: string,
+  ): IAMUser {
+    if (!user.Properties.ManagedPolicyArns) {
+      user.Properties.ManagedPolicyArns = []
+    }
+    if (!user.Properties.ManagedPolicyArns.includes(policyArn)) {
+      user.Properties.ManagedPolicyArns.push(policyArn)
+    }
+    return user
+  }
+  /**
+   * Attach a policy to a group
+   */
+  static attachPolicyToGroup(
+    group: IAMGroup,
+    policyArn: string,
+  ): IAMGroup {
+    if (!group.Properties.ManagedPolicyArns) {
+      group.Properties.ManagedPolicyArns = []
+    }
+    if (!group.Properties.ManagedPolicyArns.includes(policyArn)) {
+      group.Properties.ManagedPolicyArns.push(policyArn)
+    }
+    return group
+  }
+  /**
+   * Add inline policy to a role
+   */
+  static addInlinePolicyToRole(
+    role: IAMRole,
+    policyName: string,
+    statements: PolicyStatement[],
+  ): IAMRole {
+    if (!role.Properties.Policies) {
+      role.Properties.Policies = []
+    }
+    const policyStatements = statements.map(stmt => ({
+      Effect: stmt.effect || 'Allow',
+      Action: stmt.actions,
+      Resource: stmt.resources,
+    }))
+    role.Properties.Policies.push({
+      PolicyName: policyName,
+      PolicyDocument: {
+        Version: '2012-10-17',
+        Statement: policyStatements,
+      },
+    })
+    return role
+  }
+  /**
+   * Add inline policy to a user
+   */
+  static addInlinePolicyToUser(
+    user: IAMUser,
+    policyName: string,
+    statements: PolicyStatement[],
+  ): IAMUser {
+    if (!user.Properties.Policies) {
+      user.Properties.Policies = []
+    }
+    const policyStatements = statements.map(stmt => ({
+      Effect: stmt.effect || 'Allow',
+      Action: stmt.actions,
+      Resource: stmt.resources,
+    }))
+    user.Properties.Policies.push({
+      PolicyName: policyName,
+      PolicyDocument: {
+        Version: '2012-10-17',
+        Statement: policyStatements,
+      },
+    })
+    return user
+  }
+  /**
+   * Create an access key for programmatic access
+   */
+  static createAccessKey(
+    userLogicalId: string,
+    options: {
+      slug: string
+      environment: EnvironmentType
+      status?: 'Active' | 'Inactive'
+    },
+  ): {
+      accessKey: IAMAccessKey
+      logicalId: string
+    } {
+    const { slug, environment, status = 'Active' } = options
+    const resourceName = generateResourceName({
+      slug,
+      environment,
+      resourceType: 'access-key',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const accessKey: IAMAccessKey = {
+      Type: 'AWS::IAM::AccessKey',
+      Properties: {
+        UserName: Fn.Ref(userLogicalId) as unknown as string,
+        Status: status,
+      },
+    }
+    return { accessKey, logicalId }
+  }
+  /**
+   * Create an instance profile for EC2
+   */
+  static createInstanceProfile(
+    roleLogicalId: string,
+    options: {
+      slug: string
+      environment: EnvironmentType
+      profileName?: string
+    },
+  ): {
+      instanceProfile: IAMInstanceProfile
+      logicalId: string
+    } {
+    const { slug, environment, profileName } = options
+    const resourceName = profileName || generateResourceName({
+      slug,
+      environment,
+      resourceType: 'instance-profile',
+    })
+    const logicalId = generateLogicalId(resourceName)
+    const instanceProfile: IAMInstanceProfile = {
+      Type: 'AWS::IAM::InstanceProfile',
+      Properties: {
+        InstanceProfileName: resourceName,
+        Roles: [Fn.Ref(roleLogicalId) as unknown as string],
+      },
+    }
+    return { instanceProfile, logicalId }
+  }
+  /**
+   * AWS Managed Policies (common)
+   */
+  static readonly ManagedPolicies = {
+    // Administrator Access
+    AdministratorAccess: 'arn:aws:iam::aws:policy/AdministratorAccess',
+    // Power User
+    PowerUserAccess: 'arn:aws:iam::aws:policy/PowerUserAccess',
+    // Read Only
+    ReadOnlyAccess: 'arn:aws:iam::aws:policy/ReadOnlyAccess',
+    // S3
+    S3FullAccess: 'arn:aws:iam::aws:policy/AmazonS3FullAccess',
+    S3ReadOnlyAccess: 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
+    // DynamoDB
+    DynamoDBFullAccess: 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
+    DynamoDBReadOnlyAccess: 'arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess',
+    // RDS
+    RDSFullAccess: 'arn:aws:iam::aws:policy/AmazonRDSFullAccess',
+    RDSReadOnlyAccess: 'arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess',
+    // Lambda
+    LambdaFullAccess: 'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
+    LambdaReadOnlyAccess: 'arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess',
+    LambdaBasicExecutionRole: 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
+    LambdaVPCAccessExecutionRole: 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
+    // EC2
+    EC2FullAccess: 'arn:aws:iam::aws:policy/AmazonEC2FullAccess',
+    EC2ReadOnlyAccess: 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess',
+    EC2ContainerRegistryReadOnly: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
+    EC2ContainerRegistryPowerUser: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser',
+    // ECS
+    ECSTaskExecutionRole: 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
+    ECSFullAccess: 'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
+    // CloudWatch
+    CloudWatchFullAccess: 'arn:aws:iam::aws:policy/CloudWatchFullAccess',
+    CloudWatchLogsFullAccess: 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess',
+    // SES
+    SESFullAccess: 'arn:aws:iam::aws:policy/AmazonSESFullAccess',
+    // SNS
+    SNSFullAccess: 'arn:aws:iam::aws:policy/AmazonSNSFullAccess',
+    // SQS
+    SQSFullAccess: 'arn:aws:iam::aws:policy/AmazonSQSFullAccess',
+    // Secrets Manager
+    SecretsManagerReadWrite: 'arn:aws:iam::aws:policy/SecretsManagerReadWrite',
+  } as const
+  /**
+   * Common service principals
+   */
+  static readonly ServicePrincipals = {
+    Lambda: 'lambda.amazonaws.com',
+    EC2: 'ec2.amazonaws.com',
+    ECS: 'ecs.amazonaws.com',
+    ECSTaskExecution: 'ecs-tasks.amazonaws.com',
+    APIGateway: 'apigateway.amazonaws.com',
+    Events: 'events.amazonaws.com',
+    States: 'states.amazonaws.com',
+    CodeBuild: 'codebuild.amazonaws.com',
+    CodeDeploy: 'codedeploy.amazonaws.com',
+    CloudFormation: 'cloudformation.amazonaws.com',
+  } as const
+  /**
+   * Create a CI/CD user with deployment permissions
+   */
+  static createCiCdUser(options: {
+    slug: string
+    environment: EnvironmentType
+    permissions: {
+      s3Buckets?: string[]
+      cloudFrontDistributions?: string[]
+      ecrRepositories?: string[]
+      ecsServices?: string[]
+      cloudFormationStacks?: string[]
+      lambdaFunctions?: string[]
+      secretsManagerSecrets?: string[]
+    }
+    createAccessKey?: boolean
+  }): {
+    user: IAMUser
+    accessKey?: IAMAccessKey
+    policy: IAMManagedPolicy
+    userLogicalId: string
+    accessKeyLogicalId?: string
+    policyLogicalId: string
+    resources: Record<string, any>
+  } {
+    const {
+      slug,
+      environment,
+      permissions,
+      createAccessKey = true,
+    } = options
+    const resources: Record<string, any> = {}
+    // Build policy statements based on permissions
+    const statements: PolicyStatement[] = []
+    // S3 permissions
+    if (permissions.s3Buckets && permissions.s3Buckets.length > 0) {
+      statements.push({
+        sid: 'S3Access',
+        actions: [
+          's3:GetBucketLocation',
+          's3:ListBucket',
+          's3:GetObject',
+          's3:PutObject',
+          's3:DeleteObject',
+          's3:ListBucketMultipartUploads',
+          's3:AbortMultipartUpload',
+        ],
+        resources: [
+          ...permissions.s3Buckets,
+          ...permissions.s3Buckets.map(b => `${b}/*`),
+        ],
+      })
+    }
+    // CloudFront permissions
+    if (permissions.cloudFrontDistributions && permissions.cloudFrontDistributions.length > 0) {
+      statements.push({
+        sid: 'CloudFrontAccess',
+        actions: [
+          'cloudfront:CreateInvalidation',
+          'cloudfront:GetInvalidation',
+          'cloudfront:ListInvalidations',
+          'cloudfront:GetDistribution',
+        ],
+        resources: permissions.cloudFrontDistributions,
+      })
+    }
+    // ECR permissions
+    if (permissions.ecrRepositories && permissions.ecrRepositories.length > 0) {
+      statements.push({
+        sid: 'ECRAccess',
+        actions: [
+          'ecr:GetAuthorizationToken',
+          'ecr:BatchCheckLayerAvailability',
+          'ecr:GetDownloadUrlForLayer',
+          'ecr:GetRepositoryPolicy',
+          'ecr:DescribeRepositories',
+          'ecr:ListImages',
+          'ecr:DescribeImages',
+          'ecr:BatchGetImage',
+          'ecr:InitiateLayerUpload',
+          'ecr:UploadLayerPart',
+          'ecr:CompleteLayerUpload',
+          'ecr:PutImage',
+        ],
+        resources: permissions.ecrRepositories,
+      })
+      // ECR login requires permission on all resources
+      statements.push({
+        sid: 'ECRLogin',
+        actions: ['ecr:GetAuthorizationToken'],
+        resources: '*',
+      })
+    }
+    // ECS permissions
+    if (permissions.ecsServices && permissions.ecsServices.length > 0) {
+      statements.push({
+        sid: 'ECSAccess',
+        actions: [
+          'ecs:DescribeServices',
+          'ecs:DescribeTaskDefinition',
+          'ecs:DescribeTasks',
+          'ecs:ListTasks',
+          'ecs:RegisterTaskDefinition',
+          'ecs:UpdateService',
+          'ecs:RunTask',
+          'ecs:StopTask',
+        ],
+        resources: permissions.ecsServices,
+      })
+      // Task definition registration requires broader permissions
+      statements.push({
+        sid: 'ECSTaskDefinitions',
+        actions: [
+          'ecs:RegisterTaskDefinition',
+          'ecs:DeregisterTaskDefinition',
+        ],
+        resources: '*',
+      })
+      // IAM PassRole for ECS
+      statements.push({
+        sid: 'ECSPassRole',
+        actions: ['iam:PassRole'],
+        resources: '*',
+        conditions: {
+          StringLike: {
+            'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+          },
+        },
+      })
+    }
+    // CloudFormation permissions
+    if (permissions.cloudFormationStacks && permissions.cloudFormationStacks.length > 0) {
+      statements.push({
+        sid: 'CloudFormationAccess',
+        actions: [
+          'cloudformation:CreateStack',
+          'cloudformation:UpdateStack',
+          'cloudformation:DeleteStack',
+          'cloudformation:DescribeStacks',
+          'cloudformation:DescribeStackEvents',
+          'cloudformation:DescribeStackResources',
+          'cloudformation:GetTemplate',
+          'cloudformation:ListStackResources',
+          'cloudformation:ValidateTemplate',
+        ],
+        resources: permissions.cloudFormationStacks,
+      })
+    }
+    // Lambda permissions
+    if (permissions.lambdaFunctions && permissions.lambdaFunctions.length > 0) {
+      statements.push({
+        sid: 'LambdaAccess',
+        actions: [
+          'lambda:GetFunction',
+          'lambda:UpdateFunctionCode',
+          'lambda:UpdateFunctionConfiguration',
+          'lambda:PublishVersion',
+          'lambda:UpdateAlias',
+          'lambda:CreateAlias',
+        ],
+        resources: permissions.lambdaFunctions,
+      })
+    }
+    // Secrets Manager permissions
+    if (permissions.secretsManagerSecrets && permissions.secretsManagerSecrets.length > 0) {
+      statements.push({
+        sid: 'SecretsManagerAccess',
+        actions: [
+          'secretsmanager:GetSecretValue',
+          'secretsmanager:DescribeSecret',
+        ],
+        resources: permissions.secretsManagerSecrets,
+      })
+    }
+    // Create the policy
+    const { policy, logicalId: policyLogicalId } = Permissions.createPolicy({
+      slug,
+      environment,
+      policyName: generateResourceName({
+        slug,
+        environment,
+        resourceType: 'cicd-policy',
+      }),
+      description: `CI/CD deployment policy for ${slug} (${environment})`,
+      statements,
+    })
+    resources[policyLogicalId] = policy
+    // Create the user
+    const { user, logicalId: userLogicalId } = Permissions.createUser({
+      slug,
+      environment,
+      userName: generateResourceName({
+        slug,
+        environment,
+        resourceType: 'cicd-user',
+      }),
+      managedPolicyArns: [Fn.Ref(policyLogicalId) as unknown as string],
+    })
+    resources[userLogicalId] = user
+    // Create access key if requested
+    let accessKey: IAMAccessKey | undefined
+    let accessKeyLogicalId: string | undefined
+    if (createAccessKey) {
+      const keyResult = Permissions.createAccessKey(userLogicalId, { slug, environment })
+      accessKey = keyResult.accessKey
+      accessKeyLogicalId = keyResult.logicalId
+      resources[accessKeyLogicalId] = accessKey
+    }
+    return {
+      user,
+      accessKey,
+      policy,
+      userLogicalId,
+      accessKeyLogicalId,
+      policyLogicalId,
+      resources,
+    }
+  }
+  /**
+   * Create a cross-account access role
+   */
+  static createCrossAccountRole(options: {
+    slug: string
+    environment: EnvironmentType
+    trustedAccountIds: string[]
+    externalId?: string
+    permissions: PolicyStatement[]
+    maxSessionDuration?: number
+  }): {
+    role: IAMRole
+    policy: IAMManagedPolicy
+    roleLogicalId: string
+    policyLogicalId: string
+    resources: Record<string, any>
+  } {
+    const {
+      slug,
+      environment,
+      trustedAccountIds,
+      externalId,
+      permissions,
+      maxSessionDuration = 3600,
+    } = options
+    const resources: Record<string, any> = {}
+    // Create the policy
+    const { policy, logicalId: policyLogicalId } = Permissions.createPolicy({
+      slug,
+      environment,
+      policyName: generateResourceName({
+        slug,
+        environment,
+        resourceType: 'cross-account-policy',
+      }),
+      description: `Cross-account access policy for ${slug} (${environment})`,
+      statements: permissions,
+    })
+    resources[policyLogicalId] = policy
+    const resourceName = generateResourceName({
+      slug,
+      environment,
+      resourceType: 'cross-account-role',
+    })
+    const roleLogicalId = generateLogicalId(resourceName)
+    // Build trust policy
+    const conditions: Record<string, any> = {}
+    if (externalId) {
+      conditions.StringEquals = {
+        'sts:ExternalId': externalId,
+      }
+    }
+    const role: IAMRole = {
+      Type: 'AWS::IAM::Role',
+      Properties: {
+        RoleName: resourceName,
+        MaxSessionDuration: maxSessionDuration,
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17',
+          Statement: [{
+            Effect: 'Allow',
+            Principal: {
+              AWS: trustedAccountIds.map(id => `arn:aws:iam::${id}:root`),
+            },
+            Action: 'sts:AssumeRole',
+            ...(Object.keys(conditions).length > 0 ? { Condition: conditions } : {}),
+          }],
+        },
+        ManagedPolicyArns: [Fn.Ref(policyLogicalId) as unknown as string],
+        Tags: [
+          { Key: 'Name', Value: resourceName },
+          { Key: 'Environment', Value: environment },
+          { Key: 'Purpose', Value: 'Cross-Account Access' },
+        ],
+      },
+    }
+    resources[roleLogicalId] = role
+    return {
+      role,
+      policy,
+      roleLogicalId,
+      policyLogicalId,
+      resources,
+    }
+  }
+  /**
+   * Create a CLI access user with minimal permissions
+   */
+  static createCliUser(options: {
+    slug: string
+    environment: EnvironmentType
+    permissions?: 'readonly' | 'deploy' | 'admin'
+  }): {
+    user: IAMUser
+    accessKey: IAMAccessKey
+    policy?: IAMManagedPolicy
+    userLogicalId: string
+    accessKeyLogicalId: string
+    policyLogicalId?: string
+    resources: Record<string, any>
+  } {
+    const {
+      slug,
+      environment,
+      permissions = 'readonly',
+    } = options
+    const resources: Record<string, any> = {}
+    // Define statements based on permission level
+    let statements: PolicyStatement[] = []
+    let managedPolicyArns: string[] = []
+    switch (permissions) {
+      case 'readonly':
+        managedPolicyArns = [Permissions.ManagedPolicies.ReadOnlyAccess]
+        break
+      case 'deploy':
+        statements = [
+          {
+            sid: 'S3Deploy',
+            actions: ['s3:*'],
+            resources: '*',
+          },
+          {
+            sid: 'CloudFrontDeploy',
+            actions: ['cloudfront:*'],
+            resources: '*',
+          },
+          {
+            sid: 'ECSDeploy',
+            actions: ['ecs:*'],
+            resources: '*',
+          },
+          {
+            sid: 'ECRDeploy',
+            actions: ['ecr:*'],
+            resources: '*',
+          },
+          {
+            sid: 'LambdaDeploy',
+            actions: ['lambda:*'],
+            resources: '*',
+          },
+          {
+            sid: 'CloudFormationDeploy',
+            actions: ['cloudformation:*'],
+            resources: '*',
+          },
+          {
+            sid: 'IAMPassRole',
+            actions: ['iam:PassRole'],
+            resources: '*',
+          },
+        ]
+        break
+      case 'admin':
+        managedPolicyArns = [Permissions.ManagedPolicies.AdministratorAccess]
+        break
+    }
+    // Create policy if needed
+    let policy: IAMManagedPolicy | undefined
+    let policyLogicalId: string | undefined
+    if (statements.length > 0) {
+      const policyResult = Permissions.createPolicy({
+        slug,
+        environment,
+        policyName: generateResourceName({
+          slug,
+          environment,
+          resourceType: 'cli-policy',
+        }),
+        description: `CLI access policy for ${slug} (${environment})`,
+        statements,
+      })
+      policy = policyResult.policy
+      policyLogicalId = policyResult.logicalId
+      resources[policyLogicalId] = policy
+      managedPolicyArns = [Fn.Ref(policyLogicalId) as unknown as string]
+    }
+    // Create user
+    const { user, logicalId: userLogicalId } = Permissions.createUser({
+      slug,
+      environment,
+      userName: generateResourceName({
+        slug,
+        environment,
+        resourceType: 'cli-user',
+      }),
+      managedPolicyArns,
+    })
+    resources[userLogicalId] = user
+    // Create access key
+    const { accessKey, logicalId: accessKeyLogicalId } = Permissions.createAccessKey(
+      userLogicalId,
+      { slug, environment },
+    )
+    resources[accessKeyLogicalId] = accessKey
+    return {
+      user,
+      accessKey,
+      policy,
+      userLogicalId,
+      accessKeyLogicalId,
+      policyLogicalId,
+      resources,
+    }
+  }
+  /**
+   * Common CI/CD policy templates
+   */
+  static readonly CiCdPolicies = {
+    /**
+     * S3 static site deployment policy
+     */
+    s3Deployment: (bucketArns: string[]): PolicyStatement[] => [
+      {
+        sid: 'S3ListBuckets',
+        actions: ['s3:ListBucket', 's3:GetBucketLocation'],
+        resources: bucketArns,
+      },
+      {
+        sid: 'S3Objects',
+        actions: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
+        resources: bucketArns.map(arn => `${arn}/*`),
+      },
+    ],
+    /**
+     * CloudFront invalidation policy
+     */
+    cloudFrontInvalidation: (distributionArns: string[]): PolicyStatement[] => [
+      {
+        sid: 'CloudFrontInvalidation',
+        actions: [
+          'cloudfront:CreateInvalidation',
+          'cloudfront:GetInvalidation',
+          'cloudfront:ListInvalidations',
+        ],
+        resources: distributionArns,
+      },
+    ],
+    /**
+     * ECS deployment policy
+     */
+    ecsDeployment: (): PolicyStatement[] => [
+      {
+        sid: 'ECSServices',
+        actions: [
+          'ecs:DescribeServices',
+          'ecs:UpdateService',
+          'ecs:DescribeTaskDefinition',
+          'ecs:RegisterTaskDefinition',
+        ],
+        resources: '*',
+      },
+      {
+        sid: 'ECSPassRole',
+        actions: ['iam:PassRole'],
+        resources: '*',
+        conditions: {
+          StringLike: {
+            'iam:PassedToService': 'ecs-tasks.amazonaws.com',
+          },
+        },
+      },
+    ],
+    /**
+     * ECR push policy
+     */
+    ecrPush: (repositoryArns: string[]): PolicyStatement[] => [
+      {
+        sid: 'ECRAuth',
+        actions: ['ecr:GetAuthorizationToken'],
+        resources: '*',
+      },
+      {
+        sid: 'ECRPush',
+        actions: [
+          'ecr:BatchCheckLayerAvailability',
+          'ecr:GetDownloadUrlForLayer',
+          'ecr:BatchGetImage',
+          'ecr:InitiateLayerUpload',
+          'ecr:UploadLayerPart',
+          'ecr:CompleteLayerUpload',
+          'ecr:PutImage',
+        ],
+        resources: repositoryArns,
+      },
+    ],
+    /**
+     * Lambda deployment policy
+     */
+    lambdaDeployment: (functionArns: string[]): PolicyStatement[] => [
+      {
+        sid: 'LambdaDeploy',
+        actions: [
+          'lambda:GetFunction',
+          'lambda:UpdateFunctionCode',
+          'lambda:UpdateFunctionConfiguration',
+          'lambda:PublishVersion',
+        ],
+        resources: functionArns,
+      },
+    ],
+    /**
+     * CloudFormation deployment policy
+     */
+    cloudFormationDeployment: (stackArns: string[]): PolicyStatement[] => [
+      {
+        sid: 'CloudFormationDeploy',
+        actions: [
+          'cloudformation:CreateStack',
+          'cloudformation:UpdateStack',
+          'cloudformation:DescribeStacks',
+          'cloudformation:DescribeStackEvents',
+          'cloudformation:GetTemplate',
+        ],
+        resources: stackArns,
+      },
+    ],
+  }
+}