@stacksjs/ts-cloud-core 0.1.3 → 0.1.7

package/dist/cloudformation/types.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Helper functions for creating CloudFormation intrinsic functions
+ */
+export declare const Fn: {
+  ref: (logicalId: string) => unknown;
+  getAtt: (logicalId: string, attribute: string) => unknown;
+  join: (delimiter: string, values: any[]) => unknown;
+  sub: (template: string, variables?: Record<string, any>) => unknown;
+  select: (index: number, list: any[] | CloudFormationIntrinsicFunction) => unknown;
+  split: (delimiter: string, source: string) => unknown;
+  getAZs: (region: string?) => unknown;
+  importValue: (name: any) => unknown;
+  findInMap: (mapName: string, topLevelKey: any, secondLevelKey: any) => unknown;
+  base64: (value: any) => unknown;
+  cidr: (ipBlock: any, count: number, cidrBits: number) => unknown;
+  equals: (value1: any, value2: any) => unknown;
+  if: (conditionName: string, trueValue: any, falseValue: any) => unknown;
+  not: (condition: any) => unknown;
+  and: (...conditions: any[]) => unknown;
+  or: (...conditions: any[]) => unknown
+};
+/**
+ * Common AWS resource ARN patterns
+ */
+export declare const Arn: {
+  s3Bucket: (bucketName: any) => unknown;
+  s3Object: (bucketName: any, key: string?) => unknown;
+  lambda: (functionName: string, region?: string, account?: string) => unknown;
+  dynamodb: (tableName: string) => unknown;
+  sqs: (queueName: string) => unknown;
+  sns: (topicName: string) => unknown;
+  kinesis: (streamName: string) => unknown;
+  iam: (resourceType: 'role' | 'policy' | 'user' | 'group', name: string) => unknown;
+  secretsManager: (secretName: string) => unknown;
+  cloudwatch: (logGroup: string) => unknown
+};
+/**
+ * Common CloudFormation pseudo parameters
+ */
+export declare const AWS_PSEUDO_PARAMETERS: {
+  ACCOUNT_ID: {
+  Ref: 'AWS::AccountId'
+};
+  NOTIFICATION_ARNS: {
+  Ref: 'AWS::NotificationARNs'
+};
+  NO_VALUE: {
+  Ref: 'AWS::NoValue'
+};
+  PARTITION: {
+  Ref: 'AWS::Partition'
+};
+  REGION: {
+  Ref: 'AWS::Region'
+};
+  STACK_ID: {
+  Ref: 'AWS::StackId'
+};
+  STACK_NAME: {
+  Ref: 'AWS::StackName'
+};
+  URL_SUFFIX: {
+  Ref: 'AWS::URLSuffix'
+}
+};
+/**
+ * CloudFormation Template Types
+ * Based on AWS CloudFormation Resource Specification
+ */
+export declare interface CloudFormationTemplate {
+  AWSTemplateFormatVersion: '2010-09-09'
+  Description?: string
+  Metadata?: Record<string, any>
+  Parameters?: Record<string, CloudFormationParameter>
+  Mappings?: Record<string, Record<string, Record<string, string>>>
+  Conditions?: Record<string, CloudFormationCondition>
+  Resources: Record<string, CloudFormationResource>
+  Outputs?: Record<string, CloudFormationOutput>
+}
+export declare interface CloudFormationParameter {
+  Type: 'String' | 'Number' | 'List<Number>' | 'CommaDelimitedList' | 'AWS::EC2::AvailabilityZone::Name' | 'AWS::EC2::Image::Id' | 'AWS::EC2::Instance::Id' | 'AWS::EC2::KeyPair::KeyName' | 'AWS::EC2::SecurityGroup::GroupName' | 'AWS::EC2::SecurityGroup::Id' | 'AWS::EC2::Subnet::Id' | 'AWS::EC2::Volume::Id' | 'AWS::EC2::VPC::Id' | 'AWS::Route53::HostedZone::Id' | 'List<AWS::EC2::AvailabilityZone::Name>' | 'List<AWS::EC2::Image::Id>' | 'List<AWS::EC2::Instance::Id>' | 'List<AWS::EC2::SecurityGroup::GroupName>' | 'List<AWS::EC2::SecurityGroup::Id>' | 'List<AWS::EC2::Subnet::Id>' | 'List<AWS::EC2::Volume::Id>' | 'List<AWS::EC2::VPC::Id>' | 'List<AWS::Route53::HostedZone::Id>'
+  Default?: string | number
+  Description?: string
+  AllowedValues?: string[]
+  AllowedPattern?: string
+  MinLength?: number
+  MaxLength?: number
+  MinValue?: number
+  MaxValue?: number
+  ConstraintDescription?: string
+  NoEcho?: boolean
+}
+export declare interface CloudFormationResource {
+  Type: string
+  Properties?: Record<string, any>
+  DependsOn?: string | string[]
+  Condition?: string
+  Metadata?: Record<string, any>
+  CreationPolicy?: Record<string, any>
+  UpdatePolicy?: Record<string, any>
+  DeletionPolicy?: 'Delete' | 'Retain' | 'Snapshot'
+  UpdateReplacePolicy?: 'Delete' | 'Retain' | 'Snapshot'
+}
+export declare interface CloudFormationOutput {
+  Value: any
+  Description?: string
+  Export?: {
+    Name: any
+  }
+  Condition?: string
+}
+export type CloudFormationCondition = | CloudFormationIntrinsicFunction
+  | boolean
+/**
+ * CloudFormation Intrinsic Functions
+ */
+export type CloudFormationIntrinsicFunction = | { Ref: string }
+  | { 'Fn::GetAtt': [string, string] }
+  | { 'Fn::Join': [string, any[]] }
+  | { 'Fn::Sub': string | [string, Record<string, any>] }
+  | { 'Fn::Select': [number, any[] | CloudFormationIntrinsicFunction] }
+  | { 'Fn::Split': [string, string] }
+  | { 'Fn::GetAZs': string }
+  | { 'Fn::ImportValue': any }
+  | { 'Fn::FindInMap': [string, any, any] }
+  | { 'Fn::Base64': any }
+  | { 'Fn::Cidr': [any, number, number] }
+  | { 'Fn::Equals': [any, any] }
+  | { 'Fn::If': [string, any, any] }
+  | { 'Fn::Not': [any] }
+  | { 'Fn::And': any[] }
+  | { 'Fn::Or': any[] }

package/dist/compliance/aws-config.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Global AWS Config manager instance
+ */
+export declare const awsConfigManager: AWSConfigManager;
+/**
+ * AWS Config Rules
+ * Automated compliance checking and configuration management
+ */
+export declare interface ConfigRule {
+  id: string
+  name: string
+  description: string
+  source: 'AWS_MANAGED' | 'CUSTOM_LAMBDA'
+  identifier?: string
+  lambdaFunctionArn?: string
+  inputParameters?: Record<string, any>
+  scope?: ConfigScope
+  maxExecutionFrequency?: 'One_Hour' | 'Three_Hours' | 'Six_Hours' | 'Twelve_Hours' | 'TwentyFour_Hours'
+}
+export declare interface ConfigScope {
+  complianceResourceTypes?: string[]
+  tagKey?: string
+  tagValue?: string
+}
+export declare interface ConfigRecorder {
+  name: string
+  roleArn: string
+  recordingGroup?: RecordingGroup
+}
+export declare interface RecordingGroup {
+  allSupported?: boolean
+  includeGlobalResourceTypes?: boolean
+  resourceTypes?: string[]
+}
+export declare interface DeliveryChannel {
+  name: string
+  s3BucketName: string
+  s3KeyPrefix?: string
+  snsTopicArn?: string
+  configSnapshotDeliveryProperties?: {
+    deliveryFrequency?: 'One_Hour' | 'Three_Hours' | 'Six_Hours' | 'Twelve_Hours' | 'TwentyFour_Hours'
+  }
+}
+/**
+ * AWS Config manager
+ */
+export declare class AWSConfigManager {
+  private configRules: Map<string, ConfigRule>;
+  private configRecorders: Map<string, ConfigRecorder>;
+  private deliveryChannels: Map<string, DeliveryChannel>;
+  private ruleCounter: any;
+  createConfigRecorder(recorder: ConfigRecorder): ConfigRecorder;
+  createDeliveryChannel(channel: DeliveryChannel): DeliveryChannel;
+  createConfigRule(rule: Omit<ConfigRule, 'id'>): ConfigRule;
+  createS3EncryptionRule(): ConfigRule;
+  createS3PublicAccessBlockRule(): ConfigRule;
+  createS3VersioningRule(): ConfigRule;
+  createRdsEncryptionRule(): ConfigRule;
+  createRdsSnapshotEncryptionRule(): ConfigRule;
+  createRdsBackupRule(retentionPeriod?: number): ConfigRule;
+  createEc2InstanceProfileRule(): ConfigRule;
+  createEbsEncryptionRule(): ConfigRule;
+  createIamPasswordPolicyRule(): ConfigRule;
+  createIamMfaRule(): ConfigRule;
+  createRootAccountMfaRule(): ConfigRule;
+  createVpcFlowLogsRule(): ConfigRule;
+  createCloudTrailEnabledRule(): ConfigRule;
+  createCloudWatchAlarmRule(): ConfigRule;
+  createCustomLambdaRule(options: {
+    name: string
+    description: string
+    lambdaFunctionArn: string
+    resourceTypes?: string[]
+    maxExecutionFrequency?: ConfigRule['maxExecutionFrequency']
+    inputParameters?: Record<string, any>
+  }): ConfigRule;
+  createCompliancePreset(preset: 'hipaa' | 'pci-dss' | 'sox' | 'gdpr' | 'basic'): ConfigRule[];
+  getConfigRule(id: string): ConfigRule | undefined;
+  listConfigRules(): ConfigRule[];
+  getConfigRecorder(name: string): ConfigRecorder | undefined;
+  listConfigRecorders(): ConfigRecorder[];
+  getDeliveryChannel(name: string): DeliveryChannel | undefined;
+  listDeliveryChannels(): DeliveryChannel[];
+  generateConfigRuleCF(rule: ConfigRule): any;
+  generateConfigRecorderCF(recorder: ConfigRecorder): any;
+  generateDeliveryChannelCF(channel: DeliveryChannel): any;
+  clear(): void;
+}

package/dist/compliance/cloudtrail.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Global CloudTrail manager instance
+ */
+export declare const cloudTrailManager: CloudTrailManager;
+/**
+ * AWS CloudTrail Configuration
+ * API logging and auditing for security and compliance
+ */
+export declare interface CloudTrailConfig {
+  id: string
+  name: string
+  s3BucketName: string
+  s3KeyPrefix?: string
+  includeGlobalServiceEvents?: boolean
+  isMultiRegionTrail?: boolean
+  enableLogFileValidation?: boolean
+  cloudWatchLogsLogGroupArn?: string
+  cloudWatchLogsRoleArn?: string
+  snsTopicName?: string
+  kmsKeyId?: string
+  eventSelectors?: EventSelector[]
+  insightSelectors?: InsightSelector[]
+  advancedEventSelectors?: AdvancedEventSelector[]
+}
+export declare interface EventSelector {
+  readWriteType: 'ReadOnly' | 'WriteOnly' | 'All'
+  includeManagementEvents?: boolean
+  dataResources?: DataResource[]
+  excludeManagementEventSources?: string[]
+}
+export declare interface DataResource {
+  type: string
+  values: string[]
+}
+export declare interface InsightSelector {
+  insightType: 'ApiCallRateInsight' | 'ApiErrorRateInsight'
+}
+export declare interface AdvancedEventSelector {
+  name: string
+  fieldSelectors: FieldSelector[]
+}
+export declare interface FieldSelector {
+  field: string
+  equals?: string[]
+  startsWith?: string[]
+  endsWith?: string[]
+  notEquals?: string[]
+  notStartsWith?: string[]
+  notEndsWith?: string[]
+}
+/**
+ * CloudTrail manager
+ */
+export declare class CloudTrailManager {
+  private trails: Map<string, CloudTrailConfig>;
+  private trailCounter: any;
+  createTrail(trail: Omit<CloudTrailConfig, 'id'>): CloudTrailConfig;
+  createOrganizationTrail(options: {
+    name: string
+    s3BucketName: string
+    kmsKeyId?: string
+    cloudWatchLogsLogGroupArn?: string
+    cloudWatchLogsRoleArn?: string
+  }): CloudTrailConfig;
+  createSecurityAuditTrail(options: {
+    name: string
+    s3BucketName: string
+    kmsKeyId: string
+    cloudWatchLogsLogGroupArn: string
+    cloudWatchLogsRoleArn: string
+  }): CloudTrailConfig;
+  createDataEventsTrail(options: {
+    name: string
+    s3BucketName: string
+    s3DataBuckets?: string[]
+    lambdaFunctions?: string[]
+  }): CloudTrailConfig;
+  createAdvancedTrail(options: {
+    name: string
+    s3BucketName: string
+    selectors: AdvancedEventSelector[]
+  }): CloudTrailConfig;
+  createReadOnlyTrail(options: {
+    name: string
+    s3BucketName: string
+  }): CloudTrailConfig;
+  createWriteOnlyTrail(options: {
+    name: string
+    s3BucketName: string
+  }): CloudTrailConfig;
+  getTrail(id: string): CloudTrailConfig | undefined;
+  listTrails(): CloudTrailConfig[];
+  generateTrailCF(trail: CloudTrailConfig): any;
+  generateBucketPolicy(bucketName: string, trailAccountIds: string[]): any;
+  clear(): void;
+}

package/dist/compliance/guardduty.d.ts

@@ -0,0 +1,110 @@
+/**
+ * Global GuardDuty manager instance
+ */
+export declare const guardDutyManager: GuardDutyManager;
+/**
+ * AWS GuardDuty
+ * Intelligent threat detection and continuous monitoring
+ */
+export declare interface GuardDutyDetector {
+  id: string
+  enable: boolean
+  findingPublishingFrequency?: 'FIFTEEN_MINUTES' | 'ONE_HOUR' | 'SIX_HOURS'
+  dataSources?: DataSourceConfigurations
+  features?: DetectorFeature[]
+}
+export declare interface DataSourceConfigurations {
+  s3Logs?: {
+    enable: boolean
+  }
+  kubernetes?: {
+    auditLogs: {
+      enable: boolean
+    }
+  }
+  malwareProtection?: {
+    scanEc2InstanceWithFindings: {
+      ebsVolumes: {
+        enable: boolean
+      }
+    }
+  }
+}
+export declare interface DetectorFeature {
+  name: 'S3_DATA_EVENTS' | 'EKS_AUDIT_LOGS' | 'EBS_MALWARE_PROTECTION' | 'RDS_LOGIN_EVENTS' | 'LAMBDA_NETWORK_LOGS'
+  status: 'ENABLED' | 'DISABLED'
+  additionalConfiguration?: {
+    name: string
+    status: 'ENABLED' | 'DISABLED'
+  }[]
+}
+export declare interface ThreatIntelSet {
+  id: string
+  detectorId: string
+  name: string
+  format: 'TXT' | 'STIX' | 'OTX_CSV' | 'ALIEN_VAULT' | 'PROOF_POINT' | 'FIRE_EYE'
+  location: string
+  activate: boolean
+}
+export declare interface IPSet {
+  id: string
+  detectorId: string
+  name: string
+  format: 'TXT' | 'STIX' | 'OTX_CSV' | 'ALIEN_VAULT' | 'PROOF_POINT' | 'FIRE_EYE'
+  location: string
+  activate: boolean
+}
+export declare interface FindingFilter {
+  id: string
+  detectorId: string
+  name: string
+  description?: string
+  action: 'NOOP' | 'ARCHIVE'
+  rank: number
+  findingCriteria: FindingCriteria
+}
+export declare interface FindingCriteria {
+  criterion: Record<string, {
+    eq?: string[]
+    neq?: string[]
+    gt?: number
+    gte?: number
+    lt?: number
+    lte?: number
+  }>
+}
+/**
+ * GuardDuty manager
+ */
+export declare class GuardDutyManager {
+  private detectors: Map<string, GuardDutyDetector>;
+  private threatIntelSets: Map<string, ThreatIntelSet>;
+  private ipSets: Map<string, IPSet>;
+  private filters: Map<string, FindingFilter>;
+  private detectorCounter: any;
+  private threatIntelCounter: any;
+  private ipSetCounter: any;
+  private filterCounter: any;
+  createDetector(detector: Omit<GuardDutyDetector, 'id'>): GuardDutyDetector;
+  createComprehensiveDetector(): GuardDutyDetector;
+  createBasicDetector(): GuardDutyDetector;
+  createThreatIntelSet(set: Omit<ThreatIntelSet, 'id'>): ThreatIntelSet;
+  createIPSet(set: Omit<IPSet, 'id'>): IPSet;
+  createFindingFilter(filter: Omit<FindingFilter, 'id'>): FindingFilter;
+  createLowSeverityArchiveFilter(detectorId: string): FindingFilter;
+  createFindingTypeFilter(detectorId: string, findingTypes: string[], action: 'NOOP' | 'ARCHIVE'): FindingFilter;
+  createTrustedIPFilter(detectorId: string, ipAddresses: string[]): FindingFilter;
+  getDetector(id: string): GuardDutyDetector | undefined;
+  listDetectors(): GuardDutyDetector[];
+  getThreatIntelSet(id: string): ThreatIntelSet | undefined;
+  listThreatIntelSets(): ThreatIntelSet[];
+  getIPSet(id: string): IPSet | undefined;
+  listIPSets(): IPSet[];
+  getFindingFilter(id: string): FindingFilter | undefined;
+  listFindingFilters(): FindingFilter[];
+  generateDetectorCF(detector: GuardDutyDetector): any;
+  generateThreatIntelSetCF(set: ThreatIntelSet): any;
+  generateIPSetCF(set: IPSet): any;
+  generateFilterCF(filter: FindingFilter): any;
+  clear(): void;
+}

package/{src/compliance/index.ts → dist/compliance/index.d.ts}

@@ -1,28 +1,10 @@
-/**
- * Compliance & Governance
- * AWS Config, CloudTrail, GuardDuty, and Security Hub integrations
- */
-
-// AWS Config
-export {
-  AWSConfigManager,
-  awsConfigManager,
-} from './aws-config'
-
 export type {
   ConfigRule,
   ConfigScope,
   ConfigRecorder,
   RecordingGroup,
   DeliveryChannel,
-} from './aws-config'
-
-// CloudTrail
-export {
-  CloudTrailManager,
-  cloudTrailManager,
-} from './cloudtrail'
-
+} from './aws-config';
 export type {
   CloudTrailConfig,
   EventSelector,
@@ -30,14 +12,7 @@ export type {
   InsightSelector,
   AdvancedEventSelector,
   FieldSelector,
-} from './cloudtrail'
-
-// GuardDuty
-export {
-  GuardDutyManager,
-  guardDutyManager,
-} from './guardduty'
-
+} from './cloudtrail';
 export type {
   GuardDutyDetector,
   DataSourceConfigurations,
@@ -46,14 +21,7 @@ export type {
   IPSet,
   FindingFilter,
   FindingCriteria,
-} from './guardduty'
-
-// Security Hub
-export {
-  SecurityHubManager,
-  securityHubManager,
-} from './security-hub'
-
+} from './guardduty';
 export type {
   SecurityHubConfig,
   SecurityStandard,
@@ -63,4 +31,20 @@ export type {
   StringFilter,
   NumberFilter,
   MapFilter,
-} from './security-hub'
+} from './security-hub';
+export {
+  AWSConfigManager,
+  awsConfigManager,
+} from './aws-config';
+export {
+  CloudTrailManager,
+  cloudTrailManager,
+} from './cloudtrail';
+export {
+  GuardDutyManager,
+  guardDutyManager,
+} from './guardduty';
+export {
+  SecurityHubManager,
+  securityHubManager,
+} from './security-hub';

package/dist/compliance/security-hub.d.ts

@@ -0,0 +1,110 @@
+/**
+ * Global Security Hub manager instance
+ */
+export declare const securityHubManager: SecurityHubManager;
+/**
+ * AWS Security Hub
+ * Centralized security and compliance view across AWS accounts
+ */
+export declare interface SecurityHubConfig {
+  id: string
+  enable: boolean
+  controlFindingGenerator?: 'STANDARD_CONTROL' | 'SECURITY_CONTROL'
+  enableDefaultStandards?: boolean
+  standards?: SecurityStandard[]
+  automationRules?: AutomationRule[]
+}
+export declare interface SecurityStandard {
+  id: string
+  arn: string
+  name: string
+  description: string
+  enabled: boolean
+  disabledControls?: string[]
+}
+export declare interface AutomationRule {
+  id: string
+  ruleName: string
+  description?: string
+  actions: AutomationAction[]
+  criteria: AutomationCriteria
+  ruleStatus: 'ENABLED' | 'DISABLED'
+  ruleOrder: number
+}
+export declare interface AutomationAction {
+  type: 'FINDING_FIELDS_UPDATE'
+  findingFieldsUpdate: {
+    note?: {
+      text: string
+      updatedBy: string
+    }
+    severity?: {
+      label: 'INFORMATIONAL' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL'
+    }
+    workflow?: {
+      status: 'NEW' | 'NOTIFIED' | 'RESOLVED' | 'SUPPRESSED'
+    }
+    relatedFindings?: Array<{
+      productArn: string
+      id: string
+    }>
+    userDefinedFields?: Record<string, string>
+  }
+}
+export declare interface AutomationCriteria {
+  productName?: StringFilter[]
+  companyName?: StringFilter[]
+  severityLabel?: StringFilter[]
+  resourceType?: StringFilter[]
+  resourceId?: StringFilter[]
+  recordState?: StringFilter[]
+  workflowStatus?: StringFilter[]
+  complianceStatus?: StringFilter[]
+  verificationState?: StringFilter[]
+  confidence?: NumberFilter[]
+  criticality?: NumberFilter[]
+  title?: StringFilter[]
+  description?: StringFilter[]
+  sourceUrl?: StringFilter[]
+  productFields?: MapFilter[]
+  resourceTags?: MapFilter[]
+  userDefinedFields?: MapFilter[]
+}
+export declare interface StringFilter {
+  value: string
+  comparison: 'EQUALS' | 'PREFIX' | 'NOT_EQUALS' | 'PREFIX_NOT_EQUALS'
+}
+export declare interface NumberFilter {
+  gte?: number
+  lte?: number
+  eq?: number
+  gt?: number
+  lt?: number
+}
+export declare interface MapFilter {
+  key: string
+  value?: string
+  comparison: 'EQUALS' | 'NOT_EQUALS'
+}
+/**
+ * Security Hub manager
+ */
+export declare class SecurityHubManager {
+  private hubs: Map<string, SecurityHubConfig>;
+  private hubCounter: any;
+  private ruleCounter: any;
+  static readonly Standards: any;
+  createHub(hub: Omit<SecurityHubConfig, 'id'>): SecurityHubConfig;
+  createComprehensiveHub(): SecurityHubConfig;
+  createBasicHub(): SecurityHubConfig;
+  createLowSeveritySuppressionRule(): AutomationRule;
+  createResourceTypeNotificationRule(resourceTypes: string[]): AutomationRule;
+  createComplianceFailureRule(): AutomationRule;
+  createFalsePositiveSuppressionRule(productName: string, titlePatterns: string[]): AutomationRule;
+  getHub(id: string): SecurityHubConfig | undefined;
+  listHubs(): SecurityHubConfig[];
+  generateHubCF(hub: SecurityHubConfig): any;
+  generateStandardCF(standard: SecurityStandard): any;
+  generateAutomationRuleCF(rule: AutomationRule): any;
+  clear(): void;
+}