@stacksjs/ts-cloud-core 0.1.3 → 0.1.7

package/src/modules/compute.ts

@@ -1,3348 +0,0 @@
-import type {
-  ApplicationLoadBalancer,
-  AutoScalingGroup,
-  AutoScalingLaunchConfiguration,
-  AutoScalingScalingPolicy,
-  EC2Instance,
-  EC2SecurityGroup,
-  ECSCluster,
-  ECSService,
-  ECSTaskDefinition,
-  IAMRole,
-  LambdaFunction,
-  Listener,
-  TargetGroup,
-} from '@stacksjs/ts-cloud-aws-types'
-import type { EnvironmentType } from '@stacksjs/ts-cloud-types'
-import { Fn } from '../intrinsic-functions'
-import { generateLogicalId, generateResourceName } from '../resource-naming'
-
-export interface ServerOptions {
-  slug: string
-  environment: EnvironmentType
-  instanceType?: string
-  imageId?: string
-  keyName?: string
-  securityGroupIds?: string[]
-  subnetId?: string
-  userData?: string
-  volumeSize?: number
-  volumeType?: 'gp2' | 'gp3' | 'io1' | 'io2'
-  encrypted?: boolean
-}
-
-export interface SecurityGroupOptions {
-  slug: string
-  environment: EnvironmentType
-  vpcId?: string
-  description?: string
-  ingress?: SecurityGroupRule[]
-  egress?: SecurityGroupRule[]
-}
-
-export interface SecurityGroupRule {
-  protocol: string
-  fromPort?: number
-  toPort?: number
-  cidr?: string
-  sourceSecurityGroupId?: string
-}
-
-export interface LoadBalancerOptions {
-  slug: string
-  environment: EnvironmentType
-  scheme?: 'internet-facing' | 'internal'
-  subnets: string[]
-  securityGroups?: string[]
-  type?: 'application' | 'network'
-}
-
-export interface TargetGroupOptions {
-  slug: string
-  environment: EnvironmentType
-  port: number
-  protocol?: 'HTTP' | 'HTTPS' | 'TCP'
-  vpcId: string
-  targetType?: 'instance' | 'ip' | 'lambda'
-  healthCheckPath?: string
-  healthCheckInterval?: number
-  healthCheckTimeout?: number
-  healthyThreshold?: number
-  unhealthyThreshold?: number
-}
-
-export interface ListenerOptions {
-  port: number
-  protocol?: 'HTTP' | 'HTTPS'
-  certificateArn?: string
-  defaultTargetGroupArn: string
-}
-
-export interface FargateServiceOptions {
-  slug: string
-  environment: EnvironmentType
-  image: string
-  cpu?: string
-  memory?: string
-  desiredCount?: number
-  containerPort?: number
-  environmentVariables?: Record<string, string>
-  secrets?: Array<{ name: string, valueFrom: string }>
-  healthCheck?: {
-    command: string[]
-    interval?: number
-    timeout?: number
-    retries?: number
-  }
-  logGroup?: string
-  subnets: string[]
-  securityGroups: string[]
-  targetGroupArn?: string
-}
-
-export interface LambdaFunctionOptions {
-  slug: string
-  environment: EnvironmentType
-  functionName?: string
-  runtime: string
-  handler: string
-  code: {
-    s3Bucket?: string
-    s3Key?: string
-    zipFile?: string
-  }
-  role?: string
-  timeout?: number
-  memorySize?: number
-  environmentVariables?: Record<string, string>
-  vpcConfig?: {
-    securityGroupIds: string[]
-    subnetIds: string[]
-  }
-}
-
-export interface LaunchConfigurationOptions {
-  slug: string
-  environment: EnvironmentType
-  imageId: string
-  instanceType: string
-  keyName?: string
-  securityGroups?: Array<string | { Ref: string }>
-  userData?: string
-  volumeSize?: number
-  volumeType?: 'gp2' | 'gp3' | 'io1' | 'io2'
-  encrypted?: boolean
-  iamInstanceProfile?: string | { Ref: string }
-}
-
-export interface AutoScalingGroupOptions {
-  slug: string
-  environment: EnvironmentType
-  launchConfigurationName: string | { Ref: string }
-  minSize: number
-  maxSize: number
-  desiredCapacity?: number
-  vpcZoneIdentifier?: string[] | { Ref: string }
-  targetGroupArns?: Array<string | { Ref: string }>
-  healthCheckType?: 'EC2' | 'ELB'
-  healthCheckGracePeriod?: number
-  cooldown?: number
-  tags?: Record<string, string>
-}
-
-export interface ScalingPolicyOptions {
-  slug: string
-  environment: EnvironmentType
-  autoScalingGroupName: string | { Ref: string }
-  policyType?: 'TargetTrackingScaling' | 'StepScaling' | 'SimpleScaling'
-  targetValue?: number
-  predefinedMetricType?: 'ASGAverageCPUUtilization' | 'ASGAverageNetworkIn' | 'ASGAverageNetworkOut' | 'ALBRequestCountPerTarget'
-  scaleInCooldown?: number
-  scaleOutCooldown?: number
-}
-
-/**
- * Compute Module - EC2, ECS, Lambda Management
- * Provides clean API for both server (Forge-style) and serverless (Vapor-style) deployments
- */
-export class Compute {
-  /**
-   * Create an EC2 server instance (Server Mode - Forge-style)
-   */
-  static createServer(options: ServerOptions): {
-    instance: EC2Instance
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      instanceType = 't3.micro',
-      imageId = 'ami-0c55b159cbfafe1f0', // Amazon Linux 2023
-      keyName,
-      securityGroupIds,
-      subnetId,
-      userData,
-      volumeSize = 20,
-      volumeType = 'gp3',
-      encrypted = true,
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'ec2',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const instance: EC2Instance = {
-      Type: 'AWS::EC2::Instance',
-      Properties: {
-        ImageId: imageId,
-        InstanceType: instanceType,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    if (keyName) {
-      instance.Properties.KeyName = keyName
-    }
-
-    if (securityGroupIds) {
-      instance.Properties.SecurityGroupIds = securityGroupIds
-    }
-
-    if (subnetId) {
-      instance.Properties.SubnetId = subnetId
-    }
-
-    if (userData) {
-      // Base64 encode user data
-      instance.Properties.UserData = Fn.Base64(userData) as any
-    }
-
-    // Configure EBS volume
-    instance.Properties.BlockDeviceMappings = [
-      {
-        DeviceName: '/dev/xvda',
-        Ebs: {
-          VolumeSize: volumeSize,
-          VolumeType: volumeType,
-          Encrypted: encrypted,
-          DeleteOnTermination: true,
-        },
-      },
-    ]
-
-    return { instance, logicalId }
-  }
-
-  /**
-   * Create a security group
-   */
-  static createSecurityGroup(options: SecurityGroupOptions): {
-    securityGroup: EC2SecurityGroup
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      vpcId,
-      description,
-      ingress = [],
-      egress = [],
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'sg',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const securityGroup: EC2SecurityGroup = {
-      Type: 'AWS::EC2::SecurityGroup',
-      Properties: {
-        GroupDescription: description || `Security group for ${slug} ${environment}`,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    if (vpcId) {
-      securityGroup.Properties.VpcId = vpcId
-    }
-
-    if (ingress.length > 0) {
-      securityGroup.Properties.SecurityGroupIngress = ingress.map(rule => ({
-        IpProtocol: rule.protocol,
-        FromPort: rule.fromPort,
-        ToPort: rule.toPort,
-        CidrIp: rule.cidr,
-        SourceSecurityGroupId: rule.sourceSecurityGroupId,
-      }))
-    }
-
-    if (egress.length > 0) {
-      securityGroup.Properties.SecurityGroupEgress = egress.map(rule => ({
-        IpProtocol: rule.protocol,
-        FromPort: rule.fromPort,
-        ToPort: rule.toPort,
-        CidrIp: rule.cidr,
-        DestinationSecurityGroupId: rule.sourceSecurityGroupId,
-      }))
-    }
-
-    return { securityGroup, logicalId }
-  }
-
-  /**
-   * Create common security group rules for web servers
-   */
-  static createWebServerSecurityGroup(
-    slug: string,
-    environment: EnvironmentType,
-    vpcId?: string,
-  ): {
-      securityGroup: EC2SecurityGroup
-      logicalId: string
-    } {
-    return Compute.createSecurityGroup({
-      slug,
-      environment,
-      vpcId,
-      description: 'Security group for web servers - HTTP, HTTPS, SSH',
-      ingress: [
-        { protocol: 'tcp', fromPort: 80, toPort: 80, cidr: '0.0.0.0/0' }, // HTTP
-        { protocol: 'tcp', fromPort: 443, toPort: 443, cidr: '0.0.0.0/0' }, // HTTPS
-        { protocol: 'tcp', fromPort: 22, toPort: 22, cidr: '0.0.0.0/0' }, // SSH (restrict in production)
-      ],
-      egress: [
-        { protocol: '-1', fromPort: 0, toPort: 0, cidr: '0.0.0.0/0' }, // All outbound
-      ],
-    })
-  }
-
-  /**
-   * Create an Application Load Balancer
-   */
-  static createLoadBalancer(options: LoadBalancerOptions): {
-    loadBalancer: ApplicationLoadBalancer
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      scheme = 'internet-facing',
-      subnets,
-      securityGroups,
-      type = 'application',
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'alb',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const loadBalancer: ApplicationLoadBalancer = {
-      Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer',
-      Properties: {
-        Name: resourceName,
-        Scheme: scheme,
-        Type: type,
-        Subnets: subnets,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    if (securityGroups) {
-      loadBalancer.Properties.SecurityGroups = securityGroups
-    }
-
-    return { loadBalancer, logicalId }
-  }
-
-  /**
-   * Create a target group
-   */
-  static createTargetGroup(options: TargetGroupOptions): {
-    targetGroup: TargetGroup
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      port,
-      protocol = 'HTTP',
-      vpcId,
-      targetType = 'ip',
-      healthCheckPath = '/',
-      healthCheckInterval = 30,
-      healthCheckTimeout = 5,
-      healthyThreshold = 2,
-      unhealthyThreshold = 3,
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'tg',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const targetGroup: TargetGroup = {
-      Type: 'AWS::ElasticLoadBalancingV2::TargetGroup',
-      Properties: {
-        Name: resourceName,
-        Port: port,
-        Protocol: protocol,
-        VpcId: vpcId,
-        TargetType: targetType,
-        HealthCheckEnabled: true,
-        HealthCheckProtocol: protocol,
-        HealthCheckPath: healthCheckPath,
-        HealthCheckIntervalSeconds: healthCheckInterval,
-        HealthCheckTimeoutSeconds: healthCheckTimeout,
-        HealthyThresholdCount: healthyThreshold,
-        UnhealthyThresholdCount: unhealthyThreshold,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    return { targetGroup, logicalId }
-  }
-
-  /**
-   * Create an ALB listener
-   */
-  static createListener(
-    loadBalancerLogicalId: string,
-    options: ListenerOptions,
-  ): {
-      listener: Listener
-      logicalId: string
-    } {
-    const {
-      port,
-      protocol = 'HTTP',
-      certificateArn,
-      defaultTargetGroupArn,
-    } = options
-
-    const logicalId = generateLogicalId(`listener-${loadBalancerLogicalId}-${port}`)
-
-    const listener: Listener = {
-      Type: 'AWS::ElasticLoadBalancingV2::Listener',
-      Properties: {
-        LoadBalancerArn: Fn.Ref(loadBalancerLogicalId),
-        Port: port,
-        Protocol: protocol,
-        DefaultActions: [
-          {
-            Type: 'forward',
-            TargetGroupArn: defaultTargetGroupArn,
-          },
-        ],
-      },
-    }
-
-    if (protocol === 'HTTPS' && certificateArn) {
-      listener.Properties.Certificates = [{ CertificateArn: certificateArn }]
-      listener.Properties.SslPolicy = 'ELBSecurityPolicy-TLS13-1-2-2021-06'
-    }
-
-    return { listener, logicalId }
-  }
-
-  /**
-   * Create ECS cluster for Fargate (Serverless Mode - Vapor-style)
-   */
-  static createEcsCluster(
-    slug: string,
-    environment: EnvironmentType,
-  ): {
-      cluster: ECSCluster
-      logicalId: string
-    } {
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'ecs-cluster',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const cluster: ECSCluster = {
-      Type: 'AWS::ECS::Cluster',
-      Properties: {
-        ClusterName: resourceName,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    return { cluster, logicalId }
-  }
-
-  /**
-   * Create ECS Fargate task definition and service
-   */
-  static createFargateService(options: FargateServiceOptions): {
-    cluster: ECSCluster
-    taskDefinition: ECSTaskDefinition
-    service: ECSService
-    taskRole: IAMRole
-    executionRole: IAMRole
-    clusterLogicalId: string
-    taskDefinitionLogicalId: string
-    serviceLogicalId: string
-    taskRoleLogicalId: string
-    executionRoleLogicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      image,
-      cpu = '256',
-      memory = '512',
-      desiredCount = 1,
-      containerPort = 8080,
-      environmentVariables = {},
-      secrets = [],
-      healthCheck,
-      logGroup,
-      subnets,
-      securityGroups,
-      targetGroupArn,
-    } = options
-
-    // Create ECS Cluster
-    const { cluster, logicalId: clusterLogicalId } = Compute.createEcsCluster(slug, environment)
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'fargate',
-    })
-
-    // Create Task Execution Role (needed for pulling images, logging, etc.)
-    const executionRoleLogicalId = generateLogicalId(`${resourceName}-execution-role`)
-    const executionRole: IAMRole = {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [
-            {
-              Effect: 'Allow',
-              Principal: {
-                Service: 'ecs-tasks.amazonaws.com',
-              },
-              Action: 'sts:AssumeRole',
-            },
-          ],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
-        ],
-      },
-    }
-
-    // Create Task Role (for application permissions)
-    const taskRoleLogicalId = generateLogicalId(`${resourceName}-task-role`)
-    const taskRole: IAMRole = {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [
-            {
-              Effect: 'Allow',
-              Principal: {
-                Service: 'ecs-tasks.amazonaws.com',
-              },
-              Action: 'sts:AssumeRole',
-            },
-          ],
-        },
-      },
-    }
-
-    // Create Task Definition
-    const taskDefinitionLogicalId = generateLogicalId(`${resourceName}-task`)
-    const taskDefinition: ECSTaskDefinition = {
-      Type: 'AWS::ECS::TaskDefinition',
-      Properties: {
-        Family: resourceName,
-        TaskRoleArn: Fn.GetAtt(taskRoleLogicalId, 'Arn') as any,
-        ExecutionRoleArn: Fn.GetAtt(executionRoleLogicalId, 'Arn') as any,
-        NetworkMode: 'awsvpc',
-        RequiresCompatibilities: ['FARGATE'],
-        Cpu: cpu,
-        Memory: memory,
-        ContainerDefinitions: [
-          {
-            Name: slug,
-            Image: image,
-            Essential: true,
-            PortMappings: [
-              {
-                ContainerPort: containerPort,
-                Protocol: 'tcp',
-              },
-            ],
-            Environment: Object.entries(environmentVariables).map(([Name, Value]) => ({
-              Name,
-              Value,
-            })),
-            Secrets: secrets.map(s => ({
-              Name: s.name,
-              ValueFrom: s.valueFrom,
-            })),
-          },
-        ],
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    // Add health check if provided
-    if (healthCheck) {
-      taskDefinition.Properties.ContainerDefinitions[0].HealthCheck = {
-        Command: healthCheck.command,
-        Interval: healthCheck.interval || 30,
-        Timeout: healthCheck.timeout || 5,
-        Retries: healthCheck.retries || 3,
-        StartPeriod: 60,
-      }
-    }
-
-    // Add logging configuration
-    if (logGroup) {
-      taskDefinition.Properties.ContainerDefinitions[0].LogConfiguration = {
-        LogDriver: 'awslogs',
-        Options: {
-          'awslogs-group': logGroup,
-          'awslogs-region': Fn.Ref('AWS::Region') as any,
-          'awslogs-stream-prefix': slug,
-        },
-      }
-    }
-
-    // Create ECS Service
-    const serviceLogicalId = generateLogicalId(`${resourceName}-service`)
-    const service: ECSService = {
-      Type: 'AWS::ECS::Service',
-      Properties: {
-        ServiceName: resourceName,
-        Cluster: Fn.Ref(clusterLogicalId),
-        TaskDefinition: Fn.Ref(taskDefinitionLogicalId),
-        DesiredCount: desiredCount,
-        LaunchType: 'FARGATE',
-        NetworkConfiguration: {
-          AwsvpcConfiguration: {
-            Subnets: subnets,
-            SecurityGroups: securityGroups,
-            AssignPublicIp: 'ENABLED',
-          },
-        },
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    // Add load balancer integration if target group provided
-    if (targetGroupArn) {
-      service.Properties.LoadBalancers = [
-        {
-          TargetGroupArn: targetGroupArn,
-          ContainerName: slug,
-          ContainerPort: containerPort,
-        },
-      ]
-    }
-
-    return {
-      cluster,
-      taskDefinition,
-      service,
-      taskRole,
-      executionRole,
-      clusterLogicalId,
-      taskDefinitionLogicalId,
-      serviceLogicalId,
-      taskRoleLogicalId,
-      executionRoleLogicalId,
-    }
-  }
-
-  /**
-   * Create a Lambda function
-   */
-  static createLambdaFunction(options: LambdaFunctionOptions): {
-    lambdaFunction: LambdaFunction
-    role: IAMRole
-    logicalId: string
-    roleLogicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      runtime,
-      handler,
-      code,
-      timeout = 30,
-      memorySize = 128,
-      environmentVariables = {},
-      vpcConfig,
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'lambda',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    // Create Lambda execution role
-    const roleLogicalId = generateLogicalId(`${resourceName}-role`)
-    const role: IAMRole = {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [
-            {
-              Effect: 'Allow',
-              Principal: {
-                Service: 'lambda.amazonaws.com',
-              },
-              Action: 'sts:AssumeRole',
-            },
-          ],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
-        ],
-      },
-    }
-
-    // Add VPC execution role if VPC config provided
-    if (vpcConfig) {
-      role.Properties.ManagedPolicyArns!.push(
-        'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole',
-      )
-    }
-
-    const lambdaFunction: LambdaFunction = {
-      Type: 'AWS::Lambda::Function',
-      Properties: {
-        FunctionName: resourceName,
-        Runtime: runtime,
-        Role: Fn.GetAtt(roleLogicalId, 'Arn') as any,
-        Handler: handler,
-        Code: {
-          ...(code.s3Bucket && { S3Bucket: code.s3Bucket }),
-          ...(code.s3Key && { S3Key: code.s3Key }),
-          ...(code.zipFile && { ZipFile: code.zipFile }),
-        },
-        Timeout: timeout,
-        MemorySize: memorySize,
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    if (Object.keys(environmentVariables).length > 0) {
-      lambdaFunction.Properties.Environment = {
-        Variables: environmentVariables,
-      }
-    }
-
-    if (vpcConfig) {
-      lambdaFunction.Properties.VpcConfig = {
-        SecurityGroupIds: vpcConfig.securityGroupIds,
-        SubnetIds: vpcConfig.subnetIds,
-      }
-    }
-
-    return { lambdaFunction, role, logicalId, roleLogicalId }
-  }
-
-  /**
-   * Generate Node.js server user data script
-   */
-  static generateNodeServerUserData(options: {
-    nodeVersion?: string
-    appRepo?: string
-    environment?: Record<string, string>
-  } = {}): string {
-    const { nodeVersion = '20', appRepo, environment = {} } = options
-
-    const envVars = Object.entries(environment)
-      .map(([key, value]) => `echo "export ${key}='${value}'" >> /etc/environment`)
-      .join('\n')
-
-    return `#!/bin/bash
-# Update system
-yum update -y
-
-# Install Node.js ${nodeVersion}
-curl -fsSL https://rpm.nodesource.com/setup_${nodeVersion}.x | bash -
-yum install -y nodejs
-
-# Install PM2 for process management
-npm install -g pm2
-
-# Install Caddy for reverse proxy and automatic HTTPS
-yum install -y yum-plugin-copr
-yum copr enable -y @caddy/caddy
-yum install -y caddy
-
-# Set environment variables
-${envVars}
-
-# Clone application (if repo provided)
-${appRepo ? `
-cd /var/www
-git clone ${appRepo} app
-cd app
-npm install
-pm2 start npm --name 'app' -- start
-pm2 save
-pm2 startup systemd -u ec2-user --hp /home/ec2-user
-` : '# No repository specified'}
-
-# Configure Caddy
-cat > /etc/caddy/Caddyfile <<'EOF'
-:80 {
-    reverse_proxy localhost:3000
-}
-EOF
-
-# Start Caddy
-systemctl enable caddy
-systemctl start caddy
-
-echo "Server setup complete!"
-`
-  }
-
-  /**
-   * Generate Bun server user data script
-   */
-  static generateBunServerUserData(options: {
-    appRepo?: string
-    environment?: Record<string, string>
-  } = {}): string {
-    const { appRepo, environment = {} } = options
-
-    const envVars = Object.entries(environment)
-      .map(([key, value]) => `echo "export ${key}='${value}'" >> /etc/environment`)
-      .join('\n')
-
-    return `#!/bin/bash
-# Update system
-yum update -y
-
-# Install Bun
-curl -fsSL https://bun.sh/install | bash
-echo 'export BUN_INSTALL="/root/.bun"' >> /root/.bashrc
-echo 'export PATH="$BUN_INSTALL/bin:$PATH"' >> /root/.bashrc
-source /root/.bashrc
-
-# Install Caddy
-yum install -y yum-plugin-copr
-yum copr enable -y @caddy/caddy
-yum install -y caddy
-
-# Set environment variables
-${envVars}
-
-# Clone application (if repo provided)
-${appRepo ? `
-cd /var/www
-git clone ${appRepo} app
-cd app
-bun install
-
-# Create systemd service
-cat > /etc/systemd/system/app.service <<'SERVICE'
-[Unit]
-Description=Bun Application
-After=network.target
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=/var/www/app
-ExecStart=/root/.bun/bin/bun run start
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-SERVICE
-
-systemctl enable app
-systemctl start app
-` : '# No repository specified'}
-
-# Configure Caddy
-cat > /etc/caddy/Caddyfile <<'EOF'
-:80 {
-    reverse_proxy localhost:3000
-}
-EOF
-
-systemctl enable caddy
-systemctl start caddy
-
-echo "Bun server setup complete!"
-`
-  }
-
-  /**
-   * Create a Launch Configuration for Auto Scaling
-   */
-  static createLaunchConfiguration(options: LaunchConfigurationOptions): {
-    launchConfiguration: AutoScalingLaunchConfiguration
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      imageId,
-      instanceType,
-      keyName,
-      securityGroups,
-      userData,
-      volumeSize = 20,
-      volumeType = 'gp3',
-      encrypted = true,
-      iamInstanceProfile,
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'launch-config',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const launchConfiguration: AutoScalingLaunchConfiguration = {
-      Type: 'AWS::AutoScaling::LaunchConfiguration',
-      Properties: {
-        ImageId: imageId,
-        InstanceType: instanceType,
-        BlockDeviceMappings: [
-          {
-            DeviceName: '/dev/xvda',
-            Ebs: {
-              VolumeSize: volumeSize,
-              VolumeType: volumeType,
-              Encrypted: encrypted,
-              DeleteOnTermination: true,
-            },
-          },
-        ],
-      },
-    }
-
-    if (keyName) {
-      launchConfiguration.Properties.KeyName = keyName
-    }
-
-    if (securityGroups) {
-      launchConfiguration.Properties.SecurityGroups = securityGroups
-    }
-
-    if (userData) {
-      launchConfiguration.Properties.UserData = Fn.Base64(userData)
-    }
-
-    if (iamInstanceProfile) {
-      launchConfiguration.Properties.IamInstanceProfile = iamInstanceProfile
-    }
-
-    return { launchConfiguration, logicalId }
-  }
-
-  /**
-   * Create an Auto Scaling Group
-   */
-  static createAutoScalingGroup(options: AutoScalingGroupOptions): {
-    autoScalingGroup: AutoScalingGroup
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      launchConfigurationName,
-      minSize,
-      maxSize,
-      desiredCapacity,
-      vpcZoneIdentifier,
-      targetGroupArns,
-      healthCheckType = 'EC2',
-      healthCheckGracePeriod = 300,
-      cooldown = 300,
-      tags = {},
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'asg',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const autoScalingGroup: AutoScalingGroup = {
-      Type: 'AWS::AutoScaling::AutoScalingGroup',
-      Properties: {
-        AutoScalingGroupName: resourceName,
-        LaunchConfigurationName: launchConfigurationName,
-        MinSize: minSize,
-        MaxSize: maxSize,
-        HealthCheckType: healthCheckType,
-        HealthCheckGracePeriod: healthCheckGracePeriod,
-        Cooldown: cooldown,
-        Tags: [
-          { Key: 'Name', Value: resourceName, PropagateAtLaunch: true },
-          { Key: 'Environment', Value: environment, PropagateAtLaunch: true },
-          ...Object.entries(tags).map(([key, value]) => ({
-            Key: key,
-            Value: value,
-            PropagateAtLaunch: true,
-          })),
-        ],
-      },
-    }
-
-    if (desiredCapacity !== undefined) {
-      autoScalingGroup.Properties.DesiredCapacity = desiredCapacity
-    }
-
-    if (vpcZoneIdentifier) {
-      autoScalingGroup.Properties.VPCZoneIdentifier = vpcZoneIdentifier
-    }
-
-    if (targetGroupArns) {
-      autoScalingGroup.Properties.TargetGroupARNs = targetGroupArns
-    }
-
-    // Add rolling update policy for safer deployments
-    autoScalingGroup.UpdatePolicy = {
-      AutoScalingRollingUpdate: {
-        MaxBatchSize: 1,
-        MinInstancesInService: Math.max(0, minSize - 1),
-        PauseTime: 'PT5M',
-        WaitOnResourceSignals: false,
-      },
-    }
-
-    return { autoScalingGroup, logicalId }
-  }
-
-  /**
-   * Create a Target Tracking Scaling Policy (CPU-based by default)
-   */
-  static createScalingPolicy(options: ScalingPolicyOptions): {
-    scalingPolicy: AutoScalingScalingPolicy
-    logicalId: string
-  } {
-    const {
-      slug,
-      environment,
-      autoScalingGroupName,
-      policyType = 'TargetTrackingScaling',
-      targetValue = 70, // 70% CPU by default
-      predefinedMetricType = 'ASGAverageCPUUtilization',
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'scaling-policy',
-    })
-
-    const logicalId = generateLogicalId(resourceName)
-
-    const scalingPolicy: AutoScalingScalingPolicy = {
-      Type: 'AWS::AutoScaling::ScalingPolicy',
-      Properties: {
-        AutoScalingGroupName: autoScalingGroupName,
-        PolicyType: policyType,
-      },
-    }
-
-    if (policyType === 'TargetTrackingScaling') {
-      scalingPolicy.Properties.TargetTrackingConfiguration = {
-        PredefinedMetricSpecification: {
-          PredefinedMetricType: predefinedMetricType,
-        },
-        TargetValue: targetValue,
-      }
-    }
-
-    return { scalingPolicy, logicalId }
-  }
-
-  /**
-   * Common Auto Scaling configurations
-   */
-  static readonly AutoScaling = {
-    /**
-     * Small web server auto scaling (2-4 instances)
-     */
-    smallWebServer: (
-      slug: string,
-      environment: EnvironmentType,
-      launchConfigRef: string | { Ref: string },
-      subnetIds: string[],
-      targetGroupArns?: Array<string | { Ref: string }>,
-    ): { autoScalingGroup: AutoScalingGroup; logicalId: string } => {
-      return Compute.createAutoScalingGroup({
-        slug,
-        environment,
-        launchConfigurationName: launchConfigRef,
-        minSize: 2,
-        maxSize: 4,
-        desiredCapacity: 2,
-        vpcZoneIdentifier: subnetIds,
-        targetGroupArns,
-        healthCheckType: targetGroupArns ? 'ELB' : 'EC2',
-        healthCheckGracePeriod: 300,
-      })
-    },
-
-    /**
-     * Medium web server auto scaling (3-10 instances)
-     */
-    mediumWebServer: (
-      slug: string,
-      environment: EnvironmentType,
-      launchConfigRef: string | { Ref: string },
-      subnetIds: string[],
-      targetGroupArns?: Array<string | { Ref: string }>,
-    ): { autoScalingGroup: AutoScalingGroup; logicalId: string } => {
-      return Compute.createAutoScalingGroup({
-        slug,
-        environment,
-        launchConfigurationName: launchConfigRef,
-        minSize: 3,
-        maxSize: 10,
-        desiredCapacity: 3,
-        vpcZoneIdentifier: subnetIds,
-        targetGroupArns,
-        healthCheckType: targetGroupArns ? 'ELB' : 'EC2',
-        healthCheckGracePeriod: 300,
-      })
-    },
-
-    /**
-     * Large web server auto scaling (5-20 instances)
-     */
-    largeWebServer: (
-      slug: string,
-      environment: EnvironmentType,
-      launchConfigRef: string | { Ref: string },
-      subnetIds: string[],
-      targetGroupArns?: Array<string | { Ref: string }>,
-    ): { autoScalingGroup: AutoScalingGroup; logicalId: string } => {
-      return Compute.createAutoScalingGroup({
-        slug,
-        environment,
-        launchConfigurationName: launchConfigRef,
-        minSize: 5,
-        maxSize: 20,
-        desiredCapacity: 5,
-        vpcZoneIdentifier: subnetIds,
-        targetGroupArns,
-        healthCheckType: targetGroupArns ? 'ELB' : 'EC2',
-        healthCheckGracePeriod: 300,
-      })
-    },
-
-    /**
-     * CPU-based scaling policy (default 70%)
-     */
-    cpuScaling: (
-      slug: string,
-      environment: EnvironmentType,
-      asgName: string | { Ref: string },
-      targetCpu = 70,
-    ): { scalingPolicy: AutoScalingScalingPolicy; logicalId: string } => {
-      return Compute.createScalingPolicy({
-        slug,
-        environment,
-        autoScalingGroupName: asgName,
-        policyType: 'TargetTrackingScaling',
-        predefinedMetricType: 'ASGAverageCPUUtilization',
-        targetValue: targetCpu,
-      })
-    },
-
-    /**
-     * Request count scaling policy (ALB)
-     */
-    requestCountScaling: (
-      slug: string,
-      environment: EnvironmentType,
-      asgName: string | { Ref: string },
-      targetRequestCount = 1000,
-    ): { scalingPolicy: AutoScalingScalingPolicy; logicalId: string } => {
-      return Compute.createScalingPolicy({
-        slug,
-        environment,
-        autoScalingGroupName: asgName,
-        policyType: 'TargetTrackingScaling',
-        predefinedMetricType: 'ALBRequestCountPerTarget',
-        targetValue: targetRequestCount,
-      })
-    },
-  }
-
-  /**
-   * Secrets Manager integration utilities
-   */
-  static readonly Secrets = {
-    /**
-     * Convert environment variables to ECS secrets configuration
-     * This takes environment variable names and their corresponding Secrets Manager ARNs
-     */
-    fromSecretsManager: (secrets: Record<string, string>): Array<{ name: string, valueFrom: string }> => {
-      return Object.entries(secrets).map(([name, secretArn]) => ({
-        name,
-        valueFrom: secretArn,
-      }))
-    },
-
-    /**
-     * Reference a specific key from a JSON secret
-     * Format: arn:aws:secretsmanager:region:account:secret:name:json-key::
-     */
-    fromJsonSecret: (secretArn: string, jsonKey: string): string => {
-      return `${secretArn}:${jsonKey}::`
-    },
-
-    /**
-     * Reference a specific version of a secret
-     * Format: arn:aws:secretsmanager:region:account:secret:name::version-id:
-     */
-    fromSecretVersion: (secretArn: string, versionId: string): string => {
-      return `${secretArn}::${versionId}:`
-    },
-
-    /**
-     * Reference a specific version stage of a secret
-     * Format: arn:aws:secretsmanager:region:account:secret:name:::version-stage
-     */
-    fromSecretVersionStage: (secretArn: string, versionStage: string): string => {
-      return `${secretArn}:::${versionStage}`
-    },
-
-    /**
-     * Create IAM policy for Secrets Manager access
-     */
-    createAccessPolicy: (secretArns: string[]): {
-      PolicyName: string
-      PolicyDocument: {
-        Version: '2012-10-17'
-        Statement: Array<{
-          Effect: 'Allow' | 'Deny'
-          Action: string[]
-          Resource: string[]
-        }>
-      }
-    } => ({
-      PolicyName: 'SecretsManagerAccess',
-      PolicyDocument: {
-        Version: '2012-10-17' as const,
-        Statement: [{
-          Effect: 'Allow' as const,
-          Action: [
-            'secretsmanager:GetSecretValue',
-            'secretsmanager:DescribeSecret',
-          ],
-          Resource: secretArns,
-        }],
-      },
-    }),
-
-    /**
-     * Create IAM policy for KMS decryption (when secrets are encrypted with KMS)
-     */
-    createKmsPolicy: (kmsKeyArns: string[]): {
-      PolicyName: string
-      PolicyDocument: {
-        Version: '2012-10-17'
-        Statement: Array<{
-          Effect: 'Allow' | 'Deny'
-          Action: string[]
-          Resource: string[]
-        }>
-      }
-    } => ({
-      PolicyName: 'KMSDecryptAccess',
-      PolicyDocument: {
-        Version: '2012-10-17' as const,
-        Statement: [{
-          Effect: 'Allow' as const,
-          Action: ['kms:Decrypt'],
-          Resource: kmsKeyArns,
-        }],
-      },
-    }),
-
-    /**
-     * Build secret ARN from components
-     */
-    buildSecretArn: (params: {
-      region: string
-      accountId: string
-      secretName: string
-    }): string => {
-      return `arn:aws:secretsmanager:${params.region}:${params.accountId}:secret:${params.secretName}`
-    },
-
-    /**
-     * Build secret ARN pattern for wildcard matching
-     * Useful for IAM policies
-     */
-    buildSecretArnPattern: (params: {
-      region?: string
-      accountId?: string
-      secretNamePrefix: string
-    }): string => {
-      const region = params.region || '*'
-      const accountId = params.accountId || '*'
-      return `arn:aws:secretsmanager:${region}:${accountId}:secret:${params.secretNamePrefix}*`
-    },
-
-    /**
-     * Common environment secrets mapping
-     * Maps common application environment variable names to secrets
-     */
-    commonAppSecrets: (secretPrefix: string): Record<string, string> => ({
-      DATABASE_URL: `${secretPrefix}/database-url`,
-      DATABASE_PASSWORD: `${secretPrefix}/database-password`,
-      REDIS_URL: `${secretPrefix}/redis-url`,
-      REDIS_PASSWORD: `${secretPrefix}/redis-password`,
-      API_KEY: `${secretPrefix}/api-key`,
-      JWT_SECRET: `${secretPrefix}/jwt-secret`,
-      ENCRYPTION_KEY: `${secretPrefix}/encryption-key`,
-      AWS_ACCESS_KEY_ID: `${secretPrefix}/aws-access-key-id`,
-      AWS_SECRET_ACCESS_KEY: `${secretPrefix}/aws-secret-access-key`,
-      MAIL_PASSWORD: `${secretPrefix}/mail-password`,
-      STRIPE_SECRET_KEY: `${secretPrefix}/stripe-secret-key`,
-      STRIPE_WEBHOOK_SECRET: `${secretPrefix}/stripe-webhook-secret`,
-    }),
-  }
-
-  /**
-   * Create ECS Fargate service with full Secrets Manager integration
-   */
-  static createFargateServiceWithSecrets(options: FargateServiceOptions & {
-    secretArns?: string[]
-    kmsKeyArns?: string[]
-  }): {
-    cluster: ECSCluster
-    taskDefinition: ECSTaskDefinition
-    service: ECSService
-    taskRole: IAMRole
-    executionRole: IAMRole
-    clusterLogicalId: string
-    taskDefinitionLogicalId: string
-    serviceLogicalId: string
-    taskRoleLogicalId: string
-    executionRoleLogicalId: string
-  } {
-    const {
-      secretArns = [],
-      kmsKeyArns = [],
-      ...baseOptions
-    } = options
-
-    // Create base Fargate service
-    const result = Compute.createFargateService(baseOptions)
-
-    // Add Secrets Manager access policy to execution role if secrets are provided
-    if (secretArns.length > 0) {
-      if (!result.executionRole.Properties.Policies) {
-        result.executionRole.Properties.Policies = []
-      }
-
-      result.executionRole.Properties.Policies.push(
-        Compute.Secrets.createAccessPolicy(secretArns),
-      )
-
-      // Add KMS policy if KMS keys are specified
-      if (kmsKeyArns.length > 0) {
-        result.executionRole.Properties.Policies.push(
-          Compute.Secrets.createKmsPolicy(kmsKeyArns),
-        )
-      }
-    }
-
-    return result
-  }
-
-  /**
-   * Generate secret references for container environment
-   * This is a helper to convert secret names to full ARN references
-   */
-  static generateSecretReferences(params: {
-    region: string
-    accountId: string
-    secretPrefix: string
-    secrets: string[]
-  }): Array<{ name: string, valueFrom: string }> {
-    return params.secrets.map((secretName) => {
-      const secretArn = `arn:aws:secretsmanager:${params.region}:${params.accountId}:secret:${params.secretPrefix}/${secretName}`
-      return {
-        name: secretName.toUpperCase().replace(/-/g, '_'),
-        valueFrom: secretArn,
-      }
-    })
-  }
-
-  /**
-   * Create environment secrets configuration for common patterns
-   */
-  static readonly EnvSecrets = {
-    /**
-     * Database credentials as secrets
-     */
-    database: (secretArn: string): Array<{ name: string, valueFrom: string }> => ([
-      { name: 'DB_HOST', valueFrom: `${secretArn}:host::` },
-      { name: 'DB_PORT', valueFrom: `${secretArn}:port::` },
-      { name: 'DB_USERNAME', valueFrom: `${secretArn}:username::` },
-      { name: 'DB_PASSWORD', valueFrom: `${secretArn}:password::` },
-      { name: 'DB_NAME', valueFrom: `${secretArn}:dbname::` },
-    ]),
-
-    /**
-     * Redis credentials as secrets
-     */
-    redis: (secretArn: string): Array<{ name: string, valueFrom: string }> => ([
-      { name: 'REDIS_HOST', valueFrom: `${secretArn}:host::` },
-      { name: 'REDIS_PORT', valueFrom: `${secretArn}:port::` },
-      { name: 'REDIS_PASSWORD', valueFrom: `${secretArn}:password::` },
-    ]),
-
-    /**
-     * API credentials as secrets
-     */
-    apiCredentials: (secretArn: string): Array<{ name: string, valueFrom: string }> => ([
-      { name: 'API_KEY', valueFrom: `${secretArn}:apiKey::` },
-      { name: 'API_SECRET', valueFrom: `${secretArn}:apiSecret::` },
-    ]),
-
-    /**
-     * Mail credentials as secrets
-     */
-    mail: (secretArn: string): Array<{ name: string, valueFrom: string }> => ([
-      { name: 'MAIL_HOST', valueFrom: `${secretArn}:host::` },
-      { name: 'MAIL_PORT', valueFrom: `${secretArn}:port::` },
-      { name: 'MAIL_USERNAME', valueFrom: `${secretArn}:username::` },
-      { name: 'MAIL_PASSWORD', valueFrom: `${secretArn}:password::` },
-    ]),
-
-    /**
-     * AWS credentials as secrets (for cross-account access)
-     */
-    awsCredentials: (secretArn: string): Array<{ name: string, valueFrom: string }> => ([
-      { name: 'AWS_ACCESS_KEY_ID', valueFrom: `${secretArn}:accessKeyId::` },
-      { name: 'AWS_SECRET_ACCESS_KEY', valueFrom: `${secretArn}:secretAccessKey::` },
-    ]),
-  }
-
-  /**
-   * Create a JumpBox (Bastion Host) for SSH access to private resources
-   */
-  static createJumpBox(options: {
-    slug: string
-    environment: EnvironmentType
-    vpcId: string
-    subnetId: string
-    keyName: string
-    instanceType?: string
-    imageId?: string
-    allowedCidrs?: string[]
-    mountEfs?: {
-      fileSystemId: string
-      mountPath?: string
-    }
-  }): {
-    instance: EC2Instance
-    securityGroup: EC2SecurityGroup
-    instanceProfile: any
-    instanceRole: IAMRole
-    instanceLogicalId: string
-    securityGroupLogicalId: string
-    instanceProfileLogicalId: string
-    instanceRoleLogicalId: string
-    resources: Record<string, any>
-  } {
-    const {
-      slug,
-      environment,
-      vpcId,
-      subnetId,
-      keyName,
-      instanceType = 't3.micro',
-      imageId = 'ami-0c55b159cbfafe1f0', // Amazon Linux 2023
-      allowedCidrs = ['0.0.0.0/0'],
-      mountEfs,
-    } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'jumpbox',
-    })
-
-    // Create security group for SSH access
-    const securityGroupLogicalId = generateLogicalId(`${resourceName}-sg`)
-    const securityGroup: EC2SecurityGroup = {
-      Type: 'AWS::EC2::SecurityGroup',
-      Properties: {
-        GroupName: `${resourceName}-sg`,
-        GroupDescription: `Security group for ${resourceName} JumpBox SSH access`,
-        VpcId: vpcId,
-        SecurityGroupIngress: allowedCidrs.map(cidr => ({
-          IpProtocol: 'tcp',
-          FromPort: 22,
-          ToPort: 22,
-          CidrIp: cidr,
-          Description: `SSH access from ${cidr}`,
-        })),
-        SecurityGroupEgress: [{
-          IpProtocol: '-1',
-          CidrIp: '0.0.0.0/0',
-          Description: 'Allow all outbound traffic',
-        }],
-        Tags: [
-          { Key: 'Name', Value: `${resourceName}-sg` },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-
-    // Create IAM role for instance
-    const instanceRoleLogicalId = generateLogicalId(`${resourceName}-role`)
-    const instanceRole: IAMRole = {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        RoleName: `${resourceName}-role`,
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [{
-            Effect: 'Allow',
-            Principal: {
-              Service: 'ec2.amazonaws.com',
-            },
-            Action: 'sts:AssumeRole',
-          }],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore', // For SSM Session Manager
-        ],
-        Policies: mountEfs
-          ? [{
-              PolicyName: 'EFSAccess',
-              PolicyDocument: {
-                Version: '2012-10-17',
-                Statement: [{
-                  Effect: 'Allow',
-                  Action: [
-                    'elasticfilesystem:ClientMount',
-                    'elasticfilesystem:ClientWrite',
-                    'elasticfilesystem:ClientRootAccess',
-                  ],
-                  Resource: '*',
-                }],
-              },
-            }]
-          : undefined,
-      },
-    }
-
-    // Create instance profile
-    const instanceProfileLogicalId = generateLogicalId(`${resourceName}-profile`)
-    const instanceProfile = {
-      Type: 'AWS::IAM::InstanceProfile',
-      Properties: {
-        InstanceProfileName: `${resourceName}-profile`,
-        Roles: [Fn.Ref(instanceRoleLogicalId)],
-      },
-    }
-
-    // Build user data script
-    let userDataScript = `#!/bin/bash
-yum update -y
-yum install -y amazon-efs-utils nfs-utils jq curl wget htop
-`
-
-    // Add EFS mount if specified
-    if (mountEfs) {
-      const mountPath = mountEfs.mountPath || '/mnt/efs'
-      userDataScript += `
-# Mount EFS
-mkdir -p ${mountPath}
-mount -t efs ${mountEfs.fileSystemId}:/ ${mountPath}
-echo "${mountEfs.fileSystemId}:/ ${mountPath} efs defaults,_netdev 0 0" >> /etc/fstab
-`
-    }
-
-    // Create the JumpBox instance
-    const instanceLogicalId = generateLogicalId(resourceName)
-    const instance: EC2Instance = {
-      Type: 'AWS::EC2::Instance',
-      DependsOn: [instanceProfileLogicalId],
-      Properties: {
-        ImageId: imageId,
-        InstanceType: instanceType,
-        KeyName: keyName,
-        SubnetId: subnetId,
-        SecurityGroupIds: [Fn.Ref(securityGroupLogicalId)] as any,
-        IamInstanceProfile: Fn.Ref(instanceProfileLogicalId) as any,
-        UserData: Fn.Base64(userDataScript) as any,
-        BlockDeviceMappings: [{
-          DeviceName: '/dev/xvda',
-          Ebs: {
-            VolumeSize: 20,
-            VolumeType: 'gp3',
-            Encrypted: true,
-            DeleteOnTermination: true,
-          },
-        }],
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-          { Key: 'Purpose', Value: 'JumpBox/Bastion' },
-        ],
-      },
-    }
-
-    const resources: Record<string, any> = {
-      [securityGroupLogicalId]: securityGroup,
-      [instanceRoleLogicalId]: instanceRole,
-      [instanceProfileLogicalId]: instanceProfile,
-      [instanceLogicalId]: instance,
-    }
-
-    return {
-      instance,
-      securityGroup,
-      instanceProfile,
-      instanceRole,
-      instanceLogicalId,
-      securityGroupLogicalId,
-      instanceProfileLogicalId,
-      instanceRoleLogicalId,
-      resources,
-    }
-  }
-
-  /**
-   * JumpBox helper configurations
-   */
-  static readonly JumpBox = {
-    /**
-     * Create JumpBox with EFS mount for file access
-     */
-    withEfsMount: (params: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-      fileSystemId: string
-      mountPath?: string
-      allowedCidrs?: string[]
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      instanceProfile: any
-      instanceRole: IAMRole
-      instanceLogicalId: string
-      securityGroupLogicalId: string
-      instanceProfileLogicalId: string
-      instanceRoleLogicalId: string
-      resources: Record<string, any>
-    } => {
-      return Compute.createJumpBox({
-        slug: params.slug,
-        environment: params.environment,
-        vpcId: params.vpcId,
-        subnetId: params.subnetId,
-        keyName: params.keyName,
-        allowedCidrs: params.allowedCidrs,
-        mountEfs: {
-          fileSystemId: params.fileSystemId,
-          mountPath: params.mountPath || '/mnt/efs',
-        },
-      })
-    },
-
-    /**
-     * Create minimal JumpBox (SSH only)
-     */
-    minimal: (params: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-      allowedCidrs?: string[]
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      instanceProfile: any
-      instanceRole: IAMRole
-      instanceLogicalId: string
-      securityGroupLogicalId: string
-      instanceProfileLogicalId: string
-      instanceRoleLogicalId: string
-      resources: Record<string, any>
-    } => {
-      return Compute.createJumpBox({
-        slug: params.slug,
-        environment: params.environment,
-        vpcId: params.vpcId,
-        subnetId: params.subnetId,
-        keyName: params.keyName,
-        instanceType: 't3.nano',
-        allowedCidrs: params.allowedCidrs,
-      })
-    },
-
-    /**
-     * Create JumpBox with database tools
-     */
-    withDatabaseTools: (params: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-      allowedCidrs?: string[]
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      instanceProfile: any
-      instanceRole: IAMRole
-      instanceLogicalId: string
-      securityGroupLogicalId: string
-      instanceProfileLogicalId: string
-      instanceRoleLogicalId: string
-      resources: Record<string, any>
-    } => {
-      const result = Compute.createJumpBox({
-        slug: params.slug,
-        environment: params.environment,
-        vpcId: params.vpcId,
-        subnetId: params.subnetId,
-        keyName: params.keyName,
-        allowedCidrs: params.allowedCidrs,
-      })
-
-      // Modify user data to include database tools
-      const userDataScript = `#!/bin/bash
-yum update -y
-yum install -y amazon-efs-utils nfs-utils jq curl wget htop
-
-# Install PostgreSQL client
-amazon-linux-extras install postgresql14 -y
-
-# Install MySQL client
-yum install -y mysql
-
-# Install Redis CLI
-yum install -y redis
-
-echo "Database tools installed!"
-`
-
-      result.instance.Properties.UserData = Fn.Base64(userDataScript) as any
-
-      return result
-    },
-
-    /**
-     * Allowed CIDRs for corporate VPNs (common patterns)
-     */
-    commonCidrs: {
-      any: ['0.0.0.0/0'] as const,
-      privateOnly: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,
-    },
-  }
-
-  /**
-   * Instance size mapping - human-readable sizes to AWS instance types
-   * Provides Stacks configuration parity for "size" configuration option
-   */
-  static readonly InstanceSize = {
-    /**
-     * Map human-readable size to EC2 instance type
-     */
-    toInstanceType: (
-      size: 'nano' | 'micro' | 'small' | 'medium' | 'large' | 'xlarge' | '2xlarge' | '4xlarge' | '8xlarge',
-      family: 't3' | 't3a' | 'm6i' | 'c6i' | 'r6i' = 't3',
-    ): string => {
-      return `${family}.${size}`
-    },
-
-    /**
-     * Size configurations with CPU and memory specs
-     */
-    specs: {
-      nano: { vcpu: 2, memory: 0.5, instanceType: 't3.nano' },
-      micro: { vcpu: 2, memory: 1, instanceType: 't3.micro' },
-      small: { vcpu: 2, memory: 2, instanceType: 't3.small' },
-      medium: { vcpu: 2, memory: 4, instanceType: 't3.medium' },
-      large: { vcpu: 2, memory: 8, instanceType: 't3.large' },
-      xlarge: { vcpu: 4, memory: 16, instanceType: 't3.xlarge' },
-      '2xlarge': { vcpu: 8, memory: 32, instanceType: 't3.2xlarge' },
-    } as const,
-
-    /**
-     * Get Fargate CPU/memory from size
-     */
-    toFargateSpecs: (
-      size: 'nano' | 'micro' | 'small' | 'medium' | 'large' | 'xlarge' | '2xlarge',
-    ): { cpu: string, memory: string } => {
-      const mapping: Record<string, { cpu: string, memory: string }> = {
-        nano: { cpu: '256', memory: '512' },
-        micro: { cpu: '256', memory: '1024' },
-        small: { cpu: '512', memory: '1024' },
-        medium: { cpu: '1024', memory: '2048' },
-        large: { cpu: '2048', memory: '4096' },
-        xlarge: { cpu: '4096', memory: '8192' },
-        '2xlarge': { cpu: '4096', memory: '16384' },
-      }
-      return mapping[size] || mapping.medium
-    },
-
-    /**
-     * Get Lambda memory from size
-     */
-    toLambdaMemory: (
-      size: 'nano' | 'micro' | 'small' | 'medium' | 'large' | 'xlarge' | '2xlarge',
-    ): number => {
-      const mapping: Record<string, number> = {
-        nano: 128,
-        micro: 256,
-        small: 512,
-        medium: 1024,
-        large: 2048,
-        xlarge: 4096,
-        '2xlarge': 8192,
-      }
-      return mapping[size] || 1024
-    },
-
-    /**
-     * Presets for common workloads
-     */
-    presets: {
-      webServer: 't3.small',
-      apiServer: 't3.medium',
-      worker: 't3.medium',
-      database: 'r6i.large',
-      cache: 'r6i.medium',
-      compute: 'c6i.large',
-      general: 'm6i.medium',
-    } as const,
-  }
-
-  /**
-   * Disk configuration helpers
-   * Provides Stacks configuration parity for disk options
-   */
-  static readonly DiskConfig = {
-    /**
-     * Create EBS volume configuration
-     */
-    create: (options: {
-      size: number
-      type?: 'standard' | 'ssd' | 'premium' | 'gp2' | 'gp3' | 'io1' | 'io2'
-      encrypted?: boolean
-      iops?: number
-      throughput?: number
-      deleteOnTermination?: boolean
-    }): {
-      VolumeSize: number
-      VolumeType: string
-      Encrypted: boolean
-      Iops?: number
-      Throughput?: number
-      DeleteOnTermination: boolean
-    } => {
-      const { size, type = 'ssd', encrypted = true, iops, throughput, deleteOnTermination = true } = options
-
-      // Map human-readable types to AWS types
-      const typeMapping: Record<string, string> = {
-        standard: 'gp2',
-        ssd: 'gp3',
-        premium: 'io2',
-        gp2: 'gp2',
-        gp3: 'gp3',
-        io1: 'io1',
-        io2: 'io2',
-      }
-
-      const volumeType = typeMapping[type] || 'gp3'
-
-      const config: any = {
-        VolumeSize: size,
-        VolumeType: volumeType,
-        Encrypted: encrypted,
-        DeleteOnTermination: deleteOnTermination,
-      }
-
-      // Add IOPS for provisioned IOPS types
-      if ((volumeType === 'io1' || volumeType === 'io2' || volumeType === 'gp3') && iops) {
-        config.Iops = iops
-      }
-
-      // Add throughput for gp3
-      if (volumeType === 'gp3' && throughput) {
-        config.Throughput = throughput
-      }
-
-      return config
-    },
-
-    /**
-     * Common disk configurations
-     */
-    presets: {
-      /**
-       * Standard SSD (20GB gp3)
-       */
-      standard: {
-        VolumeSize: 20,
-        VolumeType: 'gp3',
-        Encrypted: true,
-        DeleteOnTermination: true,
-      },
-
-      /**
-       * Large storage (100GB gp3)
-       */
-      large: {
-        VolumeSize: 100,
-        VolumeType: 'gp3',
-        Encrypted: true,
-        DeleteOnTermination: true,
-      },
-
-      /**
-       * High performance (50GB io2)
-       */
-      highPerformance: {
-        VolumeSize: 50,
-        VolumeType: 'io2',
-        Iops: 3000,
-        Encrypted: true,
-        DeleteOnTermination: true,
-      },
-
-      /**
-       * Database optimized (100GB io2 with high IOPS)
-       */
-      database: {
-        VolumeSize: 100,
-        VolumeType: 'io2',
-        Iops: 10000,
-        Encrypted: true,
-        DeleteOnTermination: false,
-      },
-    },
-  }
-
-  /**
-   * Spot instance configuration
-   * Provides Stacks configuration parity for spot instances
-   */
-  static readonly SpotConfig = {
-    /**
-     * Create spot instance specification for Launch Template
-     */
-    create: (options: {
-      maxPrice?: string
-      spotInstanceType?: 'one-time' | 'persistent'
-      interruptionBehavior?: 'hibernate' | 'stop' | 'terminate'
-      blockDurationMinutes?: number
-    }): {
-      SpotOptions: {
-        MaxPrice?: string
-        SpotInstanceType?: string
-        InstanceInterruptionBehavior?: string
-        BlockDurationMinutes?: number
-      }
-    } => {
-      const {
-        maxPrice,
-        spotInstanceType = 'one-time',
-        interruptionBehavior = 'terminate',
-        blockDurationMinutes,
-      } = options
-
-      const spotOptions: any = {
-        SpotInstanceType: spotInstanceType,
-        InstanceInterruptionBehavior: interruptionBehavior,
-      }
-
-      if (maxPrice) {
-        spotOptions.MaxPrice = maxPrice
-      }
-
-      if (blockDurationMinutes) {
-        spotOptions.BlockDurationMinutes = blockDurationMinutes
-      }
-
-      return { SpotOptions: spotOptions }
-    },
-
-    /**
-     * Common spot instance configurations
-     */
-    presets: {
-      /**
-       * Standard spot (80% on-demand price)
-       */
-      standard: {
-        spotInstanceType: 'one-time',
-        interruptionBehavior: 'terminate',
-      },
-
-      /**
-       * Persistent spot (for long-running workloads)
-       */
-      persistent: {
-        spotInstanceType: 'persistent',
-        interruptionBehavior: 'stop',
-      },
-
-      /**
-       * Cost-optimized (lower max price)
-       */
-      costOptimized: {
-        maxPrice: '0.05',
-        spotInstanceType: 'one-time',
-        interruptionBehavior: 'terminate',
-      },
-    },
-  }
-
-  /**
-   * Mixed instances configuration for Auto Scaling Groups
-   * Provides Stacks configuration parity for mixed instance fleets
-   */
-  static readonly MixedInstances = {
-    /**
-     * Create mixed instances policy for ASG
-     */
-    create: (options: {
-      instanceTypes: Array<{ size: string, weight?: number }>
-      baseCapacity?: number
-      onDemandPercentage?: number
-      spotAllocationStrategy?: 'lowest-price' | 'capacity-optimized' | 'capacity-optimized-prioritized'
-      spotMaxPrice?: string
-    }): {
-      MixedInstancesPolicy: {
-        InstancesDistribution: {
-          OnDemandBaseCapacity: number
-          OnDemandPercentageAboveBaseCapacity: number
-          SpotAllocationStrategy: string
-          SpotMaxPrice?: string
-        }
-        LaunchTemplate: {
-          Overrides: Array<{
-            InstanceType: string
-            WeightedCapacity?: string
-          }>
-        }
-      }
-    } => {
-      const {
-        instanceTypes,
-        baseCapacity = 0,
-        onDemandPercentage = 20,
-        spotAllocationStrategy = 'capacity-optimized',
-        spotMaxPrice,
-      } = options
-
-      const distribution: any = {
-        OnDemandBaseCapacity: baseCapacity,
-        OnDemandPercentageAboveBaseCapacity: onDemandPercentage,
-        SpotAllocationStrategy: spotAllocationStrategy,
-      }
-
-      if (spotMaxPrice) {
-        distribution.SpotMaxPrice = spotMaxPrice
-      }
-
-      const overrides = instanceTypes.map(({ size, weight }) => {
-        const override: any = { InstanceType: Compute.InstanceSize.toInstanceType(size as any) }
-        if (weight) {
-          override.WeightedCapacity = String(weight)
-        }
-        return override
-      })
-
-      return {
-        MixedInstancesPolicy: {
-          InstancesDistribution: distribution,
-          LaunchTemplate: {
-            Overrides: overrides,
-          },
-        },
-      }
-    },
-
-    /**
-     * Common mixed instance configurations
-     */
-    presets: {
-      /**
-       * Cost-optimized (80% spot)
-       */
-      costOptimized: {
-        baseCapacity: 0,
-        onDemandPercentage: 20,
-        spotAllocationStrategy: 'lowest-price',
-        instanceTypes: [
-          { size: 'small', weight: 1 },
-          { size: 'medium', weight: 2 },
-        ] as const,
-      },
-
-      /**
-       * Balanced (50% spot)
-       */
-      balanced: {
-        baseCapacity: 1,
-        onDemandPercentage: 50,
-        spotAllocationStrategy: 'capacity-optimized',
-        instanceTypes: [
-          { size: 'medium', weight: 1 },
-          { size: 'large', weight: 2 },
-        ] as const,
-      },
-
-      /**
-       * High availability (20% spot)
-       */
-      highAvailability: {
-        baseCapacity: 2,
-        onDemandPercentage: 80,
-        spotAllocationStrategy: 'capacity-optimized-prioritized',
-        instanceTypes: [
-          { size: 'medium', weight: 1 },
-        ] as const,
-      },
-    },
-  }
-
-  /**
-   * Auto-scaling configuration helpers
-   * Provides Stacks configuration parity for auto-scaling options
-   */
-  static readonly AutoScalingConfig = {
-    /**
-     * Create auto-scaling configuration
-     */
-    create: (options: {
-      min: number
-      max: number
-      desired?: number
-      scaleUpThreshold?: number
-      scaleDownThreshold?: number
-      cooldownSeconds?: number
-      targetMetric?: 'cpu' | 'memory' | 'requests'
-    }): {
-      minSize: number
-      maxSize: number
-      desiredCapacity: number
-      scalingPolicies: Array<{
-        policyType: string
-        targetValue: number
-        predefinedMetricType: string
-        scaleInCooldown: number
-        scaleOutCooldown: number
-      }>
-    } => {
-      const {
-        min,
-        max,
-        desired = min,
-        scaleUpThreshold = 70,
-        scaleDownThreshold = 30,
-        cooldownSeconds = 300,
-        targetMetric = 'cpu',
-      } = options
-
-      const metricMapping: Record<string, string> = {
-        cpu: 'ASGAverageCPUUtilization',
-        memory: 'ASGAverageMemoryUtilization',
-        requests: 'ALBRequestCountPerTarget',
-      }
-
-      return {
-        minSize: min,
-        maxSize: max,
-        desiredCapacity: desired,
-        scalingPolicies: [
-          {
-            policyType: 'TargetTrackingScaling',
-            targetValue: scaleUpThreshold,
-            predefinedMetricType: metricMapping[targetMetric] || metricMapping.cpu,
-            scaleInCooldown: cooldownSeconds,
-            scaleOutCooldown: cooldownSeconds,
-          },
-        ],
-      }
-    },
-
-    /**
-     * ECS auto-scaling configuration
-     */
-    forEcs: (options: {
-      min: number
-      max: number
-      cpuTarget?: number
-      memoryTarget?: number
-    }): {
-      minCapacity: number
-      maxCapacity: number
-      targetTrackingPolicies: Array<{
-        predefinedMetricType: string
-        targetValue: number
-      }>
-    } => {
-      const { min, max, cpuTarget = 70, memoryTarget } = options
-
-      const policies: Array<{ predefinedMetricType: string, targetValue: number }> = [
-        {
-          predefinedMetricType: 'ECSServiceAverageCPUUtilization',
-          targetValue: cpuTarget,
-        },
-      ]
-
-      if (memoryTarget) {
-        policies.push({
-          predefinedMetricType: 'ECSServiceAverageMemoryUtilization',
-          targetValue: memoryTarget,
-        })
-      }
-
-      return {
-        minCapacity: min,
-        maxCapacity: max,
-        targetTrackingPolicies: policies,
-      }
-    },
-
-    /**
-     * Common auto-scaling configurations
-     */
-    presets: {
-      /**
-       * Small service (1-3 instances)
-       */
-      small: {
-        min: 1,
-        max: 3,
-        scaleUpThreshold: 70,
-        scaleDownThreshold: 30,
-      },
-
-      /**
-       * Medium service (2-10 instances)
-       */
-      medium: {
-        min: 2,
-        max: 10,
-        scaleUpThreshold: 70,
-        scaleDownThreshold: 30,
-      },
-
-      /**
-       * Large service (3-50 instances)
-       */
-      large: {
-        min: 3,
-        max: 50,
-        scaleUpThreshold: 60,
-        scaleDownThreshold: 40,
-      },
-
-      /**
-       * High availability (always 2+ instances)
-       */
-      highAvailability: {
-        min: 2,
-        max: 20,
-        scaleUpThreshold: 60,
-        scaleDownThreshold: 30,
-      },
-    },
-  }
-
-  /**
-   * Load balancer configuration helpers
-   * Provides Stacks configuration parity for load balancer options
-   */
-  static readonly LoadBalancerConfig = {
-    /**
-     * Create load balancer health check configuration
-     */
-    healthCheck: (options: {
-      path?: string
-      interval?: number
-      timeout?: number
-      healthyThreshold?: number
-      unhealthyThreshold?: number
-      protocol?: 'HTTP' | 'HTTPS' | 'TCP'
-    }): {
-      HealthCheckPath?: string
-      HealthCheckIntervalSeconds: number
-      HealthCheckTimeoutSeconds: number
-      HealthyThresholdCount: number
-      UnhealthyThresholdCount: number
-      HealthCheckProtocol?: string
-    } => {
-      const {
-        path = '/',
-        interval = 30,
-        timeout = 5,
-        healthyThreshold = 2,
-        unhealthyThreshold = 5,
-        protocol = 'HTTP',
-      } = options
-
-      const config: any = {
-        HealthCheckIntervalSeconds: interval,
-        HealthCheckTimeoutSeconds: timeout,
-        HealthyThresholdCount: healthyThreshold,
-        UnhealthyThresholdCount: unhealthyThreshold,
-      }
-
-      if (protocol !== 'TCP') {
-        config.HealthCheckPath = path
-        config.HealthCheckProtocol = protocol
-      }
-
-      return config
-    },
-
-    /**
-     * Common health check configurations
-     */
-    presets: {
-      /**
-       * Standard HTTP health check
-       */
-      standard: {
-        path: '/health',
-        interval: 30,
-        timeout: 5,
-        healthyThreshold: 2,
-        unhealthyThreshold: 5,
-      },
-
-      /**
-       * Fast health check (for quick failover)
-       */
-      fast: {
-        path: '/health',
-        interval: 10,
-        timeout: 3,
-        healthyThreshold: 2,
-        unhealthyThreshold: 2,
-      },
-
-      /**
-       * Relaxed health check (for slow-starting apps)
-       */
-      relaxed: {
-        path: '/health',
-        interval: 60,
-        timeout: 30,
-        healthyThreshold: 2,
-        unhealthyThreshold: 10,
-      },
-    },
-  }
-
-  /**
-   * SSL configuration helpers
-   * Provides Stacks configuration parity for SSL options
-   */
-  static readonly SslConfig = {
-    /**
-     * Create SSL listener configuration
-     */
-    httpsListener: (options: {
-      certificateArn: string
-      targetGroupArn: string
-      port?: number
-      sslPolicy?: string
-    }): {
-      Port: number
-      Protocol: string
-      Certificates: Array<{ CertificateArn: string }>
-      SslPolicy: string
-      DefaultActions: Array<{ Type: string, TargetGroupArn: string }>
-    } => {
-      const {
-        certificateArn,
-        targetGroupArn,
-        port = 443,
-        sslPolicy = 'ELBSecurityPolicy-TLS13-1-2-2021-06',
-      } = options
-
-      return {
-        Port: port,
-        Protocol: 'HTTPS',
-        Certificates: [{ CertificateArn: certificateArn }],
-        SslPolicy: sslPolicy,
-        DefaultActions: [{
-          Type: 'forward',
-          TargetGroupArn: targetGroupArn,
-        }],
-      }
-    },
-
-    /**
-     * Create HTTP to HTTPS redirect listener
-     */
-    httpRedirectListener: (port: number = 80): {
-      Port: number
-      Protocol: string
-      DefaultActions: Array<{
-        Type: string
-        RedirectConfig: {
-          Protocol: string
-          Port: string
-          StatusCode: string
-        }
-      }>
-    } => ({
-      Port: port,
-      Protocol: 'HTTP',
-      DefaultActions: [{
-        Type: 'redirect',
-        RedirectConfig: {
-          Protocol: 'HTTPS',
-          Port: '443',
-          StatusCode: 'HTTP_301',
-        },
-      }],
-    }),
-
-    /**
-     * SSL policies (TLS versions)
-     */
-    policies: {
-      tls13: 'ELBSecurityPolicy-TLS13-1-2-2021-06',
-      tls12: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06',
-      tls11: 'ELBSecurityPolicy-TLS-1-1-2017-01',
-      fips: 'ELBSecurityPolicy-TLS-1-2-Ext-FIPS-2022-05',
-    } as const,
-  }
-
-  /**
-   * Functions configuration helpers (Lambda)
-   * Provides Stacks configuration parity for functions configuration
-   */
-  static readonly FunctionConfig = {
-    /**
-     * Create Lambda function configuration
-     */
-    create: (options: {
-      handler: string
-      runtime?: string
-      timeout?: number
-      memorySize?: number
-      environmentVariables?: Record<string, string>
-      reservedConcurrency?: number
-    }): {
-      Handler: string
-      Runtime: string
-      Timeout: number
-      MemorySize: number
-      Environment?: { Variables: Record<string, string> }
-      ReservedConcurrentExecutions?: number
-    } => {
-      const {
-        handler,
-        runtime = 'nodejs20.x',
-        timeout = 30,
-        memorySize = 256,
-        environmentVariables,
-        reservedConcurrency,
-      } = options
-
-      const config: any = {
-        Handler: handler,
-        Runtime: runtime,
-        Timeout: timeout,
-        MemorySize: memorySize,
-      }
-
-      if (environmentVariables) {
-        config.Environment = { Variables: environmentVariables }
-      }
-
-      if (reservedConcurrency) {
-        config.ReservedConcurrentExecutions = reservedConcurrency
-      }
-
-      return config
-    },
-
-    /**
-     * Runtime options
-     */
-    runtimes: {
-      nodejs20: 'nodejs20.x',
-      nodejs18: 'nodejs18.x',
-      python312: 'python3.12',
-      python311: 'python3.11',
-      java21: 'java21',
-      java17: 'java17',
-      go: 'provided.al2023',
-      rust: 'provided.al2023',
-    } as const,
-
-    /**
-     * Common function configurations
-     */
-    presets: {
-      /**
-       * API handler (fast response)
-       */
-      api: {
-        runtime: 'nodejs20.x',
-        timeout: 30,
-        memorySize: 256,
-      },
-
-      /**
-       * Worker (background processing)
-       */
-      worker: {
-        runtime: 'nodejs20.x',
-        timeout: 300,
-        memorySize: 512,
-      },
-
-      /**
-       * Cron job (scheduled task)
-       */
-      cron: {
-        runtime: 'nodejs20.x',
-        timeout: 900,
-        memorySize: 1024,
-      },
-
-      /**
-       * Data processing (high memory)
-       */
-      dataProcessing: {
-        runtime: 'nodejs20.x',
-        timeout: 900,
-        memorySize: 3008,
-      },
-    },
-  }
-
-  /**
-   * User data scripts for EC2 Server Mode (Forge-style)
-   * Provides installation scripts for Bun, Node.js, Nginx, Caddy, PM2, etc.
-   */
-  static readonly UserData = {
-    /**
-     * Generate complete user data script for app server
-     */
-    generateAppServerScript: (options: {
-      runtime?: 'bun' | 'node'
-      runtimeVersion?: string
-      webServer?: 'nginx' | 'caddy' | 'none'
-      processManager?: 'pm2' | 'systemd'
-      enableSsl?: boolean
-      sslEmail?: string
-      domain?: string
-      appPort?: number
-      installDatabaseClients?: boolean
-      installRedis?: boolean
-      extraPackages?: string[]
-    }): string => {
-      const {
-        runtime = 'bun',
-        runtimeVersion = 'latest',
-        webServer = 'nginx',
-        processManager = 'systemd',
-        enableSsl = true,
-        sslEmail = 'admin@example.com',
-        domain,
-        appPort = 3000,
-        installDatabaseClients = false,
-        installRedis = false,
-        extraPackages = [],
-      } = options
-
-      let script = `#!/bin/bash
-set -e
-
-# Update system
-export DEBIAN_FRONTEND=noninteractive
-apt-get update && apt-get upgrade -y
-
-# Install basic tools
-apt-get install -y curl wget git jq htop unzip
-
-`
-
-      // Install runtime
-      if (runtime === 'bun') {
-        script += Compute.UserData.Scripts.bun(runtimeVersion)
-      }
-      else {
-        script += Compute.UserData.Scripts.nodeJs(runtimeVersion)
-      }
-
-      // Install web server
-      if (webServer === 'nginx') {
-        script += Compute.UserData.Scripts.nginx()
-        if (domain && enableSsl) {
-          script += Compute.UserData.Scripts.nginxProxy(domain, appPort)
-        }
-      }
-      else if (webServer === 'caddy') {
-        script += Compute.UserData.Scripts.caddy()
-        if (domain) {
-          script += Compute.UserData.Scripts.caddyProxy(domain, appPort)
-        }
-      }
-
-      // Install process manager
-      if (processManager === 'pm2' && runtime === 'node') {
-        script += Compute.UserData.Scripts.pm2()
-      }
-
-      // Install Let's Encrypt if enabled
-      if (enableSsl && webServer === 'nginx' && domain) {
-        script += Compute.UserData.Scripts.letsEncrypt(domain, sslEmail)
-      }
-
-      // Install database clients if requested
-      if (installDatabaseClients) {
-        script += Compute.UserData.Scripts.databaseClients()
-      }
-
-      // Install Redis if requested
-      if (installRedis) {
-        script += Compute.UserData.Scripts.redis()
-      }
-
-      // Install extra packages
-      if (extraPackages.length > 0) {
-        script += `\n# Install extra packages\napt-get install -y ${extraPackages.join(' ')}\n`
-      }
-
-      script += `\necho "Server setup complete!"\n`
-
-      return script
-    },
-
-    /**
-     * Individual installation scripts
-     */
-    Scripts: {
-      /**
-       * Install Bun
-       */
-      bun: (version: string = 'latest'): string => `
-# Install Bun
-curl -fsSL https://bun.sh/install | bash
-export BUN_INSTALL="$HOME/.bun"
-export PATH="$BUN_INSTALL/bin:$PATH"
-echo 'export BUN_INSTALL="$HOME/.bun"' >> /etc/profile.d/bun.sh
-echo 'export PATH="$BUN_INSTALL/bin:$PATH"' >> /etc/profile.d/bun.sh
-${version !== 'latest' ? `bun upgrade --version ${version}` : ''}
-bun --version
-`,
-
-      /**
-       * Install Node.js via nvm
-       */
-      nodeJs: (version: string = '20'): string => `
-# Install Node.js via nvm
-curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
-export NVM_DIR="$HOME/.nvm"
-[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
-nvm install ${version}
-nvm use ${version}
-nvm alias default ${version}
-echo 'export NVM_DIR="$HOME/.nvm"' >> /etc/profile.d/nvm.sh
-echo '[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"' >> /etc/profile.d/nvm.sh
-node --version
-npm --version
-`,
-
-      /**
-       * Install Nginx
-       */
-      nginx: (): string => `
-# Install Nginx
-apt-get install -y nginx
-systemctl enable nginx
-systemctl start nginx
-`,
-
-      /**
-       * Configure Nginx as reverse proxy
-       */
-      nginxProxy: (domain: string, port: number = 3000): string => `
-# Configure Nginx reverse proxy
-cat > /etc/nginx/sites-available/${domain} << 'NGINX_CONFIG'
-server {
-    listen 80;
-    server_name ${domain};
-
-    location / {
-        proxy_pass http://127.0.0.1:${port};
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
-    }
-}
-NGINX_CONFIG
-
-ln -sf /etc/nginx/sites-available/${domain} /etc/nginx/sites-enabled/
-rm -f /etc/nginx/sites-enabled/default
-nginx -t && systemctl reload nginx
-`,
-
-      /**
-       * Install Caddy
-       */
-      caddy: (): string => `
-# Install Caddy
-apt-get install -y debian-keyring debian-archive-keyring apt-transport-https
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
-apt-get update
-apt-get install -y caddy
-systemctl enable caddy
-`,
-
-      /**
-       * Configure Caddy as reverse proxy
-       */
-      caddyProxy: (domain: string, port: number = 3000): string => `
-# Configure Caddy reverse proxy
-cat > /etc/caddy/Caddyfile << 'CADDY_CONFIG'
-${domain} {
-    reverse_proxy localhost:${port}
-}
-CADDY_CONFIG
-
-systemctl restart caddy
-`,
-
-      /**
-       * Install PM2
-       */
-      pm2: (): string => `
-# Install PM2
-npm install -g pm2
-pm2 startup systemd -u root --hp /root
-`,
-
-      /**
-       * Install Let's Encrypt (certbot)
-       */
-      letsEncrypt: (domain: string, email: string, staging: boolean = false): string => `
-# Install Certbot
-apt-get install -y certbot python3-certbot-nginx
-# Obtain SSL certificate
-certbot --nginx -d ${domain} --non-interactive --agree-tos -m ${email} ${staging ? '--staging' : ''}
-# Setup auto-renewal
-echo "0 0 * * * root certbot renew --quiet" > /etc/cron.d/certbot-renew
-`,
-
-      /**
-       * Install database clients
-       */
-      databaseClients: (): string => `
-# Install database clients
-apt-get install -y postgresql-client mysql-client
-`,
-
-      /**
-       * Install Redis (server and cli)
-       */
-      redis: (): string => `
-# Install Redis
-apt-get install -y redis-server redis-tools
-systemctl enable redis-server
-systemctl start redis-server
-`,
-
-      /**
-       * Create systemd service for app
-       */
-      systemdService: (options: {
-        serviceName: string
-        description: string
-        workingDirectory: string
-        execStart: string
-        user?: string
-        environmentVars?: Record<string, string>
-      }): string => {
-        const {
-          serviceName,
-          description,
-          workingDirectory,
-          execStart,
-          user = 'root',
-          environmentVars = {},
-        } = options
-
-        const envLines = Object.entries(environmentVars)
-          .map(([key, value]) => `Environment="${key}=${value}"`)
-          .join('\n')
-
-        return `
-# Create systemd service for ${serviceName}
-cat > /etc/systemd/system/${serviceName}.service << 'SERVICE_FILE'
-[Unit]
-Description=${description}
-After=network.target
-
-[Service]
-Type=simple
-User=${user}
-WorkingDirectory=${workingDirectory}
-ExecStart=${execStart}
-Restart=on-failure
-RestartSec=10
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=${serviceName}
-${envLines}
-
-[Install]
-WantedBy=multi-user.target
-SERVICE_FILE
-
-systemctl daemon-reload
-systemctl enable ${serviceName}
-systemctl start ${serviceName}
-`
-      },
-
-      /**
-       * Setup swap file
-       */
-      swapFile: (sizeGb: number = 2): string => `
-# Setup swap file
-fallocate -l ${sizeGb}G /swapfile
-chmod 600 /swapfile
-mkswap /swapfile
-swapon /swapfile
-echo '/swapfile none swap sw 0 0' >> /etc/fstab
-`,
-
-      /**
-       * Setup firewall (ufw)
-       */
-      firewall: (allowPorts: number[] = [22, 80, 443]): string => `
-# Setup firewall
-apt-get install -y ufw
-ufw default deny incoming
-ufw default allow outgoing
-${allowPorts.map(p => `ufw allow ${p}`).join('\n')}
-ufw --force enable
-`,
-    },
-
-    /**
-     * Preset user data configurations
-     */
-    Presets: {
-      /**
-       * Bun app server with Nginx
-       */
-      bunWithNginx: (domain: string, appPort: number = 3000): string =>
-        Compute.UserData.generateAppServerScript({
-          runtime: 'bun',
-          webServer: 'nginx',
-          processManager: 'systemd',
-          domain,
-          appPort,
-          enableSsl: true,
-        }),
-
-      /**
-       * Bun app server with Caddy (auto SSL)
-       */
-      bunWithCaddy: (domain: string, appPort: number = 3000): string =>
-        Compute.UserData.generateAppServerScript({
-          runtime: 'bun',
-          webServer: 'caddy',
-          processManager: 'systemd',
-          domain,
-          appPort,
-          enableSsl: false, // Caddy handles SSL automatically
-        }),
-
-      /**
-       * Node.js app server with PM2 and Nginx
-       */
-      nodeWithPm2: (domain: string, appPort: number = 3000): string =>
-        Compute.UserData.generateAppServerScript({
-          runtime: 'node',
-          webServer: 'nginx',
-          processManager: 'pm2',
-          domain,
-          appPort,
-          enableSsl: true,
-        }),
-
-      /**
-       * Minimal worker server (no web server)
-       */
-      worker: (runtime: 'bun' | 'node' = 'bun'): string =>
-        Compute.UserData.generateAppServerScript({
-          runtime,
-          webServer: 'none',
-          processManager: 'systemd',
-          enableSsl: false,
-        }),
-    },
-  }
-
-  /**
-   * Create Elastic IP allocation
-   */
-  static createElasticIp(options: {
-    slug: string
-    environment: EnvironmentType
-    domain?: string
-    instanceLogicalId?: string
-  }): {
-    eip: any
-    eipAssociation?: any
-    eipLogicalId: string
-    associationLogicalId?: string
-    resources: Record<string, any>
-  } {
-    const { slug, environment, domain, instanceLogicalId } = options
-
-    const resourceName = generateResourceName({
-      slug,
-      environment,
-      resourceType: 'eip',
-    })
-
-    const eipLogicalId = generateLogicalId(resourceName)
-
-    const eip = {
-      Type: 'AWS::EC2::EIP',
-      Properties: {
-        Domain: 'vpc',
-        Tags: [
-          { Key: 'Name', Value: resourceName },
-          { Key: 'Environment', Value: environment },
-          ...(domain ? [{ Key: 'Domain', Value: domain }] : []),
-        ],
-      },
-    }
-
-    const resources: Record<string, any> = {
-      [eipLogicalId]: eip,
-    }
-
-    let eipAssociation
-    let associationLogicalId
-
-    if (instanceLogicalId) {
-      associationLogicalId = generateLogicalId(`${resourceName}-assoc`)
-      eipAssociation = {
-        Type: 'AWS::EC2::EIPAssociation',
-        Properties: {
-          AllocationId: Fn.GetAtt(eipLogicalId, 'AllocationId'),
-          InstanceId: Fn.Ref(instanceLogicalId),
-        },
-      }
-      resources[associationLogicalId] = eipAssociation
-    }
-
-    return {
-      eip,
-      eipAssociation,
-      eipLogicalId,
-      associationLogicalId,
-      resources,
-    }
-  }
-
-  /**
-   * Create complete Server Mode stack (Forge-style)
-   * Creates EC2 instance with Elastic IP, security group, and IAM role
-   */
-  static createServerModeStack(options: {
-    slug: string
-    environment: EnvironmentType
-    vpcId: string
-    subnetId: string
-    instanceType?: string
-    imageId?: string
-    keyName: string
-    domain?: string
-    userData?: string
-    allowedPorts?: number[]
-    volumeSize?: number
-    volumeType?: 'gp2' | 'gp3' | 'io1' | 'io2'
-  }): {
-    instance: EC2Instance
-    securityGroup: EC2SecurityGroup
-    eip: any
-    eipAssociation: any
-    instanceRole: IAMRole
-    instanceProfile: any
-    resources: Record<string, any>
-    outputs: {
-      instanceLogicalId: string
-      securityGroupLogicalId: string
-      eipLogicalId: string
-      associationLogicalId: string
-      roleLogicalId: string
-      profileLogicalId: string
-    }
-  } {
-    const {
-      slug,
-      environment,
-      vpcId,
-      subnetId,
-      instanceType = 't3.small',
-      imageId = 'ami-0c55b159cbfafe1f0', // Amazon Linux 2023
-      keyName,
-      domain,
-      userData,
-      allowedPorts = [22, 80, 443],
-      volumeSize = 20,
-      volumeType = 'gp3',
-    } = options
-
-    const resources: Record<string, any> = {}
-
-    // Create security group
-    const sgResourceName = generateResourceName({ slug, environment, resourceType: 'server-sg' })
-    const securityGroupLogicalId = generateLogicalId(sgResourceName)
-
-    const securityGroup: EC2SecurityGroup = {
-      Type: 'AWS::EC2::SecurityGroup',
-      Properties: {
-        GroupName: sgResourceName,
-        GroupDescription: `Security group for ${slug} server`,
-        VpcId: vpcId,
-        SecurityGroupIngress: allowedPorts.map(port => ({
-          IpProtocol: 'tcp',
-          FromPort: port,
-          ToPort: port,
-          CidrIp: '0.0.0.0/0',
-          Description: `Port ${port}`,
-        })),
-        SecurityGroupEgress: [{
-          IpProtocol: '-1',
-          CidrIp: '0.0.0.0/0',
-          Description: 'Allow all outbound',
-        }],
-        Tags: [
-          { Key: 'Name', Value: sgResourceName },
-          { Key: 'Environment', Value: environment },
-        ],
-      },
-    }
-    resources[securityGroupLogicalId] = securityGroup
-
-    // Create IAM role for instance
-    const roleResourceName = generateResourceName({ slug, environment, resourceType: 'server-role' })
-    const roleLogicalId = generateLogicalId(roleResourceName)
-
-    const instanceRole: IAMRole = {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        RoleName: roleResourceName,
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [{
-            Effect: 'Allow',
-            Principal: { Service: 'ec2.amazonaws.com' },
-            Action: 'sts:AssumeRole',
-          }],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore',
-          'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy',
-        ],
-      },
-    }
-    resources[roleLogicalId] = instanceRole
-
-    // Create instance profile
-    const profileResourceName = generateResourceName({ slug, environment, resourceType: 'server-profile' })
-    const profileLogicalId = generateLogicalId(profileResourceName)
-
-    const instanceProfile = {
-      Type: 'AWS::IAM::InstanceProfile',
-      Properties: {
-        InstanceProfileName: profileResourceName,
-        Roles: [Fn.Ref(roleLogicalId)],
-      },
-    }
-    resources[profileLogicalId] = instanceProfile
-
-    // Create EC2 instance
-    const instanceResourceName = generateResourceName({ slug, environment, resourceType: 'server' })
-    const instanceLogicalId = generateLogicalId(instanceResourceName)
-
-    const instance: EC2Instance = {
-      Type: 'AWS::EC2::Instance',
-      DependsOn: [profileLogicalId],
-      Properties: {
-        ImageId: imageId,
-        InstanceType: instanceType,
-        KeyName: keyName,
-        SubnetId: subnetId,
-        SecurityGroupIds: [Fn.Ref(securityGroupLogicalId) as unknown as string],
-        IamInstanceProfile: Fn.Ref(profileLogicalId) as unknown as string,
-        BlockDeviceMappings: [{
-          DeviceName: '/dev/xvda',
-          Ebs: {
-            VolumeSize: volumeSize,
-            VolumeType: volumeType,
-            Encrypted: true,
-            DeleteOnTermination: true,
-          },
-        }],
-        Tags: [
-          { Key: 'Name', Value: instanceResourceName },
-          { Key: 'Environment', Value: environment },
-          ...(domain ? [{ Key: 'Domain', Value: domain }] : []),
-        ],
-      },
-    }
-
-    if (userData) {
-      instance.Properties.UserData = Fn.Base64(userData) as any
-    }
-
-    resources[instanceLogicalId] = instance
-
-    // Create Elastic IP
-    const { eip, eipAssociation, eipLogicalId, associationLogicalId, resources: eipResources } = Compute.createElasticIp({
-      slug,
-      environment,
-      domain,
-      instanceLogicalId,
-    })
-
-    Object.assign(resources, eipResources)
-
-    return {
-      instance,
-      securityGroup,
-      eip,
-      eipAssociation,
-      instanceRole,
-      instanceProfile,
-      resources,
-      outputs: {
-        instanceLogicalId,
-        securityGroupLogicalId,
-        eipLogicalId,
-        associationLogicalId: associationLogicalId!,
-        roleLogicalId,
-        profileLogicalId,
-      },
-    }
-  }
-
-  /**
-   * Server Mode presets for common server types
-   */
-  static readonly ServerMode = {
-    /**
-     * Create web/app server
-     */
-    webServer: (options: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-      domain: string
-      runtime?: 'bun' | 'node'
-      webServer?: 'nginx' | 'caddy'
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      eip: any
-      eipAssociation: any
-      instanceRole: IAMRole
-      instanceProfile: any
-      resources: Record<string, any>
-      outputs: {
-        instanceLogicalId: string
-        securityGroupLogicalId: string
-        eipLogicalId: string
-        associationLogicalId: string
-        roleLogicalId: string
-        profileLogicalId: string
-      }
-    } => {
-      const userData = Compute.UserData.generateAppServerScript({
-        runtime: options.runtime || 'bun',
-        webServer: options.webServer || 'nginx',
-        domain: options.domain,
-        enableSsl: true,
-      })
-
-      return Compute.createServerModeStack({
-        ...options,
-        userData,
-        instanceType: 't3.small',
-        allowedPorts: [22, 80, 443],
-      })
-    },
-
-    /**
-     * Create worker server (no web server)
-     */
-    workerServer: (options: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-      runtime?: 'bun' | 'node'
-      installRedis?: boolean
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      eip: any
-      eipAssociation: any
-      instanceRole: IAMRole
-      instanceProfile: any
-      resources: Record<string, any>
-      outputs: {
-        instanceLogicalId: string
-        securityGroupLogicalId: string
-        eipLogicalId: string
-        associationLogicalId: string
-        roleLogicalId: string
-        profileLogicalId: string
-      }
-    } => {
-      const userData = Compute.UserData.generateAppServerScript({
-        runtime: options.runtime || 'bun',
-        webServer: 'none',
-        installRedis: options.installRedis,
-      })
-
-      return Compute.createServerModeStack({
-        ...options,
-        userData,
-        instanceType: 't3.medium',
-        allowedPorts: [22],
-      })
-    },
-
-    /**
-     * Create cache server (Redis)
-     */
-    cacheServer: (options: {
-      slug: string
-      environment: EnvironmentType
-      vpcId: string
-      subnetId: string
-      keyName: string
-    }): {
-      instance: EC2Instance
-      securityGroup: EC2SecurityGroup
-      eip: any
-      eipAssociation: any
-      instanceRole: IAMRole
-      instanceProfile: any
-      resources: Record<string, any>
-      outputs: {
-        instanceLogicalId: string
-        securityGroupLogicalId: string
-        eipLogicalId: string
-        associationLogicalId: string
-        roleLogicalId: string
-        profileLogicalId: string
-      }
-    } => {
-      const userData = `#!/bin/bash
-set -e
-apt-get update && apt-get upgrade -y
-apt-get install -y redis-server
-sed -i 's/bind 127.0.0.1/bind 0.0.0.0/' /etc/redis/redis.conf
-systemctl enable redis-server
-systemctl restart redis-server
-echo "Redis server setup complete!"
-`
-
-      return Compute.createServerModeStack({
-        ...options,
-        userData,
-        instanceType: 't3.medium',
-        allowedPorts: [22, 6379],
-      })
-    },
-  }
-}