@stacksjs/ts-cloud-core 0.1.6 → 0.1.7

package/dist/multi-account/config.d.ts

@@ -0,0 +1,315 @@
+import type { AWSAccount, CrossAccountRole } from './manager';
+/**
+ * Get recommended account structure
+ */
+export declare function getRecommendedStructure(size: 'basic' | 'standard' | 'enterprise'): AccountStructure;
+/**
+ * Generate cross-account role CloudFormation
+ */
+export declare function generateCrossAccountRoleCF(role: CrossAccountRole, managedPolicies?: string[]): any;
+/**
+ * Validate account structure
+ */
+export declare function validateAccountStructure(structure: AccountStructure): {
+  valid: boolean
+  errors: string[]
+  warnings: string[]
+};
+/**
+ * Format account structure for display
+ */
+export declare function formatAccountStructure(structure: AccountStructure): string;
+/**
+ * AWS best practices: Multi-account structure
+ * Based on AWS Well-Architected Framework
+ */
+export declare const RECOMMENDED_ACCOUNT_STRUCTURES: {
+  basic: {
+  name: 'Basic (3 Accounts)';
+  description: 'Simple structure for small teams';
+  accounts: readonly [{
+  alias: 'management';
+  email: 'aws+management@example.com';
+  role: 'management';
+  ou: 'root';
+  description: 'Management account for AWS Organizations'
+}, {
+  alias: 'production';
+  email: 'aws+production@example.com';
+  role: 'production';
+  ou: 'workloads';
+  description: 'Production workloads'
+}, {
+  alias: 'development';
+  email: 'aws+development@example.com';
+  role: 'development';
+  ou: 'workloads';
+  description: 'Development and testing'
+}];
+  organizationalUnits: readonly [{
+  name: 'root'
+}, {
+  name: 'workloads';
+  parent: 'root'
+}]
+};
+  standard: {
+  name: 'Standard (5 Accounts)';
+  description: 'Recommended for most organizations';
+  accounts: readonly [{
+  alias: 'management';
+  email: 'aws+management@example.com';
+  role: 'management';
+  ou: 'root';
+  description: 'Management account'
+}, {
+  alias: 'security';
+  email: 'aws+security@example.com';
+  role: 'security';
+  ou: 'security';
+  description: 'Security tooling and audit logs'
+}, {
+  alias: 'shared-services';
+  email: 'aws+shared@example.com';
+  role: 'shared-services';
+  ou: 'infrastructure';
+  description: 'Shared services (CI/CD, monitoring)'
+}, {
+  alias: 'production';
+  email: 'aws+production@example.com';
+  role: 'production';
+  ou: 'workloads';
+  description: 'Production environment'
+}, {
+  alias: 'staging';
+  email: 'aws+staging@example.com';
+  role: 'staging';
+  ou: 'workloads';
+  description: 'Staging environment'
+}, {
+  alias: 'development';
+  email: 'aws+development@example.com';
+  role: 'development';
+  ou: 'workloads';
+  description: 'Development environment'
+}];
+  organizationalUnits: readonly [{
+  name: 'root'
+}, {
+  name: 'security';
+  parent: 'root'
+}, {
+  name: 'infrastructure';
+  parent: 'root'
+}, {
+  name: 'workloads';
+  parent: 'root'
+}]
+};
+  enterprise: {
+  name: 'Enterprise (7+ Accounts)';
+  description: 'For large organizations with strict compliance requirements';
+  accounts: readonly [{
+  alias: 'management';
+  email: 'aws+management@example.com';
+  role: 'management';
+  ou: 'root';
+  description: 'Management account'
+}, {
+  alias: 'audit';
+  email: 'aws+audit@example.com';
+  role: 'security';
+  ou: 'security';
+  description: 'Audit and compliance'
+}, {
+  alias: 'log-archive';
+  email: 'aws+logs@example.com';
+  role: 'security';
+  ou: 'security';
+  description: 'Centralized log storage'
+}, {
+  alias: 'shared-services';
+  email: 'aws+shared@example.com';
+  role: 'shared-services';
+  ou: 'infrastructure';
+  description: 'Shared infrastructure'
+}, {
+  alias: 'network';
+  email: 'aws+network@example.com';
+  role: 'shared-services';
+  ou: 'infrastructure';
+  description: 'Network infrastructure (Transit Gateway)'
+}, {
+  alias: 'production';
+  email: 'aws+production@example.com';
+  role: 'production';
+  ou: 'production-ou';
+  description: 'Production workloads'
+}, {
+  alias: 'staging';
+  email: 'aws+staging@example.com';
+  role: 'staging';
+  ou: 'non-production-ou';
+  description: 'Staging environment'
+}, {
+  alias: 'development';
+  email: 'aws+development@example.com';
+  role: 'development';
+  ou: 'non-production-ou';
+  description: 'Development environment'
+}];
+  organizationalUnits: readonly [{
+  name: 'root'
+}, {
+  name: 'security';
+  parent: 'root';
+  policies: readonly ['deny-root-access']
+}, {
+  name: 'infrastructure';
+  parent: 'root'
+}, {
+  name: 'production-ou';
+  parent: 'root';
+  policies: readonly ['require-mfa']
+}, {
+  name: 'non-production-ou';
+  parent: 'root'
+}]
+}
+};
+/**
+ * Service Control Policies (SCPs) - AWS best practices
+ */
+export declare const RECOMMENDED_SCPS: {
+  denyRootAccess: {
+  name: 'Deny Root User Access';
+  description: 'Prevent root user from performing any actions';
+  policyDocument: {
+  Version: '2012-10-17';
+  Statement: readonly [{
+  Sid: 'DenyRootUser';
+  Effect: 'Deny';
+  Action: '*';
+  Resource: '*';
+  Condition: {
+  StringLike: {
+  'aws:PrincipalArn': 'arn:aws:iam::*:root'
+}
+}
+}]
+}
+};
+  requireMFA: {
+  name: 'Require MFA for All Actions';
+  description: 'Require MFA for console and API access';
+  policyDocument: {
+  Version: '2012-10-17';
+  Statement: readonly [{
+  Sid: 'RequireMFA';
+  Effect: 'Deny';
+  Action: '*';
+  Resource: '*';
+  Condition: {
+  BoolIfExists: {
+  'aws:MultiFactorAuthPresent': 'false'
+}
+}
+}]
+}
+};
+  denyRegions: {
+  name: 'Deny Access to Non-Approved Regions';
+  description: 'Restrict operations to specific regions';
+  policyDocument: {
+  Version: '2012-10-17';
+  Statement: readonly [{
+  Sid: 'DenyNonApprovedRegions';
+  Effect: 'Deny';
+  NotAction: readonly ['iam:*', 'organizations:*', 'route53:*', 'cloudfront:*', 'support:*', 's3:*'];
+  Resource: '*';
+  Condition: {
+  StringNotEquals: {
+  'aws:RequestedRegion': readonly ['us-east-1', 'us-west-2']
+}
+}
+}]
+}
+};
+  preventLeaving: {
+  name: 'Prevent Leaving Organization';
+  description: 'Prevent accounts from leaving the organization';
+  policyDocument: {
+  Version: '2012-10-17';
+  Statement: readonly [{
+  Sid: 'PreventLeaving';
+  Effect: 'Deny';
+  Action: 'organizations:LeaveOrganization';
+  Resource: '*'
+}]
+}
+};
+  denyS3Unencrypted: {
+  name: 'Deny Unencrypted S3 Uploads';
+  description: 'Require encryption for all S3 uploads';
+  policyDocument: {
+  Version: '2012-10-17';
+  Statement: readonly [{
+  Sid: 'DenyUnencryptedS3Uploads';
+  Effect: 'Deny';
+  Action: 's3:PutObject';
+  Resource: '*';
+  Condition: {
+  StringNotEquals: {
+  's3:x-amz-server-side-encryption': readonly ['AES256', 'aws:kms']
+}
+}
+}]
+}
+}
+};
+/**
+ * Common cross-account role configurations
+ */
+export declare const COMMON_CROSS_ACCOUNT_ROLES: {
+  deploymentRole: {
+  name: 'CrossAccountDeploymentRole';
+  description: 'Role for deploying infrastructure from CI/CD';
+  permissions: readonly ['cloudformation:*', 's3:*', 'ec2:*', 'ecs:*', 'lambda:*', 'iam:GetRole', 'iam:PassRole', 'logs:*', 'events:*']
+};
+  readOnlyRole: {
+  name: 'CrossAccountReadOnlyRole';
+  description: 'Read-only access for monitoring and auditing';
+  permissions: readonly ['cloudformation:Describe*', 'cloudformation:List*', 'ec2:Describe*', 'ecs:Describe*', 'lambda:Get*', 'lambda:List*', 's3:Get*', 's3:List*', 'logs:Get*', 'logs:Describe*']
+};
+  securityAuditRole: {
+  name: 'CrossAccountSecurityAuditRole';
+  description: 'Security audit and compliance checks';
+  permissions: readonly ['iam:Get*', 'iam:List*', 'iam:Generate*', 'access-analyzer:*', 'guardduty:Get*', 'guardduty:List*', 'securityhub:Get*', 'securityhub:List*', 'config:Describe*', 'config:Get*', 'config:List*']
+};
+  breakGlassRole: {
+  name: 'CrossAccountBreakGlassRole';
+  description: 'Emergency access role (use with caution)';
+  permissions: readonly ['*']
+}
+};
+/**
+ * Account structure presets
+ */
+export declare interface AccountStructure {
+  name: string
+  description: string
+  accounts: AccountStructureDefinition[]
+  organizationalUnits?: OUDefinition[]
+}
+export declare interface AccountStructureDefinition {
+  alias: string
+  email: string
+  role: AWSAccount['role']
+  ou?: string
+  description: string
+}
+export declare interface OUDefinition {
+  name: string
+  parent?: string
+  policies?: string[]
+}

package/dist/multi-account/index.d.ts

@@ -0,0 +1,2 @@
+export * from './manager';
+export * from './config';

package/dist/multi-account/manager.d.ts

@@ -0,0 +1,100 @@
+/**
+ * Global instances
+ */
+export declare const multiAccountManager: MultiAccountManager;
+export declare const organizationManager: OrganizationManager;
+/**
+ * Multi-Account Manager
+ * Manages deployments across multiple AWS accounts
+ */
+export declare interface AWSAccount {
+  id: string
+  alias?: string
+  email: string
+  role: 'management' | 'production' | 'staging' | 'development' | 'security' | 'shared-services'
+  organizationalUnit?: string
+  assumeRoleArn?: string
+}
+export declare interface CrossAccountRole {
+  roleArn: string
+  roleName: string
+  sourceAccountId: string
+  targetAccountId: string
+  permissions: string[]
+  externalId?: string
+  sessionDuration?: number
+}
+export declare interface AccountMapping {
+  environment: string
+  accountId: string
+  region: string
+}
+export declare interface OrganizationalUnit {
+  id: string
+  name: string
+  parentId?: string
+  accounts: string[]
+}
+export declare interface ServiceControlPolicy {
+  id: string
+  name: string
+  targetId: string
+  policyDocument: any
+}
+/**
+ * Multi-account deployment manager
+ */
+export declare class MultiAccountManager {
+  private accounts: Map<string, AWSAccount>;
+  private crossAccountRoles: CrossAccountRole[];
+  private accountMappings: AccountMapping[];
+  registerAccount(account: AWSAccount): void;
+  getAccount(accountId: string): AWSAccount | undefined;
+  getAccountByAlias(alias: string): AWSAccount | undefined;
+  listAccounts(): AWSAccount[];
+  getAccountsByRole(role: AWSAccount['role']): AWSAccount[];
+  createCrossAccountRole(sourceAccountId: string, targetAccountId: string, roleName: string, permissions: string[], options?: {
+      externalId?: string
+      sessionDuration?: number
+    }): CrossAccountRole;
+  getAssumeRolePolicyDocument(sourceAccountId: string, externalId?: string): any;
+  generateCrossAccountPolicy(permissions: string[]): any;
+  mapEnvironmentToAccount(environment: string, accountId: string, region: string): void;
+  getAccountForEnvironment(environment: string): AccountMapping | undefined;
+  assumeRole(roleArn: string, sessionName: string, externalId?: string): Promise<{
+    accessKeyId: string
+    secretAccessKey: string
+    sessionToken: string
+    expiration: Date
+  }>;
+  getCredentialsForAccount(accountId: string): Promise<{
+    accessKeyId: string
+    secretAccessKey: string
+    sessionToken?: string
+  }>;
+  listCrossAccountRoles(): CrossAccountRole[];
+  getCrossAccountRolesForAccount(accountId: string): CrossAccountRole[];
+  validateAccountAccess(accountId: string): Promise<boolean>;
+  getConsolidatedBilling(): Promise<{
+    totalCost: number
+    byAccount: Record<string, number>
+  }>;
+  clear(): void;
+}
+/**
+ * AWS Organizations helper
+ */
+export declare class OrganizationManager {
+  private organizationId?: string;
+  private organizationalUnits: Map<string, OrganizationalUnit>;
+  getOrganizationId(): string | undefined;
+  setOrganizationId(id: string): void;
+  createOrganizationalUnit(name: string, parentId?: string): OrganizationalUnit;
+  getOrganizationalUnit(id: string): OrganizationalUnit | undefined;
+  listOrganizationalUnits(): OrganizationalUnit[];
+  addAccountToOU(ouId: string, accountId: string): void;
+  removeAccountFromOU(ouId: string, accountId: string): void;
+  getAccountsInOU(ouId: string): string[];
+  applyServiceControlPolicy(targetId: string, policyDocument: any): ServiceControlPolicy;
+  clear(): void;
+}

package/dist/multi-region/cross-region.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Global instances
+ */
+export declare const crossRegionReferenceManager: CrossRegionReferenceManager;
+export declare const globalResourceManager: GlobalResourceManager;
+export declare const regionPairManager: RegionPairManager;
+export declare const stackDependencyManager: StackDependencyManager;
+/**
+ * Cross-Region Resource Management
+ * Handles references and dependencies between regions
+ */
+export declare interface CrossRegionReference {
+  sourceRegion: string
+  targetRegion: string
+  resourceType: string
+  resourceId: string
+  value: string
+}
+export declare interface CrossRegionExport {
+  region: string
+  exportName: string
+  value: string
+  description?: string
+}
+/**
+ * Global resources that exist in one region but are accessible globally
+ */
+export declare interface GlobalResource {
+  type: 'cloudfront' | 'route53' | 'waf' | 'iam' | 's3-website'
+  id: string
+  region: string
+  arn: string
+  endpoint?: string
+}
+/**
+ * Region pairing for replication and failover
+ */
+export declare interface RegionPair {
+  primary: string
+  secondary: string
+  replicationConfig?: {
+    s3: boolean
+    dynamodb: boolean
+    rds: boolean
+  }
+  failoverConfig?: {
+    automatic: boolean
+    healthCheckInterval: number
+    failoverThreshold: number
+  }
+}
+/**
+ * Cross-region stack dependencies
+ */
+export declare interface StackDependency {
+  dependentStack: string
+  dependentRegion: string
+  dependsOnStack: string
+  dependsOnRegion: string
+  outputKey: string
+}
+/**
+ * Cross-region reference manager
+ */
+export declare class CrossRegionReferenceManager {
+  private references: CrossRegionReference[];
+  private exports: Map<string, CrossRegionExport[]>;
+  addExport(export_: CrossRegionExport): void;
+  getExport(region: string, exportName: string): string | undefined;
+  createReference(sourceRegion: string, targetRegion: string, resourceType: string, resourceId: string): string;
+  resolveReference(targetRegion: string, parameterName: string): Promise<string>;
+  getReferencesForRegion(region: string): CrossRegionReference[];
+  clear(): void;
+}
+/**
+ * Global resource manager
+ */
+export declare class GlobalResourceManager {
+  private resources: Map<string, GlobalResource>;
+  register(resource: GlobalResource): void;
+  get(id: string): GlobalResource | undefined;
+  getByType(type: GlobalResource['type']): GlobalResource[];
+  getCloudFrontDistributions(): GlobalResource[];
+  getRoute53HostedZones(): GlobalResource[];
+  getWAFWebACLs(): GlobalResource[];
+  remove(id: string): void;
+  clear(): void;
+}
+/**
+ * Region pair manager
+ */
+export declare class RegionPairManager {
+  private pairs: RegionPair[];
+  addPair(pair: RegionPair): void;
+  getPairedRegion(region: string): string | undefined;
+  getAllPairs(): RegionPair[];
+  getReplicatedPairs(): RegionPair[];
+  getFailoverPairs(): RegionPair[];
+  arePaired(region1: string, region2: string): boolean;
+  clear(): void;
+}
+/**
+ * Stack dependency manager
+ */
+export declare class StackDependencyManager {
+  private dependencies: StackDependency[];
+  addDependency(dependency: StackDependency): void;
+  getDependencies(stackName: string, region: string): StackDependency[];
+  getDependents(stackName: string, region: string): StackDependency[];
+  hasDependencies(stackName: string, region: string): boolean;
+  getDeploymentOrder(stacks: Array<{ name: string; region: string }>): Array<{ name: string; region: string }>;
+  detectCircularDependencies(): boolean;
+  clear(): void;
+}

package/dist/multi-region/index.d.ts

@@ -0,0 +1,3 @@
+export * from './manager';
+export * from './cross-region';
+export * from './regions';

package/dist/multi-region/manager.d.ts

@@ -0,0 +1,72 @@
+import type { CloudConfig } from '@stacksjs/ts-cloud-types';
+/**
+ * Global multi-region manager instance
+ */
+export declare const multiRegionManager: MultiRegionManager;
+export declare interface Region {
+  code: string
+  name: string
+  isPrimary?: boolean
+  weight?: number
+}
+export declare interface MultiRegionConfig {
+  regions: Region[]
+  globalResources?: {
+    route53?: boolean
+    cloudfront?: boolean
+    waf?: boolean
+  }
+  replication?: {
+    s3?: boolean
+    dynamodb?: boolean
+    secrets?: boolean
+  }
+  failover?: {
+    enabled: boolean
+    healthCheckPath?: string
+    failoverThreshold?: number
+  }
+}
+export declare interface RegionDeployment {
+  region: string
+  stackName: string
+  status: 'pending' | 'deploying' | 'deployed' | 'failed' | 'rolling-back'
+  outputs?: Record<string, string>
+  error?: string
+  startTime?: Date
+  endTime?: Date
+}
+export declare interface MultiRegionDeployment {
+  id: string
+  regions: RegionDeployment[]
+  globalResources?: Record<string, any>
+  status: 'pending' | 'deploying' | 'deployed' | 'failed' | 'rolling-back'
+  startTime: Date
+  endTime?: Date
+}
+/**
+ * Multi-region deployment manager
+ */
+export declare class MultiRegionManager {
+  private deployments: Map<string, MultiRegionDeployment>;
+  deploy(config: CloudConfig, multiRegionConfig: MultiRegionConfig): Promise<MultiRegionDeployment>;
+  private deployToRegion(config: CloudConfig, region: Region, deployment: MultiRegionDeployment): Promise<void>;
+  private deployGlobalResources(deployment: MultiRegionDeployment, config: MultiRegionConfig): Promise<void>;
+  private deployRoute53(deployment: MultiRegionDeployment, config: MultiRegionConfig): Promise<any>;
+  private deployCloudFront(deployment: MultiRegionDeployment, config: MultiRegionConfig): Promise<any>;
+  private deployWAF(deployment: MultiRegionDeployment): Promise<any>;
+  private setupReplication(deployment: MultiRegionDeployment, config: MultiRegionConfig): Promise<void>;
+  private setupS3Replication(deployment: MultiRegionDeployment): Promise<void>;
+  private setupDynamoDBReplication(deployment: MultiRegionDeployment): Promise<void>;
+  private setupSecretsReplication(deployment: MultiRegionDeployment): Promise<void>;
+  private setupFailover(deployment: MultiRegionDeployment, config: MultiRegionConfig): Promise<void>;
+  destroy(deploymentId: string): Promise<void>;
+  private destroyGlobalResources(globalResources: Record<string, any>): Promise<void>;
+  private destroyRegionStack(region: RegionDeployment): Promise<void>;
+  getDeployment(deploymentId: string): MultiRegionDeployment | undefined;
+  listDeployments(): MultiRegionDeployment[];
+  private getStackName(config: CloudConfig, region: string): string;
+  private createRegionConfig(config: CloudConfig, region: Region): CloudConfig;
+  private deployStack(stackName: string, config: CloudConfig, region: string): Promise<void>;
+  private generateDeploymentId(): string;
+}

package/dist/multi-region/regions.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Get region by code
+ */
+export declare function getRegion(code: string): RegionInfo | undefined;
+/**
+ * Get all regions
+ */
+export declare function getAllRegions(): RegionInfo[];
+/**
+ * Get regions by location
+ */
+export declare function getRegionsByLocation(location: string): RegionInfo[];
+/**
+ * Get regions with specific compliance
+ */
+export declare function getRegionsByCompliance(compliance: string): RegionInfo[];
+/**
+ * Get regions by pricing tier
+ */
+export declare function getRegionsByPricingTier(tier: 'standard' | 'reduced' | 'premium'): RegionInfo[];
+/**
+ * Validate region code
+ */
+export declare function isValidRegion(code: string): boolean;
+/**
+ * Get closest region to user location
+ */
+export declare function getClosestRegion(userLocation: {
+  continent?: string
+  country?: string
+}): RegionInfo;
+export declare function suggestRegions(requirements: RegionRequirements): RegionInfo[];
+export declare function suggestRegionPairs(primaryRegion: string): RegionPairSuggestion[];
+/**
+ * Format region for display
+ */
+export declare function formatRegion(region: RegionInfo): string;
+/**
+ * Format region list for display
+ */
+export declare function formatRegionList(regions: RegionInfo[]): string;
+/**
+ * Get region statistics
+ */
+export declare function getRegionStats(): {
+  total: number
+  byContinent: Record<string, number>
+  byPricingTier: Record<string, number>
+};
+/**
+ * AWS Region database
+ */
+export declare const AWS_REGIONS: RegionInfo[];
+/**
+ * AWS Region utilities
+ * Region selection, validation, and configuration
+ */
+export declare interface RegionInfo {
+  code: string
+  name: string
+  location: string
+  launchYear: number
+  availabilityZones: number
+  localZones?: number
+  wavelengthZones?: number
+  services: {
+    compute: boolean
+    storage: boolean
+    database: boolean
+    networking: boolean
+    ml: boolean
+    analytics: boolean
+  }
+  pricing: {
+    tier: 'standard' | 'reduced' | 'premium'
+    multiplier: number
+  }
+  compliance: string[]
+}
+/**
+ * Suggest regions based on requirements
+ */
+export declare interface RegionRequirements {
+  compliance?: string[]
+  pricingSensitive?: boolean
+  lowLatency?: boolean
+  userLocations?: string[]
+  requiredServices?: Array<keyof RegionInfo['services']>
+}
+/**
+ * Calculate region pairs for failover
+ */
+export declare interface RegionPairSuggestion {
+  primary: RegionInfo
+  secondary: RegionInfo
+  distance: number
+  sameContinent: boolean
+}