@ts-cloud/core 0.2.3 → 0.2.4

package/dist/modules/registry.d.ts

@@ -0,0 +1,189 @@
+import type { ECRRepository } from '@ts-cloud/aws-types';
+import type { EnvironmentType } from '../types';
+export interface RegistryOptions {
+    name: string;
+    slug: string;
+    environment: EnvironmentType;
+    scanOnPush?: boolean;
+    imageMutability?: 'MUTABLE' | 'IMMUTABLE';
+    encryption?: 'AES256' | 'KMS';
+    kmsKey?: string;
+    lifecyclePolicy?: LifecyclePolicyConfig;
+    tags?: Record<string, string>;
+}
+export interface LifecyclePolicyConfig {
+    maxImageCount?: number;
+    maxImageAgeDays?: number;
+    untaggedImageExpireDays?: number;
+}
+/**
+ * Registry Module - ECR Container Registry Management
+ * Provides clean API for creating and configuring ECR repositories
+ */
+export declare class Registry {
+    /**
+     * Create an ECR repository with the specified options
+     */
+    static createRepository(options: RegistryOptions): {
+        repository: ECRRepository;
+        logicalId: string;
+    };
+    /**
+     * Generate lifecycle policy from config
+     */
+    private static generateLifecyclePolicy;
+    /**
+     * Common lifecycle policy presets
+     */
+    static readonly LifecyclePolicies: {
+        /**
+         * Keep only the 10 most recent images, delete untagged after 7 days
+         */
+        production: {
+            maxImageCount: number;
+            untaggedImageExpireDays: number;
+        };
+        /**
+         * Keep only the 5 most recent images, delete untagged after 3 days
+         */
+        development: {
+            maxImageCount: number;
+            untaggedImageExpireDays: number;
+        };
+        /**
+         * Aggressive cleanup - keep 3 images, delete untagged after 1 day
+         */
+        minimal: {
+            maxImageCount: number;
+            untaggedImageExpireDays: number;
+        };
+        /**
+         * Long-term storage - keep 50 images, delete untagged after 30 days
+         */
+        archive: {
+            maxImageCount: number;
+            untaggedImageExpireDays: number;
+        };
+    };
+    /**
+     * Enable immutable tags on an existing repository
+     */
+    static enableImmutableTags(repository: ECRRepository): ECRRepository;
+    /**
+     * Enable scan on push
+     */
+    static enableScanOnPush(repository: ECRRepository): ECRRepository;
+    /**
+     * Set lifecycle policy on an existing repository
+     */
+    static setLifecyclePolicy(repository: ECRRepository, config: LifecyclePolicyConfig): ECRRepository;
+    /**
+     * Add repository policy for cross-account access
+     */
+    static addCrossAccountAccess(repository: ECRRepository, accountIds: string[]): ECRRepository;
+    /**
+     * Add repository policy for Lambda service access
+     */
+    static addLambdaAccess(repository: ECRRepository): ECRRepository;
+    /**
+     * Generate a Dockerfile for Bun-based applications
+     */
+    static generateBunDockerfile(options: {
+        baseImage?: string;
+        serverPath: string;
+        port?: number;
+        additionalDirs?: string[];
+        healthCheckEndpoint?: string;
+        nodeCompatible?: boolean;
+        envVars?: Record<string, string>;
+        buildCommands?: string[];
+        runCommand?: string;
+    }): string;
+    /**
+     * Generate Docker build commands
+     */
+    static generateDockerBuildCommands(options: {
+        repositoryUri: string;
+        tag?: string;
+        dockerfilePath?: string;
+        context?: string;
+        additionalTags?: string[];
+        buildArgs?: Record<string, string>;
+        platform?: string;
+        noCache?: boolean;
+    }): {
+        build: string;
+        tag: string[];
+        push: string[];
+        all: string[];
+    };
+    /**
+     * Generate ECR login command
+     */
+    static generateEcrLoginCommand(region: string, accountId: string): string;
+    /**
+     * Build ECR repository URI
+     */
+    static buildRepositoryUri(options: {
+        accountId: string;
+        region: string;
+        repositoryName: string;
+    }): string;
+    /**
+     * Generate image tags based on deployment info
+     */
+    static generateImageTags(options: {
+        version?: string;
+        gitSha?: string;
+        gitBranch?: string;
+        environment?: string;
+        timestamp?: boolean;
+    }): string[];
+    /**
+     * Docker deployment workflow steps
+     */
+    static readonly DeploymentWorkflow: {
+        /**
+         * Generate a complete deployment script
+         */
+        generateDeployScript: (options: {
+            region: string;
+            accountId: string;
+            repositoryName: string;
+            dockerfilePath?: string;
+            serverPath: string;
+            tags?: string[];
+        }) => string;
+        /**
+         * Generate GitHub Actions workflow for ECR deployment
+         */
+        generateGitHubActionsWorkflow: (options: {
+            region: string;
+            repositoryName: string;
+            dockerfilePath?: string;
+            ecsCluster?: string;
+            ecsService?: string;
+        }) => string;
+    };
+    /**
+     * Common Dockerfile templates
+     */
+    static readonly DockerfileTemplates: {
+        /**
+         * Minimal Bun server
+         */
+        bunServer: (serverPath: string, port?: number) => string;
+        /**
+         * Bun with build step
+         */
+        bunWithBuild: (serverPath: string, buildCommand: string, port?: number) => string;
+        /**
+         * Full-stack Bun app with static files
+         */
+        bunFullStack: (serverPath: string, port?: number) => string;
+        /**
+         * API-only Bun server
+         */
+        bunApi: (serverPath: string, port?: number) => string;
+    };
+}

package/dist/modules/search.d.ts

@@ -0,0 +1,135 @@
+/**
+ * Search Module (OpenSearch/Elasticsearch)
+ * Clean API for AWS OpenSearch Service
+ */
+import type { OpenSearchDomain } from '@ts-cloud/aws-types';
+export interface SearchDomainOptions {
+    slug: string;
+    environment: string;
+    domainName?: string;
+    engineVersion?: string;
+    instanceType?: string;
+    instanceCount?: number;
+    volumeSize?: number;
+    volumeType?: 'gp2' | 'gp3' | 'io1';
+    dedicatedMaster?: boolean;
+    dedicatedMasterType?: string;
+    dedicatedMasterCount?: number;
+    multiAz?: boolean;
+    availabilityZoneCount?: number;
+    vpc?: {
+        subnetIds: Array<string | {
+            Ref: string;
+        }>;
+        securityGroupIds: Array<string | {
+            Ref: string;
+        }>;
+    };
+    encryption?: {
+        atRest?: boolean;
+        kmsKeyId?: string | {
+            Ref: string;
+        };
+        nodeToNode?: boolean;
+    };
+    enforceHttps?: boolean;
+    tlsSecurityPolicy?: 'Policy-Min-TLS-1-0-2019-07' | 'Policy-Min-TLS-1-2-2019-07';
+    advancedSecurity?: {
+        enabled: boolean;
+        internalUserDatabase?: boolean;
+        masterUserName?: string;
+        masterUserPassword?: string;
+        masterUserArn?: string | {
+            Ref: string;
+        };
+    };
+    autoSnapshotHour?: number;
+    autoTune?: boolean;
+    tags?: Record<string, string>;
+}
+export interface AccessPolicyOptions {
+    ipAddresses?: string[];
+    iamPrincipalArns?: Array<string | {
+        Ref: string;
+    }>;
+    allowAll?: boolean;
+    vpcEndpoint?: boolean;
+}
+/**
+ * Search class for OpenSearch/Elasticsearch operations
+ */
+export declare class Search {
+    /**
+     * Create an OpenSearch domain
+     */
+    static createDomain(options: SearchDomainOptions): {
+        domain: OpenSearchDomain;
+        logicalId: string;
+    };
+    /**
+     * Create access policy for OpenSearch domain
+     */
+    static createAccessPolicy(domainArn: string | {
+        'Fn::GetAtt': [string, string];
+    }, options: AccessPolicyOptions): Record<string, any>;
+    /**
+     * Common domain configurations
+     */
+    static readonly DomainPresets: {
+        /**
+         * Development domain (small, single node)
+         */
+        development: (slug: string, environment: string) => {
+            domain: OpenSearchDomain;
+            logicalId: string;
+        };
+        /**
+         * Production domain (HA, multi-AZ)
+         */
+        production: (slug: string, environment: string, vpc?: SearchDomainOptions["vpc"]) => {
+            domain: OpenSearchDomain;
+            logicalId: string;
+        };
+        /**
+         * Cost-optimized domain (bursting workloads)
+         */
+        costOptimized: (slug: string, environment: string) => {
+            domain: OpenSearchDomain;
+            logicalId: string;
+        };
+        /**
+         * High-performance domain (analytics, large datasets)
+         */
+        highPerformance: (slug: string, environment: string, vpc: SearchDomainOptions["vpc"]) => {
+            domain: OpenSearchDomain;
+            logicalId: string;
+        };
+    };
+    /**
+     * Common instance types
+     */
+    static readonly InstanceTypes: {
+        't3.small.search': string;
+        't3.medium.search': string;
+        'm6g.large.search': string;
+        'm6g.xlarge.search': string;
+        'm6g.2xlarge.search': string;
+        'r6g.large.search': string;
+        'r6g.xlarge.search': string;
+        'r6g.2xlarge.search': string;
+        'r6g.4xlarge.search': string;
+        'c6g.large.search': string;
+        'c6g.xlarge.search': string;
+        'c6g.2xlarge.search': string;
+    };
+    /**
+     * Common engine versions
+     */
+    static readonly EngineVersions: {
+        'OpenSearch_2.11': string;
+        'OpenSearch_2.9': string;
+        'OpenSearch_2.7': string;
+        'OpenSearch_1.3': string;
+        'Elasticsearch_7.10': string;
+    };
+}

package/dist/modules/secrets.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Secrets Manager Module
+ * Clean API for AWS Secrets Manager
+ */
+import type { SecretsManagerSecret, SecretsManagerSecretTargetAttachment, SecretsManagerRotationSchedule } from '@ts-cloud/aws-types';
+export interface SecretOptions {
+    slug: string;
+    environment: string;
+    secretName?: string;
+    description?: string;
+    secretString?: string;
+    kmsKeyId?: string;
+    tags?: Record<string, string>;
+}
+export interface GeneratedSecretOptions {
+    slug: string;
+    environment: string;
+    secretName?: string;
+    description?: string;
+    excludeCharacters?: string;
+    excludeLowercase?: boolean;
+    excludeNumbers?: boolean;
+    excludePunctuation?: boolean;
+    excludeUppercase?: boolean;
+    passwordLength?: number;
+    requireEachIncludedType?: boolean;
+    kmsKeyId?: string;
+    tags?: Record<string, string>;
+}
+export interface SecretTargetAttachmentOptions {
+    slug: string;
+    environment: string;
+    secretId: string;
+    targetId: string;
+    targetType: 'AWS::RDS::DBInstance' | 'AWS::RDS::DBCluster' | 'AWS::Redshift::Cluster' | 'AWS::DocDB::DBInstance' | 'AWS::DocDB::DBCluster';
+}
+export interface SecretRotationOptions {
+    slug: string;
+    environment: string;
+    secretId: string;
+    rotationLambdaArn?: string;
+    automaticallyAfterDays?: number;
+    rotationType?: string;
+    kmsKeyArn?: string;
+    vpcSecurityGroupIds?: string;
+    vpcSubnetIds?: string;
+}
+/**
+ * Secrets Manager Module
+ */
+export declare class Secrets {
+    /**
+     * Create a secret with explicit value
+     */
+    static createSecret(options: SecretOptions): {
+        secret: SecretsManagerSecret;
+        logicalId: string;
+    };
+    /**
+     * Create a secret with auto-generated value
+     */
+    static createGeneratedSecret(options: GeneratedSecretOptions): {
+        secret: SecretsManagerSecret;
+        logicalId: string;
+    };
+    /**
+     * Create a database secret with username and password
+     */
+    static createDatabaseSecret(options: {
+        slug: string;
+        environment: string;
+        secretName?: string;
+        username: string;
+        dbname?: string;
+        engine?: string;
+        host?: string;
+        port?: number;
+        kmsKeyId?: string;
+    }): {
+        secret: SecretsManagerSecret;
+        logicalId: string;
+    };
+    /**
+     * Attach secret to RDS database for automatic rotation
+     */
+    static attachToDatabase(options: SecretTargetAttachmentOptions): {
+        attachment: SecretsManagerSecretTargetAttachment;
+        logicalId: string;
+    };
+    /**
+     * Enable automatic rotation for a secret
+     */
+    static enableRotation(options: SecretRotationOptions): {
+        rotation: SecretsManagerRotationSchedule;
+        logicalId: string;
+    };
+    /**
+     * Common secret types
+     */
+    static readonly SecretTypes: {
+        /**
+         * API key secret (32 chars, alphanumeric only)
+         */
+        apiKey: (slug: string, environment: string, serviceName: string) => {
+            secret: SecretsManagerSecret;
+            logicalId: string;
+        };
+        /**
+         * OAuth client secret (strong password)
+         */
+        oauthClientSecret: (slug: string, environment: string, clientName: string) => {
+            secret: SecretsManagerSecret;
+            logicalId: string;
+        };
+        /**
+         * JWT signing secret
+         */
+        jwtSecret: (slug: string, environment: string) => {
+            secret: SecretsManagerSecret;
+            logicalId: string;
+        };
+        /**
+         * Encryption key (base64-compatible)
+         */
+        encryptionKey: (slug: string, environment: string) => {
+            secret: SecretsManagerSecret;
+            logicalId: string;
+        };
+    };
+    /**
+     * Common rotation types for hosted rotation
+     */
+    static readonly RotationTypes: {
+        MySQLSingleUser: string;
+        MySQLMultiUser: string;
+        PostgreSQLSingleUser: string;
+        PostgreSQLMultiUser: string;
+        OracleSingleUser: string;
+        OracleMultiUser: string;
+        MariaDBSingleUser: string;
+        MariaDBMultiUser: string;
+        SQLServerSingleUser: string;
+        SQLServerMultiUser: string;
+        RedshiftSingleUser: string;
+        RedshiftMultiUser: string;
+        MongoDBSingleUser: string;
+        MongoDBMultiUser: string;
+    };
+}

package/dist/modules/security.d.ts

@@ -0,0 +1,219 @@
+import type { ACMCertificate, KMSAlias, KMSKey, WAFv2IPSet, WAFv2WebACL } from '@ts-cloud/aws-types';
+import type { EnvironmentType } from '../types';
+export interface CertificateOptions {
+    domain: string;
+    subdomains?: string[];
+    slug: string;
+    environment: EnvironmentType;
+    validationMethod?: 'DNS' | 'EMAIL';
+    hostedZoneId?: string;
+}
+export interface KmsKeyOptions {
+    description: string;
+    slug: string;
+    environment: EnvironmentType;
+    enableRotation?: boolean;
+    multiRegion?: boolean;
+}
+export interface FirewallOptions {
+    slug: string;
+    environment: EnvironmentType;
+    scope?: 'CLOUDFRONT' | 'REGIONAL';
+    defaultAction?: 'allow' | 'block';
+}
+export interface RateLimitRule {
+    name: string;
+    priority: number;
+    requestsPerWindow: number;
+    aggregateKeyType?: 'IP' | 'FORWARDED_IP';
+}
+export interface GeoBlockRule {
+    name: string;
+    priority: number;
+    countryCodes: string[];
+}
+export interface IpBlockRule {
+    name: string;
+    priority: number;
+    ipAddresses: string[];
+    ipVersion?: 'IPV4' | 'IPV6';
+}
+export interface ManagedRuleGroup {
+    name: string;
+    priority: number;
+    vendorName: string;
+    ruleName: string;
+    excludedRules?: string[];
+}
+/**
+ * Security Module - ACM, KMS, WAF Management
+ * Provides clean API for creating and configuring security resources
+ */
+export declare class Security {
+    /**
+     * Create an SSL/TLS certificate with ACM
+     */
+    static createCertificate(options: CertificateOptions): {
+        certificate: ACMCertificate;
+        logicalId: string;
+    };
+    /**
+     * Create a KMS encryption key
+     */
+    static createKmsKey(options: KmsKeyOptions): {
+        key: KMSKey;
+        alias?: KMSAlias;
+        logicalId: string;
+        aliasId?: string;
+    };
+    /**
+     * Create a WAF Web ACL
+     */
+    static createFirewall(options: FirewallOptions): {
+        webAcl: WAFv2WebACL;
+        logicalId: string;
+    };
+    /**
+     * Add rate limiting to a Web ACL
+     */
+    static setRateLimit(webAcl: WAFv2WebACL, rule: RateLimitRule): WAFv2WebACL;
+    /**
+     * Block specific countries
+     */
+    static blockCountries(webAcl: WAFv2WebACL, rule: GeoBlockRule): WAFv2WebACL;
+    /**
+     * Block specific IP addresses
+     */
+    static blockIpAddresses(webAcl: WAFv2WebACL, rule: IpBlockRule, slug: string, environment: EnvironmentType): {
+        webAcl: WAFv2WebACL;
+        ipSet: WAFv2IPSet;
+        ipSetLogicalId: string;
+    };
+    /**
+     * Add AWS Managed Rules
+     */
+    static addManagedRules(webAcl: WAFv2WebACL, rule: ManagedRuleGroup): WAFv2WebACL;
+    /**
+     * Common managed rule groups from AWS
+     */
+    static readonly ManagedRuleGroups: {
+        /**
+         * AWS Core Rule Set - protects against common threats
+         */
+        readonly CoreRuleSet: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesCommonRuleSet";
+        };
+        /**
+         * Known Bad Inputs - blocks patterns known to be invalid
+         */
+        readonly KnownBadInputs: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesKnownBadInputsRuleSet";
+        };
+        /**
+         * SQL Database - protects against SQL injection
+         */
+        readonly SqlDatabase: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesSQLiRuleSet";
+        };
+        /**
+         * Linux Operating System - protects against Linux-specific exploits
+         */
+        readonly LinuxOS: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesLinuxRuleSet";
+        };
+        /**
+         * POSIX Operating System - protects against POSIX-specific exploits
+         */
+        readonly PosixOS: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesUnixRuleSet";
+        };
+        /**
+         * Amazon IP Reputation List - blocks IPs with poor reputation
+         */
+        readonly AmazonIpReputation: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesAmazonIpReputationList";
+        };
+        /**
+         * Anonymous IP List - blocks requests from anonymizing services
+         */
+        readonly AnonymousIpList: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesAnonymousIpList";
+        };
+        /**
+         * Bot Control - protects against bots and scrapers
+         */
+        readonly BotControl: {
+            readonly vendorName: "AWS";
+            readonly ruleName: "AWSManagedRulesBotControlRuleSet";
+        };
+    };
+    /**
+     * Add path-based rate limiting
+     * Rate limit specific URL paths (e.g., login, API endpoints)
+     */
+    static setPathRateLimit(webAcl: WAFv2WebACL, rule: RateLimitRule & {
+        paths: string[];
+    }): WAFv2WebACL;
+    /**
+     * Add header-based rate limiting
+     * Useful for API key or user-based rate limiting
+     */
+    static setHeaderRateLimit(webAcl: WAFv2WebACL, rule: RateLimitRule & {
+        headerName: string;
+        headerValue?: string;
+    }): WAFv2WebACL;
+    /**
+     * Add login endpoint protection
+     * Combines rate limiting with common attack patterns
+     */
+    static protectLoginEndpoint(webAcl: WAFv2WebACL, options: {
+        loginPaths: string[];
+        priority: number;
+        requestsPerMinute?: number;
+    }): WAFv2WebACL;
+    /**
+     * Add API rate limiting
+     * Apply stricter limits on API endpoints
+     */
+    static protectApiEndpoints(webAcl: WAFv2WebACL, options: {
+        apiPaths: string[];
+        priority: number;
+        requestsPerMinute?: number;
+    }): WAFv2WebACL;
+    /**
+     * Create a comprehensive WAF with common protections
+     */
+    static createProtectedFirewall(options: {
+        slug: string;
+        environment: EnvironmentType;
+        scope?: 'CLOUDFRONT' | 'REGIONAL';
+        enableBotControl?: boolean;
+        enableRateLimiting?: boolean;
+        rateLimitPerMinute?: number;
+    }): {
+        webAcl: WAFv2WebACL;
+        logicalId: string;
+    };
+    /**
+     * Common rate limit presets
+     */
+    static readonly RateLimitPresets: {
+        /** Standard website: 2000 requests per minute per IP */
+        readonly STANDARD: 2000;
+        /** High-traffic API: 10000 requests per minute per IP */
+        readonly HIGH_TRAFFIC: 10000;
+        /** Aggressive protection: 100 requests per minute per IP */
+        readonly STRICT: 100;
+        /** Login protection: 10 requests per minute per IP */
+        readonly LOGIN: 10;
+        /** API endpoint: 100 requests per minute per IP */
+        readonly API: 100;
+    };
+}