npm - carlin - Versions diffs - 1.49.13 → 1.49.15 - Mend

carlin 1.49.13 → 1.49.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,4555 @@
+import { builtinModules, createRequire } from "node:module";
+import * as path$2 from "node:path";
+import path from "node:path";
+import * as fs$3 from "node:fs";
+import fs, { chmodSync, createReadStream, existsSync, statSync } from "node:fs";
+import yaml from "js-yaml";
+import * as esbuild from "esbuild";
+import AWS from "aws-sdk";
+import { camelCase, constantCase, kebabCase, pascalCase } from "change-case";
+import deepEqual from "deep-equal";
+import deepMerge from "deepmerge";
+import dotenv from "dotenv";
+import findUpSync from "findup-sync";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+import log from "npmlog";
+import "uglify-js";
+import "prettier";
+import git from "simple-git";
+import * as fs$2 from "fs";
+import fs$1 from "fs";
+import { CloudFormationClient, CreateStackCommand, DeleteStackCommand, DescribeStackEventsCommand, DescribeStackResourceCommand, DescribeStacksCommand, UpdateStackCommand, UpdateTerminationProtectionCommand, ValidateTemplateCommand } from "@aws-sdk/client-cloudformation";
+import { CopyObjectCommand, DeleteObjectsCommand, HeadObjectCommand, ListObjectVersionsCommand, ListObjectsV2Command, S3Client } from "@aws-sdk/client-s3";
+import { Upload } from "@aws-sdk/lib-storage";
+import { glob } from "glob";
+import mime from "mime-types";
+import * as path$1 from "path";
+import { typescriptConfig } from "@ttoss/config";
+import AdmZip from "adm-zip";
+import { spawn } from "node:child_process";
+//#region \0rolldown/runtime.js
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+//#endregion
+//#region ../read-config-file/src/loadConfig.ts
+const nodeRequire = createRequire(import.meta.url);
+const loadConfig = (entryPoint) => {
+	const filename = entryPoint.split("/").pop()?.split(".")[0];
+	const entryFileStats = fs.statSync(entryPoint, { bigint: true });
+	const entryFileVersion = `${entryFileStats.mtimeNs}-${entryFileStats.size}`;
+	const outfile = path.resolve(process.cwd(), "out", `${filename}-${entryFileVersion}.cjs`);
+	const result = esbuild.buildSync({
+		bundle: true,
+		entryPoints: [entryPoint],
+		/**
+		* ttoss packages cannot be market as external because it'd break the CI.
+		* On CI, ttoss packages point to the TS main file, not the compiled
+		* ones. See more details here https://github.com/ttoss/ttoss/issues/541.
+		*/
+		external: [],
+		format: "cjs",
+		outfile,
+		platform: "node",
+		target: "ES2021",
+		treeShaking: true
+	});
+	if (result.errors.length > 0) {
+		console.error("Error building config file: ", filename);
+		throw result.errors;
+	}
+	try {
+		const resolvedOutfile = nodeRequire.resolve(outfile);
+		delete nodeRequire.cache[resolvedOutfile];
+		const config = nodeRequire(resolvedOutfile);
+		return config.default || config.config;
+	} catch (error) {
+		console.error("Failed importing build config file: ", filename);
+		throw error;
+	}
+};
+//#endregion
+//#region ../read-config-file/src/index.ts
+const readConfigFileSync = ({ configFilePath, options }) => {
+	const extension = configFilePath.split(".").pop();
+	if (extension === "yaml" || extension === "yml") {
+		const file = fs.readFileSync(configFilePath, "utf8");
+		return yaml.load(file);
+	}
+	if (extension === "json") {
+		const file = fs.readFileSync(configFilePath, "utf8");
+		return JSON.parse(file);
+	}
+	if (extension === "js") return __require(configFilePath);
+	if (extension === "ts") {
+		let result = loadConfig(configFilePath);
+		if (typeof result === "function") result = result(options);
+		return result;
+	}
+	throw new Error("Unsupported config file extension: " + extension);
+};
+const readConfigFile = async ({ configFilePath, options }) => {
+	if (configFilePath.split(".").pop() === "ts") {
+		let result = loadConfig(configFilePath);
+		if (typeof result === "function") result = result(options);
+		result = await Promise.resolve(result);
+		return result;
+	}
+	return readConfigFileSync({
+		configFilePath,
+		options
+	});
+};
+//#endregion
+//#region src/config.ts
+const NAME = "carlin";
+const AWS_DEFAULT_REGION = "us-east-1";
+/**
+* CloudFront triggers can be only in US East (N. Virginia) Region.
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers
+*/
+const CLOUDFRONT_REGION = "us-east-1";
+/**
+* Default Node.js runtime string.
+*/
+const DEFAULT_NODE_RUNTIME = `nodejs24.x`;
+//#endregion
+//#region src/deploy/cicd/ecsTaskReportCommand.ts
+const logPrefix$20 = "cicd-ecs-task-report";
+/**
+* This method create the payload to send to Lambda ECS task report handler.
+*
+* @param param.status execution status.
+*/
+const sendEcsTaskReport = async ({ status }) => {
+	if (!process.env.ECS_TASK_REPORT_HANDLER_NAME) {
+		log.info(logPrefix$20, "ECS_TASK_REPORT_HANDLER_NAME not defined.");
+		return;
+	}
+	const lambda = new AWS.Lambda();
+	const payload = { status };
+	if (process.env.ECS_TASK_ARN) payload.ecsTaskArn = process.env.ECS_TASK_ARN;
+	if (process.env.PIPELINE_NAME) payload.pipelineName = process.env.PIPELINE_NAME;
+	await lambda.invokeAsync({
+		FunctionName: process.env.ECS_TASK_REPORT_HANDLER_NAME,
+		InvokeArgs: JSON.stringify(payload)
+	}).promise();
+	log.info(logPrefix$20, "Report sent.");
+};
+const options$7 = { status: {
+	choices: [
+		"Approved",
+		"Rejected",
+		"MainTagFound"
+	],
+	demandOption: true,
+	type: "string"
+} };
+/**
+* Used to send report to ECS Task Report Handler Lambda.
+*/
+const ecsTaskReportCommand = {
+	command: "cicd-ecs-task-report",
+	describe: false,
+	builder: (yargs) => {
+		return yargs.options(options$7);
+	},
+	handler: async (args) => {
+		return sendEcsTaskReport(args);
+	}
+};
+//#endregion
+//#region src/utils/addGroupToOptions.ts
+const addGroupToOptions = (options, group) => {
+	Object.values(options).forEach((option) => {
+		option.group = group;
+	});
+	return options;
+};
+//#endregion
+//#region src/utils/codeBuild.ts
+const logPrefix$19 = "codebuild";
+const WAIT_TIME = 10 * 1e3;
+/**
+* @param param.name name used to identify the build.
+*/
+const waitCodeBuildFinish = async ({ buildId, name }) => {
+	const codeBuild = new AWS.CodeBuild();
+	let result;
+	const checkIfBuildIsFinished = async () => {
+		const { builds } = await codeBuild.batchGetBuilds({ ids: [buildId] }).promise();
+		return new Promise((resolve, reject) => {
+			setTimeout(() => {
+				const executedBuild = builds?.find(({ id }) => {
+					return id === buildId;
+				});
+				log.info(logPrefix$19, `Build status of ${name || buildId}: ${executedBuild?.buildStatus}`);
+				if (executedBuild && executedBuild.currentPhase === "COMPLETED") {
+					if (executedBuild.buildStatus === "SUCCEEDED") resolve(executedBuild);
+					else if (["FAILED", "FAILURE"].includes(executedBuild.buildStatus || "")) reject(/* @__PURE__ */ new Error(`Cannot execute build ${buildId}.`));
+				}
+				resolve(void 0);
+			}, WAIT_TIME);
+		});
+	};
+	while (!result) result = await checkIfBuildIsFinished();
+	return result;
+};
+const startCodeBuildBuild = async ({ projectName }) => {
+	const { build } = await new AWS.CodeBuild().startBuild({ projectName }).promise();
+	if (!build) throw new Error(`Cannot start ${projectName} build`);
+	return build;
+};
+//#endregion
+//#region src/utils/environmentVariables.ts
+const cache = /* @__PURE__ */ new Map();
+const getEnvVar = (key) => {
+	return cache.has(key) && cache.get(key) ? cache.get(key) : void 0;
+};
+const setEnvVar = (key, value) => {
+	if (!value) return cache.delete(key);
+	return cache.set(key, value);
+};
+//#endregion
+//#region src/utils/exec.ts
+log.heading = "exec";
+//#endregion
+//#region src/utils/getAwsAccountId.ts
+const getAwsAccountId = async () => {
+	const { Account } = await new AWS.STS().getCallerIdentity().promise();
+	return Account;
+};
+/**
+* Git current branch is used to determine the name of the stack when deploying
+* resources. If we provide a `CARLIN_BRANCH` through `process.env` or by
+* options, these values will be used instead of Git current branch. Example:
+*
+* ```
+* CARLIN_BRANCH=branch-name carlin deploy --destroy
+* carlin deploy --destroy --branch=branch-name
+* ```
+*
+* This parameters is useful when you need to delete a deployment related to
+* some branch but such branch has already beed deleted.
+*/
+const getCurrentBranch = async () => {
+	try {
+		if (getEnvVar("BRANCH")) return getEnvVar("BRANCH");
+		const { current } = await git().branch();
+		return current || "";
+	} catch (err) {
+		return "";
+	}
+};
+//#endregion
+//#region src/utils/getEnvironment.ts
+const getEnvironment = () => {
+	return getEnvVar("ENVIRONMENT");
+};
+//#endregion
+//#region src/utils/getIamPath.ts
+const getIamPath = () => `/${NAME}/`;
+//#endregion
+//#region src/utils/packageJson.ts
+const readPackageJson = () => {
+	const packageJsonDir = findUpSync("package.json");
+	if (!packageJsonDir) return {};
+	return JSON.parse(fs$1.readFileSync(packageJsonDir).toString());
+};
+const getPackageJsonProperty = ({ property }) => {
+	try {
+		return readPackageJson()[property];
+	} catch {
+		return "";
+	}
+};
+const getPackageName = () => {
+	return getPackageJsonProperty({ property: "name" });
+};
+const getPackageVersion = () => {
+	return getPackageJsonProperty({ property: "version" });
+};
+//#endregion
+//#region src/utils/getProjectName.ts
+/**
+* This variable is used to determine the name of the whole project. If the
+* project is a monorepo, the project name is considered as the
+* [scope](https://docs.npmjs.com/cli/v7/using-npm/scope) of the `package.json`
+* name property. If isn't a monorepo, is considered the package name.
+*
+* This variable is used to set some properties on CloudFormation tags and
+* defining the name of some stacks, for instance, the CICD stack.
+*/
+const getProjectName = () => {
+	if (getEnvVar("PROJECT")) return getEnvVar("PROJECT");
+	const name = getPackageName();
+	/**
+	* This case happens when user executes `carlin` outside of project.
+	* Even commands like `carlin --help` raise an error.
+	*/
+	if (!name) return "";
+	try {
+		return pascalCase(name.split(/[@/]/)[1]);
+	} catch (err) {
+		return pascalCase(name);
+	}
+};
+//#endregion
+//#region src/utils/spawn.ts
+log.heading = "exec";
+//#endregion
+//#region src/deploy/addDefaults.cloudformation.ts
+const addDefaultsParametersAndTagsToParams = async (params) => {
+	const branchName = await getCurrentBranch();
+	const environment = await getEnvironment();
+	const packageName = await getPackageName();
+	const packageVersion = await getPackageVersion();
+	const projectName = await getProjectName();
+	/**
+	* https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html
+	*/
+	const tagValuePattern = /[^a-zA-Z0-9_.:/=+\-@]/g;
+	return {
+		...params,
+		Parameters: [
+			...params.Parameters || [],
+			...environment ? [{
+				ParameterKey: "Environment",
+				ParameterValue: environment
+			}] : [],
+			{
+				ParameterKey: "Project",
+				ParameterValue: projectName
+			}
+		],
+		Tags: [
+			...params.Tags || [],
+			{
+				Key: "Branch",
+				Value: branchName
+			},
+			...environment ? [{
+				Key: "Environment",
+				Value: environment
+			}] : [],
+			{
+				Key: "Package",
+				Value: packageName
+			},
+			{
+				Key: "Project",
+				Value: projectName
+			},
+			{
+				Key: "Version",
+				Value: packageVersion
+			}
+		].filter(({ Value }) => {
+			return !!Value;
+		}).map(({ Key, Value }) => {
+			return {
+				Key,
+				Value: Value.replace(tagValuePattern, "")
+			};
+		})
+	};
+};
+const addDefaultParametersToTemplate = async (template) => {
+	const [environment, projectName] = await Promise.all([getEnvironment(), getProjectName()]);
+	const newParameters = { Project: {
+		Default: projectName,
+		Type: "String"
+	} };
+	if (environment) newParameters.Environment = {
+		Default: environment,
+		Type: "String"
+	};
+	template.Parameters = {
+		...newParameters,
+		...template.Parameters
+	};
+};
+const addLogGroupToResources = (template) => {
+	const { Resources } = template;
+	const resourcesEntries = Object.entries(Resources);
+	for (const [key, resource] of resourcesEntries) if (["AWS::Lambda::Function", "AWS::Serverless::Function"].includes(resource.Type)) {
+		if (!resourcesEntries.find(([, resource2]) => {
+			return JSON.stringify(resource2.Properties?.LogGroupName?.["Fn::Join"] || "").includes(key);
+		})) Resources[`${key}LogsLogGroup`] = {
+			Type: "AWS::Logs::LogGroup",
+			DeletionPolicy: "Delete",
+			Properties: {
+				LogGroupName: { "Fn::Join": ["/", ["/aws/lambda", { Ref: key }]] },
+				RetentionInDays: 14
+			}
+		};
+	}
+};
+const addEnvironmentsToLambdaResources = async (template) => {
+	const environment = getEnvironment();
+	const { Resources } = template;
+	const resourcesEntries = Object.entries(Resources);
+	for (const [, resource] of resourcesEntries) if (resource.Type === "AWS::Lambda::Function") {
+		if (!resource.Properties) resource.Properties = {};
+		/**
+		* Lambda@Edege does not support environment variables.
+		* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-lambda-function-configuration
+		* Then every function that has "Lambda@Edge" in its description will not
+		* have the variables passed to Environment.Variables.
+		*/
+		if ((resource.Properties.Description || "").includes("Lambda@Edge")) continue;
+		if (!environment) continue;
+		if (!resource.Properties.Environment) resource.Properties.Environment = {};
+		if (!resource.Properties.Environment.Variables) resource.Properties.Environment.Variables = {};
+		resource.Properties.Environment.Variables.ENVIRONMENT = environment;
+	}
+};
+const CRITICAL_RESOURCES_TYPES = ["AWS::Cognito::UserPool", "AWS::DynamoDB::Table"];
+/**
+* Generally, critical resources are those that contain user data, such as
+* Amazon Cognito user pools or DynamoDB tables. If you delete these resources,
+* you might lose user data that cannot be recovered.
+*/
+const addRetainToCriticalResources = async (template) => {
+	const environment = getEnvironment();
+	for (const [, resource] of Object.entries(template.Resources)) if (CRITICAL_RESOURCES_TYPES.includes(resource.Type)) {
+		if (!resource.DeletionPolicy && environment) resource.DeletionPolicy = "Retain";
+	}
+};
+/**
+* Base URL for the AWS AppSync Console page.
+* Format: https://console.aws.amazon.com/appsync/home?region=<region>#/<apiId>/v1/home
+*/
+const AWS_APPSYNC_CONSOLE_BASE_URL = "https://console.aws.amazon.com/appsync/home?region=";
+const addAppSyncApiOutputs = async (template) => {
+	for (const [key, resource] of Object.entries(template.Resources)) if (resource.Type === "AWS::AppSync::GraphQLApi") template.Outputs = {
+		AppSyncApiArn: {
+			Description: `Automatically added by ${NAME}`,
+			Value: { "Fn::GetAtt": [key, "Arn"] }
+		},
+		AppSyncConsoleUrl: {
+			Description: `Automatically added by ${NAME}`,
+			Value: { "Fn::Join": ["", [
+				AWS_APPSYNC_CONSOLE_BASE_URL,
+				{ Ref: "AWS::Region" },
+				"#/",
+				{ "Fn::GetAtt": [key, "ApiId"] },
+				"/v1/home"
+			]] }
+		},
+		...template.Outputs
+	};
+};
+const addDefaults = async ({ params, template }) => {
+	const newTemplate = JSON.parse(JSON.stringify(template));
+	await addDefaultParametersToTemplate(newTemplate);
+	await addLogGroupToResources(newTemplate);
+	await addEnvironmentsToLambdaResources(newTemplate);
+	await addAppSyncApiOutputs(newTemplate);
+	await addRetainToCriticalResources(newTemplate);
+	return {
+		params: await addDefaultsParametersAndTagsToParams(params),
+		template: newTemplate
+	};
+};
+//#endregion
+//#region src/deploy/baseStack/config.ts
+const pascalCaseName = pascalCase(NAME);
+const BASE_STACK_NAME = `${pascalCaseName}BaseStack`;
+const BASE_STACK_BUCKET_TEMPLATES_FOLDER = "cloudformation-templates";
+/**
+* S3 Bucket.
+*/
+const BASE_STACK_BUCKET_LOGICAL_NAME = `${pascalCaseName}Bucket`;
+const BASE_STACK_BUCKET_NAME_EXPORTED_NAME = `${pascalCaseName}BucketNameExportedName`;
+/**
+* CloudFront.
+*/
+const BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_LOGICAL_NAME = `${pascalCaseName}CloudFrontFunctionAppendIndexHtml`;
+const BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_ARN = `${pascalCaseName}CloudFrontFunctionAppendIndexHtmlArn`;
+const BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_ARN_EXPORTED_NAME = `${pascalCaseName}CloudFrontFunctionAppendIndexHtmlArnExportedName`;
+/**
+* Lambda image builder.
+*/
+const BASE_STACK_LAMBDA_IMAGE_BUILDER_LOGICAL_NAME = `${pascalCaseName}LambdaImageBuilder`;
+const BASE_STACK_LAMBDA_IMAGE_BUILDER_EXPORTED_NAME = `${pascalCaseName}LambdaImageBuilderExportedName`;
+/**
+* Lambda layer builder.
+*/
+const BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME = `${pascalCaseName}LambdaLayerBuilder`;
+/**
+* VPC
+*/
+const BASE_STACK_VPC_ID_EXPORTED_NAME = `${pascalCaseName}VPCIDExportedName`;
+const BASE_STACK_VPC_DEFAULT_SECURITY_GROUP_EXPORTED_NAME = `${pascalCaseName}DefaultSecurityGroupExportedName`;
+const BASE_STACK_VPC_PUBLIC_SUBNET_0_EXPORTED_NAME = `${pascalCaseName}VPCPublicSubnet0ExportedName`;
+const BASE_STACK_VPC_PUBLIC_SUBNET_1_EXPORTED_NAME = `${pascalCaseName}VPCPublicSubnet1ExportedName`;
+const BASE_STACK_VPC_PUBLIC_SUBNET_2_EXPORTED_NAME = `${pascalCaseName}VPCPublicSubnet2ExportedName`;
+//#endregion
+//#region src/deploy/baseStack/getBaseStackResource.ts
+const getBaseStackOutput = async (outputKey) => {
+	return (await getStackOutput({
+		stackName: BASE_STACK_NAME,
+		outputKey
+	})).OutputValue;
+};
+const resourcesKeys = {
+	BASE_STACK_BUCKET_LOGICAL_NAME,
+	BASE_STACK_LAMBDA_IMAGE_BUILDER_LOGICAL_NAME,
+	BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME
+};
+const resources = {};
+const getBaseStackResource = async (resource) => {
+	if (!resources[resource]) resources[resource] = await getBaseStackOutput(resourcesKeys[resource]);
+	return resources[resource];
+};
+//#endregion
+//#region src/deploy/config.ts
+/**
+* Besides saving the deploy information in the `$STACK_NAME.json` file,
+* we also save in a "latest-deploy.json" file to be used by tests and other
+* packages that need to know the latest deploy information.
+*/
+const LATEST_DEPLOY_OUTPUTS_FILENAME = "latest-deploy.json";
+//#endregion
+//#region src/deploy/s3.ts
+const logPrefix$18 = "s3";
+/**
+* S3 client cache to avoid creating multiple clients.
+* Each client is created with different parameters.
+*/
+const s3Clients = {};
+const s3 = () => {
+	const s3ClientConfig = { region: getEnvVar("REGION") };
+	const key = JSON.stringify(s3ClientConfig);
+	if (!s3Clients[key]) s3Clients[key] = new S3Client(s3ClientConfig);
+	return s3Clients[key];
+};
+const getBucketKeyUrl = ({ bucket, key }) => {
+	return `https://s3.amazonaws.com/${bucket}/${key}`;
+};
+const uploadFileToS3 = async ({ bucket, contentType, file, filePath, key }) => {
+	if (!file && !filePath) throw new Error("file or filePath must be defined");
+	const params = {
+		Bucket: bucket,
+		Key: key.split(path.sep).join("/")
+	};
+	if (file) {
+		params.ContentType = contentType;
+		params.Body = file;
+	} else if (filePath) {
+		const readFile = await fs.promises.readFile(filePath);
+		params.ContentType = contentType || mime.contentType(path.extname(filePath)) || void 0;
+		params.Body = Buffer.from(readFile);
+	}
+	const result = await new Upload({
+		client: s3(),
+		params
+	}).done();
+	return {
+		bucket: result.Bucket,
+		key: result.Key,
+		versionId: result.VersionId,
+		url: getBucketKeyUrl({
+			bucket: result.Bucket,
+			key: result.Key
+		})
+	};
+};
+/**
+* Get all files inside $directory.
+*/
+const getAllFilesInsideADirectory = async ({ directory }) => {
+	return (await glob(`${directory}/**/*`)).filter((item) => {
+		return fs.lstatSync(item).isFile();
+	});
+};
+/**
+* Docusaurus 2 has a 404.html file in the root of the build folder. This
+* function copies it to 404/index.html so that it can be served by S3 and
+* CloudFront.
+*/
+const copyRoot404To404Index = async ({ bucket }) => {
+	try {
+		const headCommand = new HeadObjectCommand({
+			Bucket: bucket,
+			Key: "404.html"
+		});
+		if (await s3().send(headCommand).catch(() => {
+			return false;
+		})) {
+			const copyCommand = new CopyObjectCommand({
+				Bucket: bucket,
+				CopySource: `${bucket}/404.html`,
+				Key: "404/index.html"
+			});
+			await s3().send(copyCommand);
+		}
+	} catch (error) {
+		log.error(logPrefix$18, `Cannot copy 404.html to 404/index.html`);
+		throw error;
+	}
+};
+const uploadDirectoryToS3 = async ({ bucket, bucketKey = "", directory }) => {
+	log.info(logPrefix$18, `Uploading directory ${directory}/ to ${bucket}/${bucketKey}...`);
+	const allFiles = await getAllFilesInsideADirectory({ directory });
+	/**
+	* If the folder has no files (the folder name may be wrong), thrown an
+	* error. Discovered at #16 https://github.com/ttoss/carlin/issues/16.
+	*/
+	if (allFiles.length === 0) throw new Error(`Directory ${directory}/ has no files.`);
+	const numberOfGroups = Math.ceil(allFiles.length / 63);
+	/**
+	* Divide all files and create "numberOfGroups" groups of files whose max
+	* length is GROUP_MAX_LENGTH.
+	*/
+	const aoaOfFiles = allFiles.reduce((acc, file, index) => {
+		const groupIndex = index % numberOfGroups;
+		if (!acc[groupIndex]) acc[groupIndex] = [];
+		acc[index % numberOfGroups].push(file);
+		return acc;
+	}, []);
+	for (const [index, groupOfFiles] of aoaOfFiles.entries()) {
+		log.info(logPrefix$18, `Uploading group ${index + 1}/${aoaOfFiles.length}...`);
+		await Promise.all(groupOfFiles.map((file) => {
+			return uploadFileToS3({
+				bucket,
+				key: path.join(bucketKey, path.relative(directory, file)),
+				filePath: file
+			});
+		}));
+	}
+};
+const emptyS3Directory = async ({ bucket, directory = "" }) => {
+	log.info(logPrefix$18, `${bucket}/${directory} will be empty`);
+	try {
+		const listCommand = new ListObjectsV2Command({
+			Bucket: bucket,
+			Prefix: directory
+		});
+		const { Contents, IsTruncated } = await s3().send(listCommand);
+		if (Contents && Contents.length > 0) {
+			/**
+			* Get object versions
+			*/
+			const objectsPromises = Contents.filter(({ Key }) => {
+				return !!Key;
+			}).map(async ({ Key }) => {
+				const listVersionsCommand = new ListObjectVersionsCommand({
+					Bucket: bucket,
+					Prefix: Key
+				});
+				const { Versions = [] } = await s3().send(listVersionsCommand);
+				return {
+					Key,
+					Versions: Versions.map(({ VersionId }) => {
+						return VersionId || void 0;
+					})
+				};
+			});
+			const objectsWithVersionsIds = (await Promise.all(objectsPromises)).reduce((acc, { Key, Versions }) => {
+				const objectWithVersionsIds = Versions.map((VersionId) => {
+					return {
+						Key,
+						VersionId
+					};
+				});
+				return [...acc, ...objectWithVersionsIds];
+			}, []);
+			/**
+			* Batch delete operations in groups of 1000 (AWS limit)
+			* https://stackoverflow.com/a/61474768
+			*/
+			const BATCH_SIZE = 1e3;
+			for (let i = 0; i < objectsWithVersionsIds.length; i += BATCH_SIZE) {
+				const deleteCommand = new DeleteObjectsCommand({
+					Bucket: bucket,
+					Delete: { Objects: objectsWithVersionsIds.slice(i, i + BATCH_SIZE) }
+				});
+				const result = await s3().send(deleteCommand);
+				if (result.Errors && result.Errors.length > 0) {
+					const firstError = result.Errors[0];
+					throw new Error(`Error deleting objects from ${bucket}/${directory}: ${JSON.stringify(firstError)}`);
+				}
+			}
+		}
+		/**
+		* Truncated is files that exists but weren't listed from S3 API.
+		*/
+		if (IsTruncated) await emptyS3Directory({
+			bucket,
+			directory
+		});
+		log.info(logPrefix$18, `${bucket}/${directory} is empty.`);
+	} catch (error) {
+		log.error(logPrefix$18, `Cannot empty ${bucket}/${directory}.`);
+		throw error;
+	}
+};
+/**
+* Delete old S3 files based on retention period.
+* Files older than the specified number of days will be deleted.
+*/
+const deleteOldS3Files = async ({ bucket, continuationToken, directory = "", retentionDays, totalDeleted = 0 }) => {
+	if (!continuationToken) log.info(logPrefix$18, `Deleting files older than ${retentionDays} days from ${bucket}/${directory}...`);
+	try {
+		const listCommand = new ListObjectsV2Command({
+			Bucket: bucket,
+			Prefix: directory,
+			ContinuationToken: continuationToken
+		});
+		const { Contents, IsTruncated, NextContinuationToken } = await s3().send(listCommand);
+		let deletedCount = 0;
+		if (Contents && Contents.length > 0) {
+			const now = /* @__PURE__ */ new Date();
+			const retentionMs = retentionDays * 24 * 60 * 60 * 1e3;
+			const oldFiles = Contents.filter(({ Key, LastModified }) => {
+				if (!Key || !LastModified) return false;
+				return now.getTime() - LastModified.getTime() > retentionMs;
+			}).map(({ Key }) => {
+				return Key;
+			});
+			if (oldFiles.length > 0) {
+				/**
+				* Batch delete operations in groups of 1000 (AWS limit)
+				*/
+				const BATCH_SIZE = 1e3;
+				for (let i = 0; i < oldFiles.length; i += BATCH_SIZE) {
+					const deleteCommand = new DeleteObjectsCommand({
+						Bucket: bucket,
+						Delete: { Objects: oldFiles.slice(i, i + BATCH_SIZE).map((Key) => {
+							return { Key };
+						}) }
+					});
+					const result = await s3().send(deleteCommand);
+					if (result.Errors && result.Errors.length > 0) {
+						const firstError = result.Errors[0];
+						throw new Error(`Error deleting old files from ${bucket}/${directory}: ${JSON.stringify(firstError)}`);
+					}
+				}
+				deletedCount = oldFiles.length;
+			}
+		}
+		/**
+		* Handle pagination if results were truncated
+		*/
+		if (IsTruncated && NextContinuationToken) return await deleteOldS3Files({
+			bucket,
+			continuationToken: NextContinuationToken,
+			directory,
+			retentionDays,
+			totalDeleted: totalDeleted + deletedCount
+		});
+		const finalTotal = totalDeleted + deletedCount;
+		if (finalTotal === 0) log.info(logPrefix$18, `No files older than ${retentionDays} days found in ${bucket}/${directory}`);
+		else log.info(logPrefix$18, `Deleted ${finalTotal} old files from ${bucket}/${directory}`);
+		return finalTotal;
+	} catch (error) {
+		log.error(logPrefix$18, `Cannot delete old files from ${bucket}/${directory}.`);
+		throw error;
+	}
+};
+//#endregion
+//#region src/deploy/cloudformation.core.ts
+const logPrefix$17 = "cloudformation";
+log.addLevel("event", 1e4, { fg: "yellow" });
+log.addLevel("output", 1e4, { fg: "blue" });
+/**
+* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html
+*/
+const TEMPLATE_BODY_MAX_SIZE = 51200;
+const isTemplateBodyGreaterThanMaxSize = (template) => {
+	return Buffer.byteLength(JSON.stringify(template), "utf8") >= TEMPLATE_BODY_MAX_SIZE;
+};
+/**
+* Update CloudFormation template to base stack bucket.
+* @param input.stackName: CloudFormation stack name.
+* @param input.template: CloudFormation template.
+*/
+const uploadTemplateToBaseStackBucket = async ({ stackName, template }) => {
+	const { url } = await uploadFileToS3({
+		bucket: await getBaseStackResource("BASE_STACK_BUCKET_LOGICAL_NAME"),
+		contentType: "application/json",
+		key: `${BASE_STACK_BUCKET_TEMPLATES_FOLDER}/${stackName}.json`,
+		file: Buffer.from(JSON.stringify(template, null, 2))
+	});
+	return { url };
+};
+/**
+* CloudFormation client cache to avoid creating multiple clients.
+* Each client is created with different parameters.
+*/
+const cloudFormationClients = {};
+const cloudformation = () => {
+	const cloudFormationClientConfig = {
+		apiVersion: "2010-05-15",
+		region: getEnvVar("REGION")
+	};
+	const key = JSON.stringify(cloudFormationClientConfig);
+	if (!cloudFormationClients[key]) cloudFormationClients[key] = new CloudFormationClient({
+		apiVersion: "2010-05-15",
+		region: getEnvVar("REGION")
+	});
+	return cloudFormationClients[key];
+};
+const cloudFormationV2 = () => {
+	return new AWS.CloudFormation({ apiVersion: "2010-05-15" });
+};
+const describeStacks = async ({ stackName } = {}) => {
+	const { Stacks } = await cloudformation().send(new DescribeStacksCommand({ StackName: stackName }));
+	return Stacks;
+};
+const describeStackResource = async (input) => {
+	return cloudformation().send(new DescribeStackResourceCommand(input));
+};
+const doesStackExist = async ({ stackName }) => {
+	log.info(logPrefix$17, `Checking if stack ${stackName} already exists...`);
+	try {
+		await describeStacks({ stackName });
+		log.info(logPrefix$17, `Stack ${stackName} already exists.`);
+		return true;
+	} catch (error) {
+		if (error.Code === "ValidationError") {
+			log.info(logPrefix$17, `Stack ${stackName} does not exist.`);
+			return false;
+		}
+		throw error;
+	}
+};
+const describeStackEvents = async ({ stackName }) => {
+	log.error(logPrefix$17, "Stack events:");
+	const { StackEvents } = await cloudformation().send(new DescribeStackEventsCommand({ StackName: stackName }));
+	const events = (StackEvents || []).filter(({ Timestamp }) => {
+		return Date.now() - Number(Timestamp) < 600 * 1e3;
+	}).filter(({ ResourceStatusReason }) => {
+		return ResourceStatusReason;
+	}).reverse();
+	for (const { LogicalResourceId, ResourceStatusReason } of events) log.event(LogicalResourceId, ResourceStatusReason);
+	return events;
+};
+const describeStack = async ({ stackName }) => {
+	const stacks = await describeStacks({ stackName });
+	if (!stacks) throw new Error(`Stack ${stackName} not found and cannot be described.`);
+	return stacks[0];
+};
+const getStackOutput = async ({ stackName, outputKey }) => {
+	const { Outputs = [] } = await describeStack({ stackName });
+	const output = Outputs?.find(({ OutputKey }) => {
+		return OutputKey === outputKey;
+	});
+	if (!output) throw new Error(`Output ${outputKey} doesn't exist on ${stackName} stack`);
+	return output;
+};
+const saveEnvironmentOutput = async ({ outputs, stackName }) => {
+	const envFile = {
+		stackName,
+		environment: getEnvironment(),
+		projectName: getProjectName(),
+		packageName: getPackageName()
+	};
+	envFile.outputs = outputs.reduce((acc, output) => {
+		if (!output.OutputKey || !output) return acc;
+		return {
+			...acc,
+			[output.OutputKey]: output
+		};
+	}, {});
+	const dotCarlinFolderPath = path$2.join(process.cwd(), ".carlin");
+	if (!fs$3.existsSync(dotCarlinFolderPath)) await fs$3.promises.mkdir(dotCarlinFolderPath);
+	const filePath = path$2.join(dotCarlinFolderPath, `${stackName}.json`);
+	await fs$3.promises.writeFile(filePath, JSON.stringify(envFile, null, 2));
+	const latestFilePath = path$2.join(dotCarlinFolderPath, LATEST_DEPLOY_OUTPUTS_FILENAME);
+	await fs$3.promises.writeFile(latestFilePath, JSON.stringify(envFile, null, 2));
+};
+/**
+* After deployment, Carlin prints the outputs defined in your CloudFormation
+* template and saves them in two files:
+*
+* 1. `.carlin/$STACK_NAME.json` file.
+* 1. `.carlin/latest-deploy.json` file.
+*
+* _Note: The `.carlin` folder is created in the root of your project._
+*
+* The `latest-deploy.json` file is used by tests and other packages that need
+* to access the outputs of the last deployment, but don't have access to the
+* stack name. It's useful for end-to-end tests that need to access the outputs
+* of the last deployment and test the application.
+*/
+const printStackOutputsAfterDeploy = async ({ stackName }) => {
+	const { EnableTerminationProtection, StackName, Outputs = [] } = await describeStack({ stackName });
+	await saveEnvironmentOutput({
+		stackName,
+		outputs: Outputs
+	});
+	log.output("Describe Stack");
+	log.output("StackName", StackName);
+	log.output("EnableTerminationProtection", EnableTerminationProtection);
+	for (const { OutputKey, OutputValue, Description, ExportName } of Outputs) log.output(`${OutputKey}`, [
+		"",
+		`OutputKey: ${OutputKey}`,
+		`OutputValue: ${OutputValue}`,
+		`Description: ${Description}`,
+		`ExportName: ${ExportName}`,
+		""
+	].join("\n"));
+};
+const deleteStack = async ({ stackName }) => {
+	log.info(logPrefix$17, `Deleting stack ${stackName}...`);
+	await cloudformation().send(new DeleteStackCommand({ StackName: stackName }));
+	try {
+		await cloudFormationV2().waitFor("stackDeleteComplete", { StackName: stackName }).promise();
+	} catch (error) {
+		log.error(logPrefix$17, `An error occurred when deleting stack ${stackName}.`);
+		await describeStackEvents({ stackName });
+		throw error;
+	}
+	log.info(logPrefix$17, `Stack ${stackName} deleted.`);
+};
+const createStack = async ({ params }) => {
+	const { StackName: stackName = "" } = params;
+	log.info(logPrefix$17, `Creating stack ${stackName}...`);
+	await cloudformation().send(new CreateStackCommand(params));
+	try {
+		await cloudFormationV2().waitFor("stackCreateComplete", { StackName: stackName }).promise();
+	} catch (error) {
+		log.error(logPrefix$17, `An error occurred when creating stack ${stackName}.`);
+		await describeStackEvents({ stackName });
+		await deleteStack({ stackName });
+		throw error;
+	}
+	log.info(logPrefix$17, `Stack ${stackName} was created.`);
+};
+const updateStack = async ({ params }) => {
+	const { StackName: stackName = "" } = params;
+	log.info(logPrefix$17, `Updating stack ${stackName}...`);
+	try {
+		await cloudformation().send(new UpdateStackCommand(params));
+		await cloudFormationV2().waitFor("stackUpdateComplete", { StackName: stackName }).promise();
+	} catch (error) {
+		if (error.message === "No updates are to be performed.") {
+			log.info(logPrefix$17, error.message);
+			return;
+		}
+		log.error(logPrefix$17, "An error occurred when updating stack.");
+		await describeStackEvents({ stackName });
+		throw error;
+	}
+	log.info(logPrefix$17, `Stack ${stackName} was updated.`);
+};
+const enableTerminationProtection = async ({ stackName }) => {
+	log.info(logPrefix$17, `Enabling termination protection...`);
+	try {
+		await cloudformation().send(new UpdateTerminationProtectionCommand({
+			EnableTerminationProtection: true,
+			StackName: stackName
+		}));
+	} catch (error) {
+		log.error(logPrefix$17, "An error occurred when enabling termination protection");
+		throw error;
+	}
+};
+[
+	"ts",
+	"js",
+	"yaml",
+	"yml",
+	"json"
+].map((extension) => {
+	return `src/cloudformation.${extension}`;
+});
+/**
+* 1. Add defaults to CloudFormation template and parameters.
+* 1. Check is CloudFormation template body is greater than max size limit.
+*  1. If is greater, upload to S3 base stack.
+* 1. If stack exists, update the stack, else create a new stack.
+* 1. If `terminationProtection` option is true or `environment` is defined,
+* then stack termination protection will be enabled.
+*/
+const deploy = async ({ terminationProtection = false, ...paramsAndTemplate }) => {
+	const { params, template } = await addDefaults(paramsAndTemplate);
+	const stackName = params.StackName;
+	if (!stackName) throw new Error("StackName is required");
+	delete params.TemplateBody;
+	delete params.TemplateURL;
+	if (isTemplateBodyGreaterThanMaxSize(template)) {
+		const { url } = await uploadTemplateToBaseStackBucket({
+			stackName,
+			template
+		});
+		params.TemplateURL = url;
+	} else params.TemplateBody = JSON.stringify(template);
+	/**
+	* CAPABILITY_AUTO_EXPAND allows serverless transform.
+	*/
+	params.Capabilities = [
+		"CAPABILITY_AUTO_EXPAND",
+		"CAPABILITY_IAM",
+		"CAPABILITY_NAMED_IAM"
+	];
+	if (await doesStackExist({ stackName })) await updateStack({ params });
+	else await createStack({ params });
+	if (terminationProtection || !!getEnvironment()) await enableTerminationProtection({ stackName });
+	await printStackOutputsAfterDeploy({ stackName });
+	return describeStack({ stackName });
+};
+const canDestroyStack = async ({ stackName }) => {
+	const { EnableTerminationProtection } = await describeStack({ stackName });
+	if (EnableTerminationProtection) return false;
+	return true;
+};
+const validateTemplate = async ({ stackName, template }) => {
+	const validateTemplateCommandInput = {};
+	if (isTemplateBodyGreaterThanMaxSize(template)) {
+		const { url } = await uploadTemplateToBaseStackBucket({
+			stackName,
+			template
+		});
+		validateTemplateCommandInput.TemplateURL = url;
+	} else validateTemplateCommandInput.TemplateBody = JSON.stringify(template);
+	await cloudformation().send(new ValidateTemplateCommand(validateTemplateCommandInput));
+};
+//#endregion
+//#region src/deploy/stackName.ts
+/**
+* Used by CLI set stack name when it is defined.
+*/
+const setPreDefinedStackName = (stackName) => {
+	setEnvVar("STACK_NAME", stackName);
+};
+const limitStackName = (stackName) => {
+	return `${stackName}`.substring(0, 100);
+};
+/**
+* Sanitizes a stack name to satisfy the CloudFormation constraint:
+* `[a-zA-Z][-a-zA-Z0-9]*`
+*
+* Steps:
+* 1. Normalize Unicode (NFKD) to decompose accented characters (e.g. ç → c + combining cedilla).
+* 2. Strip combining diacritical marks so the base letters remain.
+* 3. Replace any remaining characters that are not letters, digits, or hyphens with a hyphen.
+* 4. Collapse consecutive hyphens into a single hyphen.
+* 5. Strip leading and trailing hyphens.
+* 6. If the result is empty, use `Stack` as a fallback.
+* 7. If the result does not start with a letter, prefix it with `Stack-`.
+*/
+const sanitizeStackName = (stackName) => {
+	const sanitized = stackName.normalize("NFKD").replace(/[\u0300-\u036f]/g, "").replace(/[^a-zA-Z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
+	if (!sanitized) return "Stack";
+	if (!/^[a-zA-Z]/.test(sanitized)) return `Stack-${sanitized}`;
+	return sanitized;
+};
+/**
+* If stack name isn't previously defined, the name will be created accordingly
+* with the following rules:
+*
+* 1. The name has to parts.
+*
+* 1. The first part is defined by the package.json name, if it is defined.
+* Else, it'll be a random name starting with the string "Stack-", e.g. **Stack-96830**.
+*
+* 1. The second part will be defined by, whichever is defined first:
+*  1. environment,
+*  1. [branch name](https://carlin.ttoss.dev/docs/CLI#branchbranch_name) in param-case,
+*  1. `undefined`.
+*
+* Example:
+*
+* | Case | Package Name | Environment | Branch Name | `--stack-name` | Stack Name |
+* | ---- | ------------ | ----------- | ----------  | -------------- | ---------- |
+* | #1 | @package/name | Production | main | MyStackName | **MyStackName** |
+* | #2 | @package/name | Production | main | | **PackageName-Production** |
+* | #3 | @package/name | | main | | **PackageName-main** |
+* | #4 | @package/name | | | | **PackageName** |
+* | #5 | | Production | main | | **Stack-96820-Production** |
+* | #6 | | | main | | **Stack-96820-main** |
+* | #7 | | | | | **Stack-96820** |
+*
+* CAUTION!!!
+*
+* This method is a BREAKING CHANGE for **carlin**, I hope we never have to
+* change this algorithm, ever. Stack name is how we track the stacks on AWS.
+* Suppose we change this algorithm. If we perform an update or destroy
+* operation, **carlin** will create another stack or do nothing because the
+* old stack won't be found due to stack name changing.
+*
+*/
+const getStackName = async () => {
+	if (getEnvVar("STACK_NAME")) return getEnvVar("STACK_NAME");
+	const [currentBranch, environment, packageName] = await Promise.all([
+		getCurrentBranch(),
+		getEnvironment(),
+		getPackageName()
+	]);
+	return limitStackName(sanitizeStackName([packageName ? pascalCase(packageName) : `Stack-${Math.round(Math.random() * 1e5)}`, (() => {
+		if (environment) return environment;
+		if (currentBranch) return kebabCase(currentBranch);
+	})()].filter((word) => {
+		return !!word;
+	}).join("-")));
+};
+//#endregion
+//#region src/deploy/utils.ts
+const deployErrorLogs = ({ error, logPrefix }) => {
+	log.error(logPrefix, `An error occurred. Cannot deploy ${logPrefix}.`);
+	log.error(logPrefix, "Error message: %j", error?.message);
+};
+const handleDeployError = ({ error, logPrefix }) => {
+	deployErrorLogs({
+		error,
+		logPrefix
+	});
+	process.exit(1);
+};
+/**
+* @param param.stackName acts as a default stack name.
+*/
+const handleDeployInitialization = async ({ logPrefix, stackName: preDefinedStackName }) => {
+	log.info(logPrefix, `Starting deploy ${logPrefix}...`);
+	if (preDefinedStackName) setPreDefinedStackName(preDefinedStackName);
+	const stackName = await getStackName();
+	log.info(logPrefix, `stackName: ${stackName}`);
+	return { stackName };
+};
+//#endregion
+//#region src/deploy/baseStack/getBucketTemplate.ts
+const getBucketTemplate = () => {
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: { [BASE_STACK_BUCKET_LOGICAL_NAME]: {
+			Type: "AWS::S3::Bucket",
+			DeletionPolicy: "Retain",
+			Properties: {
+				LifecycleConfiguration: { Rules: [{
+					ExpirationInDays: 1,
+					Prefix: BASE_STACK_BUCKET_TEMPLATES_FOLDER,
+					Status: "Enabled"
+				}, {
+					NoncurrentVersionExpirationInDays: 3,
+					Status: "Enabled"
+				}] },
+				/**
+				* This is necessary because if we update Lambda code without change
+				* CloudFormation template, the Lambda will not be updated.
+				*/
+				VersioningConfiguration: { Status: "Enabled" }
+			}
+		} },
+		Outputs: { [BASE_STACK_BUCKET_LOGICAL_NAME]: {
+			Value: { Ref: BASE_STACK_BUCKET_LOGICAL_NAME },
+			Export: { Name: BASE_STACK_BUCKET_NAME_EXPORTED_NAME }
+		} }
+	};
+};
+//#endregion
+//#region src/deploy/baseStack/getCloudFrontTemplate.ts
+/**
+* https://juffalow.com/blog/other/how-to-deploy-docusaurus-page-using-aws-s3-and-cloudfront#cloudfront-functions
+*/
+const functionCode = `function handler(event) {
+  var request = event.request;
+  var uri = request.uri;
+  if (uri.endsWith('/')) {
+    request.uri += 'index.html';
+  } else if (!uri.includes('.')) {
+    request.uri += '/index.html';
+  }
+  return request;
+}`;
+const getCloudFrontTemplate$1 = () => {
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: { [BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_LOGICAL_NAME]: {
+			Type: "AWS::CloudFront::Function",
+			Properties: {
+				Name: "AppendIndexDotHtml",
+				FunctionConfig: {
+					Comment: "Append index.html to the request URI",
+					Runtime: "cloudfront-js-2.0"
+				},
+				FunctionCode: functionCode,
+				AutoPublish: true
+			}
+		} },
+		Outputs: { [BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_ARN]: {
+			Value: { "Fn::GetAtt": [BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_LOGICAL_NAME, "FunctionMetadata.FunctionARN"] },
+			Export: { Name: BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_ARN_EXPORTED_NAME }
+		} }
+	};
+};
+//#endregion
+//#region src/deploy/baseStack/getLambdaImageBuilderTemplate.ts
+const getLambdaImageBuilderTemplate = () => {
+	const CODE_BUILD_PROJECT_LOGS_LOGICAL_ID = "CodeBuildProjectLogsLogGroup";
+	const CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID = "ImageCodeBuildProjectIAMRole";
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: {
+			[CODE_BUILD_PROJECT_LOGS_LOGICAL_ID]: {
+				Type: "AWS::Logs::LogGroup",
+				DeletionPolicy: "Delete",
+				Properties: {}
+			},
+			[CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID]: {
+				Type: "AWS::IAM::Role",
+				Properties: {
+					AssumeRolePolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [{
+							Effect: "Allow",
+							Principal: { Service: "codebuild.amazonaws.com" },
+							Action: "sts:AssumeRole"
+						}]
+					},
+					Path: getIamPath(),
+					Policies: [{
+						PolicyName: `${CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID}Policy`,
+						PolicyDocument: {
+							Version: "2012-10-17",
+							Statement: [
+								{
+									Effect: "Allow",
+									Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+									Resource: "*"
+								},
+								{
+									Effect: "Allow",
+									Action: ["ecr:GetAuthorizationToken"],
+									Resource: "*"
+								},
+								{
+									Effect: "Allow",
+									Action: [
+										"ecr:BatchCheckLayerAvailability",
+										"ecr:CompleteLayerUpload",
+										"ecr:InitiateLayerUpload",
+										"ecr:PutImage",
+										"ecr:UploadLayerPart"
+									],
+									Resource: "*"
+								},
+								{
+									Effect: "Allow",
+									Action: "s3:GetObject",
+									Resource: [{ "Fn::Sub": ["arn:aws:s3:::${BucketName}/*", { BucketName: { Ref: BASE_STACK_BUCKET_LOGICAL_NAME } }] }]
+								}
+							]
+						}
+					}]
+				}
+			},
+			[BASE_STACK_LAMBDA_IMAGE_BUILDER_LOGICAL_NAME]: {
+				Type: "AWS::CodeBuild::Project",
+				Properties: {
+					Artifacts: { Type: "NO_ARTIFACTS" },
+					Cache: {
+						Location: "LOCAL",
+						Modes: ["LOCAL_DOCKER_LAYER_CACHE"],
+						Type: "LOCAL"
+					},
+					Description: "Create Lambda image.",
+					Environment: {
+						ComputeType: "BUILD_GENERAL1_SMALL",
+						EnvironmentVariables: [
+							{
+								Name: "AWS_ACCOUNT_ID",
+								Value: { Ref: "AWS::AccountId" }
+							},
+							{
+								Name: "AWS_REGION",
+								Value: { Ref: "AWS::Region" }
+							},
+							{
+								Name: "IMAGE_TAG",
+								Value: "latest"
+							},
+							{
+								Name: "LAMBDA_EXTERNALS",
+								Value: ""
+							}
+						],
+						Image: "aws/codebuild/standard:3.0",
+						ImagePullCredentialsType: "CODEBUILD",
+						PrivilegedMode: true,
+						Type: "LINUX_CONTAINER"
+					},
+					LogsConfig: { CloudWatchLogs: {
+						Status: "ENABLED",
+						GroupName: { Ref: CODE_BUILD_PROJECT_LOGS_LOGICAL_ID }
+					} },
+					ServiceRole: { "Fn::GetAtt": [CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID, "Arn"] },
+					Source: {
+						BuildSpec: yaml.dump({
+							version: "0.2",
+							phases: {
+								install: { commands: [
+									"echo install started on `date`",
+									"npm init -y",
+									"npm install --save --package-lock-only --no-package-lock $LAMBDA_EXTERNALS",
+									"ls"
+								] },
+								pre_build: { commands: ["echo pre_build started on `date`", "$(aws ecr get-login --no-include-email --region $AWS_REGION)"] },
+								build: { commands: [
+									"echo build started on `date`",
+									"echo Building the repository image...",
+									"echo \"$DOCKERFILE\" > Dockerfile",
+									"docker build -t $REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG -f Dockerfile .",
+									"docker tag $REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG"
+								] },
+								post_build: { commands: [
+									"echo post_build completed on `date`",
+									"echo Pushing the repository image...",
+									"docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG"
+								] }
+							}
+						}),
+						Type: "NO_SOURCE"
+					},
+					TimeoutInMinutes: 60
+				}
+			}
+		},
+		Outputs: { [BASE_STACK_LAMBDA_IMAGE_BUILDER_LOGICAL_NAME]: {
+			Value: { Ref: BASE_STACK_LAMBDA_IMAGE_BUILDER_LOGICAL_NAME },
+			Export: { Name: BASE_STACK_LAMBDA_IMAGE_BUILDER_EXPORTED_NAME }
+		} }
+	};
+};
+//#endregion
+//#region src/deploy/runtime.ts
+/**
+* Get the Node.js version number from runtime string.
+* @param options - Configuration options
+* @param options.runtime - The runtime string (e.g., 'nodejs20.x')
+* @returns The version number (e.g., '20')
+*/
+const getNodeVersion = ({ runtime = DEFAULT_NODE_RUNTIME } = {}) => {
+	return runtime.replace("nodejs", "").replace(".x", "");
+};
+//#endregion
+//#region src/deploy/baseStack/getLambdaLayerBuilderTemplate.ts
+const CODE_BUILD_PROJECT_LOGS_GROUP_LOGICAL_ID = `${BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME}LogsLogGroup`;
+const CODE_BUILD_PROJECT_IAM_ROLE_LOGICAL_ID = `${BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME}Role`;
+/**
+* https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
+*/
+const getBuildSpec = ({ runtime } = {}) => {
+	return `
+version: 0.2
+phases:
+  install:
+    runtime-versions:
+      nodejs: ${runtime ? getNodeVersion({ runtime }) : "24"}
+    commands:
+      - npm i --no-bin-links --no-optional --no-package-lock --no-save --no-shrinkwrap $PACKAGE_NAME
+      - mkdir nodejs
+      - mv node_modules nodejs/node_modules
+artifacts:
+  files:
+    - nodejs/**/*
+  name: $PACKAGE_NAME.zip
+`.trim();
+};
+/**
+* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+*/
+const getLambdaLayerBuilderTemplate = ({ runtime } = {}) => {
+	return {
+		Resources: {
+			[CODE_BUILD_PROJECT_IAM_ROLE_LOGICAL_ID]: {
+				Type: "AWS::IAM::Role",
+				Properties: {
+					AssumeRolePolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [{
+							Effect: "Allow",
+							Principal: { Service: ["codebuild.amazonaws.com"] },
+							Action: ["sts:AssumeRole"]
+						}]
+					},
+					Path: getIamPath(),
+					Policies: [{
+						PolicyName: `${CODE_BUILD_PROJECT_IAM_ROLE_LOGICAL_ID}Policy`,
+						PolicyDocument: {
+							Version: "2012-10-17",
+							Statement: [{
+								Effect: "Allow",
+								Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+								Resource: "*"
+							}, {
+								Effect: "Allow",
+								Action: ["s3:*"],
+								Resource: [{ "Fn::Sub": ["arn:aws:s3:::${BucketName}", { BucketName: { Ref: BASE_STACK_BUCKET_LOGICAL_NAME } }] }, { "Fn::Sub": ["arn:aws:s3:::${BucketName}/*", { BucketName: { Ref: BASE_STACK_BUCKET_LOGICAL_NAME } }] }]
+							}]
+						}
+					}]
+				}
+			},
+			[CODE_BUILD_PROJECT_LOGS_GROUP_LOGICAL_ID]: {
+				Type: "AWS::Logs::LogGroup",
+				DeletionPolicy: "Delete",
+				Properties: {}
+			},
+			[BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME]: {
+				Type: "AWS::CodeBuild::Project",
+				Properties: {
+					Artifacts: {
+						Location: { Ref: BASE_STACK_BUCKET_LOGICAL_NAME },
+						NamespaceType: "NONE",
+						OverrideArtifactName: true,
+						Packaging: "ZIP",
+						Path: "lambda-layers/packages",
+						Type: "S3"
+					},
+					Environment: {
+						ComputeType: "BUILD_GENERAL1_SMALL",
+						/**
+						* Image should match the runtime of the buildspec.
+						* https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+						*/
+						Image: "aws/codebuild/standard:7.0",
+						Type: "LINUX_CONTAINER"
+					},
+					LogsConfig: { CloudWatchLogs: {
+						GroupName: { Ref: `${CODE_BUILD_PROJECT_LOGS_GROUP_LOGICAL_ID}` },
+						Status: "ENABLED"
+					} },
+					ServiceRole: { "Fn::GetAtt": `${CODE_BUILD_PROJECT_IAM_ROLE_LOGICAL_ID}.Arn` },
+					Source: {
+						BuildSpec: getBuildSpec({ runtime }),
+						Type: "NO_SOURCE"
+					}
+				}
+			}
+		},
+		Outputs: { [BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME]: { Value: { Ref: BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME } } }
+	};
+};
+//#endregion
+//#region src/deploy/baseStack/getVpcTemplate.ts
+const getVpcTemplate = () => {
+	const vpcName = `${pascalCase(NAME)}VPC`;
+	const EC2_INTERNET_GATEWAY_LOGICAL_ID = "EC2InternetGateway";
+	const EC2_ROUTE_TABLE_LOGICAL_ID = "EC2RouteTable";
+	const EC2_VPC_LOGICAL_ID = "EC2VCP";
+	const template = {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Mappings: { CidrMappings: { VPC: { CIDR: "10.0.0.0/16" } } },
+		Resources: {
+			[EC2_VPC_LOGICAL_ID]: {
+				Type: "AWS::EC2::VPC",
+				Properties: {
+					CidrBlock: { "Fn::FindInMap": [
+						"CidrMappings",
+						"VPC",
+						"CIDR"
+					] },
+					EnableDnsHostnames: true,
+					EnableDnsSupport: true,
+					Tags: [{
+						Key: "Name",
+						Value: vpcName
+					}]
+				}
+			},
+			[EC2_INTERNET_GATEWAY_LOGICAL_ID]: {
+				Type: "AWS::EC2::InternetGateway",
+				Properties: {}
+			},
+			EC2VPCGatewayAttachment: {
+				Type: "AWS::EC2::VPCGatewayAttachment",
+				Properties: {
+					InternetGatewayId: { Ref: EC2_INTERNET_GATEWAY_LOGICAL_ID },
+					VpcId: { Ref: EC2_VPC_LOGICAL_ID }
+				}
+			},
+			[EC2_ROUTE_TABLE_LOGICAL_ID]: {
+				Type: "AWS::EC2::RouteTable",
+				Properties: {
+					Tags: [{
+						Key: "Name",
+						Value: { "Fn::Join": [" ", [
+							vpcName,
+							"-",
+							EC2_ROUTE_TABLE_LOGICAL_ID
+						]] }
+					}],
+					VpcId: { Ref: EC2_VPC_LOGICAL_ID }
+				}
+			},
+			EC2Route: {
+				Type: "AWS::EC2::Route",
+				Properties: {
+					DestinationCidrBlock: "0.0.0.0/0",
+					GatewayId: { Ref: EC2_INTERNET_GATEWAY_LOGICAL_ID },
+					RouteTableId: { Ref: EC2_ROUTE_TABLE_LOGICAL_ID }
+				}
+			}
+		},
+		Outputs: {
+			VPCId: {
+				Value: { Ref: EC2_VPC_LOGICAL_ID },
+				Export: { Name: BASE_STACK_VPC_ID_EXPORTED_NAME }
+			},
+			VPCDefaultSecurityGroup: {
+				Value: { "Fn::GetAtt": [EC2_VPC_LOGICAL_ID, "DefaultSecurityGroup"] },
+				Export: { Name: BASE_STACK_VPC_DEFAULT_SECURITY_GROUP_EXPORTED_NAME }
+			}
+		}
+	};
+	for (const [index, publicSubnetExportedName] of [
+		BASE_STACK_VPC_PUBLIC_SUBNET_0_EXPORTED_NAME,
+		BASE_STACK_VPC_PUBLIC_SUBNET_1_EXPORTED_NAME,
+		BASE_STACK_VPC_PUBLIC_SUBNET_2_EXPORTED_NAME
+	].entries()) {
+		const publicSubnetLogicalId = `PublicSubnet${index}EC2Subnet`;
+		const publicSubnetCidrMappings = `PublicSubnet${index}`;
+		if (!template.Mappings) template.Mappings = {};
+		template.Mappings.CidrMappings[publicSubnetCidrMappings] = { CIDR: `10.0.${index}.0/24` };
+		template.Resources[publicSubnetLogicalId] = {
+			Type: "AWS::EC2::Subnet",
+			Properties: {
+				AvailabilityZone: { "Fn::Select": [index, { "Fn::GetAZs": { Ref: "AWS::Region" } }] },
+				CidrBlock: { "Fn::FindInMap": [
+					"CidrMappings",
+					publicSubnetCidrMappings,
+					"CIDR"
+				] },
+				MapPublicIpOnLaunch: true,
+				Tags: [{
+					Key: "Name",
+					Value: { "Fn::Join": [" ", [
+						EC2_VPC_LOGICAL_ID,
+						"-",
+						publicSubnetLogicalId
+					]] }
+				}],
+				VpcId: { Ref: EC2_VPC_LOGICAL_ID }
+			}
+		};
+		template.Resources[`PublicSubnet${index}EC2SubnetRouteTableAssociation`] = {
+			Type: "AWS::EC2::SubnetRouteTableAssociation",
+			Properties: {
+				RouteTableId: { Ref: EC2_ROUTE_TABLE_LOGICAL_ID },
+				SubnetId: { Ref: publicSubnetLogicalId }
+			}
+		};
+		if (!template.Outputs) template.Outputs = {};
+		template.Outputs[publicSubnetLogicalId] = {
+			Value: { Ref: publicSubnetLogicalId },
+			Export: { Name: publicSubnetExportedName }
+		};
+	}
+	return template;
+};
+//#endregion
+//#region src/deploy/baseStack/deployBaseStack.ts
+const logPrefix$16 = "base-stack";
+const baseStackTemplate = deepMerge.all([
+	getBucketTemplate(),
+	getCloudFrontTemplate$1(),
+	getLambdaImageBuilderTemplate(),
+	getLambdaLayerBuilderTemplate(),
+	getVpcTemplate()
+]);
+/**
+* Base Stack is a set of auxiliary resources that will be used to help at the
+* deployment time. The resources that will be created are listed below.
+*
+* - **S3 bucket**. Deployment may need an auxiliary bucket to succeed. For
+* instance, to deploy resources that contain a
+* [Lambda](https://carlin.ttoss.dev/docs/commands/deploy#lambda), we need a S3
+* bucket to upload the zipped code. Or if the CloudFormation template has a
+* size greater than [the limit](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html),
+* we need to upload the template to a S3 bucket in order to create/update the
+* stack.
+*
+* - **CloudFront function**. This resource is used to append the `index.html`
+* to the request URI. This is useful when deploying a [Docusaurus](https://docusaurus.io/)
+* website, for example.
+*
+* - **Lambda Layer builder**. This resource is a CodeBuild project that is
+* used to create Lambda Layers when [--lambda-externals](/docs/api-reference/deploy#lambda-externals)
+* has values.
+*
+* - **Lambda Image builder**. This resource is a CodeBuild project that builds
+* Docker Images if Lambda is going to use them.
+*
+* - **VPC**. This resource is used when some network infrastructure is
+* required. For example, CICD needs a VPC to execute the [Fargate](https://aws.amazon.com/fargate/)
+* operations.
+*/
+const deployBaseStack = async () => {
+	try {
+		const { stackName } = await handleDeployInitialization({
+			logPrefix: logPrefix$16,
+			stackName: BASE_STACK_NAME
+		});
+		await deploy({
+			template: baseStackTemplate,
+			params: { StackName: stackName },
+			terminationProtection: true
+		});
+	} catch (error) {
+		handleDeployError({
+			error,
+			logPrefix: logPrefix$16
+		});
+	}
+};
+//#endregion
+//#region src/deploy/baseStack/command.ts
+const deployBaseStackCommand = {
+	command: "base-stack",
+	describe: "Create base resources.",
+	handler: deployBaseStack
+};
+//#endregion
+//#region src/deploy/cicd/config.ts
+const ECS_TASK_DEFAULT_CPU = "2048";
+const ECS_TASK_DEFAULT_MEMORY = "4096";
+const PIPELINE_ECS_TASK_EXECUTION_STAGE_NAME = `PipelineRunECSTasksStage`;
+const PIPELINE_ECS_TASK_EXECUTION_MANUAL_APPROVAL_ACTION_NAME = `PipelineRunECSTasksApproval`;
+//#endregion
+//#region src/deploy/cicd/command.options.ts
+const options$6 = {
+	cpu: { type: "string" },
+	memory: { type: "string" },
+	pipelines: {
+		choices: [
+			"pr",
+			"main",
+			"tag"
+		],
+		coerce: (values) => {
+			return values.map((value) => {
+				return camelCase(value);
+			});
+		},
+		default: [],
+		description: "Pipelines that will be implemented with the CICD stack.",
+		type: "array"
+	},
+	"update-repository": {
+		alias: ["ur"],
+		description: "Determine if the repository image will be updated.",
+		default: true,
+		type: "boolean"
+	},
+	"ssh-key": {
+		demandOption: true,
+		type: "string"
+	},
+	"ssh-url": {
+		demandOption: true,
+		type: "string"
+	},
+	"slack-webhook-url": { type: "string" },
+	/**
+	* This option has the format:
+	*
+	* ```ts
+	* Array<{
+	*  name: string,
+	*  value: string,
+	* }>
+	* ```
+	*/
+	"task-environment": {
+		alias: ["te"],
+		default: [],
+		describe: "A list of environment variables that will be passed to the ECS container task.",
+		type: "array"
+	}
+};
+const getCicdConfig = () => {
+	const { parsed } = yargs(hideBin(process.argv)).config();
+	if (!parsed) return false;
+	const { argv } = parsed;
+	return Object.keys(options$6).reduce((acc, key) => {
+		const value = argv[key];
+		if (value) acc[key] = value;
+		return acc;
+	}, {});
+};
+//#endregion
+//#region src/deploy/cicd/getTriggerPipelineObjectKey.ts
+/**
+* The file with this key inside the source S3 key of main and tag pipelines
+* will trigger those pipelines.
+*/
+const getTriggerPipelinesObjectKey = ({ prefix, pipeline }) => {
+	return `${prefix}/${pipeline}.zip`;
+};
+//#endregion
+//#region src/deploy/cicd/cicd.template.ts
+const API_LOGICAL_ID = "ApiV1ServerlessApi";
+const CODE_BUILD_PROJECT_LOGS_LOGICAL_ID = "RepositoryImageCodeBuildProjectLogsLogGroup";
+const CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID = "RepositoryImageCodeBuildProjectIAMRole";
+const ECR_REPOSITORY_LOGICAL_ID = "RepositoryECRRepository";
+const FUNCTION_IAM_ROLE_LOGICAL_ID = "ApiV1ServerlessFunctionIAMRole";
+const ECS_TASK_REPORT_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID = "EcsTaskReportHandler";
+const PROCESS_ENV_REPOSITORY_IMAGE_CODE_BUILD_PROJECT_NAME = "REPOSITORY_IMAGE_CODE_BUILD_PROJECT_NAME";
+const REPOSITORY_ECS_TASK_CONTAINER_NAME = "RepositoryECSTaskContainerName";
+const REPOSITORY_ECS_TASK_DEFINITION_LOGICAL_ID = "RepositoryECSTaskDefinition";
+const REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID = "RepositoryImageCodeBuildProject";
+const REPOSITORY_TASKS_ECS_CLUSTER_LOGICAL_ID = "RepositoryTasksECSCluster";
+const REPOSITORY_TASKS_ECS_CLUSTER_LOGS_LOG_GROUP_LOGICAL_ID = "RepositoryTasksECSClusterLogsLogGroup";
+const REPOSITORY_TASKS_ECS_TASK_DEFINITION_EXECUTION_ROLE_LOGICAL_ID = "RepositoryTasksECSTaskDefinitionExecutionRoleIAMRole";
+const REPOSITORY_TASKS_ECS_TASK_DEFINITION_TASK_ROLE_LOGICAL_ID = "RepositoryTasksECSTaskDefinitionTaskRoleIAMRole";
+const PIPELINES_ARTIFACT_STORE_S3_BUCKET_LOGICAL_ID = "PipelinesArtifactStoreS3Bucket";
+const PIPELINES_ROLE_LOGICAL_ID = "PipelinesMainIAMRole";
+const PIPELINES_MAIN_LOGICAL_ID = "PipelinesMainCodePipeline";
+const PIPELINES_TAG_LOGICAL_ID = "PipelinesTagCodePipeline";
+const PIPELINES_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID = "PipelinesHandlerLambdaFunction";
+const IMAGE_UPDATER_SCHEDULE_SERVERLESS_FUNCTION_LOGICAL_ID = "ImageUpdaterScheduleServerlessFunction";
+/**
+* An [AWS CodeBuild](https://aws.amazon.com/codebuild/) project is created
+* to build (create and update) repository images. It uses a
+* [BUILD\_GENERAL1\_SMALL environment compute type](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html)
+* with Linux as operational system to build the image.
+*/
+const getRepositoryImageBuilder = () => {
+	return {
+		Type: "AWS::CodeBuild::Project",
+		Properties: {
+			Artifacts: { Type: "NO_ARTIFACTS" },
+			Cache: {
+				Location: "LOCAL",
+				Modes: ["LOCAL_DOCKER_LAYER_CACHE"],
+				Type: "LOCAL"
+			},
+			Description: "Create repository image.",
+			Environment: {
+				ComputeType: "BUILD_GENERAL1_SMALL",
+				EnvironmentVariables: [
+					{
+						Name: "AWS_ACCOUNT_ID",
+						Value: { Ref: "AWS::AccountId" }
+					},
+					{
+						Name: "AWS_REGION",
+						Value: { Ref: "AWS::Region" }
+					},
+					{
+						Name: "DOCKERFILE",
+						Value: { "Fn::Sub": [
+							"FROM public.ecr.aws/ubuntu/ubuntu:20.04_stable",
+							"ENV DEBIAN_FRONTEND noninteractive",
+							"RUN apt-get update --fix-missing",
+							"RUN apt-get install -y curl",
+							"RUN apt-get install -y git",
+							"RUN apt-get install -y jq",
+							`RUN curl -fsSL https://deb.nodesource.com/setup_${getNodeVersion({ runtime: DEFAULT_NODE_RUNTIME })}.x | bash -`,
+							"RUN apt-get install -y nodejs",
+							"RUN apt-get clean",
+							"RUN npm install -g yarn",
+							"RUN yarn global add carlin",
+							"RUN git config --global user.name carlin",
+							"RUN git config --global user.email carlin@ttoss.dev",
+							"RUN mkdir /root/.ssh/",
+							"COPY ./id_rsa /root/.ssh/id_rsa",
+							"RUN chmod 600 /root/.ssh/id_rsa",
+							"RUN touch /root/.ssh/known_hosts",
+							"RUN ssh-keyscan github.com >> /root/.ssh/known_hosts",
+							"COPY . /home",
+							"WORKDIR /home/repository",
+							"RUN mkdir -p /home/yarn-cache",
+							"RUN yarn config set cache-folder /home/yarn-cache",
+							"RUN yarn install",
+							"RUN git checkout -- yarn.lock"
+						].join("\n") }
+					},
+					{
+						Name: "IMAGE_TAG",
+						Value: "latest"
+					},
+					{
+						Name: "REPOSITORY_ECR_REPOSITORY",
+						Value: { Ref: ECR_REPOSITORY_LOGICAL_ID }
+					},
+					{
+						Name: "SSH_KEY",
+						Value: { Ref: "SSHKey" }
+					},
+					{
+						Name: "SSH_URL",
+						Value: { Ref: "SSHUrl" }
+					}
+				],
+				Image: "aws/codebuild/standard:3.0",
+				ImagePullCredentialsType: "CODEBUILD",
+				/**
+				* Enables running the Docker daemon inside a Docker container. Set to
+				* true only if the build project is used to build Docker images.
+				* Otherwise, a build that attempts to interact with the Docker daemon
+				* fails. The default setting is false."
+				* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-environment.html#cfn-codebuild-project-environment-privilegedmode
+				*/
+				PrivilegedMode: true,
+				Type: "LINUX_CONTAINER"
+			},
+			LogsConfig: { CloudWatchLogs: {
+				Status: "ENABLED",
+				GroupName: { Ref: CODE_BUILD_PROJECT_LOGS_LOGICAL_ID }
+			} },
+			ServiceRole: { "Fn::GetAtt": [CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID, "Arn"] },
+			Source: {
+				BuildSpec: yaml.dump({
+					version: "0.2",
+					phases: {
+						install: { commands: [
+							"echo install started on `date`",
+							`echo "$SSH_KEY" > ~/.ssh/id_rsa`,
+							"chmod 600 ~/.ssh/id_rsa",
+							"rm -rf repository",
+							"git clone $SSH_URL repository",
+							"cd repository",
+							"ls"
+						] },
+						pre_build: { commands: ["echo pre_build started on `date`"] },
+						build: { commands: [
+							"echo build started on `date`",
+							"$(aws ecr get-login --no-include-email --region $AWS_REGION)",
+							"echo Building the repository image...",
+							"cd ../",
+							"cp ~/.ssh/id_rsa .",
+							"echo \"$DOCKERFILE\" > Dockerfile",
+							"cat Dockerfile",
+							"docker build -t $REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG -f Dockerfile .",
+							"docker tag $REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG",
+							"echo Pushing the repository image...",
+							"docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_ECR_REPOSITORY:$IMAGE_TAG"
+						] },
+						post_build: { commands: ["echo post_build completed on `date`"] }
+					}
+				}),
+				Type: "NO_SOURCE"
+			},
+			TimeoutInMinutes: 15
+		}
+	};
+};
+/**
+* This variable is used inside GitHub webhooks to identify the object key
+* prefix of the file that triggers the pipelines.
+*/
+const triggerPipelinesObjectKeyPrefix = [
+	"cicd",
+	"pipelines",
+	"triggers",
+	getProjectName()
+].join("/");
+const getCicdTemplate = ({ pipelines = [], cpu = ECS_TASK_DEFAULT_CPU, memory = ECS_TASK_DEFAULT_MEMORY, s3, slackWebhookUrl, taskEnvironment = [] }) => {
+	const resources = {};
+	const executeEcsTaskVariables = {
+		ECS_CLUSTER_ARN: { "Fn::GetAtt": [REPOSITORY_TASKS_ECS_CLUSTER_LOGICAL_ID, "Arn"] },
+		ECS_CONTAINER_NAME: REPOSITORY_ECS_TASK_CONTAINER_NAME,
+		ECS_TASK_DEFINITION: { Ref: REPOSITORY_ECS_TASK_DEFINITION_LOGICAL_ID },
+		VPC_SECURITY_GROUP: { "Fn::ImportValue": BASE_STACK_VPC_DEFAULT_SECURITY_GROUP_EXPORTED_NAME },
+		VPC_PUBLIC_SUBNET_0: { "Fn::ImportValue": BASE_STACK_VPC_PUBLIC_SUBNET_0_EXPORTED_NAME },
+		VPC_PUBLIC_SUBNET_1: { "Fn::ImportValue": BASE_STACK_VPC_PUBLIC_SUBNET_1_EXPORTED_NAME },
+		VPC_PUBLIC_SUBNET_2: { "Fn::ImportValue": BASE_STACK_VPC_PUBLIC_SUBNET_2_EXPORTED_NAME },
+		ECS_TASK_REPORT_HANDLER_NAME: { Ref: ECS_TASK_REPORT_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID }
+	};
+	/**
+	* The algorithm will clone the repository and will create a Docker image
+	* to be used to perform your commands. [Yarn cache](https://classic.yarnpkg.com/en/docs/cli/cache/)
+	* will also be saved together with the code to reduce packages installation
+	* time. The created image will be pushed to [Amazon Elastic Container Registry](https://aws.amazon.com/ecr/).
+	* with a defined expiration rule is also defined. The registry only keeps
+	* the latest image.
+	*/
+	const getEcrRepositoryResource = () => {
+		return {
+			Type: "AWS::ECR::Repository",
+			Properties: { LifecyclePolicy: { LifecyclePolicyText: JSON.stringify({ rules: [{
+				rulePriority: 1,
+				description: "Only keep the latest image",
+				selection: {
+					tagStatus: "any",
+					countType: "imageCountMoreThan",
+					countNumber: 1
+				},
+				action: { type: "expire" }
+			}] }, null, 2) } }
+		};
+	};
+	resources[ECR_REPOSITORY_LOGICAL_ID] = getEcrRepositoryResource();
+	const commonFunctionProperties = {
+		CodeUri: {
+			Bucket: s3.bucket,
+			Key: s3.key,
+			Version: s3.versionId
+		},
+		Role: { "Fn::GetAtt": [FUNCTION_IAM_ROLE_LOGICAL_ID, "Arn"] },
+		Runtime: DEFAULT_NODE_RUNTIME,
+		Timeout: 60
+	};
+	/**
+	* CodeBuild
+	*/
+	(() => {
+		resources[CODE_BUILD_PROJECT_LOGS_LOGICAL_ID] = {
+			Type: "AWS::Logs::LogGroup",
+			DeletionPolicy: "Delete",
+			Properties: {}
+		};
+		resources[CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID] = {
+			Type: "AWS::IAM::Role",
+			Properties: {
+				AssumeRolePolicyDocument: {
+					Version: "2012-10-17",
+					Statement: [{
+						Effect: "Allow",
+						Principal: { Service: "codebuild.amazonaws.com" },
+						Action: "sts:AssumeRole"
+					}]
+				},
+				Path: getIamPath(),
+				Policies: [{
+					PolicyName: `${CODE_BUILD_PROJECT_SERVICE_ROLE_LOGICAL_ID}Policy`,
+					PolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [
+							{
+								Effect: "Allow",
+								Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+								Resource: "*"
+							},
+							{
+								Effect: "Allow",
+								Action: ["ecr:GetAuthorizationToken"],
+								Resource: "*"
+							},
+							{
+								Effect: "Allow",
+								Action: [
+									"ecr:BatchCheckLayerAvailability",
+									"ecr:CompleteLayerUpload",
+									"ecr:InitiateLayerUpload",
+									"ecr:PutImage",
+									"ecr:UploadLayerPart"
+								],
+								Resource: { "Fn::GetAtt": [ECR_REPOSITORY_LOGICAL_ID, "Arn"] }
+							}
+						]
+					}
+				}]
+			}
+		};
+		resources[REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID] = getRepositoryImageBuilder();
+		const cicdConfig = {
+			...getCicdConfig(),
+			"ssh-key": "/root/.ssh/id_rsa",
+			environment: getEnvironment()
+		};
+		resources[IMAGE_UPDATER_SCHEDULE_SERVERLESS_FUNCTION_LOGICAL_ID] = {
+			Type: "AWS::Serverless::Function",
+			Properties: {
+				...commonFunctionProperties,
+				Events: { Schedule: {
+					Type: "Schedule",
+					Properties: { Schedule: "rate(7 days)" }
+				} },
+				Environment: { Variables: {
+					[PROCESS_ENV_REPOSITORY_IMAGE_CODE_BUILD_PROJECT_NAME]: { Ref: REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID },
+					CICD_CONFIG: JSON.stringify(cicdConfig),
+					...executeEcsTaskVariables
+				} },
+				Handler: "index.imageUpdaterScheduleHandler"
+			}
+		};
+	})();
+	const createApiResources = () => {
+		resources[API_LOGICAL_ID] = {
+			Type: "AWS::Serverless::Api",
+			Properties: {
+				Auth: { ApiKeyRequired: false },
+				StageName: "v1"
+			}
+		};
+		resources[FUNCTION_IAM_ROLE_LOGICAL_ID] = {
+			Type: "AWS::IAM::Role",
+			Properties: {
+				AssumeRolePolicyDocument: {
+					Version: "2012-10-17",
+					Statement: [{
+						Effect: "Allow",
+						Principal: { Service: "lambda.amazonaws.com" },
+						Action: ["sts:AssumeRole"]
+					}]
+				},
+				ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
+				Path: getIamPath(),
+				Policies: [{
+					PolicyName: `${FUNCTION_IAM_ROLE_LOGICAL_ID}Policy`,
+					PolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [
+							{
+								Effect: "Allow",
+								Action: ["codebuild:StartBuild"],
+								Resource: { "Fn::GetAtt": [REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID, "Arn"] }
+							},
+							{
+								Effect: "Allow",
+								Action: ["iam:PassRole"],
+								Resource: [{ "Fn::GetAtt": [REPOSITORY_TASKS_ECS_TASK_DEFINITION_EXECUTION_ROLE_LOGICAL_ID, "Arn"] }, { "Fn::GetAtt": [REPOSITORY_TASKS_ECS_TASK_DEFINITION_TASK_ROLE_LOGICAL_ID, "Arn"] }]
+							},
+							{
+								Effect: "Allow",
+								Action: ["ecs:DescribeTasks"],
+								Resource: "*"
+							},
+							{
+								Effect: "Allow",
+								Action: ["ecs:RunTask"],
+								Resource: [{ Ref: REPOSITORY_ECS_TASK_DEFINITION_LOGICAL_ID }]
+							},
+							{
+								Action: [
+									"codepipeline:PutApprovalResult",
+									"codepipeline:GetJobDetails",
+									"codepipeline:GetPipelineState",
+									"codepipeline:PutJobSuccessResult",
+									"codepipeline:PutJobFailureResult"
+								],
+								Effect: "Allow",
+								Resource: "*"
+							},
+							{
+								Action: "s3:*",
+								Effect: "Allow",
+								Resource: { "Fn::Sub": [`arn:aws:s3:::\${BucketName}/${triggerPipelinesObjectKeyPrefix}*`, { BucketName: { "Fn::ImportValue": BASE_STACK_BUCKET_NAME_EXPORTED_NAME } }] }
+							}
+						]
+					}
+				}]
+			}
+		};
+		/**
+		* Called after ECS task execution success or failure.
+		*/
+		resources[ECS_TASK_REPORT_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID] = {
+			Type: "AWS::Serverless::Function",
+			Properties: {
+				...commonFunctionProperties,
+				Environment: { Variables: {
+					ECS_TASK_LOGS_LOG_GROUP: { Ref: REPOSITORY_TASKS_ECS_CLUSTER_LOGS_LOG_GROUP_LOGICAL_ID },
+					ECS_TASK_CONTAINER_NAME: REPOSITORY_ECS_TASK_CONTAINER_NAME,
+					SLACK_WEBHOOK_URL: slackWebhookUrl
+				} },
+				Handler: "index.ecsTaskReportHandler"
+			}
+		};
+		resources.CicdApiV1ServerlessFunction = {
+			Type: "AWS::Serverless::Function",
+			Properties: {
+				...commonFunctionProperties,
+				Events: { ApiEvent: {
+					Type: "Api",
+					Properties: {
+						Method: "POST",
+						Path: "/cicd",
+						RestApiId: { Ref: API_LOGICAL_ID }
+					}
+				} },
+				Environment: { Variables: {
+					[PROCESS_ENV_REPOSITORY_IMAGE_CODE_BUILD_PROJECT_NAME]: { Ref: REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID },
+					...executeEcsTaskVariables
+				} },
+				Handler: "index.cicdApiV1Handler"
+			}
+		};
+		resources.GitHubWebhooksApiV1ServerlessFunction = {
+			Type: "AWS::Serverless::Function",
+			Properties: {
+				...commonFunctionProperties,
+				Events: { ApiEvent: {
+					Type: "Api",
+					Properties: {
+						Method: "POST",
+						Path: "/github/webhooks",
+						RestApiId: { Ref: API_LOGICAL_ID }
+					}
+				} },
+				Environment: { Variables: {
+					BASE_STACK_BUCKET_NAME: { "Fn::ImportValue": BASE_STACK_BUCKET_NAME_EXPORTED_NAME },
+					TRIGGER_PIPELINES_OBJECT_KEY_PREFIX: triggerPipelinesObjectKeyPrefix,
+					PIPELINES_JSON: JSON.stringify(pipelines),
+					...executeEcsTaskVariables
+				} },
+				Handler: "index.githubWebhooksApiV1Handler"
+			}
+		};
+	};
+	createApiResources();
+	/**
+	* ECS
+	*/
+	(() => {
+		resources[REPOSITORY_TASKS_ECS_CLUSTER_LOGICAL_ID] = {
+			Type: "AWS::ECS::Cluster",
+			Properties: {}
+		};
+		resources[REPOSITORY_TASKS_ECS_CLUSTER_LOGS_LOG_GROUP_LOGICAL_ID] = {
+			Type: "AWS::Logs::LogGroup",
+			DeletionPolicy: "Delete",
+			Properties: {}
+		};
+		/**
+		* Used to start the container.
+		*/
+		resources[REPOSITORY_TASKS_ECS_TASK_DEFINITION_EXECUTION_ROLE_LOGICAL_ID] = {
+			Type: "AWS::IAM::Role",
+			Properties: {
+				AssumeRolePolicyDocument: {
+					Version: "2012-10-17",
+					Statement: [{
+						Effect: "Allow",
+						Principal: { Service: "ecs-tasks.amazonaws.com" },
+						Action: "sts:AssumeRole"
+					}]
+				},
+				ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"],
+				Path: getIamPath()
+			}
+		};
+		/**
+		* Used inside de container execution.
+		*/
+		resources[REPOSITORY_TASKS_ECS_TASK_DEFINITION_TASK_ROLE_LOGICAL_ID] = {
+			Type: "AWS::IAM::Role",
+			Properties: {
+				AssumeRolePolicyDocument: {
+					Version: "2012-10-17",
+					Statement: [{
+						Effect: "Allow",
+						Principal: { Service: "ecs-tasks.amazonaws.com" },
+						Action: "sts:AssumeRole"
+					}]
+				},
+				ManagedPolicyArns: ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"],
+				Path: getIamPath(),
+				/**
+				* TODO: improve the policies rules.
+				*/
+				Policies: [{
+					PolicyName: `${REPOSITORY_TASKS_ECS_TASK_DEFINITION_TASK_ROLE_LOGICAL_ID}Policy`,
+					PolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [{
+							Effect: "Allow",
+							Action: ["*"],
+							Resource: "*"
+						}]
+					}
+				}]
+			}
+		};
+		resources[REPOSITORY_ECS_TASK_DEFINITION_LOGICAL_ID] = {
+			Type: "AWS::ECS::TaskDefinition",
+			Properties: {
+				ContainerDefinitions: [{
+					Environment: [
+						{
+							/**
+							* https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html#enable-metadata
+							*/
+							Name: "ECS_ENABLE_CONTAINER_METADATA",
+							Value: "true"
+						},
+						{
+							Name: "CI",
+							Value: "true"
+						},
+						...taskEnvironment.map((te) => {
+							return {
+								Name: te.name,
+								Value: te.value
+							};
+						})
+					],
+					Image: { "Fn::Sub": ["${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${RepositoryECR}:latest", { RepositoryECR: { Ref: ECR_REPOSITORY_LOGICAL_ID } }] },
+					LogConfiguration: {
+						LogDriver: "awslogs",
+						Options: {
+							"awslogs-group": { Ref: REPOSITORY_TASKS_ECS_CLUSTER_LOGS_LOG_GROUP_LOGICAL_ID },
+							"awslogs-region": { Ref: "AWS::Region" },
+							"awslogs-stream-prefix": "ecs"
+						}
+					},
+					Name: REPOSITORY_ECS_TASK_CONTAINER_NAME
+				}],
+				Cpu: cpu,
+				ExecutionRoleArn: { "Fn::GetAtt": [REPOSITORY_TASKS_ECS_TASK_DEFINITION_EXECUTION_ROLE_LOGICAL_ID, "Arn"] },
+				Memory: memory,
+				NetworkMode: "awsvpc",
+				RequiresCompatibilities: ["FARGATE"],
+				TaskRoleArn: { "Fn::GetAtt": [REPOSITORY_TASKS_ECS_TASK_DEFINITION_TASK_ROLE_LOGICAL_ID, "Arn"] }
+			}
+		};
+	})();
+	/**
+	* Pipelines
+	*/
+	if (pipelines.includes("main") || pipelines.includes("tag")) {
+		resources[PIPELINES_ARTIFACT_STORE_S3_BUCKET_LOGICAL_ID] = {
+			Type: "AWS::S3::Bucket",
+			Properties: { LifecycleConfiguration: { Rules: [{
+				/**
+				* We won't use the artifacts forever.
+				*/
+				ExpirationInDays: 7,
+				Status: "Enabled"
+			}] } }
+		};
+		resources[PIPELINES_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID] = {
+			Type: "AWS::Lambda::Function",
+			Properties: {
+				Code: {
+					S3Bucket: s3.bucket,
+					S3Key: s3.key,
+					S3ObjectVersion: s3.versionId
+				},
+				Environment: { Variables: { ...executeEcsTaskVariables } },
+				Handler: "index.pipelinesHandler",
+				MemorySize: 128,
+				Role: { "Fn::GetAtt": [FUNCTION_IAM_ROLE_LOGICAL_ID, "Arn"] },
+				Runtime: DEFAULT_NODE_RUNTIME,
+				Timeout: 60
+			}
+		};
+		resources[PIPELINES_ROLE_LOGICAL_ID] = {
+			Type: "AWS::IAM::Role",
+			Properties: {
+				AssumeRolePolicyDocument: {
+					Version: "2012-10-17",
+					Statement: [{
+						Effect: "Allow",
+						Principal: { Service: "codepipeline.amazonaws.com" },
+						Action: "sts:AssumeRole"
+					}]
+				},
+				ManagedPolicyArns: [],
+				Path: getIamPath(),
+				Policies: [{
+					PolicyName: `${PIPELINES_ROLE_LOGICAL_ID}Policy`,
+					PolicyDocument: {
+						Version: "2012-10-17",
+						Statement: [
+							{
+								Effect: "Allow",
+								Action: "lambda:InvokeFunction",
+								Resource: [{ "Fn::GetAtt": [PIPELINES_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID, "Arn"] }]
+							},
+							{
+								Effect: "Allow",
+								Action: "s3:*",
+								Resource: [{ "Fn::GetAtt": [PIPELINES_ARTIFACT_STORE_S3_BUCKET_LOGICAL_ID, "Arn"] }, { "Fn::Sub": `arn:aws:s3:::\${${PIPELINES_ARTIFACT_STORE_S3_BUCKET_LOGICAL_ID}}/*` }]
+							},
+							{
+								Effect: "Allow",
+								Action: "s3:*",
+								Resource: { "Fn::Sub": [`arn:aws:s3:::\${BucketName}/${triggerPipelinesObjectKeyPrefix}*`, { BucketName: { "Fn::ImportValue": BASE_STACK_BUCKET_NAME_EXPORTED_NAME } }] }
+							},
+							{
+								Effect: "Allow",
+								Action: ["s3:Get*", "s3:List*"],
+								Resource: { "Fn::Sub": [`arn:aws:s3:::\${BucketName}`, { BucketName: { "Fn::ImportValue": BASE_STACK_BUCKET_NAME_EXPORTED_NAME } }] }
+							}
+						]
+					}
+				}]
+			}
+		};
+		const getCodePipelinePipeline = (pipeline) => {
+			const pipelinePascalCase = pascalCase(pipeline);
+			const pipelineS3SourceOutputName = `Pipeline${pipelinePascalCase}S3SourceOutput`;
+			return {
+				Type: "AWS::CodePipeline::Pipeline",
+				Properties: {
+					ArtifactStore: {
+						Location: { Ref: PIPELINES_ARTIFACT_STORE_S3_BUCKET_LOGICAL_ID },
+						Type: "S3"
+					},
+					RestartExecutionOnUpdate: false,
+					RoleArn: { "Fn::GetAtt": [PIPELINES_ROLE_LOGICAL_ID, "Arn"] },
+					Stages: [{
+						Actions: [{
+							ActionTypeId: {
+								Category: "Source",
+								Owner: "AWS",
+								Provider: "S3",
+								Version: 1
+							},
+							Configuration: {
+								S3Bucket: { "Fn::ImportValue": BASE_STACK_BUCKET_NAME_EXPORTED_NAME },
+								S3ObjectKey: getTriggerPipelinesObjectKey({
+									prefix: triggerPipelinesObjectKeyPrefix,
+									pipeline
+								})
+							},
+							Name: `Pipeline${pipelinePascalCase}S3SourceAction`,
+							OutputArtifacts: [{ Name: pipelineS3SourceOutputName }]
+						}],
+						Name: `Pipeline${pipelinePascalCase}S3SourceStage`
+					}, {
+						Actions: [{
+							ActionTypeId: {
+								Category: "Invoke",
+								Owner: "AWS",
+								Provider: "Lambda",
+								Version: 1
+							},
+							Configuration: {
+								FunctionName: { Ref: PIPELINES_HANDLER_LAMBDA_FUNCTION_LOGICAL_ID },
+								UserParameters: (() => {
+									return pipeline;
+								})()
+							},
+							InputArtifacts: [{ Name: pipelineS3SourceOutputName }],
+							Name: `Pipeline${pipelinePascalCase}RunECSTasksAction`
+						}, {
+							ActionTypeId: {
+								Category: "Approval",
+								Owner: "AWS",
+								Provider: "Manual",
+								Version: 1
+							},
+							Name: PIPELINE_ECS_TASK_EXECUTION_MANUAL_APPROVAL_ACTION_NAME
+						}],
+						Name: PIPELINE_ECS_TASK_EXECUTION_STAGE_NAME
+					}]
+				}
+			};
+		};
+		if (pipelines.includes("main")) resources[PIPELINES_MAIN_LOGICAL_ID] = getCodePipelinePipeline("main");
+		if (pipelines.includes("tag")) resources[PIPELINES_TAG_LOGICAL_ID] = getCodePipelinePipeline("tag");
+	}
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Transform: "AWS::Serverless-2016-10-31",
+		Resources: resources,
+		Parameters: {
+			SSHKey: {
+				NoEcho: true,
+				Type: "String"
+			},
+			SSHUrl: { Type: "String" }
+		},
+		Outputs: {
+			[REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID]: { Value: { Ref: REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID } },
+			ApiV1Endpoint: {
+				Description: "CICD API v1 stage endpoint.",
+				Value: { "Fn::Sub": `https://\${${API_LOGICAL_ID}}.execute-api.\${AWS::Region}.amazonaws.com/v1/` }
+			}
+		}
+	};
+};
+//#endregion
+//#region src/deploy/lambda/buildLambdaCode.ts
+const logPrefix$15 = "lambda";
+/**
+* Carlin builds the Lambda code using esbuild. It can build the code as ESM or
+* CJS format. When building as ESM, it will split the code into multiple files,
+* which reduces the payload size when deploying the Lambda function. The file
+* extension of the output files will be `.mjs` for ESM and `.cjs` for CJS.
+*/
+const buildLambdaCode = async ({ lambdaEntryPoints, lambdaEntryPointsBaseDir = ".", lambdaExternal = [], lambdaFormat = "esm", lambdaOutdir }) => {
+	log.info(logPrefix$15, "Building Lambda single file...");
+	/**
+	* Remove the output directory if it exists to not mix old files with the
+	* new ones.
+	*/
+	if (fs.existsSync(lambdaOutdir)) fs.rmSync(lambdaOutdir, { recursive: true });
+	const entryPoints = lambdaEntryPoints.map((entryPoint) => {
+		return path.resolve(process.cwd(), lambdaEntryPointsBaseDir, entryPoint);
+	});
+	const { errors } = esbuild.buildSync({
+		banner: { js: "// Powered by carlin (https://ttoss.dev/docs/carlin/)" },
+		bundle: true,
+		entryPoints,
+		external: [
+			"@aws-sdk/*",
+			...builtinModules,
+			...lambdaExternal
+		],
+		/**
+		* Some packages as `graphql` are not compatible with ESM yet.
+		* https://github.com/graphql/graphql-js/issues/3603
+		*/
+		format: lambdaFormat,
+		/**
+		* https://esbuild.github.io/api/#minify
+		*/
+		minifySyntax: true,
+		platform: "node",
+		splitting: lambdaFormat === "esm",
+		outbase: path.join(process.cwd(), lambdaEntryPointsBaseDir),
+		outdir: path.join(process.cwd(), lambdaOutdir),
+		outExtension: { ".js": lambdaFormat === "esm" ? ".mjs" : ".cjs" },
+		target: typescriptConfig.target,
+		treeShaking: true
+	});
+	if (errors.length > 0) throw errors;
+};
+//#endregion
+//#region src/deploy/lambdaLayer/getPackageLambdaLayerStackName.ts
+const lambdaLayerStackNamePrefix = `LambdaLayer`;
+const getPackageLambdaLayerStackName = (packageName) => {
+	const [scopedName, version] = packageName.split("@").filter((part) => {
+		return !!part;
+	});
+	return [
+		lambdaLayerStackNamePrefix,
+		pascalCase(scopedName),
+		version.replace(/[^0-9.]/g, "").replace(/\./g, "-")
+	].join("-");
+};
+//#endregion
+//#region src/deploy/lambdaLayer/deployLambdaLayer.ts
+const logPrefix$14 = "lambda-layer";
+const createLambdaLayerZipFile = async ({ codeBuildProjectName, packageName }) => {
+	log.info(logPrefix$14, `Creating zip file for package ${packageName}...`);
+	const { build } = await new AWS.CodeBuild().startBuild({
+		environmentVariablesOverride: [{
+			name: "PACKAGE_NAME",
+			value: packageName
+		}],
+		projectName: codeBuildProjectName
+	}).promise();
+	if (!build?.id) throw new Error("Cannot start build.");
+	const result = await waitCodeBuildFinish({
+		buildId: build.id,
+		name: packageName
+	});
+	if (result.artifacts?.location) {
+		const location = result.artifacts.location.split("/");
+		const bucket = location.shift()?.replace("arn:aws:s3:::", "");
+		if (!bucket) throw new Error("Cannot retrieve bucket name.");
+		return {
+			bucket,
+			key: location.join("/")
+		};
+	}
+	throw new Error(`Cannot get artifact location for package ${packageName}`);
+};
+/**
+* The CloudFormation template created to deploy a Lambda Layer.
+*
+* - The Layer name is the same as the Stack name.
+*/
+const getLambdaLayerTemplate = ({ bucket, key, packageName, runtime }) => {
+	const description = packageName.substring(0, 256);
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: { LambdaLayer: {
+			Type: "AWS::Lambda::LayerVersion",
+			Properties: {
+				CompatibleRuntimes: [runtime || DEFAULT_NODE_RUNTIME],
+				Content: {
+					S3Bucket: bucket,
+					S3Key: key
+				},
+				Description: description,
+				LayerName: { Ref: "AWS::StackName" }
+			}
+		} },
+		Outputs: { LambdaLayerVersion: {
+			Description: description,
+			Value: { Ref: "LambdaLayer" },
+			Export: { Name: { Ref: "AWS::StackName" } }
+		} }
+	};
+};
+const getPackagesThatAreNotDeployed = async ({ packages }) => {
+	return (await Promise.all(packages.map(async (packageName) => {
+		return await doesStackExist({ stackName: getPackageLambdaLayerStackName(packageName) }) ? "" : packageName;
+	}))).filter((packageName) => {
+		return !!packageName;
+	});
+};
+const deployLambdaLayer = async ({ packages, deployIfExists = true, runtime }) => {
+	try {
+		const packagesToBeDeployed = deployIfExists ? packages : await getPackagesThatAreNotDeployed({ packages });
+		if (packagesToBeDeployed.length === 0) return;
+		const codeBuildProjectName = await getBaseStackResource("BASE_STACK_LAMBDA_LAYER_BUILDER_LOGICAL_NAME");
+		if (!codeBuildProjectName) throw new Error("Cannot deploy lambda-layer because AWS CodeBuild project doesn't exist.");
+		const deployLambdaLayerSinglePackage = async (packageName) => {
+			try {
+				const { bucket, key } = await createLambdaLayerZipFile({
+					codeBuildProjectName,
+					packageName
+				});
+				await deploy({
+					template: getLambdaLayerTemplate({
+						packageName,
+						bucket,
+						key,
+						runtime
+					}),
+					terminationProtection: true,
+					params: { StackName: getPackageLambdaLayerStackName(packageName) }
+				});
+			} catch (error) {
+				handleDeployError({
+					error,
+					logPrefix: logPrefix$14
+				});
+			}
+		};
+		await Promise.all(packagesToBeDeployed.map((packageName) => {
+			return deployLambdaLayerSinglePackage(packageName);
+		}));
+	} catch (error) {
+		handleDeployError({
+			error,
+			logPrefix: logPrefix$14
+		});
+	}
+};
+//#endregion
+//#region src/deploy/lambda/deployLambdaLayers.ts
+const logPrefix$13 = "lambda";
+const deployLambdaLayers = async ({ lambdaExternal = [] }) => {
+	if (lambdaExternal.length === 0) return;
+	log.info(logPrefix$13, `--lambda-externals [${lambdaExternal.join(", ")}] was found. Creating other layers...`);
+	const { dependencies = {} } = (() => {
+		try {
+			return JSON.parse(fs$2.readFileSync(path$1.resolve(process.cwd(), "package.json"), "utf8"));
+		} catch (err) {
+			log.error(logPrefix$13, "Cannot read package.json. Error message: %j", err.message);
+			return {};
+		}
+	})();
+	await deployLambdaLayer({
+		packages: lambdaExternal.map((external) => {
+			try {
+				return `${external}@${dependencies[external].replace(/(~|\^)/g, "")}`;
+			} catch {
+				throw new Error(`Cannot find ${external} on package.json dependencies.`);
+			}
+		}),
+		deployIfExists: false
+	});
+};
+//#endregion
+//#region src/deploy/lambda/uploadCodeToECR.ts
+new AWS.CodeBuild({ region: AWS_DEFAULT_REGION });
+const uploadCodeToECR = async ({ bucket, key, lambdaExternal, lambdaDockerfile }) => {
+	throw new Error("uploadCodeToECR not finished yet.");
+};
+//#endregion
+//#region src/deploy/lambda/uploadCodeToS3.ts
+const logPrefix$12 = "lambda";
+const zipFileName = "lambda.zip";
+const uploadCodeToS3 = async ({ stackName, lambdaOutdir }) => {
+	log.info(logPrefix$12, `Uploading code to S3...`);
+	const zip = new AdmZip();
+	const zipFile = `${lambdaOutdir}/${zipFileName}`;
+	/**
+	* Check if the zip file already exists and delete it before creating a new.
+	*/
+	if (fs.existsSync(zipFile)) await fs.promises.rm(zipFile);
+	/**
+	* Zip entire directory.
+	*/
+	zip.addLocalFolder(lambdaOutdir);
+	zip.writeZip(`${lambdaOutdir}/${zipFileName}`);
+	return uploadFileToS3({
+		bucket: await getBaseStackResource("BASE_STACK_BUCKET_LOGICAL_NAME"),
+		contentType: "application/zip",
+		key: `lambdas/${stackName}/${zipFileName}`,
+		file: zip.toBuffer()
+	});
+};
+//#endregion
+//#region src/deploy/lambda/deployLambdaCode.ts
+const logPrefix$11 = "lambda";
+const deployLambdaCode = async ({ lambdaDockerfile, lambdaExternal = [], lambdaImage, lambdaEntryPoints, lambdaEntryPointsBaseDir = "src", lambdaFormat, lambdaOutdir = "out", stackName }) => {
+	if (!lambdaEntryPoints.length) return {};
+	log.info(logPrefix$11, "Deploying Lambda code...");
+	for (const entryPoint of lambdaEntryPoints) {
+		const entryPointPath = path.resolve(lambdaEntryPointsBaseDir, entryPoint);
+		if (!fs.existsSync(entryPointPath)) throw new Error(`Entry point ${entryPointPath} does not exist.`);
+	}
+	await buildLambdaCode({
+		lambdaExternal,
+		lambdaEntryPoints,
+		lambdaEntryPointsBaseDir,
+		lambdaFormat,
+		lambdaOutdir
+	});
+	const { bucket, key, versionId } = await uploadCodeToS3({
+		stackName,
+		lambdaOutdir
+	});
+	if (!lambdaImage) {
+		await deployLambdaLayers({ lambdaExternal });
+		return {
+			bucket,
+			key,
+			versionId
+		};
+	}
+	const { imageUri } = await uploadCodeToECR({
+		bucket,
+		key,
+		versionId,
+		lambdaDockerfile,
+		lambdaExternal
+	});
+	return { imageUri };
+};
+//#endregion
+//#region src/deploy/cicd/getCicdStackName.ts
+const getCicdStackName = () => {
+	return pascalCase([
+		NAME,
+		"Cicd",
+		getProjectName()
+	].join(" "));
+};
+//#endregion
+//#region src/deploy/cicd/deployCicd.ts
+const logPrefix$10 = "cicd";
+const getLambdaInput = (extension) => {
+	return path$1.resolve(__dirname, `lambdas/index.${extension}`);
+};
+const deployCicdLambdas = async ({ stackName }) => {
+	const s3 = await deployLambdaCode({
+		lambdaEntryPoints: [(() => {
+			/**
+			* This case happens when carlin command is executed when the package is
+			* built.
+			*/
+			if (fs$2.existsSync(getLambdaInput("js"))) return getLambdaInput("js");
+			/**
+			* The package isn't built.
+			*/
+			if (fs$2.existsSync(getLambdaInput("ts"))) return getLambdaInput("ts");
+			throw new Error("Cannot read CICD lambdas file.");
+		})()],
+		lambdaExternal: [],
+		/**
+		* Needs stackName to define the S3 key.
+		*/
+		stackName
+	});
+	if (!s3 || !s3.bucket) throw new Error("Cannot retrieve bucket in which Lambda code was deployed.");
+	return s3;
+};
+const waitRepositoryImageUpdate = async ({ stackName }) => {
+	log.info(logPrefix$10, "Starting repository image update...");
+	const { OutputValue: projectName } = await getStackOutput({
+		stackName,
+		outputKey: REPOSITORY_IMAGE_CODE_BUILD_PROJECT_LOGICAL_ID
+	});
+	if (!projectName) throw new Error(`Cannot retrieve repository image CodeBuild project name.`);
+	const build = await startCodeBuildBuild({ projectName });
+	if (build.id) await waitCodeBuildFinish({
+		buildId: build.id,
+		name: stackName
+	});
+};
+const deployCicd = async ({ cpu, memory, pipelines, updateRepository, slackWebhookUrl, sshKey, sshUrl, taskEnvironment }) => {
+	try {
+		const { stackName } = await handleDeployInitialization({
+			logPrefix: logPrefix$10,
+			stackName: getCicdStackName()
+		});
+		await deploy({
+			template: getCicdTemplate({
+				cpu,
+				memory,
+				pipelines,
+				s3: await deployCicdLambdas({ stackName }),
+				slackWebhookUrl,
+				taskEnvironment
+			}),
+			params: {
+				StackName: stackName,
+				Parameters: [{
+					ParameterKey: "SSHUrl",
+					ParameterValue: sshUrl
+				}, {
+					ParameterKey: "SSHKey",
+					ParameterValue: sshKey
+				}]
+			},
+			terminationProtection: true
+		});
+		if (updateRepository) await waitRepositoryImageUpdate({ stackName });
+	} catch (error) {
+		handleDeployError({
+			error,
+			logPrefix: logPrefix$10
+		});
+	}
+};
+//#endregion
+//#region src/deploy/cicd/readSSHKey.ts
+/**
+* Created to allow mocking.
+*/
+const readSSHKey = (dir) => {
+	return fs$2.readFileSync(dir, "utf-8");
+};
+//#endregion
+//#region src/deploy/cicd/command.ts
+const logPrefix$9 = "deploy-cicd";
+const deployCicdCommand = {
+	command: "cicd",
+	describe: "Deploy CICD.",
+	builder: (yargs) => {
+		return yargs.options(addGroupToOptions(options$6, "Deploy CICD Options"));
+	},
+	handler: ({ destroy, ...rest }) => {
+		if (destroy) log.info(logPrefix$9, `${NAME} doesn't destroy CICD stack.`);
+		else deployCicd({
+			...rest,
+			sshKey: readSSHKey(rest["ssh-key"])
+		});
+	}
+};
+//#endregion
+//#region ../cloudformation/src/cloudFormationYamlTemplate.ts
+const cloudFormationTypes = [
+	{
+		tag: "!Equals",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::Equals": data };
+			}
+		}
+	},
+	{
+		tag: "!FindInMap",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::FindInMap": data };
+			}
+		}
+	},
+	{
+		tag: "!GetAtt",
+		options: {
+			kind: "scalar",
+			construct: (data) => {
+				return { "Fn::GetAtt": data.split(".") };
+			}
+		}
+	},
+	{
+		tag: "!GetAtt",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::GetAtt": data };
+			}
+		}
+	},
+	{
+		tag: "!If",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::If": data };
+			}
+		}
+	},
+	{
+		tag: "!ImportValue",
+		options: {
+			kind: "scalar",
+			construct: (data) => {
+				return { "Fn::ImportValue": data };
+			}
+		}
+	},
+	{
+		tag: "!Join",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::Join": data };
+			}
+		}
+	},
+	{
+		tag: "!Not",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::Not": data };
+			}
+		}
+	},
+	{
+		tag: "!Ref",
+		options: {
+			kind: "scalar",
+			construct: (data) => {
+				return { Ref: data };
+			}
+		}
+	},
+	{
+		tag: "!Sub",
+		options: {
+			kind: "scalar",
+			construct: (data) => {
+				return { "Fn::Sub": data };
+			}
+		}
+	},
+	{
+		tag: "!Sub",
+		options: {
+			kind: "sequence",
+			construct: (data) => {
+				return { "Fn::Sub": data };
+			}
+		}
+	}
+];
+const getYamlTypes = (tagAndTypeArr) => {
+	return tagAndTypeArr.map(({ tag, options }) => {
+		return new yaml.Type(tag, options);
+	});
+};
+/**
+* Transform CloudFormation directives in objects. For example, transform
+* !Ref Something in { Ref: Something }.
+*/
+const getSchema = (tagAndTypeArr = []) => {
+	return yaml.DEFAULT_SCHEMA.extend(getYamlTypes([...tagAndTypeArr, ...cloudFormationTypes]));
+};
+/**
+* Transform YAML string in JSON object.
+*
+* @param template template in String format.
+* @param tagAndTypeArr YAML types.
+* @returns JSON template.
+*/
+const loadCloudFormationTemplate = (template, tagAndTypeArr = []) => {
+	return yaml.load(template, { schema: getSchema(tagAndTypeArr) });
+};
+//#endregion
+//#region ../cloudformation/src/readCloudFormationYamlTemplate.ts
+const getTypes = () => {
+	return [{
+		tag: `!SubString`,
+		options: {
+			kind: "scalar",
+			construct: (filePath) => {
+				return fs$3.readFileSync(path$2.resolve(process.cwd(), filePath)).toString();
+			}
+		}
+	}];
+};
+/**
+* CloudFormation
+* @param param0
+*/
+const readCloudFormationYamlTemplate = ({ templatePath }) => {
+	const parsed = loadCloudFormationTemplate(fs$3.readFileSync(templatePath).toString(), getTypes());
+	if (!parsed || typeof parsed === "string") throw new Error("Cannot parse CloudFormation template.");
+	return parsed;
+};
+//#endregion
+//#region ../cloudformation/src/findAndReadCloudFormationTemplate.ts
+const defaultTemplatePaths$1 = [
+	"ts",
+	"js",
+	"yaml",
+	"yml",
+	"json"
+].map((extension) => {
+	return `./src/cloudformation.${extension}`;
+});
+const findAndReadCloudFormationTemplate = async ({ templatePath: defaultTemplatePath, options = {} }) => {
+	const templatePath = defaultTemplatePath || defaultTemplatePaths$1.reduce((acc, cur) => {
+		if (acc) return acc;
+		return fs$3.existsSync(path$2.resolve(process.cwd(), cur)) ? cur : acc;
+	}, "");
+	if (!templatePath) throw new Error("Cannot find a CloudFormation template.");
+	const extension = templatePath?.split(".").pop();
+	/**
+	* We need to read Yaml first because CloudFormation specific tags aren't
+	* recognized when parsing a simple Yaml file. I.e., a possible error:
+	* "Error message: "unknown tag !<!Ref> at line 21, column 34:\n"
+	*/
+	if (["yaml", "yml"].includes(extension)) return readCloudFormationYamlTemplate({ templatePath });
+	return readConfigFile({
+		configFilePath: path$2.resolve(process.cwd(), templatePath),
+		options
+	});
+};
+//#endregion
+//#region src/deploy/lambda/getLambdaEntryPointsFromTemplate.ts
+const getLambdaEntryPointsFromTemplate = (template) => {
+	return Object.keys(template.Resources).filter((key) => {
+		return ["AWS::Lambda::Function", "AWS::Serverless::Function"].includes(template.Resources[key].Type);
+	}).map((key) => {
+		return template.Resources[key].Properties?.Handler;
+	}).filter((handler) => {
+		return !!handler;
+	}).map((handler) => {
+		return handler.split(".")[0] + ".ts";
+	});
+};
+//#endregion
+//#region src/deploy/cloudformation.ts
+const logPrefix$8 = "cloudformation";
+log.addLevel("event", 1e4, { fg: "yellow" });
+log.addLevel("output", 1e4, { fg: "blue" });
+[
+	"ts",
+	"js",
+	"yaml",
+	"yml",
+	"json"
+].map((extension) => {
+	return `./src/cloudformation.${extension}`;
+});
+/**
+* When you use a method to generate your CloudFormation template, you can
+* retrieve the options from the CLI plus the following variables after CLI
+* validations and middlewares logic:
+*
+* - `stackName`
+* - `environment`
+* - `packageName`
+* - `projectName`
+*
+* For example, in your `cloudformation.ts` file:
+*
+* ```typescript
+* export default async ({ environment, region, stackName }) => {
+*  // Do something with CLI options and the variables above.
+* }
+* ```
+*/
+const getCloudformationTemplateOptions = ({ cliOptions, stackName }) => {
+	return {
+		...cliOptions,
+		stackName,
+		environment: getEnvironment(),
+		packageName: getPackageName(),
+		projectName: getProjectName()
+	};
+};
+const deployCloudFormation = async (cliOptions) => {
+	try {
+		const { lambdaDockerfile, lambdaEntryPoints, lambdaEntryPointsBaseDir, lambdaImage, lambdaExternal, lambdaFormat, lambdaOutdir, parameters, template, templatePath } = cliOptions;
+		const { stackName } = await handleDeployInitialization({ logPrefix: logPrefix$8 });
+		const cloudFormationTemplate = await (async () => {
+			if (template) return { ...template };
+			return findAndReadCloudFormationTemplate({
+				templatePath,
+				options: getCloudformationTemplateOptions({
+					stackName,
+					cliOptions
+				})
+			});
+		})();
+		/**
+		* Add Parameters passed on CLI to CloudFormation template if they don't exist.
+		* Also, automatically add the Type of the parameter.
+		*/
+		if (parameters) for (const parameter of parameters) {
+			if (cloudFormationTemplate.Parameters?.[parameter.key]) continue;
+			if (!cloudFormationTemplate.Parameters) cloudFormationTemplate.Parameters = {};
+			const type = (() => {
+				if (typeof parameter.value === "string") return "String";
+				if (typeof parameter.value === "number") return "Number";
+				throw new Error(`Parameter assertion failed. Parameter ${parameter.key} value ${parameter.value} is not mapped.`);
+			})();
+			cloudFormationTemplate.Parameters[parameter.key] = { Type: type };
+		}
+		await validateTemplate({
+			stackName,
+			template: cloudFormationTemplate
+		});
+		const params = {
+			StackName: stackName,
+			Parameters: parameters?.map((parameter) => {
+				return {
+					ParameterKey: parameter.key,
+					ParameterValue: parameter.value,
+					UsePreviousValue: parameter.usePreviousValue,
+					ResolvedValue: parameter.resolvedValue
+				};
+			}) || []
+		};
+		const deployCloudFormationDeployLambdaCode = async () => {
+			const response = await deployLambdaCode({
+				lambdaDockerfile,
+				lambdaExternal,
+				lambdaEntryPoints: (() => {
+					if (lambdaEntryPoints && lambdaEntryPoints.length > 0) return lambdaEntryPoints;
+					return getLambdaEntryPointsFromTemplate(cloudFormationTemplate);
+				})(),
+				lambdaEntryPointsBaseDir,
+				lambdaFormat,
+				lambdaImage,
+				lambdaOutdir,
+				stackName
+			});
+			if (response) {
+				const { bucket, key, versionId, imageUri } = response;
+				if (imageUri) {
+					cloudFormationTemplate.Parameters = {
+						LambdaImageUri: { Type: "String" },
+						...cloudFormationTemplate.Parameters
+					};
+					params.Parameters.push({
+						ParameterKey: "LambdaImageUri",
+						ParameterValue: imageUri
+					});
+				} else if (bucket && key && versionId) {
+					/**
+					* Add Parameters to CloudFormation template.
+					*/
+					cloudFormationTemplate.Parameters = {
+						LambdaS3Bucket: { Type: "String" },
+						LambdaS3Key: { Type: "String" },
+						LambdaS3ObjectVersion: { Type: "String" },
+						...cloudFormationTemplate.Parameters
+					};
+					/**
+					* Add S3Bucket and S3Key to params.
+					*/
+					params.Parameters.push(
+						{
+							ParameterKey: "LambdaS3Bucket",
+							ParameterValue: bucket
+						},
+						{
+							ParameterKey: "LambdaS3Key",
+							ParameterValue: key
+						},
+						/**
+						* Used by CloudFormation AWS::Lambda::Function
+						* @see {@link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html}
+						* and by CloudFormation AWS::Serverless::Function
+						* @see {@link https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-functioncode.html}
+						*/
+						{
+							ParameterKey: "LambdaS3ObjectVersion",
+							ParameterValue: versionId
+						}
+					);
+					/**
+					* Add `Code` property to every AWS::Lambda::Function resource or
+					* `CodeUri` property to every AWS::Serverless::Function resource if
+					* they are NOT already defined.
+					*/
+					for (const key of Object.keys(cloudFormationTemplate.Resources)) {
+						const resource = cloudFormationTemplate.Resources[key];
+						if (resource.Type === "AWS::Lambda::Function") {
+							if (!resource.Properties?.Code) resource.Properties = {
+								...resource.Properties,
+								Code: {
+									S3Bucket: { Ref: "LambdaS3Bucket" },
+									S3Key: { Ref: "LambdaS3Key" },
+									S3ObjectVersion: { Ref: "LambdaS3ObjectVersion" }
+								}
+							};
+						}
+						if (resource.Type === "AWS::Serverless::Function") {
+							if (!resource.Properties?.CodeUri) resource.Properties = {
+								...resource.Properties,
+								CodeUri: {
+									Bucket: { Ref: "LambdaS3Bucket" },
+									Key: { Ref: "LambdaS3Key" },
+									Version: { Ref: "LambdaS3ObjectVersion" }
+								}
+							};
+						}
+					}
+				}
+			}
+		};
+		await deployCloudFormationDeployLambdaCode();
+		return await deploy({
+			params,
+			template: cloudFormationTemplate
+		});
+	} catch (error) {
+		return handleDeployError({
+			error,
+			logPrefix: logPrefix$8
+		});
+	}
+};
+const emptyStackBuckets = async ({ stackName }) => {
+	const buckets = [];
+	await (async ({ nextToken }) => {
+		const { StackResourceSummaries } = await cloudFormationV2().listStackResources({
+			StackName: stackName,
+			NextToken: nextToken
+		}).promise();
+		for (const { ResourceType, PhysicalResourceId } of StackResourceSummaries || []) if (ResourceType === "AWS::S3::Bucket" && PhysicalResourceId) buckets.push(PhysicalResourceId);
+	})({});
+	return Promise.all(buckets.map((bucket) => {
+		return emptyS3Directory({ bucket });
+	}));
+};
+/**
+* 1. Check if `environment` is defined. If defined, do nothing. It doesn't
+* destroy stacks with defined `environment`.
+* 1. Check if termination protection is disabled.
+* 1. Empty all buckets in the stack (if any).
+* 1. Delete the stack.
+*/
+const destroy = async ({ stackName }) => {
+	const environment = getEnvironment();
+	if (environment) {
+		log.info(logPrefix$8, `Cannot destroy stack when environment (${environment}) is defined.`);
+		return;
+	}
+	if (!await doesStackExist({ stackName })) {
+		log.info(logPrefix$8, `Stack ${stackName} doesn't exist.`);
+		return;
+	}
+	if (!await canDestroyStack({ stackName })) {
+		const message = `Stack ${stackName} cannot be destroyed while TerminationProtection is enabled.`;
+		throw new Error(message);
+	}
+	try {
+		await emptyStackBuckets({ stackName });
+	} catch (error) {
+		log.warn(logPrefix$8, `Failed to empty buckets for stack ${stackName}: ${error?.message || error}. Proceeding with stack deletion.`);
+	}
+	await deleteStack({ stackName });
+};
+const destroyCloudFormation = async ({ stackName: defaultStackName } = {}) => {
+	try {
+		log.info(logPrefix$8, "CAUTION! Starting CloudFormation destroy...");
+		const stackName = defaultStackName || await getStackName();
+		log.info(logPrefix$8, `stackName: ${stackName}`);
+		await destroy({ stackName });
+	} catch (error) {
+		handleDeployError({
+			error,
+			logPrefix: logPrefix$8
+		});
+	}
+};
+//#endregion
+//#region src/deploy/lambdaLayer/command.ts
+const logPrefix$7 = "deploy-lambda-layer";
+/**
+* https://stackoverflow.com/a/64880672/8786986
+*/
+const packageNameRegex = /@[~^]?([\dvx*]+(?:[-.](?:[\dx*]+|alpha|beta))*)/;
+const options$5 = { packages: {
+	array: true,
+	describe: `NPM packages' names to be deployed as Lambda Layers. It must follow the format: ${packageNameRegex.toString()}.`,
+	required: true,
+	type: "string"
+} };
+const deployLambdaLayerCommand = {
+	command: "lambda-layer",
+	describe: "Deploy Lambda Layer.",
+	builder: (yargs) => {
+		return yargs.options(addGroupToOptions(options$5, "Deploy Lambda Layer Options")).check(({ packages }) => {
+			const invalidPackages = packages.map((packageName) => {
+				return packageNameRegex.test(packageName) ? void 0 : packageName;
+			}).filter((packageName) => {
+				return !!packageName;
+			});
+			if (invalidPackages.length > 0) throw new Error(`Some package names are invalid: ${invalidPackages.join(", ")}. The package must follow the pattern: ${packageNameRegex.toString()}.`);
+			else return true;
+		});
+	},
+	handler: ({ destroy, lambdaRuntime, ...rest }) => {
+		if (destroy) log.info(logPrefix$7, `${NAME} doesn't destroy lambda layers.`);
+		else deployLambdaLayer({
+			...rest,
+			runtime: lambdaRuntime
+		});
+	}
+};
+//#endregion
+//#region src/deploy/readDockerfile.ts
+/**
+* This method was created because fs.readFileSync cannot be mocked.
+*/
+const readDockerfile = (dockerfilePath) => {
+	try {
+		return fs$2.readFileSync(path$1.join(process.cwd(), dockerfilePath), "utf8");
+	} catch {
+		return "";
+	}
+};
+//#endregion
+//#region src/deploy/reportToGitHubPR.ts
+const logPrefix$6 = "report";
+const getGitHubErrorMessage = async (response) => {
+	try {
+		const body = await response.json();
+		if (body.message) return `${response.status} ${response.statusText} - ${body.message}`;
+	} catch {}
+	return `${response.status} ${response.statusText}`;
+};
+const GITHUB_PR_COMMENT_MARKER = "<!-- carlin-deploy-outputs -->";
+const readAllDeployFiles = async () => {
+	const files = await glob("**/.carlin/*.json", {
+		absolute: true,
+		ignore: ["**/node_modules/**", `**/.carlin/${LATEST_DEPLOY_OUTPUTS_FILENAME}`]
+	});
+	const results = [];
+	for (const file of files) try {
+		const raw = await fs$3.promises.readFile(file, "utf-8");
+		const content = JSON.parse(raw);
+		if (content.stackName && content.outputs) results.push(content);
+	} catch {
+		log.warn(logPrefix$6, `Could not read deploy file: ${path$2.basename(file)}`);
+	}
+	return results.sort((a, b) => {
+		return a.packageName.localeCompare(b.packageName);
+	});
+};
+const buildMarkdownComment = (deploys) => {
+	const header = `${GITHUB_PR_COMMENT_MARKER}\n\n## Deploy Outputs\n`;
+	if (deploys.length === 0) return `${header}\nNo deploy outputs found.`;
+	return `${header}\n${[
+		"| Package | Stack | Output Key | Output Value |",
+		"|---------|-------|------------|--------------|",
+		...deploys.flatMap(({ packageName, stackName, outputs }) => {
+			return Object.values(outputs).map(({ OutputKey, OutputValue }) => {
+				return `| \`${packageName}\` | \`${stackName}\` | \`${OutputKey}\` | ${OutputValue} |`;
+			});
+		})
+	].join("\n")}`;
+};
+const getPrNumber = async ({ branch, repo, token }) => {
+	const [owner] = repo.split("/");
+	const response = await fetch(`https://api.github.com/repos/${repo}/pulls?head=${owner}:${branch}&state=open&per_page=1`, { headers: {
+		Accept: "application/vnd.github+json",
+		Authorization: `Bearer ${token}`,
+		"X-GitHub-Api-Version": "2022-11-28"
+	} });
+	if (!response.ok) throw new Error(`GitHub API error fetching PR: ${await getGitHubErrorMessage(response)}`);
+	const prs = await response.json();
+	if (prs.length === 0) throw new Error(`No open PR found for branch: ${branch}`);
+	return prs[0].number;
+};
+const findExistingComment = async ({ prNumber, repo, token }) => {
+	const response = await fetch(`https://api.github.com/repos/${repo}/issues/${prNumber}/comments?per_page=100`, { headers: {
+		Accept: "application/vnd.github+json",
+		Authorization: `Bearer ${token}`,
+		"X-GitHub-Api-Version": "2022-11-28"
+	} });
+	if (!response.ok) throw new Error(`GitHub API error fetching comments: ${await getGitHubErrorMessage(response)}`);
+	return (await response.json()).find(({ body }) => {
+		return body.includes(GITHUB_PR_COMMENT_MARKER);
+	});
+};
+const createOrUpdateComment = async ({ body, existingCommentId, prNumber, repo, token }) => {
+	const url = existingCommentId ? `https://api.github.com/repos/${repo}/issues/comments/${existingCommentId}` : `https://api.github.com/repos/${repo}/issues/${prNumber}/comments`;
+	const method = existingCommentId ? "PATCH" : "POST";
+	const response = await fetch(url, {
+		body: JSON.stringify({ body }),
+		headers: {
+			Accept: "application/vnd.github+json",
+			Authorization: `Bearer ${token}`,
+			"Content-Type": "application/json",
+			"X-GitHub-Api-Version": "2022-11-28"
+		},
+		method
+	});
+	if (!response.ok) throw new Error(`GitHub API error ${method} comment: ${await getGitHubErrorMessage(response)}`);
+};
+const reportToGitHubPR = async () => {
+	const token = process.env.GH_TOKEN;
+	const repo = process.env.GITHUB_REPOSITORY;
+	const branch = process.env.CARLIN_BRANCH;
+	if (!token) throw new Error("GH_TOKEN environment variable is required for --channel=github-pr");
+	if (!repo) throw new Error("GITHUB_REPOSITORY environment variable is required for --channel=github-pr");
+	if (!branch) throw new Error("CARLIN_BRANCH environment variable is required for --channel=github-pr");
+	log.info(logPrefix$6, "Reading deploy outputs from workspace...");
+	const deploys = await readAllDeployFiles();
+	log.info(logPrefix$6, `Found ${deploys.length} deploy file(s).`);
+	const prNumber = await getPrNumber({
+		branch,
+		repo,
+		token
+	});
+	log.info(logPrefix$6, `Reporting to PR #${prNumber}...`);
+	const body = buildMarkdownComment(deploys);
+	const existingComment = await findExistingComment({
+		prNumber,
+		repo,
+		token
+	});
+	await createOrUpdateComment({
+		body,
+		existingCommentId: existingComment?.id,
+		prNumber,
+		repo,
+		token
+	});
+	log.info(logPrefix$6, existingComment ? "PR comment updated." : "PR comment created.");
+};
+//#endregion
+//#region src/deploy/staticApp/findDefaultBuildFolder.ts
+/**
+* Fixes #20 https://github.com/ttoss/carlin/issues/20
+*/
+const defaultBuildFolders = [
+	"build",
+	"out",
+	"storybook-static",
+	"dist"
+];
+const findDefaultBuildFolder = async () => {
+	return (await Promise.all(defaultBuildFolders.map(async (directory) => {
+		return {
+			directory,
+			isValid: (await getAllFilesInsideADirectory({ directory })).length !== 0
+		};
+	}))).reduce((acc, cur) => {
+		if (cur.isValid) return cur.directory;
+		return acc;
+	}, "");
+};
+//#endregion
+//#region src/deploy/staticApp/getStaticAppBucket.ts
+const STATIC_APP_BUCKET_LOGICAL_ID$1 = "StaticBucket";
+const getStaticAppBucket = async ({ stackName }) => {
+	const params = {
+		LogicalResourceId: STATIC_APP_BUCKET_LOGICAL_ID$1,
+		StackName: stackName
+	};
+	try {
+		const { StackResourceDetail } = await describeStackResource(params);
+		return StackResourceDetail?.PhysicalResourceId;
+	} catch {
+		return;
+	}
+};
+//#endregion
+//#region src/deploy/staticApp/invalidateCloudFront.ts
+const CLOUDFRONT_DISTRIBUTION_ID = "CloudFrontDistributionId";
+const logPrefix$5 = "static-app";
+const invalidateCloudFront = async ({ outputs }) => {
+	log.info(logPrefix$5, "Invalidating CloudFront...");
+	if (!outputs) {
+		log.info(logPrefix$5, "Invalidation: outputs do not exist.");
+		return;
+	}
+	const cloudFrontDistributionIDOutput = outputs.find((output) => {
+		return output.OutputKey === CLOUDFRONT_DISTRIBUTION_ID;
+	});
+	if (cloudFrontDistributionIDOutput?.OutputValue) {
+		const distributionId = cloudFrontDistributionIDOutput.OutputValue;
+		const params = {
+			DistributionId: distributionId,
+			InvalidationBatch: {
+				CallerReference: (/* @__PURE__ */ new Date()).toISOString(),
+				Paths: {
+					Items: ["/*"],
+					Quantity: 1
+				}
+			}
+		};
+		const cloudFront = new AWS.CloudFront();
+		try {
+			await cloudFront.createInvalidation(params).promise();
+			log.info(logPrefix$5, `CloudFront Distribution ID ${distributionId} invalidated with success.`);
+		} catch (err) {
+			log.error(logPrefix$5, `Error while trying to invalidate CloudFront distribution ${distributionId}.`);
+			log.error(logPrefix$5, err);
+		}
+	} else log.info(logPrefix$5, `Cannot invalidate because distribution does not exist.`);
+};
+//#endregion
+//#region src/deploy/staticApp/staticApp.template.ts
+const PACKAGE_VERSION = getPackageVersion();
+const STATIC_APP_BUCKET_LOGICAL_ID = "StaticBucket";
+const CLOUDFRONT_DISTRIBUTION_LOGICAL_ID = "CloudFrontDistribution";
+const CLOUDFRONT_ORIGIN_ACCESS_CONTROL_LOGICAL_ID = "OriginAccessControl";
+const ROUTE_53_RECORD_SET_GROUP_LOGICAL_ID = "Route53RecordSetGroup";
+const ERROR_DOCUMENT = "404/index.html";
+/**
+* Name: Managed-CachingDisabled
+* ID: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html
+*/
+const CACHE_POLICY_ID = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
+/**
+* Name: Managed-CORS-S3Origin
+* ID: 88a5eaf4-2fd4-4709-b370-b4c650ea3fcf
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html
+*/
+const ORIGIN_REQUEST_POLICY_ID = "88a5eaf4-2fd4-4709-b370-b4c650ea3fcf";
+/**
+* Name: CORS-with-preflight-and-SecurityHeadersPolicy
+* ID: eaab4381-ed33-4a86-88ca-d9558dc6cd63
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html
+*/
+const ORIGIN_RESPONSE_POLICY_ID = "eaab4381-ed33-4a86-88ca-d9558dc6cd63";
+const getBucketStaticWebsiteTemplate = ({ spa }) => {
+	return {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: {
+			[STATIC_APP_BUCKET_LOGICAL_ID]: {
+				Type: "AWS::S3::Bucket",
+				Properties: {
+					CorsConfiguration: { CorsRules: [{
+						AllowedHeaders: ["*"],
+						AllowedMethods: ["GET"],
+						AllowedOrigins: ["*"],
+						Id: "OpenCors",
+						MaxAge: 600
+					}] },
+					PublicAccessBlockConfiguration: { BlockPublicPolicy: false },
+					WebsiteConfiguration: {
+						IndexDocument: `index.html`,
+						ErrorDocument: spa ? "index.html" : ERROR_DOCUMENT
+					}
+				}
+			},
+			[`${STATIC_APP_BUCKET_LOGICAL_ID}S3BucketPolicy`]: {
+				Type: "AWS::S3::BucketPolicy",
+				Properties: {
+					Bucket: { Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+					PolicyDocument: { Statement: [{
+						Action: ["s3:GetObject"],
+						Effect: "Allow",
+						Principal: "*",
+						Resource: { "Fn::Join": ["", [
+							"arn:aws:s3:::",
+							{ Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+							"/*"
+						]] }
+					}] }
+				}
+			}
+		},
+		Outputs: { BucketWebsiteURL: {
+			Description: "Bucket static app website URL",
+			Value: { "Fn::GetAtt": [STATIC_APP_BUCKET_LOGICAL_ID, "WebsiteURL"] }
+		} }
+	};
+};
+const getCloudFrontTemplate = ({ acm, aliases = [], appendIndexHtml, spa, hostedZoneName }) => {
+	const template = {
+		AWSTemplateFormatVersion: "2010-09-09",
+		Resources: {
+			[STATIC_APP_BUCKET_LOGICAL_ID]: {
+				Type: "AWS::S3::Bucket",
+				Properties: { PublicAccessBlockConfiguration: { BlockPublicPolicy: false } }
+			},
+			[`${STATIC_APP_BUCKET_LOGICAL_ID}S3BucketPolicy`]: {
+				Type: "AWS::S3::BucketPolicy",
+				Properties: {
+					Bucket: { Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+					PolicyDocument: { Statement: [(
+					/**
+					* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
+					*/
+					{
+						Sid: "AllowCloudFrontServicePrincipalReadOnly",
+						Effect: "Allow",
+						Principal: { Service: "cloudfront.amazonaws.com" },
+						Action: "s3:GetObject",
+						Resource: { "Fn::Join": ["", [
+							"arn:aws:s3:::",
+							{ Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+							"/*"
+						]] },
+						Condition: { StringEquals: { "AWS:SourceArn": { "Fn::Join": ["", [
+							"arn:aws:cloudfront::",
+							{ Ref: "AWS::AccountId" },
+							":distribution/",
+							{ Ref: CLOUDFRONT_DISTRIBUTION_LOGICAL_ID }
+						]] } } }
+					})] }
+				}
+			}
+		}
+	};
+	const cloudFrontResources = {
+		[CLOUDFRONT_DISTRIBUTION_LOGICAL_ID]: {
+			Type: "AWS::CloudFront::Distribution",
+			Properties: { DistributionConfig: {
+				Comment: { "Fn::Sub": ["CloudFront Distribution for ${Project} project.", { Project: { Ref: "Project" } }] },
+				CustomErrorResponses: [403, 404].map((errorCode) => {
+					if (spa) return {
+						ErrorCachingMinTTL: 3600 * 24,
+						ErrorCode: errorCode,
+						ResponseCode: 200,
+						ResponsePagePath: "/index.html"
+					};
+					return {
+						ErrorCachingMinTTL: 0,
+						ErrorCode: errorCode,
+						ResponseCode: 404,
+						ResponsePagePath: "/404/index.html"
+					};
+				}),
+				DefaultCacheBehavior: {
+					AllowedMethods: [
+						"GET",
+						"HEAD",
+						"OPTIONS"
+					],
+					Compress: true,
+					CachedMethods: [
+						"GET",
+						"HEAD",
+						"OPTIONS"
+					],
+					/**
+					* Caching OPTIONS. Related to OriginRequestPolicyId property.
+					* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-cors
+					*/
+					OriginRequestPolicyId: ORIGIN_REQUEST_POLICY_ID,
+					/**
+					* CachePolicyId property:
+					* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-defaultcachebehavior.html#cfn-cloudfront-distribution-defaultcachebehavior-cachepolicyid
+					*/
+					CachePolicyId: CACHE_POLICY_ID,
+					ResponseHeadersPolicyId: ORIGIN_RESPONSE_POLICY_ID,
+					TargetOriginId: { Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+					ViewerProtocolPolicy: "redirect-to-https"
+				},
+				DefaultRootObject: "index.html",
+				Enabled: true,
+				HttpVersion: "http2",
+				Origins: [{
+					DomainName: { "Fn::GetAtt": [STATIC_APP_BUCKET_LOGICAL_ID, "DomainName"] },
+					Id: { Ref: STATIC_APP_BUCKET_LOGICAL_ID },
+					OriginAccessControlId: { "Fn::GetAtt": [CLOUDFRONT_ORIGIN_ACCESS_CONTROL_LOGICAL_ID, "Id"] },
+					/**
+					* Note: As of September 2022, an empty OriginAccessIdentity must be specified in S3OriginConfig.
+					*/
+					S3OriginConfig: { OriginAccessIdentity: "" }
+				}]
+			} }
+		},
+		[CLOUDFRONT_ORIGIN_ACCESS_CONTROL_LOGICAL_ID]: {
+			Type: "AWS::CloudFront::OriginAccessControl",
+			Properties: { OriginAccessControlConfig: {
+				Description: { "Fn::Sub": ["Default Origin Access Control for ${Project} project.", { Project: { Ref: "Project" } }] },
+				Name: { Ref: "AWS::StackName" },
+				OriginAccessControlOriginType: "s3",
+				SigningBehavior: "always",
+				SigningProtocol: "sigv4"
+			} }
+		}
+	};
+	if (acm) {
+		const acmCertificateArn = /^arn:aws:acm:[-a-z0-9]+:\d{12}:certificate\/[-a-z0-9]+$/.test(acm) ? acm : { "Fn::ImportValue": acm };
+		/**
+		* Add ACM to CloudFront template.
+		*/
+		if (!cloudFrontResources.CloudFrontDistribution.Properties) cloudFrontResources.CloudFrontDistribution.Properties = {};
+		cloudFrontResources.CloudFrontDistribution.Properties.DistributionConfig = {
+			...cloudFrontResources.CloudFrontDistribution.Properties.DistributionConfig,
+			Aliases: aliases || { Ref: "AWS::NoValue" },
+			ViewerCertificate: {
+				AcmCertificateArn: acmCertificateArn,
+				/**
+				* AWS CloudFront recommendation.
+				*/
+				MinimumProtocolVersion: "TLSv1.2_2021",
+				SslSupportMethod: "sni-only"
+			}
+		};
+	}
+	/**
+	* Add aliases to Route 53 records.
+	*/
+	if (hostedZoneName && aliases) {
+		const recordSets = aliases.map((alias) => {
+			if (alias === hostedZoneName) return {
+				AliasTarget: {
+					DNSName: { "Fn::GetAtt": `${CLOUDFRONT_DISTRIBUTION_LOGICAL_ID}.DomainName` },
+					/**
+					* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
+					*/
+					HostedZoneId: "Z2FDTNDATAQYW2"
+				},
+				Name: alias,
+				Type: "A"
+			};
+			return {
+				Name: alias,
+				ResourceRecords: [{ "Fn::GetAtt": `${CLOUDFRONT_DISTRIBUTION_LOGICAL_ID}.DomainName` }],
+				TTL: 60,
+				Type: "CNAME"
+			};
+		});
+		const route53RecordSetGroupResources = { [ROUTE_53_RECORD_SET_GROUP_LOGICAL_ID]: {
+			Type: "AWS::Route53::RecordSetGroup",
+			DependsOn: [CLOUDFRONT_DISTRIBUTION_LOGICAL_ID],
+			Properties: {
+				HostedZoneName: `${hostedZoneName}${hostedZoneName.endsWith(".") ? "" : "."}`,
+				RecordSets: recordSets
+			}
+		} };
+		template.Resources = {
+			...template.Resources,
+			...route53RecordSetGroupResources
+		};
+	}
+	template.Resources = {
+		...template.Resources,
+		...cloudFrontResources
+	};
+	/**
+	* Add aliases output to template.
+	*/
+	const aliasesOutput = (aliases || []).reduce((acc, alias, index) => {
+		return {
+			...acc,
+			[`Alias${index}URL`]: { Value: `https://${alias}` }
+		};
+	}, {});
+	if (appendIndexHtml) {
+		if (!template.Resources["CloudFrontDistribution"].Properties) template.Resources[CLOUDFRONT_DISTRIBUTION_LOGICAL_ID].Properties = {};
+		template.Resources[CLOUDFRONT_DISTRIBUTION_LOGICAL_ID].Properties.DistributionConfig.DefaultCacheBehavior.FunctionAssociations = [(
+		/**
+		* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-lambdafunctionassociation.html
+		*/
+		{
+			EventType: "viewer-request",
+			FunctionARN: { "Fn::ImportValue": BASE_STACK_CLOUDFRONT_FUNCTION_APPEND_INDEX_HTML_ARN_EXPORTED_NAME }
+		})];
+	}
+	/**
+	* Add CloudFront Distribution ID and CloudFront URL to template.
+	*/
+	template.Outputs = {
+		...template.Outputs,
+		...aliasesOutput,
+		CloudFrontURL: { Value: { "Fn::Join": ["", ["https://", { "Fn::GetAtt": `${CLOUDFRONT_DISTRIBUTION_LOGICAL_ID}.DomainName` }]] } },
+		CloudFrontDistributionId: { Value: { Ref: CLOUDFRONT_DISTRIBUTION_LOGICAL_ID } },
+		CurrentVersion: { Value: PACKAGE_VERSION }
+	};
+	return template;
+};
+const getStaticAppTemplate = ({ acm, aliases, appendIndexHtml, cloudfront, spa, hostedZoneName, region }) => {
+	if (cloudfront) return getCloudFrontTemplate({
+		acm,
+		aliases,
+		appendIndexHtml,
+		cloudfront,
+		spa,
+		hostedZoneName,
+		region
+	});
+	return getBucketStaticWebsiteTemplate({ spa });
+};
+//#endregion
+//#region src/deploy/staticApp/uploadBuiltAppToS3.ts
+const uploadBuiltAppToS3 = async ({ buildFolder: directory, bucket }) => {
+	/**
+	* Only empty directory if the number of the files inside $directory.
+	* If the number of files is zero, uploadDirectoryToS3 will thrown.
+	*/
+	if (directory) {
+		if ((await getAllFilesInsideADirectory({ directory })).length > 0) await deleteOldS3Files({
+			bucket,
+			retentionDays: 7
+		});
+		await uploadDirectoryToS3({
+			bucket,
+			directory
+		});
+		return;
+	}
+	const defaultDirectory = await findDefaultBuildFolder();
+	if (defaultDirectory) {
+		await deleteOldS3Files({
+			bucket,
+			retentionDays: 7
+		});
+		await uploadDirectoryToS3({
+			bucket,
+			directory: defaultDirectory
+		});
+		await copyRoot404To404Index({ bucket });
+		return;
+	}
+	throw new Error(`build-folder option wasn't provided and files weren't found in ${defaultBuildFolders.join(", ")} directories.`);
+};
+//#endregion
+//#region src/deploy/staticApp/deployStaticApp.ts
+const logPrefix$4 = "static-app";
+/**
+* 1. Create the stack name that will be passed to CloudFormation.
+* 1. Create a CloudFormation template based on the type of the deployment, and
+*    the options, for instance, only S3, SPA, with hosted zone...
+* 1. Create AWS resources using the templated created.
+* 1. Upload static files to the host bucket S3.
+* 1. Remove old deployment versions. Keep only the 3 most recent ones.
+*/
+const deployStaticApp = async ({ acm, aliases, appendIndexHtml, buildFolder, cloudfront, spa, hostedZoneName, region, skipUpload }) => {
+	try {
+		const { stackName } = await handleDeployInitialization({ logPrefix: logPrefix$4 });
+		const params = { StackName: stackName };
+		const template = getStaticAppTemplate({
+			acm,
+			aliases,
+			appendIndexHtml,
+			cloudfront,
+			spa,
+			hostedZoneName,
+			region
+		});
+		const bucket = await getStaticAppBucket({ stackName });
+		/**
+		* Stack already exists. Upload files first after changing the files routes
+		* because of the version changing.
+		*/
+		if (bucket) {
+			if (!skipUpload) await uploadBuiltAppToS3({
+				buildFolder,
+				bucket,
+				cloudfront
+			});
+			const { Outputs } = await deploy({
+				params,
+				template
+			});
+			await invalidateCloudFront({ outputs: Outputs });
+		} else {
+			/**
+			* Stack doesn't exist. Deploy CloudFormation first, get the bucket name,
+			* and upload files to S3.
+			*/
+			await deploy({
+				params,
+				template
+			});
+			const newBucket = await getStaticAppBucket({ stackName });
+			if (!newBucket) throw new Error(`Cannot find bucket at ${stackName}.`);
+			await uploadBuiltAppToS3({
+				buildFolder,
+				bucket: newBucket,
+				cloudfront
+			});
+		}
+	} catch (error) {
+		handleDeployError({
+			error,
+			logPrefix: logPrefix$4
+		});
+	}
+};
+//#endregion
+//#region src/deploy/staticApp/command.ts
+const options$4 = {
+	acm: {
+		describe: "The ARN of the certificate or the name of the exported variable whose value is the ARN of the certificate that will be associated to CloudFront.",
+		type: "string"
+	},
+	aliases: {
+		describe: "The aliases that will be associated with the CloudFront. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html",
+		implies: ["acm"],
+		type: "array"
+	},
+	"append-index-html": {
+		default: false,
+		describe: "This option appends the `index.html` to the request URI. This is useful when deploying a Docusaurus website, for example.",
+		type: "boolean"
+	},
+	"build-folder": {
+		describe: `The folder that will be uploaded. If not provided, it'll search for the folders "${defaultBuildFolders.join(", ")}."`,
+		type: "string"
+	},
+	cloudfront: {
+		default: false,
+		describe: "A CloudFront resource is created along with S3 if this option is `true`.",
+		require: false,
+		type: "boolean"
+	},
+	"hosted-zone-name": {
+		required: false,
+		describe: `Is the name of a Route 53 hosted zone. If this value is provided, ${NAME} creates the subdomains defined on \`--aliases\` option. E.g. if you have a hosted zone named "sub.domain.com", the value provided may be "sub.domain.com".`,
+		type: "string"
+	},
+	/**
+	* CloudFront triggers can be only in US East (N. Virginia) Region.
+	* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-requirements-cloudfront-triggers
+	*/
+	region: {
+		coerce: () => {
+			return CLOUDFRONT_REGION;
+		},
+		default: CLOUDFRONT_REGION,
+		hidden: true,
+		type: "string"
+	},
+	"skip-upload": {
+		default: false,
+		describe: "Skip files upload to S3. Useful when wanting update only CloudFormation.",
+		type: "boolean"
+	},
+	spa: {
+		default: false,
+		describe: "This option enables CloudFront to serve a single page application (SPA).",
+		require: false,
+		type: "boolean"
+	}
+};
+const deployStaticAppCommand = {
+	command: "static-app",
+	describe: "Deploy static app.",
+	builder: (yargs) => {
+		return yargs.options(addGroupToOptions(options$4, "Deploy Static App Options")).middleware(() => {
+			AWS.config.region = CLOUDFRONT_REGION;
+		});
+	},
+	handler: ({ destroy, ...rest }) => {
+		if (destroy) destroyCloudFormation();
+		else deployStaticApp(rest);
+	}
+};
+//#endregion
+//#region src/deploy/vm/command.options.ts
+const options$3 = {
+	"user-name": {
+		demandOption: true,
+		describe: "SSH user name to connect to the VM (e.g., ec2-user, ubuntu)",
+		type: "string"
+	},
+	host: {
+		demandOption: true,
+		describe: "VM host IP address or DNS name",
+		type: "string"
+	},
+	port: {
+		describe: "SSH port (default: 22)",
+		type: "number",
+		default: 22
+	},
+	"key-path": {
+		describe: "Path to the SSH private key file (.pem)",
+		type: "string"
+	},
+	password: {
+		describe: "SSH password (use key-path for better security)",
+		type: "string"
+	},
+	"script-path": {
+		demandOption: true,
+		describe: "Path to the deployment script to execute on the VM",
+		type: "string"
+	},
+	"fix-permissions": {
+		describe: "Automatically fix SSH key permissions if too open",
+		type: "boolean",
+		default: false
+	}
+};
+//#endregion
+//#region src/deploy/vm/VMconnection.ts
+/**
+* Generates an SSH command array for key-based authentication.
+* @param userName - SSH username for the connection.
+* @param host - Remote host address or hostname.
+* @param keyPath - Optional path to the SSH private key file.
+* @param port - SSH port (default: 22).
+* @returns Array of command parts for spawning SSH process.
+*/
+const generateSSHCommand = ({ userName, host, keyPath, port }) => {
+	const commandParts = ["ssh", "-T"];
+	if (keyPath) commandParts.push("-i", keyPath);
+	if (port && port !== 22) commandParts.push("-p", port.toString());
+	commandParts.push(`${userName}@${host}`, "bash -s");
+	return commandParts;
+};
+/**
+* Generate an SSH command configuration that uses password-based authentication
+* with the native `ssh` client.
+*
+* ⚠️ **IMPORTANT LIMITATION**: This implementation may not work reliably because
+* SSH's password prompt reads directly from `/dev/tty`, not from stdin. Writing
+* the password to stdin will likely fail. To support password authentication
+* properly, consider using utilities like `sshpass` or SSH libraries like
+* `node-ssh` or `ssh2` that handle interactive password prompts correctly.
+*
+* The password is **not** embedded in the command line; instead, it is returned
+* separately and is expected to be written to the SSH process stdin when the
+* client prompts for a password. This avoids exposing the password in process
+* listings but still relies on password authentication, which is generally less
+* secure than key-based authentication.
+*
+* **Recommendation**: Use key-based authentication with `generateSSHCommand` instead.
+*/
+const generateSSHCommandWithPwd = ({ userName, host, password, port }) => {
+	const commandParts = [
+		"ssh",
+		"-o",
+		"PubkeyAuthentication=no",
+		"-o",
+		"PreferredAuthentications=password"
+	];
+	if (port && port !== 22) commandParts.push("-p", port.toString());
+	commandParts.push(`${userName}@${host}`, "bash -s");
+	return {
+		command: commandParts,
+		password
+	};
+};
+//#endregion
+//#region src/deploy/vm/deployVM.ts
+const logPrefix$3 = "deploy-vm";
+const deployVM = async ({ userName, host, scriptPath, keyPath, password, port, fixPermissions = false }) => {
+	if (!userName || !host || !scriptPath) throw new Error("Missing required parameters: userName, host, scriptPath");
+	return new Promise((resolve, reject) => {
+		if (!keyPath && !password) throw new Error(`Authentication method required. Provide either --key-path for SSH key authentication or --password for password authentication.`);
+		if (keyPath && !existsSync(keyPath)) throw new Error(`SSH key not found at ${keyPath}`);
+		if (keyPath) try {
+			const permissions = statSync(keyPath).mode & 511;
+			if (!(permissions === 256 || permissions === 384)) {
+				const permissionStr = permissions.toString(8);
+				const fixCommand = `chmod 400 ${keyPath}`;
+				if (fixPermissions) {
+					log.info(logPrefix$3, `Fixing SSH key permissions: ${keyPath} (${permissionStr} → 400)`);
+					chmodSync(keyPath, 256);
+					log.info(logPrefix$3, `Permissions set to 400 (read-only by owner)`);
+				} else {
+					log.error(logPrefix$3, `SSH key permissions too open: ${permissionStr} (octal)`);
+					log.error(logPrefix$3, `SSH requires permissions 400 or 600`);
+					log.error(logPrefix$3, `Fix manually: ${fixCommand}`);
+					log.error(logPrefix$3, `Or run with: --fix-permissions`);
+					throw new Error(`Invalid SSH key permissions: ${permissionStr}. Expected 400 or 600.`);
+				}
+			} else log.info(logPrefix$3, `SSH key permissions OK: ${permissions.toString(8)}`);
+		} catch (error) {
+			if (error instanceof Error) {
+				if (error.message.includes("Invalid SSH key permissions")) throw error;
+				log.warn(logPrefix$3, `Warning: Could not check key permissions: ${error.message}`);
+			} else log.warn(logPrefix$3, "Warning: Could not check key permissions: Unknown error");
+		}
+		let sshCommand;
+		let sshPassword;
+		if (keyPath) sshCommand = generateSSHCommand({
+			userName,
+			host,
+			keyPath,
+			port
+		});
+		else {
+			if (!password) throw new Error("Password authentication selected but no password was provided.");
+			const result = generateSSHCommandWithPwd({
+				userName,
+				host,
+				password,
+				port
+			});
+			sshCommand = result.command;
+			sshPassword = result.password;
+		}
+		const sshProcess = spawn(sshCommand[0], sshCommand.slice(1), { stdio: [
+			"pipe",
+			"inherit",
+			"inherit"
+		] });
+		const validateStdin = (stdin) => {
+			if (!stdin) {
+				log.error(logPrefix$3, "SSH process stdin is null or undefined");
+				return false;
+			}
+			if (stdin.destroyed) {
+				log.error(logPrefix$3, "SSH process stdin has been destroyed");
+				return false;
+			}
+			if (!stdin.writable) {
+				log.error(logPrefix$3, "SSH process stdin is not writable");
+				return false;
+			}
+			return true;
+		};
+		if (!validateStdin(sshProcess.stdin)) {
+			reject(/* @__PURE__ */ new Error("SSH process stdin is not available or not writable"));
+			return;
+		}
+		if (!existsSync(scriptPath)) {
+			const message = `Deployment script not found at path: ${scriptPath}`;
+			log.error(logPrefix$3, message);
+			reject(new Error(message));
+			return;
+		}
+		const deployScript = createReadStream(scriptPath);
+		if (sshPassword) sshProcess.stdin.write(sshPassword + "\n");
+		deployScript.pipe(sshProcess.stdin);
+		const sigintHandler = () => {
+			log.info(logPrefix$3, "Interrupting deployment...");
+			sshProcess.kill("SIGINT");
+			process.exit(130);
+		};
+		process.on("SIGINT", sigintHandler);
+		const cleanup = () => {
+			process.removeListener("SIGINT", sigintHandler);
+		};
+		sshProcess.on("close", (code) => {
+			cleanup();
+			if (code === 0) resolve();
+			else reject(/* @__PURE__ */ new Error(`Deploy failed with code ${code}`));
+		});
+		sshProcess.on("error", (error) => {
+			cleanup();
+			reject(error);
+		});
+	});
+};
+//#endregion
+//#region src/deploy/vm/command.ts
+const logPrefix$2 = "deploy-vm";
+const deployVMCommand = {
+	command: "vm",
+	describe: "Deploy to a VM via SSH by executing a deployment script",
+	builder: (yargs) => {
+		return yargs.options(addGroupToOptions(options$3, "Deploy VM Options"));
+	},
+	handler: async ({ userName, host, port, keyPath, scriptPath, password, fixPermissions }) => {
+		try {
+			await deployVM({
+				userName,
+				host,
+				scriptPath,
+				keyPath,
+				password,
+				port,
+				fixPermissions
+			});
+			log.info(logPrefix$2, "Deployment completed successfully!");
+		} catch (error) {
+			log.error(logPrefix$2, "Deployment failed: %s", error.message);
+			process.exit(1);
+		}
+	}
+};
+//#endregion
+//#region src/deploy/command.ts
+const logPrefix$1 = "deploy";
+const checkAwsAccountId = async (awsAccountId) => {
+	try {
+		const currentAwsAccountId = await getAwsAccountId();
+		if (String(awsAccountId) !== String(currentAwsAccountId)) throw new Error(`AWS account id does not match. Current is "${currentAwsAccountId}" but the defined in configuration files is "${awsAccountId}".`);
+	} catch (error) {
+		if (error.code === "CredentialsError")
+ /**
+		* No credentials found.
+		*/
+		return;
+		log.error(logPrefix$1, error.message);
+		process.exit();
+	}
+};
+const reportDeployCommand = {
+	command: "report",
+	describe: "Report the outputs of the deployment.",
+	builder: (yargs) => {
+		return yargs.options({ channel: {
+			choices: ["github-pr"],
+			describe: "Report deploy outputs to the specified channel. Use \"github-pr\" to post or update a PR comment with all workspace deploy outputs.",
+			type: "string"
+		} });
+	},
+	handler: async ({ stackName, channel }) => {
+		try {
+			if (channel === "github-pr") {
+				await reportToGitHubPR();
+				return;
+			}
+			await printStackOutputsAfterDeploy({ stackName: stackName || await getStackName() });
+		} catch (error) {
+			log.info(logPrefix$1, "Cannot report stack. Message: %s", error.message);
+		}
+	}
+};
+const options$2 = {
+	"aws-account-id": {
+		describe: "AWS account id associated with the deployment.",
+		type: "string"
+	},
+	destroy: {
+		default: false,
+		describe: "Destroy the deployment. You cannot destroy a deploy when \"environment\" is defined.",
+		type: "boolean"
+	},
+	"lambda-dockerfile": {
+		coerce: (arg) => {
+			return readDockerfile(arg);
+		},
+		default: "Dockerfile",
+		describe: "Instructions to create the Lambda image.",
+		type: "string"
+	},
+	"lambda-image": {
+		default: false,
+		describe: "A Lambda image will be created instead using S3.",
+		type: "boolean"
+	},
+	"lambda-external": {
+		default: [],
+		describe: "External modules that will not be bundled in the Lambda code.",
+		type: "array"
+	},
+	"lambda-entry-points-base-dir": {
+		default: "src",
+		describe: "Base directory for Lambda entry points.",
+		type: "string"
+	},
+	"lambda-entry-points": {
+		default: [],
+		describe: "This is an array of files that each serve as an input to the bundling algorithm for Lambda functions.",
+		type: "string"
+	},
+	"lambda-format": {
+		choices: ["esm", "cjs"],
+		default: "esm",
+		describe: "Lambda code format.",
+		type: "string"
+	},
+	"lambda-outdir": {
+		default: "out",
+		describe: "Output directory for built Lambda code.",
+		type: "string"
+	},
+	"lambda-runtime": {
+		choices: [
+			"nodejs20.x",
+			"nodejs22.x",
+			"nodejs24.x"
+		],
+		default: "nodejs24.x",
+		describe: "Node.js runtime for Lambda functions.",
+		type: "string"
+	},
+	/**
+	* This option has the format to match [CloudFormation parameter](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_Parameter.html).
+	*
+	* ```ts
+	* {
+	*  key: string,
+	*  value: string,
+	*  usePreviousValue: boolean,
+	*  resolvedValue: string
+	* }[]
+	* ```
+	*
+	* For example:
+	*
+	* ```ts
+	* [
+	*  {
+	*    key: 'key1',
+	*    value: 'value1',
+	*  },
+	*  {
+	*    key: 'key2',
+	*    value: 'value2',
+	*  }
+	* ]
+	* ```
+	*
+	* If you want to simplify the usage, you can pass a object with key and value only:
+	*
+	* ```ts
+	* {
+	*  key1: 'value1',
+	*  key2: 'value2'
+	* }
+	* ```
+	*/
+	parameters: {
+		alias: "p",
+		coerce: (arg) => {
+			if (Array.isArray(arg)) return arg;
+			if (typeof arg === "object") return Object.entries(arg).map(([key, value]) => {
+				return {
+					key,
+					value
+				};
+			});
+			return [];
+		},
+		default: [],
+		describe: "A list of parameters that will be passed to CloudFormation Parameters when deploying."
+	},
+	"skip-deploy": {
+		alias: "skip",
+		default: false,
+		describe: "Skip the deploy command.",
+		type: "boolean"
+	},
+	"stack-name": {
+		describe: "Set the stack name.",
+		type: "string"
+	},
+	"template-path": {
+		alias: "t",
+		describe: "Path to the CloudFormation template.",
+		type: "string"
+	}
+};
+const examples = [
+	["carlin deploy -t src/cloudformation.template1.yml", "Change the CloudFormation template path."],
+	["carlin deploy -e Production", "Set environment."],
+	["carlin deploy --lambda-externals momentjs", "Lambda exists. Don't bundle momentjs."],
+	["carlin deploy --lambda-runtime nodejs20.x", "Use Node.js 20.x runtime for Lambda functions."],
+	["carlin deploy --destroy --stack-name StackToBeDeleted", "Destroy a specific stack."]
+];
+const deployCommand = {
+	command: "deploy [deploy]",
+	describe: "Deploy cloud resources.",
+	builder: (yargsBuilder) => {
+		yargsBuilder.example(examples).options(addGroupToOptions(options$2, "Deploy Options")).middleware(({ stackName }) => {
+			if (stackName) setPreDefinedStackName(stackName);
+		}).middleware((argv) => {
+			if (argv.lambdaDockerfile) Object.assign(argv, { lambdaImage: true });
+		}).middleware(async ({ environments, environment, awsAccountId: defaultAwsAccountId }) => {
+			const envAwsAccountId = (() => {
+				return environments && environment && environments[environment] ? environments[environment].awsAccountId : void 0;
+			})();
+			if (envAwsAccountId) await checkAwsAccountId(envAwsAccountId);
+			if (defaultAwsAccountId) await checkAwsAccountId(defaultAwsAccountId);
+		}).middleware(({ skipDeploy }) => {
+			if (skipDeploy) {
+				log.warn(logPrefix$1, "Skip deploy flag is true, then the deploy command wasn't executed.");
+				process.exit(0);
+			}
+		}).middleware(({ lambdaExternals, lambdaInput }) => {
+			if (lambdaInput) throw new Error("Option \"lambdaInput\" was removed. Please use \"lambdaEntryPoints\" instead.");
+			if (lambdaExternals) throw new Error("Option \"lambdaExternals\" was removed. Please use \"lambdaExternal\" instead.");
+		});
+		const commands = [
+			deployLambdaLayerCommand,
+			reportDeployCommand,
+			deployBaseStackCommand,
+			deployStaticAppCommand,
+			deployCicdCommand,
+			deployVMCommand
+		];
+		yargsBuilder.positional("deploy", {
+			choices: commands.map(({ command }) => {
+				return command;
+			}),
+			describe: "Deploy command.",
+			type: "string"
+		});
+		for (const command of commands) yargsBuilder.command(command);
+		return yargsBuilder;
+	},
+	handler: ({ destroy, ...rest }) => {
+		if (destroy) destroyCloudFormation();
+		else deployCloudFormation(rest);
+	}
+};
+//#endregion
+//#region src/generateEnv/generateEnv.ts
+const logPrefix = "generate-env";
+const readEnvFile = async ({ envFileName, envsPath }) => {
+	try {
+		return await fs$3.promises.readFile(path$2.resolve(process.cwd(), envsPath, envFileName), "utf8");
+	} catch {
+		return;
+	}
+};
+const writeEnvFile = async ({ envFileName, content }) => {
+	return fs$3.promises.writeFile(path$2.resolve(process.cwd(), envFileName), content);
+};
+const readDeployOutputLines = async ({ envFromDeployOutputs }) => {
+	const lines = [];
+	for (const { dir, variables } of envFromDeployOutputs) {
+		const latestDeployPath = path$2.resolve(process.cwd(), dir, ".carlin", LATEST_DEPLOY_OUTPUTS_FILENAME);
+		let latestDeploy;
+		try {
+			const raw = await fs$3.promises.readFile(latestDeployPath, "utf8");
+			latestDeploy = JSON.parse(raw);
+		} catch {
+			log.warn(logPrefix, "Could not read latest-deploy.json from %s. Skipping.", latestDeployPath);
+			continue;
+		}
+		const outputs = latestDeploy.outputs ?? {};
+		for (const [envVarName, outputPath] of Object.entries(variables)) {
+			const dotIndex = outputPath.indexOf(".");
+			const outputKey = dotIndex === -1 ? outputPath : outputPath.slice(0, dotIndex);
+			const field = dotIndex === -1 ? "OutputValue" : outputPath.slice(dotIndex + 1);
+			const outputValue = outputs[outputKey]?.[field];
+			if (outputValue === void 0) {
+				log.warn(logPrefix, "Output path \"%s\" not found in %s. Skipping %s.", outputPath, latestDeployPath, envVarName);
+				continue;
+			}
+			lines.push(`${envVarName}=${outputValue}`);
+		}
+	}
+	return lines;
+};
+/**
+* Generate environment for packages using `carlin`. If [environment](/docs/CLI#environment)
+* isn't defined, `carlin` will read `.env.Staging` file if exists and write
+* `.env` file. If it's `Environment`, it'll read `.env.Environment` file instead.
+* For example, if `environment` is `Production`, `carlin` will read `.env.Production`
+*/
+const generateEnv = async ({ defaultEnvironment, envFromDeployOutputs, path: envsPath }) => {
+	const envFileName = `.env.${getEnvironment() || defaultEnvironment}`;
+	const envFile = await readEnvFile({
+		envFileName,
+		envsPath
+	});
+	if (!envFile) {
+		log.info(logPrefix, "Env file %s doesn't exist. Skip generating env file.", envFileName);
+		return;
+	}
+	const deployOutputLines = envFromDeployOutputs && envFromDeployOutputs.length > 0 ? await readDeployOutputLines({ envFromDeployOutputs }) : [];
+	const deployOutputKeys = new Set(deployOutputLines.map((line) => {
+		return line.split("=")[0];
+	}));
+	const filteredEnvFile = envFile.split("\n").filter((line) => {
+		const trimmed = line.trim();
+		if (!trimmed || trimmed.startsWith("#")) return true;
+		const key = trimmed.split("=")[0].trim();
+		return !deployOutputKeys.has(key);
+	}).join("\n");
+	await writeEnvFile({
+		content: deployOutputLines.length > 0 ? `${filteredEnvFile}\n${deployOutputLines.join("\n")}\n` : envFile,
+		envFileName: ".env"
+	});
+	log.info(logPrefix, "Generate env file %s from %s successfully.", ".env", envFileName);
+};
+const options$1 = {
+	"default-environment": {
+		alias: "d",
+		type: "string",
+		describe: "Default environment.",
+		default: "Staging"
+	},
+	path: {
+		alias: "p",
+		type: "string",
+		describe: "Path to the directory where envs files are located.",
+		default: "./"
+	}
+};
+const generateEnvCommand = {
+	command: [
+		"generate-env",
+		"ge",
+		"env"
+	],
+	describe: "Generate environment files.",
+	builder: (yargs) => {
+		return yargs.options(options$1);
+	},
+	handler: (args) => {
+		return generateEnv(args);
+	}
+};
+//#endregion
+//#region src/cli.ts
+const coerceSetEnvVar = (env) => {
+	return (value) => {
+		setEnvVar(env, value);
+		return value;
+	};
+};
+const options = {
+	branch: {
+		coerce: coerceSetEnvVar("BRANCH"),
+		require: false,
+		type: "string"
+	},
+	config: {
+		alias: "c",
+		describe: "Path to config file. You can create a config file and set all options there. Valid extensions: .js, .json, .ts, .yml, or .yaml.",
+		require: false,
+		type: "string"
+	},
+	environment: {
+		alias: ["e", "env"],
+		coerce: coerceSetEnvVar("ENVIRONMENT"),
+		type: "string"
+	},
+	environments: {},
+	project: {
+		coerce: coerceSetEnvVar("PROJECT"),
+		require: false,
+		type: "string"
+	},
+	region: {
+		alias: "r",
+		default: AWS_DEFAULT_REGION,
+		describe: "AWS region.",
+		type: "string"
+	}
+};
+/**
+* You can also provide the options creating a property name `carlin`
+* inside your `package.json`.
+*/
+const getPkgConfig = () => {
+	return NAME;
+};
+/**
+* You can set the options as environment variables matching the prefix
+* `CARLIN`. The examples below are equivalent:
+*
+* - `carlin deploy --stack-name MyStackName`
+* - `CARLIN_STACK_NAME=MyStackName carlin deploy`
+*
+* `ENVIRONMENT` is a special case because it is used to set the `environment`
+* option, as well `CARLIN_ENVIRONMENT`. The examples below are
+* equivalent:
+*
+* - `carlin deploy --environment Production`
+* - `CARLIN_ENVIRONMENT=Production carlin deploy`
+* - `ENVIRONMENT=Production carlin deploy`
+*/
+const getEnv = () => {
+	return constantCase(NAME);
+};
+const normalizeConfigOptionValue = ({ value }) => {
+	if (!value || value === "undefined") return;
+	return value;
+};
+const getArgValue = ({ args, names }) => {
+	for (const [index, arg] of args.entries()) {
+		const equalSignName = names.find((name) => {
+			return arg.startsWith(`${name}=`);
+		});
+		if (equalSignName) return normalizeConfigOptionValue({ value: arg.slice(equalSignName.length + 1) });
+		if (names.includes(arg)) return normalizeConfigOptionValue({ value: args[index + 1] });
+	}
+};
+const getConfigFileOptions = ({ args = hideBin(process.argv) } = {}) => {
+	return {
+		branch: getArgValue({
+			args,
+			names: ["--branch"]
+		}) || process.env.CARLIN_BRANCH,
+		environment: getArgValue({
+			args,
+			names: [
+				"--environment",
+				"--env",
+				"-e"
+			]
+		}) || process.env.CARLIN_ENVIRONMENT || process.env.ENVIRONMENT,
+		project: getArgValue({
+			args,
+			names: ["--project"]
+		}) || process.env.CARLIN_PROJECT
+	};
+};
+const getConfigFileNames = () => {
+	return [
+		"ts",
+		"js",
+		"yml",
+		"yaml",
+		"json"
+	].map((ext) => {
+		return `${NAME}.${ext}`;
+	});
+};
+const findConfigFilePaths = () => {
+	const names = getConfigFileNames();
+	const paths = [];
+	let currentPath = process.cwd();
+	let findUpPath;
+	do {
+		findUpPath = findUpSync(names, { cwd: currentPath });
+		if (findUpPath) {
+			currentPath = path.resolve(findUpPath, "../..");
+			paths.push(findUpPath);
+		}
+	} while (findUpPath);
+	return paths;
+};
+/**
+* If `--config` isn't provided, Carlin searches for config files named
+* `carlin.ts`, `carlin.js`, `carlin.yml`, `carlin.yaml`, or `carlin.json`.
+* In monorepos, files from parent directories are merged first, so the nearest
+* config file takes precedence over shared root configuration.
+*/
+const readConfigFiles = () => {
+	const configs = findConfigFilePaths().map((configFilePath) => {
+		return readConfigFileSync({
+			configFilePath,
+			options: getConfigFileOptions()
+		}) || {};
+	});
+	return deepMerge.all(configs.reverse());
+};
+/**
+* Load the appropriate .env file. If an environment is specified (e.g. `-e
+* Production`) and a `.env.Production` file exists, load only that file so
+* environment-specific values are authoritative and nothing from a generic
+* `.env` can bleed through. Fall back to `.env` when no environment-specific
+* file is found or when no environment is specified.
+*/
+const loadDotEnv = () => {
+	const { environment } = getConfigFileOptions();
+	if (environment) {
+		if (dotenv.config({ path: path.resolve(process.cwd(), `.env.${environment}`) }).error) dotenv.config();
+	} else dotenv.config();
+};
+const syncEnvironmentOption = (argv) => {
+	const finalEnvironment = argv.environment || process.env.ENVIRONMENT;
+	if (finalEnvironment) {
+		setEnvVar("ENVIRONMENT", finalEnvironment);
+		const envEntries = ["environment", ...options.environment.alias].map((key) => {
+			return [key, finalEnvironment];
+		});
+		Object.assign(argv, Object.fromEntries(envEntries));
+	}
+};
+/**
+* Transformed to method because finalConfig was failing the tests because as
+* function we encapsulate the logic and it is not executed on the import.
+*/
+const cli = () => {
+	loadDotEnv();
+	let finalConfig;
+	const getConfig = () => {
+		return finalConfig = readConfigFiles();
+	};
+	const handleEnvironments = (argv, { parsed }) => {
+		const { environment, environments } = argv;
+		if (environment && environments && environments[environment]) {
+			for (const [key, value] of Object.entries(environments[environment])) if (!(() => {
+				const kebabCaseKey = kebabCase(key);
+				if (parsed?.defaulted?.[kebabCaseKey]) return false;
+				if (deepEqual(argv[key], finalConfig[key])) return false;
+				return true;
+			})()) argv[key] = value;
+		}
+	};
+	return yargs(hideBin(process.argv)).strictCommands().scriptName(NAME).env(getEnv()).options(addGroupToOptions(options, "Common Options")).middleware(syncEnvironmentOption).middleware(handleEnvironments).middleware(({ environment }) => {
+		if (!["string", "undefined"].includes(typeof environment)) throw new Error(`environment type is invalid. The value: ${JSON.stringify(environment)}`);
+	}).middleware(({ region }) => {
+		AWS.config.region = region;
+		setEnvVar("REGION", region);
+	}).pkgConf(getPkgConfig()).config(getConfig()).config("config", (configFilePath) => {
+		return readConfigFileSync({
+			configFilePath,
+			options: getConfigFileOptions()
+		});
+	}).command({
+		command: "print-args",
+		describe: false,
+		handler: (argv) => {
+			return console.log(JSON.stringify(argv, null, 2));
+		}
+	}).command(deployCommand).command(ecsTaskReportCommand).command(generateEnvCommand).epilogue("For more information, read our docs at https://ttoss.dev/docs/carlin/").help();
+};
+//#endregion
+//#region src/index.ts
+cli().parse();
+//#endregion
+export {};