raindancers-cloudfront 0.0.0

package/lib/cloudfront/auth/authLambdaFunctions.js

@@ -0,0 +1,159 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthLambdaFunctions = void 0;
+const path = __importStar(require("path"));
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class AuthLambdaFunctions extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.logGroups = [];
+        const copySecretLogGroup = new aws_cdk_lib_1.aws_logs.LogGroup(this, 'CopySecretLogGroup', {
+            retention: props.logRetentionDays,
+            encryptionKey: props.kmsKey,
+        });
+        this.logGroups.push(copySecretLogGroup);
+        this.copySecretLambda = new aws_cdk_lib_1.aws_lambda.Function(this, 'CopySecretToKVS', {
+            runtime: aws_cdk_lib_1.aws_lambda.Runtime.PYTHON_3_12,
+            handler: 'index.handler',
+            timeout: core.Duration.seconds(30),
+            logGroup: copySecretLogGroup,
+            code: aws_cdk_lib_1.aws_lambda.Code.fromAsset(path.join(__dirname, '../lambda/hmacSecret'), {
+                bundling: {
+                    image: aws_cdk_lib_1.aws_lambda.Runtime.PYTHON_3_12.bundlingImage,
+                    command: [
+                        'bash', '-c',
+                        'pip install -r requirements.txt -t /asset-output && cp -au . /asset-output',
+                    ],
+                },
+            }),
+        });
+        props.configSecret.grantRead(this.copySecretLambda);
+        props.kmsKey.grantDecrypt(this.copySecretLambda);
+        this.copySecretLambda.addToRolePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            actions: ['cloudfront-keyvaluestore:PutKey', 'cloudfront-keyvaluestore:DescribeKeyValueStore'],
+            resources: [props.kvs.keyValueStoreArn],
+        }));
+        const secretCopyResource = new aws_cdk_lib_1.CustomResource(this, 'SecretCopyResource', {
+            serviceToken: this.copySecretLambda.functionArn,
+            properties: {
+                SecretArn: props.configSecret.secretArn,
+                KvsArn: props.kvs.keyValueStoreArn,
+                Timestamp: Date.now().toString(),
+            },
+        });
+        secretCopyResource.node.addDependency(props.kvs);
+        secretCopyResource.node.addDependency(props.configSecret);
+        const rotateSecretLogGroup = new aws_cdk_lib_1.aws_logs.LogGroup(this, 'RotateSecretLogGroup', {
+            retention: props.logRetentionDays,
+            encryptionKey: props.kmsKey,
+        });
+        this.logGroups.push(rotateSecretLogGroup);
+        const rotationSchedule = props.rotationSchedule ?? core.Duration.hours(6);
+        this.rotateSecretLambda = new aws_cdk_lib_1.aws_lambda.Function(this, 'RotateSecret', {
+            runtime: aws_cdk_lib_1.aws_lambda.Runtime.PYTHON_3_12,
+            handler: 'index.handler',
+            timeout: core.Duration.seconds(30),
+            logGroup: rotateSecretLogGroup,
+            code: aws_cdk_lib_1.aws_lambda.Code.fromAsset(path.join(__dirname, '../lambda/rotateSecret')),
+            environment: {
+                SECRET_ARN: props.configSecret.secretArn,
+                COPY_LAMBDA_ARN: this.copySecretLambda.functionArn,
+                KVS_ARN: props.kvs.keyValueStoreArn,
+            },
+        });
+        props.configSecret.grantRead(this.rotateSecretLambda);
+        props.configSecret.grantWrite(this.rotateSecretLambda);
+        props.kmsKey.grantEncryptDecrypt(this.rotateSecretLambda);
+        this.copySecretLambda.grantInvoke(this.rotateSecretLambda);
+        new aws_cdk_lib_1.aws_events.Rule(this, 'RotationSchedule', {
+            schedule: aws_cdk_lib_1.aws_events.Schedule.rate(rotationSchedule),
+            targets: [new aws_cdk_lib_1.aws_events_targets.LambdaFunction(this.rotateSecretLambda)],
+        });
+        const streamProcessorLogGroup = new aws_cdk_lib_1.aws_logs.LogGroup(this, 'StreamProcessorLogGroup', {
+            retention: props.logRetentionDays,
+            encryptionKey: props.kmsKey,
+        });
+        this.logGroups.push(streamProcessorLogGroup);
+        this.streamProcessorLambda = new aws_cdk_lib_1.aws_lambda.Function(this, 'StreamProcessor', {
+            runtime: aws_cdk_lib_1.aws_lambda.Runtime.PYTHON_3_12,
+            handler: 'index.lambda_handler',
+            timeout: core.Duration.seconds(60),
+            logGroup: streamProcessorLogGroup,
+            code: aws_cdk_lib_1.aws_lambda.Code.fromAsset(path.join(__dirname, '../lambda/stream-processor')),
+            environment: {
+                KVS_ARN: props.kvs.keyValueStoreArn,
+            },
+        });
+        this.streamProcessorLambda.addEventSource(new aws_cdk_lib_1.aws_lambda_event_sources.DynamoEventSource(props.authTable, {
+            startingPosition: aws_cdk_lib_1.aws_lambda.StartingPosition.LATEST,
+            batchSize: 100,
+            retryAttempts: 3,
+        }));
+        this.streamProcessorLambda.addToRolePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            actions: ['cloudfront-keyvaluestore:DeleteKey', 'cloudfront-keyvaluestore:DescribeKeyValueStore'],
+            resources: [props.kvs.keyValueStoreArn],
+        }));
+        if (props.sessionRevocationTopicArn) {
+            const sessionRevocationLogGroup = new aws_cdk_lib_1.aws_logs.LogGroup(this, 'SessionRevocationLogGroup', {
+                retention: props.logRetentionDays,
+                encryptionKey: props.kmsKey,
+            });
+            this.logGroups.push(sessionRevocationLogGroup);
+            this.sessionRevocationLambda = new aws_cdk_lib_1.aws_lambda.Function(this, 'SessionRevocation', {
+                runtime: aws_cdk_lib_1.aws_lambda.Runtime.PYTHON_3_12,
+                handler: 'index.lambda_handler',
+                timeout: core.Duration.seconds(60),
+                logGroup: sessionRevocationLogGroup,
+                code: aws_cdk_lib_1.aws_lambda.Code.fromAsset(path.join(__dirname, '../lambda/session-revocation')),
+                environment: {
+                    TABLE_NAME: props.authTable.tableName,
+                    KVS_ARN: props.kvs.keyValueStoreArn,
+                },
+            });
+            props.authTable.grantReadWriteData(this.sessionRevocationLambda);
+            this.sessionRevocationLambda.addToRolePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+                actions: ['cloudfront-keyvaluestore:PutKey', 'cloudfront-keyvaluestore:DescribeKeyValueStore'],
+                resources: [props.kvs.keyValueStoreArn],
+            }));
+            const revocationTopic = aws_cdk_lib_1.aws_sns.Topic.fromTopicArn(this, 'RevocationTopic', props.sessionRevocationTopicArn);
+            revocationTopic.addSubscription(new aws_cdk_lib_1.aws_sns_subscriptions.LambdaSubscription(this.sessionRevocationLambda));
+        }
+    }
+}
+exports.AuthLambdaFunctions = AuthLambdaFunctions;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aExhbWJkYUZ1bmN0aW9ucy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jbG91ZGZyb250L2F1dGgvYXV0aExhbWJkYUZ1bmN0aW9ucy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSwyQ0FBNkI7QUFDN0Isa0RBQW9DO0FBQ3BDLDZDQWNxQjtBQUNyQix1REFBeUM7QUFZekMsTUFBYSxtQkFBb0IsU0FBUSxVQUFVLENBQUMsU0FBUztJQU8zRCxZQUFZLEtBQTJCLEVBQUUsRUFBVSxFQUFFLEtBQStCO1FBQ2xGLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsSUFBSSxDQUFDLFNBQVMsR0FBRyxFQUFFLENBQUM7UUFFcEIsTUFBTSxrQkFBa0IsR0FBRyxJQUFJLHNCQUFJLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxvQkFBb0IsRUFBRTtZQUN2RSxTQUFTLEVBQUUsS0FBSyxDQUFDLGdCQUFzQztZQUN2RCxhQUFhLEVBQUUsS0FBSyxDQUFDLE1BQU07U0FDNUIsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsQ0FBQztRQUV4QyxJQUFJLENBQUMsZ0JBQWdCLEdBQUcsSUFBSSx3QkFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsaUJBQWlCLEVBQUU7WUFDbkUsT0FBTyxFQUFFLHdCQUFNLENBQUMsT0FBTyxDQUFDLFdBQVc7WUFDbkMsT0FBTyxFQUFFLGVBQWU7WUFDeEIsT0FBTyxFQUFFLElBQUksQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUNsQyxRQUFRLEVBQUUsa0JBQWtCO1lBQzVCLElBQUksRUFBRSx3QkFBTSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEVBQUUsc0JBQXNCLENBQUMsRUFBRTtnQkFDeEUsUUFBUSxFQUFFO29CQUNSLEtBQUssRUFBRSx3QkFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUMsYUFBYTtvQkFDL0MsT0FBTyxFQUFFO3dCQUNQLE1BQU0sRUFBRSxJQUFJO3dCQUNaLDRFQUE0RTtxQkFDN0U7aUJBQ0Y7YUFDRixDQUFDO1NBQ0gsQ0FBQyxDQUFDO1FBRUgsS0FBSyxDQUFDLFlBQVksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDcEQsS0FBSyxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDakQsSUFBSSxDQUFDLGdCQUFnQixDQUFDLGVBQWUsQ0FBQyxJQUFJLHFCQUFHLENBQUMsZUFBZSxDQUFDO1lBQzVELE9BQU8sRUFBRSxDQUFDLGlDQUFpQyxFQUFFLGdEQUFnRCxDQUFDO1lBQzlGLFNBQVMsRUFBRSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLENBQUM7U0FDeEMsQ0FBQyxDQUFDLENBQUM7UUFFSixNQUFNLGtCQUFrQixHQUFHLElBQUksNEJBQWMsQ0FBQyxJQUFJLEVBQUUsb0JBQW9CLEVBQUU7WUFDeEUsWUFBWSxFQUFFLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxXQUFXO1lBQy9DLFVBQVUsRUFBRTtnQkFDVixTQUFTLEVBQUUsS0FBSyxDQUFDLFlBQVksQ0FBQyxTQUFTO2dCQUN2QyxNQUFNLEVBQUUsS0FBSyxDQUFDLEdBQUcsQ0FBQyxnQkFBZ0I7Z0JBQ2xDLFNBQVMsRUFBRSxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsUUFBUSxFQUFFO2FBQ2pDO1NBQ0YsQ0FBQyxDQUFDO1FBRUgsa0JBQWtCLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDakQsa0JBQWtCLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxLQUFLLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFMUQsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLHNCQUFJLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxzQkFBc0IsRUFBRTtZQUMzRSxTQUFTLEVBQUUsS0FBSyxDQUFDLGdCQUFzQztZQUN2RCxhQUFhLEVBQUUsS0FBSyxDQUFDLE1BQU07U0FDNUIsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUUxQyxNQUFNLGdCQUFnQixHQUFHLEtBQUssQ0FBQyxnQkFBZ0IsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUUxRSxJQUFJLENBQUMsa0JBQWtCLEdBQUcsSUFBSSx3QkFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsY0FBYyxFQUFFO1lBQ2xFLE9BQU8sRUFBRSx3QkFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXO1lBQ25DLE9BQU8sRUFBRSxlQUFlO1lBQ3hCLE9BQU8sRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDbEMsUUFBUSxFQUFFLG9CQUFvQjtZQUM5QixJQUFJLEVBQUUsd0JBQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLHdCQUF3QixDQUFDLENBQUM7WUFDM0UsV0FBVyxFQUFFO2dCQUNYLFVBQVUsRUFBRSxLQUFLLENBQUMsWUFBWSxDQUFDLFNBQVM7Z0JBQ3hDLGVBQWUsRUFBRSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVztnQkFDbEQsT0FBTyxFQUFFLEtBQUssQ0FBQyxHQUFHLENBQUMsZ0JBQWdCO2FBQ3BDO1NBQ0YsQ0FBQyxDQUFDO1FBRUgsS0FBSyxDQUFDLFlBQVksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDdEQsS0FBSyxDQUFDLFlBQVksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDdkQsS0FBSyxDQUFDLE1BQU0sQ0FBQyxtQkFBbUIsQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsQ0FBQztRQUMxRCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1FBRTNELElBQUksd0JBQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLGtCQUFrQixFQUFFO1lBQ3hDLFFBQVEsRUFBRSx3QkFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUM7WUFDaEQsT0FBTyxFQUFFLENBQUMsSUFBSSxnQ0FBTyxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsQ0FBQztTQUMvRCxDQUFDLENBQUM7UUFFSCxNQUFNLHVCQUF1QixHQUFHLElBQUksc0JBQUksQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLHlCQUF5QixFQUFFO1lBQ2pGLFNBQVMsRUFBRSxLQUFLLENBQUMsZ0JBQXNDO1lBQ3ZELGFBQWEsRUFBRSxLQUFLLENBQUMsTUFBTTtTQUM1QixDQUFDLENBQUM7UUFDSCxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxDQUFDO1FBRTdDLElBQUksQ0FBQyxxQkFBcUIsR0FBRyxJQUFJLHdCQUFNLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxpQkFBaUIsRUFBRTtZQUN4RSxPQUFPLEVBQUUsd0JBQU0sQ0FBQyxPQUFPLENBQUMsV0FBVztZQUNuQyxPQUFPLEVBQUUsc0JBQXNCO1lBQy9CLE9BQU8sRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDbEMsUUFBUSxFQUFFLHVCQUF1QjtZQUNqQyxJQUFJLEVBQUUsd0JBQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLDRCQUE0QixDQUFDLENBQUM7WUFDL0UsV0FBVyxFQUFFO2dCQUNYLE9BQU8sRUFBRSxLQUFLLENBQUMsR0FBRyxDQUFDLGdCQUFnQjthQUNwQztTQUNGLENBQUMsQ0FBQztRQUVILElBQUksQ0FBQyxxQkFBcUIsQ0FBQyxjQUFjLENBQUMsSUFBSSxzQ0FBb0IsQ0FBQyxpQkFBaUIsQ0FBQyxLQUFLLENBQUMsU0FBUyxFQUFFO1lBQ3BHLGdCQUFnQixFQUFFLHdCQUFNLENBQUMsZ0JBQWdCLENBQUMsTUFBTTtZQUNoRCxTQUFTLEVBQUUsR0FBRztZQUNkLGFBQWEsRUFBRSxDQUFDO1NBQ2pCLENBQUMsQ0FBQyxDQUFDO1FBRUosSUFBSSxDQUFDLHFCQUFxQixDQUFDLGVBQWUsQ0FBQyxJQUFJLHFCQUFHLENBQUMsZUFBZSxDQUFDO1lBQ2pFLE9BQU8sRUFBRSxDQUFDLG9DQUFvQyxFQUFFLGdEQUFnRCxDQUFDO1lBQ2pHLFNBQVMsRUFBRSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLENBQUM7U0FDeEMsQ0FBQyxDQUFDLENBQUM7UUFFSixJQUFJLEtBQUssQ0FBQyx5QkFBeUIsRUFBRSxDQUFDO1lBQ3BDLE1BQU0seUJBQXlCLEdBQUcsSUFBSSxzQkFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsMkJBQTJCLEVBQUU7Z0JBQ3JGLFNBQVMsRUFBRSxLQUFLLENBQUMsZ0JBQXNDO2dCQUN2RCxhQUFhLEVBQUUsS0FBSyxDQUFDLE1BQU07YUFDNUIsQ0FBQyxDQUFDO1lBQ0gsSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMseUJBQXlCLENBQUMsQ0FBQztZQUUvQyxJQUFJLENBQUMsdUJBQXVCLEdBQUcsSUFBSSx3QkFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLEVBQUUsbUJBQW1CLEVBQUU7Z0JBQzVFLE9BQU8sRUFBRSx3QkFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXO2dCQUNuQyxPQUFPLEVBQUUsc0JBQXNCO2dCQUMvQixPQUFPLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO2dCQUNsQyxRQUFRLEVBQUUseUJBQXlCO2dCQUNuQyxJQUFJLEVBQUUsd0JBQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLDhCQUE4QixDQUFDLENBQUM7Z0JBQ2pGLFdBQVcsRUFBRTtvQkFDWCxVQUFVLEVBQUUsS0FBSyxDQUFDLFNBQVMsQ0FBQyxTQUFTO29CQUNyQyxPQUFPLEVBQUUsS0FBSyxDQUFDLEdBQUcsQ0FBQyxnQkFBZ0I7aUJBQ3BDO2FBQ0YsQ0FBQyxDQUFDO1lBRUgsS0FBSyxDQUFDLFNBQVMsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsdUJBQXVCLENBQUMsQ0FBQztZQUNqRSxJQUFJLENBQUMsdUJBQXVCLENBQUMsZUFBZSxDQUFDLElBQUkscUJBQUcsQ0FBQyxlQUFlLENBQUM7Z0JBQ25FLE9BQU8sRUFBRSxDQUFDLGlDQUFpQyxFQUFFLGdEQUFnRCxDQUFDO2dCQUM5RixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLGdCQUFnQixDQUFDO2FBQ3hDLENBQUMsQ0FBQyxDQUFDO1lBRUosTUFBTSxlQUFlLEdBQUcscUJBQUcsQ0FBQyxLQUFLLENBQUMsWUFBWSxDQUFDLElBQUksRUFBRSxpQkFBaUIsRUFBRSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztZQUN6RyxlQUFlLENBQUMsZUFBZSxDQUFDLElBQUksbUNBQWlCLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUFDLHVCQUF1QixDQUFDLENBQUMsQ0FBQztRQUMxRyxDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBN0lELGtEQTZJQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIHBhdGggZnJvbSAncGF0aCc7XG5pbXBvcnQgKiBhcyBjb3JlIGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7XG4gIGF3c19jbG91ZGZyb250IGFzIGNsb3VkZnJvbnQsXG4gIGF3c19sYW1iZGEgYXMgbGFtYmRhLFxuICBhd3NfaWFtIGFzIGlhbSxcbiAgYXdzX3NlY3JldHNtYW5hZ2VyIGFzIHNlY3JldHNtYW5hZ2VyLFxuICBhd3Nfa21zIGFzIGttcyxcbiAgYXdzX2xvZ3MgYXMgbG9ncyxcbiAgYXdzX2V2ZW50cyBhcyBldmVudHMsXG4gIGF3c19ldmVudHNfdGFyZ2V0cyBhcyB0YXJnZXRzLFxuICBhd3NfbGFtYmRhX2V2ZW50X3NvdXJjZXMgYXMgbGFtYmRhX2V2ZW50X3NvdXJjZXMsXG4gIGF3c19zbnMgYXMgc25zLFxuICBhd3Nfc25zX3N1YnNjcmlwdGlvbnMgYXMgc25zX3N1YnNjcmlwdGlvbnMsXG4gIGF3c19keW5hbW9kYiBhcyBkeW5hbW9kYixcbiAgQ3VzdG9tUmVzb3VyY2UsXG59IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSAnY29uc3RydWN0cyc7XG5cbmV4cG9ydCBpbnRlcmZhY2UgQXV0aExhbWJkYUZ1bmN0aW9uc1Byb3BzIHtcbiAgcmVhZG9ubHkgY29uZmlnU2VjcmV0OiBzZWNyZXRzbWFuYWdlci5TZWNyZXQ7XG4gIHJlYWRvbmx5IGttc0tleToga21zLktleTtcbiAgcmVhZG9ubHkga3ZzOiBjbG91ZGZyb250LktleVZhbHVlU3RvcmU7XG4gIHJlYWRvbmx5IGF1dGhUYWJsZTogZHluYW1vZGIuSVRhYmxlO1xuICByZWFkb25seSByb3RhdGlvblNjaGVkdWxlPzogY29yZS5EdXJhdGlvbjtcbiAgcmVhZG9ubHkgc2Vzc2lvblJldm9jYXRpb25Ub3BpY0Fybj86IHN0cmluZztcbiAgcmVhZG9ubHkgbG9nUmV0ZW50aW9uRGF5czogbnVtYmVyO1xufVxuXG5leHBvcnQgY2xhc3MgQXV0aExhbWJkYUZ1bmN0aW9ucyBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IGNvcHlTZWNyZXRMYW1iZGE6IGxhbWJkYS5GdW5jdGlvbjtcbiAgcHVibGljIHJlYWRvbmx5IHJvdGF0ZVNlY3JldExhbWJkYTogbGFtYmRhLkZ1bmN0aW9uO1xuICBwdWJsaWMgcmVhZG9ubHkgc3RyZWFtUHJvY2Vzc29yTGFtYmRhOiBsYW1iZGEuRnVuY3Rpb247XG4gIHB1YmxpYyByZWFkb25seSBzZXNzaW9uUmV2b2NhdGlvbkxhbWJkYT86IGxhbWJkYS5GdW5jdGlvbjtcbiAgcHVibGljIHJlYWRvbmx5IGxvZ0dyb3VwczogbG9ncy5Mb2dHcm91cFtdO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEF1dGhMYW1iZGFGdW5jdGlvbnNQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICB0aGlzLmxvZ0dyb3VwcyA9IFtdO1xuXG4gICAgY29uc3QgY29weVNlY3JldExvZ0dyb3VwID0gbmV3IGxvZ3MuTG9nR3JvdXAodGhpcywgJ0NvcHlTZWNyZXRMb2dHcm91cCcsIHtcbiAgICAgIHJldGVudGlvbjogcHJvcHMubG9nUmV0ZW50aW9uRGF5cyBhcyBsb2dzLlJldGVudGlvbkRheXMsXG4gICAgICBlbmNyeXB0aW9uS2V5OiBwcm9wcy5rbXNLZXksXG4gICAgfSk7XG4gICAgdGhpcy5sb2dHcm91cHMucHVzaChjb3B5U2VjcmV0TG9nR3JvdXApO1xuXG4gICAgdGhpcy5jb3B5U2VjcmV0TGFtYmRhID0gbmV3IGxhbWJkYS5GdW5jdGlvbih0aGlzLCAnQ29weVNlY3JldFRvS1ZTJywge1xuICAgICAgcnVudGltZTogbGFtYmRhLlJ1bnRpbWUuUFlUSE9OXzNfMTIsXG4gICAgICBoYW5kbGVyOiAnaW5kZXguaGFuZGxlcicsXG4gICAgICB0aW1lb3V0OiBjb3JlLkR1cmF0aW9uLnNlY29uZHMoMzApLFxuICAgICAgbG9nR3JvdXA6IGNvcHlTZWNyZXRMb2dHcm91cCxcbiAgICAgIGNvZGU6IGxhbWJkYS5Db2RlLmZyb21Bc3NldChwYXRoLmpvaW4oX19kaXJuYW1lLCAnLi4vbGFtYmRhL2htYWNTZWNyZXQnKSwge1xuICAgICAgICBidW5kbGluZzoge1xuICAgICAgICAgIGltYWdlOiBsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMi5idW5kbGluZ0ltYWdlLFxuICAgICAgICAgIGNvbW1hbmQ6IFtcbiAgICAgICAgICAgICdiYXNoJywgJy1jJyxcbiAgICAgICAgICAgICdwaXAgaW5zdGFsbCAtciByZXF1aXJlbWVudHMudHh0IC10IC9hc3NldC1vdXRwdXQgJiYgY3AgLWF1IC4gL2Fzc2V0LW91dHB1dCcsXG4gICAgICAgICAgXSxcbiAgICAgICAgfSxcbiAgICAgIH0pLFxuICAgIH0pO1xuXG4gICAgcHJvcHMuY29uZmlnU2VjcmV0LmdyYW50UmVhZCh0aGlzLmNvcHlTZWNyZXRMYW1iZGEpO1xuICAgIHByb3BzLmttc0tleS5ncmFudERlY3J5cHQodGhpcy5jb3B5U2VjcmV0TGFtYmRhKTtcbiAgICB0aGlzLmNvcHlTZWNyZXRMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgIGFjdGlvbnM6IFsnY2xvdWRmcm9udC1rZXl2YWx1ZXN0b3JlOlB1dEtleScsICdjbG91ZGZyb250LWtleXZhbHVlc3RvcmU6RGVzY3JpYmVLZXlWYWx1ZVN0b3JlJ10sXG4gICAgICByZXNvdXJjZXM6IFtwcm9wcy5rdnMua2V5VmFsdWVTdG9yZUFybl0sXG4gICAgfSkpO1xuXG4gICAgY29uc3Qgc2VjcmV0Q29weVJlc291cmNlID0gbmV3IEN1c3RvbVJlc291cmNlKHRoaXMsICdTZWNyZXRDb3B5UmVzb3VyY2UnLCB7XG4gICAgICBzZXJ2aWNlVG9rZW46IHRoaXMuY29weVNlY3JldExhbWJkYS5mdW5jdGlvbkFybixcbiAgICAgIHByb3BlcnRpZXM6IHtcbiAgICAgICAgU2VjcmV0QXJuOiBwcm9wcy5jb25maWdTZWNyZXQuc2VjcmV0QXJuLFxuICAgICAgICBLdnNBcm46IHByb3BzLmt2cy5rZXlWYWx1ZVN0b3JlQXJuLFxuICAgICAgICBUaW1lc3RhbXA6IERhdGUubm93KCkudG9TdHJpbmcoKSxcbiAgICAgIH0sXG4gICAgfSk7XG5cbiAgICBzZWNyZXRDb3B5UmVzb3VyY2Uubm9kZS5hZGREZXBlbmRlbmN5KHByb3BzLmt2cyk7XG4gICAgc2VjcmV0Q29weVJlc291cmNlLm5vZGUuYWRkRGVwZW5kZW5jeShwcm9wcy5jb25maWdTZWNyZXQpO1xuXG4gICAgY29uc3Qgcm90YXRlU2VjcmV0TG9nR3JvdXAgPSBuZXcgbG9ncy5Mb2dHcm91cCh0aGlzLCAnUm90YXRlU2VjcmV0TG9nR3JvdXAnLCB7XG4gICAgICByZXRlbnRpb246IHByb3BzLmxvZ1JldGVudGlvbkRheXMgYXMgbG9ncy5SZXRlbnRpb25EYXlzLFxuICAgICAgZW5jcnlwdGlvbktleTogcHJvcHMua21zS2V5LFxuICAgIH0pO1xuICAgIHRoaXMubG9nR3JvdXBzLnB1c2gocm90YXRlU2VjcmV0TG9nR3JvdXApO1xuXG4gICAgY29uc3Qgcm90YXRpb25TY2hlZHVsZSA9IHByb3BzLnJvdGF0aW9uU2NoZWR1bGUgPz8gY29yZS5EdXJhdGlvbi5ob3Vycyg2KTtcblxuICAgIHRoaXMucm90YXRlU2VjcmV0TGFtYmRhID0gbmV3IGxhbWJkYS5GdW5jdGlvbih0aGlzLCAnUm90YXRlU2VjcmV0Jywge1xuICAgICAgcnVudGltZTogbGFtYmRhLlJ1bnRpbWUuUFlUSE9OXzNfMTIsXG4gICAgICBoYW5kbGVyOiAnaW5kZXguaGFuZGxlcicsXG4gICAgICB0aW1lb3V0OiBjb3JlLkR1cmF0aW9uLnNlY29uZHMoMzApLFxuICAgICAgbG9nR3JvdXA6IHJvdGF0ZVNlY3JldExvZ0dyb3VwLFxuICAgICAgY29kZTogbGFtYmRhLkNvZGUuZnJvbUFzc2V0KHBhdGguam9pbihfX2Rpcm5hbWUsICcuLi9sYW1iZGEvcm90YXRlU2VjcmV0JykpLFxuICAgICAgZW52aXJvbm1lbnQ6IHtcbiAgICAgICAgU0VDUkVUX0FSTjogcHJvcHMuY29uZmlnU2VjcmV0LnNlY3JldEFybixcbiAgICAgICAgQ09QWV9MQU1CREFfQVJOOiB0aGlzLmNvcHlTZWNyZXRMYW1iZGEuZnVuY3Rpb25Bcm4sXG4gICAgICAgIEtWU19BUk46IHByb3BzLmt2cy5rZXlWYWx1ZVN0b3JlQXJuLFxuICAgICAgfSxcbiAgICB9KTtcblxuICAgIHByb3BzLmNvbmZpZ1NlY3JldC5ncmFudFJlYWQodGhpcy5yb3RhdGVTZWNyZXRMYW1iZGEpO1xuICAgIHByb3BzLmNvbmZpZ1NlY3JldC5ncmFudFdyaXRlKHRoaXMucm90YXRlU2VjcmV0TGFtYmRhKTtcbiAgICBwcm9wcy5rbXNLZXkuZ3JhbnRFbmNyeXB0RGVjcnlwdCh0aGlzLnJvdGF0ZVNlY3JldExhbWJkYSk7XG4gICAgdGhpcy5jb3B5U2VjcmV0TGFtYmRhLmdyYW50SW52b2tlKHRoaXMucm90YXRlU2VjcmV0TGFtYmRhKTtcblxuICAgIG5ldyBldmVudHMuUnVsZSh0aGlzLCAnUm90YXRpb25TY2hlZHVsZScsIHtcbiAgICAgIHNjaGVkdWxlOiBldmVudHMuU2NoZWR1bGUucmF0ZShyb3RhdGlvblNjaGVkdWxlKSxcbiAgICAgIHRhcmdldHM6IFtuZXcgdGFyZ2V0cy5MYW1iZGFGdW5jdGlvbih0aGlzLnJvdGF0ZVNlY3JldExhbWJkYSldLFxuICAgIH0pO1xuXG4gICAgY29uc3Qgc3RyZWFtUHJvY2Vzc29yTG9nR3JvdXAgPSBuZXcgbG9ncy5Mb2dHcm91cCh0aGlzLCAnU3RyZWFtUHJvY2Vzc29yTG9nR3JvdXAnLCB7XG4gICAgICByZXRlbnRpb246IHByb3BzLmxvZ1JldGVudGlvbkRheXMgYXMgbG9ncy5SZXRlbnRpb25EYXlzLFxuICAgICAgZW5jcnlwdGlvbktleTogcHJvcHMua21zS2V5LFxuICAgIH0pO1xuICAgIHRoaXMubG9nR3JvdXBzLnB1c2goc3RyZWFtUHJvY2Vzc29yTG9nR3JvdXApO1xuXG4gICAgdGhpcy5zdHJlYW1Qcm9jZXNzb3JMYW1iZGEgPSBuZXcgbGFtYmRhLkZ1bmN0aW9uKHRoaXMsICdTdHJlYW1Qcm9jZXNzb3InLCB7XG4gICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5QWVRIT05fM18xMixcbiAgICAgIGhhbmRsZXI6ICdpbmRleC5sYW1iZGFfaGFuZGxlcicsXG4gICAgICB0aW1lb3V0OiBjb3JlLkR1cmF0aW9uLnNlY29uZHMoNjApLFxuICAgICAgbG9nR3JvdXA6IHN0cmVhbVByb2Nlc3NvckxvZ0dyb3VwLFxuICAgICAgY29kZTogbGFtYmRhLkNvZGUuZnJvbUFzc2V0KHBhdGguam9pbihfX2Rpcm5hbWUsICcuLi9sYW1iZGEvc3RyZWFtLXByb2Nlc3NvcicpKSxcbiAgICAgIGVudmlyb25tZW50OiB7XG4gICAgICAgIEtWU19BUk46IHByb3BzLmt2cy5rZXlWYWx1ZVN0b3JlQXJuLFxuICAgICAgfSxcbiAgICB9KTtcblxuICAgIHRoaXMuc3RyZWFtUHJvY2Vzc29yTGFtYmRhLmFkZEV2ZW50U291cmNlKG5ldyBsYW1iZGFfZXZlbnRfc291cmNlcy5EeW5hbW9FdmVudFNvdXJjZShwcm9wcy5hdXRoVGFibGUsIHtcbiAgICAgIHN0YXJ0aW5nUG9zaXRpb246IGxhbWJkYS5TdGFydGluZ1Bvc2l0aW9uLkxBVEVTVCxcbiAgICAgIGJhdGNoU2l6ZTogMTAwLFxuICAgICAgcmV0cnlBdHRlbXB0czogMyxcbiAgICB9KSk7XG5cbiAgICB0aGlzLnN0cmVhbVByb2Nlc3NvckxhbWJkYS5hZGRUb1JvbGVQb2xpY3kobmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgYWN0aW9uczogWydjbG91ZGZyb250LWtleXZhbHVlc3RvcmU6RGVsZXRlS2V5JywgJ2Nsb3VkZnJvbnQta2V5dmFsdWVzdG9yZTpEZXNjcmliZUtleVZhbHVlU3RvcmUnXSxcbiAgICAgIHJlc291cmNlczogW3Byb3BzLmt2cy5rZXlWYWx1ZVN0b3JlQXJuXSxcbiAgICB9KSk7XG5cbiAgICBpZiAocHJvcHMuc2Vzc2lvblJldm9jYXRpb25Ub3BpY0Fybikge1xuICAgICAgY29uc3Qgc2Vzc2lvblJldm9jYXRpb25Mb2dHcm91cCA9IG5ldyBsb2dzLkxvZ0dyb3VwKHRoaXMsICdTZXNzaW9uUmV2b2NhdGlvbkxvZ0dyb3VwJywge1xuICAgICAgICByZXRlbnRpb246IHByb3BzLmxvZ1JldGVudGlvbkRheXMgYXMgbG9ncy5SZXRlbnRpb25EYXlzLFxuICAgICAgICBlbmNyeXB0aW9uS2V5OiBwcm9wcy5rbXNLZXksXG4gICAgICB9KTtcbiAgICAgIHRoaXMubG9nR3JvdXBzLnB1c2goc2Vzc2lvblJldm9jYXRpb25Mb2dHcm91cCk7XG5cbiAgICAgIHRoaXMuc2Vzc2lvblJldm9jYXRpb25MYW1iZGEgPSBuZXcgbGFtYmRhLkZ1bmN0aW9uKHRoaXMsICdTZXNzaW9uUmV2b2NhdGlvbicsIHtcbiAgICAgICAgcnVudGltZTogbGFtYmRhLlJ1bnRpbWUuUFlUSE9OXzNfMTIsXG4gICAgICAgIGhhbmRsZXI6ICdpbmRleC5sYW1iZGFfaGFuZGxlcicsXG4gICAgICAgIHRpbWVvdXQ6IGNvcmUuRHVyYXRpb24uc2Vjb25kcyg2MCksXG4gICAgICAgIGxvZ0dyb3VwOiBzZXNzaW9uUmV2b2NhdGlvbkxvZ0dyb3VwLFxuICAgICAgICBjb2RlOiBsYW1iZGEuQ29kZS5mcm9tQXNzZXQocGF0aC5qb2luKF9fZGlybmFtZSwgJy4uL2xhbWJkYS9zZXNzaW9uLXJldm9jYXRpb24nKSksXG4gICAgICAgIGVudmlyb25tZW50OiB7XG4gICAgICAgICAgVEFCTEVfTkFNRTogcHJvcHMuYXV0aFRhYmxlLnRhYmxlTmFtZSxcbiAgICAgICAgICBLVlNfQVJOOiBwcm9wcy5rdnMua2V5VmFsdWVTdG9yZUFybixcbiAgICAgICAgfSxcbiAgICAgIH0pO1xuXG4gICAgICBwcm9wcy5hdXRoVGFibGUuZ3JhbnRSZWFkV3JpdGVEYXRhKHRoaXMuc2Vzc2lvblJldm9jYXRpb25MYW1iZGEpO1xuICAgICAgdGhpcy5zZXNzaW9uUmV2b2NhdGlvbkxhbWJkYS5hZGRUb1JvbGVQb2xpY3kobmV3IGlhbS5Qb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBhY3Rpb25zOiBbJ2Nsb3VkZnJvbnQta2V5dmFsdWVzdG9yZTpQdXRLZXknLCAnY2xvdWRmcm9udC1rZXl2YWx1ZXN0b3JlOkRlc2NyaWJlS2V5VmFsdWVTdG9yZSddLFxuICAgICAgICByZXNvdXJjZXM6IFtwcm9wcy5rdnMua2V5VmFsdWVTdG9yZUFybl0sXG4gICAgICB9KSk7XG5cbiAgICAgIGNvbnN0IHJldm9jYXRpb25Ub3BpYyA9IHNucy5Ub3BpYy5mcm9tVG9waWNBcm4odGhpcywgJ1Jldm9jYXRpb25Ub3BpYycsIHByb3BzLnNlc3Npb25SZXZvY2F0aW9uVG9waWNBcm4pO1xuICAgICAgcmV2b2NhdGlvblRvcGljLmFkZFN1YnNjcmlwdGlvbihuZXcgc25zX3N1YnNjcmlwdGlvbnMuTGFtYmRhU3Vic2NyaXB0aW9uKHRoaXMuc2Vzc2lvblJldm9jYXRpb25MYW1iZGEpKTtcbiAgICB9XG4gIH1cbn1cbiJdfQ==

package/lib/cloudfront/auth/authSecretManager.d.ts

@@ -0,0 +1,19 @@
+import { aws_cloudfront as cloudfront, aws_secretsmanager as secretsmanager, aws_kms as kms } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+export interface AuthSecretManagerProps {
+    readonly domainName: string;
+    readonly tableName: string;
+    readonly tableRegion: string;
+    readonly azureTenantId: string;
+    readonly azureClientId: string;
+    readonly stsAudience: string;
+    readonly securityAlertsTopicArn?: string;
+    readonly autoRevokeOnReuse?: boolean;
+    readonly jwtClaimsWhitelist?: string[];
+}
+export declare class AuthSecretManager extends constructs.Construct {
+    readonly kmsKey: kms.Key;
+    readonly configSecret: secretsmanager.Secret;
+    readonly kvs: cloudfront.KeyValueStore;
+    constructor(scope: constructs.Construct, id: string, props: AuthSecretManagerProps);
+}

package/lib/cloudfront/auth/authSecretManager.js

@@ -0,0 +1,92 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthSecretManager = void 0;
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class AuthSecretManager extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.kmsKey = new aws_cdk_lib_1.aws_kms.Key(this, 'KmsKey', {
+            description: 'KMS key for CloudFront auth secret encryption',
+            enableKeyRotation: true,
+            removalPolicy: aws_cdk_lib_1.RemovalPolicy.RETAIN,
+        });
+        this.kmsKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            sid: 'AllowCloudWatchLogs',
+            principals: [new aws_cdk_lib_1.aws_iam.ServicePrincipal(`logs.${core.Stack.of(this).region}.amazonaws.com`)],
+            actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:CreateGrant', 'kms:DescribeKey'],
+            resources: ['*'],
+            conditions: {
+                ArnLike: {
+                    'kms:EncryptionContext:aws:logs:arn': `arn:aws:logs:${core.Stack.of(this).region}:${core.Stack.of(this).account}:log-group:*`,
+                },
+            },
+        }));
+        const jwtClaimsWhitelist = props.jwtClaimsWhitelist ?? [
+            'oid', 'tid', 'sub', 'email', 'name', 'preferred_username', 'groups', 'roles',
+        ];
+        const configSecretName = `cloudfront-auth-config-${props.domainName}`;
+        this.configSecret = new aws_cdk_lib_1.aws_secretsmanager.Secret(this, 'ConfigSecret', {
+            secretName: configSecretName,
+            encryptionKey: this.kmsKey,
+            generateSecretString: {
+                secretStringTemplate: JSON.stringify({
+                    azure_tenant_id: props.azureTenantId,
+                    azure_client_id: props.azureClientId,
+                    redirect_uri: `https://${props.domainName}/oauth2/callback`,
+                    sts_audience: props.stsAudience,
+                    dynamodb_table_name: props.tableName,
+                    dynamodb_region: props.tableRegion,
+                    security_alerts_topic_arn: props.securityAlertsTopicArn || '',
+                    auto_revoke_on_reuse: props.autoRevokeOnReuse ? 'true' : 'false',
+                    jwt_claims_whitelist: JSON.stringify(jwtClaimsWhitelist),
+                    allowed_domains: JSON.stringify([props.domainName]),
+                }),
+                generateStringKey: 'hmac_key',
+                excludePunctuation: true,
+                passwordLength: 64,
+                requireEachIncludedType: false,
+            },
+            description: 'Configuration and HMAC secret for CloudFront authentication',
+        });
+        this.kvs = new aws_cdk_lib_1.aws_cloudfront.KeyValueStore(this, 'AuthKVS', {
+            comment: 'HMAC secret and session revocation denylist',
+        });
+    }
+}
+exports.AuthSecretManager = AuthSecretManager;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aFNlY3JldE1hbmFnZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2xvdWRmcm9udC9hdXRoL2F1dGhTZWNyZXRNYW5hZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGtEQUFvQztBQUNwQyw2Q0FNcUI7QUFDckIsdURBQXlDO0FBY3pDLE1BQWEsaUJBQWtCLFNBQVEsVUFBVSxDQUFDLFNBQVM7SUFLekQsWUFBWSxLQUEyQixFQUFFLEVBQVUsRUFBRSxLQUE2QjtRQUNoRixLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBRWpCLElBQUksQ0FBQyxNQUFNLEdBQUcsSUFBSSxxQkFBRyxDQUFDLEdBQUcsQ0FBQyxJQUFJLEVBQUUsUUFBUSxFQUFFO1lBQ3hDLFdBQVcsRUFBRSwrQ0FBK0M7WUFDNUQsaUJBQWlCLEVBQUUsSUFBSTtZQUN2QixhQUFhLEVBQUUsMkJBQWEsQ0FBQyxNQUFNO1NBQ3BDLENBQUMsQ0FBQztRQUVILElBQUksQ0FBQyxNQUFNLENBQUMsbUJBQW1CLENBQUMsSUFBSSxxQkFBRyxDQUFDLGVBQWUsQ0FBQztZQUN0RCxHQUFHLEVBQUUscUJBQXFCO1lBQzFCLFVBQVUsRUFBRSxDQUFDLElBQUkscUJBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxRQUFRLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sZ0JBQWdCLENBQUMsQ0FBQztZQUMxRixPQUFPLEVBQUUsQ0FBQyxhQUFhLEVBQUUsYUFBYSxFQUFFLGdCQUFnQixFQUFFLHNCQUFzQixFQUFFLGlCQUFpQixFQUFFLGlCQUFpQixDQUFDO1lBQ3ZILFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztZQUNoQixVQUFVLEVBQUU7Z0JBQ1YsT0FBTyxFQUFFO29CQUNQLG9DQUFvQyxFQUFFLGdCQUFnQixJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLElBQUksSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsT0FBTyxjQUFjO2lCQUM5SDthQUNGO1NBQ0YsQ0FBQyxDQUFDLENBQUM7UUFFSixNQUFNLGtCQUFrQixHQUFHLEtBQUssQ0FBQyxrQkFBa0IsSUFBSTtZQUNyRCxLQUFLLEVBQUUsS0FBSyxFQUFFLEtBQUssRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLG9CQUFvQixFQUFFLFFBQVEsRUFBRSxPQUFPO1NBQzlFLENBQUM7UUFFRixNQUFNLGdCQUFnQixHQUFHLDBCQUEwQixLQUFLLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDdEUsSUFBSSxDQUFDLFlBQVksR0FBRyxJQUFJLGdDQUFjLENBQUMsTUFBTSxDQUFDLElBQUksRUFBRSxjQUFjLEVBQUU7WUFDbEUsVUFBVSxFQUFFLGdCQUFnQjtZQUM1QixhQUFhLEVBQUUsSUFBSSxDQUFDLE1BQU07WUFDMUIsb0JBQW9CLEVBQUU7Z0JBQ3BCLG9CQUFvQixFQUFFLElBQUksQ0FBQyxTQUFTLENBQUM7b0JBQ25DLGVBQWUsRUFBRSxLQUFLLENBQUMsYUFBYTtvQkFDcEMsZUFBZSxFQUFFLEtBQUssQ0FBQyxhQUFhO29CQUNwQyxZQUFZLEVBQUUsV0FBVyxLQUFLLENBQUMsVUFBVSxrQkFBa0I7b0JBQzNELFlBQVksRUFBRSxLQUFLLENBQUMsV0FBVztvQkFDL0IsbUJBQW1CLEVBQUUsS0FBSyxDQUFDLFNBQVM7b0JBQ3BDLGVBQWUsRUFBRSxLQUFLLENBQUMsV0FBVztvQkFDbEMseUJBQXlCLEVBQUUsS0FBSyxDQUFDLHNCQUFzQixJQUFJLEVBQUU7b0JBQzdELG9CQUFvQixFQUFFLEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxPQUFPO29CQUNoRSxvQkFBb0IsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLGtCQUFrQixDQUFDO29CQUN4RCxlQUFlLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQztpQkFDcEQsQ0FBQztnQkFDRixpQkFBaUIsRUFBRSxVQUFVO2dCQUM3QixrQkFBa0IsRUFBRSxJQUFJO2dCQUN4QixjQUFjLEVBQUUsRUFBRTtnQkFDbEIsdUJBQXVCLEVBQUUsS0FBSzthQUMvQjtZQUNELFdBQVcsRUFBRSw2REFBNkQ7U0FDM0UsQ0FBQyxDQUFDO1FBRUgsSUFBSSxDQUFDLEdBQUcsR0FBRyxJQUFJLDRCQUFVLENBQUMsYUFBYSxDQUFDLElBQUksRUFBRSxTQUFTLEVBQUU7WUFDdkQsT0FBTyxFQUFFLDZDQUE2QztTQUN2RCxDQUFDLENBQUM7SUFDTCxDQUFDO0NBQ0Y7QUEzREQsOENBMkRDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgY29yZSBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQge1xuICBhd3NfY2xvdWRmcm9udCBhcyBjbG91ZGZyb250LFxuICBhd3Nfc2VjcmV0c21hbmFnZXIgYXMgc2VjcmV0c21hbmFnZXIsXG4gIGF3c19rbXMgYXMga21zLFxuICBhd3NfaWFtIGFzIGlhbSxcbiAgUmVtb3ZhbFBvbGljeSxcbn0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0ICogYXMgY29uc3RydWN0cyBmcm9tICdjb25zdHJ1Y3RzJztcblxuZXhwb3J0IGludGVyZmFjZSBBdXRoU2VjcmV0TWFuYWdlclByb3BzIHtcbiAgcmVhZG9ubHkgZG9tYWluTmFtZTogc3RyaW5nO1xuICByZWFkb25seSB0YWJsZU5hbWU6IHN0cmluZztcbiAgcmVhZG9ubHkgdGFibGVSZWdpb246IHN0cmluZztcbiAgcmVhZG9ubHkgYXp1cmVUZW5hbnRJZDogc3RyaW5nO1xuICByZWFkb25seSBhenVyZUNsaWVudElkOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHN0c0F1ZGllbmNlOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHNlY3VyaXR5QWxlcnRzVG9waWNBcm4/OiBzdHJpbmc7XG4gIHJlYWRvbmx5IGF1dG9SZXZva2VPblJldXNlPzogYm9vbGVhbjtcbiAgcmVhZG9ubHkgand0Q2xhaW1zV2hpdGVsaXN0Pzogc3RyaW5nW107XG59XG5cbmV4cG9ydCBjbGFzcyBBdXRoU2VjcmV0TWFuYWdlciBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IGttc0tleToga21zLktleTtcbiAgcHVibGljIHJlYWRvbmx5IGNvbmZpZ1NlY3JldDogc2VjcmV0c21hbmFnZXIuU2VjcmV0O1xuICBwdWJsaWMgcmVhZG9ubHkga3ZzOiBjbG91ZGZyb250LktleVZhbHVlU3RvcmU7XG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IGNvbnN0cnVjdHMuQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogQXV0aFNlY3JldE1hbmFnZXJQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICB0aGlzLmttc0tleSA9IG5ldyBrbXMuS2V5KHRoaXMsICdLbXNLZXknLCB7XG4gICAgICBkZXNjcmlwdGlvbjogJ0tNUyBrZXkgZm9yIENsb3VkRnJvbnQgYXV0aCBzZWNyZXQgZW5jcnlwdGlvbicsXG4gICAgICBlbmFibGVLZXlSb3RhdGlvbjogdHJ1ZSxcbiAgICAgIHJlbW92YWxQb2xpY3k6IFJlbW92YWxQb2xpY3kuUkVUQUlOLFxuICAgIH0pO1xuXG4gICAgdGhpcy5rbXNLZXkuYWRkVG9SZXNvdXJjZVBvbGljeShuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBzaWQ6ICdBbGxvd0Nsb3VkV2F0Y2hMb2dzJyxcbiAgICAgIHByaW5jaXBhbHM6IFtuZXcgaWFtLlNlcnZpY2VQcmluY2lwYWwoYGxvZ3MuJHtjb3JlLlN0YWNrLm9mKHRoaXMpLnJlZ2lvbn0uYW1hem9uYXdzLmNvbWApXSxcbiAgICAgIGFjdGlvbnM6IFsna21zOkVuY3J5cHQnLCAna21zOkRlY3J5cHQnLCAna21zOlJlRW5jcnlwdConLCAna21zOkdlbmVyYXRlRGF0YUtleSonLCAna21zOkNyZWF0ZUdyYW50JywgJ2ttczpEZXNjcmliZUtleSddLFxuICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgIGNvbmRpdGlvbnM6IHtcbiAgICAgICAgQXJuTGlrZToge1xuICAgICAgICAgICdrbXM6RW5jcnlwdGlvbkNvbnRleHQ6YXdzOmxvZ3M6YXJuJzogYGFybjphd3M6bG9nczoke2NvcmUuU3RhY2sub2YodGhpcykucmVnaW9ufToke2NvcmUuU3RhY2sub2YodGhpcykuYWNjb3VudH06bG9nLWdyb3VwOipgLFxuICAgICAgICB9LFxuICAgICAgfSxcbiAgICB9KSk7XG5cbiAgICBjb25zdCBqd3RDbGFpbXNXaGl0ZWxpc3QgPSBwcm9wcy5qd3RDbGFpbXNXaGl0ZWxpc3QgPz8gW1xuICAgICAgJ29pZCcsICd0aWQnLCAnc3ViJywgJ2VtYWlsJywgJ25hbWUnLCAncHJlZmVycmVkX3VzZXJuYW1lJywgJ2dyb3VwcycsICdyb2xlcycsXG4gICAgXTtcblxuICAgIGNvbnN0IGNvbmZpZ1NlY3JldE5hbWUgPSBgY2xvdWRmcm9udC1hdXRoLWNvbmZpZy0ke3Byb3BzLmRvbWFpbk5hbWV9YDtcbiAgICB0aGlzLmNvbmZpZ1NlY3JldCA9IG5ldyBzZWNyZXRzbWFuYWdlci5TZWNyZXQodGhpcywgJ0NvbmZpZ1NlY3JldCcsIHtcbiAgICAgIHNlY3JldE5hbWU6IGNvbmZpZ1NlY3JldE5hbWUsXG4gICAgICBlbmNyeXB0aW9uS2V5OiB0aGlzLmttc0tleSxcbiAgICAgIGdlbmVyYXRlU2VjcmV0U3RyaW5nOiB7XG4gICAgICAgIHNlY3JldFN0cmluZ1RlbXBsYXRlOiBKU09OLnN0cmluZ2lmeSh7XG4gICAgICAgICAgYXp1cmVfdGVuYW50X2lkOiBwcm9wcy5henVyZVRlbmFudElkLFxuICAgICAgICAgIGF6dXJlX2NsaWVudF9pZDogcHJvcHMuYXp1cmVDbGllbnRJZCxcbiAgICAgICAgICByZWRpcmVjdF91cmk6IGBodHRwczovLyR7cHJvcHMuZG9tYWluTmFtZX0vb2F1dGgyL2NhbGxiYWNrYCxcbiAgICAgICAgICBzdHNfYXVkaWVuY2U6IHByb3BzLnN0c0F1ZGllbmNlLFxuICAgICAgICAgIGR5bmFtb2RiX3RhYmxlX25hbWU6IHByb3BzLnRhYmxlTmFtZSxcbiAgICAgICAgICBkeW5hbW9kYl9yZWdpb246IHByb3BzLnRhYmxlUmVnaW9uLFxuICAgICAgICAgIHNlY3VyaXR5X2FsZXJ0c190b3BpY19hcm46IHByb3BzLnNlY3VyaXR5QWxlcnRzVG9waWNBcm4gfHwgJycsXG4gICAgICAgICAgYXV0b19yZXZva2Vfb25fcmV1c2U6IHByb3BzLmF1dG9SZXZva2VPblJldXNlID8gJ3RydWUnIDogJ2ZhbHNlJyxcbiAgICAgICAgICBqd3RfY2xhaW1zX3doaXRlbGlzdDogSlNPTi5zdHJpbmdpZnkoand0Q2xhaW1zV2hpdGVsaXN0KSxcbiAgICAgICAgICBhbGxvd2VkX2RvbWFpbnM6IEpTT04uc3RyaW5naWZ5KFtwcm9wcy5kb21haW5OYW1lXSksXG4gICAgICAgIH0pLFxuICAgICAgICBnZW5lcmF0ZVN0cmluZ0tleTogJ2htYWNfa2V5JyxcbiAgICAgICAgZXhjbHVkZVB1bmN0dWF0aW9uOiB0cnVlLFxuICAgICAgICBwYXNzd29yZExlbmd0aDogNjQsXG4gICAgICAgIHJlcXVpcmVFYWNoSW5jbHVkZWRUeXBlOiBmYWxzZSxcbiAgICAgIH0sXG4gICAgICBkZXNjcmlwdGlvbjogJ0NvbmZpZ3VyYXRpb24gYW5kIEhNQUMgc2VjcmV0IGZvciBDbG91ZEZyb250IGF1dGhlbnRpY2F0aW9uJyxcbiAgICB9KTtcblxuICAgIHRoaXMua3ZzID0gbmV3IGNsb3VkZnJvbnQuS2V5VmFsdWVTdG9yZSh0aGlzLCAnQXV0aEtWUycsIHtcbiAgICAgIGNvbW1lbnQ6ICdITUFDIHNlY3JldCBhbmQgc2Vzc2lvbiByZXZvY2F0aW9uIGRlbnlsaXN0JyxcbiAgICB9KTtcbiAgfVxufVxuIl19

package/lib/cloudfront/auth/cognitoAuthSecretManager.d.ts

@@ -0,0 +1,20 @@
+import { aws_cloudfront as cloudfront, aws_secretsmanager as secretsmanager, aws_kms as kms } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+export interface CognitoAuthSecretManagerProps {
+    readonly domainName: string;
+    readonly tableName: string;
+    readonly tableRegion: string;
+    readonly userPoolId: string;
+    readonly clientId: string;
+    readonly cognitoDomain: string;
+    readonly cognitoRegion: string;
+    readonly securityAlertsTopicArn?: string;
+    readonly autoRevokeOnReuse?: boolean;
+    readonly jwtClaimsWhitelist?: string[];
+}
+export declare class CognitoAuthSecretManager extends constructs.Construct {
+    readonly kmsKey: kms.Key;
+    readonly configSecret: secretsmanager.Secret;
+    readonly kvs: cloudfront.KeyValueStore;
+    constructor(scope: constructs.Construct, id: string, props: CognitoAuthSecretManagerProps);
+}

package/lib/cloudfront/auth/cognitoAuthSecretManager.js

@@ -0,0 +1,93 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CognitoAuthSecretManager = void 0;
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class CognitoAuthSecretManager extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.kmsKey = new aws_cdk_lib_1.aws_kms.Key(this, 'KmsKey', {
+            description: 'KMS key for CloudFront Cognito auth secret encryption',
+            enableKeyRotation: true,
+            removalPolicy: aws_cdk_lib_1.RemovalPolicy.RETAIN,
+        });
+        this.kmsKey.addToResourcePolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            sid: 'AllowCloudWatchLogs',
+            principals: [new aws_cdk_lib_1.aws_iam.ServicePrincipal(`logs.${core.Stack.of(this).region}.amazonaws.com`)],
+            actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:CreateGrant', 'kms:DescribeKey'],
+            resources: ['*'],
+            conditions: {
+                ArnLike: {
+                    'kms:EncryptionContext:aws:logs:arn': `arn:aws:logs:${core.Stack.of(this).region}:${core.Stack.of(this).account}:log-group:*`,
+                },
+            },
+        }));
+        const jwtClaimsWhitelist = props.jwtClaimsWhitelist ?? [
+            'sub', 'email', 'name', 'cognito:groups', 'roles',
+        ];
+        this.configSecret = new aws_cdk_lib_1.aws_secretsmanager.Secret(this, 'ConfigSecret', {
+            secretName: `cloudfront-auth-config-${props.domainName}`,
+            encryptionKey: this.kmsKey,
+            generateSecretString: {
+                secretStringTemplate: JSON.stringify({
+                    idp_type: 'cognito',
+                    cognito_user_pool_id: props.userPoolId,
+                    cognito_client_id: props.clientId,
+                    cognito_domain: props.cognitoDomain,
+                    cognito_region: props.cognitoRegion,
+                    redirect_uri: `https://${props.domainName}/oauth2/callback`,
+                    dynamodb_table_name: props.tableName,
+                    dynamodb_region: props.tableRegion,
+                    security_alerts_topic_arn: props.securityAlertsTopicArn ?? '',
+                    auto_revoke_on_reuse: props.autoRevokeOnReuse ? 'true' : 'false',
+                    jwt_claims_whitelist: JSON.stringify(jwtClaimsWhitelist),
+                    allowed_domains: JSON.stringify([props.domainName]),
+                }),
+                generateStringKey: 'hmac_key',
+                excludePunctuation: true,
+                passwordLength: 64,
+                requireEachIncludedType: false,
+            },
+            description: 'Configuration and HMAC secret for CloudFront Cognito authentication',
+        });
+        this.kvs = new aws_cdk_lib_1.aws_cloudfront.KeyValueStore(this, 'AuthKVS', {
+            comment: 'HMAC secret and session revocation denylist',
+        });
+    }
+}
+exports.CognitoAuthSecretManager = CognitoAuthSecretManager;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29nbml0b0F1dGhTZWNyZXRNYW5hZ2VyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Nsb3VkZnJvbnQvYXV0aC9jb2duaXRvQXV0aFNlY3JldE1hbmFnZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsa0RBQW9DO0FBQ3BDLDZDQU1xQjtBQUNyQix1REFBeUM7QUFlekMsTUFBYSx3QkFBeUIsU0FBUSxVQUFVLENBQUMsU0FBUztJQUtoRSxZQUFZLEtBQTJCLEVBQUUsRUFBVSxFQUFFLEtBQW9DO1FBQ3ZGLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLHFCQUFHLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxRQUFRLEVBQUU7WUFDeEMsV0FBVyxFQUFFLHVEQUF1RDtZQUNwRSxpQkFBaUIsRUFBRSxJQUFJO1lBQ3ZCLGFBQWEsRUFBRSwyQkFBYSxDQUFDLE1BQU07U0FDcEMsQ0FBQyxDQUFDO1FBRUgsSUFBSSxDQUFDLE1BQU0sQ0FBQyxtQkFBbUIsQ0FBQyxJQUFJLHFCQUFHLENBQUMsZUFBZSxDQUFDO1lBQ3RELEdBQUcsRUFBRSxxQkFBcUI7WUFDMUIsVUFBVSxFQUFFLENBQUMsSUFBSSxxQkFBRyxDQUFDLGdCQUFnQixDQUFDLFFBQVEsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxnQkFBZ0IsQ0FBQyxDQUFDO1lBQzFGLE9BQU8sRUFBRSxDQUFDLGFBQWEsRUFBRSxhQUFhLEVBQUUsZ0JBQWdCLEVBQUUsc0JBQXNCLEVBQUUsaUJBQWlCLEVBQUUsaUJBQWlCLENBQUM7WUFDdkgsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO1lBQ2hCLFVBQVUsRUFBRTtnQkFDVixPQUFPLEVBQUU7b0JBQ1Asb0NBQW9DLEVBQUUsZ0JBQWdCLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPLGNBQWM7aUJBQzlIO2FBQ0Y7U0FDRixDQUFDLENBQUMsQ0FBQztRQUVKLE1BQU0sa0JBQWtCLEdBQUcsS0FBSyxDQUFDLGtCQUFrQixJQUFJO1lBQ3JELEtBQUssRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE9BQU87U0FDbEQsQ0FBQztRQUVGLElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSxnQ0FBYyxDQUFDLE1BQU0sQ0FBQyxJQUFJLEVBQUUsY0FBYyxFQUFFO1lBQ2xFLFVBQVUsRUFBRSwwQkFBMEIsS0FBSyxDQUFDLFVBQVUsRUFBRTtZQUN4RCxhQUFhLEVBQUUsSUFBSSxDQUFDLE1BQU07WUFDMUIsb0JBQW9CLEVBQUU7Z0JBQ3BCLG9CQUFvQixFQUFFLElBQUksQ0FBQyxTQUFTLENBQUM7b0JBQ25DLFFBQVEsRUFBRSxTQUFTO29CQUNuQixvQkFBb0IsRUFBRSxLQUFLLENBQUMsVUFBVTtvQkFDdEMsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLFFBQVE7b0JBQ2pDLGNBQWMsRUFBRSxLQUFLLENBQUMsYUFBYTtvQkFDbkMsY0FBYyxFQUFFLEtBQUssQ0FBQyxhQUFhO29CQUNuQyxZQUFZLEVBQUUsV0FBVyxLQUFLLENBQUMsVUFBVSxrQkFBa0I7b0JBQzNELG1CQUFtQixFQUFFLEtBQUssQ0FBQyxTQUFTO29CQUNwQyxlQUFlLEVBQUUsS0FBSyxDQUFDLFdBQVc7b0JBQ2xDLHlCQUF5QixFQUFFLEtBQUssQ0FBQyxzQkFBc0IsSUFBSSxFQUFFO29CQUM3RCxvQkFBb0IsRUFBRSxLQUFLLENBQUMsaUJBQWlCLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsT0FBTztvQkFDaEUsb0JBQW9CLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxrQkFBa0IsQ0FBQztvQkFDeEQsZUFBZSxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLENBQUM7aUJBQ3BELENBQUM7Z0JBQ0YsaUJBQWlCLEVBQUUsVUFBVTtnQkFDN0Isa0JBQWtCLEVBQUUsSUFBSTtnQkFDeEIsY0FBYyxFQUFFLEVBQUU7Z0JBQ2xCLHVCQUF1QixFQUFFLEtBQUs7YUFDL0I7WUFDRCxXQUFXLEVBQUUscUVBQXFFO1NBQ25GLENBQUMsQ0FBQztRQUVILElBQUksQ0FBQyxHQUFHLEdBQUcsSUFBSSw0QkFBVSxDQUFDLGFBQWEsQ0FBQyxJQUFJLEVBQUUsU0FBUyxFQUFFO1lBQ3ZELE9BQU8sRUFBRSw2Q0FBNkM7U0FDdkQsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztDQUNGO0FBNURELDREQTREQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvcmUgZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0IHtcbiAgYXdzX2Nsb3VkZnJvbnQgYXMgY2xvdWRmcm9udCxcbiAgYXdzX3NlY3JldHNtYW5hZ2VyIGFzIHNlY3JldHNtYW5hZ2VyLFxuICBhd3Nfa21zIGFzIGttcyxcbiAgYXdzX2lhbSBhcyBpYW0sXG4gIFJlbW92YWxQb2xpY3ksXG59IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSAnY29uc3RydWN0cyc7XG5cbmV4cG9ydCBpbnRlcmZhY2UgQ29nbml0b0F1dGhTZWNyZXRNYW5hZ2VyUHJvcHMge1xuICByZWFkb25seSBkb21haW5OYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHRhYmxlTmFtZTogc3RyaW5nO1xuICByZWFkb25seSB0YWJsZVJlZ2lvbjogc3RyaW5nO1xuICByZWFkb25seSB1c2VyUG9vbElkOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGNsaWVudElkOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGNvZ25pdG9Eb21haW46IHN0cmluZztcbiAgcmVhZG9ubHkgY29nbml0b1JlZ2lvbjogc3RyaW5nO1xuICByZWFkb25seSBzZWN1cml0eUFsZXJ0c1RvcGljQXJuPzogc3RyaW5nO1xuICByZWFkb25seSBhdXRvUmV2b2tlT25SZXVzZT86IGJvb2xlYW47XG4gIHJlYWRvbmx5IGp3dENsYWltc1doaXRlbGlzdD86IHN0cmluZ1tdO1xufVxuXG5leHBvcnQgY2xhc3MgQ29nbml0b0F1dGhTZWNyZXRNYW5hZ2VyIGV4dGVuZHMgY29uc3RydWN0cy5Db25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkga21zS2V5OiBrbXMuS2V5O1xuICBwdWJsaWMgcmVhZG9ubHkgY29uZmlnU2VjcmV0OiBzZWNyZXRzbWFuYWdlci5TZWNyZXQ7XG4gIHB1YmxpYyByZWFkb25seSBrdnM6IGNsb3VkZnJvbnQuS2V5VmFsdWVTdG9yZTtcblxuICBjb25zdHJ1Y3RvcihzY29wZTogY29uc3RydWN0cy5Db25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBDb2duaXRvQXV0aFNlY3JldE1hbmFnZXJQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICB0aGlzLmttc0tleSA9IG5ldyBrbXMuS2V5KHRoaXMsICdLbXNLZXknLCB7XG4gICAgICBkZXNjcmlwdGlvbjogJ0tNUyBrZXkgZm9yIENsb3VkRnJvbnQgQ29nbml0byBhdXRoIHNlY3JldCBlbmNyeXB0aW9uJyxcbiAgICAgIGVuYWJsZUtleVJvdGF0aW9uOiB0cnVlLFxuICAgICAgcmVtb3ZhbFBvbGljeTogUmVtb3ZhbFBvbGljeS5SRVRBSU4sXG4gICAgfSk7XG5cbiAgICB0aGlzLmttc0tleS5hZGRUb1Jlc291cmNlUG9saWN5KG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgIHNpZDogJ0FsbG93Q2xvdWRXYXRjaExvZ3MnLFxuICAgICAgcHJpbmNpcGFsczogW25ldyBpYW0uU2VydmljZVByaW5jaXBhbChgbG9ncy4ke2NvcmUuU3RhY2sub2YodGhpcykucmVnaW9ufS5hbWF6b25hd3MuY29tYCldLFxuICAgICAgYWN0aW9uczogWydrbXM6RW5jcnlwdCcsICdrbXM6RGVjcnlwdCcsICdrbXM6UmVFbmNyeXB0KicsICdrbXM6R2VuZXJhdGVEYXRhS2V5KicsICdrbXM6Q3JlYXRlR3JhbnQnLCAna21zOkRlc2NyaWJlS2V5J10sXG4gICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgY29uZGl0aW9uczoge1xuICAgICAgICBBcm5MaWtlOiB7XG4gICAgICAgICAgJ2ttczpFbmNyeXB0aW9uQ29udGV4dDphd3M6bG9nczphcm4nOiBgYXJuOmF3czpsb2dzOiR7Y29yZS5TdGFjay5vZih0aGlzKS5yZWdpb259OiR7Y29yZS5TdGFjay5vZih0aGlzKS5hY2NvdW50fTpsb2ctZ3JvdXA6KmAsXG4gICAgICAgIH0sXG4gICAgICB9LFxuICAgIH0pKTtcblxuICAgIGNvbnN0IGp3dENsYWltc1doaXRlbGlzdCA9IHByb3BzLmp3dENsYWltc1doaXRlbGlzdCA/PyBbXG4gICAgICAnc3ViJywgJ2VtYWlsJywgJ25hbWUnLCAnY29nbml0bzpncm91cHMnLCAncm9sZXMnLFxuICAgIF07XG5cbiAgICB0aGlzLmNvbmZpZ1NlY3JldCA9IG5ldyBzZWNyZXRzbWFuYWdlci5TZWNyZXQodGhpcywgJ0NvbmZpZ1NlY3JldCcsIHtcbiAgICAgIHNlY3JldE5hbWU6IGBjbG91ZGZyb250LWF1dGgtY29uZmlnLSR7cHJvcHMuZG9tYWluTmFtZX1gLFxuICAgICAgZW5jcnlwdGlvbktleTogdGhpcy5rbXNLZXksXG4gICAgICBnZW5lcmF0ZVNlY3JldFN0cmluZzoge1xuICAgICAgICBzZWNyZXRTdHJpbmdUZW1wbGF0ZTogSlNPTi5zdHJpbmdpZnkoe1xuICAgICAgICAgIGlkcF90eXBlOiAnY29nbml0bycsXG4gICAgICAgICAgY29nbml0b191c2VyX3Bvb2xfaWQ6IHByb3BzLnVzZXJQb29sSWQsXG4gICAgICAgICAgY29nbml0b19jbGllbnRfaWQ6IHByb3BzLmNsaWVudElkLFxuICAgICAgICAgIGNvZ25pdG9fZG9tYWluOiBwcm9wcy5jb2duaXRvRG9tYWluLFxuICAgICAgICAgIGNvZ25pdG9fcmVnaW9uOiBwcm9wcy5jb2duaXRvUmVnaW9uLFxuICAgICAgICAgIHJlZGlyZWN0X3VyaTogYGh0dHBzOi8vJHtwcm9wcy5kb21haW5OYW1lfS9vYXV0aDIvY2FsbGJhY2tgLFxuICAgICAgICAgIGR5bmFtb2RiX3RhYmxlX25hbWU6IHByb3BzLnRhYmxlTmFtZSxcbiAgICAgICAgICBkeW5hbW9kYl9yZWdpb246IHByb3BzLnRhYmxlUmVnaW9uLFxuICAgICAgICAgIHNlY3VyaXR5X2FsZXJ0c190b3BpY19hcm46IHByb3BzLnNlY3VyaXR5QWxlcnRzVG9waWNBcm4gPz8gJycsXG4gICAgICAgICAgYXV0b19yZXZva2Vfb25fcmV1c2U6IHByb3BzLmF1dG9SZXZva2VPblJldXNlID8gJ3RydWUnIDogJ2ZhbHNlJyxcbiAgICAgICAgICBqd3RfY2xhaW1zX3doaXRlbGlzdDogSlNPTi5zdHJpbmdpZnkoand0Q2xhaW1zV2hpdGVsaXN0KSxcbiAgICAgICAgICBhbGxvd2VkX2RvbWFpbnM6IEpTT04uc3RyaW5naWZ5KFtwcm9wcy5kb21haW5OYW1lXSksXG4gICAgICAgIH0pLFxuICAgICAgICBnZW5lcmF0ZVN0cmluZ0tleTogJ2htYWNfa2V5JyxcbiAgICAgICAgZXhjbHVkZVB1bmN0dWF0aW9uOiB0cnVlLFxuICAgICAgICBwYXNzd29yZExlbmd0aDogNjQsXG4gICAgICAgIHJlcXVpcmVFYWNoSW5jbHVkZWRUeXBlOiBmYWxzZSxcbiAgICAgIH0sXG4gICAgICBkZXNjcmlwdGlvbjogJ0NvbmZpZ3VyYXRpb24gYW5kIEhNQUMgc2VjcmV0IGZvciBDbG91ZEZyb250IENvZ25pdG8gYXV0aGVudGljYXRpb24nLFxuICAgIH0pO1xuXG4gICAgdGhpcy5rdnMgPSBuZXcgY2xvdWRmcm9udC5LZXlWYWx1ZVN0b3JlKHRoaXMsICdBdXRoS1ZTJywge1xuICAgICAgY29tbWVudDogJ0hNQUMgc2VjcmV0IGFuZCBzZXNzaW9uIHJldm9jYXRpb24gZGVueWxpc3QnLFxuICAgIH0pO1xuICB9XG59XG4iXX0=

package/lib/cloudfront/auth/index.d.ts

@@ -0,0 +1,3 @@
+export * from './authSecretManager';
+export * from './authLambdaFunctions';
+export * from './cognitoAuthSecretManager';

package/lib/cloudfront/auth/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./authSecretManager"), exports);
+__exportStar(require("./authLambdaFunctions"), exports);
+__exportStar(require("./cognitoAuthSecretManager"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2xvdWRmcm9udC9hdXRoL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxzREFBb0M7QUFDcEMsd0RBQXNDO0FBQ3RDLDZEQUEyQyIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCAqIGZyb20gJy4vYXV0aFNlY3JldE1hbmFnZXInO1xuZXhwb3J0ICogZnJvbSAnLi9hdXRoTGFtYmRhRnVuY3Rpb25zJztcbmV4cG9ydCAqIGZyb20gJy4vY29nbml0b0F1dGhTZWNyZXRNYW5hZ2VyJztcbiJdfQ==

package/lib/cloudfront/authSecurityTable.d.ts

@@ -0,0 +1,10 @@
+import { aws_dynamodb as dynamodb, RemovalPolicy } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+export interface AuthSecurityTableProps {
+    readonly tableName?: string;
+    readonly removalPolicy?: RemovalPolicy;
+}
+export declare class AuthSecurityTable extends constructs.Construct {
+    readonly table: dynamodb.ITable;
+    constructor(scope: constructs.Construct, id: string, props?: AuthSecurityTableProps);
+}

package/lib/cloudfront/authSecurityTable.js

@@ -0,0 +1,78 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthSecurityTable = void 0;
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class AuthSecurityTable extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const table = new aws_cdk_lib_1.aws_dynamodb.Table(this, 'Table', {
+            tableName: props?.tableName,
+            partitionKey: { name: 'pk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            sortKey: { name: 'sk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            billingMode: aws_cdk_lib_1.aws_dynamodb.BillingMode.PAY_PER_REQUEST,
+            timeToLiveAttribute: 'expiresAt',
+            stream: aws_cdk_lib_1.aws_dynamodb.StreamViewType.NEW_AND_OLD_IMAGES,
+            removalPolicy: props?.removalPolicy ?? aws_cdk_lib_1.RemovalPolicy.RETAIN,
+            pointInTimeRecoverySpecification: { pointInTimeRecoveryEnabled: true },
+            encryption: aws_cdk_lib_1.aws_dynamodb.TableEncryption.AWS_MANAGED,
+        });
+        table.addGlobalSecondaryIndex({
+            indexName: 'GSI1',
+            partitionKey: { name: 'gsi1pk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            sortKey: { name: 'gsi1sk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            projectionType: aws_cdk_lib_1.aws_dynamodb.ProjectionType.ALL,
+        });
+        table.addGlobalSecondaryIndex({
+            indexName: 'GSI2',
+            partitionKey: { name: 'gsi2pk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            sortKey: { name: 'gsi2sk', type: aws_cdk_lib_1.aws_dynamodb.AttributeType.STRING },
+            projectionType: aws_cdk_lib_1.aws_dynamodb.ProjectionType.ALL,
+        });
+        this.table = table;
+        new core.CfnOutput(this, 'TableName', {
+            value: this.table.tableName,
+            description: 'Auth Security DynamoDB Table Name',
+        });
+        new core.CfnOutput(this, 'TableArn', {
+            value: this.table.tableArn,
+            description: 'Auth Security DynamoDB Table ARN',
+        });
+    }
+}
+exports.AuthSecurityTable = AuthSecurityTable;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aFNlY3VyaXR5VGFibGUuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY2xvdWRmcm9udC9hdXRoU2VjdXJpdHlUYWJsZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxrREFBb0M7QUFDcEMsNkNBR3FCO0FBQ3JCLHVEQUF5QztBQU96QyxNQUFhLGlCQUFrQixTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBR3pELFlBQVksS0FBMkIsRUFBRSxFQUFVLEVBQUUsS0FBOEI7UUFDakYsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixNQUFNLEtBQUssR0FBRyxJQUFJLDBCQUFRLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxPQUFPLEVBQUU7WUFDOUMsU0FBUyxFQUFFLEtBQUssRUFBRSxTQUFTO1lBQzNCLFlBQVksRUFBRSxFQUFFLElBQUksRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFLDBCQUFRLENBQUMsYUFBYSxDQUFDLE1BQU0sRUFBRTtZQUNqRSxPQUFPLEVBQUUsRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBRSwwQkFBUSxDQUFDLGFBQWEsQ0FBQyxNQUFNLEVBQUU7WUFDNUQsV0FBVyxFQUFFLDBCQUFRLENBQUMsV0FBVyxDQUFDLGVBQWU7WUFDakQsbUJBQW1CLEVBQUUsV0FBVztZQUNoQyxNQUFNLEVBQUUsMEJBQVEsQ0FBQyxjQUFjLENBQUMsa0JBQWtCO1lBQ2xELGFBQWEsRUFBRSxLQUFLLEVBQUUsYUFBYSxJQUFJLDJCQUFhLENBQUMsTUFBTTtZQUMzRCxnQ0FBZ0MsRUFBRSxFQUFFLDBCQUEwQixFQUFFLElBQUksRUFBRTtZQUN0RSxVQUFVLEVBQUUsMEJBQVEsQ0FBQyxlQUFlLENBQUMsV0FBVztTQUNqRCxDQUFDLENBQUM7UUFFSCxLQUFLLENBQUMsdUJBQXVCLENBQUM7WUFDNUIsU0FBUyxFQUFFLE1BQU07WUFDakIsWUFBWSxFQUFFLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxJQUFJLEVBQUUsMEJBQVEsQ0FBQyxhQUFhLENBQUMsTUFBTSxFQUFFO1lBQ3JFLE9BQU8sRUFBRSxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFLDBCQUFRLENBQUMsYUFBYSxDQUFDLE1BQU0sRUFBRTtZQUNoRSxjQUFjLEVBQUUsMEJBQVEsQ0FBQyxjQUFjLENBQUMsR0FBRztTQUM1QyxDQUFDLENBQUM7UUFFSCxLQUFLLENBQUMsdUJBQXVCLENBQUM7WUFDNUIsU0FBUyxFQUFFLE1BQU07WUFDakIsWUFBWSxFQUFFLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxJQUFJLEVBQUUsMEJBQVEsQ0FBQyxhQUFhLENBQUMsTUFBTSxFQUFFO1lBQ3JFLE9BQU8sRUFBRSxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFLDBCQUFRLENBQUMsYUFBYSxDQUFDLE1BQU0sRUFBRTtZQUNoRSxjQUFjLEVBQUUsMEJBQVEsQ0FBQyxjQUFjLENBQUMsR0FBRztTQUM1QyxDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsS0FBSyxHQUFHLEtBQUssQ0FBQztRQUVuQixJQUFJLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLFdBQVcsRUFBRTtZQUNwQyxLQUFLLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxTQUFTO1lBQzNCLFdBQVcsRUFBRSxtQ0FBbUM7U0FDakQsQ0FBQyxDQUFDO1FBRUgsSUFBSSxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7WUFDbkMsS0FBSyxFQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsUUFBUTtZQUMxQixXQUFXLEVBQUUsa0NBQWtDO1NBQ2hELENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQTVDRCw4Q0E0Q0MiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb3JlIGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7XG4gIGF3c19keW5hbW9kYiBhcyBkeW5hbW9kYixcbiAgUmVtb3ZhbFBvbGljeSxcbn0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0ICogYXMgY29uc3RydWN0cyBmcm9tICdjb25zdHJ1Y3RzJztcblxuZXhwb3J0IGludGVyZmFjZSBBdXRoU2VjdXJpdHlUYWJsZVByb3BzIHtcbiAgcmVhZG9ubHkgdGFibGVOYW1lPzogc3RyaW5nO1xuICByZWFkb25seSByZW1vdmFsUG9saWN5PzogUmVtb3ZhbFBvbGljeTtcbn1cblxuZXhwb3J0IGNsYXNzIEF1dGhTZWN1cml0eVRhYmxlIGV4dGVuZHMgY29uc3RydWN0cy5Db25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkgdGFibGU6IGR5bmFtb2RiLklUYWJsZTtcblxuICBjb25zdHJ1Y3RvcihzY29wZTogY29uc3RydWN0cy5Db25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzPzogQXV0aFNlY3VyaXR5VGFibGVQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICBjb25zdCB0YWJsZSA9IG5ldyBkeW5hbW9kYi5UYWJsZSh0aGlzLCAnVGFibGUnLCB7XG4gICAgICB0YWJsZU5hbWU6IHByb3BzPy50YWJsZU5hbWUsXG4gICAgICBwYXJ0aXRpb25LZXk6IHsgbmFtZTogJ3BrJywgdHlwZTogZHluYW1vZGIuQXR0cmlidXRlVHlwZS5TVFJJTkcgfSxcbiAgICAgIHNvcnRLZXk6IHsgbmFtZTogJ3NrJywgdHlwZTogZHluYW1vZGIuQXR0cmlidXRlVHlwZS5TVFJJTkcgfSxcbiAgICAgIGJpbGxpbmdNb2RlOiBkeW5hbW9kYi5CaWxsaW5nTW9kZS5QQVlfUEVSX1JFUVVFU1QsXG4gICAgICB0aW1lVG9MaXZlQXR0cmlidXRlOiAnZXhwaXJlc0F0JyxcbiAgICAgIHN0cmVhbTogZHluYW1vZGIuU3RyZWFtVmlld1R5cGUuTkVXX0FORF9PTERfSU1BR0VTLFxuICAgICAgcmVtb3ZhbFBvbGljeTogcHJvcHM/LnJlbW92YWxQb2xpY3kgPz8gUmVtb3ZhbFBvbGljeS5SRVRBSU4sXG4gICAgICBwb2ludEluVGltZVJlY292ZXJ5U3BlY2lmaWNhdGlvbjogeyBwb2ludEluVGltZVJlY292ZXJ5RW5hYmxlZDogdHJ1ZSB9LFxuICAgICAgZW5jcnlwdGlvbjogZHluYW1vZGIuVGFibGVFbmNyeXB0aW9uLkFXU19NQU5BR0VELFxuICAgIH0pO1xuXG4gICAgdGFibGUuYWRkR2xvYmFsU2Vjb25kYXJ5SW5kZXgoe1xuICAgICAgaW5kZXhOYW1lOiAnR1NJMScsXG4gICAgICBwYXJ0aXRpb25LZXk6IHsgbmFtZTogJ2dzaTFwaycsIHR5cGU6IGR5bmFtb2RiLkF0dHJpYnV0ZVR5cGUuU1RSSU5HIH0sXG4gICAgICBzb3J0S2V5OiB7IG5hbWU6ICdnc2kxc2snLCB0eXBlOiBkeW5hbW9kYi5BdHRyaWJ1dGVUeXBlLlNUUklORyB9LFxuICAgICAgcHJvamVjdGlvblR5cGU6IGR5bmFtb2RiLlByb2plY3Rpb25UeXBlLkFMTCxcbiAgICB9KTtcblxuICAgIHRhYmxlLmFkZEdsb2JhbFNlY29uZGFyeUluZGV4KHtcbiAgICAgIGluZGV4TmFtZTogJ0dTSTInLFxuICAgICAgcGFydGl0aW9uS2V5OiB7IG5hbWU6ICdnc2kycGsnLCB0eXBlOiBkeW5hbW9kYi5BdHRyaWJ1dGVUeXBlLlNUUklORyB9LFxuICAgICAgc29ydEtleTogeyBuYW1lOiAnZ3NpMnNrJywgdHlwZTogZHluYW1vZGIuQXR0cmlidXRlVHlwZS5TVFJJTkcgfSxcbiAgICAgIHByb2plY3Rpb25UeXBlOiBkeW5hbW9kYi5Qcm9qZWN0aW9uVHlwZS5BTEwsXG4gICAgfSk7XG5cbiAgICB0aGlzLnRhYmxlID0gdGFibGU7XG5cbiAgICBuZXcgY29yZS5DZm5PdXRwdXQodGhpcywgJ1RhYmxlTmFtZScsIHtcbiAgICAgIHZhbHVlOiB0aGlzLnRhYmxlLnRhYmxlTmFtZSxcbiAgICAgIGRlc2NyaXB0aW9uOiAnQXV0aCBTZWN1cml0eSBEeW5hbW9EQiBUYWJsZSBOYW1lJyxcbiAgICB9KTtcblxuICAgIG5ldyBjb3JlLkNmbk91dHB1dCh0aGlzLCAnVGFibGVBcm4nLCB7XG4gICAgICB2YWx1ZTogdGhpcy50YWJsZS50YWJsZUFybixcbiAgICAgIGRlc2NyaXB0aW9uOiAnQXV0aCBTZWN1cml0eSBEeW5hbW9EQiBUYWJsZSBBUk4nLFxuICAgIH0pO1xuICB9XG59XG4iXX0=

package/lib/cloudfront/cloudfront-functions/function-composer.d.ts

@@ -0,0 +1,21 @@
+import { Extension, ExtensionConfig } from '../patterns/securedCloudFront';
+export interface ComposerConfig {
+    readonly tenantId?: string;
+    readonly cognitoDomain?: string;
+    readonly clientId?: string;
+    readonly redirectUri?: string;
+}
+/**
+ * Generates a combined CloudFront Function from modular check functions
+ * based on requested extensions
+ */
+export declare class FunctionComposer {
+    private readonly modulesDir;
+    constructor();
+    /**
+     * Generate combined function code based on requested extensions
+     */
+    compose(extensions: Extension[], config?: ExtensionConfig, composerConfig?: ComposerConfig): string;
+    private loadModule;
+    private generateHandler;
+}