npm - terruvim-core-test - Versions diffs - 0.0.1 - Mend

terruvim-core-test 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

package/dist/src/core/config.js +2 -0
package/dist/src/core/configMerge.js +266 -0
package/dist/src/core/configUtils.js +72 -0
package/dist/src/core/dependencyResolver.js +17 -0
package/dist/src/core/deployUtils.js +73 -0
package/dist/src/core/dynamicResourceManager.js +709 -0
package/dist/src/core/entrypoint.js +56 -0
package/dist/src/core/generateFinalConfig.js +45 -0
package/dist/src/core/index.js +24 -0
package/dist/src/core/resourceMap.js +99 -0
package/dist/src/factories/accountPermissions.js +134 -0
package/dist/src/factories/acmFactory.js +30 -0
package/dist/src/factories/albFactory.js +331 -0
package/dist/src/factories/attachSecretAccessPolicy.js +56 -0
package/dist/src/factories/auroraFactory.js +619 -0
package/dist/src/factories/backupPolicy.js +152 -0
package/dist/src/factories/bastionFactory.js +91 -0
package/dist/src/factories/bedrockFactory.js +334 -0
package/dist/src/factories/budgetFactory.js +64 -0
package/dist/src/factories/buildAlbCloudWatchAlarmsHelper.js +79 -0
package/dist/src/factories/buildAlbCloudWatchDashboardHelper.js +106 -0
package/dist/src/factories/buildAlbListenerRulesHelper.js +45 -0
package/dist/src/factories/buildAlbListenersHelper.js +64 -0
package/dist/src/factories/buildAlbResourceHelper.js +54 -0
package/dist/src/factories/buildAlbRoute53RecordHelper.js +49 -0
package/dist/src/factories/buildAlbTargetGroupsHelper.js +47 -0
package/dist/src/factories/buildAlbWafAssociationHelper.js +43 -0
package/dist/src/factories/buildAndPushDockerImage.js +57 -0
package/dist/src/factories/buildAwsCloudWatchAlarmsHelper.js +118 -0
package/dist/src/factories/buildCloudFrontRoute53RecordHelper.js +49 -0
package/dist/src/factories/buildEcsClusterArgs.js +32 -0
package/dist/src/factories/buildEcsSecrets.js +48 -0
package/dist/src/factories/buildForceRedeployEnv.js +8 -0
package/dist/src/factories/buildResourceOptions.js +11 -0
package/dist/src/factories/buildS3StaticHostingCicdHelper.js +142 -0
package/dist/src/factories/buildS3StaticHostingCloudWatchDashboardHelper.js +122 -0
package/dist/src/factories/cloudTrailFactory.js +22 -0
package/dist/src/factories/cloudWatchCompositeAlarmFactory.js +91 -0
package/dist/src/factories/cloudWatchInsightsQueryFactory.js +83 -0
package/dist/src/factories/cloudWatchLogGroupFactory.js +84 -0
package/dist/src/factories/cloudfrontCodePipelineFactory.js +357 -0
package/dist/src/factories/cloudwatchAlarmsFactory.js +121 -0
package/dist/src/factories/codePipelineNotificationFactory.js +193 -0
package/dist/src/factories/codePipelineNotificationRulesFactory.js +117 -0
package/dist/src/factories/codeStarConnectionFactory.js +56 -0
package/dist/src/factories/collectSecretKeys.js +18 -0
package/dist/src/factories/comprehensiveNotificationFactory.js +250 -0
package/dist/src/factories/costAndUsageReportFactory.js +32 -0
package/dist/src/factories/createAwsAcmCertificate.js +40 -0
package/dist/src/factories/createAwsBudget.js +40 -0
package/dist/src/factories/createAwsCloudTrail.js +59 -0
package/dist/src/factories/createAwsCloudwatchDashboard.js +59 -0
package/dist/src/factories/createAwsEc2Instance.js +40 -0
package/dist/src/factories/createAwsEventBridgeEventBus.js +40 -0
package/dist/src/factories/createAwsGuardDutyDetector.js +40 -0
package/dist/src/factories/createAwsGuardDutyDetectorFeature.js +45 -0
package/dist/src/factories/createAwsGuardDutyFilter.js +46 -0
package/dist/src/factories/createAwsGuardDutyPublishingDestination.js +50 -0
package/dist/src/factories/createAwsHostedZone.js +40 -0
package/dist/src/factories/createAwsIamRole.js +49 -0
package/dist/src/factories/createAwsIamRoleInlinePolicies.js +48 -0
package/dist/src/factories/createAwsIdentitystoreGroup.js +44 -0
package/dist/src/factories/createAwsIdentitystoreGroupMembership.js +56 -0
package/dist/src/factories/createAwsIdentitystoreUser.js +47 -0
package/dist/src/factories/createAwsInspectorAssessmentTarget.js +47 -0
package/dist/src/factories/createAwsInspectorDelegatedAdminAccount.js +47 -0
package/dist/src/factories/createAwsInspectorEnabler.js +49 -0
package/dist/src/factories/createAwsInspectorOrganizationConfiguration.js +55 -0
package/dist/src/factories/createAwsKmsAliases.js +47 -0
package/dist/src/factories/createAwsKmsKey.js +51 -0
package/dist/src/factories/createAwsMacieAccount.js +45 -0
package/dist/src/factories/createAwsMacieClassificationJob.js +53 -0
package/dist/src/factories/createAwsMacieMember.js +49 -0
package/dist/src/factories/createAwsMacieOrganizationConfiguration.js +44 -0
package/dist/src/factories/createAwsRdsCluster.js +40 -0
package/dist/src/factories/createAwsRdsClusterInstance.js +40 -0
package/dist/src/factories/createAwsRdsInstance.js +40 -0
package/dist/src/factories/createAwsRdsSubnetGroup.js +40 -0
package/dist/src/factories/createAwsRoute53Record.js +40 -0
package/dist/src/factories/createAwsSecret.js +40 -0
package/dist/src/factories/createAwsSecretRotation.js +40 -0
package/dist/src/factories/createAwsSecretVersion.js +40 -0
package/dist/src/factories/createAwsSecurityGroup.js +40 -0
package/dist/src/factories/createAwsSecurityGroupRule.js +40 -0
package/dist/src/factories/createAwsSecurityHubAccount.js +40 -0
package/dist/src/factories/createAwsSecurityHubAutomationRule.js +48 -0
package/dist/src/factories/createAwsSecurityHubStandardsControl.js +44 -0
package/dist/src/factories/createAwsSecurityHubStandardsSubscription.js +42 -0
package/dist/src/factories/createAwsSesDomainDkim.js +40 -0
package/dist/src/factories/createAwsSesDomainIdentity.js +40 -0
package/dist/src/factories/createAwsSesEmailIdentity.js +40 -0
package/dist/src/factories/createAwsSnsSubscription.js +62 -0
package/dist/src/factories/createAwsSnsTopic.js +41 -0
package/dist/src/factories/createAwsSqsQueue.js +40 -0
package/dist/src/factories/createAwsSsmParameters.js +66 -0
package/dist/src/factories/createAwsSsoAccountAssignment.js +66 -0
package/dist/src/factories/createAwsSsoPermissionSet.js +64 -0
package/dist/src/factories/createAwsStepFunctionsStateMachine.js +40 -0
package/dist/src/factories/createBudget.js +56 -0
package/dist/src/factories/createBudgetWithSnsAlert.js +79 -0
package/dist/src/factories/createCostAndUsageReport.js +40 -0
package/dist/src/factories/createEcrRepo.js +69 -0
package/dist/src/factories/createEcsRolesAndPolicies.js +84 -0
package/dist/src/factories/createEcsService.js +71 -0
package/dist/src/factories/createEnvSecret.js +60 -0
package/dist/src/factories/createGithubCodeStarConnection.js +44 -0
package/dist/src/factories/createIamUserWithAccessKey.js +44 -0
package/dist/src/factories/createLambdaFunction.js +89 -0
package/dist/src/factories/createLambdaPermission.js +57 -0
package/dist/src/factories/createListenerRule.js +68 -0
package/dist/src/factories/createLogGroup.js +44 -0
package/dist/src/factories/createSlackChannelConfiguration.js +49 -0
package/dist/src/factories/createTargetGroup.js +50 -0
package/dist/src/factories/createTaskDefinition.js +49 -0
package/dist/src/factories/createVpcEndpoint.js +49 -0
package/dist/src/factories/dashboardFactory.js +94 -0
package/dist/src/factories/dataProtectionPolicyBuilder.js +103 -0
package/dist/src/factories/ec2Factory.js +67 -0
package/dist/src/factories/ecsClusterFactory.js +90 -0
package/dist/src/factories/ecsCodePipelineFactory.js +308 -0
package/dist/src/factories/ecsServiceFactory.js +350 -0
package/dist/src/factories/enhancedCloudFrontCodePipelineFactory.js +205 -0
package/dist/src/factories/enhancedEcsCodePipelineFactory.js +189 -0
package/dist/src/factories/eventBridgeBusFactory.js +84 -0
package/dist/src/factories/eventBridgeFactory.js +26 -0
package/dist/src/factories/eventBridgeRuleFactory.js +114 -0
package/dist/src/factories/fetchAllSecrets.js +51 -0
package/dist/src/factories/getDeterministicPriority.js +13 -0
package/dist/src/factories/getOrCreateSshKeyPair.js +57 -0
package/dist/src/factories/guardDutyFactory.js +151 -0
package/dist/src/factories/hostedZoneFactory.js +30 -0
package/dist/src/factories/iamRoleFactory.js +29 -0
package/dist/src/factories/inspectorFactory.js +109 -0
package/dist/src/factories/kmsKeyFactory.js +32 -0
package/dist/src/factories/lambdaFactory.js +133 -0
package/dist/src/factories/lambdaPermissionFactory.js +32 -0
package/dist/src/factories/logDataProtectionPolicyFactory.js +81 -0
package/dist/src/factories/macieFactory.js +85 -0
package/dist/src/factories/networkingFactory.js +429 -0
package/dist/src/factories/opensearchCollectionFactory.js +109 -0
package/dist/src/factories/organizationFactory.js +221 -0
package/dist/src/factories/processReservedInstances.js +6 -0
package/dist/src/factories/processSavingsPlans.js +43 -0
package/dist/src/factories/rdsFactory.js +40 -0
package/dist/src/factories/recordFactory.js +36 -0
package/dist/src/factories/resolveEnvSecrets.js +14 -0
package/dist/src/factories/resourceFactory.js +12 -0
package/dist/src/factories/s3Factory.js +262 -0
package/dist/src/factories/s3StaticHostingFactory.backup.js +424 -0
package/dist/src/factories/s3StaticHostingFactory.js +348 -0
package/dist/src/factories/s3StaticHostingFactory.refactored.js +334 -0
package/dist/src/factories/savingsPlanFactory.js +26 -0
package/dist/src/factories/secretsManagerFactory.js +107 -0
package/dist/src/factories/securityGroupFactory.js +28 -0
package/dist/src/factories/securityGroupRuleFactory.js +43 -0
package/dist/src/factories/securityHubFactory.js +96 -0
package/dist/src/factories/sesDomainDkimFactory.js +25 -0
package/dist/src/factories/sesFactory.js +25 -0
package/dist/src/factories/sesIdentitiesFactory.js +134 -0
package/dist/src/factories/simpleNotificationFactory.js +112 -0
package/dist/src/factories/smtpUserFactory.js +108 -0
package/dist/src/factories/snsFactory.js +87 -0
package/dist/src/factories/sqsFactory.js +41 -0
package/dist/src/factories/ssmParameterFactory.js +67 -0
package/dist/src/factories/ssoFactory.js +32 -0
package/dist/src/factories/ssoGroupFactory.js +41 -0
package/dist/src/factories/ssoPermissionSetFactory.js +29 -0
package/dist/src/factories/ssoUserFactory.js +30 -0
package/dist/src/factories/stepFunctionsFactory.js +32 -0
package/dist/src/factories/tagPolicies.js +99 -0
package/dist/src/factories/transformBudgetCostFilters.js +8 -0
package/dist/src/factories/transformBudgetNotifications.js +12 -0
package/dist/src/factories/transformBudgetPlannedLimits.js +8 -0
package/dist/src/factories/types.js +2 -0
package/dist/src/factories/validateAcmConfig.js +26 -0
package/dist/src/factories/validateAuroraConfig.js +8 -0
package/dist/src/factories/validateBedrockConfig.js +124 -0
package/dist/src/factories/validateDashboardConfig.js +28 -0
package/dist/src/factories/validateEventBridgeConfig.js +14 -0
package/dist/src/factories/validateHostedZoneConfig.js +26 -0
package/dist/src/factories/validateIamRoleConfig.js +8 -0
package/dist/src/factories/validateKmsKeyConfig.js +8 -0
package/dist/src/factories/validateRdsConfig.js +17 -0
package/dist/src/factories/validateRoute53RecordConfig.js +41 -0
package/dist/src/factories/validateS3Config.js +8 -0
package/dist/src/factories/validateSecretsManagerConfig.js +8 -0
package/dist/src/factories/validateSecurityGroupConfig.js +8 -0
package/dist/src/factories/validateSecurityGroupRuleConfig.js +8 -0
package/dist/src/factories/validateSesDomainDkimConfig.js +8 -0
package/dist/src/factories/validateSesDomainIdentityConfig.js +8 -0
package/dist/src/factories/validateSesIdentitiesConfig.js +40 -0
package/dist/src/factories/validateSnsConfig.js +11 -0
package/dist/src/factories/validateSqsConfig.js +11 -0
package/dist/src/factories/validateSsmParameterFactoryConfig.js +9 -0
package/dist/src/factories/validateStepFunctionsConfig.js +8 -0
package/dist/src/factories/vpcEndpointFactory.js +98 -0
package/dist/src/factories/wafFactory.js +499 -0
package/package.json +71 -0
package/scripts/copy-assets.js +136 -0

package/dist/src/factories/logDataProtectionPolicyFactory.js ADDED Viewed

@@ -0,0 +1,81 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogDataProtectionPolicyFactory = void 0;
+const aws = __importStar(require("@pulumi/aws"));
+const resourceFactory_1 = require("./resourceFactory");
+const dataProtectionPolicyBuilder_1 = require("./dataProtectionPolicyBuilder");
+class LogDataProtectionPolicyFactory extends resourceFactory_1.ResourceFactory {
+    async createResource(config, provider) {
+        this.validateConfig(config);
+        if (!config.configuration.dataProtection?.enabled) {
+            throw new Error(`Data protection must be enabled for ${config.id}`);
+        }
+        const dataProtectionPolicy = this.buildDataProtectionPolicy(config);
+        const policy = new aws.cloudwatch.LogDataProtectionPolicy(`${config.id}-data-protection-policy`, {
+            logGroupName: config.configuration.logGroupName,
+            policyDocument: JSON.stringify(dataProtectionPolicy),
+        }, provider ? { provider } : undefined);
+        return policy;
+    }
+    getOutputs(resource) {
+        return {
+            policyId: resource.id,
+            logGroupName: resource.logGroupName,
+        };
+    }
+    buildDataProtectionPolicy(config) {
+        const dataProtectionConfig = {
+            enabled: config.configuration.dataProtection.enabled,
+            policy: config.configuration.dataProtection.policy,
+            auditLogGroup: config.configuration.dataProtection.auditLogGroup,
+            enableAudit: config.configuration.dataProtection.enableAudit,
+            enableRedaction: config.configuration.dataProtection.enableRedaction,
+            dataIdentifiers: config.configuration.dataProtection.dataIdentifiers,
+            customDataIdentifiers: config.configuration.dataProtection.customDataIdentifiers,
+            operations: config.configuration.dataProtection.operations,
+        };
+        return (0, dataProtectionPolicyBuilder_1.buildDataProtectionPolicy)(dataProtectionConfig, config.configuration.logGroupName, dataProtectionPolicyBuilder_1.DEFAULT_DATA_IDENTIFIERS.GENERAL, "ALB WAF Logs");
+    }
+    validateConfig(config) {
+        if (!config.configuration.logGroupName) {
+            throw new Error(`Log group name is required for ${config.id}`);
+        }
+        if (!config.configuration.dataProtection) {
+            throw new Error(`Data protection configuration is required for ${config.id}`);
+        }
+    }
+}
+exports.LogDataProtectionPolicyFactory = LogDataProtectionPolicyFactory;

package/dist/src/factories/macieFactory.js ADDED Viewed

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MacieFactory = void 0;
+const resourceFactory_1 = require("./resourceFactory");
+const createAwsMacieAccount_1 = require("./createAwsMacieAccount");
+const createAwsMacieClassificationJob_1 = require("./createAwsMacieClassificationJob");
+const createAwsMacieOrganizationConfiguration_1 = require("./createAwsMacieOrganizationConfiguration");
+const createAwsMacieMember_1 = require("./createAwsMacieMember");
+class MacieFactory extends resourceFactory_1.ResourceFactory {
+    async createResource(config) {
+        if (config.hooks?.beforeCreateResources)
+            await config.hooks.beforeCreateResources(config);
+        const resources = {};
+        if (config.configuration.account) {
+            resources.account = (0, createAwsMacieAccount_1.createAwsMacieAccount)(`${config.id}-account`, config.configuration.account);
+        }
+        if (config.configuration.organizationConfiguration && resources.account) {
+            resources.organizationConfiguration = (0, createAwsMacieOrganizationConfiguration_1.createAwsMacieOrganizationConfiguration)(`${config.id}-org-config`, config.configuration.organizationConfiguration, [resources.account]);
+        }
+        if (config.configuration.classificationJobs) {
+            resources.classificationJobs = config.configuration.classificationJobs.map((jobConfig, index) => {
+                const dependencies = resources.account ? [resources.account] : [];
+                return (0, createAwsMacieClassificationJob_1.createAwsMacieClassificationJob)({
+                    ...jobConfig,
+                    name: `${config.id}-${jobConfig.name || `job-${index}`}`,
+                }, dependencies);
+            });
+        }
+        if (config.configuration.members) {
+            resources.members = config.configuration.members.map((memberConfig, index) => {
+                const dependencies = resources.account ? [resources.account] : [];
+                return (0, createAwsMacieMember_1.createAwsMacieMember)(`${config.id}-member-${index}`, memberConfig, dependencies);
+            });
+        }
+        if (config.hooks?.afterCreateResources)
+            await config.hooks.afterCreateResources(resources, config);
+        return resources;
+    }
+    getOutputs(resources) {
+        const outputs = {};
+        if (resources.account) {
+            outputs.accountId = resources.account.id;
+            outputs.accountServiceRole = resources.account.serviceRole;
+            outputs.accountStatus = resources.account.status;
+        }
+        if (resources.organizationConfiguration) {
+            outputs.organizationConfigurationId = resources.organizationConfiguration.id;
+        }
+        if (resources.classificationJobs && resources.classificationJobs.length > 0) {
+            outputs.classificationJobIds = resources.classificationJobs.map((job) => job.jobId);
+            outputs.classificationJobArns = resources.classificationJobs.map((job) => job.jobArn);
+        }
+        if (resources.members && resources.members.length > 0) {
+            outputs.memberIds = resources.members.map((member) => member.id);
+            outputs.memberAccountIds = resources.members.map((member) => member.accountId);
+        }
+        return outputs;
+    }
+    validateConfig(config) {
+        if (!config.id) {
+            throw new Error("Macie factory configuration must include an 'id'");
+        }
+        if (!config.configuration) {
+            throw new Error("Macie factory configuration must include a 'configuration' object");
+        }
+        if (config.configuration.classificationJobs) {
+            config.configuration.classificationJobs.forEach((job, index) => {
+                if (!job.jobType) {
+                    throw new Error(`Classification job at index ${index} must specify jobType`);
+                }
+                if (!job.s3JobDefinition || !job.s3JobDefinition.bucketDefinitions) {
+                    throw new Error(`Classification job at index ${index} must include s3JobDefinition with bucketDefinitions`);
+                }
+            });
+        }
+        if (config.configuration.members) {
+            config.configuration.members.forEach((member, index) => {
+                if (!member.accountId || !member.email) {
+                    throw new Error(`Member at index ${index} must include both accountId and email`);
+                }
+            });
+        }
+    }
+}
+exports.MacieFactory = MacieFactory;

package/dist/src/factories/networkingFactory.js ADDED Viewed

@@ -0,0 +1,429 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdvancedNetworkingFactory = exports.NetworkingFactory = void 0;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const resourceFactory_1 = require("./resourceFactory");
+const dataProtectionPolicyBuilder_1 = require("./dataProtectionPolicyBuilder");
+class NetworkingFactory extends resourceFactory_1.ResourceFactory {
+    createResource(config, provider) {
+        const vpc = new aws.ec2.Vpc(`${config.meta.environment}-${config.id}-vpc`, {
+            cidrBlock: config.configuration.vpc.cidrBlock,
+            enableDnsSupport: true,
+            enableDnsHostnames: true,
+        }, provider ? { provider } : undefined);
+        const subnets = (config.configuration.subnets || []).map((subnet) => {
+            return new aws.ec2.Subnet(`${config.meta.environment}-${subnet.name}`, {
+                vpcId: vpc.id,
+                cidrBlock: subnet.cidrBlock,
+                availabilityZone: subnet.availabilityZone,
+            }, provider ? { provider } : undefined);
+        });
+        const igw = new aws.ec2.InternetGateway(`${config.meta.environment}-${config.id}-igw`, {
+            vpcId: vpc.id,
+        }, provider ? { provider } : undefined);
+        const routeTable = new aws.ec2.RouteTable(`${config.meta.environment}-${config.id}-rt`, {
+            vpcId: vpc.id,
+            routes: [
+                {
+                    cidrBlock: "0.0.0.0/0",
+                    gatewayId: igw.id,
+                },
+            ],
+        }, provider ? { provider } : undefined);
+        subnets.forEach((subnet, idx) => {
+            new aws.ec2.RouteTableAssociation(`${config.meta.environment}-${config.id}-rta-${idx}`, {
+                subnetId: subnet.id,
+                routeTableId: routeTable.id,
+            }, provider ? { provider } : undefined);
+        });
+        return { vpc, subnets, igw, routeTable };
+    }
+    getOutputs(resource) {
+        console.log("[NetworkingFactory] getOutputs: subnets:", resource.subnets.map(s => s.id));
+        console.log("[NetworkingFactory] getOutputs: configSubnets:", resource.config?.configuration?.subnets || []);
+        const configSubnets = resource.config?.configuration?.subnets || [];
+        const subnets = resource.subnets;
+        const publicSubnetIds = subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "public")
+            .map(s => s.id);
+        const privateSubnetIds = subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "private")
+            .map(s => s.id);
+        const isolatedSubnetIds = subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "isolated")
+            .map(s => s.id);
+        const subnetNameMap = {};
+        configSubnets.forEach((subnet, idx) => {
+            subnetNameMap[subnet.name] = subnets[idx].id;
+        });
+        console.log("[NetworkingFactory] getOutputs: subnetNameMap:", subnetNameMap);
+        return {
+            vpcId: resource.vpc.id,
+            subnetIds: subnets.map(s => s.id),
+            publicSubnetIds,
+            privateSubnetIds,
+            isolatedSubnetIds,
+            subnetNameMap,
+            internetGatewayId: resource.igw.id,
+            routeTableId: resource.routeTable.id,
+        };
+    }
+    validateConfig(config) {
+        if (!config.configuration?.vpc?.cidrBlock) {
+            throw new Error("Networking config must include vpc.cidrBlock");
+        }
+        if (!Array.isArray(config.configuration.subnets) || config.configuration.subnets.length === 0) {
+            throw new Error("Networking config must include at least one subnet");
+        }
+    }
+}
+exports.NetworkingFactory = NetworkingFactory;
+class AdvancedNetworkingFactory extends resourceFactory_1.ResourceFactory {
+    async createResource(config, provider) {
+        const { configuration } = config;
+        const environment = config.meta?.environment || 'dev';
+        const region = config.meta?.region || 'us-east-1';
+        const resourceId = config.id || 'networking';
+        if (config.hooks?.beforeCreateVpc)
+            await config.hooks.beforeCreateVpc(config);
+        const vpc = new aws.ec2.Vpc(`${environment}-${resourceId}-vpc`, {
+            cidrBlock: configuration.vpc.cidrBlock,
+            enableDnsSupport: configuration.vpc.enableDnsSupport ?? true,
+            enableDnsHostnames: configuration.vpc.enableDnsHostnames ?? true,
+            instanceTenancy: configuration.vpc.instanceTenancy ?? "default",
+            tags: configuration.vpc.tags,
+        }, provider ? { provider } : undefined);
+        const subnets = (configuration.subnets || []).map((subnet) => new aws.ec2.Subnet(`${environment}-${subnet.name}`, {
+            vpcId: vpc.id,
+            cidrBlock: subnet.cidrBlock,
+            availabilityZone: subnet.availabilityZone,
+            mapPublicIpOnLaunch: subnet.type === "public" ? true : subnet.mapPublicIpOnLaunch,
+            tags: subnet.tags,
+        }, provider ? { provider } : undefined));
+        if (config.hooks?.afterCreateSubnets)
+            await config.hooks.afterCreateSubnets(subnets, config);
+        let igw = undefined;
+        if (configuration.internetGateway?.enabled !== false) {
+            igw = new aws.ec2.InternetGateway(`${environment}-${resourceId}-igw`, { vpcId: vpc.id }, provider ? { provider } : undefined);
+        }
+        let natGateways = [];
+        let eips = [];
+        if (configuration.natGateways?.enabled) {
+            const azs = Array.from(new Set(configuration.subnets.filter(s => s.type === "public").map(s => s.availabilityZone)));
+            azs.forEach((az, idx) => {
+                const eip = new aws.ec2.Eip(`${config.meta.environment}-${config.id}-eip-${az}`, {}, provider ? { provider } : undefined);
+                eips.push(eip);
+                const publicSubnet = subnets.find(s => configuration.subnets[subnets.indexOf(s)].availabilityZone === az && configuration.subnets[subnets.indexOf(s)].type === "public");
+                if (publicSubnet) {
+                    natGateways.push(new aws.ec2.NatGateway(`${config.meta.environment}-${config.id}-natgw-${az}`, {
+                        subnetId: publicSubnet.id,
+                        allocationId: eip.id,
+                    }, provider ? { provider } : undefined));
+                }
+            });
+        }
+        const routeTables = (configuration.routeTables || []).map(rt => {
+            const routes = (rt.routes || []).map(route => {
+                let gatewayId = undefined;
+                if (route.gatewayType === "igw" && igw)
+                    gatewayId = igw.id;
+                if (route.gatewayType === "nat" && natGateways.length > 0) {
+                    const nat = route.natGatewayAz ? natGateways.find((ng, idx) => configuration.subnets[subnets.indexOf(subnets[idx])].availabilityZone === route.natGatewayAz) : natGateways[0];
+                    if (nat)
+                        gatewayId = nat.id;
+                }
+                return { cidrBlock: route.cidrBlock, gatewayId };
+            });
+            const rtRes = new aws.ec2.RouteTable(`${config.meta.environment}-${config.id}-rt-${rt.name}`, { vpcId: vpc.id, routes, tags: rt.tags }, provider ? { provider } : undefined);
+            rt.subnetNames.forEach(subnetName => {
+                const subnet = subnets.find((s, idx) => configuration.subnets[idx].name === subnetName);
+                if (subnet) {
+                    new aws.ec2.RouteTableAssociation(`${config.meta.environment}-${config.id}-rta-${rt.name}-${subnetName}`, { subnetId: subnet.id, routeTableId: rtRes.id }, provider ? { provider } : undefined);
+                }
+            });
+            return rtRes;
+        });
+        let securityGroups = [];
+        if (configuration.securityGroups) {
+            securityGroups = configuration.securityGroups.map(sg => new aws.ec2.SecurityGroup(`${config.meta.environment}-${config.id}-sg-${sg.name}`, {
+                vpcId: vpc.id,
+                description: sg.description,
+                ingress: sg.ingress,
+                egress: sg.egress,
+                tags: sg.tags,
+            }, provider ? { provider } : undefined));
+        }
+        let vpcEndpoints = [];
+        if (configuration.vpcEndpoints) {
+            vpcEndpoints = configuration.vpcEndpoints.map(ep => {
+                const subnetIds = ep.subnets
+                    ? ep.subnets
+                        .map(name => {
+                        const subnet = subnets.find((s, idx) => configuration.subnets[idx].name === name);
+                        return subnet ? subnet.id : undefined;
+                    })
+                        .filter((id) => !!id)
+                    : undefined;
+                let securityGroupIds = ep.securityGroupNames && securityGroups
+                    ? ep.securityGroupNames
+                        .map(name => {
+                        const sg = securityGroups.find((s, idx) => configuration.securityGroups && configuration.securityGroups[idx].name === name);
+                        return sg ? sg.id : undefined;
+                    })
+                        .filter((id) => !!id)
+                    : undefined;
+                if (ep.allowFromVpcCidr) {
+                    const vpcEndpointSg = new aws.ec2.SecurityGroup(`${environment}-${resourceId}-ep-${ep.service}-vpc-access-sg`, {
+                        vpcId: vpc.id,
+                        description: `VPC Endpoint security group for ${ep.service} with VPC-wide access`,
+                        ingress: [
+                            {
+                                protocol: "tcp",
+                                fromPort: 443,
+                                toPort: 443,
+                                cidrBlocks: [configuration.vpc.cidrBlock],
+                                description: `HTTPS access from VPC CIDR for ${ep.service}`,
+                            }
+                        ],
+                        egress: [
+                            {
+                                protocol: "-1",
+                                fromPort: 0,
+                                toPort: 0,
+                                cidrBlocks: ["0.0.0.0/0"],
+                                description: "All outbound traffic",
+                            }
+                        ],
+                        tags: {
+                            Name: `${ep.service}-vpc-endpoint-sg`,
+                            Purpose: "VPC Endpoint Access",
+                            Service: ep.service,
+                        },
+                    }, provider ? { provider } : undefined);
+                    if (securityGroupIds) {
+                        securityGroupIds = [...securityGroupIds, vpcEndpointSg.id];
+                    }
+                    else {
+                        securityGroupIds = [vpcEndpointSg.id];
+                    }
+                }
+                return new aws.ec2.VpcEndpoint(`${environment}-${resourceId}-ep-${ep.service}`, {
+                    vpcId: vpc.id,
+                    serviceName: pulumi.interpolate `com.amazonaws.${region}.${ep.service}`,
+                    vpcEndpointType: ep.type,
+                    subnetIds,
+                    securityGroupIds,
+                }, provider ? { provider } : undefined);
+            });
+        }
+        let flowLog = undefined;
+        let flowLogGroup = undefined;
+        let flowLogRole = undefined;
+        if (configuration.vpcFlowLogs?.enabled) {
+            const logGroupName = configuration.vpcFlowLogs.logGroupName || `${config.meta.environment}-${config.id}-vpc-flow-logs`;
+            flowLogGroup = new aws.cloudwatch.LogGroup(logGroupName, {
+                name: logGroupName,
+                retentionInDays: configuration.vpcFlowLogs.retentionInDays || 365,
+            }, provider ? { provider } : undefined);
+            if (configuration.vpcFlowLogs.dataProtection?.enabled) {
+                const dataProtectionPolicy = this.buildDataProtectionPolicy(configuration.vpcFlowLogs.dataProtection, logGroupName);
+                new aws.cloudwatch.LogDataProtectionPolicy(`${config.meta.environment}-${config.id}-vpc-flowlog-data-protection`, {
+                    logGroupName: flowLogGroup.name,
+                    policyDocument: JSON.stringify(dataProtectionPolicy),
+                }, {
+                    provider: provider,
+                    dependsOn: [flowLogGroup]
+                });
+            }
+            const assumeRole = aws.iam.getPolicyDocument({
+                statements: [{
+                        effect: "Allow",
+                        principals: [{ type: "Service", identifiers: ["vpc-flow-logs.amazonaws.com"] }],
+                        actions: ["sts:AssumeRole"],
+                    }],
+            });
+            flowLogRole = new aws.iam.Role(`${config.meta.environment}-${config.id}-vpc-flowlog-role`, {
+                name: configuration.vpcFlowLogs.iamRoleName || `${config.meta.environment}-${config.id}-vpc-flowlog-role`,
+                assumeRolePolicy: assumeRole.then(doc => doc.json),
+            }, provider ? { provider } : undefined);
+            const logPolicyDoc = aws.iam.getPolicyDocument({
+                statements: [{
+                        effect: "Allow",
+                        actions: [
+                            "logs:CreateLogGroup",
+                            "logs:CreateLogStream",
+                            "logs:PutLogEvents",
+                            "logs:DescribeLogGroups",
+                            "logs:DescribeLogStreams"
+                        ],
+                        resources: ["*"],
+                    }],
+            });
+            new aws.iam.RolePolicy(`${config.meta.environment}-${config.id}-vpc-flowlog-role-policy`, {
+                name: `${config.meta.environment}-${config.id}-vpc-flowlog-role-policy`,
+                role: flowLogRole.id,
+                policy: logPolicyDoc.then(doc => doc.json),
+            }, provider ? { provider } : undefined);
+            flowLog = new aws.ec2.FlowLog(`${config.meta.environment}-${config.id}-vpc-flowlog`, {
+                iamRoleArn: flowLogRole.arn,
+                logDestination: flowLogGroup.arn,
+                trafficType: configuration.vpcFlowLogs.trafficType || "ALL",
+                vpcId: vpc.id,
+            }, provider ? { provider } : undefined);
+        }
+        let networkAcls = [];
+        if (configuration.networkAcls && configuration.networkAcls.length > 0) {
+            networkAcls = configuration.networkAcls.map(naclConfig => {
+                const nacl = new aws.ec2.NetworkAcl(`${config.meta.environment}-${config.id}-nacl-${naclConfig.name}`, {
+                    vpcId: vpc.id,
+                    tags: { Name: naclConfig.name, ...naclConfig.tags },
+                }, provider ? { provider } : undefined);
+                naclConfig.ingress.forEach(rule => {
+                    new aws.ec2.NetworkAclRule(`${config.meta.environment}-${config.id}-nacl-${naclConfig.name}-ingress-${rule.ruleNumber}`, {
+                        networkAclId: nacl.id,
+                        ruleNumber: rule.ruleNumber,
+                        protocol: rule.protocol,
+                        ruleAction: rule.action,
+                        cidrBlock: rule.cidrBlock,
+                        fromPort: rule.fromPort,
+                        toPort: rule.toPort,
+                        icmpType: rule.icmpType,
+                        icmpCode: rule.icmpCode,
+                    }, provider ? { provider } : undefined);
+                });
+                naclConfig.egress.forEach(rule => {
+                    new aws.ec2.NetworkAclRule(`${config.meta.environment}-${config.id}-nacl-${naclConfig.name}-egress-${rule.ruleNumber}`, {
+                        networkAclId: nacl.id,
+                        ruleNumber: rule.ruleNumber,
+                        protocol: rule.protocol,
+                        ruleAction: rule.action,
+                        cidrBlock: rule.cidrBlock,
+                        fromPort: rule.fromPort,
+                        toPort: rule.toPort,
+                        icmpType: rule.icmpType,
+                        icmpCode: rule.icmpCode,
+                        egress: true,
+                    }, provider ? { provider } : undefined);
+                });
+                naclConfig.subnetNames.forEach(subnetName => {
+                    const subnet = subnets.find((s, idx) => configuration.subnets[idx].name === subnetName);
+                    if (subnet) {
+                        new aws.ec2.NetworkAclAssociation(`${config.meta.environment}-${config.id}-nacl-assoc-${naclConfig.name}-${subnetName}`, {
+                            networkAclId: nacl.id,
+                            subnetId: subnet.id,
+                        }, provider ? { provider } : undefined);
+                    }
+                });
+                return nacl;
+            });
+        }
+        let defaultSg = undefined;
+        if (configuration.securityEnhancements?.defaultSecurityGroupRestrictions) {
+            defaultSg = new aws.ec2.DefaultSecurityGroup(`${config.meta.environment}-${config.id}-default-sg`, {
+                vpcId: vpc.id,
+                ingress: [],
+                egress: [],
+                tags: { Name: "Default-Restricted" },
+            }, provider ? { provider } : undefined);
+        }
+        return {
+            vpc,
+            subnets,
+            natGateways,
+            eips,
+            igw,
+            routeTables,
+            securityGroups,
+            vpcEndpoints,
+            flowLog,
+            flowLogGroup,
+            flowLogRole,
+            networkAcls,
+            defaultSg,
+            config
+        };
+    }
+    getOutputs(resource) {
+        const configSubnets = resource.config?.configuration?.subnets || [];
+        const publicSubnetIds = resource.subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "public")
+            .map(s => s.id);
+        const privateSubnetIds = resource.subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "private")
+            .map(s => s.id);
+        const isolatedSubnetIds = resource.subnets
+            .filter((_, idx) => configSubnets[idx]?.type === "isolated")
+            .map(s => s.id);
+        const subnetNameMap = {};
+        configSubnets.forEach((subnet, idx) => {
+            if (resource.subnets[idx]) {
+                subnetNameMap[subnet.name] = resource.subnets[idx].id;
+            }
+        });
+        return {
+            vpcId: resource.vpc.id,
+            subnetIds: resource.subnets.map(s => s.id),
+            publicSubnetIds,
+            privateSubnetIds,
+            isolatedSubnetIds,
+            subnetNameMap,
+            natGatewayIds: resource.natGateways ? resource.natGateways.map(n => n.id) : undefined,
+            eipAllocationIds: resource.eips ? resource.eips.map(e => e.id) : undefined,
+            internetGatewayId: resource.igw ? resource.igw.id : undefined,
+            routeTableIds: resource.routeTables.map(rt => rt.id),
+            securityGroupIds: resource.securityGroups ? resource.securityGroups.map(sg => sg.id) : undefined,
+            vpcEndpointIds: resource.vpcEndpoints ? resource.vpcEndpoints.map(ep => ep.id) : undefined,
+            flowLogId: resource.flowLog ? resource.flowLog.id : undefined,
+            flowLogGroupName: resource.flowLogGroup ? resource.flowLogGroup.name : undefined,
+            flowLogRoleArn: resource.flowLogRole ? resource.flowLogRole.arn : undefined,
+            networkAclIds: resource.networkAcls ? resource.networkAcls.map(nacl => nacl.id) : undefined,
+            defaultSecurityGroupId: resource.defaultSg ? resource.defaultSg.id : undefined,
+        };
+    }
+    buildDataProtectionPolicy(dataProtectionConfig, logGroupName) {
+        return (0, dataProtectionPolicyBuilder_1.buildDataProtectionPolicy)(dataProtectionConfig, logGroupName, dataProtectionPolicyBuilder_1.DEFAULT_DATA_IDENTIFIERS.VPC_FLOW_LOGS, "VPC Flow Logs");
+    }
+    validateConfig(config) {
+        if (!config.configuration?.vpc?.cidrBlock)
+            throw new Error("Networking config must include vpc.cidrBlock");
+        if (!Array.isArray(config.configuration.subnets) || config.configuration.subnets.length === 0)
+            throw new Error("Networking config must include at least one subnet");
+        if (!Array.isArray(config.configuration.routeTables) || config.configuration.routeTables.length === 0)
+            throw new Error("Networking config must include at least one routeTable");
+    }
+}
+exports.AdvancedNetworkingFactory = AdvancedNetworkingFactory;