terruvim-core-test 0.0.1

package/dist/src/factories/s3StaticHostingFactory.js

@@ -0,0 +1,348 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.S3StaticHostingFactory = void 0;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const resourceFactory_1 = require("./resourceFactory");
+const buildAwsCloudWatchAlarmsHelper_1 = require("./buildAwsCloudWatchAlarmsHelper");
+const buildS3StaticHostingCloudWatchDashboardHelper_1 = require("./buildS3StaticHostingCloudWatchDashboardHelper");
+const buildCloudFrontRoute53RecordHelper_1 = require("./buildCloudFrontRoute53RecordHelper");
+const wafFactory_1 = require("./wafFactory");
+class S3StaticHostingFactory extends resourceFactory_1.ResourceFactory {
+    static supportsProviderRegistry = true;
+    async createResource(config, provider, providerRegistry = {}) {
+        this.validateConfig(config);
+        const bucket = this.createS3Bucket(config, provider);
+        let cloudfrontDomain;
+        let distributionId;
+        if (config.configuration.cloudfront?.enabled) {
+            const route53Provider = this.resolveRoute53Provider(config, providerRegistry);
+            const { domain, distribution, route53Record } = await this.setupCloudFront(config, bucket, provider, route53Provider);
+            cloudfrontDomain = domain;
+            distributionId = distribution.id;
+            bucket.cloudfrontDomain = cloudfrontDomain;
+            bucket.distributionId = distributionId;
+            bucket.route53Record = route53Record;
+        }
+        this.setupMonitoring(config, bucket, distributionId, provider);
+        return bucket;
+    }
+    getOutputs(resource) {
+        return {
+            bucket: resource.bucket,
+            websiteUrl: resource.websiteUrl || resource.websiteEndpoint,
+            cloudfrontDomain: resource.cloudfrontDomain,
+            distributionId: resource.distributionId,
+            monitoringAlarmArns: resource.monitoringResources?.map((a) => a.arn),
+            dashboardName: resource.dashboardResource?.dashboardName,
+        };
+    }
+    validateConfig(config) {
+        if (!config.configuration?.bucket) {
+            throw new Error("S3StaticHosting config must include bucket name");
+        }
+        const cf = config.configuration.cloudfront;
+        if (cf?.enabled && cf.enableCertProvisioning && cf.aliases?.length && !config.inputs?.hostedZoneId) {
+            throw new Error("hostedZoneId is required for ACM certificate provisioning");
+        }
+    }
+    resolveRoute53Provider(config, registry) {
+        const ref = config.inputs?.route53Provider;
+        if (typeof ref === "object")
+            return ref;
+        if (typeof ref === "string") {
+            return registry[ref] || (() => {
+                throw new Error(`Route53 provider '${ref}' not found in registry`);
+            })();
+        }
+        return undefined;
+    }
+    createS3Bucket(config, provider) {
+        const { configuration } = config;
+        const envPrefix = `${config.meta.environment}-${configuration.bucket}`;
+        const bucket = new aws.s3.Bucket(envPrefix, {
+            bucket: configuration.bucket,
+            acl: configuration.acl || "private",
+            website: configuration.website,
+            tags: configuration.tags,
+            versioning: configuration.versioning ? { enabled: true } : undefined,
+            serverSideEncryptionConfiguration: configuration.encryption?.enabled ? {
+                rule: {
+                    applyServerSideEncryptionByDefault: {
+                        sseAlgorithm: configuration.encryption.type || "AES256",
+                        kmsMasterKeyId: configuration.encryption.kmsKeyId,
+                    },
+                },
+            } : undefined,
+            corsRules: configuration.cors ? [configuration.cors] : undefined,
+            lifecycleRules: configuration.lifecycleRules,
+            forceDestroy: true,
+        }, provider ? { provider } : undefined);
+        if (configuration.blockPublicAccess !== false) {
+            new aws.s3.BucketPublicAccessBlock(`${envPrefix}-block-public`, {
+                bucket: bucket.id,
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: true,
+            }, provider ? { provider } : undefined);
+        }
+        return bucket;
+    }
+    async setupCloudFront(config, bucket, provider, route53Provider) {
+        const cfConfig = config.configuration.cloudfront;
+        const envPrefix = `${config.meta.environment}-${config.id}`;
+        const oai = new aws.cloudfront.OriginAccessIdentity(`${envPrefix}-oai`, {
+            comment: `OAI for ${config.configuration.bucket}`,
+        }, provider ? { provider } : undefined);
+        new aws.s3.BucketPolicy(`${envPrefix}-cf-policy`, {
+            bucket: bucket.id,
+            policy: pulumi.all([bucket.id, oai.iamArn]).apply(([bucketId, iamArn]) => JSON.stringify({
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Principal: { AWS: iamArn },
+                        Action: ["s3:GetObject"],
+                        Resource: `arn:aws:s3:::${config.configuration.bucket}/*`,
+                    },
+                ],
+            })),
+        }, provider ? { provider } : undefined);
+        const certificateArn = await this.setupAcmCertificate(config, cfConfig, envPrefix, provider, route53Provider);
+        const webAclId = await this.setupWaf(config, cfConfig, envPrefix, provider);
+        const loggingConfig = this.prepareLoggingConfig(cfConfig);
+        const distribution = new aws.cloudfront.Distribution(`${envPrefix}-cf`, {
+            enabled: true,
+            origins: [
+                {
+                    domainName: bucket.bucketRegionalDomainName,
+                    originId: bucket.arn,
+                    s3OriginConfig: {
+                        originAccessIdentity: oai.cloudfrontAccessIdentityPath,
+                    },
+                },
+            ],
+            defaultRootObject: cfConfig.defaultRootObject || config.configuration.website?.indexDocument || "index.html",
+            defaultCacheBehavior: {
+                targetOriginId: bucket.arn,
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD"],
+                forwardedValues: {
+                    queryString: false,
+                    cookies: { forward: "none" },
+                    headers: ["Origin", "Access-Control-Request-Headers", "Access-Control-Request-Method"],
+                },
+                compress: true,
+                minTtl: 0,
+                defaultTtl: 86400,
+                maxTtl: 31536000,
+            },
+            aliases: cfConfig.aliases?.filter(alias => alias && !alias.includes("${")) || [],
+            restrictions: {
+                geoRestriction: cfConfig.geoRestriction || { restrictionType: "none" },
+            },
+            viewerCertificate: certificateArn ? {
+                acmCertificateArn: certificateArn,
+                sslSupportMethod: "sni-only",
+                minimumProtocolVersion: "TLSv1.2_2021",
+            } : {
+                cloudfrontDefaultCertificate: true
+            },
+            priceClass: cfConfig.priceClass || "PriceClass_100",
+            customErrorResponses: cfConfig.customErrorResponses || [
+                {
+                    errorCode: 404,
+                    responseCode: 200,
+                    responsePagePath: "/index.html",
+                },
+                {
+                    errorCode: 403,
+                    responseCode: 200,
+                    responsePagePath: "/index.html",
+                },
+            ],
+            orderedCacheBehaviors: cfConfig.cacheBehaviors,
+            loggingConfig,
+            webAclId,
+            tags: cfConfig.tags || config.configuration.tags,
+            comment: `CloudFront distribution for ${config.configuration.bucket}`,
+        }, provider ? { provider } : undefined);
+        let route53Record;
+        if (cfConfig.aliases?.length && config.inputs?.hostedZoneId) {
+            const primaryAlias = cfConfig.aliases[0];
+            if (primaryAlias && !primaryAlias.includes("$")) {
+                route53Record = (0, buildCloudFrontRoute53RecordHelper_1.buildCloudFrontRoute53RecordHelper)(envPrefix, primaryAlias, config.inputs.hostedZoneId, distribution.domainName, distribution.hostedZoneId, route53Provider);
+            }
+        }
+        return { domain: distribution.domainName, distribution, route53Record };
+    }
+    async setupAcmCertificate(config, cfConfig, envPrefix, provider, route53Provider) {
+        if (cfConfig.acmCertificateArn) {
+            return cfConfig.acmCertificateArn;
+        }
+        if (!cfConfig.enableCertProvisioning || !cfConfig.aliases?.length || !config.inputs?.hostedZoneId) {
+            return undefined;
+        }
+        const usEast1Provider = config.inputs?.providers?.["dev-us-east-1"];
+        if (!usEast1Provider) {
+            throw new Error("US East 1 provider required for ACM certificate with CloudFront");
+        }
+        const aliases = cfConfig.aliases.filter(alias => alias && !alias.includes("$"));
+        const cert = new aws.acm.Certificate(`${envPrefix}-cert`, {
+            domainName: aliases[0],
+            subjectAlternativeNames: aliases.slice(1),
+            validationMethod: "DNS",
+            tags: cfConfig.tags || config.configuration.tags,
+        }, { provider: usEast1Provider });
+        const validationRecords = cert.domainValidationOptions.apply(options => options.map((option, index) => new aws.route53.Record(`${envPrefix}-cert-validation-${index}`, {
+            name: option.resourceRecordName,
+            zoneId: config.inputs.hostedZoneId,
+            type: option.resourceRecordType,
+            records: [option.resourceRecordValue],
+            ttl: 300,
+        }, route53Provider ? { provider: route53Provider } : undefined)));
+        const certValidation = new aws.acm.CertificateValidation(`${envPrefix}-cert-validation`, {
+            certificateArn: cert.arn,
+            validationRecordFqdns: validationRecords.apply(records => records.map(record => record.fqdn)),
+        }, { provider: usEast1Provider });
+        return certValidation.certificateArn;
+    }
+    async setupWaf(config, cfConfig, envPrefix, provider) {
+        if (!cfConfig.enableWaf || cfConfig.wafArn) {
+            return cfConfig.wafArn;
+        }
+        const wafConfig = cfConfig.wafConfig;
+        if (!wafConfig?.enabled) {
+            return undefined;
+        }
+        const usEast1Provider = config.inputs?.providers?.["dev-us-east-1"];
+        if (!usEast1Provider) {
+            throw new Error("US East 1 provider required for WAF with CloudFront");
+        }
+        const wafName = `${envPrefix}-waf`;
+        const wafFactoryConfig = {
+            name: wafName,
+            scope: "CLOUDFRONT",
+            description: `WAF for CloudFront distribution ${envPrefix}`,
+            defaultAction: "allow",
+            rateLimiting: {
+                enabled: true,
+                limit: wafConfig.rateLimitRpm || 1000,
+                action: "block",
+            },
+            geoRestrictions: wafConfig.geoBlockedCountries?.length ? {
+                blockedCountries: wafConfig.geoBlockedCountries,
+            } : undefined,
+            managedRuleGroups: wafConfig.enableManagedRules !== false ? [
+                {
+                    name: "AWSManagedRulesCommonRuleSet",
+                    vendorName: "AWS",
+                    priority: 10,
+                    overrideAction: "count",
+                },
+                {
+                    name: "AWSManagedRulesKnownBadInputsRuleSet",
+                    vendorName: "AWS",
+                    priority: 20,
+                    overrideAction: "count",
+                },
+                {
+                    name: "AWSManagedRulesAmazonIpReputationList",
+                    vendorName: "AWS",
+                    priority: 30,
+                    overrideAction: "count",
+                },
+            ] : [],
+            customRegexRules: wafConfig.customRules?.map(rule => ({
+                name: rule.name,
+                priority: rule.priority,
+                regex: rule.regex || "/.*",
+                action: rule.action,
+                fieldToMatch: { type: "uri" },
+            })),
+            logging: {
+                enabled: true,
+                logGroupName: `aws-waf-logs-${wafName}`,
+                retentionDays: 365,
+            },
+            visibilityConfig: {
+                cloudwatchMetricsEnabled: true,
+                sampledRequestsEnabled: true,
+            },
+            tags: cfConfig.tags || config.configuration.tags,
+        };
+        const waf = wafFactory_1.WafFactory.createWaf(wafFactoryConfig, usEast1Provider);
+        return waf.arn;
+    }
+    prepareLoggingConfig(cfConfig) {
+        const logging = cfConfig.logging;
+        if (!logging?.enabled || !logging.bucket) {
+            return undefined;
+        }
+        return {
+            bucket: logging.bucket,
+            prefix: logging.prefix || "",
+            includeCookies: logging.includeCookies || false,
+        };
+    }
+    setupMonitoring(config, bucket, distributionId, provider) {
+        const monitoring = config.configuration.monitoring;
+        if (!monitoring?.enabled)
+            return;
+        if (monitoring.alarms?.length && distributionId) {
+            const distributionIdString = distributionId.apply ? distributionId.apply(id => id) : distributionId;
+            bucket.monitoringResources = (0, buildAwsCloudWatchAlarmsHelper_1.buildAwsCloudWatchAlarmsHelper)(`${config.meta.environment}-${config.id}`, {
+                resourceType: "cloudfront",
+                resourceId: distributionIdString,
+                alarms: monitoring.alarms,
+                alarmActions: monitoring.alarms.map(a => a.alarmActionArn).filter((v) => typeof v === "string"),
+                okActions: monitoring.alarms.map(a => a.okActionArn).filter((v) => typeof v === "string"),
+                tags: config.configuration.tags,
+                provider,
+            });
+        }
+        if (monitoring.dashboard) {
+            bucket.dashboardResource = (0, buildS3StaticHostingCloudWatchDashboardHelper_1.buildS3StaticHostingCloudWatchDashboardHelper)(`${config.meta.environment}-${config.id}`, {
+                bucketName: config.configuration.bucket,
+                cloudfrontDistributionId: distributionId,
+                tags: config.configuration.tags,
+            }, provider);
+        }
+    }
+}
+exports.S3StaticHostingFactory = S3StaticHostingFactory;

package/dist/src/factories/s3StaticHostingFactory.refactored.js

@@ -0,0 +1,334 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.S3StaticHostingFactory = void 0;
+const aws = __importStar(require("@pulumi/aws"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const resourceFactory_1 = require("./resourceFactory");
+const buildAwsCloudWatchAlarmsHelper_1 = require("./buildAwsCloudWatchAlarmsHelper");
+const buildS3StaticHostingCloudWatchDashboardHelper_1 = require("./buildS3StaticHostingCloudWatchDashboardHelper");
+const wafFactory_1 = require("./wafFactory");
+class S3StaticHostingFactory extends resourceFactory_1.ResourceFactory {
+    static supportsProviderRegistry = true;
+    async createResource(config, provider, providerRegistry = {}) {
+        this.validateConfig(config);
+        const bucket = this.createS3Bucket(config, provider);
+        let cloudfrontDomain;
+        let distributionId;
+        if (config.configuration.cloudfront?.enabled) {
+            const route53Provider = this.resolveRoute53Provider(config, providerRegistry);
+            const { domain, distribution } = await this.setupCloudFront(config, bucket, provider, route53Provider);
+            cloudfrontDomain = domain;
+            distributionId = distribution.id;
+            bucket.cloudfrontDomain = cloudfrontDomain;
+            bucket.distributionId = distributionId;
+        }
+        this.setupMonitoring(config, bucket, distributionId, provider);
+        return bucket;
+    }
+    getOutputs(resource) {
+        return {
+            bucket: resource.bucket,
+            websiteUrl: resource.websiteUrl || resource.websiteEndpoint,
+            cloudfrontDomain: resource.cloudfrontDomain,
+            distributionId: resource.distributionId,
+            monitoringAlarmArns: resource.monitoringResources?.map((a) => a.arn),
+            dashboardName: resource.dashboardResource?.dashboardName,
+        };
+    }
+    validateConfig(config) {
+        if (!config.configuration?.bucket) {
+            throw new Error("S3StaticHosting config must include bucket name");
+        }
+        const cf = config.configuration.cloudfront;
+        if (cf?.enabled && cf.enableCertProvisioning && cf.aliases?.length && !config.inputs?.hostedZoneId) {
+            throw new Error("hostedZoneId is required for ACM certificate provisioning");
+        }
+    }
+    resolveRoute53Provider(config, registry) {
+        const ref = config.inputs?.route53Provider;
+        if (typeof ref === "object")
+            return ref;
+        if (typeof ref === "string") {
+            return registry[ref] || (() => {
+                throw new Error(`Route53 provider '${ref}' not found in registry`);
+            })();
+        }
+        return undefined;
+    }
+    createS3Bucket(config, provider) {
+        const { configuration } = config;
+        const envPrefix = `${config.meta.environment}-${configuration.bucket}`;
+        const bucket = new aws.s3.Bucket(envPrefix, {
+            bucket: configuration.bucket,
+            acl: configuration.acl || "private",
+            website: configuration.website,
+            tags: configuration.tags,
+            versioning: configuration.versioning ? { enabled: true } : undefined,
+            serverSideEncryptionConfiguration: configuration.encryption?.enabled ? {
+                rule: {
+                    applyServerSideEncryptionByDefault: {
+                        sseAlgorithm: configuration.encryption.type || "AES256",
+                        kmsMasterKeyId: configuration.encryption.kmsKeyId,
+                    },
+                },
+            } : undefined,
+            corsRules: configuration.cors ? [configuration.cors] : undefined,
+            lifecycleRules: configuration.lifecycleRules,
+            forceDestroy: true,
+        }, provider ? { provider } : undefined);
+        if (configuration.blockPublicAccess !== false) {
+            new aws.s3.BucketPublicAccessBlock(`${envPrefix}-block-public`, {
+                bucket: bucket.id,
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: true,
+            }, provider ? { provider } : undefined);
+        }
+        return bucket;
+    }
+    async setupCloudFront(config, bucket, provider, route53Provider) {
+        const cfConfig = config.configuration.cloudfront;
+        const envPrefix = `${config.meta.environment}-${config.id}`;
+        const oai = new aws.cloudfront.OriginAccessIdentity(`${envPrefix}-oai`, {
+            comment: `OAI for ${config.configuration.bucket}`,
+        }, provider ? { provider } : undefined);
+        new aws.s3.BucketPolicy(`${envPrefix}-cf-policy`, {
+            bucket: bucket.id,
+            policy: pulumi.all([bucket.id, oai.iamArn]).apply(([bucketId, iamArn]) => JSON.stringify({
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Principal: { AWS: iamArn },
+                        Action: ["s3:GetObject"],
+                        Resource: `arn:aws:s3:::${config.configuration.bucket}/*`,
+                    },
+                ],
+            })),
+        }, provider ? { provider } : undefined);
+        const certificateArn = await this.setupAcmCertificate(config, cfConfig, envPrefix, provider, route53Provider);
+        const webAclId = await this.setupWaf(config, cfConfig, envPrefix, provider);
+        const loggingConfig = this.prepareLoggingConfig(cfConfig);
+        const distribution = new aws.cloudfront.Distribution(`${envPrefix}-cf`, {
+            enabled: true,
+            origins: [
+                {
+                    domainName: bucket.bucketRegionalDomainName,
+                    originId: bucket.arn,
+                    s3OriginConfig: {
+                        originAccessIdentity: oai.cloudfrontAccessIdentityPath,
+                    },
+                },
+            ],
+            defaultRootObject: cfConfig.defaultRootObject || config.configuration.website?.indexDocument || "index.html",
+            defaultCacheBehavior: {
+                targetOriginId: bucket.arn,
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD"],
+                forwardedValues: {
+                    queryString: false,
+                    cookies: { forward: "none" },
+                    headers: ["Origin", "Access-Control-Request-Headers", "Access-Control-Request-Method"],
+                },
+                compress: true,
+                minTtl: 0,
+                defaultTtl: 86400,
+                maxTtl: 31536000,
+            },
+            aliases: cfConfig.aliases?.filter(alias => alias && !alias.includes("${")) || [],
+            restrictions: {
+                geoRestriction: cfConfig.geoRestriction || { restrictionType: "none" },
+            },
+            viewerCertificate: certificateArn ? {
+                acmCertificateArn: certificateArn,
+                sslSupportMethod: "sni-only",
+                minimumProtocolVersion: "TLSv1.2_2021",
+            } : {
+                cloudfrontDefaultCertificate: true
+            },
+            priceClass: cfConfig.priceClass || "PriceClass_100",
+            customErrorResponses: cfConfig.customErrorResponses || [
+                {
+                    errorCode: 404,
+                    responseCode: 200,
+                    responsePagePath: "/index.html",
+                },
+                {
+                    errorCode: 403,
+                    responseCode: 200,
+                    responsePagePath: "/index.html",
+                },
+            ],
+            orderedCacheBehaviors: cfConfig.cacheBehaviors,
+            loggingConfig,
+            webAclId,
+            tags: cfConfig.tags || config.configuration.tags,
+            comment: `CloudFront distribution for ${config.configuration.bucket}`,
+        }, provider ? { provider } : undefined);
+        return { domain: distribution.domainName, distribution };
+    }
+    async setupAcmCertificate(config, cfConfig, envPrefix, provider, route53Provider) {
+        if (cfConfig.acmCertificateArn) {
+            return cfConfig.acmCertificateArn;
+        }
+        if (!cfConfig.enableCertProvisioning || !cfConfig.aliases?.length || !config.inputs?.hostedZoneId) {
+            return undefined;
+        }
+        const usEast1Provider = config.inputs?.providers?.["dev-us-east-1"];
+        if (!usEast1Provider) {
+            throw new Error("US East 1 provider required for ACM certificate with CloudFront");
+        }
+        const aliases = cfConfig.aliases.filter(alias => alias && !alias.includes("$"));
+        const cert = new aws.acm.Certificate(`${envPrefix}-cert`, {
+            domainName: aliases[0],
+            subjectAlternativeNames: aliases.slice(1),
+            validationMethod: "DNS",
+            tags: cfConfig.tags || config.configuration.tags,
+        }, { provider: usEast1Provider });
+        const validationRecords = cert.domainValidationOptions.apply(options => options.map((option, index) => new aws.route53.Record(`${envPrefix}-cert-validation-${index}`, {
+            name: option.resourceRecordName,
+            zoneId: config.inputs.hostedZoneId,
+            type: option.resourceRecordType,
+            records: [option.resourceRecordValue],
+            ttl: 300,
+        }, route53Provider ? { provider: route53Provider } : undefined)));
+        const certValidation = new aws.acm.CertificateValidation(`${envPrefix}-cert-validation`, {
+            certificateArn: cert.arn,
+            validationRecordFqdns: validationRecords.apply(records => records.map(record => record.fqdn)),
+        }, { provider: usEast1Provider });
+        return certValidation.certificateArn;
+    }
+    async setupWaf(config, cfConfig, envPrefix, provider) {
+        if (!cfConfig.enableWaf || cfConfig.wafArn) {
+            return cfConfig.wafArn;
+        }
+        const wafConfig = cfConfig.wafConfig;
+        if (!wafConfig?.enabled) {
+            return undefined;
+        }
+        const usEast1Provider = config.inputs?.providers?.["dev-us-east-1"];
+        if (!usEast1Provider) {
+            throw new Error("US East 1 provider required for WAF with CloudFront");
+        }
+        const wafName = `${envPrefix}-waf`;
+        const wafFactoryConfig = {
+            name: wafName,
+            scope: "CLOUDFRONT",
+            description: `WAF for CloudFront distribution ${envPrefix}`,
+            defaultAction: "allow",
+            rateLimiting: {
+                enabled: true,
+                limit: wafConfig.rateLimitRpm || 1000,
+                action: "block",
+            },
+            geoRestrictions: wafConfig.geoBlockedCountries?.length ? {
+                blockedCountries: wafConfig.geoBlockedCountries,
+            } : undefined,
+            managedRuleGroups: wafConfig.enableManagedRules !== false ? [
+                {
+                    name: "AWSManagedRulesCommonRuleSet",
+                    vendorName: "AWS",
+                    priority: 10,
+                    overrideAction: "count",
+                },
+                {
+                    name: "AWSManagedRulesKnownBadInputsRuleSet",
+                    vendorName: "AWS",
+                    priority: 20,
+                    overrideAction: "count",
+                },
+                {
+                    name: "AWSManagedRulesAmazonIpReputationList",
+                    vendorName: "AWS",
+                    priority: 30,
+                    overrideAction: "count",
+                },
+            ] : [],
+            customRegexRules: wafConfig.customRules?.map(rule => ({
+                name: rule.name,
+                priority: rule.priority,
+                regex: rule.regex || "/.*",
+                action: rule.action,
+                fieldToMatch: { type: "uri" },
+            })),
+            visibilityConfig: {
+                cloudwatchMetricsEnabled: true,
+                sampledRequestsEnabled: true,
+            },
+            tags: cfConfig.tags || config.configuration.tags,
+        };
+        const waf = wafFactory_1.WafFactory.createWaf(wafFactoryConfig, usEast1Provider);
+        return waf.arn;
+    }
+    prepareLoggingConfig(cfConfig) {
+        const logging = cfConfig.logging;
+        if (!logging?.bucket || logging.bucket.includes("${")) {
+            return undefined;
+        }
+        return {
+            bucket: logging.bucket,
+            prefix: logging.prefix || "",
+            includeCookies: logging.includeCookies || false,
+        };
+    }
+    setupMonitoring(config, bucket, distributionId, provider) {
+        const monitoring = config.configuration.monitoring;
+        if (!monitoring?.enabled)
+            return;
+        if (monitoring.alarms?.length && distributionId) {
+            const distributionIdString = distributionId.apply ? distributionId.apply(id => id) : distributionId;
+            bucket.monitoringResources = (0, buildAwsCloudWatchAlarmsHelper_1.buildAwsCloudWatchAlarmsHelper)(`${config.meta.environment}-${config.id}`, {
+                resourceType: "cloudfront",
+                resourceId: distributionIdString,
+                alarms: monitoring.alarms,
+                alarmActions: monitoring.alarms.map(a => a.alarmActionArn).filter((v) => typeof v === "string"),
+                okActions: monitoring.alarms.map(a => a.okActionArn).filter((v) => typeof v === "string"),
+                tags: config.configuration.tags,
+                provider,
+            });
+        }
+        if (monitoring.dashboard) {
+            bucket.dashboardResource = (0, buildS3StaticHostingCloudWatchDashboardHelper_1.buildS3StaticHostingCloudWatchDashboardHelper)(`${config.meta.environment}-${config.id}`, {
+                bucketName: config.configuration.bucket,
+                cloudfrontDistributionId: distributionId,
+                tags: config.configuration.tags,
+            }, provider);
+        }
+    }
+}
+exports.S3StaticHostingFactory = S3StaticHostingFactory;