Class DeploymentConfig

java.lang.Object
com.cloudforge.core.config.DeploymentConfig

public class DeploymentConfig extends Object
Universal deployment configuration for CloudForge applications.

This is the canonical configuration structure used by both interactive deployers and non-interactive deployment tools. It maps directly to deployment-context.json and can be serialized/deserialized via Jackson.

Architecture: This class lives in cloudforge-core (the contract layer) as it defines the data model interface between libraries and consumers. This ensures cfc-testing and other consumers always use the latest configuration schema without duplication.

Since:
CloudForge 3.0.0
  • Field Details

    • stackName

      public String stackName
      CloudFormation stack name
    • environment

      public String environment
      Environment name (e.g., "dev", "staging", "production")
    • applicationId

      public String applicationId
      Application identifier (e.g., "jenkins", "gitlab", "vault")
    • applicationName

      public String applicationName
      Human-readable application name
    • applicationSpec

      public ApplicationSpec applicationSpec
      ApplicationSpec instance (not serialized to JSON)
    • domain

      public String domain
      Primary domain (e.g., "example.com")
    • subdomain

      public String subdomain
      Subdomain prefix (e.g., "ci", "gitlab")
    • fqdn

      public String fqdn
      Fully qualified domain name (computed from domain+subdomain if not provided)
    • enableSsl

      public Boolean enableSsl
      Enable SSL certificate via ACM
    • runtime

      public RuntimeType runtime
      Runtime type (FARGATE or EC2)
    • topology

      public TopologyType topology
      Topology type (APPLICATION_SERVICE, etc.)
    • securityProfile

      public SecurityProfile securityProfile
      Security profile (DEV, STAGING, PRODUCTION)
    • networkMode

      public NetworkMode networkMode
      Network mode for VPC topology
    • lbType

      public LoadBalancerType lbType
      Load balancer type
    • createZone

      public Boolean createZone
      Create Route53 hosted zone
    • enableFlowlogs

      public Boolean enableFlowlogs
      Enable VPC flow logs
    • wafEnabled

      public Boolean wafEnabled
      Enable AWS WAF
    • httpsStrictEnabled

      public Boolean httpsStrictEnabled
      HTTPS-only mode (no HTTP listener when SSL enabled)
    • albAccessLogging

      public Boolean albAccessLogging
      Enable ALB access logs to S3
    • cloudfrontEnabled

      public Boolean cloudfrontEnabled
      Enable CloudFront CDN
    • bastionCidr

      public String bastionCidr
      CIDR for bastion/VPN SSH access
    • minInstanceCapacity

      public int minInstanceCapacity
      Minimum instance capacity for auto-scaling
    • maxInstanceCapacity

      public int maxInstanceCapacity
      Maximum instance capacity for auto-scaling
    • cpuTargetUtilization

      public int cpuTargetUtilization
      CPU target utilization percentage for auto-scaling
    • cpu

      public int cpu
      Fargate CPU units (256, 512, 1024, 2048, 4096)
    • memory

      public int memory
      Fargate memory in MB
    • instanceType

      public String instanceType
      EC2 instance type (e.g., "t3.micro", "t3.small")
    • containerImage

      public String containerImage
      Override container image tag
    • retainStorage

      public Boolean retainStorage
      Retain EFS/EBS volumes on stack deletion
    • existingFileSystemId

      public String existingFileSystemId
      Reuse existing EFS by ID (for disaster recovery workflows)
    • artifactsBucket

      public String artifactsBucket
      S3 bucket for artifacts
    • artifactsPrefix

      public String artifactsPrefix
      S3 prefix for artifacts
    • authMode

      public AuthMode authMode
      Authentication mode
    • oidcProvider

      public String oidcProvider
      OIDC provider (none, cognito, identity-center, external-idp)
    • cognitoAutoProvision

      public Boolean cognitoAutoProvision
      Auto-provision new Cognito User Pool
    • cognitoUserPoolName

      public String cognitoUserPoolName
      Cognito User Pool name
    • cognitoDomainPrefix

      public String cognitoDomainPrefix
      Cognito domain prefix (must be globally unique)
    • cognitoMfaEnabled

      public Boolean cognitoMfaEnabled
      Enable MFA for Cognito
    • cognitoMfaMethod

      public String cognitoMfaMethod
      Cognito MFA method
    • cognitoCreateGroups

      public Boolean cognitoCreateGroups
      Create admin and user groups in Cognito
    • cognitoAdminGroupName

      public String cognitoAdminGroupName
      Admin group name
    • cognitoUserGroupName

      public String cognitoUserGroupName
      User group name
    • cognitoInitialAdminEmail

      public String cognitoInitialAdminEmail
      Initial admin email address
    • cognitoInitialAdminPhone

      public String cognitoInitialAdminPhone
      Initial admin phone number (E.164 format)
    • cognitoUserPoolId

      public String cognitoUserPoolId
      Existing Cognito User Pool ID
    • cognitoAppClientId

      public String cognitoAppClientId
      Existing Cognito App Client ID
    • oidcIssuer

      public String oidcIssuer
      OIDC issuer URL
    • oidcAuthorizationEndpoint

      public String oidcAuthorizationEndpoint
      OIDC authorization endpoint
    • oidcTokenEndpoint

      public String oidcTokenEndpoint
      OIDC token endpoint
    • oidcUserInfoEndpoint

      public String oidcUserInfoEndpoint
      OIDC user info endpoint
    • oidcClientId

      public String oidcClientId
      OIDC client ID
    • oidcClientSecretName

      public String oidcClientSecretName
      OIDC client secret name in Secrets Manager
    • enableAgents

      public boolean enableAgents
      Enable JNLP build agent port (Jenkins: 50000)
    • enableSsh

      public boolean enableSsh
      Enable Git SSH port (GitLab: 22, Gitea: 2222)
    • enableSmtp

      public boolean enableSmtp
      Enable SMTP email port (Mattermost: 587)
    • enableSmtps

      public boolean enableSmtps
      Enable SMTP TLS email port (Mattermost: 465)
    • enableClustering

      public boolean enableClustering
      Enable clustering ports (Mattermost: 8074-8075, Vault: 8201)
    • enableDockerRegistry

      public boolean enableDockerRegistry
      Enable container registry port (GitLab: 5050, Nexus: 5000-5002)
    • enableMetrics

      public boolean enableMetrics
      Enable Prometheus metrics port (GitLab: 9090)
    • enableNotary

      public boolean enableNotary
      Enable Notary content trust port (Harbor: 4443)
    • enableTrivy

      public boolean enableTrivy
      Enable Trivy vulnerability scanner port (Harbor: 8080)
    • enableSentinel

      public boolean enableSentinel
      Enable Redis Sentinel port (Redis: 26379)
    • enableCluster

      public boolean enableCluster
      Enable Redis Cluster bus port (Redis: 16379)
    • autoProvisionIdentityCenter

      public Boolean autoProvisionIdentityCenter
      Auto-provision SAML application in IAM Identity Center
    • ssoInstanceArn

      public String ssoInstanceArn
      IAM Identity Center (SSO) Instance ARN
    • ssoGroupId

      public String ssoGroupId
      SSO Group ID
    • ssoTargetAccountId

      public String ssoTargetAccountId
      SSO Target Account ID
    • identityCenterGroupName

      public String identityCenterGroupName
      Identity Center group name for user assignment
    • provisionDatabase

      public Boolean provisionDatabase
      Provision RDS database for application. Only shown for applications with optional database support (e.g., Metabase, Grafana). Applications requiring database (e.g., Mattermost, GitLab) always provision one.
    • databaseEngine

      public String databaseEngine
      Database engine (e.g., postgres, mysql, mariadb). Default comes from ApplicationSpec.databaseRequirement().engine()
    • databaseVersion

      public String databaseVersion
      Database engine version. Default comes from ApplicationSpec.databaseRequirement().version()
    • databaseInstanceClass

      public String databaseInstanceClass
      RDS instance class (e.g., db.t3.small, db.m5.large). DESTRUCTIVE: Changing this requires resource replacement. BILLING_IMPACT: Larger instances cost more.
    • databaseAllocatedStorageGB

      public Integer databaseAllocatedStorageGB
      Allocated storage in GB. BILLING_IMPACT: More storage costs more.
    • databaseMultiAz

      public Boolean databaseMultiAz
      Enable Multi-AZ deployment for high availability. BILLING_IMPACT: Multi-AZ doubles database costs.
    • databaseName

      public String databaseName
      Database name. IMMUTABLE: Cannot be changed after creation.
    • databaseBackupRetentionDays

      public Integer databaseBackupRetentionDays
      Backup retention period in days. Compliance frameworks may override: PCI-DSS (90 days), HIPAA (30 days), SOC2 (14 days).
    • enableRdsDeletionProtectionRemediation

      public Boolean enableRdsDeletionProtectionRemediation
      Enable RDS deletion protection remediation
    • enableRdsAutoMinorVersionUpgradeRemediation

      public Boolean enableRdsAutoMinorVersionUpgradeRemediation
      Enable RDS auto minor version upgrade remediation
    • complianceFrameworks

      public List<ComplianceFrameworkType> complianceFrameworks
      Compliance frameworks to enable.

      Supports comma-separated string format in JSON for backward compatibility:

      {"complianceFrameworks": "soc2,pci-dss,hipaa"}

      In Java code, use the type-safe List:

      config.complianceFrameworks.contains(ComplianceFrameworkType.HIPAA)
    • complianceMode

      public ComplianceMode complianceMode
      Compliance validation mode controlling how validation failures are handled.
    • logRetentionDays

      public String logRetentionDays
      CloudWatch Logs retention days
    • enableMonitoring

      public Boolean enableMonitoring
      Enable CloudWatch monitoring
    • enableEncryption

      public Boolean enableEncryption
      Enable encryption at rest
    • awsConfigEnabled

      public Boolean awsConfigEnabled
      Enable AWS Config
    • createConfigInfrastructure

      public Boolean createConfigInfrastructure
      Create AWS Config infrastructure
    • guardDutyEnabled

      public Boolean guardDutyEnabled
      Enable GuardDuty threat detection
    • createGuardDutyDetector

      public Boolean createGuardDutyDetector
      Create GuardDuty detector (account-region singleton)
    • guardDutyAlertsConfigured

      public Boolean guardDutyAlertsConfigured
      GuardDuty alerts configured (EventBridge to SNS/SIEM)
    • certificateExpirationMonitoring

      public Boolean certificateExpirationMonitoring
      Certificate expiration monitoring enabled
    • cloudTrailEnabled

      public Boolean cloudTrailEnabled
      Enable CloudTrail for API audit logging
    • securityMonitoringEnabled

      public Boolean securityMonitoringEnabled
      Enable security monitoring
    • efsEncryptionInTransitEnabled

      public Boolean efsEncryptionInTransitEnabled
      Enable EFS encryption in transit
    • restrictSecurityGroupEgress

      public Boolean restrictSecurityGroupEgress
      Restrict security group egress to VPC CIDR only (requires VPC endpoints for AWS service access)
    • automatedBackupEnabled

      public Boolean automatedBackupEnabled
      Enable automated backups (null = use security profile default)
    • crossRegionBackupEnabled

      public Boolean crossRegionBackupEnabled
      Enable cross-region backups (null = use security profile default)
    • macieEnabled

      public Boolean macieEnabled
      Enable Amazon Macie for PII/PHI discovery (HIPAA/GDPR)
    • macieAutomatedDiscovery

      public Boolean macieAutomatedDiscovery
      Enable Macie automated discovery jobs
    • securityHubEnabled

      public Boolean securityHubEnabled
      Enable AWS Security Hub for centralized security findings
    • inspectorEnabled

      public Boolean inspectorEnabled
      Enable Amazon Inspector for vulnerability scanning
    • antiMalwareEnabled

      public Boolean antiMalwareEnabled
      Enable anti-malware scanning
    • fileIntegrityMonitoring

      public Boolean fileIntegrityMonitoring
      Enable file integrity monitoring
    • containerRuntimeSecurity

      public Boolean containerRuntimeSecurity
      Enable container runtime security monitoring
    • containerImageScanning

      public Boolean containerImageScanning
      Enable container image vulnerability scanning
    • auditManagerEnabled

      public Boolean auditManagerEnabled
      Enable AWS Audit Manager
    • cloudWatchLogsKmsEncryptionEnabled

      public Boolean cloudWatchLogsKmsEncryptionEnabled
      Enable CloudWatch Logs KMS encryption
    • cloudTrailInsightsEnabled

      public Boolean cloudTrailInsightsEnabled
      Enable CloudTrail Insights
    • route53QueryLoggingEnabled

      public Boolean route53QueryLoggingEnabled
      Enable Route53 Query Logging
    • s3ObjectLockEnabled

      public Boolean s3ObjectLockEnabled
      Enable S3 Object Lock for audit buckets (HIPAA/PCI-DSS immutability requirement)
    • enableS3VersioningRemediation

      public Boolean enableS3VersioningRemediation
      Enable S3 versioning remediation
    • enableCloudTrailBucketAccessRemediation

      public Boolean enableCloudTrailBucketAccessRemediation
      Enable CloudTrail bucket access logging remediation
    • healthCheckGracePeriod

      public int healthCheckGracePeriod
    • healthCheckInterval

      public int healthCheckInterval
    • healthCheckTimeout

      public int healthCheckTimeout
    • healthyThreshold

      public int healthyThreshold
    • unhealthyThreshold

      public int unhealthyThreshold
    • region

      public String region
      AWS region (e.g., "us-east-1", "us-west-2")
    • gdprDataTransferApproved

      public Boolean gdprDataTransferApproved
      GDPR data transfer approval flag for non-EU deployments.
    • availabilityZones

      public String[] availabilityZones
      Availability zones for deployment
    • enableAutoScaling

      public Boolean enableAutoScaling
      Enable auto-scaling
  • Constructor Details

    • DeploymentConfig

      public DeploymentConfig()
  • Method Details

    • fromFile

      public static DeploymentConfig fromFile(Path path) throws IOException
      Load DeploymentConfig from a JSON file (e.g., deployment-context.json).
      Parameters:
      path - Path to the JSON file
      Returns:
      DeploymentConfig populated from JSON
      Throws:
      IOException - if file cannot be read or parsed
    • fromFile

      public static DeploymentConfig fromFile(String filePath) throws IOException
      Load DeploymentConfig from a JSON file path string.
      Parameters:
      filePath - Path to the JSON file
      Returns:
      DeploymentConfig populated from JSON
      Throws:
      IOException - if file cannot be read or parsed
    • fromJson

      public static DeploymentConfig fromJson(String json) throws com.fasterxml.jackson.core.JsonProcessingException
      Load DeploymentConfig from a JSON string.
      Parameters:
      json - JSON string
      Returns:
      DeploymentConfig populated from JSON
      Throws:
      com.fasterxml.jackson.core.JsonProcessingException - if JSON cannot be parsed
    • fromMap

      public static DeploymentConfig fromMap(Map<String,Object> map)
      Load DeploymentConfig from a Map (e.g., CDK context).

      Uses Jackson's type-safe conversion to handle:

      • String → Enum conversion via @JsonCreator methods
      • String/Number → Boolean conversion (supports "1", "yes", "0", "no")
      • Comma-separated strings → List conversion (complianceFrameworks)
      • Unknown properties are ignored for forward compatibility
      Parameters:
      map - Map containing configuration key-value pairs
      Returns:
      DeploymentConfig populated from the map
    • toJson

      public String toJson() throws com.fasterxml.jackson.core.JsonProcessingException
      Serialize this DeploymentConfig to a JSON string.
      Returns:
      JSON string representation
      Throws:
      com.fasterxml.jackson.core.JsonProcessingException - if serialization fails
    • toFile

      public void toFile(Path path) throws IOException
      Save this DeploymentConfig to a JSON file.
      Parameters:
      path - Path to write the JSON file
      Throws:
      IOException - if file cannot be written
    • toFile

      public void toFile(String filePath) throws IOException
      Save this DeploymentConfig to a JSON file path string.
      Parameters:
      filePath - Path to write the JSON file
      Throws:
      IOException - if file cannot be written
    • getComplianceFrameworksAsString

      public String getComplianceFrameworksAsString()
      Returns the compliance frameworks as a comma-separated string. Provided for backward compatibility with code expecting the old string format.
      Returns:
      comma-separated framework string (e.g., "soc2,pci-dss,hipaa")
    • hasComplianceFramework

      public boolean hasComplianceFramework(ComplianceFrameworkType framework)
      Checks if a specific compliance framework is enabled.
      Parameters:
      framework - the framework to check
      Returns:
      true if the framework is in the list
    • hasAnyComplianceFramework

      public boolean hasAnyComplianceFramework()
      Checks if any compliance framework is enabled.
      Returns:
      true if at least one framework is configured
    • toContextMap

      public Map<String,Object> toContextMap()
      Convert this DeploymentConfig to a Map for CDK context.

      Special handling:

      • Renames "environment" to "env" for CDK compatibility
      • Excludes null values
      Returns:
      Map suitable for CDK App context
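The following is an added example, not code from the CloudForge project or this Javadoc. It ties the field list above to the fromMap and toContextMap methods: a CDK-style context map is built with the lenient value forms fromMap accepts (string and numeric booleans, a comma-separated complianceFrameworks value, an unknown key), the resulting DeploymentConfig is checked against a production posture policy that reads the public fields documented above, and only a passing config is turned into CDK context. Assumptions: SecurityProfile and ComplianceFrameworkType are taken to live in the same package as DeploymentConfig; the enum constant names used (PRODUCTION, HIPAA) are the ones the field descriptions list, and the exact string spellings the @JsonCreator methods accept are not documented here, so the constant names are used as the strings; the set of flags the gate requires, and the 30-day HIPAA retention floor, are this example's policy (the floor is the figure the databaseBackupRetentionDays description gives), not a rule the project enforces.

```java
import com.cloudforge.core.config.ComplianceFrameworkType; // assumed package
import com.cloudforge.core.config.DeploymentConfig;
import com.cloudforge.core.config.SecurityProfile;         // assumed package

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example (not CloudForge code): gate a production deployment on its DeploymentConfig. */
public final class ProductionConfigGate {

    /** Returns findings for a PRODUCTION-profile config; an empty list means it passes. */
    public static List<String> findings(DeploymentConfig cfg) {
        List<String> out = new ArrayList<>();
        if (cfg.securityProfile != SecurityProfile.PRODUCTION) {
            return out; // this gate only applies to the production profile
        }
        // Boxed Boolean fields may be null ("use the security profile default");
        // for these controls the policy demands an explicit true, not a default.
        require(out, cfg.enableSsl, "enableSsl");
        require(out, cfg.wafEnabled, "wafEnabled");
        require(out, cfg.enableEncryption, "enableEncryption");
        require(out, cfg.cloudTrailEnabled, "cloudTrailEnabled");
        require(out, cfg.enableFlowlogs, "enableFlowlogs");
        // httpsStrictEnabled only removes the HTTP listener when SSL is on
        if (Boolean.TRUE.equals(cfg.enableSsl) && !Boolean.TRUE.equals(cfg.httpsStrictEnabled)) {
            out.add("httpsStrictEnabled is off: a plain-HTTP listener will still be created");
        }
        // bastionCidr scopes SSH reach; a zero-length prefix means the whole internet
        if (cfg.bastionCidr != null && prefixLength(cfg.bastionCidr) == 0) {
            out.add("bastionCidr " + cfg.bastionCidr + " is world-reachable; restrict it to the VPN/bastion range");
        }
        // Controls the field docs associate with HIPAA: Macie, S3 Object Lock, 30-day retention
        if (cfg.hasComplianceFramework(ComplianceFrameworkType.HIPAA)) {
            require(out, cfg.macieEnabled, "macieEnabled (HIPAA)");
            require(out, cfg.s3ObjectLockEnabled, "s3ObjectLockEnabled (HIPAA)");
            if (cfg.databaseBackupRetentionDays == null || cfg.databaseBackupRetentionDays < 30) {
                out.add("databaseBackupRetentionDays must be at least 30 under HIPAA");
            }
        }
        return out;
    }

    private static void require(List<String> out, Boolean flag, String name) {
        if (!Boolean.TRUE.equals(flag)) {
            out.add(name + " must be explicitly true in PRODUCTION");
        }
    }

    /** Prefix length of "a.b.c.d/N" or "::/N"; -1 when the string carries no usable '/N'. */
    static int prefixLength(String cidr) {
        int slash = cidr.lastIndexOf('/');
        if (slash < 0) {
            return -1;
        }
        try {
            return Integer.parseInt(cidr.substring(slash + 1).trim());
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed CDK-style context (sample data, not a real deployment); the values
        // deliberately use the lenient forms the fromMap javadoc lists.
        Map<String, Object> ctx = new LinkedHashMap<>();
        ctx.put("stackName", "ci-prod");
        ctx.put("environment", "production");
        ctx.put("securityProfile", "PRODUCTION");              // String -> enum
        ctx.put("enableSsl", "yes");                            // String -> Boolean
        ctx.put("httpsStrictEnabled", 1);                       // Number -> Boolean
        ctx.put("wafEnabled", "0");                             // deliberately weak for the demo
        ctx.put("bastionCidr", "0.0.0.0/0");                    // deliberately weak for the demo
        ctx.put("complianceFrameworks", "soc2,pci-dss,hipaa");  // comma-separated -> List
        ctx.put("someRetiredKey", true);                        // unknown property, ignored

        DeploymentConfig cfg = DeploymentConfig.fromMap(ctx);
        System.out.println("frameworks: " + cfg.getComplianceFrameworksAsString());

        List<String> problems = findings(cfg);
        if (!problems.isEmpty()) {
            problems.forEach(p -> System.err.println("BLOCKED: " + p));
            System.exit(1);
        }
        // Only a passing config becomes CDK context. toContextMap renames
        // "environment" to "env" and omits fields that were left null (domain, region, ...).
        Map<String, Object> cdkContext = cfg.toContextMap();
        System.out.println("env=" + cdkContext.get("env") + " keys=" + cdkContext.keySet());
    }
}
```

With the sample context as written the gate reports wafEnabled, enableEncryption, cloudTrailEnabled, enableFlowlogs, the world-reachable bastionCidr and the HIPAA items, and exits non-zero before toContextMap is reached; flipping those values to the explicit forms the policy expects lets the run continue to the context map. Loading the same data from deployment-context.json instead of a map is a one-line change to DeploymentConfig.fromFile.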