Package com.cloudforgeci.api.core
Class DeploymentContext
java.lang.Object
com.cloudforgeci.api.core.DeploymentContext
Typed configuration interface for CDK deployment context.
Loads configuration from the "cfc" block of the cdk.json context, or from CLI context flags (-c key=value), and provides type-safe access with validation and sensible defaults. Build one with DeploymentContext.from(app) at the App level or DeploymentContext.from(scope) inside any Construct.
Quick Start Example (cdk.json):
  {
    "app": "...",
    "context": {
      "cfc": {
        "runtime": "fargate",
        "topology": "jenkins-service",
        "env": "dev",
        "domain": "example.com",
        "subdomain": "jenkins",
        "enableSsl": true,
        "authMode": "alb-oidc",
        "cognitoAutoProvision": true,
        "cognitoDomainPrefix": "myapp-auth",
        "cognitoMfaEnabled": true
      }
    }
  }
Configuration Keys (all optional unless noted):
Core Settings:
- tier: "public" | "enterprise" (default: public)
- runtime: "ec2" | "fargate" (default: fargate)
- topology: "jenkins-single-node" | "jenkins-service" | "s3-website"
- env: "dev" | "stage" | "prod" (default: dev)
- securityProfile: "dev" | "staging" | "production" (default: dev)
- region: AWS region (default: us-east-1)
DNS & SSL:
- domain: Base domain (e.g., "example.com")
- subdomain: Subdomain prefix (e.g., "jenkins")
- fqdn: Full domain (e.g., "jenkins.example.com") - overrides domain+subdomain
- enableSsl: Enable HTTPS with ACM certificate (default: false)
- createZone: Create Route53 hosted zone (default: false)
Network & Security:
- networkMode: "public-no-nat" | "private-with-nat" (default: public-no-nat)
- wafEnabled: Enable AWS WAF (default: false)
- albAccessLogging: Enable ALB access logs to S3 (default: false)
- cloudfront: Enable CloudFront distribution (default: false)
- bastionCidr: CIDR for SSH bastion access (default: 10.0.1.0/24)
Authentication:
- authMode: "none" | "alb-oidc" | "jenkins-oidc" | "application-oidc" (default: none)
Cognito (Auto-provision User Pool):
- cognitoAutoProvision: Auto-create Cognito User Pool (default: false)
- cognitoDomainPrefix: Globally unique domain prefix (required if auto-provisioning)
- cognitoUserPoolName: User Pool name (optional)
- cognitoMfaEnabled: Enable MFA (default: false)
- cognitoMfaMethod: "totp" | "sms" | "both" (default: "both")
- cognitoCreateGroups: Create admin/user groups (default: true)
- cognitoAdminGroupName: Admin group name (default: "Jenkins-Admins")
- cognitoUserGroupName: User group name (default: "Jenkins-Users")
- cognitoUserPoolId: Existing User Pool ID (for reuse)
- cognitoAppClientId: Existing App Client ID (for reuse)
- cognitoInitialAdminEmail: Initial admin user email (optional)
- cognitoInitialAdminPhone: Initial admin user phone in E.164 format, e.g., +12025551234 (optional, required for SMS MFA)
Manual OIDC (Identity Center, Okta, Auth0):
- oidcIssuer: OIDC issuer URL
- oidcAuthorizationEndpoint: Authorization endpoint
- oidcTokenEndpoint: Token endpoint
- oidcUserInfoEndpoint: UserInfo endpoint
- oidcClientId: OIDC client ID
- oidcClientSecretName: Secrets Manager secret name (default: "jenkins/oidc/client-secret")
Legacy IAM Identity Center:
- ssoInstanceArn: IAM Identity Center instance ARN
- ssoGroupId: Group UUID
- ssoTargetAccountId: 12-digit account ID
- autoProvisionIdentityCenter: Auto-provision (default: false)
- identityCenterGroupName: Group name (default: "Jenkins-Users")
Compute & Scaling:
- lbType: "alb" | "nlb" (default: alb)
- instanceType: EC2 type (default: t3.micro)
- cpu: Fargate vCPU units (default: 1024)
- memory: Fargate memory MiB (default: 2048)
- containerImage: Override container image tag, e.g., "v1.2.3" or "2024.1" (default: uses tag from ApplicationSpec)
- minInstanceCapacity: Min instances (default: 1)
- maxInstanceCapacity: Max instances (default: 1)
- cpuTargetUtilization: CPU target % (default: 60)
Monitoring & Compliance:
- enableMonitoring: CloudWatch monitoring (default: true)
- enableEncryption: Encryption at rest (default: true)
- logRetentionDays: CloudWatch log retention (default: security profile default)
- awsConfigEnabled: AWS Config compliance (default: false)
- securityMonitoringEnabled: Enable security monitoring (default: false)
- efsEncryptionInTransitEnabled: Enable EFS encryption in transit (default: profile default)
- automatedBackupEnabled: Enable automated backups (default: profile default)
- crossRegionBackupEnabled: Enable cross-region backups (default: profile default)
- complianceMode: "enforce" | "advisory" (auto when unset: enforce if securityProfile is "production", advisory for "dev" and "staging")
- complianceFrameworks: "PCI-DSS,HIPAA,SOC2,GDPR" (comma-separated)
Health Checks:
- healthCheckGracePeriod: Grace period seconds (default: 300)
- healthCheckInterval: Interval seconds (default: 30)
- healthCheckTimeout: Timeout seconds (default: 5)
- healthyThreshold: Healthy count (default: 2)
- unhealthyThreshold: Unhealthy count (default: 3)
Storage:
- artifactsBucket: S3 bucket name (optional)
- artifactsPrefix: S3 prefix (default: "jenkins/job/${JOB_NAME}/${BUILD_NUMBER}")
- retainStorage: Retain EFS/EBS on deletion (default: false)
- existingFileSystemId: Reuse existing EFS (disaster recovery)
Usage:
  // In CDK app
  DeploymentContext ctx = DeploymentContext.from(app);
  // In any Construct
  DeploymentContext ctx = DeploymentContext.from(scope);
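An added example, not code from the CloudForge library or this page: a standalone pre-synth check that reads the "cfc" block out of cdk.json, applies the defaults and derived values the key list above describes (fqdn overriding domain+subdomain, complianceMode derived from securityProfile, comma-separated complianceFrameworks), and rejects the combinations the list marks as invalid (cognitoDomainPrefix missing while auto-provisioning, a cognitoInitialAdminPhone that is not E.164, an initial admin with SMS MFA and no phone). The healthCheckTimeout < healthCheckInterval rule is the ALB target-group constraint rather than anything stated here, and the production warnings (no enableSsl, authMode none, public-no-nat, no WAF) plus the min/max capacity check are this editor's policy, not library behaviour. The sample cdk.json is a constructed copy of the Quick Start on this page.

```python
import json
import re

# Defaults and allowed values transcribed from the key list on this page
# (only the keys the checks below need; the library defaults the rest the same way).
DEFAULTS = {
    "tier": "public", "runtime": "fargate", "env": "dev",
    "securityProfile": "dev", "region": "us-east-1",
    "enableSsl": False, "createZone": False,
    "networkMode": "public-no-nat", "wafEnabled": False,
    "authMode": "none",
    "cognitoAutoProvision": False, "cognitoMfaEnabled": False, "cognitoMfaMethod": "both",
    "lbType": "alb", "cpu": 1024, "memory": 2048,
    "minInstanceCapacity": 1, "maxInstanceCapacity": 1,
    "healthCheckInterval": 30, "healthCheckTimeout": 5,
}
ENUMS = {
    "tier": {"public", "enterprise"},
    "runtime": {"ec2", "fargate"},
    "topology": {"jenkins-single-node", "jenkins-service", "s3-website"},
    "env": {"dev", "stage", "prod"},
    "securityProfile": {"dev", "staging", "production"},
    "networkMode": {"public-no-nat", "private-with-nat"},
    "authMode": {"none", "alb-oidc", "jenkins-oidc", "application-oidc"},
    "cognitoMfaMethod": {"totp", "sms", "both"},
    "lbType": {"alb", "nlb"},
    "complianceMode": {"enforce", "advisory"},
}
E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # '+' then up to 15 digits, no leading zero

# Constructed sample input: the Quick Start cdk.json shown on this page.
QUICK_START = json.dumps({"app": "...", "context": {"cfc": {
    "runtime": "fargate", "topology": "jenkins-service", "env": "dev",
    "domain": "example.com", "subdomain": "jenkins", "enableSsl": True,
    "authMode": "alb-oidc", "cognitoAutoProvision": True,
    "cognitoDomainPrefix": "myapp-auth", "cognitoMfaEnabled": True}}})


def load_cfc(cdk_json_text: str) -> dict:
    """Return context.cfc from a cdk.json document (absent block -> {} -> all defaults)."""
    return json.loads(cdk_json_text).get("context", {}).get("cfc", {})


def resolve(cfc: dict) -> dict:
    """Apply documented defaults plus the derived values the key list describes."""
    cfg = {**DEFAULTS, **cfc}
    if not cfg.get("fqdn") and cfg.get("domain"):          # fqdn overrides domain+subdomain
        sub = cfg.get("subdomain")
        cfg["fqdn"] = f"{sub}.{cfg['domain']}" if sub else cfg["domain"]
    if "complianceMode" not in cfg:                         # auto: enforce only for production
        cfg["complianceMode"] = "enforce" if cfg["securityProfile"] == "production" else "advisory"
    if isinstance(cfg.get("complianceFrameworks"), str):   # "PCI-DSS,HIPAA" -> ["PCI-DSS", "HIPAA"]
        cfg["complianceFrameworks"] = [f.strip() for f in cfg["complianceFrameworks"].split(",") if f.strip()]
    return cfg


def validate(cfc: dict) -> tuple[dict, list[str], list[str]]:
    """Return (resolved config, errors from documented rules, policy warnings)."""
    cfg = resolve(cfc)
    errors, warnings = [], []
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            errors.append(f"{key}: {cfg[key]!r} is not one of {sorted(allowed)}")
    if cfg["cognitoAutoProvision"] and not cfg.get("cognitoDomainPrefix"):
        errors.append("cognitoDomainPrefix is required when cognitoAutoProvision is true")
    phone = cfg.get("cognitoInitialAdminPhone")
    if phone is not None and not E164.match(str(phone)):
        errors.append(f"cognitoInitialAdminPhone {phone!r} is not E.164 (e.g. +12025551234)")
    sms_mfa = cfg["cognitoMfaEnabled"] and cfg["cognitoMfaMethod"] in ("sms", "both")
    if sms_mfa and cfg.get("cognitoInitialAdminEmail") and not phone:
        errors.append("cognitoInitialAdminPhone is required for the initial admin when SMS MFA is on")
    # ALB target-group constraint (an AWS rule, not stated on this page).
    if cfg["healthCheckTimeout"] >= cfg["healthCheckInterval"]:
        errors.append("healthCheckTimeout must be less than healthCheckInterval")
    if cfg["minInstanceCapacity"] > cfg["maxInstanceCapacity"]:  # assumed sanity check
        errors.append("minInstanceCapacity exceeds maxInstanceCapacity")
    # Policy warnings for a production synth: this editor's gate, not library behaviour.
    if cfg["env"] == "prod" or cfg["securityProfile"] == "production":
        if not cfg["enableSsl"]:
            warnings.append("production without enableSsl: Jenkins logins and OIDC redirects go over plain HTTP")
        if cfg["authMode"] == "none":
            warnings.append("production with authMode none: no OIDC authentication configured")
        if cfg["networkMode"] == "public-no-nat":
            warnings.append("production on public-no-nat: service is not in private subnets")
        if not cfg["wafEnabled"]:
            warnings.append("production without wafEnabled")
    return cfg, errors, warnings


if __name__ == "__main__":
    cfg, errors, warnings = validate(load_cfc(QUICK_START))
    print("fqdn:", cfg["fqdn"], "complianceMode:", cfg["complianceMode"])
    print("errors:", errors, "warnings:", warnings)
```

Run it against a real cdk.json by replacing QUICK_START with the file contents; a non-empty errors list should fail the pipeline step before cdk synth, while warnings are the place to hang an organisation's own production gates.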
Constructor Summary:
- DeploymentContext

Method Summary:
- static DeploymentContext from(software.amazon.awscdk.App app): Build from the 'cfc' context object on the App.
- static DeploymentContext from(software.constructs.Construct scope): Build from the 'cfc' context object on any Construct scope.
- authMode()
- int cpu()
- int memory()
- domain(), env(), fqdn(), region(), tier(), lbType(), tags()
- getContextValue(String key, String defaultValue): Get a context value by key with default.
- getRuntime(): Get the runtime type.
- getTopology(): Get the topology type.
- boolean isEnterprise(): True if enterprise features should be enabled.
- boolean isPrivateWithNat(): True if the service should run in private subnets without public IPs.
- raw(): Raw immutable view of all context keys.
- runtime(): Canonical axes (preferred).
- topology()
- runtimeRaw(), topologyRaw(): Deprecated.
- securityProfile(): Gets the security profile enum.
- void tagStack(software.amazon.awscdk.Stack stack): Tag a stack so you can see the config in the console.
- toContextMap(): Export all deployment context fields to a Map for serialization.
- toString()
Constructor Details:
- DeploymentContext

Method Details:
- from(software.amazon.awscdk.App app): Build from the 'cfc' context object on the App.
- from(software.constructs.Construct scope): Build from the 'cfc' context object on any Construct scope.
- tier()
- env()
- securityProfile(): Gets the security profile enum. Returns: SecurityProfile enum value.
- region()
- gdprDataTransferApproved()
- domain()
- subdomain()
- fqdn()
- networkMode()
- wafEnabled()
- httpsStrictEnabled()
- albAccessLogging()
- guardDutyEnabled()
- createGuardDutyDetector()
- guardDutyAlertsConfigured()
- certificateExpirationMonitoring()
- macieEnabled()
- macieAutomatedDiscoveryEnabled()
- securityHubEnabled()
- inspectorEnabled()
- antiMalwareEnabled()
- fileIntegrityMonitoringEnabled()
- containerRuntimeSecurityEnabled()
- containerImageScanningEnabled()
- cloudWatchLogsKmsEncryptionEnabled()
- cloudTrailInsightsEnabled()
- route53QueryLoggingEnabled()
- s3ObjectLockEnabled()
- cloudfrontEnabled()
- lbType()
- cpuTargetUtilization()
- maxInstanceCapacity()
- minInstanceCapacity()
- enableFlowlogs()
- cloudTrailEnabled()
- securityMonitoringEnabled()
- efsEncryptionInTransitEnabled()
- restrictSecurityGroupEgress()
- automatedBackupEnabled()
- crossRegionBackupEnabled()
- bastionCidr()
- retainStorage()
- existingFileSystemId()
- enableMonitoring()
- enableEncryption()
- awsConfigEnabled()
- createConfigInfrastructure()
- auditManagerEnabled()
- complianceFrameworks()
- complianceMode()
- logRetentionDays()
- instanceType()
- provisionDatabase()
- enableS3VersioningRemediation()
- enableCloudTrailBucketAccessRemediation()
- enableRdsDeletionProtectionRemediation()
- enableRdsAutoMinorVersionUpgradeRemediation()
- healthCheckGracePeriod()
- healthCheckInterval()
- healthCheckTimeout()
- healthyThreshold()
- unhealthyThreshold()
- authMode()
- cognitoAutoProvision()
- cognitoDomainPrefix()
- cognitoUserPoolName()
- cognitoMfaEnabled()
- cognitoMfaMethod()
- cognitoCreateGroups()
- cognitoAdminGroupName()
- cognitoUserGroupName()
- cognitoUserPoolId()
- cognitoAppClientId()
- cognitoInitialAdminEmail()
- cognitoInitialAdminPhone()
- oidcIssuer()
- oidcAuthorizationEndpoint()
- oidcTokenEndpoint()
- oidcUserInfoEndpoint()
- oidcClientId()
- oidcClientSecretName()
- ssoInstanceArn()
- ssoGroupId()
- ssoTargetAccountId()
- autoProvisionIdentityCenter()
- identityCenterGroupName()
- deploymentId()
- deploymentVersion()
- tags()
- stackName()
- artifactsBucket()
- artifactsPrefix()
- public int cpu()
- public int memory()
- containerImage()
- public boolean enableSsl()
- public boolean createZone()
- raw(): Raw immutable view of all context keys.
- runtime(): Canonical axes (preferred).
- topology()
- runtimeRaw(): Deprecated. Legacy raw accessor (compat only).
- topologyRaw(): Deprecated. Legacy raw accessor (compat only).
- public boolean isPrivateWithNat(): True if the service should run in private subnets without public IPs.
- public boolean isEnterprise(): True if enterprise features should be enabled.
- getRuntime(): Get the runtime type.
- getTopology(): Get the topology type.
- getContextValue(String key, String defaultValue): Get a context value by key with default.
- toContextMap(): Export all deployment context fields to a Map for serialization. This produces the same format as InteractiveDeployer's buildCfcContext and delegates to DeploymentConfig.toContextMap() for consistency.
- public void tagStack(software.amazon.awscdk.Stack stack): Tag a stack so you can see the config in the console.
- toString()