BuzzerboyAWSLightsail 0.330.1__py3-none-any.whl → 0.332.1__py3-none-any.whl

BuzzerboyAWSLightsailStack/LightsailContainerStandalone.py

@@ -0,0 +1,385 @@
+"""
+AWS Lightsail Mini Infrastructure Stack
+======================================
+
+This module provides a comprehensive AWS Lightsail infrastructure deployment stack
+using CDKTF (Cloud Development Kit for Terraform) with Python.
+
+The stack includes:
+    * Lightsail Container Service with automatic custom domain attachment
+    * PostgreSQL Database (optional)
+    * DNS management with CNAME records
+    * SSL certificate management with automatic validation
+    * IAM resources for service access
+    * S3 bucket for application data
+    * Secrets Manager for credential storage
+
+:author: Generated with GitHub Copilot
+:version: 1.0.0
+:license: MIT
+"""
+
+
+#region specific imports
+
+import os
+import json
+from enum import Enum
+from constructs import Construct
+from cdktf import TerraformOutput
+
+# Import the base class
+from .LightsailBaseStandalone import LightsailBaseStandalone, BaseLightsailArchitectureFlags
+
+#endregion
+
+#region AWS Provider and Resources
+from cdktf_cdktf_provider_aws.provider import AwsProvider
+from cdktf_cdktf_provider_aws import (
+    lightsail_container_service,
+    lightsail_database,
+    cloudfront_distribution,
+    s3_bucket,
+)
+#endregion
+
+#region Random Provider and Resources
+from cdktf_cdktf_provider_random import password
+
+# AWS WAF (currently unused but imported for future use)
+from cdktf_cdktf_provider_aws.wafv2_web_acl import (
+    Wafv2WebAcl,
+    Wafv2WebAclDefaultAction,
+    Wafv2WebAclRule,
+    Wafv2WebAclVisibilityConfig,
+    Wafv2WebAclDefaultActionAllow,
+    Wafv2WebAclRuleOverrideAction,
+    Wafv2WebAclRuleOverrideActionNone,
+    Wafv2WebAclRuleOverrideActionCount,
+    Wafv2WebAclRuleVisibilityConfig,
+)
+from cdktf_cdktf_provider_aws.wafv2_web_acl_association import Wafv2WebAclAssociation
+from cdktf_cdktf_provider_aws.wafv2_rule_group import Wafv2RuleGroupRuleVisibilityConfig
+
+#endregion
+
+
+
+#region ArchitectureFlags 
+class ArchitectureFlags(Enum):
+    """
+    Architecture configuration flags for optional components.
+
+    Includes both base flags and container-specific flags.
+
+    Base flags:
+    :param SKIP_DEFAULT_POST_APPLY_SCRIPTS: Skip default post-apply scripts
+    :param PRESERVE_EXISTING_SECRETS: Don't overwrite existing secret versions (smart detection)
+    :param IGNORE_SECRET_CHANGES: Ignore all changes to secret after initial creation
+    
+    Container-specific flags:
+    :param SKIP_DATABASE: Skip database creation
+    :param SKIP_DOMAIN: Skip domain and DNS configuration
+    """
+    
+    # Base flags from BaseLightsailArchitectureFlags
+    SKIP_DEFAULT_POST_APPLY_SCRIPTS = "skip_default_post_apply_scripts"
+    PRESERVE_EXISTING_SECRETS = "preserve_existing_secrets"
+    IGNORE_SECRET_CHANGES = "ignore_secret_changes"
+    
+    # Container-specific flags
+    SKIP_DATABASE = "skip_database"
+    SKIP_DOMAIN = "skip_domain"
+
+#endregion
+
+
+class LightsailContainerStandaloneStack(LightsailBaseStandalone):
+    """
+    AWS Lightsail Mini Infrastructure Stack.
+
+    A comprehensive infrastructure stack that deploys:
+        * Lightsail Container Service with custom domain support
+        * PostgreSQL database (optional)
+        * IAM resources and S3 storage
+
+    :param scope: The construct scope
+    :param id: The construct ID
+    :param kwargs: Configuration parameters including region, domains, flags, etc.
+
+    Example:
+        >>> stack = LightsailContainerStandaloneStack(
+        ...     app, "my-stack",
+        ...     region="ca-central-1",
+        ...     domains=["app.example.com"],
+        ...     project_name="my-app",
+        ...     postApplyScripts=[
+        ...         "echo 'Deployment completed'",
+        ...         "curl -X POST https://webhook.example.com/notify"
+        ...     ]
+        ... )
+    """
+
+    @staticmethod
+    def get_architecture_flags():
+        """
+        Get the ArchitectureFlags enum for configuration.
+
+        :returns: ArchitectureFlags enum class
+        :rtype: type[ArchitectureFlags]
+        """
+        return ArchitectureFlags
+
+    def __init__(self, scope, id, **kwargs):
+        """
+        Initialize the AWS Lightsail Mini Infrastructure Stack.
+
+        :param scope: The construct scope
+        :param id: Unique identifier for this stack
+        :param kwargs: Configuration parameters
+
+        **Configuration Parameters:**
+
+        :param region: AWS region (default: "us-east-1")
+        :param environment: Environment name (default: "dev")
+        :param project_name: Project identifier (default: "bb-aws-lightsail-mini-v1a-app")
+        :param domain_name: Primary domain name
+        :param domains: List of custom domains to configure
+        :param flags: List of ArchitectureFlags to modify behavior
+        :param profile: AWS profile to use (default: "default")
+        :param postApplyScripts: List of shell commands to execute after deployment
+
+        .. warning::
+           Lightsail domain operations must use us-east-1 region regardless of
+           the main stack region.
+        """
+        # Set container-specific defaults
+        if "project_name" not in kwargs:
+            kwargs["project_name"] = "bb-aws-lightsail-mini-v1a-app"
+
+        # Set database defaults before base initialization
+        self.default_db_name = kwargs.get("default_db_name", kwargs["project_name"])
+        self.default_db_username = kwargs.get("default_db_username", "dbadmin")
+        
+        # Call parent constructor which handles all the base initialization
+        super().__init__(scope, id, **kwargs)
+
+        # ===== Container-Specific Configuration =====
+        self.domains = kwargs.get("domains", []) or []
+
+        # ===== Database Configuration =====
+        self.default_db_name = kwargs.get("default_db_name", self.project_name)
+        self.default_db_username = kwargs.get("default_db_username", "dbadmin")
+
+    def _initialize_providers(self):
+        """Initialize all required Terraform providers."""
+        # Call parent class to initialize base providers
+        super()._initialize_providers()
+        
+        # Add Lightsail-specific provider for domain operations (must be us-east-1)
+        self.aws_domain_provider = AwsProvider(
+            self, "aws_domain", region="us-east-1", profile=self.profile, alias="domain"
+        )
+        self.resources["aws_domain"] = self.aws_domain_provider
+
+    def _set_default_post_apply_scripts(self):
+        """
+        Set default post-apply scripts specific to container deployments.
+        """
+        # Call parent method for base scripts
+        super()._set_default_post_apply_scripts()
+
+        # Skip if flag is set
+        if BaseLightsailArchitectureFlags.SKIP_DEFAULT_POST_APPLY_SCRIPTS.value in self.flags:
+            return
+
+        # Add container-specific scripts
+        container_scripts = [
+            f"echo '🚀 Container Service URL: https://{self.project_name}.{self.region}.cs.amazonlightsail.com'",
+        ]
+
+        # Insert container-specific scripts before the final "execution started" message
+        if self.post_apply_scripts:
+            # Find the index of the last script and insert before it
+            insert_index = len(self.post_apply_scripts) - 1
+            for script in reversed(container_scripts):
+                self.post_apply_scripts.insert(insert_index, script)
+
+    def create_lightsail_resources(self):
+        """
+        Create core Lightsail resources.
+
+        Creates:
+            * Lightsail Container Service with nano power and scale of 1
+            * Random password for database authentication (if database not skipped)
+
+        .. note::
+           Custom domains are configured separately through DNS records and
+           post-deployment automation rather than the public_domain_names parameter
+           due to CDKTF type complexity.
+        """
+        # Lightsail Container Service
+        self.container_service = lightsail_container_service.LightsailContainerService(
+            self,
+            "app_container",
+            name=f"{self.project_name}",
+            power="nano",
+            region=self.region,
+            scale=1,
+            is_disabled=False,
+            # Note: Custom domains are configured separately via DNS records
+            # The public_domain_names parameter has complex type requirements
+            tags={"Environment": self.environment, "Project": self.project_name, "Stack": self.__class__.__name__},
+        )
+        self.container_service_url = self.get_lightsail_container_service_domain()
+
+        # Create Lightsail database if not skipped
+        if not self.has_flag(ArchitectureFlags.SKIP_DATABASE.value):
+            self.create_lightsail_database()
+
+        # Create S3 bucket for application data
+        self.create_s3_bucket()
+
+        self.resources["lightsail_container_service"] = self.container_service
+
+    def create_lightsail_database(self):
+        """
+        Create Lightsail PostgreSQL database (optional).
+
+        Creates a micro PostgreSQL 14 database instance if the SKIP_DATABASE flag
+        is not set. Also populates the secrets dictionary with database connection
+        information for use in Secrets Manager.
+
+        Database Configuration:
+            * Engine: PostgreSQL 14
+            * Size: micro_2_0
+            * Final snapshot: Disabled (skip_final_snapshot=True)
+
+        .. note::
+           Database creation can be skipped by including ArchitectureFlags.SKIP_DATABASE
+           in the flags parameter during stack initialization.
+        """
+        # Database Password Generation
+        self.db_password = password.Password(
+            self, "db_password", length=16, special=True, override_special="!#$%&*()-_=+[]{}<>:?"
+        )
+
+        self.database = lightsail_database.LightsailDatabase(
+            self,
+            "app_database",
+            relational_database_name=f"{self.project_name}-db",
+            blueprint_id="postgres_14",
+            bundle_id="micro_2_0",
+            master_database_name=self.clean_hyphens(f"{self.project_name}"),
+            master_username=self.default_db_username,
+            master_password=self.db_password.result,
+            skip_final_snapshot=True,
+            tags={"Environment": self.environment, "Project": self.project_name, "Stack": self.__class__.__name__},
+        )
+
+        # Populate secrets for database connection
+        self.secrets.update(
+            {
+                "password": self.db_password.result,
+                "username": self.default_db_username,
+                "dbname": self.default_db_name,
+                "host": self.database.master_endpoint_address,
+                "port": self.database.master_endpoint_port,
+            }
+        )
+
+    def create_s3_bucket(self, bucket_name=None):
+        """
+        Create S3 bucket for application data storage.
+
+        Creates a private S3 bucket with proper tagging for application data storage
+        and security configurations:
+        - Bucket versioning enabled
+        - Server-side encryption with Amazon S3 managed keys (SSE-S3)
+        - Bucket key enabled to reduce encryption costs
+        - Private ACL
+
+        The bucket name follows the pattern: {project_name}-s3
+
+        .. note::
+           The ACL parameter is deprecated in favor of aws_s3_bucket_acl resource
+           but is retained for backwards compatibility.
+        """
+        if bucket_name is None:
+            bucket_name = self.properize_s3_bucketname(f"{self.project_name}-s3")
+
+        self.s3_bucket = s3_bucket.S3Bucket(
+            self,
+            "app_data_bucket",
+            bucket=bucket_name,
+            acl="private",
+            versioning={"enabled": True},
+            server_side_encryption_configuration=({
+                "rule": ({
+                    "apply_server_side_encryption_by_default": {
+                        "sse_algorithm": "AES256"
+                    },
+                    "bucket_key_enabled": True
+                })
+            }),
+            tags={"Environment": self.environment, "Project": self.project_name, "Stack": self.__class__.__name__},
+        )
+
+        # Store the S3 bucket in resources registry
+        self.resources["s3_bucket"] = self.s3_bucket
+        self.bucket_name = bucket_name
+
+    def get_lightsail_container_service_domain(self):
+        """
+        Retrieve the actual Lightsail container service domain from AWS.
+
+        Returns a default format domain since we cannot query AWS at synthesis time.
+
+        :returns: The public domain URL for the container service
+        :rtype: str
+        """
+        return f"{self.project_name}.{self.region}.cs.amazonlightsail.com"
+
+    def create_outputs(self):
+        """
+        Create Terraform outputs for important resource information.
+
+        Generates outputs for:
+            * Container service public URL
+            * Database endpoint (if database is enabled)
+            * Database password (sensitive, if database is enabled)
+            * IAM access keys (sensitive)
+
+        .. note::
+           Sensitive outputs are marked as such and will be hidden in
+           Terraform output unless explicitly requested.
+        """
+        # Container service public URL
+        TerraformOutput(
+            self,
+            "container_service_url",
+            value=self.container_service_url,
+            description="Public URL of the Lightsail container service",
+        )
+
+        # Database outputs (if database is enabled)
+        if not self.has_flag(ArchitectureFlags.SKIP_DATABASE.value) and hasattr(self, 'database'):
+            TerraformOutput(
+                self,
+                "database_endpoint",
+                value=f"{self.database.master_endpoint_address}:{self.database.master_endpoint_port}",
+                description="Database connection endpoint",
+            )
+            TerraformOutput(
+                self,
+                "database_password",
+                value=self.database.master_password,
+                sensitive=True,
+                description="Database master password (sensitive)",
+            )
+
+        # Use the shared IAM output helper
+        self.create_iam_outputs()
+
+        """Placeholder for networking resources creation."""
+        pass

BuzzerboyAWSLightsailStack/LightsailDatabase.py

@@ -41,22 +41,28 @@ from cdktf_cdktf_provider_random import password
 
 #endregion
 
+#region Null Provider and Resources
+from cdktf_cdktf_provider_null.resource import Resource as NullResource
+
+#endregion
+
 #region ArchitectureFlags 
 class ArchitectureFlags(Enum):
     """
     Architecture configuration flags for optional components.
 
-    Includes both base and database-specific flags.
+    Includes both base flags and database-specific flags.
 
     Base flags:
     :param SKIP_DEFAULT_POST_APPLY_SCRIPTS: Skip default post-apply scripts
-    :param PRESERVE_EXISTING_SECRETS: Don't overwrite existing secret versions
+    :param PRESERVE_EXISTING_SECRETS: Don't overwrite existing secret versions (smart detection)
     :param IGNORE_SECRET_CHANGES: Ignore all changes to secret after initial creation
     
     Database-specific flags:
     :param SKIP_DATABASE_USERS: Skip creating individual database users (use master user only)
     """
-    # Base flags (from BaseLightsailArchitectureFlags)
+    
+    # Base flags from BaseLightsailArchitectureFlags
     SKIP_DEFAULT_POST_APPLY_SCRIPTS = "skip_default_post_apply_scripts"
     PRESERVE_EXISTING_SECRETS = "preserve_existing_secrets"
     IGNORE_SECRET_CHANGES = "ignore_secret_changes"
@@ -73,8 +79,8 @@ class LightsailDatabaseStack(LightsailBase):
 
     A comprehensive database stack that deploys:
         * Lightsail Database instance with PostgreSQL
-        * Multiple databases within the instance
-        * Individual database users with scoped permissions
+        * Multiple databases within the instance (automated creation)
+        * Individual database users with scoped permissions (automated creation)
         * Secrets Manager for storing all database credentials
         * IAM resources for programmatic access
 
@@ -126,6 +132,7 @@ class LightsailDatabaseStack(LightsailBase):
         :param db_instance_size: Database instance size (default: "micro_2_0")
         :param db_engine: Database engine version (default: "postgres_14")
         :param master_username: Master database username (default: "dbmasteruser")
+        :param db_publicly_accessible: Enable public access to database (default: True, required for automated provisioning)
         """
         # Set database-specific defaults
         if "project_name" not in kwargs:
@@ -135,7 +142,7 @@ class LightsailDatabaseStack(LightsailBase):
             environment = kwargs.get("environment", "dev")
             kwargs["secret_name"] = f"{project_name}/{environment}/database-credentials"
         
-        # ===== Database-Specific Configuration (set before parent init) =====
+        # ===== Database-Specific Configuration (MUST be set before super().__init__) =====
         self.databases = kwargs.get("databases", [])
 
         # Validate required parameters
@@ -146,12 +153,13 @@ class LightsailDatabaseStack(LightsailBase):
         self.master_username = kwargs.get("master_username", "dbmasteruser")
         self.db_instance_size = kwargs.get("db_instance_size", "micro_2_0")
         self.db_engine = kwargs.get("db_engine", "postgres_14")
+        self.db_publicly_accessible = kwargs.get("db_publicly_accessible", True)
 
         # ===== Internal State =====
         self.database_users = {}
         self.database_passwords = {}
         
-        # Call parent constructor
+        # Call parent constructor (this will call _set_default_post_apply_scripts)
         super().__init__(scope, id, **kwargs)
 
     def _set_default_post_apply_scripts(self):
@@ -162,7 +170,7 @@ class LightsailDatabaseStack(LightsailBase):
         super()._set_default_post_apply_scripts()
 
         # Skip if flag is set
-        if ArchitectureFlags.SKIP_DEFAULT_POST_APPLY_SCRIPTS.value in self.flags:
+        if BaseLightsailArchitectureFlags.SKIP_DEFAULT_POST_APPLY_SCRIPTS.value in self.flags:
             return
 
         # Add database-specific scripts before the final message
@@ -191,8 +199,9 @@ class LightsailDatabaseStack(LightsailBase):
 
         Creates:
             * Database passwords for master and individual users
-            * Lightsail PostgreSQL database instance
-            * Individual database user credentials (for later manual creation)
+            * Lightsail PostgreSQL database instance (with public access enabled)
+            * Individual databases within the instance (automated via SQL)
+            * Individual database users with scoped permissions (automated via SQL)
         """
         # Generate passwords first
         self.create_database_passwords()
@@ -241,7 +250,13 @@ class LightsailDatabaseStack(LightsailBase):
             * Engine: PostgreSQL (version specified by db_engine)
             * Size: Configurable (default: micro_2_0)
             * Master database: Uses first database name from the list
+            * Public Access: Configurable (default: True for automated provisioning)
             * Final snapshot: Disabled (skip_final_snapshot=True)
+            
+        .. note::
+           Public access is enabled by default to allow automated database creation
+           via local-exec provisioners. This can be disabled by setting
+           db_publicly_accessible=False, but will require manual database setup.
         """
         # Use the first database name as the master database name
         master_db_name = self.clean_hyphens(self.databases[0])
@@ -255,6 +270,7 @@ class LightsailDatabaseStack(LightsailBase):
             master_database_name=master_db_name,
             master_username=self.master_username,
             master_password=self.master_password.result,
+            publicly_accessible=self.db_publicly_accessible,
             skip_final_snapshot=True,
             tags={
                 "Environment": self.environment, 
@@ -280,28 +296,35 @@ class LightsailDatabaseStack(LightsailBase):
 
     def create_database_users(self):
         """
-        Prepare database user credentials for individual databases.
-
-        This method creates credentials for individual database users that would be
-        created manually or via external scripts after deployment. For each database 
-        in the databases list, it will:
-            1. Generate a password for the database user
-            2. Store credentials in the secrets dictionary
-            3. Create user information for reference
-
-        **Manual Database Setup Required:**
-        After deployment, you'll need to manually create databases and users:
+        Create individual databases and users within the Lightsail PostgreSQL instance.
+
+        This method automates the creation of databases and users using SQL commands
+        executed via null_resource provisioners. For each database in the databases list:
+            1. Generates a password for the database user
+            2. Stores credentials in the secrets dictionary
+            3. Creates the database (if not the first one - master database)
+            4. Creates a dedicated user with the generated password
+            5. Grants all privileges on the database to the user
+
+        **Automated Database Setup:**
+        The following operations are performed automatically for each database:
             * CREATE DATABASE {db_name};
             * CREATE USER "{db_name}-dbuser" WITH PASSWORD '{password}';
             * GRANT ALL PRIVILEGES ON DATABASE {db_name} TO "{db_name}-dbuser";
+            * GRANT ALL ON SCHEMA public TO "{db_name}-dbuser";
 
         .. note::
-           Database and user creation happens manually after deployment since
-           Lightsail doesn't provide Terraform resources for individual databases.
+           The first database in the list is created as the master database during
+           instance creation, so it's skipped in this automated provisioning process.
+           
+        .. note::
+           Requires publicly_accessible=True on the database instance for the
+           provisioner to connect from the local machine running Terraform.
         """
         if ArchitectureFlags.SKIP_DATABASE_USERS.value in self.flags:
             return
 
+        # Store credentials for all databases
         for db_name in self.databases:
             clean_db_name = self.clean_hyphens(db_name)
             username = f"{clean_db_name}-dbuser"
@@ -319,22 +342,67 @@ class LightsailDatabaseStack(LightsailBase):
                 "database": clean_db_name
             }
 
-        # Add manual setup instructions to post-terraform messages
-        if self.databases and not self.has_flag(ArchitectureFlags.SKIP_DATABASE_USERS.value):
-            setup_commands = []
-            for db_name in self.databases:
-                clean_db_name = self.clean_hyphens(db_name)
-                username = f"{clean_db_name}-dbuser"
-                setup_commands.extend([
-                    f"CREATE DATABASE IF NOT EXISTS \"{clean_db_name}\";",
-                    f"CREATE USER \"{username}\" WITH PASSWORD '<password_from_secrets>';",
-                    f"GRANT ALL PRIVILEGES ON DATABASE \"{clean_db_name}\" TO \"{username}\";"
-                ])
+        # Skip the first database as it's already created as the master database
+        databases_to_create = self.databases[1:] if len(self.databases) > 1 else []
+
+        # Create additional databases and users using null_resource
+        for db_name in databases_to_create:
+            clean_db_name = self.clean_hyphens(db_name)
+            username = f"{clean_db_name}-dbuser"
+            password_ref = self.database_passwords[db_name].result
             
-            self.post_terraform_messages.append(
-                f"Manual database setup required. Connect to the database instance and run:\n" +
-                "\n".join(setup_commands)
+            # SQL commands to create database and user
+            # Using environment variables to avoid Terraform interpolation issues
+            sql_commands = f"""#!/bin/bash
+set -e
+
+echo "Creating database: {clean_db_name}"
+
+# Wait for database to be ready (add retry logic)
+for i in {{1..30}}; do
+    if PGPASSWORD="$MASTER_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d postgres -c "SELECT 1" > /dev/null 2>&1; then
+        echo "Database is ready"
+        break
+    fi
+    echo "Waiting for database to be ready... ($i/30)"
+    sleep 10
+done
+
+# Create database
+PGPASSWORD="$MASTER_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d postgres -c "CREATE DATABASE \\"{clean_db_name}\\";" || echo "Database {clean_db_name} may already exist"
+
+# Create user
+PGPASSWORD="$MASTER_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d postgres -c "CREATE USER \\"{username}\\" WITH PASSWORD '$USER_PASSWORD';" || echo "User {username} may already exist"
+
+# Grant database privileges
+PGPASSWORD="$MASTER_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE \\"{clean_db_name}\\" TO \\"{username}\\";"
+
+# Grant schema privileges
+PGPASSWORD="$MASTER_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d {clean_db_name} -c "GRANT ALL ON SCHEMA public TO \\"{username}\\";"
+
+echo "Successfully created database: {clean_db_name} with user: {username}"
+"""
+
+            # Create null_resource to execute SQL commands
+            db_resource = NullResource(
+                self,
+                f"create_database_{clean_db_name}",
+                depends_on=[self.database]
             )
+            
+            # Add provisioner using override
+            db_resource.add_override("provisioner", [{
+                "local-exec": {
+                    "command": sql_commands,
+                    "environment": {
+                        "DB_HOST": self.database.master_endpoint_address,
+                        "DB_PORT": self.database.master_endpoint_port,
+                        "DB_USER": self.master_username,
+                        "MASTER_PASSWORD": self.master_password.result,
+                        "USER_PASSWORD": password_ref,
+                    }
+                }
+            }])
 
     def create_outputs(self):
         """