PyPI - BuzzerboyAWSLightsail - Versions diffs - 0.332.1__py3-none-any.whl → 0.333.1__py3-none-any.whl - Mend

BuzzerboyAWSLightsail 0.332.1py3-none-any.whl → 0.333.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

BuzzerboyAWSLightsailStack/LightsailBase.py CHANGED Viewed

@@ -24,11 +24,8 @@ This class should be extended by specific Lightsail implementations such as:
 #region specific imports
 import os
-import json
 from abc import ABC, abstractmethod
-from enum import Enum
 from constructs import Construct
-from cdktf import TerraformOutput
 # Import from the correct base architecture package
 import sys
@@ -39,47 +36,14 @@ from AWSArchitectureBase.AWSArchitectureBaseStack.AWSArchitectureBase import AWS
 #region AWS Provider and Resources
 from cdktf_cdktf_provider_aws.provider import AwsProvider
-from cdktf_cdktf_provider_aws import (
-    iam_user,
-    iam_access_key,
-    iam_user_policy,
-)
+from cdktf_cdktf_provider_aws import iam_access_key, iam_user, iam_user_policy
 #endregion
-#region Random Provider and Resources
-from cdktf_cdktf_provider_random import password
+from .LightsailFlags import BaseLightsailArchitectureFlags
+from .LightsailMixins import LightsailBaseMixin
-# AWS Secrets Manager
-from cdktf_cdktf_provider_aws.secretsmanager_secret import SecretsmanagerSecret
-from cdktf_cdktf_provider_aws.secretsmanager_secret_version import SecretsmanagerSecretVersion
-from cdktf_cdktf_provider_aws.data_aws_secretsmanager_secret_version import DataAwsSecretsmanagerSecretVersion
-# Null Provider for local-exec provisioner
-from cdktf_cdktf_provider_null.resource import Resource as NullResource
-#endregion
-#region Base ArchitectureFlags
-class BaseLightsailArchitectureFlags(Enum):
-    """
-    Base architecture configuration flags for optional components.
-    These flags are common to all Lightsail implementations and can be
-    extended by specific implementations with additional flags.
-    :param SKIP_DEFAULT_POST_APPLY_SCRIPTS: Skip default post-apply scripts
-    :param PRESERVE_EXISTING_SECRETS: Don't overwrite existing secret versions (smart detection)
-    :param IGNORE_SECRET_CHANGES: Ignore all changes to secret after initial creation
-    """
-    SKIP_DEFAULT_POST_APPLY_SCRIPTS = "skip_default_post_apply_scripts"
-    PRESERVE_EXISTING_SECRETS = "preserve_existing_secrets"
-    IGNORE_SECRET_CHANGES = "ignore_secret_changes"
-#endregion
-class LightsailBase(AWSArchitectureBase):
+class LightsailBase(LightsailBaseMixin, AWSArchitectureBase):
     """
     Abstract base class for AWS Lightsail Infrastructure Stacks.
@@ -377,294 +341,3 @@ class LightsailBase(AWSArchitectureBase):
             user=self.service_user.name,
             policy=policy,
         )
-    def get_extra_secret_env(self, env_var_name=None):
-        """
-        Load additional secrets from environment variable.
-        Attempts to load and parse a JSON string from the environment variable
-        specified in default_extra_secret_env. Any valid JSON key-value pairs
-        are added to the secrets dictionary if they don't already exist.
-        :param env_var_name: Environment variable name to load secrets from
-        :raises: No exceptions - silently continues if JSON parsing fails
-        """
-        if env_var_name is None:
-            env_var_name = self.default_extra_secret_env
-        extra_secret_env = os.environ.get(env_var_name, None)
-        if extra_secret_env:
-            try:
-                extra_secret_json = json.loads(extra_secret_env)
-                for key, value in extra_secret_json.items():
-                    if key not in self.secrets:
-                        self.secrets[key] = value
-            except json.JSONDecodeError:
-                # Silently continue if JSON parsing fails
-                pass
-    def create_security_resources(self):
-        """
-        Create AWS Secrets Manager resources for credential storage.
-        Creates:
-            * Secrets Manager secret for storing application credentials
-            * Secret version with JSON-formatted credential data (conditionally)
-        **Secret Management Strategy:**
-        If PRESERVE_EXISTING_SECRETS flag is set:
-        - Checks if secret already exists with content
-        - Only creates new version if secret is empty or doesn't exist
-        - Preserves manual secret updates and rotations
-        **Stored Credentials:**
-        * IAM access keys for service authentication
-        * AWS region and signature version configuration
-        * Any additional secrets from environment variables
-        * Subclass-specific credentials (added by create_lightsail_resources)
-        .. note::
-           All secrets are stored as a single JSON document in Secrets Manager
-           for easy retrieval by applications.
-        """
-        # Create Secrets Manager secret
-        self.secrets_manager_secret = SecretsmanagerSecret(self, self.secret_name, name=f"{self.secret_name}")
-        self.resources["secretsmanager_secret"] = self.secrets_manager_secret
-        # Populate IAM and AWS configuration secrets
-        self.secrets.update({
-            "service_user_access_key": self.service_key.id,
-            "service_user_secret_key": self.service_key.secret,
-            "access_key": self.service_key.id,
-            "secret_access_key": self.service_key.secret,
-            "region_name": self.region,
-            "signature_version": self.default_signature_version
-        })
-        # Load additional secrets from environment
-        self.get_extra_secret_env()
-        # Conditional secret version creation
-        if self.has_flag(BaseLightsailArchitectureFlags.PRESERVE_EXISTING_SECRETS.value):
-            self._create_secret_version_conditionally()
-        elif self.has_flag(BaseLightsailArchitectureFlags.IGNORE_SECRET_CHANGES.value):
-            self._create_secret_version_with_lifecycle_ignore()
-        else:
-            # Create secret version with all credentials (original behavior)
-            SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=(json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None),
-            )
-    def _create_secret_version_conditionally(self):
-        """
-        Create secret version only if one doesn't already exist or is empty.
-        This method implements smart secret management:
-        1. Attempts to read existing secret using data source
-        2. Only creates new version if secret is empty or doesn't exist
-        3. Preserves manual updates and rotations made outside Terraform
-        **Use Cases:**
-        - Initial deployment when no secret exists
-        - Secret exists but has no content (empty)
-        - Avoid overwriting manually rotated credentials
-        - Preserve additional keys added through AWS console/CLI
-        """
-        try:
-            # Try to read existing secret version to check if it has content
-            existing_secret = DataAwsSecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_existing_check",
-                secret_id=self.secrets_manager_secret.id,
-                version_stage="AWSCURRENT"
-            )
-            # Create a conditional secret version
-            conditional_secret = SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version_conditional",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-                lifecycle={
-                    "ignore_changes": ["secret_string"],
-                    "create_before_destroy": False
-                }
-            )
-            # Add dependency to ensure secret exists before checking
-            conditional_secret.add_override("count",
-                "${length(try(jsondecode(data.aws_secretsmanager_secret_version." +
-                self.secret_name.replace("/", "_").replace("-", "_") + "_existing_check.secret_string), {})) == 0 ? 1 : 0}"
-            )
-        except Exception:
-            # If data source fails (secret doesn't exist), create the version
-            SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version_fallback",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-            )
-    def _create_secret_version_with_lifecycle_ignore(self):
-        """
-        Create secret version with lifecycle rule to ignore future changes.
-        This is a simpler approach that:
-        1. Creates the secret version with initial values on first deployment
-        2. Ignores all future changes to the secret_string
-        3. Allows manual updates in AWS console/CLI to persist
-        **Pros:**
-        - Simple implementation
-        - Reliable behavior
-        - Preserves manual changes after initial creation
-        **Cons:**
-        - Cannot update secrets through Terraform after initial deployment
-        - Requires manual secret management for infrastructure changes
-        """
-        secret_version = SecretsmanagerSecretVersion(
-            self,
-            self.secret_name + "_version_ignored",
-            secret_id=self.secrets_manager_secret.id,
-            secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-        )
-        # Add lifecycle rule to ignore changes to secret_string
-        secret_version.add_override("lifecycle", {
-            "ignore_changes": ["secret_string"]
-        })
-    def execute_post_apply_scripts(self):
-        """
-        Execute post-apply scripts using local-exec provisioners.
-        Creates a null resource with local-exec provisioner for each script
-        in the post_apply_scripts list. Scripts are executed sequentially
-        after all other infrastructure resources are created.
-        **Script Execution:**
-        * Each script runs as a separate null resource
-        * Scripts execute in the order they appear in the list
-        * Failures in scripts don't prevent deployment completion
-        * All scripts depend on core infrastructure being ready
-        **Error Handling:**
-        * Scripts use "on_failure: continue" to prevent deployment failures
-        * Failed scripts are logged but don't halt the deployment process
-        * Manual intervention may be required if critical scripts fail
-        .. note::
-           Post-apply scripts can be provided via the postApplyScripts parameter
-           during stack initialization. If no scripts are provided, this method
-           returns without creating any resources.
-        .. warning::
-           Scripts have access to the local environment where Terraform runs.
-           Ensure scripts are safe and don't expose sensitive information.
-        """
-        if not self.post_apply_scripts:
-            return
-        # Collect dependencies for post-apply scripts
-        dependencies = []
-        if hasattr(self, 'secrets_manager_secret'):
-            dependencies.append(self.secrets_manager_secret)
-        # Create a null resource for each post-apply script
-        for i, script in enumerate(self.post_apply_scripts):
-            script_resource = NullResource(
-                self,
-                f"post_apply_script_{i}",
-                depends_on=dependencies if dependencies else None
-            )
-            # Add provisioner using override
-            script_resource.add_override("provisioner", [{
-                "local-exec": {
-                    "command": script,
-                    "on_failure": "continue"
-                }
-            }])
-    # ==================== UTILITY METHODS ====================
-    def has_flag(self, flag_value):
-        """
-        Check if a specific flag is set in the configuration.
-        :param flag_value: The flag value to check for
-        :type flag_value: str
-        :returns: True if the flag is set, False otherwise
-        :rtype: bool
-        """
-        return flag_value in self.flags
-    def clean_hyphens(self, text):
-        """
-        Remove hyphens from text for database/resource naming.
-        :param text: Text to clean
-        :type text: str
-        :returns: Text with hyphens replaced by underscores
-        :rtype: str
-        """
-        return text.replace("-", "_")
-    def properize_s3_bucketname(self, bucket_name):
-        """
-        Ensure S3 bucket name follows AWS naming conventions.
-        :param bucket_name: Proposed bucket name
-        :type bucket_name: str
-        :returns: Properly formatted bucket name
-        :rtype: str
-        """
-        # Convert to lowercase and replace invalid characters
-        clean_name = bucket_name.lower().replace("_", "-")
-        # Ensure it starts and ends with alphanumeric characters
-        clean_name = clean_name.strip("-.")
-        return clean_name
-    # ==================== SHARED OUTPUT HELPERS ====================
-    def create_iam_outputs(self):
-        """
-        Create standard IAM-related Terraform outputs.
-        This helper method can be called by subclasses to create
-        consistent IAM outputs across all Lightsail implementations.
-        """
-        # IAM credentials (sensitive)
-        TerraformOutput(
-            self,
-            "iam_user_access_key",
-            value=self.service_key.id,
-            sensitive=True,
-            description="IAM user access key ID (sensitive)",
-        )
-        TerraformOutput(
-            self,
-            "iam_user_secret_key",
-            value=self.service_key.secret,
-            sensitive=True,
-            description="IAM user secret access key (sensitive)",
-        )
-        # Secret name for reference
-        TerraformOutput(
-            self,
-            "secrets_manager_secret_name",
-            value=self.secret_name,
-            description="AWS Secrets Manager secret name containing all credentials",
-        )

BuzzerboyAWSLightsailStack/LightsailBaseStandalone.py CHANGED Viewed

@@ -8,9 +8,7 @@ resources, while keeping IAM/Secrets/post-apply helpers used by Lightsail stacks
 """
 import os
-import json
-from enum import Enum
-from cdktf import TerraformStack, TerraformOutput
+from cdktf import TerraformStack
 from cdktf_cdktf_provider_aws.provider import AwsProvider
 from cdktf_cdktf_provider_aws import (
@@ -21,32 +19,15 @@ from cdktf_cdktf_provider_aws import (
     iam_group_policy,
 )
-from cdktf_cdktf_provider_random import password
 from cdktf_cdktf_provider_random.provider import RandomProvider
 from cdktf_cdktf_provider_null.provider import NullProvider
-from cdktf_cdktf_provider_null.resource import Resource as NullResource
-from cdktf_cdktf_provider_aws.secretsmanager_secret import SecretsmanagerSecret
-from cdktf_cdktf_provider_aws.secretsmanager_secret_version import SecretsmanagerSecretVersion
-from cdktf_cdktf_provider_aws.data_aws_secretsmanager_secret_version import DataAwsSecretsmanagerSecretVersion
+from .LightsailFlags import BaseLightsailArchitectureFlags
+from .LightsailMixins import LightsailBaseMixin
-class BaseLightsailArchitectureFlags(Enum):
-    """
-    Base architecture configuration flags for optional components.
-    :param SKIP_DEFAULT_POST_APPLY_SCRIPTS: Skip default post-apply scripts
-    :param PRESERVE_EXISTING_SECRETS: Don't overwrite existing secret versions
-    :param IGNORE_SECRET_CHANGES: Ignore all changes to secret after initial creation
-    """
-    SKIP_DEFAULT_POST_APPLY_SCRIPTS = "skip_default_post_apply_scripts"
-    PRESERVE_EXISTING_SECRETS = "preserve_existing_secrets"
-    IGNORE_SECRET_CHANGES = "ignore_secret_changes"
-class LightsailBaseStandalone(TerraformStack):
+class LightsailBaseStandalone(LightsailBaseMixin, TerraformStack):
     """
     Standalone base class for Lightsail stacks without AWSArchitectureBase.
     """
@@ -171,148 +152,3 @@ class LightsailBaseStandalone(TerraformStack):
             group=self.service_group.name,
             policy=policy,
         )
-    def get_extra_secret_env(self, env_var_name=None):
-        if env_var_name is None:
-            env_var_name = self.default_extra_secret_env
-        extra_secret_env = os.environ.get(env_var_name, None)
-        if extra_secret_env:
-            try:
-                extra_secret_json = json.loads(extra_secret_env)
-                for key, value in extra_secret_json.items():
-                    if key not in self.secrets:
-                        self.secrets[key] = value
-            except json.JSONDecodeError:
-                pass
-    def create_security_resources(self):
-        self.secrets_manager_secret = SecretsmanagerSecret(self, self.secret_name, name=f"{self.secret_name}")
-        self.resources["secretsmanager_secret"] = self.secrets_manager_secret
-        self.secrets.update({
-            "service_user_access_key": self.service_key.id,
-            "service_user_secret_key": self.service_key.secret,
-            "access_key": self.service_key.id,
-            "secret_access_key": self.service_key.secret,
-            "region_name": self.region,
-            "signature_version": self.default_signature_version
-        })
-        self.get_extra_secret_env()
-        if BaseLightsailArchitectureFlags.PRESERVE_EXISTING_SECRETS.value in self.flags:
-            self._create_secret_version_conditionally()
-        elif BaseLightsailArchitectureFlags.IGNORE_SECRET_CHANGES.value in self.flags:
-            self._create_secret_version_with_lifecycle_ignore()
-        else:
-            SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=(json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None),
-            )
-    def _create_secret_version_conditionally(self):
-        try:
-            DataAwsSecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_existing_check",
-                secret_id=self.secrets_manager_secret.id,
-                version_stage="AWSCURRENT"
-            )
-            conditional_secret = SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version_conditional",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-                lifecycle={
-                    "ignore_changes": ["secret_string"],
-                    "create_before_destroy": False
-                }
-            )
-            conditional_secret.add_override(
-                "count",
-                "${length(try(jsondecode(data.aws_secretsmanager_secret_version." +
-                self.secret_name.replace("/", "_").replace("-", "_") + "_existing_check.secret_string), {})) == 0 ? 1 : 0}"
-            )
-        except Exception:
-            SecretsmanagerSecretVersion(
-                self,
-                self.secret_name + "_version_fallback",
-                secret_id=self.secrets_manager_secret.id,
-                secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-            )
-    def _create_secret_version_with_lifecycle_ignore(self):
-        secret_version = SecretsmanagerSecretVersion(
-            self,
-            self.secret_name + "_version_ignored",
-            secret_id=self.secrets_manager_secret.id,
-            secret_string=json.dumps(self.secrets, indent=2, sort_keys=True) if self.secrets else None,
-        )
-        secret_version.add_override("lifecycle", {
-            "ignore_changes": ["secret_string"]
-        })
-    def execute_post_apply_scripts(self):
-        if not self.post_apply_scripts:
-            return
-        dependencies = []
-        if hasattr(self, "secrets_manager_secret"):
-            dependencies.append(self.secrets_manager_secret)
-        for i, script in enumerate(self.post_apply_scripts):
-            script_resource = NullResource(
-                self,
-                f"post_apply_script_{i}",
-                depends_on=dependencies if dependencies else None
-            )
-            script_resource.add_override("provisioner", [{
-                "local-exec": {
-                    "command": script,
-                    "on_failure": "continue"
-                }
-            }])
-    def has_flag(self, flag_value):
-        return flag_value in self.flags
-    def clean_hyphens(self, text):
-        return text.replace("-", "_")
-    def properize_s3_bucketname(self, bucket_name):
-        clean_name = bucket_name.lower().replace("_", "-")
-        clean_name = clean_name.strip("-.")
-        return clean_name
-    def create_iam_outputs(self):
-        TerraformOutput(
-            self,
-            "iam_user_access_key",
-            value=self.service_key.id,
-            sensitive=True,
-            description="IAM user access key ID (sensitive)",
-        )
-        TerraformOutput(
-            self,
-            "iam_user_secret_key",
-            value=self.service_key.secret,
-            sensitive=True,
-            description="IAM user secret access key (sensitive)",
-        )
-        TerraformOutput(
-            self,
-            "secrets_manager_secret_name",
-            value=self.secret_name,
-            description="AWS Secrets Manager secret name containing all credentials",
-        )

BuzzerboyAWSLightsail 0.332.1__py3-none-any.whl → 0.333.1__py3-none-any.whl

BuzzerboyAWSLightsail 0.332.1py3-none-any.whl → 0.333.1py3-none-any.whl