cdk-factory 0.12.0__tar.gz → 0.13.1__tar.gz

{cdk_factory-0.12.0 → cdk_factory-0.13.1}/.gitignore

@@ -194,4 +194,7 @@ cdk.out
 .pysetup.json
 .delete
 activate.sh
-.lambda_package
+.lambda_package
+
+# Lambda runtime config (generated during CDK deployment)
+**/runtime_config.json

{cdk_factory-0.12.0 → cdk_factory-0.13.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.12.0
+Version: 0.13.1
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.12.0 → cdk_factory-0.13.1}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.12.0"
+version = "0.13.1"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

cdk_factory-0.13.1/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -0,0 +1,187 @@
+"""
+Lambda@Edge function for IP-based access gating.
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+
+Since Lambda@Edge does not support environment variables, configuration
+is fetched from SSM Parameter Store at runtime (with caching).
+"""
+import json
+import ipaddress
+import boto3
+from functools import lru_cache
+
+# SSM client - will be created in the region where the function executes
+ssm = None
+
+@lru_cache(maxsize=128)
+def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1') -> str:
+    """
+    Fetch SSM parameter with caching.
+    Lambda@Edge cannot use environment variables, so we fetch from SSM.
+    
+    Args:
+        parameter_name: Name of the SSM parameter
+        region: AWS region (default us-east-1)
+    
+    Returns:
+        Parameter value
+    """
+    global ssm
+    if ssm is None:
+        ssm = boto3.client('ssm', region_name=region)
+    
+    try:
+        response = ssm.get_parameter(Name=parameter_name, WithDecryption=False)
+        return response['Parameter']['Value']
+    except Exception as e:
+        print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
+        raise
+
+
+def get_client_ip(request):
+    """Extract client IP from CloudFront request."""
+    if 'clientIp' in request:
+        return request['clientIp']
+    
+    # Fallback to headers
+    headers = request.get('headers', {})
+    if 'x-forwarded-for' in headers:
+        xff = headers['x-forwarded-for'][0]['value']
+        return xff.split(',')[0].strip()
+    
+    return None
+
+
+def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
+    """
+    Check if client IP is in any of the allowed CIDR ranges.
+    
+    Args:
+        client_ip: Client IP address
+        allowed_cidrs: List of CIDR ranges (e.g., ['10.0.0.0/8', '192.168.1.0/24'])
+    
+    Returns:
+        True if IP is allowed, False otherwise
+    """
+    if not client_ip:
+        return False
+    
+    try:
+        client_ip_obj = ipaddress.ip_address(client_ip)
+    except ValueError as e:
+        print(f"Invalid client IP address: {e}")
+        return False
+    
+    # Check each CIDR individually, skipping invalid ones
+    for cidr in allowed_cidrs:
+        try:
+            network = ipaddress.ip_network(cidr.strip(), strict=False)
+            if client_ip_obj in network:
+                return True
+        except ValueError as e:
+            # Invalid CIDR, log and continue checking others
+            print(f"Invalid CIDR '{cidr}': {e}")
+            continue
+    
+    return False
+
+
+def lambda_handler(event, context):
+    """
+    Lambda@Edge function for IP-based gating.
+    
+    Configuration (fetched from SSM Parameter Store):
+    - GATE_ENABLED: Whether IP gating is enabled (true/false)
+    - ALLOW_CIDRS: Comma-separated list of allowed CIDR ranges
+    - MAINT_CF_HOST: CloudFront domain for maintenance/lockout page
+    
+    Runtime configuration is bundled in runtime_config.json by CDK.
+    SSM parameter paths are auto-generated by CDK as:
+    /{environment}/{full-function-name}/{env-var-name-kebab-case}
+    """
+    request = event['Records'][0]['cf']['request']
+    
+    # Load runtime configuration bundled by CDK
+    # This file is created during deployment and contains environment, function name, etc.
+    try:
+        with open('runtime_config.json', 'r') as f:
+            runtime_config = json.load(f)
+        
+        env = runtime_config.get('environment', 'dev')
+        function_base_name = runtime_config.get('function_name', 'ip-gate')
+        
+        print(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
+    except FileNotFoundError:
+        # Fallback: extract from Lambda context (less reliable)
+        print("Warning: runtime_config.json not found, falling back to function name parsing")
+        function_full_name = context.function_name
+        
+        # Parse environment from function name as fallback
+        parts = function_full_name.split('-')
+        common_envs = ['dev', 'prod', 'staging', 'test', 'qa', 'uat']
+        env = 'dev'
+        
+        for part in parts:
+            if part in common_envs:
+                env = part
+                break
+        
+        function_base_name = 'ip-gate'
+        print(f"Fallback: environment={env}, function_name={function_base_name}")
+    
+    # Full function name for SSM paths
+    function_name = context.function_name
+    print(f"Lambda function ARN: {context.invoked_function_arn}")
+    
+    try:
+        # Fetch configuration from SSM Parameter Store
+        # Auto-generated paths: /{env}/{function-name}/{key}
+        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
+        
+        # If gating is disabled, allow all traffic
+        if gate_enabled.lower() not in ('true', '1', 'yes'):
+            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled})")
+            return request
+        
+        # Get allowed CIDRs and maintenance host
+        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
+        maint_cf_host = get_ssm_parameter(f'/{env}/{function_name}/maint-cf-host', 'us-east-1')
+        
+        # Parse allowed CIDRs
+        allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
+        
+        # Get client IP
+        client_ip = get_client_ip(request)
+        print(f"Client IP: {client_ip}")
+        
+        # Check if IP is allowed
+        if is_ip_allowed(client_ip, allowed_cidrs):
+            print(f"IP {client_ip} is allowed")
+            return request
+        
+        # IP not allowed - redirect to maintenance page
+        print(f"IP {client_ip} is NOT allowed, redirecting to {maint_cf_host}")
+        
+        response = {
+            'status': '302',
+            'statusDescription': 'Found',
+            'headers': {
+                'location': [{
+                    'key': 'Location',
+                    'value': f'https://{maint_cf_host}'
+                }],
+                'cache-control': [{
+                    'key': 'Cache-Control',
+                    'value': 'no-cache, no-store, must-revalidate'
+                }]
+            }
+        }
+        
+        return response
+        
+    except Exception as e:
+        print(f"Error in IP gating function: {str(e)}")
+        # On error, allow the request to proceed (fail open)
+        # Change this to fail closed if preferred
+        return request

{cdk_factory-0.12.0 → cdk_factory-0.13.1}/src/cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -8,6 +8,9 @@ MIT License. See Project Root for the license information.
 
 from typing import Optional, Dict
 from pathlib import Path
+import json
+import tempfile
+import shutil
 
 import aws_cdk as cdk
 from aws_cdk import aws_lambda as _lambda
@@ -139,6 +142,34 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         logger.info(f"Loading Lambda code from: {code_path}")
         
+        # Create isolated temp directory for this function instance
+        # This prevents conflicts when multiple functions use the same handler code
+        temp_code_dir = Path(tempfile.mkdtemp(prefix=f"{function_name.replace('/', '-')}-"))
+        logger.info(f"Creating isolated code directory at: {temp_code_dir}")
+        
+        # Copy source code to temp directory
+        shutil.copytree(code_path, temp_code_dir, dirs_exist_ok=True)
+        logger.info(f"Copied code from {code_path} to {temp_code_dir}")
+        
+        # Create runtime configuration file for Lambda@Edge
+        # Since Lambda@Edge doesn't support environment variables, we bundle a config file
+        runtime_config = {
+            'environment': self.deployment.environment,
+            'function_name': self.edge_config.name,
+            'region': self.deployment.region
+        }
+        
+        runtime_config_path = temp_code_dir / 'runtime_config.json'
+        logger.info(f"Creating runtime config at: {runtime_config_path}")
+        
+        with open(runtime_config_path, 'w') as f:
+            json.dump(runtime_config, f, indent=2)
+        
+        logger.info(f"Runtime config: {runtime_config}")
+        
+        # Use the temp directory for the Lambda code asset
+        code_path = temp_code_dir
+        
         # Map runtime string to CDK Runtime
         runtime_map = {
             "python3.11": _lambda.Runtime.PYTHON_3_11,
@@ -154,10 +185,23 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             _lambda.Runtime.PYTHON_3_11
         )
         
-        # Resolve environment variables (handles SSM parameter references)
-        resolved_environment = self._resolve_environment_variables()
+        # Lambda@Edge does NOT support environment variables
+        # Configuration must be handled via:
+        # 1. Hardcoded in the function code
+        # 2. Fetched from SSM Parameter Store at runtime
+        # 3. Other configuration mechanisms
+        
+        # Log warning if environment variables are configured
+        if self.edge_config.environment:
+            logger.warning(
+                f"Lambda@Edge function '{function_name}' has environment variables configured, "
+                "but Lambda@Edge does not support environment variables. "
+                "The function must fetch these values from SSM Parameter Store at runtime."
+            )
+            for key, value in self.edge_config.environment.items():
+                logger.warning(f"  - {key}: {value}")
         
-        # Create execution role with CloudWatch Logs permissions
+        # Create execution role with CloudWatch Logs and SSM permissions
         execution_role = iam.Role(
             self,
             f"{function_name}-Role",
@@ -173,7 +217,23 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             ]
         )
         
-        # Create the Lambda function
+        # Add SSM read permissions if environment variables reference SSM parameters
+        if self.edge_config.environment:
+            execution_role.add_to_policy(
+                iam.PolicyStatement(
+                    effect=iam.Effect.ALLOW,
+                    actions=[
+                        "ssm:GetParameter",
+                        "ssm:GetParameters",
+                        "ssm:GetParametersByPath"
+                    ],
+                    resources=[
+                        f"arn:aws:ssm:*:{cdk.Aws.ACCOUNT_ID}:parameter/*"
+                    ]
+                )
+            )
+        
+        # Create the Lambda function WITHOUT environment variables
         self.function = _lambda.Function(
             self,
             function_name,
@@ -185,7 +245,7 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             timeout=cdk.Duration.seconds(self.edge_config.timeout),
             description=self.edge_config.description,
             role=execution_role,
-            environment=resolved_environment,
+            # Lambda@Edge does NOT support environment variables
             log_retention=logs.RetentionDays.ONE_WEEK,
         )
         
@@ -256,3 +316,30 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
                         param_path,
                         description=f"{key} for Lambda@Edge function {function_name}"
                     )
+        
+        # Export environment variables as SSM parameters
+        # Since Lambda@Edge doesn't support environment variables, we export them
+        # to SSM so the Lambda function can fetch them at runtime
+        if self.edge_config.environment:
+            logger.info("Exporting Lambda@Edge environment variables as SSM parameters")
+            env_ssm_exports = self.edge_config.dictionary.get("environment_ssm_exports", {})
+            
+            # If no explicit environment_ssm_exports, create default SSM paths
+            if not env_ssm_exports:
+                # Auto-generate SSM parameter names based on environment variable names
+                for env_key in self.edge_config.environment.keys():
+                    # Use snake_case version of the key for SSM path
+                    ssm_key = env_key.lower().replace('_', '-')
+                    env_ssm_exports[env_key] = f"/{self.deployment.environment}/{function_name}/{ssm_key}"
+            
+            # Resolve and export environment variables to SSM
+            resolved_env = self._resolve_environment_variables()
+            for env_key, ssm_path in env_ssm_exports.items():
+                if env_key in resolved_env:
+                    self.export_ssm_parameter(
+                        self,
+                        f"env-{env_key}-param",
+                        resolved_env[env_key],
+                        ssm_path,
+                        description=f"Configuration for Lambda@Edge: {env_key}"
+                    )

cdk_factory-0.13.1/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.13.1"

cdk_factory-0.12.0/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -1,104 +0,0 @@
-"""
-Lambda@Edge Origin-Request Handler for IP-based Access Gating
-Geek Cafe, LLC
-Maintainers: Eric Wilson
-"""
-
-import ipaddress
-import json
-import os
-
-
-def lambda_handler(event, context):
-    """
-    Lambda@Edge origin-request handler that implements IP-based gating
-    with maintenance site fallback.
-    
-    Features:
-    - Inject X-Viewer-IP header for origin visibility
-    - Check viewer IP against allowlist when gate is enabled
-    - Rewrite blocked IPs to maintenance CloudFront distribution, and serve up maintenance site
-    - Toggle via GATE_ENABLED environment variable
-    """
-    
-    # Extract request from CloudFront event
-    request = event['Records'][0]['cf']['request']
-    client_ip = request['clientIp']
-    
-    # Configuration from environment variables
-    gate_enabled = os.environ.get('GATE_ENABLED', 'false').lower() == 'true'
-    allow_cidrs_str = os.environ.get('ALLOW_CIDRS', '')
-    maint_cf_host = os.environ.get('MAINT_CF_HOST', '')
-    
-    # Parse allowed CIDRs
-    allow_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
-    
-    # Always inject viewer IP header
-    if 'headers' not in request:
-        request['headers'] = {}
-    
-    request['headers']['x-viewer-ip'] = [{
-        'key': 'X-Viewer-IP',
-        'value': client_ip
-    }]
-    
-    # If gate is disabled, pass through to origin
-    if not gate_enabled:
-        return request
-    
-    # Check if IP is in allowlist
-    ip_allowed = False
-    try:
-        client_ip_obj = ipaddress.ip_address(client_ip)
-        for cidr in allow_cidrs:
-            try:
-                network = ipaddress.ip_network(cidr, strict=False)
-                if client_ip_obj in network:
-                    ip_allowed = True
-                    break
-            except (ValueError, ipaddress.AddressValueError):
-                # Invalid CIDR, skip
-                continue
-    except (ValueError, ipaddress.AddressValueError):
-        # Invalid client IP, block by default
-        ip_allowed = False
-    
-    # If IP is allowed, pass through to origin
-    if ip_allowed:
-        return request
-    
-    # IP not allowed - redirect to maintenance site
-    if not maint_cf_host:
-        # Safety: if maintenance host not configured, pass through with warning
-        # In production, you might want to return a fixed error response instead
-        return request
-    
-    # Rewrite origin to maintenance CloudFront distribution
-    request['origin'] = {
-        'custom': {
-            'domainName': maint_cf_host,
-            'port': 443,
-            'protocol': 'https',
-            'path': '',
-            'sslProtocols': ['TLSv1.2'],
-            'readTimeout': 30,
-            'keepaliveTimeout': 5,
-            'customHeaders': {}
-        }
-    }
-    
-    # Update Host header to match new origin
-    request['headers']['host'] = [{
-        'key': 'Host',
-        'value': maint_cf_host
-    }]
-    
-    # Normalize URI - redirect directory requests to index.html
-    uri = request.get('uri', '/')
-    if uri.endswith('/'):
-        request['uri'] = uri + 'index.html'
-    elif '.' not in uri.split('/')[-1]:
-        # No file extension, likely a directory
-        request['uri'] = uri + '/index.html'
-    
-    return request

cdk_factory-0.12.0/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.12.0"