cdk-factory 0.13.0__py3-none-any.whl → 0.13.1__py3-none-any.whl

cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -1,104 +1,187 @@
 """
-Lambda@Edge Origin-Request Handler for IP-based Access Gating
+Lambda@Edge function for IP-based access gating.
 Geek Cafe, LLC
 Maintainers: Eric Wilson
-"""
 
-import ipaddress
+Since Lambda@Edge does not support environment variables, configuration
+is fetched from SSM Parameter Store at runtime (with caching).
+"""
 import json
-import os
+import ipaddress
+import boto3
+from functools import lru_cache
 
+# SSM client - will be created in the region where the function executes
+ssm = None
 
-def lambda_handler(event, context):
+@lru_cache(maxsize=128)
+def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1') -> str:
     """
-    Lambda@Edge origin-request handler that implements IP-based gating
-    with maintenance site fallback.
+    Fetch SSM parameter with caching.
+    Lambda@Edge cannot use environment variables, so we fetch from SSM.
     
-    Features:
-    - Inject X-Viewer-IP header for origin visibility
-    - Check viewer IP against allowlist when gate is enabled
-    - Rewrite blocked IPs to maintenance CloudFront distribution, and serve up maintenance site
-    - Toggle via GATE_ENABLED environment variable
-    """
+    Args:
+        parameter_name: Name of the SSM parameter
+        region: AWS region (default us-east-1)
     
-    # Extract request from CloudFront event
-    request = event['Records'][0]['cf']['request']
-    client_ip = request['clientIp']
+    Returns:
+        Parameter value
+    """
+    global ssm
+    if ssm is None:
+        ssm = boto3.client('ssm', region_name=region)
     
-    # Configuration from environment variables
-    gate_enabled = os.environ.get('GATE_ENABLED', 'false').lower() == 'true'
-    allow_cidrs_str = os.environ.get('ALLOW_CIDRS', '')
-    maint_cf_host = os.environ.get('MAINT_CF_HOST', '')
+    try:
+        response = ssm.get_parameter(Name=parameter_name, WithDecryption=False)
+        return response['Parameter']['Value']
+    except Exception as e:
+        print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
+        raise
+
+
+def get_client_ip(request):
+    """Extract client IP from CloudFront request."""
+    if 'clientIp' in request:
+        return request['clientIp']
     
-    # Parse allowed CIDRs
-    allow_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
+    # Fallback to headers
+    headers = request.get('headers', {})
+    if 'x-forwarded-for' in headers:
+        xff = headers['x-forwarded-for'][0]['value']
+        return xff.split(',')[0].strip()
     
-    # Always inject viewer IP header
-    if 'headers' not in request:
-        request['headers'] = {}
+    return None
+
+
+def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
+    """
+    Check if client IP is in any of the allowed CIDR ranges.
     
-    request['headers']['x-viewer-ip'] = [{
-        'key': 'X-Viewer-IP',
-        'value': client_ip
-    }]
+    Args:
+        client_ip: Client IP address
+        allowed_cidrs: List of CIDR ranges (e.g., ['10.0.0.0/8', '192.168.1.0/24'])
     
-    # If gate is disabled, pass through to origin
-    if not gate_enabled:
-        return request
+    Returns:
+        True if IP is allowed, False otherwise
+    """
+    if not client_ip:
+        return False
     
-    # Check if IP is in allowlist
-    ip_allowed = False
     try:
         client_ip_obj = ipaddress.ip_address(client_ip)
-        for cidr in allow_cidrs:
-            try:
-                network = ipaddress.ip_network(cidr, strict=False)
-                if client_ip_obj in network:
-                    ip_allowed = True
-                    break
-            except (ValueError, ipaddress.AddressValueError):
-                # Invalid CIDR, skip
-                continue
-    except (ValueError, ipaddress.AddressValueError):
-        # Invalid client IP, block by default
-        ip_allowed = False
+    except ValueError as e:
+        print(f"Invalid client IP address: {e}")
+        return False
     
-    # If IP is allowed, pass through to origin
-    if ip_allowed:
-        return request
+    # Check each CIDR individually, skipping invalid ones
+    for cidr in allowed_cidrs:
+        try:
+            network = ipaddress.ip_network(cidr.strip(), strict=False)
+            if client_ip_obj in network:
+                return True
+        except ValueError as e:
+            # Invalid CIDR, log and continue checking others
+            print(f"Invalid CIDR '{cidr}': {e}")
+            continue
     
-    # IP not allowed - redirect to maintenance site
-    if not maint_cf_host:
-        # Safety: if maintenance host not configured, pass through with warning
-        # In production, you might want to return a fixed error response instead
-        return request
+    return False
+
+
+def lambda_handler(event, context):
+    """
+    Lambda@Edge function for IP-based gating.
     
-    # Rewrite origin to maintenance CloudFront distribution
-    request['origin'] = {
-        'custom': {
-            'domainName': maint_cf_host,
-            'port': 443,
-            'protocol': 'https',
-            'path': '',
-            'sslProtocols': ['TLSv1.2'],
-            'readTimeout': 30,
-            'keepaliveTimeout': 5,
-            'customHeaders': {}
-        }
-    }
+    Configuration (fetched from SSM Parameter Store):
+    - GATE_ENABLED: Whether IP gating is enabled (true/false)
+    - ALLOW_CIDRS: Comma-separated list of allowed CIDR ranges
+    - MAINT_CF_HOST: CloudFront domain for maintenance/lockout page
     
-    # Update Host header to match new origin
-    request['headers']['host'] = [{
-        'key': 'Host',
-        'value': maint_cf_host
-    }]
+    Runtime configuration is bundled in runtime_config.json by CDK.
+    SSM parameter paths are auto-generated by CDK as:
+    /{environment}/{full-function-name}/{env-var-name-kebab-case}
+    """
+    request = event['Records'][0]['cf']['request']
+    
+    # Load runtime configuration bundled by CDK
+    # This file is created during deployment and contains environment, function name, etc.
+    try:
+        with open('runtime_config.json', 'r') as f:
+            runtime_config = json.load(f)
+        
+        env = runtime_config.get('environment', 'dev')
+        function_base_name = runtime_config.get('function_name', 'ip-gate')
+        
+        print(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
+    except FileNotFoundError:
+        # Fallback: extract from Lambda context (less reliable)
+        print("Warning: runtime_config.json not found, falling back to function name parsing")
+        function_full_name = context.function_name
+        
+        # Parse environment from function name as fallback
+        parts = function_full_name.split('-')
+        common_envs = ['dev', 'prod', 'staging', 'test', 'qa', 'uat']
+        env = 'dev'
+        
+        for part in parts:
+            if part in common_envs:
+                env = part
+                break
+        
+        function_base_name = 'ip-gate'
+        print(f"Fallback: environment={env}, function_name={function_base_name}")
     
-    # Normalize URI - redirect directory requests to index.html
-    uri = request.get('uri', '/')
-    if uri.endswith('/'):
-        request['uri'] = uri + 'index.html'
-    elif '.' not in uri.split('/')[-1]:
-        # No file extension, likely a directory
-        request['uri'] = uri + '/index.html'
+    # Full function name for SSM paths
+    function_name = context.function_name
+    print(f"Lambda function ARN: {context.invoked_function_arn}")
     
-    return request
+    try:
+        # Fetch configuration from SSM Parameter Store
+        # Auto-generated paths: /{env}/{function-name}/{key}
+        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
+        
+        # If gating is disabled, allow all traffic
+        if gate_enabled.lower() not in ('true', '1', 'yes'):
+            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled})")
+            return request
+        
+        # Get allowed CIDRs and maintenance host
+        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
+        maint_cf_host = get_ssm_parameter(f'/{env}/{function_name}/maint-cf-host', 'us-east-1')
+        
+        # Parse allowed CIDRs
+        allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
+        
+        # Get client IP
+        client_ip = get_client_ip(request)
+        print(f"Client IP: {client_ip}")
+        
+        # Check if IP is allowed
+        if is_ip_allowed(client_ip, allowed_cidrs):
+            print(f"IP {client_ip} is allowed")
+            return request
+        
+        # IP not allowed - redirect to maintenance page
+        print(f"IP {client_ip} is NOT allowed, redirecting to {maint_cf_host}")
+        
+        response = {
+            'status': '302',
+            'statusDescription': 'Found',
+            'headers': {
+                'location': [{
+                    'key': 'Location',
+                    'value': f'https://{maint_cf_host}'
+                }],
+                'cache-control': [{
+                    'key': 'Cache-Control',
+                    'value': 'no-cache, no-store, must-revalidate'
+                }]
+            }
+        }
+        
+        return response
+        
+    except Exception as e:
+        print(f"Error in IP gating function: {str(e)}")
+        # On error, allow the request to proceed (fail open)
+        # Change this to fail closed if preferred
+        return request

cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -9,6 +9,8 @@ MIT License. See Project Root for the license information.
 from typing import Optional, Dict
 from pathlib import Path
 import json
+import tempfile
+import shutil
 
 import aws_cdk as cdk
 from aws_cdk import aws_lambda as _lambda
@@ -140,6 +142,15 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         logger.info(f"Loading Lambda code from: {code_path}")
         
+        # Create isolated temp directory for this function instance
+        # This prevents conflicts when multiple functions use the same handler code
+        temp_code_dir = Path(tempfile.mkdtemp(prefix=f"{function_name.replace('/', '-')}-"))
+        logger.info(f"Creating isolated code directory at: {temp_code_dir}")
+        
+        # Copy source code to temp directory
+        shutil.copytree(code_path, temp_code_dir, dirs_exist_ok=True)
+        logger.info(f"Copied code from {code_path} to {temp_code_dir}")
+        
         # Create runtime configuration file for Lambda@Edge
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         runtime_config = {
@@ -148,7 +159,7 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             'region': self.deployment.region
         }
         
-        runtime_config_path = code_path / 'runtime_config.json'
+        runtime_config_path = temp_code_dir / 'runtime_config.json'
         logger.info(f"Creating runtime config at: {runtime_config_path}")
         
         with open(runtime_config_path, 'w') as f:
@@ -156,6 +167,9 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         logger.info(f"Runtime config: {runtime_config}")
         
+        # Use the temp directory for the Lambda code asset
+        code_path = temp_code_dir
+        
         # Map runtime string to CDK Runtime
         runtime_map = {
             "python3.11": _lambda.Runtime.PYTHON_3_11,

cdk_factory/version.py

@@ -1 +1 @@
-__version__ = "0.13.0"
+__version__ = "0.13.1"

{cdk_factory-0.13.0.dist-info → cdk_factory-0.13.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.13.0
+Version: 0.13.1
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.13.0.dist-info → cdk_factory-0.13.1.dist-info}/RECORD

@@ -2,7 +2,7 @@ cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=RnX0-pwdTAPAdKJK_j13Zl8anf9zYKBwboR0KA8K8xM,10346
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
 cdk_factory/cli.py,sha256=FGbCTS5dYCNsfp-etshzvFlGDCjC28r6rtzYbe7KoHI,6407
-cdk_factory/version.py,sha256=DgpLNbv0e1LIEOOe54Db8_390i9pelMEFEnsBsNmyhA,23
+cdk_factory/version.py,sha256=Zg3oo58_HXe_ieb_PwWnYkKGH2zTvu6G2jly-7GnPGo,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -66,7 +66,7 @@ cdk_factory/interfaces/istack.py,sha256=bhTBs-o9FgKwvJMSuwxjUV6D3nUlvZHVzfm27jP9
 cdk_factory/interfaces/live_ssm_resolver.py,sha256=3FIr9a02SXqZmbFs3RT0WxczWEQR_CF7QSt7kWbDrVE,8163
 cdk_factory/interfaces/ssm_parameter_mixin.py,sha256=uA2j8HmAOpuEA9ynRj51s0WjUHMVLsbLQN-QS9NKyHA,12089
 cdk_factory/lambdas/health_handler.py,sha256=dd40ykKMxWCFEIyp2ZdQvAGNjw_ylI9CSm1N24Hp2ME,196
-cdk_factory/lambdas/edge/ip_gate/handler.py,sha256=MPSAOQGYVMSALdH6f9QTXqMSKKJ1tva-yidtaDTbXsg,3241
+cdk_factory/lambdas/edge/ip_gate/handler.py,sha256=NCa16_B66zIczPb9whf_CaspnetuTYKTFpIX6Z7Wqjw,6393
 cdk_factory/pipeline/path_utils.py,sha256=fvWdrcb4onmpIu1APkHLhXg8zWfK74HcW3Ra2ynxfXM,2586
 cdk_factory/pipeline/pipeline_factory.py,sha256=rvtkdlTPJG477nTVRN8S2ksWt4bwpd9eVLFd9WO02pM,17248
 cdk_factory/pipeline/stage.py,sha256=Be7ExMB9A-linRM18IQDOzQ-cP_I2_ThRNzlT4FIrUg,437
@@ -95,7 +95,7 @@ cdk_factory/stack_library/ecr/ecr_stack.py,sha256=1xA68sxFVyqreYjXrP_7U9I8RF9RtF
 cdk_factory/stack_library/ecs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/stack_library/ecs/ecs_service_stack.py,sha256=zuGdZEP5KmeVDTJb-H47LYhvs-85-Fi4Xb78nsA-lF4,24685
 cdk_factory/stack_library/lambda_edge/__init__.py,sha256=ByBJ_CWdc4UtTmFBZH-6pzBMNkjkdtE65AmnB0Fs6lM,156
-cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py,sha256=WDLoARmn-ehGnfm8m9Kt88Mp1GQ6ZdqkQaDWE65hXD4,13478
+cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py,sha256=5MXYXFLVpLX2DNDU9doRfUciyS8h1KM6YdpiiEAkMqY,14141
 cdk_factory/stack_library/load_balancer/__init__.py,sha256=wZpKw2OecLJGdF5mPayCYAEhu2H3c2gJFFIxwXftGDU,52
 cdk_factory/stack_library/load_balancer/load_balancer_stack.py,sha256=t5JUe5lMUbQCRFZR08k8nO-g-53yWY8gKB9v8ZnedBs,24391
 cdk_factory/stack_library/monitoring/__init__.py,sha256=k1G_KDx47Aw0UugaL99PN_TKlyLK4nkJVApCaAK7GJg,153
@@ -129,8 +129,8 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=S1GvBsY_q2cyUiaud3HORJ
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=mM8GU_5mKq_0OyK060T3JrUSUiGAcKf0eqNlT9mfaws,6028
-cdk_factory-0.13.0.dist-info/METADATA,sha256=u2EL937XENu8doeidJ_nCCJIY0h18_KGWwTk2nQ7ADQ,2451
-cdk_factory-0.13.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.13.0.dist-info/entry_points.txt,sha256=S1DPe0ORcdiwEALMN_WIo3UQrW_g4YdQCLEsc_b0Swg,53
-cdk_factory-0.13.0.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.13.0.dist-info/RECORD,,
+cdk_factory-0.13.1.dist-info/METADATA,sha256=GC7Guc1LQ_wDzflKXg8VUxUj7ra97GYDF66Ugz3p0eE,2451
+cdk_factory-0.13.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.13.1.dist-info/entry_points.txt,sha256=S1DPe0ORcdiwEALMN_WIo3UQrW_g4YdQCLEsc_b0Swg,53
+cdk_factory-0.13.1.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.13.1.dist-info/RECORD,,