cdk-factory 0.13.0__tar.gz → 0.13.2__tar.gz

{cdk_factory-0.13.0 → cdk_factory-0.13.2}/.gitignore

@@ -194,4 +194,7 @@ cdk.out
 .pysetup.json
 .delete
 activate.sh
-.lambda_package
+.lambda_package
+
+# Lambda runtime config (generated during CDK deployment)
+**/runtime_config.json

{cdk_factory-0.13.0 → cdk_factory-0.13.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.13.0
+Version: 0.13.2
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.13.0 → cdk_factory-0.13.2}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.13.0"
+version = "0.13.2"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

cdk_factory-0.13.2/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -0,0 +1,187 @@
+"""
+Lambda@Edge function for IP-based access gating.
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+
+Since Lambda@Edge does not support environment variables, configuration
+is fetched from SSM Parameter Store at runtime (with caching).
+"""
+import json
+import ipaddress
+import boto3
+from functools import lru_cache
+
+# SSM client - will be created in the region where the function executes
+ssm = None
+
+@lru_cache(maxsize=128)
+def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1') -> str:
+    """
+    Fetch SSM parameter with caching.
+    Lambda@Edge cannot use environment variables, so we fetch from SSM.
+    
+    Args:
+        parameter_name: Name of the SSM parameter
+        region: AWS region (default us-east-1)
+    
+    Returns:
+        Parameter value
+    """
+    global ssm
+    if ssm is None:
+        ssm = boto3.client('ssm', region_name=region)
+    
+    try:
+        response = ssm.get_parameter(Name=parameter_name, WithDecryption=False)
+        return response['Parameter']['Value']
+    except Exception as e:
+        print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
+        raise
+
+
+def get_client_ip(request):
+    """Extract client IP from CloudFront request."""
+    if 'clientIp' in request:
+        return request['clientIp']
+    
+    # Fallback to headers
+    headers = request.get('headers', {})
+    if 'x-forwarded-for' in headers:
+        xff = headers['x-forwarded-for'][0]['value']
+        return xff.split(',')[0].strip()
+    
+    return None
+
+
+def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
+    """
+    Check if client IP is in any of the allowed CIDR ranges.
+    
+    Args:
+        client_ip: Client IP address
+        allowed_cidrs: List of CIDR ranges (e.g., ['10.0.0.0/8', '192.168.1.0/24'])
+    
+    Returns:
+        True if IP is allowed, False otherwise
+    """
+    if not client_ip:
+        return False
+    
+    try:
+        client_ip_obj = ipaddress.ip_address(client_ip)
+    except ValueError as e:
+        print(f"Invalid client IP address: {e}")
+        return False
+    
+    # Check each CIDR individually, skipping invalid ones
+    for cidr in allowed_cidrs:
+        try:
+            network = ipaddress.ip_network(cidr.strip(), strict=False)
+            if client_ip_obj in network:
+                return True
+        except ValueError as e:
+            # Invalid CIDR, log and continue checking others
+            print(f"Invalid CIDR '{cidr}': {e}")
+            continue
+    
+    return False
+
+
+def lambda_handler(event, context):
+    """
+    Lambda@Edge function for IP-based gating.
+    
+    Configuration (fetched from SSM Parameter Store):
+    - GATE_ENABLED: Whether IP gating is enabled (true/false)
+    - ALLOW_CIDRS: Comma-separated list of allowed CIDR ranges
+    - MAINT_CF_HOST: CloudFront domain for maintenance/lockout page
+    
+    Runtime configuration is bundled in runtime_config.json by CDK.
+    SSM parameter paths are auto-generated by CDK as:
+    /{environment}/{full-function-name}/{env-var-name-kebab-case}
+    """
+    request = event['Records'][0]['cf']['request']
+    
+    # Load runtime configuration bundled by CDK
+    # This file is created during deployment and contains environment, function name, etc.
+    try:
+        with open('runtime_config.json', 'r') as f:
+            runtime_config = json.load(f)
+        
+        env = runtime_config.get('environment', 'dev')
+        function_base_name = runtime_config.get('function_name', 'ip-gate')
+        
+        print(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
+    except FileNotFoundError:
+        # Fallback: extract from Lambda context (less reliable)
+        print("Warning: runtime_config.json not found, falling back to function name parsing")
+        function_full_name = context.function_name
+        
+        # Parse environment from function name as fallback
+        parts = function_full_name.split('-')
+        common_envs = ['dev', 'prod', 'staging', 'test', 'qa', 'uat']
+        env = 'dev'
+        
+        for part in parts:
+            if part in common_envs:
+                env = part
+                break
+        
+        function_base_name = 'ip-gate'
+        print(f"Fallback: environment={env}, function_name={function_base_name}")
+    
+    # Full function name for SSM paths
+    function_name = context.function_name
+    print(f"Lambda function ARN: {context.invoked_function_arn}")
+    
+    try:
+        # Fetch configuration from SSM Parameter Store
+        # Auto-generated paths: /{env}/{function-name}/{key}
+        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
+        
+        # If gating is disabled, allow all traffic
+        if gate_enabled.lower() not in ('true', '1', 'yes'):
+            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled})")
+            return request
+        
+        # Get allowed CIDRs and maintenance host
+        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
+        maint_cf_host = get_ssm_parameter(f'/{env}/{function_name}/maint-cf-host', 'us-east-1')
+        
+        # Parse allowed CIDRs
+        allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
+        
+        # Get client IP
+        client_ip = get_client_ip(request)
+        print(f"Client IP: {client_ip}")
+        
+        # Check if IP is allowed
+        if is_ip_allowed(client_ip, allowed_cidrs):
+            print(f"IP {client_ip} is allowed")
+            return request
+        
+        # IP not allowed - redirect to maintenance page
+        print(f"IP {client_ip} is NOT allowed, redirecting to {maint_cf_host}")
+        
+        response = {
+            'status': '302',
+            'statusDescription': 'Found',
+            'headers': {
+                'location': [{
+                    'key': 'Location',
+                    'value': f'https://{maint_cf_host}'
+                }],
+                'cache-control': [{
+                    'key': 'Cache-Control',
+                    'value': 'no-cache, no-store, must-revalidate'
+                }]
+            }
+        }
+        
+        return response
+        
+    except Exception as e:
+        print(f"Error in IP gating function: {str(e)}")
+        # On error, allow the request to proceed (fail open)
+        # Change this to fail closed if preferred
+        return request

{cdk_factory-0.13.0 → cdk_factory-0.13.2}/src/cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -9,6 +9,9 @@ MIT License. See Project Root for the license information.
 from typing import Optional, Dict
 from pathlib import Path
 import json
+import tempfile
+import shutil
+import importlib.resources
 
 import aws_cdk as cdk
 from aws_cdk import aws_lambda as _lambda
@@ -126,11 +129,38 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
     def _create_lambda_function(self, function_name: str) -> None:
         """Create the Lambda function"""
         
-        # Resolve code path (relative to runtime directory or absolute)
-        code_path = Path(self.edge_config.code_path)
-        if not code_path.is_absolute():
-            # Assume relative to the project root
-            code_path = Path.cwd() / code_path
+        # Resolve code path - support package references (e.g., "cdk_factory:lambdas/edge/ip_gate")
+        code_path_str = self.edge_config.code_path
+        
+        if ':' in code_path_str:
+            # Package reference format: "package_name:path/within/package"
+            package_name, package_path = code_path_str.split(':', 1)
+            logger.info(f"Resolving package reference: {package_name}:{package_path}")
+            
+            try:
+                # Get the package's installed location
+                if hasattr(importlib.resources, 'files'):
+                    # Python 3.9+
+                    package_root = importlib.resources.files(package_name)
+                    code_path = Path(str(package_root / package_path))
+                else:
+                    # Fallback for older Python
+                    import pkg_resources
+                    package_root = pkg_resources.resource_filename(package_name, '')
+                    code_path = Path(package_root) / package_path
+                
+                logger.info(f"Resolved package path to: {code_path}")
+            except Exception as e:
+                raise FileNotFoundError(
+                    f"Could not resolve package reference '{code_path_str}': {e}\n"
+                    f"Make sure package '{package_name}' is installed."
+                )
+        else:
+            # Regular file path
+            code_path = Path(code_path_str)
+            if not code_path.is_absolute():
+                # Assume relative to the project root
+                code_path = Path.cwd() / code_path
         
         if not code_path.exists():
             raise FileNotFoundError(
@@ -140,6 +170,15 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         logger.info(f"Loading Lambda code from: {code_path}")
         
+        # Create isolated temp directory for this function instance
+        # This prevents conflicts when multiple functions use the same handler code
+        temp_code_dir = Path(tempfile.mkdtemp(prefix=f"{function_name.replace('/', '-')}-"))
+        logger.info(f"Creating isolated code directory at: {temp_code_dir}")
+        
+        # Copy source code to temp directory
+        shutil.copytree(code_path, temp_code_dir, dirs_exist_ok=True)
+        logger.info(f"Copied code from {code_path} to {temp_code_dir}")
+        
         # Create runtime configuration file for Lambda@Edge
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         runtime_config = {
@@ -148,7 +187,7 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             'region': self.deployment.region
         }
         
-        runtime_config_path = code_path / 'runtime_config.json'
+        runtime_config_path = temp_code_dir / 'runtime_config.json'
         logger.info(f"Creating runtime config at: {runtime_config_path}")
         
         with open(runtime_config_path, 'w') as f:
@@ -156,6 +195,9 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         logger.info(f"Runtime config: {runtime_config}")
         
+        # Use the temp directory for the Lambda code asset
+        code_path = temp_code_dir
+        
         # Map runtime string to CDK Runtime
         runtime_map = {
             "python3.11": _lambda.Runtime.PYTHON_3_11,

cdk_factory-0.13.2/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.13.2"

cdk_factory-0.13.0/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -1,104 +0,0 @@
-"""
-Lambda@Edge Origin-Request Handler for IP-based Access Gating
-Geek Cafe, LLC
-Maintainers: Eric Wilson
-"""
-
-import ipaddress
-import json
-import os
-
-
-def lambda_handler(event, context):
-    """
-    Lambda@Edge origin-request handler that implements IP-based gating
-    with maintenance site fallback.
-    
-    Features:
-    - Inject X-Viewer-IP header for origin visibility
-    - Check viewer IP against allowlist when gate is enabled
-    - Rewrite blocked IPs to maintenance CloudFront distribution, and serve up maintenance site
-    - Toggle via GATE_ENABLED environment variable
-    """
-    
-    # Extract request from CloudFront event
-    request = event['Records'][0]['cf']['request']
-    client_ip = request['clientIp']
-    
-    # Configuration from environment variables
-    gate_enabled = os.environ.get('GATE_ENABLED', 'false').lower() == 'true'
-    allow_cidrs_str = os.environ.get('ALLOW_CIDRS', '')
-    maint_cf_host = os.environ.get('MAINT_CF_HOST', '')
-    
-    # Parse allowed CIDRs
-    allow_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
-    
-    # Always inject viewer IP header
-    if 'headers' not in request:
-        request['headers'] = {}
-    
-    request['headers']['x-viewer-ip'] = [{
-        'key': 'X-Viewer-IP',
-        'value': client_ip
-    }]
-    
-    # If gate is disabled, pass through to origin
-    if not gate_enabled:
-        return request
-    
-    # Check if IP is in allowlist
-    ip_allowed = False
-    try:
-        client_ip_obj = ipaddress.ip_address(client_ip)
-        for cidr in allow_cidrs:
-            try:
-                network = ipaddress.ip_network(cidr, strict=False)
-                if client_ip_obj in network:
-                    ip_allowed = True
-                    break
-            except (ValueError, ipaddress.AddressValueError):
-                # Invalid CIDR, skip
-                continue
-    except (ValueError, ipaddress.AddressValueError):
-        # Invalid client IP, block by default
-        ip_allowed = False
-    
-    # If IP is allowed, pass through to origin
-    if ip_allowed:
-        return request
-    
-    # IP not allowed - redirect to maintenance site
-    if not maint_cf_host:
-        # Safety: if maintenance host not configured, pass through with warning
-        # In production, you might want to return a fixed error response instead
-        return request
-    
-    # Rewrite origin to maintenance CloudFront distribution
-    request['origin'] = {
-        'custom': {
-            'domainName': maint_cf_host,
-            'port': 443,
-            'protocol': 'https',
-            'path': '',
-            'sslProtocols': ['TLSv1.2'],
-            'readTimeout': 30,
-            'keepaliveTimeout': 5,
-            'customHeaders': {}
-        }
-    }
-    
-    # Update Host header to match new origin
-    request['headers']['host'] = [{
-        'key': 'Host',
-        'value': maint_cf_host
-    }]
-    
-    # Normalize URI - redirect directory requests to index.html
-    uri = request.get('uri', '/')
-    if uri.endswith('/'):
-        request['uri'] = uri + 'index.html'
-    elif '.' not in uri.split('/')[-1]:
-        # No file extension, likely a directory
-        request['uri'] = uri + '/index.html'
-    
-    return request

cdk_factory-0.13.0/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.13.0"