cdk-factory 0.13.2__tar.gz → 0.13.5__tar.gz

{cdk_factory-0.13.2 → cdk_factory-0.13.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.13.2
+Version: 0.13.5
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.13.2 → cdk_factory-0.13.5}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.13.2"
+version = "0.13.5"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.13.2 → cdk_factory-0.13.5}/src/cdk_factory/constructs/cloudfront/cloudfront_distribution_construct.py

@@ -118,11 +118,17 @@ class CloudFrontDistributionConstruct(Construct):
                 origin_access_identity=self.oai,
             )
 
+        # Get comment from config, or use default
+        comment = "CloudFront Distribution generated via the CDK Factory"
+        if self.stack_config and isinstance(self.stack_config, StackConfig):
+            cloudfront_config = self.stack_config.dictionary.get("cloudfront", {})
+            comment = cloudfront_config.get("comment", comment)
+        
         distribution = cloudfront.Distribution(
             self,
             "cloudfront-dist",
             domain_names=self.aliases,
-            comment="CloudFront Distribution generated via the CDK Factory",
+            comment=comment,
             certificate=self.certificate,
             default_behavior=cloudfront.BehaviorOptions(
                 origin=origin,
@@ -228,6 +234,15 @@ class CloudFrontDistributionConstruct(Construct):
         """
         Get the Lambda@Edge associations for the distribution from config.
         
+        Supports two configuration methods:
+        1. Convenience flag: "enable_ip_gating": true
+           - Automatically adds Lambda@Edge IP gating function
+           - Uses auto-derived SSM parameter path: /{env}/{workload}/lambda-edge/version-arn
+        
+        2. Manual configuration: "lambda_edge_associations": [...]
+           - Full control over Lambda@Edge associations
+           - Can specify custom ARNs, event types, etc.
+        
         Returns:
             List[cloudfront.EdgeLambda] or None: list of Lambda@Edge associations
         """
@@ -235,7 +250,33 @@ class CloudFrontDistributionConstruct(Construct):
         
         if self.stack_config and isinstance(self.stack_config, StackConfig):
             cloudfront_config = self.stack_config.dictionary.get("cloudfront", {})
-            lambda_edge_associations = cloudfront_config.get("lambda_edge_associations", [])
+            
+            # Check for convenience IP gating flag
+            enable_ip_gating = cloudfront_config.get("enable_ip_gating", False)
+            if enable_ip_gating:
+                logger.info("IP gating enabled via convenience flag - adding Lambda@Edge association")
+                
+                # Extract environment and workload name from config
+                # These come from the workload/deployment configuration
+                workload_dict = self.stack_config.workload
+                environment = workload_dict.get("deployment", {}).get("environment", "dev")
+                workload_name = workload_dict.get("name", "workload")
+                
+                # Auto-derive SSM parameter path or use override
+                default_ssm_path = f"/{environment}/{workload_name}/lambda-edge/version-arn"
+                ip_gate_ssm_path = cloudfront_config.get("ip_gate_function_ssm_path", default_ssm_path)
+                
+                logger.info(f"Using IP gate Lambda ARN from SSM: {ip_gate_ssm_path}")
+                
+                # Add the IP gating Lambda@Edge association
+                lambda_edge_associations = [{
+                    "event_type": "origin-request",
+                    "lambda_arn": f"{{{{ssm:{ip_gate_ssm_path}}}}}",
+                    "include_body": False
+                }]
+            else:
+                # Use manual configuration
+                lambda_edge_associations = cloudfront_config.get("lambda_edge_associations", [])
             
             for association in lambda_edge_associations:
                 event_type_str = association.get("event_type", "origin-request")

{cdk_factory-0.13.2 → cdk_factory-0.13.5}/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -20,12 +20,14 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1') -> str:
     Fetch SSM parameter with caching.
     Lambda@Edge cannot use environment variables, so we fetch from SSM.
     
+    The sentinel value 'NONE' indicates an explicitly unset/disabled parameter.
+    
     Args:
         parameter_name: Name of the SSM parameter
         region: AWS region (default us-east-1)
     
     Returns:
-        Parameter value
+        Parameter value, or empty string if value is 'NONE'
     """
     global ssm
     if ssm is None:
@@ -33,7 +35,14 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1') -> str:
     
     try:
         response = ssm.get_parameter(Name=parameter_name, WithDecryption=False)
-        return response['Parameter']['Value']
+        value = response['Parameter']['Value']
+        
+        # Treat 'NONE' sentinel as empty/unset
+        if value == 'NONE':
+            print(f"SSM parameter {parameter_name} is set to 'NONE' (explicitly disabled)")
+            return ''
+        
+        return value
     except Exception as e:
         print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
         raise
@@ -140,15 +149,16 @@ def lambda_handler(event, context):
         gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
         
         # If gating is disabled, allow all traffic
-        if gate_enabled.lower() not in ('true', '1', 'yes'):
-            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled})")
+        # Empty string (from 'NONE' sentinel) is treated as disabled
+        if not gate_enabled or gate_enabled.lower() not in ('true', '1', 'yes'):
+            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
             return request
         
         # Get allowed CIDRs and maintenance host
         allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
         maint_cf_host = get_ssm_parameter(f'/{env}/{function_name}/maint-cf-host', 'us-east-1')
         
-        # Parse allowed CIDRs
+        # Parse allowed CIDRs (empty string results in empty list)
         allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
         
         # Get client IP

{cdk_factory-0.13.2 → cdk_factory-0.13.5}/src/cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -87,7 +87,10 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             deployment
         )
         
-        function_name = deployment.build_resource_name(self.edge_config.name)
+        # Use the Lambda function name from config (supports template variables)
+        # e.g., "{{WORKLOAD_NAME}}-{{ENVIRONMENT}}-ip-gate" becomes "tech-talk-dev-ip-gate"
+        function_name = self.edge_config.name
+        logger.info(f"Lambda function name: '{function_name}'")
         
         # Create Lambda function
         self._create_lambda_function(function_name)
@@ -181,9 +184,10 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         
         # Create runtime configuration file for Lambda@Edge
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
+        # Use the full function_name (e.g., "tech-talk-dev-ip-gate") not just the base name
         runtime_config = {
             'environment': self.deployment.environment,
-            'function_name': self.edge_config.name,
+            'function_name': function_name,
             'region': self.deployment.region
         }
         
@@ -364,10 +368,21 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             resolved_env = self._resolve_environment_variables()
             for env_key, ssm_path in env_ssm_exports.items():
                 if env_key in resolved_env:
+                    env_value = resolved_env[env_key]
+                    
+                    # Handle empty values - SSM doesn't allow empty strings
+                    # Use sentinel value "NONE" to indicate explicitly unset
+                    if not env_value or (isinstance(env_value, str) and env_value.strip() == ""):
+                        env_value = "NONE"
+                        logger.info(
+                            f"Environment variable {env_key} is empty - setting SSM parameter to 'NONE'. "
+                            f"Lambda function should treat 'NONE' as unset/disabled."
+                        )
+                    
                     self.export_ssm_parameter(
                         self,
                         f"env-{env_key}-param",
-                        resolved_env[env_key],
+                        env_value,
                         ssm_path,
                         description=f"Configuration for Lambda@Edge: {env_key}"
                     )

cdk_factory-0.13.5/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.13.5"

cdk_factory-0.13.2/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.13.2"