cdk-factory 0.14.1__py3-none-any.whl → 0.15.1__py3-none-any.whl

cdk_factory/configurations/resources/rds.py

@@ -130,3 +130,8 @@ class RdsConfig(EnhancedBaseConfig):
     def vpc_id(self, value: str):
         """Sets the VPC ID for the Security Group"""
         self.__config["vpc_id"] = value
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports for the RDS instance"""
+        return self.__config.get("ssm_imports", {})

cdk_factory/configurations/resources/route53.py

@@ -26,11 +26,16 @@ class Route53Config:
     def hosted_zone_id(self) -> Optional[str]:
         """Hosted zone ID"""
         return self.__config.get("hosted_zone_id")
+    
+    @property
+    def existing_hosted_zone_id(self) -> Optional[str]:
+        """Existing hosted zone ID (alias for hosted_zone_id)"""
+        return self.__config.get("existing_hosted_zone_id") or self.__config.get("hosted_zone_id")
 
     @property
     def domain_name(self) -> Optional[str]:
-        """Domain name"""
-        return self.__config.get("domain_name")
+        """Domain name (also checks hosted_zone_name)"""
+        return self.__config.get("domain_name") or self.__config.get("hosted_zone_name")
 
     @property
     def record_names(self) -> List[str]:

cdk_factory/configurations/resources/security_group_full_stack.py

@@ -61,3 +61,8 @@ class SecurityGroupFullStackConfig:
     def tags(self) -> Dict[str, str]:
         """Tags to apply to the Security Group"""
         return self.__config.get("tags", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports for the Security Group"""
+        return self.__config.get("ssm_imports", {})

cdk_factory/constructs/cloudfront/cloudfront_distribution_construct.py

@@ -292,8 +292,9 @@ class CloudFrontDistributionConstruct(Construct):
                 logger.info(f"Using IP gate Lambda ARN from SSM: {ip_gate_ssm_path}")
                 
                 # Add the IP gating Lambda@Edge association
+                # MUST use viewer-request to run BEFORE cache check!
                 lambda_edge_associations = [{
-                    "event_type": "origin-request",
+                    "event_type": "viewer-request",
                     "lambda_arn": f"{{{{ssm:{ip_gate_ssm_path}}}}}",
                     "include_body": False
                 }]

cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -178,7 +178,58 @@ def lambda_handler(event, context):
             print(f"IP {client_ip} is allowed")
             return request
         
-        # IP not allowed - redirect to maintenance page
+        # IP not allowed - either redirect or proxy maintenance page
+        # Check response mode from SSM (default: redirect for backward compatibility)
+        response_mode_param = f"/{function_name}/response-mode"
+        response_mode = get_ssm_parameter(response_mode_param, default='redirect')
+        
+        if response_mode == 'proxy':
+            # Proxy mode: Fetch and return maintenance content (keeps URL the same)
+            print(f"IP {client_ip} is NOT allowed, proxying content from {maint_cf_host}")
+            
+            try:
+                import urllib3
+                http = urllib3.PoolManager()
+                
+                # Fetch the maintenance page
+                maint_response = http.request(
+                    'GET', 
+                    f'https://{maint_cf_host}',
+                    headers={'User-Agent': 'CloudFront-IP-Gate-Proxy'},
+                    timeout=3.0
+                )
+                
+                # Return the maintenance content
+                response = {
+                    'status': str(maint_response.status),
+                    'statusDescription': 'OK' if maint_response.status == 200 else 'Service Unavailable',
+                    'headers': {
+                        'content-type': [{
+                            'key': 'Content-Type',
+                            'value': maint_response.headers.get('Content-Type', 'text/html')
+                        }],
+                        'cache-control': [{
+                            'key': 'Cache-Control',
+                            'value': 'no-cache, no-store, must-revalidate, max-age=0'
+                        }],
+                        'x-ip-gate-mode': [{
+                            'key': 'X-IP-Gate-Mode',
+                            'value': 'proxy'
+                        }]
+                    },
+                    'body': maint_response.data.decode('utf-8')
+                }
+                
+                print(f"Successfully proxied maintenance page (status {maint_response.status})")
+                return response
+                
+            except Exception as proxy_error:
+                print(f"Error proxying maintenance content: {str(proxy_error)}")
+                # Fall back to redirect if proxy fails
+                print(f"Falling back to redirect mode")
+                response_mode = 'redirect'
+        
+        # Redirect mode (default): HTTP 302 redirect to maintenance site
         print(f"IP {client_ip} is NOT allowed, redirecting to {maint_cf_host}")
         
         response = {
@@ -192,6 +243,10 @@ def lambda_handler(event, context):
                 'cache-control': [{
                     'key': 'Cache-Control',
                     'value': 'no-cache, no-store, must-revalidate'
+                }],
+                'x-ip-gate-mode': [{
+                    'key': 'X-IP-Gate-Mode',
+                    'value': 'redirect'
                 }]
             }
         }