cdk-factory 0.15.10__py3-none-any.whl → 0.18.9__py3-none-any.whl

cdk_factory/stack_library/load_balancer/load_balancer_stack.py

@@ -6,6 +6,8 @@ MIT License.  See Project Root for the license information.
 
 from typing import Dict, Any, List, Optional
 
+import base64
+import hashlib
 import aws_cdk as cdk
 from aws_cdk import aws_elasticloadbalancingv2 as elbv2
 from aws_cdk import aws_ec2 as ec2
@@ -19,7 +21,8 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.load_balancer import LoadBalancerConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.vpc_provider_mixin import VPCProviderMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -30,7 +33,7 @@ logger = Logger(service="LoadBalancerStack")
 @register_stack("alb_stack")
 @register_stack("load_balancer_library_module")
 @register_stack("load_balancer_stack")
-class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
+class LoadBalancerStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
     """
     Reusable stack for AWS Load Balancers.
     Supports creating Application and Network Load Balancers with customizable configurations.
@@ -49,7 +52,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         self._hosted_zone = None
         self._record_names = None
         # SSM imported values
-        self.ssm_imported_values: Dict[str, str] = {}
+        self._ssm_imported_values: Dict[str, str] = {}
 
     def build(
         self,
@@ -76,8 +79,18 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         )
         lb_name = deployment.build_resource_name(self.lb_config.name)
 
-        # Process SSM imports first
-        self._process_ssm_imports()
+        # Setup standardized SSM integration
+        self.setup_ssm_integration(
+            scope=self,
+            config=self.lb_config,
+            resource_type="load_balancer",
+            resource_name=self.lb_config.name,
+            deployment=deployment,
+            workload=workload
+        )
+        
+        # Process SSM imports
+        self.process_ssm_imports()
 
         self._prep_dns()
 
@@ -112,34 +125,65 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         # Get subnets
         subnets = self._get_subnets()
 
+        # Prepare vpc_subnets parameter
+        # If subnets is None, we'll handle it via escape hatch after creation
+        vpc_subnets_param = ec2.SubnetSelection(subnets=subnets) if subnets else None
+
         # Create the Load Balancer based on type
         if self.lb_config.type == "APPLICATION":
-            load_balancer = elbv2.ApplicationLoadBalancer(
-                self,
-                lb_name,
-                load_balancer_name=lb_name,
-                vpc=self.vpc,
-                internet_facing=self.lb_config.internet_facing,
-                security_group=(
+            # When vpc_subnets is None and we have token-based subnet_ids,
+            # we need to create the ALB without vpc_subnets to avoid VPC subnet lookup errors
+            alb_props = {
+                "load_balancer_name": lb_name,
+                "vpc": self.vpc,
+                "internet_facing": self.lb_config.internet_facing,
+                "security_group": (
                     security_groups[0]
                     if security_groups and len(security_groups) > 0
                     else None
                 ),
-                deletion_protection=self.lb_config.deletion_protection,
-                idle_timeout=cdk.Duration.seconds(self.lb_config.idle_timeout),
-                http2_enabled=self.lb_config.http2_enabled,
-                vpc_subnets=ec2.SubnetSelection(subnets=subnets) if subnets else None,
-            )
+                "deletion_protection": self.lb_config.deletion_protection,
+                "idle_timeout": cdk.Duration.seconds(self.lb_config.idle_timeout),
+                "http2_enabled": self.lb_config.http2_enabled,
+            }
+            
+            # Only add vpc_subnets if we have concrete subnet objects
+            if vpc_subnets_param:
+                alb_props["vpc_subnets"] = vpc_subnets_param
+            
+            load_balancer = elbv2.ApplicationLoadBalancer(self, lb_name, **alb_props)
         else:  # NETWORK
-            load_balancer = elbv2.NetworkLoadBalancer(
-                self,
-                lb_name,
-                load_balancer_name=lb_name,
-                vpc=self.vpc,
-                internet_facing=self.lb_config.internet_facing,
-                deletion_protection=self.lb_config.deletion_protection,
-                vpc_subnets=ec2.SubnetSelection(subnets=subnets) if subnets else None,
-            )
+            nlb_props = {
+                "load_balancer_name": lb_name,
+                "vpc": self.vpc,
+                "internet_facing": self.lb_config.internet_facing,
+                "deletion_protection": self.lb_config.deletion_protection,
+            }
+            
+            # Only add vpc_subnets if we have concrete subnet objects
+            if vpc_subnets_param:
+                nlb_props["vpc_subnets"] = vpc_subnets_param
+            
+            load_balancer = elbv2.NetworkLoadBalancer(self, lb_name, **nlb_props)
+
+        # If subnets is None, check if we have SSM-imported subnet_ids as a token
+        # We need to use Fn.Split to convert the comma-separated string to an array
+        if subnets is None:
+            subnet_ids = self.get_subnet_ids(self.lb_config)
+            if subnet_ids:
+                # For CloudFormation token resolution, we still need Fn.split
+                # but we use the helper to determine if subnet IDs are available
+                ssm_imports = self.get_all_ssm_imports()
+                if "subnet_ids" in ssm_imports:
+                    subnet_ids_value = ssm_imports["subnet_ids"]
+                    if cdk.Token.is_unresolved(subnet_ids_value):
+                        logger.info("Using Fn.Split to convert comma-separated subnet IDs token to array")
+                        # Use CloudFormation escape hatch to set Subnets property with Fn.Split
+                        cfn_lb = load_balancer.node.default_child
+                        cfn_lb.add_property_override(
+                            "Subnets",
+                            cdk.Fn.split(",", subnet_ids_value)
+                        )
 
         # Add tags
         for key, value in self.lb_config.tags.items():
@@ -149,93 +193,25 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
 
     @property
     def vpc(self) -> ec2.IVpc:
-        """Get the VPC for the Load Balancer"""
+        """Get the VPC for the Load Balancer using centralized VPC provider mixin."""
         if self._vpc:
             return self._vpc
-
-        # Check SSM imported values first (tokens from SSM parameters)
-        if "vpc_id" in self.ssm_imported_values:
-            vpc_id = self.ssm_imported_values["vpc_id"]
-            
-            # Build VPC attributes
-            vpc_attrs = {
-                "vpc_id": vpc_id,
-                "availability_zones": ["us-east-1a", "us-east-1b"]
-            }
-            
-            # Use from_vpc_attributes() instead of from_lookup() because SSM imports return tokens
-            self._vpc = ec2.Vpc.from_vpc_attributes(self, "VPC", **vpc_attrs)
-        elif self.lb_config.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.lb_config.vpc_id)
-        elif self.workload.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.workload.vpc_id)
-        else:
-            # Use default VPC if not provided
-            raise ValueError(
-                "VPC is not defined in the configuration.  "
-                "You can provide it a the load_balancer.vpc_id in the configuration "
-                "or a top level workload.vpc_id in the workload configuration."
-            )
-
-        return self._vpc
-
-    def _process_ssm_imports(self) -> None:
-        """
-        Process SSM imports from configuration.
-        Follows the same pattern as RDS and Security Group stacks.
-        """
-        from aws_cdk import aws_ssm as ssm
-        
-        ssm_imports = self.lb_config.ssm_imports
         
-        if not ssm_imports:
-            logger.debug("No SSM imports configured for Load Balancer")
-            return
-        
-        logger.info(f"Processing {len(ssm_imports)} SSM imports for Load Balancer")
-        
-        for param_key, param_value in ssm_imports.items():
-            try:
-                # Handle list values (like security_groups)
-                if isinstance(param_value, list):
-                    imported_list = []
-                    for idx, param_path in enumerate(param_value):
-                        if not param_path.startswith('/'):
-                            param_path = f"/{param_path}"
-                        
-                        construct_id = f"ssm-import-{param_key}-{idx}-{hash(param_path) % 10000}"
-                        param = ssm.StringParameter.from_string_parameter_name(
-                            self, construct_id, param_path
-                        )
-                        imported_list.append(param.string_value)
-                    
-                    self.ssm_imported_values[param_key] = imported_list
-                    logger.info(f"Imported SSM parameter list: {param_key} with {len(imported_list)} items")
-                else:
-                    # Handle string values
-                    param_path = param_value
-                    if not param_path.startswith('/'):
-                        param_path = f"/{param_path}"
-                    
-                    construct_id = f"ssm-import-{param_key}-{hash(param_path) % 10000}"
-                    param = ssm.StringParameter.from_string_parameter_name(
-                        self, construct_id, param_path
-                    )
-                    
-                    self.ssm_imported_values[param_key] = param.string_value
-                    logger.info(f"Imported SSM parameter: {param_key} from {param_path}")
-                    
-            except Exception as e:
-                logger.error(f"Failed to import SSM parameter {param_key}: {e}")
-                raise
+        # Use the centralized VPC resolution from VPCProviderMixin
+        self._vpc = self.resolve_vpc(
+            config=self.lb_config,
+            deployment=self.deployment,
+            workload=self.workload
+        )
+        return self._vpc
 
     def _get_security_groups(self) -> List[ec2.ISecurityGroup]:
         """Get security groups for the Load Balancer"""
         security_groups = []
         
         # Check SSM imported values first
-        if "security_groups" in self.ssm_imported_values:
-            sg_ids = self.ssm_imported_values["security_groups"]
+        if "security_groups" in self._ssm_imported_values:
+            sg_ids = self._ssm_imported_values["security_groups"]
             if not isinstance(sg_ids, list):
                 sg_ids = [sg_ids]
         else:
@@ -253,23 +229,58 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         """Get subnets for the Load Balancer"""
         subnets = []
         
-        # Check SSM imported values first
-        if "subnet_ids" in self.ssm_imported_values:
-            subnet_ids = self.ssm_imported_values["subnet_ids"]
-            # SSM returns comma-separated string for StringList, need to split
-            if isinstance(subnet_ids, str):
-                subnet_ids = [s.strip() for s in subnet_ids.split(',')]
-            elif not isinstance(subnet_ids, list):
-                subnet_ids = [subnet_ids]
-        else:
-            subnet_ids = self.lb_config.subnets
+        # Use the standardized helper function to get subnet IDs
+        subnet_ids = self.get_subnet_ids(self.lb_config)
+        
+        if not subnet_ids:
+            return None
         
+        # Check if we have unresolved tokens from SSM
+        ssm_imports = self.get_all_ssm_imports()
+        if "subnet_ids" in ssm_imports:
+            subnet_ids_value = ssm_imports["subnet_ids"]
+            
+            # Check if this is a CDK token (unresolved SSM parameter)
+            if cdk.Token.is_unresolved(subnet_ids_value):
+                # For tokens, we can't split at synth time
+                # Return None to signal that subnets should be resolved via SubnetSelection
+                # The ALB construct will handle the token-based subnet IDs
+                logger.info("Subnet IDs are unresolved tokens, will use vpc_subnets with token resolution")
+                return None
+            
+        # Convert subnet IDs to subnet objects
         for idx, subnet_id in enumerate(subnet_ids):
             subnets.append(
                 ec2.Subnet.from_subnet_id(self, f"Subnet-{idx}", subnet_id)
             )
         return subnets
 
+    def _generate_target_group_name(self, lb_name: str, tg_name: str, max_length: int = 32) -> str:
+        """Generate a unique target group name that doesn't begin/end with hyphens"""
+        full_name = f"{lb_name}-{tg_name}"
+        
+        if len(full_name) <= max_length:
+            # No truncation needed, just ensure no leading/trailing hyphens
+            return full_name.strip('-')
+        
+        # Need to truncate - use hash suffix for uniqueness
+        # Reserve space for hash (typically 8 chars) and separator
+        hash_length = 8
+        separator_length = 1
+        max_name_length = max_length - hash_length - separator_length
+        
+        # Take the prefix and ensure it doesn't end with hyphen
+        prefix = full_name[:max_name_length].rstrip('-')
+        
+        # Generate hash of the full name for uniqueness
+        hash_bytes = hashlib.sha256(full_name.encode()).digest()
+        hash_suffix = base64.urlsafe_b64encode(hash_bytes).decode()[:hash_length]
+        
+        # Ensure hash doesn't start with hyphen (replace any non-alphanumeric chars)
+        hash_suffix = ''.join(c for c in hash_suffix if c.isalnum())[:hash_length]
+        
+        return f"{prefix}-{hash_suffix}"
+
     def _create_target_groups(self, lb_name: str) -> None:
         """Create target groups for the Load Balancer"""
 
@@ -277,6 +288,9 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
             tg_name = tg_config.get("name", f"tg-{idx}")
             tg_id = f"{lb_name}-{tg_name}"
 
+            # Generate a unique target group name that doesn't begin/end with hyphens
+            tg_name_sanitized = self._generate_target_group_name(lb_name, tg_name)
+
             # Configure health check
             health_check = self._configure_health_check(
                 tg_config.get("health_check", {})
@@ -287,7 +301,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 target_group = elbv2.ApplicationTargetGroup(
                     self,
                     tg_id,
-                    target_group_name=tg_id[:32],  # Ensure name is within AWS limits
+                    target_group_name=tg_name_sanitized,
                     vpc=self.vpc,
                     port=tg_config.get("port", 80),
                     protocol=elbv2.ApplicationProtocol(
@@ -302,7 +316,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 target_group = elbv2.NetworkTargetGroup(
                     self,
                     tg_id,
-                    target_group_name=tg_id[:32],  # Ensure name is within AWS limits
+                    target_group_name=tg_name_sanitized,
                     vpc=self.vpc,
                     port=tg_config.get("port", 80),
                     protocol=elbv2.Protocol(tg_config.get("protocol", "TCP")),
@@ -312,6 +326,8 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                     health_check=health_check,
                 )
 
+
+            
             # Store target group for later use
             self.target_groups[tg_name] = target_group
 
@@ -352,6 +368,11 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 if protocol.upper() == "HTTPS":
                     certificates = self._get_certificates()
 
+                if not certificates and protocol.upper() == "HTTPS":
+                    message = "No certificates found for HTTPS listener. Please attach a certificate or create a certificate stack."
+                    logger.warning(message)
+                    raise ValueError(message)
+
                 listener = elbv2.ApplicationListener(
                     self,
                     listener_id,
@@ -402,8 +423,20 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
     def _get_certificates(self) -> List[elbv2.ListenerCertificate]:
         """Get certificates for HTTPS listeners"""
         certificates = []
-        for cert_arn in self.lb_config.certificate_arns:
-            certificates.append(elbv2.ListenerCertificate.from_arn(cert_arn))
+        
+        # Check SSM imported values first (takes priority)
+        ssm_imports = self.get_all_ssm_imports()
+        if "certificate_arns" in ssm_imports:
+            cert_arns = ssm_imports["certificate_arns"]
+            if not isinstance(cert_arns, list):
+                cert_arns = [cert_arns]
+            for cert_arn in cert_arns:
+                certificates.append(elbv2.ListenerCertificate.from_arn(cert_arn))
+            logger.info(f"Using {len(cert_arns)} certificate(s) from SSM")
+        else:
+            # Fall back to config values
+            for cert_arn in self.lb_config.certificate_arns:
+                certificates.append(elbv2.ListenerCertificate.from_arn(cert_arn))
 
         if self.ssl_certificate:
             certificates.append(

cdk_factory/stack_library/rds/rds_stack.py

@@ -18,7 +18,8 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.rds import RdsConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.vpc_provider_mixin import VPCProviderMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -27,7 +28,7 @@ logger = Logger(service="RdsStack")
 
 @register_stack("rds_library_module")
 @register_stack("rds_stack")
-class RdsStack(IStack, EnhancedSsmParameterMixin):
+class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
     """
     Reusable stack for AWS RDS.
     Supports creating RDS instances with customizable configurations.
@@ -68,8 +69,18 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         self.rds_config = RdsConfig(stack_config.dictionary.get("rds", {}), deployment)
         db_name = deployment.build_resource_name(self.rds_config.name)
 
-        # Process SSM imports first
-        self._process_ssm_imports()
+        # Setup standardized SSM integration
+        self.setup_ssm_integration(
+            scope=self,
+            config=self.rds_config,
+            resource_type="rds",
+            resource_name=self.rds_config.name,
+            deployment=deployment,
+            workload=workload
+        )
+        
+        # Process SSM imports
+        self.process_ssm_imports()
 
         # Get VPC and security groups
         self.security_groups = self._get_security_groups()
@@ -86,63 +97,18 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         # Export to SSM Parameter Store
         self._export_ssm_parameters(db_name)
 
-    def _process_ssm_imports(self) -> None:
-        """Process SSM imports from configuration"""
-        ssm_imports = self.rds_config.ssm_imports
-        
-        if not ssm_imports:
-            logger.debug("No SSM imports configured for RDS")
-            return
-        
-        logger.info(f"Processing {len(ssm_imports)} SSM imports for RDS")
-        
-        for param_key, param_path in ssm_imports.items():
-            try:
-                if not param_path.startswith('/'):
-                    param_path = f"/{param_path}"
-                
-                construct_id = f"ssm-import-{param_key}-{hash(param_path) % 10000}"
-                param = ssm.StringParameter.from_string_parameter_name(
-                    self, construct_id, param_path
-                )
-                
-                self.ssm_imported_values[param_key] = param.string_value
-                logger.info(f"Imported SSM parameter: {param_key} from {param_path}")
-                
-            except Exception as e:
-                logger.error(f"Failed to import SSM parameter {param_key} from {param_path}: {e}")
-                raise
-
     @property
     def vpc(self) -> ec2.IVpc:
-        """Get the VPC for the RDS instance"""
-        if self._vpc:
+        """Get the VPC for the RDS instance using centralized VPC provider mixin."""
+        if hasattr(self, '_vpc') and self._vpc:
             return self._vpc
         
-        # Check SSM imported values first (tokens from SSM parameters)
-        if "vpc_id" in self.ssm_imported_values:
-            vpc_id = self.ssm_imported_values["vpc_id"]
-            
-            # When using tokens, we can't provide subnet lists to from_vpc_attributes
-            # because CDK validates subnet count against AZ count at synthesis time
-            # We'll create a DB subnet group separately instead
-            vpc_attrs = {
-                "vpc_id": vpc_id,
-                "availability_zones": ["us-east-1a", "us-east-1b"]
-            }
-            
-            # Use from_vpc_attributes() for SSM tokens
-            self._vpc = ec2.Vpc.from_vpc_attributes(self, "VPC", **vpc_attrs)
-        elif self.rds_config.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.rds_config.vpc_id)
-        elif self.workload.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.workload.vpc_id)
-        else:
-            raise ValueError(
-                "VPC is not defined in the configuration.  "
-                "You can provide it a the rds.vpc_id in the configuration "
-                "or a top level workload.vpc_id in the workload configuration."
-            )
+        # Resolve VPC using the centralized VPC provider mixin
+        self._vpc = self.resolve_vpc(
+            config=self.rds_config,
+            deployment=self.deployment,
+            workload=self.workload
+        )
         return self._vpc
 
     def _get_security_groups(self) -> List[ec2.ISecurityGroup]:
@@ -150,8 +116,9 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         security_groups = []
         
         # Check SSM imports first for security group ID
-        if "security_group_rds_id" in self.ssm_imported_values:
-            sg_id = self.ssm_imported_values["security_group_rds_id"]
+        ssm_imports = self.get_all_ssm_imports()
+        if "security_group_rds_id" in ssm_imports:
+            sg_id = ssm_imports["security_group_rds_id"]
             security_groups.append(
                 ec2.SecurityGroup.from_security_group_id(
                     self, "RDSSecurityGroup", sg_id
@@ -168,27 +135,60 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         
         return security_groups
 
+    def _get_subnet_selection(self) -> ec2.SubnetSelection:
+        """
+        Get subnet selection based on available subnet types in the VPC.
+        
+        RDS instances require private subnets for security, but we'll fall back
+        to available subnets if the preferred types aren't available.
+        """
+        vpc = self.vpc
+        
+        # Check for isolated subnets first (most secure for RDS)
+        if vpc.isolated_subnets:
+            logger.info("Using isolated subnets for RDS instance")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
+        
+        # Check for private subnets next
+        elif vpc.private_subnets:
+            logger.info("Using private subnets for RDS instance")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
+        
+        # Fall back to public subnets (not recommended for production)
+        elif vpc.public_subnets:
+            logger.warning("Using public subnets for RDS instance - not recommended for production")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)
+        
+        else:
+            raise ValueError("No subnets available in VPC for RDS instance")
+
     def _create_db_instance(self, db_name: str) -> rds.DatabaseInstance:
         """Create a new RDS instance"""
         # Configure subnet group
         # If we have subnet IDs from SSM, create a DB subnet group explicitly
         db_subnet_group = None
-        if "subnet_ids" in self.ssm_imported_values:
-            subnet_ids_str = self.ssm_imported_values["subnet_ids"]
-            # Split the comma-separated token into a list
-            subnet_ids_list = cdk.Fn.split(",", subnet_ids_str)
-            
-            # Create DB subnet group with the token-based subnet list
-            db_subnet_group = rds.CfnDBSubnetGroup(
-                self,
-                "DBSubnetGroup",
-                db_subnet_group_description=f"Subnet group for {db_name}",
-                subnet_ids=subnet_ids_list,
-                db_subnet_group_name=f"{db_name}-subnet-group"
-            )
+        subnet_ids = self.get_subnet_ids(self.rds_config)
+        
+        if subnet_ids:
+            # For CloudFormation token resolution, we need to get the raw SSM value
+            # Use the standardized SSM imports
+            ssm_imports = self.get_all_ssm_imports()
+            if "subnet_ids" in ssm_imports:
+                subnet_ids_str = ssm_imports["subnet_ids"]
+                # Split the comma-separated token into a list for CloudFormation
+                subnet_ids_list = cdk.Fn.split(",", subnet_ids_str)
+                
+                # Create DB subnet group with the token-based subnet list
+                db_subnet_group = rds.CfnDBSubnetGroup(
+                    self,
+                    "DBSubnetGroup",
+                    db_subnet_group_description=f"Subnet group for {db_name}",
+                    subnet_ids=subnet_ids_list,
+                    db_subnet_group_name=f"{db_name}-subnet-group"
+                )
         
         # Configure subnet selection for VPC (when not using SSM imports)
-        subnets = None if db_subnet_group else ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
+        subnets = None if db_subnet_group else self._get_subnet_selection()
 
         # Configure engine
         engine_version = None
@@ -211,8 +211,10 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
             raise ValueError(f"Unsupported database engine: {self.rds_config.engine}")
 
         # Configure instance type
+        # Strip 'db.' prefix if present since ec2.InstanceType expects just the instance family/size
         instance_class = self.rds_config.instance_class
-        instance_type = ec2.InstanceType(instance_class)
+        instance_class_name = instance_class.replace("db.", "") if instance_class.startswith("db.") else instance_class
+        instance_type = ec2.InstanceType(instance_class_name)
 
         # Configure removal policy
         removal_policy = None
@@ -242,9 +244,18 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
             "backup_retention": Duration.days(self.rds_config.backup_retention),
             "cloudwatch_logs_exports": self.rds_config.cloudwatch_logs_exports,
             "enable_performance_insights": self.rds_config.enable_performance_insights,
+            "allow_major_version_upgrade": self.rds_config.allow_major_version_upgrade,
             "removal_policy": removal_policy,
         }
         
+        # Add storage auto-scaling if max_allocated_storage is configured
+        if self.rds_config.max_allocated_storage:
+            db_props["max_allocated_storage"] = self.rds_config.max_allocated_storage
+            logger.info(
+                f"Storage auto-scaling enabled: {self.rds_config.allocated_storage}GB "
+                f"-> {self.rds_config.max_allocated_storage}GB"
+            )
+        
         # Use either subnet group or vpc_subnets depending on what's available
         if db_subnet_group:
             db_props["subnet_group"] = rds.SubnetGroup.from_subnet_group_name(

cdk_factory/stack_library/route53/route53_stack.py

@@ -18,7 +18,7 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.route53 import Route53Config
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -27,7 +27,7 @@ logger = Logger(service="Route53Stack")
 
 @register_stack("route53_library_module")
 @register_stack("route53_stack")
-class Route53Stack(IStack, EnhancedSsmParameterMixin):
+class Route53Stack(IStack, StandardizedSsmMixin):
     """
     Reusable stack for AWS Route53.
     Supports creating hosted zones, DNS records, and certificate validation.
@@ -58,8 +58,13 @@ class Route53Stack(IStack, EnhancedSsmParameterMixin):
         # Get or create hosted zone
         self.hosted_zone = self._get_or_create_hosted_zone()
         
-        # Create certificate if needed
+        # Create certificate if needed (DEPRECATED - use dedicated ACM stack)
         if self.route53_config.create_certificate:
+            logger.warning(
+                "Creating certificates in Route53Stack is deprecated. "
+                "Please use the dedicated 'acm_stack' module for certificate management. "
+                "This feature will be maintained for backward compatibility."
+            )
             self.certificate = self._create_certificate()
             
         # Create DNS records