cdk-factory 0.15.10__py3-none-any.whl → 0.18.9__py3-none-any.whl

cdk_factory/interfaces/vpc_provider_mixin.py

@@ -0,0 +1,210 @@
+"""
+VPC Provider Mixin - Reusable VPC resolution functionality
+Maintainers: Eric Wilson
+MIT License. See Project Root for license information.
+"""
+
+from typing import Optional, List, Any
+from aws_lambda_powertools import Logger
+from aws_cdk import aws_ec2 as ec2, aws_ssm as ssm
+from constructs import Construct
+
+logger = Logger(__name__)
+
+
+class VPCProviderMixin:
+    """
+    Mixin class that provides reusable VPC resolution functionality for stacks.
+    
+    This mixin eliminates code duplication across stacks that need to resolve
+    VPC references, providing a standardized way to handle:
+    - SSM imported VPC parameters (works with enhanced StandardizedSsmMixin)
+    - Configuration-based VPC resolution
+    - Workload-level VPC fallback
+    - Error handling and validation
+    
+    Note: This mixin does NOT handle SSM imports directly - it expects
+    the SSM values to be available via the enhanced StandardizedSsmMixin.
+    """
+
+    def _initialize_vpc_cache(self) -> None:
+        """Initialize the VPC cache attribute"""
+        if not hasattr(self, '_vpc'):
+            self._vpc: Optional[ec2.IVpc] = None
+
+    def resolve_vpc(
+        self,
+        config: Any,
+        deployment: Any,
+        workload: Any,
+        availability_zones: Optional[List[str]] = None
+    ) -> ec2.IVpc:
+        """
+        Resolve VPC from multiple sources with standardized priority order.
+        
+        Priority order:
+        1. SSM imported VPC ID (from config.ssm.imports)
+        2. Config-level VPC ID
+        3. Workload-level VPC ID
+        4. Raise error if none found
+        
+        Args:
+            config: The stack configuration
+            deployment: The deployment configuration
+            workload: The workload configuration
+            availability_zones: Optional AZ list for VPC attributes
+            
+        Returns:
+            Resolved VPC reference
+            
+        Raises:
+            ValueError: If no VPC configuration is found
+        """
+        if self._vpc:
+            return self._vpc
+
+        # Default availability zones if not provided - use region-appropriate defaults
+        if not availability_zones:
+            region = getattr(deployment, 'region', 'us-east-1')
+            availability_zones = self._get_default_azs_for_region(region)
+
+        # Check SSM imports directly from config (source of truth)
+        ssm_config = getattr(config, 'ssm', {})
+        ssm_imports = ssm_config.get('imports', {})
+        
+        if ssm_imports and "vpc_id" in ssm_imports:
+            vpc_id = ssm_imports["vpc_id"]
+            
+            # Get subnet IDs first to determine AZ count
+            subnet_ids = []
+            if "subnet_ids" in ssm_imports:
+                imported_subnets = ssm_imports["subnet_ids"]
+                if isinstance(imported_subnets, str):
+                    subnet_ids = [s.strip() for s in imported_subnets.split(",") if s.strip()]
+                elif isinstance(imported_subnets, list):
+                    subnet_ids = imported_subnets
+            
+            # Adjust availability zones to match subnet count
+            if subnet_ids and availability_zones:
+                region = getattr(deployment, 'region', 'us-east-1')
+                region_code = region.split('-')[0] + '-' + region.split('-')[1]
+                availability_zones = [f"{region_code}{chr(97+i)}" for i in range(len(subnet_ids))]
+            
+            return self._create_vpc_from_ssm(vpc_id, availability_zones, subnet_ids if subnet_ids else None)
+        
+        # Check config-level VPC ID
+        if hasattr(config, 'vpc_id') and config.vpc_id:
+            return ec2.Vpc.from_lookup(self, f"{self.stack_name}-VPC", vpc_id=config.vpc_id)
+        
+        # Check workload-level VPC ID
+        if hasattr(workload, 'vpc_id') and workload.vpc_id:
+            return ec2.Vpc.from_lookup(self, f"{self.stack_name}-VPC", vpc_id=workload.vpc_id)
+        
+        # No VPC found - raise descriptive error
+        raise self._create_vpc_not_found_error(config, workload)
+
+    def _create_vpc_from_ssm(
+        self, 
+        vpc_id: str, 
+        availability_zones: List[str],
+        subnet_ids: Optional[List[str]] = None
+    ) -> ec2.IVpc:
+        """
+        Create VPC reference from SSM imported VPC ID.
+        
+        Args:
+            vpc_id: The VPC ID from SSM (can be SSM path or actual VPC ID)
+            availability_zones: List of availability zones
+            subnet_ids: Optional list of subnet IDs from SSM
+            
+        Returns:
+            VPC reference created from attributes
+        """
+        # Check if vpc_id is an SSM path (starts with /) or actual VPC ID
+        if vpc_id.startswith('/'):
+            # Create CDK token for VPC ID from SSM parameter
+            vpc_id_token = ssm.StringParameter.from_string_parameter_name(
+                self, f"{self.stack_name}-VPC-ID-Token", vpc_id
+            ).string_value
+        else:
+            # Use the VPC ID directly (for testing or direct configuration)
+            vpc_id_token = vpc_id
+        
+        # Build VPC attributes
+        vpc_attrs = {
+            "vpc_id": vpc_id_token,
+            "availability_zones": availability_zones,
+        }
+        
+        # If we have subnet_ids from SSM, add them to the attributes
+        if subnet_ids:
+            # Use the actual subnet IDs from SSM
+            vpc_attrs["public_subnet_ids"] = subnet_ids
+        
+        # Use from_vpc_attributes() for SSM tokens with unique construct name
+        self._vpc = ec2.Vpc.from_vpc_attributes(self, f"{self.stack_name}-VPC", **vpc_attrs)
+        return self._vpc
+
+    def _create_vpc_not_found_error(self, config: Any, workload: Any) -> ValueError:
+        """
+        Create a descriptive error message for missing VPC configuration.
+        
+        Args:
+            config: The stack configuration
+            workload: The workload configuration
+            
+        Returns:
+            ValueError with descriptive message
+        """
+        config_name = getattr(config, 'name', 'unknown')
+        workload_name = getattr(workload, 'name', 'unknown')
+        
+        return ValueError(
+            f"VPC is not defined in the configuration for {config_name}. "
+            f"You can provide it at the following locations:\n"
+            f"  1. As an SSM import: config.ssm_imports.vpc_id\n"
+            f"  2. At the config level: config.vpc_id\n"
+            f"  3. At the workload level: workload.vpc_id\n"
+            f"Current workload: {workload_name}"
+        )
+
+    def get_vpc_property(self, config: Any, deployment: Any, workload: Any) -> ec2.IVpc:
+        """
+        Standard VPC property implementation that can be used by stacks.
+        
+        Args:
+            config: The stack configuration
+            deployment: The deployment configuration
+            workload: The workload configuration
+            
+        Returns:
+            Resolved VPC reference
+        """
+        return self.resolve_vpc(config, deployment, workload)
+
+    def _get_default_azs_for_region(self, region: str) -> List[str]:
+        """
+        Get default availability zones for a given region.
+        
+        Args:
+            region: AWS region name (e.g., 'us-east-1', 'us-west-2')
+            
+        Returns:
+            List of availability zone names for the region
+        """
+        # Common AZ mappings for major AWS regions
+        region_az_map = {
+            'us-east-1': ['us-east-1a', 'us-east-1b'],
+            'us-east-2': ['us-east-2a', 'us-east-2b'],
+            'us-west-1': ['us-west-1a', 'us-west-1b'],
+            'us-west-2': ['us-west-2a', 'us-west-2b'],
+            'eu-west-1': ['eu-west-1a', 'eu-west-1b'],
+            'eu-west-2': ['eu-west-2a', 'eu-west-2b'],
+            'eu-central-1': ['eu-central-1a', 'eu-central-1b'],
+            'ap-southeast-1': ['ap-southeast-1a', 'ap-southeast-1b'],
+            'ap-southeast-2': ['ap-southeast-2a', 'ap-southeast-2b'],
+            'ap-northeast-1': ['ap-northeast-1a', 'ap-northeast-1b'],
+        }
+        
+        # Return region-specific AZs if available, otherwise fall back to us-east-1
+        return region_az_map.get(region, ['us-east-1a', 'us-east-1b'])

cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -11,11 +11,18 @@ import ipaddress
 import boto3
 from functools import lru_cache
 
+# Simple logging for Lambda@Edge (since we can't use external logging libraries)
+import logging
+
+# Configure basic logging
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
 # SSM client - will be created in the region where the function executes
 ssm = None
 
 @lru_cache(maxsize=128)
-def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: str = None) -> str:
+def get_ssm_parameter(parameter_name: str, region: str = None, default: str = None) -> str:
     """
     Fetch SSM parameter with caching.
     Lambda@Edge cannot use environment variables, so we fetch from SSM.
@@ -23,14 +30,18 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: s
     The sentinel value 'NONE' indicates an explicitly unset/disabled parameter.
     
     Args:
-        parameter_name: Name of the SSM parameter
-        region: AWS region (default us-east-1)
-        default: Default value to return if parameter not found (optional)
+        parameter_name: SSM parameter name
+        region: AWS region (defaults to us-east-1 for Lambda@Edge compatibility)
+        default: Default value if parameter not found
     
     Returns:
         Parameter value, default value if parameter not found, or empty string if value is 'NONE'
     """
     global ssm
+    # Default to us-east-1 for Lambda@Edge compatibility if no region specified
+    if region is None:
+        region = 'us-east-1'
+    
     if ssm is None:
         ssm = boto3.client('ssm', region_name=region)
     
@@ -40,20 +51,20 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: s
         
         # Treat 'NONE' sentinel as empty/unset
         if value == 'NONE':
-            print(f"SSM parameter {parameter_name} is set to 'NONE' (explicitly disabled)")
+            logger.info(f"SSM parameter {parameter_name} is set to 'NONE' (explicitly disabled)")
             return ''
         
         return value
     except ssm.exceptions.ParameterNotFound:
         if default is not None:
-            print(f"SSM parameter {parameter_name} not found, using default: {default}")
+            logger.info(f"SSM parameter {parameter_name} not found, using default: {default}")
             return default
-        print(f"SSM parameter {parameter_name} not found and no default provided")
+        logger.error(f"SSM parameter {parameter_name} not found and no default provided")
         raise
     except Exception as e:
-        print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
+        logger.error(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
         if default is not None:
-            print(f"Returning default value due to error: {default}")
+            logger.info(f"Returning default value due to error: {default}")
             return default
         raise
 
@@ -89,7 +100,7 @@ def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
     try:
         client_ip_obj = ipaddress.ip_address(client_ip)
     except ValueError as e:
-        print(f"Invalid client IP address: {e}")
+        logger.error(f"Invalid client IP address: {e}")
         return False
     
     # Check each CIDR individually, skipping invalid ones
@@ -100,7 +111,7 @@ def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
                 return True
         except ValueError as e:
             # Invalid CIDR, log and continue checking others
-            print(f"Invalid CIDR '{cidr}': {e}")
+            logger.warning(f"Invalid CIDR '{cidr}': {e}")
             continue
     
     return False
@@ -130,24 +141,23 @@ def lambda_handler(event, context):
         env = runtime_config.get('environment', 'dev')
         function_base_name = runtime_config.get('function_name', 'ip-gate')
         
-        print(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
+        logger.info(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
     except FileNotFoundError:
         # Fallback: extract from Lambda context (less reliable)
-        print("Warning: runtime_config.json not found, falling back to function name parsing")
+        logger.warning("runtime_config.json not found, falling back to function name parsing")
         function_full_name = context.function_name
         
         # Parse environment from function name as fallback
         parts = function_full_name.split('-')
         common_envs = ['dev', 'prod', 'staging', 'test', 'qa', 'uat']
-        env = 'dev'
-        
+        env = 'dev'  # Default fallback
         for part in parts:
             if part in common_envs:
                 env = part
                 break
         
         function_base_name = 'ip-gate'
-        print(f"Fallback: environment={env}, function_name={function_base_name}")
+        logger.info(f"Fallback: environment={env}, function_name={function_base_name}")
     
     # Full function name for SSM paths
     # Lambda@Edge replicas prepend region (e.g., "us-east-1.tech-talk-dev-ip-gate")
@@ -156,46 +166,46 @@ def lambda_handler(event, context):
     if '.' in function_name and function_name.split('.')[0].startswith('us-'):
         # Strip region prefix (e.g., "us-east-1." -> "tech-talk-dev-ip-gate")
         function_name = '.'.join(function_name.split('.')[1:])
-        print(f"Stripped region prefix from function name: {function_name}")
+        logger.info(f"Stripped region prefix from function name: {function_name}")
     
-    print(f"Lambda function ARN: {context.invoked_function_arn}")
-    print(f"Using function name for SSM lookups: {function_name}")
+    logger.info(f"Lambda function ARN: {context.invoked_function_arn}")
+    logger.info(f"Using function name for SSM lookups: {function_name}")
     
     try:
         # Fetch configuration from SSM Parameter Store
         # Auto-generated paths: /{env}/{function-name}/{key}
-        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
+        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', region='us-east-1')
         
         # If gating is disabled, allow all traffic
         # Empty string (from 'NONE' sentinel) is treated as disabled
         if not gate_enabled or gate_enabled.lower() not in ('true', '1', 'yes'):
-            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
+            logger.info(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
             return request
         
         # Get allowed CIDRs and backup host
-        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
-        dns_alias = get_ssm_parameter(f'/{env}/{function_name}/dns-alias', 'us-east-1')
+        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', region='us-east-1')
+        dns_alias = get_ssm_parameter(f'/{env}/{function_name}/dns-alias', region='us-east-1')
         
         # Parse allowed CIDRs (empty string results in empty list)
         allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
         
         # Get client IP
         client_ip = get_client_ip(request)
-        print(f"Client IP: {client_ip}")
+        logger.info(f"Client IP: {client_ip}")
         
         # Check if IP is allowed
         if is_ip_allowed(client_ip, allowed_cidrs):
-            print(f"IP {client_ip} is allowed")
+            logger.info(f"IP {client_ip} is allowed")
             return request
         
         # IP not allowed - either redirect or proxy backup page
         # Check response mode from SSM (default: redirect for backward compatibility)
         response_mode_param = f"/{env}/{function_name}/response-mode"
-        response_mode = get_ssm_parameter(response_mode_param, 'us-east-1', default='redirect')
+        response_mode = get_ssm_parameter(response_mode_param, region='us-east-1', default='redirect')
         
         if response_mode == 'proxy':
             # Proxy mode: Fetch and return backup content (keeps URL the same)
-            print(f"IP {client_ip} is NOT allowed, proxying content from {dns_alias}")
+            logger.info(f"IP {client_ip} is NOT allowed, proxying content from {dns_alias}")
             
             try:
                 import urllib3
@@ -230,17 +240,17 @@ def lambda_handler(event, context):
                     'body': alias_response.data.decode('utf-8')
                 }
                 
-                print(f"Successfully proxied backup page (status {alias_response.status})")
+                logger.info(f"Successfully proxied backup page (status {alias_response.status})")
                 return response
                 
             except Exception as proxy_error:
-                print(f"Error proxying backup content: {str(proxy_error)}")
+                logger.error(f"Error proxying backup content: {str(proxy_error)}")
                 # Fall back to redirect if proxy fails
-                print(f"Falling back to redirect mode")
+                logger.info(f"Falling back to redirect mode")
                 response_mode = 'redirect'
         
         # Redirect mode (default): HTTP 302 redirect to backup site
-        print(f"IP {client_ip} is NOT allowed, redirecting to {dns_alias}")
+        logger.info(f"IP {client_ip} is NOT allowed, redirecting to {dns_alias}")
         
         response = {
             'status': '302',
@@ -249,14 +259,6 @@ def lambda_handler(event, context):
                 'location': [{
                     'key': 'Location',
                     'value': f'https://{dns_alias}'
-                }],
-                'cache-control': [{
-                    'key': 'Cache-Control',
-                    'value': 'no-cache, no-store, must-revalidate'
-                }],
-                'x-ip-gate-mode': [{
-                    'key': 'X-IP-Gate-Mode',
-                    'value': 'redirect'
                 }]
             }
         }
@@ -264,7 +266,7 @@ def lambda_handler(event, context):
         return response
         
     except Exception as e:
-        print(f"Error in IP gating function: {str(e)}")
+        logger.error(f"Error in IP gating function: {str(e)}")
         # On error, allow the request to proceed (fail open)
         # Change this to fail closed if preferred
         return request