cdk-factory 0.15.7__tar.gz → 0.15.9__tar.gz

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/.gitignore

@@ -197,4 +197,5 @@ activate.sh
 .lambda_package
 
 # Lambda runtime config (generated during CDK deployment)
-**/runtime_config.json
+**/runtime_config.json
+.pip/

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.15.7
+Version: 0.15.9
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.15.7"
+version = "0.15.9"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/src/cdk_factory/configurations/resources/security_group_full_stack.py

@@ -69,3 +69,16 @@ class SecurityGroupFullStackConfig:
         if "ssm" in self.__config and "imports" in self.__config["ssm"]:
             return self.__config["ssm"]["imports"]
         return self.__config.get("ssm_imports", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports for the Security Group"""
+        # Check both nested and flat structures for backwards compatibility
+        if "ssm" in self.__config and "exports" in self.__config["ssm"]:
+            return self.__config["ssm"]["exports"]
+        return self.__config.get("ssm_exports", {})
+
+    @property
+    def security_groups(self) -> List[Dict[str, Any]]:
+        """List of security groups to create"""
+        return self.__config.get("security_groups", [])

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -113,7 +113,7 @@ def lambda_handler(event, context):
     Configuration (fetched from SSM Parameter Store):
     - GATE_ENABLED: Whether IP gating is enabled (true/false)
     - ALLOW_CIDRS: Comma-separated list of allowed CIDR ranges
-    - MAINT_CF_HOST: CloudFront domain for maintenance/lockout page
+    - DNS_ALIAS: CloudFront domain for backup/lockout page
     
     Runtime configuration is bundled in runtime_config.json by CDK.
     SSM parameter paths are auto-generated by CDK as:
@@ -172,9 +172,9 @@ def lambda_handler(event, context):
             print(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
             return request
         
-        # Get allowed CIDRs and maintenance host
+        # Get allowed CIDRs and backup host
         allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
-        maint_cf_host = get_ssm_parameter(f'/{env}/{function_name}/maint-cf-host', 'us-east-1')
+        dns_alias = get_ssm_parameter(f'/{env}/{function_name}/dns-alias', 'us-east-1')
         
         # Parse allowed CIDRs (empty string results in empty list)
         allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
@@ -188,35 +188,35 @@ def lambda_handler(event, context):
             print(f"IP {client_ip} is allowed")
             return request
         
-        # IP not allowed - either redirect or proxy maintenance page
+        # IP not allowed - either redirect or proxy backup page
         # Check response mode from SSM (default: redirect for backward compatibility)
         response_mode_param = f"/{env}/{function_name}/response-mode"
         response_mode = get_ssm_parameter(response_mode_param, 'us-east-1', default='redirect')
         
         if response_mode == 'proxy':
-            # Proxy mode: Fetch and return maintenance content (keeps URL the same)
-            print(f"IP {client_ip} is NOT allowed, proxying content from {maint_cf_host}")
+            # Proxy mode: Fetch and return backup content (keeps URL the same)
+            print(f"IP {client_ip} is NOT allowed, proxying content from {dns_alias}")
             
             try:
                 import urllib3
                 http = urllib3.PoolManager()
                 
-                # Fetch the maintenance page
-                maint_response = http.request(
+                # Fetch the backup page - always request /index.html
+                alias_response = http.request(
                     'GET', 
-                    f'https://{maint_cf_host}',
+                    f'https://{dns_alias}/index.html',
                     headers={'User-Agent': 'CloudFront-IP-Gate-Proxy'},
                     timeout=3.0
                 )
                 
-                # Return the maintenance content
+                # Return the backup content
                 response = {
-                    'status': str(maint_response.status),
-                    'statusDescription': 'OK' if maint_response.status == 200 else 'Service Unavailable',
+                    'status': str(alias_response.status),
+                    'statusDescription': 'OK' if alias_response.status == 200 else 'Service Unavailable',
                     'headers': {
                         'content-type': [{
                             'key': 'Content-Type',
-                            'value': maint_response.headers.get('Content-Type', 'text/html')
+                            'value': alias_response.headers.get('Content-Type', 'text/html')
                         }],
                         'cache-control': [{
                             'key': 'Cache-Control',
@@ -227,20 +227,20 @@ def lambda_handler(event, context):
                             'value': 'proxy'
                         }]
                     },
-                    'body': maint_response.data.decode('utf-8')
+                    'body': alias_response.data.decode('utf-8')
                 }
                 
-                print(f"Successfully proxied maintenance page (status {maint_response.status})")
+                print(f"Successfully proxied backup page (status {alias_response.status})")
                 return response
                 
             except Exception as proxy_error:
-                print(f"Error proxying maintenance content: {str(proxy_error)}")
+                print(f"Error proxying backup content: {str(proxy_error)}")
                 # Fall back to redirect if proxy fails
                 print(f"Falling back to redirect mode")
                 response_mode = 'redirect'
         
-        # Redirect mode (default): HTTP 302 redirect to maintenance site
-        print(f"IP {client_ip} is NOT allowed, redirecting to {maint_cf_host}")
+        # Redirect mode (default): HTTP 302 redirect to backup site
+        print(f"IP {client_ip} is NOT allowed, redirecting to {dns_alias}")
         
         response = {
             'status': '302',
@@ -248,7 +248,7 @@ def lambda_handler(event, context):
             'headers': {
                 'location': [{
                     'key': 'Location',
-                    'value': f'https://{maint_cf_host}'
+                    'value': f'https://{dns_alias}'
                 }],
                 'cache-control': [{
                     'key': 'Cache-Control',

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/src/cdk_factory/stack_library/security_group/security_group_full_stack.py

@@ -225,6 +225,18 @@ class SecurityGroupsStack(IStack):
             export_name=f"{self.deployment.environment}-{self.workload.name}-WebMonitoringSecurityGroup",
         )
 
+        # =========================================================
+        # SSM Parameter Store Exports
+        # =========================================================
+        self._export_ssm_parameters(
+            security_groups_map={
+                "alb": alb_sg,
+                "ecs": web_fleet_sg,
+                "rds": mysql_sg,
+                "monitoring": monitoring_sg,
+            }
+        )
+
     def _process_ssm_imports(self) -> None:
         """
         Process SSM imports from configuration.
@@ -287,3 +299,64 @@ class SecurityGroupsStack(IStack):
             raise ValueError("VPC ID is not defined in the configuration or SSM imports.")
 
         return self._vpc
+
+    def _export_ssm_parameters(self, security_groups_map: Dict[str, ec2.CfnSecurityGroup]) -> None:
+        """
+        Export security group IDs to SSM Parameter Store based on configuration.
+        
+        Args:
+            security_groups_map: Dictionary mapping security group types to their CDK resources
+        """
+        # Get the security groups configuration list from the config
+        security_groups_config = self.sg_config.security_groups
+        
+        if not security_groups_config:
+            logger.debug("No security groups configuration found for SSM exports")
+            return
+        
+        logger.info(f"Processing SSM exports for {len(security_groups_config)} security groups")
+        
+        # Process each security group configuration
+        for sg_config in security_groups_config:
+            # Get the security group name and SSM exports
+            sg_name = sg_config.get("name", "")
+            ssm_config = sg_config.get("ssm", {})
+            ssm_exports = ssm_config.get("exports", {})
+            
+            if not ssm_exports:
+                logger.debug(f"No SSM exports configured for security group: {sg_name}")
+                continue
+            
+            # Determine which security group this config refers to based on the name pattern
+            # The config uses patterns like "{{WORKLOAD_NAME}}-{{ENVIRONMENT}}-rds-sg"
+            sg_resource = None
+            sg_type = None
+            
+            if "-rds-sg" in sg_name or "-rds" in sg_name:
+                sg_resource = security_groups_map.get("rds")
+                sg_type = "rds"
+            elif "-ecs-sg" in sg_name or "instances" in sg_name:
+                sg_resource = security_groups_map.get("ecs")
+                sg_type = "ecs"
+            elif "-alb-sg" in sg_name or "alb" in sg_name:
+                sg_resource = security_groups_map.get("alb")
+                sg_type = "alb"
+            elif "monitoring" in sg_name:
+                sg_resource = security_groups_map.get("monitoring")
+                sg_type = "monitoring"
+            
+            if not sg_resource:
+                logger.warning(f"Could not map security group configuration to resource: {sg_name}")
+                continue
+            
+            # Export the security group ID if configured
+            security_group_id_path = ssm_exports.get("security_group_id")
+            if security_group_id_path:
+                self.export_ssm_parameter(
+                    scope=self,
+                    id=f"SsmExport{sg_type.upper()}SecurityGroupId",
+                    value=sg_resource.ref,
+                    parameter_name=security_group_id_path,
+                    description=f"Security Group ID for {sg_type} ({sg_name})",
+                )
+                logger.info(f"Exported SSM parameter: {security_group_id_path} for {sg_type} security group")

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/src/cdk_factory/stack_library/websites/static_website_stack.py

@@ -261,6 +261,18 @@ class StaticWebSiteStack(IStack):
                 description=f"CloudFront distribution ID for {stack_config.name}",
             )
         
+        # Export DNS alias (first alias) if configured
+        if "dns_alias" in ssm_exports and cloudfront_distribution.aliases:
+            # Export the first alias (primary domain)
+            primary_alias = cloudfront_distribution.aliases[0] if isinstance(cloudfront_distribution.aliases, list) else cloudfront_distribution.aliases
+            self.export_ssm_parameter(
+                scope=self,
+                id="SsmExportDnsAlias",
+                value=primary_alias,
+                parameter_name=ssm_exports["dns_alias"],
+                description=f"Primary DNS alias for {stack_config.name}",
+            )
+        
         logger.info(f"Exported {len(ssm_exports)} SSM parameters for stack {stack_config.name}")
 
     def __get_version_number(self, assets_path: str) -> str:

{cdk_factory-0.15.7 → cdk_factory-0.15.9}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -1425,7 +1425,9 @@ class ApiGatewayIntegrationUtility:
                 f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
                 f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
                 f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
-                f"👉 ApiGatewayIntegrationUtility documentation for more details: https://github.com/your-repo/api-gateway-stack"
+                f"👉 ApiGatewayIntegrationUtility documentation for more details: \n\n "
+                "\t https://github.com/geekcafe/cdk-factory/blob/main/src/cdk_factory/utilities/api_gateway_integration_utility.py \n\n"
+                "\t and https://github.com/geekcafe/cdk-factory/blob/main/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py"
             )
             raise ValueError(error_msg)
 

cdk_factory-0.15.9/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.15.9"

cdk_factory-0.15.7/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.15.7"