cdk-factory 0.16.15__py3-none-any.whl → 0.18.9__py3-none-any.whl

cdk_factory/stack_library/load_balancer/load_balancer_stack.py

@@ -6,6 +6,8 @@ MIT License.  See Project Root for the license information.
 
 from typing import Dict, Any, List, Optional
 
+import base64
+import hashlib
 import aws_cdk as cdk
 from aws_cdk import aws_elasticloadbalancingv2 as elbv2
 from aws_cdk import aws_ec2 as ec2
@@ -19,7 +21,8 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.load_balancer import LoadBalancerConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.vpc_provider_mixin import VPCProviderMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -30,7 +33,7 @@ logger = Logger(service="LoadBalancerStack")
 @register_stack("alb_stack")
 @register_stack("load_balancer_library_module")
 @register_stack("load_balancer_stack")
-class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
+class LoadBalancerStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
     """
     Reusable stack for AWS Load Balancers.
     Supports creating Application and Network Load Balancers with customizable configurations.
@@ -49,7 +52,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         self._hosted_zone = None
         self._record_names = None
         # SSM imported values
-        self.ssm_imported_values: Dict[str, str] = {}
+        self._ssm_imported_values: Dict[str, str] = {}
 
     def build(
         self,
@@ -76,8 +79,18 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         )
         lb_name = deployment.build_resource_name(self.lb_config.name)
 
-        # Process SSM imports first
-        self._process_ssm_imports()
+        # Setup standardized SSM integration
+        self.setup_ssm_integration(
+            scope=self,
+            config=self.lb_config,
+            resource_type="load_balancer",
+            resource_name=self.lb_config.name,
+            deployment=deployment,
+            workload=workload
+        )
+        
+        # Process SSM imports
+        self.process_ssm_imports()
 
         self._prep_dns()
 
@@ -155,16 +168,22 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
 
         # If subnets is None, check if we have SSM-imported subnet_ids as a token
         # We need to use Fn.Split to convert the comma-separated string to an array
-        if subnets is None and "subnet_ids" in self.ssm_imported_values:
-            subnet_ids_value = self.ssm_imported_values["subnet_ids"]
-            if cdk.Token.is_unresolved(subnet_ids_value):
-                logger.info("Using Fn.Split to convert comma-separated subnet IDs token to array")
-                # Use CloudFormation escape hatch to set Subnets property with Fn.Split
-                cfn_lb = load_balancer.node.default_child
-                cfn_lb.add_property_override(
-                    "Subnets",
-                    cdk.Fn.split(",", subnet_ids_value)
-                )
+        if subnets is None:
+            subnet_ids = self.get_subnet_ids(self.lb_config)
+            if subnet_ids:
+                # For CloudFormation token resolution, we still need Fn.split
+                # but we use the helper to determine if subnet IDs are available
+                ssm_imports = self.get_all_ssm_imports()
+                if "subnet_ids" in ssm_imports:
+                    subnet_ids_value = ssm_imports["subnet_ids"]
+                    if cdk.Token.is_unresolved(subnet_ids_value):
+                        logger.info("Using Fn.Split to convert comma-separated subnet IDs token to array")
+                        # Use CloudFormation escape hatch to set Subnets property with Fn.Split
+                        cfn_lb = load_balancer.node.default_child
+                        cfn_lb.add_property_override(
+                            "Subnets",
+                            cdk.Fn.split(",", subnet_ids_value)
+                        )
 
         # Add tags
         for key, value in self.lb_config.tags.items():
@@ -174,100 +193,25 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
 
     @property
     def vpc(self) -> ec2.IVpc:
-        """Get the VPC for the Load Balancer"""
+        """Get the VPC for the Load Balancer using centralized VPC provider mixin."""
         if self._vpc:
             return self._vpc
-
-        # Check SSM imported values first (tokens from SSM parameters)
-        if "vpc_id" in self.ssm_imported_values:
-            vpc_id = self.ssm_imported_values["vpc_id"]
-            
-            # Build VPC attributes
-            vpc_attrs = {
-                "vpc_id": vpc_id,
-                "availability_zones": ["us-east-1a", "us-east-1b"],
-            }
-            
-            # If we have subnet_ids from SSM, provide dummy public subnets
-            # The actual subnets will be set via CloudFormation escape hatch
-            if "subnet_ids" in self.ssm_imported_values:
-                # Provide dummy subnet IDs - these will be overridden by the escape hatch
-                # We need at least one dummy subnet per AZ to satisfy CDK's validation
-                vpc_attrs["public_subnet_ids"] = ["subnet-dummy1", "subnet-dummy2"]
-            
-            # Use from_vpc_attributes() instead of from_lookup() because SSM imports return tokens
-            self._vpc = ec2.Vpc.from_vpc_attributes(self, "VPC", **vpc_attrs)
-        elif self.lb_config.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.lb_config.vpc_id)
-        elif self.workload.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.workload.vpc_id)
-        else:
-            # Use default VPC if not provided
-            raise ValueError(
-                "VPC is not defined in the configuration.  "
-                "You can provide it a the load_balancer.vpc_id in the configuration "
-                "or a top level workload.vpc_id in the workload configuration."
-            )
-
-        return self._vpc
-
-    def _process_ssm_imports(self) -> None:
-        """
-        Process SSM imports from configuration.
-        Follows the same pattern as RDS and Security Group stacks.
-        """
-        from aws_cdk import aws_ssm as ssm
-        
-        ssm_imports = self.lb_config.ssm_imports
         
-        if not ssm_imports:
-            logger.debug("No SSM imports configured for Load Balancer")
-            return
-        
-        logger.info(f"Processing {len(ssm_imports)} SSM imports for Load Balancer")
-        
-        for param_key, param_value in ssm_imports.items():
-            try:
-                # Handle list values (like security_groups)
-                if isinstance(param_value, list):
-                    imported_list = []
-                    for idx, param_path in enumerate(param_value):
-                        if not param_path.startswith('/'):
-                            param_path = f"/{param_path}"
-                        
-                        construct_id = f"ssm-import-{param_key}-{idx}-{hash(param_path) % 10000}"
-                        param = ssm.StringParameter.from_string_parameter_name(
-                            self, construct_id, param_path
-                        )
-                        imported_list.append(param.string_value)
-                    
-                    self.ssm_imported_values[param_key] = imported_list
-                    logger.info(f"Imported SSM parameter list: {param_key} with {len(imported_list)} items")
-                else:
-                    # Handle string values
-                    param_path = param_value
-                    if not param_path.startswith('/'):
-                        param_path = f"/{param_path}"
-                    
-                    construct_id = f"ssm-import-{param_key}-{hash(param_path) % 10000}"
-                    param = ssm.StringParameter.from_string_parameter_name(
-                        self, construct_id, param_path
-                    )
-                    
-                    self.ssm_imported_values[param_key] = param.string_value
-                    logger.info(f"Imported SSM parameter: {param_key} from {param_path}")
-                    
-            except Exception as e:
-                logger.error(f"Failed to import SSM parameter {param_key}: {e}")
-                raise
+        # Use the centralized VPC resolution from VPCProviderMixin
+        self._vpc = self.resolve_vpc(
+            config=self.lb_config,
+            deployment=self.deployment,
+            workload=self.workload
+        )
+        return self._vpc
 
     def _get_security_groups(self) -> List[ec2.ISecurityGroup]:
         """Get security groups for the Load Balancer"""
         security_groups = []
         
         # Check SSM imported values first
-        if "security_groups" in self.ssm_imported_values:
-            sg_ids = self.ssm_imported_values["security_groups"]
+        if "security_groups" in self._ssm_imported_values:
+            sg_ids = self._ssm_imported_values["security_groups"]
             if not isinstance(sg_ids, list):
                 sg_ids = [sg_ids]
         else:
@@ -285,9 +229,16 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         """Get subnets for the Load Balancer"""
         subnets = []
         
-        # Check SSM imported values first
-        if "subnet_ids" in self.ssm_imported_values:
-            subnet_ids_value = self.ssm_imported_values["subnet_ids"]
+        # Use the standardized helper function to get subnet IDs
+        subnet_ids = self.get_subnet_ids(self.lb_config)
+        
+        if not subnet_ids:
+            return None
+        
+        # Check if we have unresolved tokens from SSM
+        ssm_imports = self.get_all_ssm_imports()
+        if "subnet_ids" in ssm_imports:
+            subnet_ids_value = ssm_imports["subnet_ids"]
             
             # Check if this is a CDK token (unresolved SSM parameter)
             if cdk.Token.is_unresolved(subnet_ids_value):
@@ -296,25 +247,40 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 # The ALB construct will handle the token-based subnet IDs
                 logger.info("Subnet IDs are unresolved tokens, will use vpc_subnets with token resolution")
                 return None
-            elif isinstance(subnet_ids_value, str):
-                # If it's a resolved string, split it
-                subnet_ids = [s.strip() for s in subnet_ids_value.split(',')]
-            elif isinstance(subnet_ids_value, list):
-                subnet_ids = subnet_ids_value
-            else:
-                subnet_ids = [subnet_ids_value]
-        else:
-            subnet_ids = self.lb_config.subnets
-        
-        if not subnet_ids:
-            return None
             
+        # Convert subnet IDs to subnet objects
         for idx, subnet_id in enumerate(subnet_ids):
             subnets.append(
                 ec2.Subnet.from_subnet_id(self, f"Subnet-{idx}", subnet_id)
             )
         return subnets
 
+    def _generate_target_group_name(self, lb_name: str, tg_name: str, max_length: int = 32) -> str:
+        """Generate a unique target group name that doesn't begin/end with hyphens"""
+        full_name = f"{lb_name}-{tg_name}"
+        
+        if len(full_name) <= max_length:
+            # No truncation needed, just ensure no leading/trailing hyphens
+            return full_name.strip('-')
+        
+        # Need to truncate - use hash suffix for uniqueness
+        # Reserve space for hash (typically 8 chars) and separator
+        hash_length = 8
+        separator_length = 1
+        max_name_length = max_length - hash_length - separator_length
+        
+        # Take the prefix and ensure it doesn't end with hyphen
+        prefix = full_name[:max_name_length].rstrip('-')
+        
+        # Generate hash of the full name for uniqueness
+        hash_bytes = hashlib.sha256(full_name.encode()).digest()
+        hash_suffix = base64.urlsafe_b64encode(hash_bytes).decode()[:hash_length]
+        
+        # Ensure hash doesn't start with hyphen (replace any non-alphanumeric chars)
+        hash_suffix = ''.join(c for c in hash_suffix if c.isalnum())[:hash_length]
+        
+        return f"{prefix}-{hash_suffix}"
+
     def _create_target_groups(self, lb_name: str) -> None:
         """Create target groups for the Load Balancer"""
 
@@ -322,6 +288,9 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
             tg_name = tg_config.get("name", f"tg-{idx}")
             tg_id = f"{lb_name}-{tg_name}"
 
+            # Generate a unique target group name that doesn't begin/end with hyphens
+            tg_name_sanitized = self._generate_target_group_name(lb_name, tg_name)
+
             # Configure health check
             health_check = self._configure_health_check(
                 tg_config.get("health_check", {})
@@ -332,7 +301,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 target_group = elbv2.ApplicationTargetGroup(
                     self,
                     tg_id,
-                    target_group_name=tg_id[:32],  # Ensure name is within AWS limits
+                    target_group_name=tg_name_sanitized,
                     vpc=self.vpc,
                     port=tg_config.get("port", 80),
                     protocol=elbv2.ApplicationProtocol(
@@ -347,7 +316,7 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 target_group = elbv2.NetworkTargetGroup(
                     self,
                     tg_id,
-                    target_group_name=tg_id[:32],  # Ensure name is within AWS limits
+                    target_group_name=tg_name_sanitized,
                     vpc=self.vpc,
                     port=tg_config.get("port", 80),
                     protocol=elbv2.Protocol(tg_config.get("protocol", "TCP")),
@@ -357,6 +326,8 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                     health_check=health_check,
                 )
 
+
+            
             # Store target group for later use
             self.target_groups[tg_name] = target_group
 
@@ -397,6 +368,11 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
                 if protocol.upper() == "HTTPS":
                     certificates = self._get_certificates()
 
+                if not certificates and protocol.upper() == "HTTPS":
+                    message = "No certificates found for HTTPS listener. Please attach a certificate or create a certificate stack."
+                    logger.warning(message)
+                    raise ValueError(message)
+
                 listener = elbv2.ApplicationListener(
                     self,
                     listener_id,
@@ -449,8 +425,9 @@ class LoadBalancerStack(IStack, EnhancedSsmParameterMixin):
         certificates = []
         
         # Check SSM imported values first (takes priority)
-        if "certificate_arns" in self.ssm_imported_values:
-            cert_arns = self.ssm_imported_values["certificate_arns"]
+        ssm_imports = self.get_all_ssm_imports()
+        if "certificate_arns" in ssm_imports:
+            cert_arns = ssm_imports["certificate_arns"]
             if not isinstance(cert_arns, list):
                 cert_arns = [cert_arns]
             for cert_arn in cert_arns:

cdk_factory/stack_library/rds/rds_stack.py

@@ -18,7 +18,8 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.rds import RdsConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.vpc_provider_mixin import VPCProviderMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -27,7 +28,7 @@ logger = Logger(service="RdsStack")
 
 @register_stack("rds_library_module")
 @register_stack("rds_stack")
-class RdsStack(IStack, EnhancedSsmParameterMixin):
+class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
     """
     Reusable stack for AWS RDS.
     Supports creating RDS instances with customizable configurations.
@@ -68,8 +69,18 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         self.rds_config = RdsConfig(stack_config.dictionary.get("rds", {}), deployment)
         db_name = deployment.build_resource_name(self.rds_config.name)
 
-        # Process SSM imports first
-        self._process_ssm_imports()
+        # Setup standardized SSM integration
+        self.setup_ssm_integration(
+            scope=self,
+            config=self.rds_config,
+            resource_type="rds",
+            resource_name=self.rds_config.name,
+            deployment=deployment,
+            workload=workload
+        )
+        
+        # Process SSM imports
+        self.process_ssm_imports()
 
         # Get VPC and security groups
         self.security_groups = self._get_security_groups()
@@ -86,63 +97,18 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         # Export to SSM Parameter Store
         self._export_ssm_parameters(db_name)
 
-    def _process_ssm_imports(self) -> None:
-        """Process SSM imports from configuration"""
-        ssm_imports = self.rds_config.ssm_imports
-        
-        if not ssm_imports:
-            logger.debug("No SSM imports configured for RDS")
-            return
-        
-        logger.info(f"Processing {len(ssm_imports)} SSM imports for RDS")
-        
-        for param_key, param_path in ssm_imports.items():
-            try:
-                if not param_path.startswith('/'):
-                    param_path = f"/{param_path}"
-                
-                construct_id = f"ssm-import-{param_key}-{hash(param_path) % 10000}"
-                param = ssm.StringParameter.from_string_parameter_name(
-                    self, construct_id, param_path
-                )
-                
-                self.ssm_imported_values[param_key] = param.string_value
-                logger.info(f"Imported SSM parameter: {param_key} from {param_path}")
-                
-            except Exception as e:
-                logger.error(f"Failed to import SSM parameter {param_key} from {param_path}: {e}")
-                raise
-
     @property
     def vpc(self) -> ec2.IVpc:
-        """Get the VPC for the RDS instance"""
-        if self._vpc:
+        """Get the VPC for the RDS instance using centralized VPC provider mixin."""
+        if hasattr(self, '_vpc') and self._vpc:
             return self._vpc
         
-        # Check SSM imported values first (tokens from SSM parameters)
-        if "vpc_id" in self.ssm_imported_values:
-            vpc_id = self.ssm_imported_values["vpc_id"]
-            
-            # When using tokens, we can't provide subnet lists to from_vpc_attributes
-            # because CDK validates subnet count against AZ count at synthesis time
-            # We'll create a DB subnet group separately instead
-            vpc_attrs = {
-                "vpc_id": vpc_id,
-                "availability_zones": ["us-east-1a", "us-east-1b"]
-            }
-            
-            # Use from_vpc_attributes() for SSM tokens
-            self._vpc = ec2.Vpc.from_vpc_attributes(self, "VPC", **vpc_attrs)
-        elif self.rds_config.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.rds_config.vpc_id)
-        elif self.workload.vpc_id:
-            self._vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=self.workload.vpc_id)
-        else:
-            raise ValueError(
-                "VPC is not defined in the configuration.  "
-                "You can provide it a the rds.vpc_id in the configuration "
-                "or a top level workload.vpc_id in the workload configuration."
-            )
+        # Resolve VPC using the centralized VPC provider mixin
+        self._vpc = self.resolve_vpc(
+            config=self.rds_config,
+            deployment=self.deployment,
+            workload=self.workload
+        )
         return self._vpc
 
     def _get_security_groups(self) -> List[ec2.ISecurityGroup]:
@@ -150,8 +116,9 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         security_groups = []
         
         # Check SSM imports first for security group ID
-        if "security_group_rds_id" in self.ssm_imported_values:
-            sg_id = self.ssm_imported_values["security_group_rds_id"]
+        ssm_imports = self.get_all_ssm_imports()
+        if "security_group_rds_id" in ssm_imports:
+            sg_id = ssm_imports["security_group_rds_id"]
             security_groups.append(
                 ec2.SecurityGroup.from_security_group_id(
                     self, "RDSSecurityGroup", sg_id
@@ -168,27 +135,60 @@ class RdsStack(IStack, EnhancedSsmParameterMixin):
         
         return security_groups
 
+    def _get_subnet_selection(self) -> ec2.SubnetSelection:
+        """
+        Get subnet selection based on available subnet types in the VPC.
+        
+        RDS instances require private subnets for security, but we'll fall back
+        to available subnets if the preferred types aren't available.
+        """
+        vpc = self.vpc
+        
+        # Check for isolated subnets first (most secure for RDS)
+        if vpc.isolated_subnets:
+            logger.info("Using isolated subnets for RDS instance")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
+        
+        # Check for private subnets next
+        elif vpc.private_subnets:
+            logger.info("Using private subnets for RDS instance")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)
+        
+        # Fall back to public subnets (not recommended for production)
+        elif vpc.public_subnets:
+            logger.warning("Using public subnets for RDS instance - not recommended for production")
+            return ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)
+        
+        else:
+            raise ValueError("No subnets available in VPC for RDS instance")
+
     def _create_db_instance(self, db_name: str) -> rds.DatabaseInstance:
         """Create a new RDS instance"""
         # Configure subnet group
         # If we have subnet IDs from SSM, create a DB subnet group explicitly
         db_subnet_group = None
-        if "subnet_ids" in self.ssm_imported_values:
-            subnet_ids_str = self.ssm_imported_values["subnet_ids"]
-            # Split the comma-separated token into a list
-            subnet_ids_list = cdk.Fn.split(",", subnet_ids_str)
-            
-            # Create DB subnet group with the token-based subnet list
-            db_subnet_group = rds.CfnDBSubnetGroup(
-                self,
-                "DBSubnetGroup",
-                db_subnet_group_description=f"Subnet group for {db_name}",
-                subnet_ids=subnet_ids_list,
-                db_subnet_group_name=f"{db_name}-subnet-group"
-            )
+        subnet_ids = self.get_subnet_ids(self.rds_config)
+        
+        if subnet_ids:
+            # For CloudFormation token resolution, we need to get the raw SSM value
+            # Use the standardized SSM imports
+            ssm_imports = self.get_all_ssm_imports()
+            if "subnet_ids" in ssm_imports:
+                subnet_ids_str = ssm_imports["subnet_ids"]
+                # Split the comma-separated token into a list for CloudFormation
+                subnet_ids_list = cdk.Fn.split(",", subnet_ids_str)
+                
+                # Create DB subnet group with the token-based subnet list
+                db_subnet_group = rds.CfnDBSubnetGroup(
+                    self,
+                    "DBSubnetGroup",
+                    db_subnet_group_description=f"Subnet group for {db_name}",
+                    subnet_ids=subnet_ids_list,
+                    db_subnet_group_name=f"{db_name}-subnet-group"
+                )
         
         # Configure subnet selection for VPC (when not using SSM imports)
-        subnets = None if db_subnet_group else ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
+        subnets = None if db_subnet_group else self._get_subnet_selection()
 
         # Configure engine
         engine_version = None

cdk_factory/stack_library/route53/route53_stack.py

@@ -18,7 +18,7 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.route53 import Route53Config
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -27,7 +27,7 @@ logger = Logger(service="Route53Stack")
 
 @register_stack("route53_library_module")
 @register_stack("route53_stack")
-class Route53Stack(IStack, EnhancedSsmParameterMixin):
+class Route53Stack(IStack, StandardizedSsmMixin):
     """
     Reusable stack for AWS Route53.
     Supports creating hosted zones, DNS records, and certificate validation.