cdk-factory 0.16.15__py3-none-any.whl → 0.20.0__py3-none-any.whl

cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -25,7 +25,7 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.lambda_edge import LambdaEdgeConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -34,7 +34,7 @@ logger = Logger(service="LambdaEdgeStack")
 
 @register_stack("lambda_edge_library_module")
 @register_stack("lambda_edge_stack")
-class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
+class LambdaEdgeStack(IStack, StandardizedSsmMixin):
     """
     Reusable stack for Lambda@Edge functions.
     
@@ -53,6 +53,8 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         self.workload: Optional[WorkloadConfig] = None
         self.function: Optional[_lambda.Function] = None
         self.function_version: Optional[_lambda.Version] = None
+        # Cache for resolved environment variables to prevent duplicate construct creation
+        self._resolved_env_cache: Optional[Dict[str, str]] = None
 
     def build(
         self,
@@ -98,41 +100,74 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         # Create version (required for Lambda@Edge)
         self._create_function_version(function_name)
         
+        # Configure edge log retention for regional logs
+        self._configure_edge_log_retention(function_name)
+        
         # Add outputs
         self._add_outputs(function_name)
 
+    def _sanitize_construct_name(self, name: str) -> str:
+        """
+        Create a deterministic, valid CDK construct name from any string.
+        Replaces non-alphanumeric characters with dashes and limits length.
+        """
+        # Replace non-alphanumeric characters with dashes
+        sanitized = ''.join(c if c.isalnum() else '-' for c in name)
+        # Remove consecutive dashes
+        while '--' in sanitized:
+            sanitized = sanitized.replace('--', '-')
+        # Remove leading/trailing dashes
+        sanitized = sanitized.strip('-')
+        # Limit to 255 characters (CDK limit)
+        return sanitized[:255]
+
     def _resolve_environment_variables(self) -> Dict[str, str]:
         """
         Resolve environment variables, including SSM parameter references.
         Supports {{ssm:parameter-path}} syntax for dynamic SSM lookups.
         Uses CDK tokens that resolve at deployment time, not synthesis time.
+        Caches results to prevent duplicate construct creation.
         """
+        # Return cached result if available
+        if self._resolved_env_cache is not None:
+            return self._resolved_env_cache
+        
         resolved_env = {}
         
-        for key, value in self.edge_config.environment.items():
+        # Use the new simplified configuration structure
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        ui_config = configuration.get("ui", {})
+        
+        for key, value in runtime_config.items():
             # Check if value is an SSM parameter reference
             if isinstance(value, str) and value.startswith("{{ssm:") and value.endswith("}}"):
                 # Extract SSM parameter path
                 ssm_param_path = value[6:-2]  # Remove {{ssm: and }}
                 
+                # Create deterministic construct name from parameter path
+                construct_name = self._sanitize_construct_name(f"env-{key}-{ssm_param_path}")
+                
                 # Import SSM parameter - this creates a token that resolves at deployment time
                 param = ssm.StringParameter.from_string_parameter_name(
                     self,
-                    f"env-{key}-{hash(ssm_param_path) % 10000}",
+                    construct_name,
                     ssm_param_path
                 )
                 resolved_value = param.string_value
-                logger.info(f"Resolved environment variable {key} from SSM {ssm_param_path}")
+                logger.info(f"Resolved environment variable {key} from SSM {ssm_param_path} as {construct_name}")
                 resolved_env[key] = resolved_value
             else:
                 resolved_env[key] = value
         
+        # Cache the result
+        self._resolved_env_cache = resolved_env
         return resolved_env
 
     def _create_lambda_function(self, function_name: str) -> None:
         """Create the Lambda function"""
         
-        # Resolve code path - support package references (e.g., "cdk_factory:lambdas/edge/ip_gate")
+        # Resolve code path - support package references (e.g., "cdk_factory:lambdas/cloudfront/ip_gate")
         code_path_str = self.edge_config.code_path
         
         if ':' in code_path_str:
@@ -185,10 +220,19 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         # Create runtime configuration file for Lambda@Edge
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         # Use the full function_name (e.g., "tech-talk-dev-ip-gate") not just the base name
+        resolved_env = self._resolve_environment_variables()
+        
+        # Get the UI configuration
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        ui_config = configuration.get("ui", {})
+        
         runtime_config = {
             'environment': self.deployment.environment,
+            'workload': self.deployment.workload,
             'function_name': function_name,
-            'region': self.deployment.region
+            'region': self.deployment.region,
+            'runtime': resolved_env,  # Runtime variables (SSM, etc.)
+            'ui': ui_config  # UI configuration (colors, messages, etc.)
         }
         
         runtime_config_path = temp_code_dir / 'runtime_config.json'
@@ -216,21 +260,17 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             self.edge_config.runtime,
             _lambda.Runtime.PYTHON_3_11
         )
-        
-        # Lambda@Edge does NOT support environment variables
-        # Configuration must be handled via:
-        # 1. Hardcoded in the function code
-        # 2. Fetched from SSM Parameter Store at runtime
-        # 3. Other configuration mechanisms
-        
+
         # Log warning if environment variables are configured
-        if self.edge_config.environment:
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        
+        if runtime_config:
             logger.warning(
                 f"Lambda@Edge function '{function_name}' has environment variables configured, "
-                "but Lambda@Edge does not support environment variables. "
-                "The function must fetch these values from SSM Parameter Store at runtime."
+                "but Lambda@Edge does not support environment variables. The function must fetch these values from SSM Parameter Store at runtime."
             )
-            for key, value in self.edge_config.environment.items():
+            for key, value in runtime_config.items():
                 logger.warning(f"  - {key}: {value}")
         
         # Create execution role with CloudWatch Logs and SSM permissions
@@ -239,7 +279,8 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             f"{function_name}-Role",
             assumed_by=iam.CompositePrincipal(
                 iam.ServicePrincipal("lambda.amazonaws.com"),
-                iam.ServicePrincipal("edgelambda.amazonaws.com")
+                iam.ServicePrincipal("edgelambda.amazonaws.com"),
+                iam.ServicePrincipal("cloudfront.amazonaws.com")  # Add CloudFront service principal
             ),
             description=f"Execution role for Lambda@Edge function {function_name}",
             managed_policies=[
@@ -250,7 +291,7 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         )
         
         # Add SSM read permissions if environment variables reference SSM parameters
-        if self.edge_config.environment:
+        if runtime_config:
             execution_role.add_to_policy(
                 iam.PolicyStatement(
                     effect=iam.Effect.ALLOW,
@@ -260,12 +301,90 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
                         "ssm:GetParametersByPath"
                     ],
                     resources=[
-                        f"arn:aws:ssm:*:{cdk.Aws.ACCOUNT_ID}:parameter/*"
+                        f"arn:aws:ssm:*:{self.deployment.account}:parameter/*"
                     ]
                 )
             )
         
-        # Create the Lambda function WITHOUT environment variables
+        # Add Secrets Manager permissions for origin secret access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "secretsmanager:GetSecretValue",
+                    "secretsmanager:DescribeSecret"
+                ],
+                resources=[
+                    f"arn:aws:secretsmanager:*:{self.deployment.account}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                ]
+            )
+        )
+        
+        # Add ELB permissions for target health API access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "elasticloadbalancing:DescribeTargetHealth",
+                    "elasticloadbalancing:DescribeTargetGroups",
+                    "elasticloadbalancing:DescribeLoadBalancers",
+                    "elasticloadbalancing:DescribeListeners",
+                    "elasticloadbalancing:DescribeTags"
+                ],
+                resources=[
+                    f"arn:aws:elasticloadbalancing:*:{self.deployment.account}:targetgroup/*/*",
+                    f"arn:aws:elasticloadbalancing:*:{self.deployment.account}:loadbalancer/*/*",
+                    f"arn:aws:elasticloadbalancing:*:{self.deployment.account}:listener/*/*/*/*"
+                ]
+            )
+        )
+        
+        # Add ACM permissions for certificate validation
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "acm:DescribeCertificate",
+                    "acm:ListCertificates"
+                ],
+                resources=[
+                    f"arn:aws:acm:*:{self.deployment.account}:certificate/*"
+                ]
+            )
+        )
+        
+        # Add Route 53 permissions for health check access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "route53:GetHealthCheckStatus",
+                    "route53:ListHealthChecks",
+                    "route53:GetHealthCheck"
+                ],
+                resources=[
+                    f"arn:aws:route53:::{self.deployment.account}:health-check/*"
+                ]
+            )
+        )
+        
+        # Add CloudWatch permissions for enhanced logging and metrics
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                    "cloudwatch:PutMetricData"
+                ],
+                resources=[
+                    f"arn:aws:logs:*:{self.deployment.account}:log-group:/aws/lambda/*",
+                    f"arn:aws:cloudwatch:*:{self.deployment.account}:metric:*"
+                ]
+            )
+        )
+    
         self.function = _lambda.Function(
             self,
             function_name,
@@ -278,6 +397,7 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
             description=self.edge_config.description,
             role=execution_role,
             # Lambda@Edge does NOT support environment variables
+            # Configuration must be fetched from SSM at runtime
             log_retention=logs.RetentionDays.ONE_WEEK,
         )
         
@@ -285,6 +405,36 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
         for key, value in self.edge_config.tags.items():
             cdk.Tags.of(self.function).add(key, value)
 
+        # Add resource-based policy allowing CloudFront to invoke the Lambda function
+        # This is REQUIRED for Lambda@Edge to work properly
+        permission_kwargs = {
+            "principal": iam.ServicePrincipal("cloudfront.amazonaws.com"),
+            "action": "lambda:InvokeFunction",
+        }
+        
+        # Optional: Add source ARN restriction if CloudFront distribution ARN is available
+        # This provides more secure permission scoping
+        distribution_arn_path = f"/{self.deployment.environment}/{self.workload.name}/cloudfront/arn"
+        try:
+            distribution_arn = ssm.StringParameter.from_string_parameter_name(
+                self,
+                "cloudfront-distribution-arn",
+                distribution_arn_path
+            ).string_value
+            
+            # Add source ARN condition for more secure permission scoping
+            permission_kwargs["source_arn"] = distribution_arn
+            logger.info(f"Adding CloudFront permission with source ARN restriction: {distribution_arn}")
+        except Exception:
+            # Distribution ARN not available (common during initial deployment)
+            # CloudFront will scope the permission appropriately when it associates the Lambda
+            logger.warning(f"CloudFront distribution ARN not found at {distribution_arn_path}, using open permission")
+        
+        self.function.add_permission(
+            "CloudFrontInvokePermission",
+            **permission_kwargs
+        )
+
     def _create_function_version(self, function_name: str) -> None:
         """
         Create a version of the Lambda function.
@@ -300,36 +450,49 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
                 f"Version for Lambda@Edge deployment - {self.edge_config.description}"
             )
 
-    def _add_outputs(self, function_name: str) -> None:
-        """Add CloudFormation outputs and SSM exports"""
+    def _configure_edge_log_retention(self, function_name: str) -> None:
+        """
+        Configure log retention for Lambda@Edge log groups in all edge regions
         
-        # CloudFormation outputs
-        cdk.CfnOutput(
-            self,
-            "FunctionName",
-            value=self.function.function_name,
-            description="Lambda function name",
-            export_name=f"{function_name}-name"
-        )
+        TODO: IMPLEMENT POST-DEPLOYMENT SOLUTION
+        --------------------------------------
+        Lambda@Edge log groups are created on-demand when the function is invoked
+        at edge locations, not during deployment. This means we cannot set retention
+        policies during CloudFormation deployment.
         
-        cdk.CfnOutput(
-            self,
-            "FunctionArn",
-            value=self.function.function_arn,
-            description="Lambda function ARN (unversioned)",
-            export_name=f"{function_name}-arn"
-        )
+        Possible solutions to implement:
+        1. EventBridge rule that triggers on log group creation
+        2. Custom Lambda function that runs periodically to set retention
+        3. Post-deployment script that waits for log groups to appear
+        4. CloudWatch Logs subscription filter that handles new log groups
         
-        cdk.CfnOutput(
-            self,
-            "FunctionVersionArn",
-            value=self.function_version.function_arn,
-            description="Lambda function version ARN (use this for Lambda@Edge)",
-            export_name=f"{function_name}-version-arn"
+        Current behavior: DISABLED to prevent deployment failures
+        """
+        
+        # DISABLED: Edge log groups don't exist during deployment
+        # Lambda@Edge creates log groups on-demand at edge locations
+        # Setting retention policies during deployment fails with "log group does not exist"
+        
+        edge_retention_days = self.edge_config.dictionary.get("edge_log_retention_days", 7)
+        logger.warning(
+            f"Edge log retention configuration disabled - log groups are created on-demand. "
+            f"Desired retention: {edge_retention_days} days. "
+            f"See TODO in _configure_edge_log_retention() for implementation approach."
         )
         
+        # TODO: Implement one of these solutions:
+        # 1. EventBridge + Lambda: Trigger on log group creation and set retention
+        # 2. Periodic Lambda: Scan for edge log groups and apply retention policies  
+        # 3. Post-deployment script: Wait for log groups to appear after edge replication
+        # 4. CloudWatch Logs subscription: Process new log group events
+        
+        return
+
+    def _add_outputs(self, function_name: str) -> None:
+        """Add CloudFormation outputs and SSM exports"""
+        
         # SSM Parameter Store exports (if configured)
-        ssm_exports = self.edge_config.dictionary.get("ssm_exports", {})
+        ssm_exports = self.edge_config.dictionary.get("ssm", {}).get("exports", {})
         if ssm_exports:
             export_values = {
                 "function_name": self.function.function_name,
@@ -349,40 +512,34 @@ class LambdaEdgeStack(IStack, EnhancedSsmParameterMixin):
                         description=f"{key} for Lambda@Edge function {function_name}"
                     )
         
-        # Export environment variables as SSM parameters
-        # Since Lambda@Edge doesn't support environment variables, we export them
-        # to SSM so the Lambda function can fetch them at runtime
-        if self.edge_config.environment:
-            logger.info("Exporting Lambda@Edge environment variables as SSM parameters")
-            env_ssm_exports = self.edge_config.dictionary.get("environment_ssm_exports", {})
-            
-            # If no explicit environment_ssm_exports, create default SSM paths
-            if not env_ssm_exports:
-                # Auto-generate SSM parameter names based on environment variable names
-                for env_key in self.edge_config.environment.keys():
-                    # Use snake_case version of the key for SSM path
-                    ssm_key = env_key.lower().replace('_', '-')
-                    env_ssm_exports[env_key] = f"/{self.deployment.environment}/{function_name}/{ssm_key}"
-            
-            # Resolve and export environment variables to SSM
-            resolved_env = self._resolve_environment_variables()
-            for env_key, ssm_path in env_ssm_exports.items():
-                if env_key in resolved_env:
-                    env_value = resolved_env[env_key]
-                    
-                    # Handle empty values - SSM doesn't allow empty strings
-                    # Use sentinel value "NONE" to indicate explicitly unset
-                    if not env_value or (isinstance(env_value, str) and env_value.strip() == ""):
-                        env_value = "NONE"
-                        logger.info(
-                            f"Environment variable {env_key} is empty - setting SSM parameter to 'NONE'. "
-                            f"Lambda function should treat 'NONE' as unset/disabled."
-                        )
-                    
-                    self.export_ssm_parameter(
-                        self,
-                        f"env-{env_key}-param",
-                        env_value,
-                        ssm_path,
-                        description=f"Configuration for Lambda@Edge: {env_key}"
-                    )
+        # Export the complete configuration as a single SSM parameter
+        config_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/config"
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        environment_variables = configuration.get("environment_variables", {})
+        
+        # Build full configuration that Lambda@Edge expects
+        full_config = {
+            "environment_variables": environment_variables,
+            "runtime": configuration.get("runtime", {}),
+            "ui": configuration.get("ui", {})
+        }
+        
+        self.export_ssm_parameter(
+            self,
+            "full-config-param",
+            json.dumps(full_config),
+            config_ssm_path,
+            description=f"Complete Lambda@Edge configuration for {function_name} - update this for dynamic changes"
+        )
+        
+        # Export cache TTL parameter for dynamic cache control
+        cache_ttl_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/cache-ttl"
+        default_cache_ttl = self.edge_config.dictionary.get("cache_ttl_seconds", 300)  # Default 5 minutes
+        
+        self.export_ssm_parameter(
+            self,
+            "cache-ttl-param",
+            str(default_cache_ttl),
+            cache_ttl_ssm_path,
+            description=f"Lambda@Edge configuration cache TTL in seconds for {function_name} - adjust for maintenance windows (30-3600)"
+        )