cdk-factory 0.16.15__py3-none-any.whl → 0.20.0__py3-none-any.whl

cdk_factory/stack_library/vpc/vpc_stack.py

@@ -1,5 +1,5 @@
 """
-VPC Stack Pattern for CDK-Factory
+VPC Stack Pattern for CDK-Factory (Standardized SSM Version)
 Maintainers: Eric Wilson
 MIT License.  See Project Root for the license information.
 """
@@ -15,23 +15,35 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.vpc import VpcConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
-logger = Logger(service="VpcStack")
+logger = Logger(service="VpcStackStandardized")
 
 
 @register_stack("vpc_library_module")
 @register_stack("vpc_stack")
-class VpcStack(IStack, EnhancedSsmParameterMixin):
+class VpcStack(IStack, StandardizedSsmMixin):
     """
-    Reusable stack for AWS VPC.
-    Supports creating VPCs with customizable CIDR blocks, subnets, and networking components.
+    Reusable stack for AWS VPC with standardized SSM integration.
+    
+    This version uses the StandardizedSsmMixin to provide consistent SSM parameter
+    handling across all CDK Factory modules.
+    
+    Key Features:
+    - Standardized SSM import/export patterns
+    - Template variable resolution
+    - Comprehensive validation
+    - Clear error handling
+    - Backward compatibility
     """
 
     def __init__(self, scope: Construct, id: str, **kwargs) -> None:
+        # Initialize parent classes properly
         super().__init__(scope, id, **kwargs)
+        
+        # Initialize module attributes
         self.vpc_config = None
         self.stack_config = None
         self.deployment = None
@@ -61,15 +73,21 @@ class VpcStack(IStack, EnhancedSsmParameterMixin):
         self.vpc_config = VpcConfig(stack_config.dictionary.get("vpc", {}), deployment)
         vpc_name = deployment.build_resource_name(self.vpc_config.name)
 
-        # Setup enhanced SSM integration
-        self.setup_enhanced_ssm_integration(self, self.vpc_config)
+        # Setup standardized SSM integration
+        self.setup_ssm_integration(
+            scope=self,
+            config=self.vpc_config,
+            resource_type="vpc",
+            resource_name=vpc_name,
+            deployment=deployment,
+            workload=workload
+        )
+
+        # Process SSM imports using standardized method
+        self.process_ssm_imports()
 
         # Import any required resources from SSM
-        imported_resources = self.auto_import_resources({
-            "deployment_name": deployment.name,
-            "environment": deployment.environment,
-            "workload_name": workload.name
-        })
+        imported_resources = self.get_all_ssm_imports()
         
         if imported_resources:
             logger.info(f"Imported resources from SSM: {list(imported_resources.keys())}")
@@ -79,6 +97,11 @@ class VpcStack(IStack, EnhancedSsmParameterMixin):
 
         # Add outputs
         self._add_outputs(vpc_name)
+        
+        # Export SSM parameters
+        self._export_ssm_parameters()
+
+        logger.info(f"VPC {vpc_name} built successfully")
 
     def _create_vpc(self, vpc_name: str) -> ec2.Vpc:
         """Create a VPC with the specified configuration"""
@@ -97,23 +120,25 @@ class VpcStack(IStack, EnhancedSsmParameterMixin):
             # Explicitly list AZs for the region to avoid dummy values
             max_azs = self.vpc_config.max_azs or 2
             if region == "us-east-1":
-                availability_zones = [f"us-east-1{chr(97+i)}" for i in range(max_azs)]  # us-east-1a, us-east-1b, etc.
+                availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"][:max_azs]
             elif region == "us-east-2":
-                availability_zones = [f"us-east-2{chr(97+i)}" for i in range(max_azs)]
+                availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"][:max_azs]
             elif region == "us-west-1":
-                availability_zones = [f"us-west-1{chr(97+i)}" for i in range(max_azs)]
+                availability_zones = ["us-west-1a", "us-west-1c"][:max_azs]
             elif region == "us-west-2":
-                availability_zones = [f"us-west-2{chr(97+i)}" for i in range(max_azs)]
-        
+                availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"][:max_azs]
+
         # Build VPC properties
-        # Note: CDK doesn't allow both 'availability_zones' and 'max_azs' - use one or the other
         vpc_props = {
             "vpc_name": vpc_name,
-            "cidr": self.vpc_config.cidr,
+            "ip_addresses": ec2.IpAddresses.cidr(self.vpc_config.cidr),
             "nat_gateways": nat_gateway_count,
             "subnet_configuration": subnet_configuration,
             "enable_dns_hostnames": self.vpc_config.enable_dns_hostnames,
             "enable_dns_support": self.vpc_config.enable_dns_support,
+            "max_azs": self.vpc_config.max_azs if not availability_zones else None,
+            "availability_zones": availability_zones,  # Use explicit AZs when available
+            "restrict_default_security_group": self.vpc_config.get("restrict_default_security_group", False),
             "gateway_endpoints": (
                 {
                     "S3": ec2.GatewayVpcEndpointOptions(
@@ -125,15 +150,19 @@ class VpcStack(IStack, EnhancedSsmParameterMixin):
             ),
         }
         
-        # Use either availability_zones or max_azs, not both
-        if availability_zones:
-            vpc_props["availability_zones"] = availability_zones
-        else:
-            vpc_props["max_azs"] = self.vpc_config.max_azs
-        
         # Create the VPC
         vpc = ec2.Vpc(self, vpc_name, **vpc_props)
 
+        # Add IAM permissions for default security group restriction if enabled
+        if self.vpc_config.get("restrict_default_security_group", False):
+            self._add_default_sg_restriction_permissions(vpc)
+        else:
+            # Note: When disabling, existing restrictions remain
+            # This is AWS CDK's behavior - custom resources clean up themselves,
+            # but security group rules they created persist
+            # Users can manually clean up if needed via AWS Console
+            pass
+
         # Add interface endpoints if specified
         if self.vpc_config.enable_interface_endpoints:
             self._add_interface_endpoints(vpc, self.vpc_config.interface_endpoints)
@@ -147,152 +176,164 @@ class VpcStack(IStack, EnhancedSsmParameterMixin):
     def _get_subnet_configuration(self) -> List[ec2.SubnetConfiguration]:
         """Configure the subnets for the VPC"""
         subnet_configs = []
-
+        
         # Public subnets
-        if self.vpc_config.public_subnets:
+        if self.vpc_config.subnets.get("public", {}).get("enabled", True):
+            public_config = self.vpc_config.subnets["public"]
             subnet_configs.append(
                 ec2.SubnetConfiguration(
                     name=self.vpc_config.public_subnet_name,
                     subnet_type=ec2.SubnetType.PUBLIC,
-                    cidr_mask=self.vpc_config.public_subnet_mask,
+                    cidr_mask=public_config.get("cidr_mask", 24),
+                    map_public_ip_on_launch=public_config.get("map_public_ip", True),
                 )
             )
-
+        
         # Private subnets
-        if self.vpc_config.private_subnets:
+        if self.vpc_config.subnets.get("private", {}).get("enabled", True):
+            private_config = self.vpc_config.subnets["private"]
             subnet_configs.append(
                 ec2.SubnetConfiguration(
                     name=self.vpc_config.private_subnet_name,
                     subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
-                    cidr_mask=self.vpc_config.private_subnet_mask,
+                    cidr_mask=private_config.get("cidr_mask", 24),
                 )
             )
-
+        
         # Isolated subnets
-        if self.vpc_config.isolated_subnets:
+        if self.vpc_config.subnets.get("isolated", {}).get("enabled", False):
+            isolated_config = self.vpc_config.subnets["isolated"]
             subnet_configs.append(
                 ec2.SubnetConfiguration(
                     name=self.vpc_config.isolated_subnet_name,
                     subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
-                    cidr_mask=self.vpc_config.isolated_subnet_mask,
+                    cidr_mask=isolated_config.get("cidr_mask", 24),
                 )
             )
-
+        
         return subnet_configs
 
-    def _get_nat_gateway_configuration(self) -> Dict[str, Any]:
-        """Configure NAT gateways for the VPC"""
-        return self.vpc_config.nat_gateways
-
     def _add_interface_endpoints(self, vpc: ec2.Vpc, endpoints: List[str]) -> None:
-        """Add interface endpoints to the VPC"""
-        # Common interface endpoints
+        """Add VPC interface endpoints"""
         endpoint_services = {
             "ecr.api": ec2.InterfaceVpcEndpointAwsService.ECR,
             "ecr.dkr": ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
-            "logs": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
-            "ssm": ec2.InterfaceVpcEndpointAwsService.SSM,
+            "ec2": ec2.InterfaceVpcEndpointAwsService.EC2,
+            "ecs": ec2.InterfaceVpcEndpointAwsService.ECS,
+            "lambda": ec2.InterfaceVpcEndpointAwsService.LAMBDA,
             "secretsmanager": ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
-            "lambda": ec2.InterfaceVpcEndpointAwsService.LAMBDA_,
-            "sts": ec2.InterfaceVpcEndpointAwsService.STS,
+            "ssm": ec2.InterfaceVpcEndpointAwsService.SSM,
+            "kms": ec2.InterfaceVpcEndpointAwsService.KMS,
         }
-
-        # Add specified endpoints
-        for endpoint in endpoints:
-            if endpoint in endpoint_services:
+        
+        for endpoint_name in endpoints:
+            if endpoint_name in endpoint_services:
                 vpc.add_interface_endpoint(
-                    f"{endpoint}-endpoint", service=endpoint_services[endpoint]
+                    f"{endpoint_name}-endpoint",
+                    service=endpoint_services[endpoint_name],
+                    subnets=ec2.SubnetSelection(
+                        subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
+                    ),
                 )
+                logger.info(f"Added interface endpoint: {endpoint_name}")
             else:
-                logger.warning(f"Unsupported interface endpoint: {endpoint}")
+                logger.warning(f"Unknown interface endpoint: {endpoint_name}")
 
     def _add_outputs(self, vpc_name: str) -> None:
         """Add CloudFormation outputs for the VPC"""
-        if self.vpc:
-            cdk.CfnOutput(
-                self,
-                f"{vpc_name}-id",
-                value=self.vpc.vpc_id,
-                export_name=f"{self.deployment.build_resource_name(vpc_name)}-id",
-            )
-
-            cdk.CfnOutput(
-                self,
-                f"{vpc_name}-public-subnets",
-                value=",".join(
-                    [subnet.subnet_id for subnet in self.vpc.public_subnets]
-                ),
-                export_name=f"{self.deployment.build_resource_name(vpc_name)}-public-subnets",
-            )
-
-            if self.vpc.private_subnets:
-                cdk.CfnOutput(
-                    self,
-                    f"{vpc_name}-private-subnets",
-                    value=",".join(
-                        [subnet.subnet_id for subnet in self.vpc.private_subnets]
-                    ),
-                    export_name=f"{self.deployment.build_resource_name(vpc_name)}-private-subnets",
-                )
+        return
+       
 
-            if hasattr(self.vpc, "isolated_subnets") and self.vpc.isolated_subnets:
-                cdk.CfnOutput(
-                    self,
-                    f"{vpc_name}-isolated-subnets",
-                    value=",".join(
-                        [subnet.subnet_id for subnet in self.vpc.isolated_subnets]
-                    ),
-                    export_name=f"{self.deployment.build_resource_name(vpc_name)}-isolated-subnets",
-                )
-
-            # Export SSM parameters if configured
-            self._export_ssm_parameters(vpc_name)
-
-    def _export_ssm_parameters(self, vpc_name: str) -> None:
-        """Export VPC resources to SSM Parameter Store using enhanced auto-export"""
+    def _export_ssm_parameters(self) -> None:
+        """Export SSM parameters using standardized approach"""
         if not self.vpc:
+            logger.warning("No VPC to export")
             return
 
-        # Create a dictionary of VPC resources to export
-        vpc_resources = {
+        # Prepare resource values for export
+        resource_values = {
             "vpc_id": self.vpc.vpc_id,
-            "vpc_cidr": self.vpc.vpc_cidr_block,
+            "public_subnet_ids": ",".join([subnet.subnet_id for subnet in self.vpc.public_subnets]) if self.vpc.public_subnets else "",
+            "private_subnet_ids": ",".join([subnet.subnet_id for subnet in self.vpc.private_subnets]) if self.vpc.private_subnets else "",
+            "isolated_subnet_ids": ",".join([subnet.subnet_id for subnet in self.vpc.isolated_subnets]) if self.vpc.isolated_subnets else "",
         }
+        
+        # Add route table IDs if available - commented out due to CDK API issues
+        # public_route_table_ids = []
+        # if self.vpc.public_subnets:
+        #     for subnet in self.vpc.public_subnets:
+        #         # Access route table through the subnet's route table association
+        #         for association in subnet.node.children:
+        #             if hasattr(association, 'route_table_id') and association.route_table_id:
+        #                 public_route_table_ids.append(association.route_table_id)
+        # 
+        # if public_route_table_ids:
+        #     resource_values["public_route_table_ids"] = public_route_table_ids
+        # 
+        # private_route_table_ids = []
+        # if self.vpc.private_subnets:
+        #     for subnet in self.vpc.private_subnets:
+        #         # Access route table through the subnet's route table association
+        #         for association in subnet.node.children:
+        #             if hasattr(association, 'route_table_id') and association.route_table_id:
+        #                 private_route_table_ids.append(association.route_table_id)
+        # 
+        # if private_route_table_ids:
+        #     resource_values["private_route_table_ids"] = private_route_table_ids
+        
+        # Add NAT Gateway IDs if available - simplified to avoid None values
+        nat_gateway_ids = []
+        for subnet in self.vpc.public_subnets:
+            if hasattr(subnet, 'node') and subnet.node:
+                for child in subnet.node.children:
+                    if hasattr(child, 'nat_gateway_id') and child.nat_gateway_id:
+                        nat_gateway_ids.append(child.nat_gateway_id)
+        if nat_gateway_ids:
+            resource_values["nat_gateway_ids"] = ",".join(nat_gateway_ids)
+        
+        # Add Internet Gateway ID if available
+        if hasattr(self.vpc, 'internet_gateway_id') and self.vpc.internet_gateway_id:
+            resource_values["internet_gateway_id"] = self.vpc.internet_gateway_id
 
-        # Add subnet IDs as comma-separated lists
-        if self.vpc.public_subnets:
-            vpc_resources["public_subnet_ids"] = ",".join(
-                [subnet.subnet_id for subnet in self.vpc.public_subnets]
-            )
-
-        if self.vpc.private_subnets:
-            vpc_resources["private_subnet_ids"] = ",".join(
-                [subnet.subnet_id for subnet in self.vpc.private_subnets]
-            )
-
-        if hasattr(self.vpc, "isolated_subnets") and self.vpc.isolated_subnets:
-            vpc_resources["isolated_subnet_ids"] = ",".join(
-                [subnet.subnet_id for subnet in self.vpc.isolated_subnets]
-            )
+        # Export using standardized SSM mixin
+        exported_params = self.export_ssm_parameters(resource_values)
+        
+        logger.info(f"Exported SSM parameters: {exported_params}")
 
-        # Use enhanced auto-export with context
-        context = {
-            "deployment_name": self.deployment.name,
-            "environment": self.deployment.environment,
-            "workload_name": self.workload.name
-        }
+    def _add_default_sg_restriction_permissions(self, vpc: ec2.Vpc) -> None:
+        """
+        Add IAM permissions required for default security group restriction.
         
-        exported_params = self.auto_export_resources(vpc_resources, context)
+        CDK creates a custom resource that needs ec2:AuthorizeSecurityGroupIngress
+        permission to restrict the default security group.
+        """
+        from aws_cdk import aws_iam as iam
         
-        if exported_params:
-            logger.info(f"Auto-exported VPC resources to SSM: {list(exported_params.keys())}")
-        else:
-            # Fall back to legacy method for backward compatibility
-            self.export_resource_to_ssm(
-                scope=self,
-                resource_values=vpc_resources,
-                config=self.vpc_config,
-                resource_name=vpc_name,
-                resource_type="vpc",
-                context=context
-            )
+        # Find the custom resource role that CDK creates for default SG restriction
+        # The role follows a naming pattern: {VpcName}-CustomVpcRestrictDefaultSGCustomResource*
+        
+        # Grant the required permissions to all roles in this stack that might need it
+        # This is a broad approach since we can't easily predict the exact role name
+        for child in self.node.children:
+            if hasattr(child, 'role') and hasattr(child.role, 'add_to_policy'):
+                child.role.add_to_policy(iam.PolicyStatement(
+                    actions=[
+                        "ec2:AuthorizeSecurityGroupIngress",
+                        "ec2:RevokeSecurityGroupIngress", 
+                        "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
+                    ],
+                    resources=[vpc.vpc_default_security_group.security_group_arn]
+                ))
+
+    # Backward compatibility methods
+    def auto_export_resources(self, resource_values: Dict[str, Any], context: Dict[str, Any] = None) -> Dict[str, str]:
+        """Backward compatibility method for existing modules."""
+        return self.export_ssm_parameters(resource_values)
+
+    def auto_import_resources(self, context: Dict[str, Any] = None) -> Dict[str, Any]:
+        """Backward compatibility method for existing modules."""
+        return self.get_all_ssm_imports()
+
+
+# Backward compatibility alias
+VpcStackStandardized = VpcStack

cdk_factory/stack_library/websites/static_website_stack.py

@@ -113,12 +113,16 @@ class StaticWebSiteStack(IStack):
         self, stack_config: StackConfig, workload: WorkloadConfig
     ) -> str:
         source = stack_config.dictionary.get("src", {}).get("path")
+        if not source:
+            raise ValueError("Source path is required for static website stack")
         for base in workload.paths:
-            candidate = Path(os.path.join(Path(base), source)).resolve()
+            if base is None:
+                continue
+            candidate = Path(os.path.join(str(Path(base)), source)).resolve()
 
             if candidate.exists():
                 return str(candidate)
-        raise ValueError(f"Could not find the source path: {source}")
+        raise ValueError(f"Could not find the source path for static site: {source}")
 
     def __setup_cloudfront_distribution(
         self,
@@ -225,7 +229,7 @@ class StaticWebSiteStack(IStack):
             bucket: The S3 bucket
             cloudfront_distribution: The CloudFront distribution construct
         """
-        ssm_exports = stack_config.dictionary.get("ssm_exports", {})
+        ssm_exports = stack_config.dictionary.get("ssm", {}).get("exports", {})
         
         if not ssm_exports:
             logger.debug("No SSM exports configured for this stack")

cdk_factory/utilities/api_gateway_integration_utility.py

@@ -537,34 +537,42 @@ class ApiGatewayIntegrationUtility:
 
                 if ssm_path:
                     # Use enhanced SSM parameter import with auto-discovery support
-                    from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import (
-                        EnhancedSsmParameterMixin,
+                    from cdk_factory.interfaces.standardized_ssm_mixin import (
+                        StandardizedSsmMixin,
                     )
 
-                    ssm_mixin = EnhancedSsmParameterMixin()
+                    ssm_mixin = StandardizedSsmMixin()
 
                     # Setup enhanced SSM integration for auto-import
                     # Use "user-pool" as resource identifier for SSM paths to match cognito exports
-                    ssm_mixin.setup_enhanced_ssm_integration(
+                    api_gateway_config = stack_config.dictionary.get("api_gateway", {}).copy()
+                    
+                    # Configure SSM imports for auto-discovery
+                    if ssm_path == "auto":
+                        if "ssm" not in api_gateway_config:
+                            api_gateway_config["ssm"] = {}
+                        if "imports" not in api_gateway_config["ssm"]:
+                            api_gateway_config["ssm"]["imports"] = {}
+                        api_gateway_config["ssm"]["imports"]["user_pool_arn"] = "/{{ORGANIZATION}}/{{ENVIRONMENT}}/cognito/user-pool/arn"
+                    
+                    ssm_mixin.setup_ssm_integration(
                         scope=self.scope,
-                        config=stack_config.dictionary.get("api_gateway", {}),
+                        config=api_gateway_config,
                         resource_type="cognito",
                         resource_name="user-pool",
                     )
 
-                    # If ssm_path is "auto", use auto-import mechanism
+                    # Get user pool ARN using new pattern - read directly from config
                     if ssm_path == "auto":
                         logger.info("Using auto-import for user pool ARN")
-                        imported_values = ssm_mixin.auto_import_resources()
-                        user_pool_arn = imported_values.get("user_pool_arn")
+                        ssm_imports = api_gateway_config.get("ssm", {}).get("imports", {})
+                        user_pool_arn = ssm_imports.get("user_pool_arn")
                     else:
                         # Use direct parameter import for specific SSM path
                         logger.info(
                             f"Looking up user pool ARN from SSM parameter: {ssm_path}"
                         )
-                        user_pool_arn = ssm_mixin._import_enhanced_ssm_parameter(
-                            ssm_path, "user_pool_arn"
-                        )
+                        user_pool_arn = ssm_mixin._resolve_single_ssm_import(ssm_path, "user_pool_arn")
 
             # Extract user pool ID from ARN if we have it
             if user_pool_arn and not user_pool_id:
@@ -866,15 +874,15 @@ class ApiGatewayIntegrationUtility:
 
         if ssm_config.get("enabled", False):
             try:
-                from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import (
-                    EnhancedSsmParameterMixin,
+                from cdk_factory.interfaces.standardized_ssm_mixin import (
+                    StandardizedSsmMixin,
                 )
 
-                ssm_mixin = EnhancedSsmParameterMixin()
+                ssm_mixin = StandardizedSsmMixin()
 
                 # Setup enhanced SSM integration for auto-import
                 # Use consistent resource name for cross-stack compatibility
-                ssm_mixin.setup_enhanced_ssm_integration(
+                ssm_mixin.setup_ssm_integration(
                     scope=self.scope,
                     config=api_gateway_config,
                     resource_type="api-gateway",
@@ -900,7 +908,7 @@ class ApiGatewayIntegrationUtility:
                         logger.info(
                             f"Looking up authorizer ID from SSM parameter: {import_value}"
                         )
-                        authorizer_id = ssm_mixin._import_enhanced_ssm_parameter(
+                        authorizer_id = ssm_mixin._resolve_single_ssm_import(
                             import_value, "authorizer_id"
                         )
                         if authorizer_id:

cdk_factory/utilities/environment_services.py

@@ -23,9 +23,9 @@ logger = Logger(__name__)
 
 class EnvironmentVariables:
     """
-    Easy access to allo the environment variables we use in the appliction.
-    It's a best practice to use this vs doing and os.getevn in each application.
-    This helps us track all the enviroment variables in use
+    Easy access to allow the environment variables we use in the application.
+    It's a best practice to use this vs doing and os.getenv in each application.
+    This helps us track all the environment variables in use
     """
 
     @staticmethod
@@ -173,9 +173,9 @@ class EnvironmentServices:
             environment = {}
         # more verbose
         environment["WORKLOAD_NAME"] = deployment.workload.get("name", "NA")
-        environment["ENVIRONMENT_NAME"] = deployment.environment
+        environment["ENVIRONMENT_NAME"] = deployment.workload.get("environment", deployment.environment)
         environment["DEPLOYMENT_NAME"] = deployment.name
-        environment["ENVIRONMENT"] = deployment.environment
+        environment["ENVIRONMENT"] = deployment.workload.get("environment", deployment.environment)
         environment["PIPELINE"] = deployment.pipeline.get("name", "NA")
         environment["ACCOUNT"] = deployment.account
         environment["DEPLOYMENT"] = deployment.name

cdk_factory/utilities/json_loading_utility.py

@@ -212,7 +212,7 @@ class JsonLoadingUtility:
             replacements = {
                 "{{workload-name}}": "geekcafe",
                 "{{deployment-name}}": "dev",
-                "{{awsAccount}}": "123456789012",
+                "{{awsAccount}}": os.environ.get("AWS_ACCOUNT", "123456789012"),
                 "{{hostedZoneName}}": "sandbox.geekcafe.com",
                 "{{placeholder}}": "DYNAMIC_VALUE"
             }