cdk-factory 0.16.15__py3-none-any.whl → 0.20.0__py3-none-any.whl

cdk_factory/interfaces/vpc_provider_mixin.py

@@ -6,7 +6,7 @@ MIT License. See Project Root for license information.
 
 from typing import Optional, List, Any
 from aws_lambda_powertools import Logger
-from aws_cdk import aws_ec2 as ec2
+from aws_cdk import aws_ec2 as ec2, aws_ssm as ssm
 from constructs import Construct
 
 logger = Logger(__name__)
@@ -18,13 +18,13 @@ class VPCProviderMixin:
     
     This mixin eliminates code duplication across stacks that need to resolve
     VPC references, providing a standardized way to handle:
-    - SSM imported VPC parameters (works with enhanced SsmParameterMixin)
+    - SSM imported VPC parameters (works with enhanced StandardizedSsmMixin)
     - Configuration-based VPC resolution
     - Workload-level VPC fallback
     - Error handling and validation
     
     Note: This mixin does NOT handle SSM imports directly - it expects
-    the SSM values to be available via the enhanced SsmParameterMixin.
+    the SSM values to be available via the enhanced StandardizedSsmMixin.
     """
 
     def _initialize_vpc_cache(self) -> None:
@@ -43,7 +43,7 @@ class VPCProviderMixin:
         Resolve VPC from multiple sources with standardized priority order.
         
         Priority order:
-        1. SSM imported VPC ID (from enhanced SsmParameterMixin)
+        1. SSM imported VPC ID (from config.ssm.imports)
         2. Config-level VPC ID
         3. Workload-level VPC ID
         4. Raise error if none found
@@ -63,19 +63,22 @@ class VPCProviderMixin:
         if self._vpc:
             return self._vpc
 
-        # Default availability zones if not provided
+        # Default availability zones if not provided - use region-appropriate defaults
         if not availability_zones:
-            availability_zones = ["us-east-1a", "us-east-1b"]
+            region = getattr(deployment, 'region', 'us-east-1')
+            availability_zones = self._get_default_azs_for_region(region)
 
-        # Check SSM imported values first (tokens from SSM parameters)
-        # This works with the enhanced SsmParameterMixin
-        if hasattr(self, '_ssm_imported_values') and "vpc_id" in self._ssm_imported_values:
-            vpc_id = self._ssm_imported_values["vpc_id"]
+        # Check SSM imports directly from config (source of truth)
+        ssm_config = getattr(config, 'ssm', {})
+        ssm_imports = ssm_config.get('imports', {})
+        
+        if ssm_imports and "vpc_id" in ssm_imports:
+            vpc_id = ssm_imports["vpc_id"]
             
             # Get subnet IDs first to determine AZ count
             subnet_ids = []
-            if hasattr(self, '_ssm_imported_values') and "subnet_ids" in self._ssm_imported_values:
-                imported_subnets = self._ssm_imported_values["subnet_ids"]
+            if "subnet_ids" in ssm_imports:
+                imported_subnets = ssm_imports["subnet_ids"]
                 if isinstance(imported_subnets, str):
                     subnet_ids = [s.strip() for s in imported_subnets.split(",") if s.strip()]
                 elif isinstance(imported_subnets, list):
@@ -83,9 +86,11 @@ class VPCProviderMixin:
             
             # Adjust availability zones to match subnet count
             if subnet_ids and availability_zones:
-                availability_zones = [f"us-east-1{chr(97+i)}" for i in range(len(subnet_ids))]
+                region = getattr(deployment, 'region', 'us-east-1')
+                region_code = region.split('-')[0] + '-' + region.split('-')[1]
+                availability_zones = [f"{region_code}{chr(97+i)}" for i in range(len(subnet_ids))]
             
-            return self._create_vpc_from_ssm(vpc_id, availability_zones)
+            return self._create_vpc_from_ssm(vpc_id, availability_zones, subnet_ids if subnet_ids else None)
         
         # Check config-level VPC ID
         if hasattr(config, 'vpc_id') and config.vpc_id:
@@ -101,41 +106,40 @@ class VPCProviderMixin:
     def _create_vpc_from_ssm(
         self, 
         vpc_id: str, 
-        availability_zones: List[str]
+        availability_zones: List[str],
+        subnet_ids: Optional[List[str]] = None
     ) -> ec2.IVpc:
         """
         Create VPC reference from SSM imported VPC ID.
         
         Args:
-            vpc_id: The VPC ID from SSM
+            vpc_id: The VPC ID from SSM (can be SSM path or actual VPC ID)
             availability_zones: List of availability zones
+            subnet_ids: Optional list of subnet IDs from SSM
             
         Returns:
             VPC reference created from attributes
         """
+        # Check if vpc_id is an SSM path (starts with /) or actual VPC ID
+        if vpc_id.startswith('/'):
+            # Create CDK token for VPC ID from SSM parameter
+            vpc_id_token = ssm.StringParameter.from_string_parameter_name(
+                self, f"{self.stack_name}-VPC-ID-Token", vpc_id
+            ).string_value
+        else:
+            # Use the VPC ID directly (for testing or direct configuration)
+            vpc_id_token = vpc_id
+        
         # Build VPC attributes
         vpc_attrs = {
-            "vpc_id": vpc_id,
+            "vpc_id": vpc_id_token,
             "availability_zones": availability_zones,
         }
         
-        # If we have subnet_ids from SSM, use the actual subnet IDs
-        if hasattr(self, '_ssm_imported_values') and "subnet_ids" in self._ssm_imported_values:
-            imported_subnets = self._ssm_imported_values["subnet_ids"]
-            if isinstance(imported_subnets, str):
-                # Split comma-separated subnet IDs
-                subnet_ids = [s.strip() for s in imported_subnets.split(",") if s.strip()]
-            elif isinstance(imported_subnets, list):
-                subnet_ids = imported_subnets
-            else:
-                subnet_ids = []
-            
+        # If we have subnet_ids from SSM, add them to the attributes
+        if subnet_ids:
             # Use the actual subnet IDs from SSM
-            if subnet_ids:
-                vpc_attrs["public_subnet_ids"] = subnet_ids
-            else:
-                # Fallback to dummy subnets if no valid subnet IDs
-                vpc_attrs["public_subnet_ids"] = ["subnet-dummy1", "subnet-dummy2"]
+            vpc_attrs["public_subnet_ids"] = subnet_ids
         
         # Use from_vpc_attributes() for SSM tokens with unique construct name
         self._vpc = ec2.Vpc.from_vpc_attributes(self, f"{self.stack_name}-VPC", **vpc_attrs)
@@ -177,3 +181,30 @@ class VPCProviderMixin:
             Resolved VPC reference
         """
         return self.resolve_vpc(config, deployment, workload)
+
+    def _get_default_azs_for_region(self, region: str) -> List[str]:
+        """
+        Get default availability zones for a given region.
+        
+        Args:
+            region: AWS region name (e.g., 'us-east-1', 'us-west-2')
+            
+        Returns:
+            List of availability zone names for the region
+        """
+        # Common AZ mappings for major AWS regions
+        region_az_map = {
+            'us-east-1': ['us-east-1a', 'us-east-1b'],
+            'us-east-2': ['us-east-2a', 'us-east-2b'],
+            'us-west-1': ['us-west-1a', 'us-west-1b'],
+            'us-west-2': ['us-west-2a', 'us-west-2b'],
+            'eu-west-1': ['eu-west-1a', 'eu-west-1b'],
+            'eu-west-2': ['eu-west-2a', 'eu-west-2b'],
+            'eu-central-1': ['eu-central-1a', 'eu-central-1b'],
+            'ap-southeast-1': ['ap-southeast-1a', 'ap-southeast-1b'],
+            'ap-southeast-2': ['ap-southeast-2a', 'ap-southeast-2b'],
+            'ap-northeast-1': ['ap-northeast-1a', 'ap-northeast-1b'],
+        }
+        
+        # Return region-specific AZs if available, otherwise fall back to us-east-1
+        return region_az_map.get(region, ['us-east-1a', 'us-east-1b'])

cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -11,11 +11,18 @@ import ipaddress
 import boto3
 from functools import lru_cache
 
+# Simple logging for Lambda@Edge (since we can't use external logging libraries)
+import logging
+
+# Configure basic logging
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
 # SSM client - will be created in the region where the function executes
 ssm = None
 
 @lru_cache(maxsize=128)
-def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: str = None) -> str:
+def get_ssm_parameter(parameter_name: str, region: str = None, default: str = None) -> str:
     """
     Fetch SSM parameter with caching.
     Lambda@Edge cannot use environment variables, so we fetch from SSM.
@@ -23,14 +30,18 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: s
     The sentinel value 'NONE' indicates an explicitly unset/disabled parameter.
     
     Args:
-        parameter_name: Name of the SSM parameter
-        region: AWS region (default us-east-1)
-        default: Default value to return if parameter not found (optional)
+        parameter_name: SSM parameter name
+        region: AWS region (defaults to us-east-1 for Lambda@Edge compatibility)
+        default: Default value if parameter not found
     
     Returns:
         Parameter value, default value if parameter not found, or empty string if value is 'NONE'
     """
     global ssm
+    # Default to us-east-1 for Lambda@Edge compatibility if no region specified
+    if region is None:
+        region = 'us-east-1'
+    
     if ssm is None:
         ssm = boto3.client('ssm', region_name=region)
     
@@ -40,20 +51,20 @@ def get_ssm_parameter(parameter_name: str, region: str = 'us-east-1', default: s
         
         # Treat 'NONE' sentinel as empty/unset
         if value == 'NONE':
-            print(f"SSM parameter {parameter_name} is set to 'NONE' (explicitly disabled)")
+            logger.info(f"SSM parameter {parameter_name} is set to 'NONE' (explicitly disabled)")
             return ''
         
         return value
     except ssm.exceptions.ParameterNotFound:
         if default is not None:
-            print(f"SSM parameter {parameter_name} not found, using default: {default}")
+            logger.info(f"SSM parameter {parameter_name} not found, using default: {default}")
             return default
-        print(f"SSM parameter {parameter_name} not found and no default provided")
+        logger.error(f"SSM parameter {parameter_name} not found and no default provided")
         raise
     except Exception as e:
-        print(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
+        logger.error(f"Error fetching SSM parameter {parameter_name}: {str(e)}")
         if default is not None:
-            print(f"Returning default value due to error: {default}")
+            logger.info(f"Returning default value due to error: {default}")
             return default
         raise
 
@@ -89,7 +100,7 @@ def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
     try:
         client_ip_obj = ipaddress.ip_address(client_ip)
     except ValueError as e:
-        print(f"Invalid client IP address: {e}")
+        logger.error(f"Invalid client IP address: {e}")
         return False
     
     # Check each CIDR individually, skipping invalid ones
@@ -100,7 +111,7 @@ def is_ip_allowed(client_ip: str, allowed_cidrs: list) -> bool:
                 return True
         except ValueError as e:
             # Invalid CIDR, log and continue checking others
-            print(f"Invalid CIDR '{cidr}': {e}")
+            logger.warning(f"Invalid CIDR '{cidr}': {e}")
             continue
     
     return False
@@ -130,24 +141,23 @@ def lambda_handler(event, context):
         env = runtime_config.get('environment', 'dev')
         function_base_name = runtime_config.get('function_name', 'ip-gate')
         
-        print(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
+        logger.info(f"Runtime config loaded: environment={env}, function_name={function_base_name}")
     except FileNotFoundError:
         # Fallback: extract from Lambda context (less reliable)
-        print("Warning: runtime_config.json not found, falling back to function name parsing")
+        logger.warning("runtime_config.json not found, falling back to function name parsing")
         function_full_name = context.function_name
         
         # Parse environment from function name as fallback
         parts = function_full_name.split('-')
         common_envs = ['dev', 'prod', 'staging', 'test', 'qa', 'uat']
-        env = 'dev'
-        
+        env = 'dev'  # Default fallback
         for part in parts:
             if part in common_envs:
                 env = part
                 break
         
         function_base_name = 'ip-gate'
-        print(f"Fallback: environment={env}, function_name={function_base_name}")
+        logger.info(f"Fallback: environment={env}, function_name={function_base_name}")
     
     # Full function name for SSM paths
     # Lambda@Edge replicas prepend region (e.g., "us-east-1.tech-talk-dev-ip-gate")
@@ -156,46 +166,46 @@ def lambda_handler(event, context):
     if '.' in function_name and function_name.split('.')[0].startswith('us-'):
         # Strip region prefix (e.g., "us-east-1." -> "tech-talk-dev-ip-gate")
         function_name = '.'.join(function_name.split('.')[1:])
-        print(f"Stripped region prefix from function name: {function_name}")
+        logger.info(f"Stripped region prefix from function name: {function_name}")
     
-    print(f"Lambda function ARN: {context.invoked_function_arn}")
-    print(f"Using function name for SSM lookups: {function_name}")
+    logger.info(f"Lambda function ARN: {context.invoked_function_arn}")
+    logger.info(f"Using function name for SSM lookups: {function_name}")
     
     try:
         # Fetch configuration from SSM Parameter Store
         # Auto-generated paths: /{env}/{function-name}/{key}
-        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', 'us-east-1')
+        gate_enabled = get_ssm_parameter(f'/{env}/{function_name}/gate-enabled', region='us-east-1')
         
         # If gating is disabled, allow all traffic
         # Empty string (from 'NONE' sentinel) is treated as disabled
         if not gate_enabled or gate_enabled.lower() not in ('true', '1', 'yes'):
-            print(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
+            logger.info(f"IP gating is disabled (GATE_ENABLED={gate_enabled or 'NONE'})")
             return request
         
         # Get allowed CIDRs and backup host
-        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', 'us-east-1')
-        dns_alias = get_ssm_parameter(f'/{env}/{function_name}/dns-alias', 'us-east-1')
+        allow_cidrs_str = get_ssm_parameter(f'/{env}/{function_name}/allow-cidrs', region='us-east-1')
+        dns_alias = get_ssm_parameter(f'/{env}/{function_name}/dns-alias', region='us-east-1')
         
         # Parse allowed CIDRs (empty string results in empty list)
         allowed_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
         
         # Get client IP
         client_ip = get_client_ip(request)
-        print(f"Client IP: {client_ip}")
+        logger.info(f"Client IP: {client_ip}")
         
         # Check if IP is allowed
         if is_ip_allowed(client_ip, allowed_cidrs):
-            print(f"IP {client_ip} is allowed")
+            logger.info(f"IP {client_ip} is allowed")
             return request
         
         # IP not allowed - either redirect or proxy backup page
         # Check response mode from SSM (default: redirect for backward compatibility)
         response_mode_param = f"/{env}/{function_name}/response-mode"
-        response_mode = get_ssm_parameter(response_mode_param, 'us-east-1', default='redirect')
+        response_mode = get_ssm_parameter(response_mode_param, region='us-east-1', default='redirect')
         
         if response_mode == 'proxy':
             # Proxy mode: Fetch and return backup content (keeps URL the same)
-            print(f"IP {client_ip} is NOT allowed, proxying content from {dns_alias}")
+            logger.info(f"IP {client_ip} is NOT allowed, proxying content from {dns_alias}")
             
             try:
                 import urllib3
@@ -230,17 +240,17 @@ def lambda_handler(event, context):
                     'body': alias_response.data.decode('utf-8')
                 }
                 
-                print(f"Successfully proxied backup page (status {alias_response.status})")
+                logger.info(f"Successfully proxied backup page (status {alias_response.status})")
                 return response
                 
             except Exception as proxy_error:
-                print(f"Error proxying backup content: {str(proxy_error)}")
+                logger.error(f"Error proxying backup content: {str(proxy_error)}")
                 # Fall back to redirect if proxy fails
-                print(f"Falling back to redirect mode")
+                logger.info(f"Falling back to redirect mode")
                 response_mode = 'redirect'
         
         # Redirect mode (default): HTTP 302 redirect to backup site
-        print(f"IP {client_ip} is NOT allowed, redirecting to {dns_alias}")
+        logger.info(f"IP {client_ip} is NOT allowed, redirecting to {dns_alias}")
         
         response = {
             'status': '302',
@@ -249,14 +259,6 @@ def lambda_handler(event, context):
                 'location': [{
                     'key': 'Location',
                     'value': f'https://{dns_alias}'
-                }],
-                'cache-control': [{
-                    'key': 'Cache-Control',
-                    'value': 'no-cache, no-store, must-revalidate'
-                }],
-                'x-ip-gate-mode': [{
-                    'key': 'X-IP-Gate-Mode',
-                    'value': 'redirect'
                 }]
             }
         }
@@ -264,7 +266,7 @@ def lambda_handler(event, context):
         return response
         
     except Exception as e:
-        print(f"Error in IP gating function: {str(e)}")
+        logger.error(f"Error in IP gating function: {str(e)}")
         # On error, allow the request to proceed (fail open)
         # Change this to fail closed if preferred
         return request

cdk_factory/pipeline/pipeline_factory.py

@@ -118,7 +118,7 @@ class PipelineFactoryStack(IStack):
                     f"\t🚨 Deployment for Environment: {deployment.environment} "
                     f"is disabled."
                 )
-        if len(pipeline_deployments) == 0:
+        if not pipeline_deployments:
             print(f"\t⛔️ No Pipeline Deployments configured for {self.workload.name}.")
 
         return len(pipeline_deployments)
@@ -216,7 +216,7 @@ class PipelineFactoryStack(IStack):
             wave_name = stage.wave_name
 
             # if we don't have any stacks we'll need to use the wave
-            if len(stage.stacks) == 0:
+            if not stage.stacks:
                 wave_name = stage.name
 
             if wave_name:
@@ -519,7 +519,7 @@ class PipelineFactoryStack(IStack):
                     f"\t\t ⚠️ Stack {stack_config.name} is disabled in stage: {stage_config.name}"
                 )
 
-        if len(cf_stacks) == 0:
+        if not cf_stacks:
             print(f"\t\t ⚠️ No stacks added to stage: {stage_config.name}")
             print(f"\t\t ⚠️ Internal Stack Count: {len(stage_config.stacks)}")
 

cdk_factory/stack_library/__init__.py

@@ -12,9 +12,10 @@ paths = []
 
 try:
     paths = __path__
-except:  # noqa: E722, pylint: disable=bare-except
+except (AttributeError, ImportError) as e:
+    # Fallback to using os.path if __path__ is not available
     import os
-
+    
     paths.append(os.path.dirname(__file__))
 
 

cdk_factory/stack_library/acm/acm_stack.py

@@ -16,7 +16,7 @@ from cdk_factory.configurations.deployment import DeploymentConfig
 from cdk_factory.configurations.stack import StackConfig
 from cdk_factory.configurations.resources.acm import AcmConfig
 from cdk_factory.interfaces.istack import IStack
-from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 
@@ -25,7 +25,8 @@ logger = Logger(service="AcmStack")
 
 @register_stack("acm_stack")
 @register_stack("certificate_stack")
-class AcmStack(IStack, EnhancedSsmParameterMixin):
+@register_stack("certificate_library_module")
+class AcmStack(IStack, StandardizedSsmMixin):
     """
     Reusable stack for AWS Certificate Manager.
     Supports creating ACM certificates with DNS validation via Route53.
@@ -152,18 +153,7 @@ class AcmStack(IStack, EnhancedSsmParameterMixin):
 
     def _add_outputs(self, cert_name: str) -> None:
         """Add CloudFormation outputs"""
-        cdk.CfnOutput(
-            self,
-            "CertificateArn",
-            value=self.certificate.certificate_arn,
-            description=f"Certificate ARN for {self.acm_config.domain_name}",
-            export_name=f"{cert_name}-arn",
-        )
-        
-        cdk.CfnOutput(
-            self,
-            "DomainName",
-            value=self.acm_config.domain_name,
-            description="Primary domain name for the certificate",
-            export_name=f"{cert_name}-domain",
-        )
+
+        return
+
+