cdk-factory 0.17.3__py3-none-any.whl → 0.17.5__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- cdk_factory/interfaces/vpc_provider_mixin.py +1 -4
- cdk_factory/stack_library/vpc/vpc_stack_standardized.py +49 -1
- cdk_factory/version.py +1 -1
- {cdk_factory-0.17.3.dist-info → cdk_factory-0.17.5.dist-info}/METADATA +1 -1
- {cdk_factory-0.17.3.dist-info → cdk_factory-0.17.5.dist-info}/RECORD +8 -8
- {cdk_factory-0.17.3.dist-info → cdk_factory-0.17.5.dist-info}/WHEEL +0 -0
- {cdk_factory-0.17.3.dist-info → cdk_factory-0.17.5.dist-info}/entry_points.txt +0 -0
- {cdk_factory-0.17.3.dist-info → cdk_factory-0.17.5.dist-info}/licenses/LICENSE +0 -0
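--- a/cdk_factory/interfaces/vpc_provider_mixin.py
+++ b/cdk_factory/interfaces/vpc_provider_mixin.py
@@ -136,13 +136,10 @@ class VPCProviderMixin:
 "availability_zones": availability_zones,
 }
 
-# If we have subnet_ids from SSM,
+# If we have subnet_ids from SSM, add them to the attributes
 if subnet_ids:
 # Use the actual subnet IDs from SSM
 vpc_attrs["public_subnet_ids"] = subnet_ids
-else:
-# Fallback to dummy subnets if no valid subnet IDs
-vpc_attrs["public_subnet_ids"] = ["subnet-dummy1", "subnet-dummy2"]
 
 # Use from_vpc_attributes() for SSM tokens with unique construct name
 self._vpc = ec2.Vpc.from_vpc_attributes(self, f"{self.stack_name}-VPC", **vpc_attrs)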
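Review bot: With the dummy-subnet fallback gone, an empty or missing SSM subnet list now silently leaves `public_subnet_ids` out of `vpc_attrs`, so `ec2.Vpc.from_vpc_attributes` at new line 145 imports a VPC with no public subnets and the failure only surfaces later in whichever construct tries to select subnets from it. Dropping the placeholder IDs is the right call (they could never deploy), but the hunk should fail fast instead of failing late: replace the `if subnet_ids:` branch with `if not subnet_ids: raise ValueError(f"{self.stack_name}: no public subnet IDs resolved from SSM for VPC import")` followed by the unconditional assignment, unless the lookup code above the hunk already rejects an empty result. The enclosing method starts before this hunk.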
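--- a/cdk_factory/stack_library/vpc/vpc_stack_standardized.py
+++ b/cdk_factory/stack_library/vpc/vpc_stack_standardized.py
@@ -111,6 +111,23 @@ class VpcStack(IStack, StandardizedSsmMixin):
 # Configure NAT gateways
 nat_gateway_count = self.vpc_config.nat_gateways.get("count", 1)
 
+# Get explicit availability zones to avoid dummy AZs in pipeline synthesis
+# When CDK synthesizes in a pipeline context, it doesn't have access to real AZs
+# So we explicitly specify them based on the deployment region
+availability_zones = None
+if self.deployment:
+region = self.deployment.region or "us-east-1"
+# Explicitly list AZs for the region to avoid dummy values
+max_azs = self.vpc_config.max_azs or 2
+if region == "us-east-1":
+availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"][:max_azs]
+elif region == "us-east-2":
+availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"][:max_azs]
+elif region == "us-west-1":
+availability_zones = ["us-west-1a", "us-west-1c"][:max_azs]
+elif region == "us-west-2":
+availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"][:max_azs]
+
 # Build VPC properties
 vpc_props = {
 "vpc_name": vpc_name,
@@ -119,7 +136,9 @@ class VpcStack(IStack, StandardizedSsmMixin):
 "subnet_configuration": subnet_configuration,
 "enable_dns_hostnames": self.vpc_config.enable_dns_hostnames,
 "enable_dns_support": self.vpc_config.enable_dns_support,
-"max_azs": self.vpc_config.max_azs
+"max_azs": self.vpc_config.max_azs if not availability_zones else None,
+"availability_zones": availability_zones, # Use explicit AZs when available
+"restrict_default_security_group": self.vpc_config.get("restrict_default_security_group", False),
 "gateway_endpoints": (
 {
 "S3": ec2.GatewayVpcEndpointOptions(
@@ -134,6 +153,10 @@ class VpcStack(IStack, StandardizedSsmMixin):
 # Create the VPC
 vpc = ec2.Vpc(self, vpc_name, **vpc_props)
 
+# Add IAM permissions for default security group restriction if enabled
+if self.vpc_config.get("restrict_default_security_group", False):
+self._add_default_sg_restriction_permissions(vpc)
+
 # Add interface endpoints if specified
 if self.vpc_config.enable_interface_endpoints:
 self._add_interface_endpoints(vpc, self.vpc_config.interface_endpoints)
@@ -374,6 +397,31 @@ class VpcStack(IStack, StandardizedSsmMixin):
 
 logger.info(f"Exported SSM parameters: {exported_params}")
 
+def _add_default_sg_restriction_permissions(self, vpc: ec2.Vpc) -> None:
+"""
+Add IAM permissions required for default security group restriction.
+
+CDK creates a custom resource that needs ec2:AuthorizeSecurityGroupIngress
+permission to restrict the default security group.
+"""
+from aws_cdk import aws_iam as iam
+
+# Find the custom resource role that CDK creates for default SG restriction
+# The role follows a naming pattern: {VpcName}-CustomVpcRestrictDefaultSGCustomResource*
+
+# Grant the required permissions to all roles in this stack that might need it
+# This is a broad approach since we can't easily predict the exact role name
+for child in self.node.children:
+if hasattr(child, 'role') and hasattr(child.role, 'add_to_policy'):
+child.role.add_to_policy(iam.PolicyStatement(
+actions=[
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:UpdateSecurityGroupRuleDescriptionsIngress"
+],
+resources=[vpc.vpc_default_security_group.security_group_arn]
+))
+
 # Backward compatibility methods
 def auto_export_resources(self, resource_values: Dict[str, Any], context: Dict[str, Any] = None) -> Dict[str, str]:
 """Backward compatibility method for existing modules."""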
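--- a/cdk_factory/version.py
+++ b/cdk_factory/version.py
@@ -1 +1 @@
-__version__ = "0.17.
+__version__ = "0.17.5"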
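--- a/cdk_factory-0.17.3.dist-info/RECORD
+++ b/cdk_factory-0.17.5.dist-info/RECORD
@@ -2,7 +2,7 @@ cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=RnX0-pwdTAPAdKJK_j13Zl8anf9zYKBwboR0KA8K8xM,10346
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
 cdk_factory/cli.py,sha256=FGbCTS5dYCNsfp-etshzvFlGDCjC28r6rtzYbe7KoHI,6407
-cdk_factory/version.py,sha256=
+cdk_factory/version.py,sha256=ZIYpuZI41Jfj-0NfW9-SGHVIJ9A014nURtKnLa84glc,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=eJ3Pl3GWk1jVr_bYQaaWlw4_-ZiFGaiXllI_fOOX1i0,9323
@@ -67,7 +67,7 @@ cdk_factory/interfaces/istack.py,sha256=3xqGw5kNTt_KeLHdMxI7rIR0YORqcWQOqsacmDlT
 cdk_factory/interfaces/live_ssm_resolver.py,sha256=3FIr9a02SXqZmbFs3RT0WxczWEQR_CF7QSt7kWbDrVE,8163
 cdk_factory/interfaces/networked_stack_mixin.py,sha256=69pJp4IE1n_tdHh2UZQ08O6ZW-v5P4uJJ_fleNaj6Nw,2897
 cdk_factory/interfaces/standardized_ssm_mixin.py,sha256=-BT-K7mro2f3taS7biAm_oaxC7z2lurUfNUpryvahXk,22680
-cdk_factory/interfaces/vpc_provider_mixin.py,sha256=
+cdk_factory/interfaces/vpc_provider_mixin.py,sha256=Kj0mmZd54NINprixJLs8zL-WWiSd0AQBtGdwNg8cz14,8207
 cdk_factory/lambdas/health_handler.py,sha256=dd40ykKMxWCFEIyp2ZdQvAGNjw_ylI9CSm1N24Hp2ME,196
 cdk_factory/lambdas/edge/ip_gate/handler.py,sha256=gUevgX462mqGYddtQIyJ1-Jk3oXhFmbmd46jlqjai9E,10657
 cdk_factory/pipeline/path_utils.py,sha256=fvWdrcb4onmpIu1APkHLhXg8zWfK74HcW3Ra2ynxfXM,2586
@@ -117,7 +117,7 @@ cdk_factory/stack_library/security_group/security_group_full_stack.py,sha256=yvZ
 cdk_factory/stack_library/security_group/security_group_stack.py,sha256=Zv9FCEHvSBT1cM9bXOtyIUFwhRHKCSTgvaqOyhGj0wg,14456
 cdk_factory/stack_library/simple_queue_service/sqs_stack.py,sha256=jJksWrvrvgZUMM01RZ317DOIxqIJbkYYSYu38w0jHpc,6039
 cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ52L1MzeXBybA,42
-cdk_factory/stack_library/vpc/vpc_stack_standardized.py,sha256=
+cdk_factory/stack_library/vpc/vpc_stack_standardized.py,sha256=7vd_n6L7VYusIdnXREicJ2HUlxWbk3cOgzffH5nD1Mw,19136
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=A292BlKDof0JnVewkK_3JiRB04rX7J9Na0a-iz3JWzw,11243
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
 cdk_factory/templates/README.md,sha256=ATBEjG6beYvbEAdLtZ_8xnxgFD5X0cgZoI_6pToqH90,2679
@@ -136,8 +136,8 @@ cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITE
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/validation/config_validator.py,sha256=Pb0TkLiPFzUplBOgMorhRCVm08vEzZhRU5xXCDTa5CA,17602
 cdk_factory/workload/workload_factory.py,sha256=yDI3cRhVI5ELNDcJPLpk9UY54Uind1xQoV3spzT4z7E,6068
-cdk_factory-0.17.
-cdk_factory-0.17.
-cdk_factory-0.17.
-cdk_factory-0.17.
-cdk_factory-0.17.
+cdk_factory-0.17.5.dist-info/METADATA,sha256=R2L5fuA3X_oTcd-wwZoLOk0tpzAf-jkmoEAdiANmf_I,2451
+cdk_factory-0.17.5.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.17.5.dist-info/entry_points.txt,sha256=S1DPe0ORcdiwEALMN_WIo3UQrW_g4YdQCLEsc_b0Swg,53
+cdk_factory-0.17.5.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.17.5.dist-info/RECORD,,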