cdk-factory 0.17.4__py3-none-any.whl → 0.17.6__py3-none-any.whl


Potentially problematic release.



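--- a/cdk_factory/stack_library/ecs/ecs_cluster_stack_standardized.py
+++ b/cdk_factory/stack_library/ecs/ecs_cluster_stack_standardized.py
@@ -186,7 +186,7 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
  "ECSInstanceRole",
  assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
  managed_policies=[
- iam.ManagedPolicy.from_aws_managed_policy_name("AmazonECSWorkerNodePolicy"),
+ iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerServiceforEC2Role"),
  iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryReadOnly"),
  iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"),
  ],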
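Review bot: The new policy name on the changed line is missing its path prefix: `AmazonEC2ContainerServiceforEC2Role` is published under `service-role/`, and `from_aws_managed_policy_name` builds the ARN from exactly the string it is given, so the role would reference a policy ARN that does not exist and the deployment is likely to fail when IAM attaches it. The line should read `iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2ContainerServiceforEC2Role"),`. That policy already carries the ECR pull actions, so it is worth checking whether `AmazonEC2ContainerRegistryReadOnly` is still needed on the instance role. The enclosing role constructor call starts and ends outside the hunk.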
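--- a/cdk_factory/stack_library/vpc/vpc_stack_standardized.py
+++ b/cdk_factory/stack_library/vpc/vpc_stack_standardized.py
@@ -138,6 +138,7 @@ class VpcStack(IStack, StandardizedSsmMixin):
  "enable_dns_support": self.vpc_config.enable_dns_support,
  "max_azs": self.vpc_config.max_azs if not availability_zones else None,
  "availability_zones": availability_zones, # Use explicit AZs when available
+ "restrict_default_security_group": self.vpc_config.get("restrict_default_security_group", False),
  "gateway_endpoints": (
  {
  "S3": ec2.GatewayVpcEndpointOptions(
@@ -152,6 +153,16 @@ class VpcStack(IStack, StandardizedSsmMixin):
  # Create the VPC
  vpc = ec2.Vpc(self, vpc_name, **vpc_props)
 
+ # Add IAM permissions for default security group restriction if enabled
+ if self.vpc_config.get("restrict_default_security_group", False):
+ self._add_default_sg_restriction_permissions(vpc)
+ else:
+ # Note: When disabling, existing restrictions remain
+ # This is AWS CDK's behavior - custom resources clean up themselves,
+ # but security group rules they created persist
+ # Users can manually clean up if needed via AWS Console
+ pass
+
  # Add interface endpoints if specified
  if self.vpc_config.enable_interface_endpoints:
  self._add_interface_endpoints(vpc, self.vpc_config.interface_endpoints)
@@ -392,6 +403,31 @@ class VpcStack(IStack, StandardizedSsmMixin):
 
  logger.info(f"Exported SSM parameters: {exported_params}")
 
+ def _add_default_sg_restriction_permissions(self, vpc: ec2.Vpc) -> None:
+ """
+ Add IAM permissions required for default security group restriction.
+
+ CDK creates a custom resource that needs ec2:AuthorizeSecurityGroupIngress
+ permission to restrict the default security group.
+ """
+ from aws_cdk import aws_iam as iam
+
+ # Find the custom resource role that CDK creates for default SG restriction
+ # The role follows a naming pattern: {VpcName}-CustomVpcRestrictDefaultSGCustomResource*
+
+ # Grant the required permissions to all roles in this stack that might need it
+ # This is a broad approach since we can't easily predict the exact role name
+ for child in self.node.children:
+ if hasattr(child, 'role') and hasattr(child.role, 'add_to_policy'):
+ child.role.add_to_policy(iam.PolicyStatement(
+ actions=[
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
+ ],
+ resources=[vpc.vpc_default_security_group.security_group_arn]
+ ))
+
  # Backward compatibility methods
  def auto_export_resources(self, resource_values: Dict[str, Any], context: Dict[str, Any] = None) -> Dict[str, str]:
  """Backward compatibility method for existing modules."""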
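Review bot: `_add_default_sg_restriction_permissions` attaches the three ingress-editing actions to every direct child of the stack that exposes `role.add_to_policy`, so any unrelated role in the stack gains the right to rewrite the default security group's ingress rules, while the provider that actually performs the restriction may not match the `hasattr` test at all. The resource expression also looks wrong: to my knowledge `vpc.vpc_default_security_group` is the group ID as a string, so `.security_group_arn` would raise `AttributeError` the first time a child matches. CDK's `restrict_default_security_group` handling appears to grant its own custom resource the permissions it needs, so I would delete the helper and its call and keep only the `vpc_props` entry; if a grant proves necessary, scope it to that one provider and build the ARN with `self.format_arn(service="ec2", resource="security-group", resource_name=vpc.vpc_default_security_group)`. Separately, the explicit `False` default leaves the default security group's stock rules in place unless a config opts in, which deserves a comment such as `# default SG stays unrestricted unless restrict_default_security_group is set`.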
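--- a/cdk_factory/version.py
+++ b/cdk_factory/version.py
@@ -1 +1 @@
- __version__ = "0.17.4"
+ __version__ = "0.17.6"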
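--- a/cdk_factory-0.17.4.dist-info/METADATA
+++ b/cdk_factory-0.17.6.dist-info/METADATA
@@ -1,6 +1,6 @@
  Metadata-Version: 2.4
  Name: cdk_factory
- Version: 0.17.4
+ Version: 0.17.6
  Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
  Author-email: Eric Wilson <eric.wilson@geekcafe.com>
  License: MIT License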
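--- a/cdk_factory-0.17.4.dist-info/RECORD
+++ b/cdk_factory-0.17.6.dist-info/RECORD
@@ -2,7 +2,7 @@ cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
  cdk_factory/app.py,sha256=RnX0-pwdTAPAdKJK_j13Zl8anf9zYKBwboR0KA8K8xM,10346
  cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
  cdk_factory/cli.py,sha256=FGbCTS5dYCNsfp-etshzvFlGDCjC28r6rtzYbe7KoHI,6407
- cdk_factory/version.py,sha256=LisYi6U4jD61j06adgCNdZJfR0RhF_Im0hPrka6lSjc,23
+ cdk_factory/version.py,sha256=mmrB6n6zH1c3iHQ4iJcecY24GV6KoBQ8Vbb5t5vYe3E,23
  cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
  cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
  cdk_factory/configurations/base_config.py,sha256=eJ3Pl3GWk1jVr_bYQaaWlw4_-ZiFGaiXllI_fOOX1i0,9323
@@ -98,7 +98,7 @@ cdk_factory/stack_library/dynamodb/dynamodb_stack.py,sha256=3_8lQP91GnBY77-61mtn
  cdk_factory/stack_library/ecr/README.md,sha256=xw2wPx9WN03Y4BBwqvbi9lAFGNyaD1FUNpqxVJX14Oo,179
  cdk_factory/stack_library/ecr/ecr_stack.py,sha256=KLbd5WN5-ZiojsS5wJ4PX-tIL0cCylCSvXjO6sVrgWY,2102
  cdk_factory/stack_library/ecs/__init__.py,sha256=ebM8vVboNBplK0ua6bMSpNjewcFFkdvJ5wvVYEL1ONQ,302
- cdk_factory/stack_library/ecs/ecs_cluster_stack_standardized.py,sha256=1nZig37AG3ZAkWKalYnqKlSqY_8gEPDCIorruAX_6P4,11318
+ cdk_factory/stack_library/ecs/ecs_cluster_stack_standardized.py,sha256=4zB89HNp5n6GrL8nHUppXckdQqNrOJ13keKgr6P9uSk,11328
  cdk_factory/stack_library/ecs/ecs_service_stack.py,sha256=3en447kWBOqd0d_i2C8mRRBscO2GqN9-B2l_PW7kZuM,27409
  cdk_factory/stack_library/lambda_edge/__init__.py,sha256=ByBJ_CWdc4UtTmFBZH-6pzBMNkjkdtE65AmnB0Fs6lM,156
  cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py,sha256=ft5AxHy8__F90ZYDaoJwTjACGIfrn2Sd9Zr2CdHO7GE,16398
@@ -117,7 +117,7 @@ cdk_factory/stack_library/security_group/security_group_full_stack.py,sha256=yvZ
  cdk_factory/stack_library/security_group/security_group_stack.py,sha256=Zv9FCEHvSBT1cM9bXOtyIUFwhRHKCSTgvaqOyhGj0wg,14456
  cdk_factory/stack_library/simple_queue_service/sqs_stack.py,sha256=jJksWrvrvgZUMM01RZ317DOIxqIJbkYYSYu38w0jHpc,6039
  cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ52L1MzeXBybA,42
- cdk_factory/stack_library/vpc/vpc_stack_standardized.py,sha256=pMFzNJUEwhI2i-ikM_SNnagT5SQGdKipoaJPqbYXpBw,17535
+ cdk_factory/stack_library/vpc/vpc_stack_standardized.py,sha256=aifwTPGbWoDsWBlsBkCIdsvz29blm4gaHMKxh4g1M2E,19441
  cdk_factory/stack_library/websites/static_website_stack.py,sha256=A292BlKDof0JnVewkK_3JiRB04rX7J9Na0a-iz3JWzw,11243
  cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
  cdk_factory/templates/README.md,sha256=ATBEjG6beYvbEAdLtZ_8xnxgFD5X0cgZoI_6pToqH90,2679
@@ -136,8 +136,8 @@ cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITE
  cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
  cdk_factory/validation/config_validator.py,sha256=Pb0TkLiPFzUplBOgMorhRCVm08vEzZhRU5xXCDTa5CA,17602
  cdk_factory/workload/workload_factory.py,sha256=yDI3cRhVI5ELNDcJPLpk9UY54Uind1xQoV3spzT4z7E,6068
- cdk_factory-0.17.4.dist-info/METADATA,sha256=cBM2_WWn_BuKqhtAmw9QPghfq9kGLKWdAF3DDHZbJio,2451
- cdk_factory-0.17.4.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
- cdk_factory-0.17.4.dist-info/entry_points.txt,sha256=S1DPe0ORcdiwEALMN_WIo3UQrW_g4YdQCLEsc_b0Swg,53
- cdk_factory-0.17.4.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
- cdk_factory-0.17.4.dist-info/RECORD,,
+ cdk_factory-0.17.6.dist-info/METADATA,sha256=e_HqvqS9J3KYXTtblXdbbJq3rLgNr9Oq_lsG-jK38P8,2451
+ cdk_factory-0.17.6.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+ cdk_factory-0.17.6.dist-info/entry_points.txt,sha256=S1DPe0ORcdiwEALMN_WIo3UQrW_g4YdQCLEsc_b0Swg,53
+ cdk_factory-0.17.6.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+ cdk_factory-0.17.6.dist-info/RECORD,,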