cdk-factory 0.17.6__py3-none-any.whl → 0.20.2__py3-none-any.whl

cdk_factory/stack_library/cloudfront/cloudfront_stack.py

@@ -13,6 +13,8 @@ from aws_cdk import (
     aws_cloudfront as cloudfront,
     aws_cloudfront_origins as origins,
     aws_certificatemanager as acm,
+    aws_route53 as route53,
+    aws_s3 as s3,
     aws_lambda as _lambda,
     aws_ssm as ssm,
     CfnOutput,
@@ -143,7 +145,7 @@ class CloudFrontStack(IStack):
             return
 
         # Check if certificate ARN is provided
-        cert_arn = cert_config.get("arn")
+        cert_arn = self.resolve_ssm_value(self, cert_config.get("arn"), "CertificateARN")
         if cert_arn:
             self.certificate = acm.Certificate.from_certificate_arn(
                 self, "Certificate", certificate_arn=cert_arn
@@ -161,8 +163,36 @@ class CloudFrontStack(IStack):
             logger.info(f"Using certificate from SSM: {ssm_param}")
             return
 
+        # Create new certificate from domain name
+        domain_name = cert_config.get("domain_name")
+        if domain_name and self.cf_config.aliases:
+            # CloudFront certificates must be in us-east-1
+            if self.region != "us-east-1":
+                logger.warning(
+                    f"Certificate creation requested but stack is in {self.region}. "
+                    "CloudFront certificates must be created in us-east-1"
+                )
+                return
+
+            # Create the certificate
+            # Get hosted zone from SSM imports
+            hosted_zone_id = cert_config.get("hosted_zone_id")
+            hosted_zone = route53.HostedZone.from_hosted_zone_id(
+                self, "HostedZone", hosted_zone_id
+            )
+
+            self.certificate = acm.Certificate(
+                self,
+                "Certificate",
+                domain_name=domain_name,
+                subject_alternative_names=self.cf_config.aliases,
+                validation=acm.CertificateValidation.from_dns(hosted_zone=hosted_zone),
+            )
+            logger.info(f"Created new ACM certificate for domain: {domain_name}")
+            return
+
         logger.warning(
-            "No certificate ARN provided - CloudFront will use default certificate"
+            "No certificate ARN or domain name provided - CloudFront will use default certificate"
         )
 
     def _create_origins(self) -> None:
@@ -193,27 +223,29 @@ class CloudFrontStack(IStack):
 
     def _create_custom_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create custom origin (ALB, API Gateway, etc.)"""
-        domain_name = config.get("domain_name")
+        domain_name = self.resolve_ssm_value(
+            self, config.get("domain_name"), config.get("domain_name")
+        )
         origin_id = config.get("id")
 
         if not domain_name:
             raise ValueError("domain_name is required for custom origin")
 
-        # Check if domain name is a placeholder from ssm_imports
-        if domain_name.startswith("{{") and domain_name.endswith("}}"):
-            placeholder_key = domain_name[2:-2]  # Remove {{ and }}
-            if placeholder_key in self.ssm_imported_values:
-                domain_name = self.ssm_imported_values[placeholder_key]
-                logger.info(f"Resolved domain from SSM import: {placeholder_key}")
-            else:
-                logger.warning(f"Placeholder {domain_name} not found in SSM imports")
-
-        # Legacy support: Check if domain name is an SSM parameter reference
-        elif domain_name.startswith("{{ssm:") and domain_name.endswith("}}"):
-            # Extract SSM parameter name
-            ssm_param = domain_name[6:-2]  # Remove {{ssm: and }}
-            domain_name = ssm.StringParameter.value_from_lookup(self, ssm_param)
-            logger.info(f"Resolved domain from SSM lookup {ssm_param}: {domain_name}")
+        # # Check if domain name is a placeholder from ssm_imports
+        # if domain_name.startswith("{{") and domain_name.endswith("}}"):
+        #     placeholder_key = domain_name[2:-2]  # Remove {{ and }}
+        #     if placeholder_key in self.ssm_imported_values:
+        #         domain_name = self.ssm_imported_values[placeholder_key]
+        #         logger.info(f"Resolved domain from SSM import: {placeholder_key}")
+        #     else:
+        #         logger.warning(f"Placeholder {domain_name} not found in SSM imports")
+
+        # # Legacy support: Check if domain name is an SSM parameter reference
+        # elif domain_name.startswith("{{ssm:") and domain_name.endswith("}}"):
+        #     # Extract SSM parameter name
+        #     ssm_param = domain_name[6:-2]  # Remove {{ssm: and }}
+        #     domain_name = ssm.StringParameter.value_from_lookup(self, ssm_param)
+        #     logger.info(f"Resolved domain from SSM lookup {ssm_param}: {domain_name}")
 
         # Build custom headers (e.g., X-Origin-Secret)
         custom_headers = {}
@@ -267,12 +299,34 @@ class CloudFrontStack(IStack):
 
     def _create_s3_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create S3 origin"""
-        # S3 origin implementation
-        # This would use origins.S3Origin
-        raise NotImplementedError(
-            "S3 origin support - use existing static_website_stack for S3"
+        bucket_name = self.resolve_ssm_value(
+            self, config.get("bucket_name"), config.get("bucket_name")
+        )
+
+        origin_path = config.get("origin_path", "")
+
+        if not bucket_name:
+            raise ValueError("S3 origin requires 'bucket_name' configuration")
+
+        # For S3 origins, we need to import the bucket by name
+        bucket = s3.Bucket.from_bucket_name(
+            self,
+            id=f"S3OriginBucket-{config.get('id', 'unknown')}",
+            bucket_name=bucket_name,
         )
 
+        # Create S3 origin with OAC (Origin Access Control) for security
+        origin = origins.S3BucketOrigin.with_origin_access_control(
+            bucket,
+            origin_path=origin_path,
+            origin_access_levels=[
+                cloudfront.AccessLevel.READ,
+                cloudfront.AccessLevel.LIST,
+            ],
+        )
+
+        return origin
+
     def _create_distribution(self) -> None:
         """Create CloudFront distribution"""
 

cdk_factory/stack_library/code_artifact/code_artifact_stack.py

@@ -140,32 +140,10 @@ class CodeArtifactStack(IStack, StandardizedSsmMixin):
 
     def _add_outputs(self) -> None:
         """Add CloudFormation outputs for the CodeArtifact resources"""
+
+        
         # Domain outputs
         if self.domain:
             domain_name = self.code_artifact_config.domain_name
             
-            # Domain ARN
-            cdk.CfnOutput(
-                self,
-                f"{domain_name}-domain-arn",
-                value=self.domain.attr_arn,
-                export_name=f"{self.deployment.build_resource_name(domain_name)}-domain-arn"
-            )
-            
-            # Domain URL
-            cdk.CfnOutput(
-                self,
-                f"{domain_name}-domain-url",
-                value=f"https://{self.code_artifact_config.account}.d.codeartifact.{self.code_artifact_config.region}.amazonaws.com/",
-                export_name=f"{self.deployment.build_resource_name(domain_name)}-domain-url"
-            )
-        
-        # Repository outputs
-        for repo_name, repo in self.repositories.items():
-            # Repository ARN
-            cdk.CfnOutput(
-                self,
-                f"{repo_name}-repo-arn",
-                value=repo.attr_arn,
-                export_name=f"{self.deployment.build_resource_name(repo_name)}-repo-arn"
-            )
+            

cdk_factory/stack_library/cognito/cognito_stack.py

@@ -564,7 +564,7 @@ class CognitoStack(IStack, StandardizedSsmMixin):
         # Setup enhanced SSM integration with proper resource type and name
         # Use "user-pool" as resource identifier for SSM paths, not the full pool name
 
-        self.setup_standardized_ssm_integration(
+        self.setup_ssm_integration(
             scope=self,
             config=self.stack_config.dictionary.get("cognito", {}),
             resource_type="cognito",
@@ -591,7 +591,7 @@ class CognitoStack(IStack, StandardizedSsmMixin):
             # or retrieve via AWS Console/CLI if needed.
 
         # Use enhanced SSM parameter export
-        exported_params = self.export_standardized_ssm_parameters(resource_values)
+        exported_params = self.export_ssm_parameters(resource_values)
 
         if exported_params:
             logger.info(f"Exported {len(exported_params)} Cognito parameters to SSM")

cdk_factory/stack_library/dynamodb/dynamodb_stack.py

@@ -152,7 +152,7 @@ class DynamoDBStack(IStack, StandardizedSsmMixin):
         # Setup enhanced SSM integration with proper resource type and name
         # Use "app-table" as resource identifier for SSM paths, not the full table name
 
-        self.setup_standardized_ssm_integration(
+        self.setup_ssm_integration(
             scope=self,
             config=self.stack_config.dictionary.get("dynamodb", {}),
             resource_type="dynamodb",
@@ -178,7 +178,7 @@ class DynamoDBStack(IStack, StandardizedSsmMixin):
         resource_values = {k: v for k, v in resource_values.items() if v is not None}
 
         # Use enhanced SSM parameter export
-        exported_params = self.export_standardized_ssm_parameters(resource_values)
+        exported_params = self.export_ssm_parameters(resource_values)
 
         if exported_params:
             logger.info(f"Exported {len(exported_params)} DynamoDB parameters to SSM")

cdk_factory/stack_library/ecs/__init__.py

@@ -5,10 +5,8 @@ Contains ECS-related stack modules for creating and managing
 ECS clusters, services, and related resources.
 """
 
-from .ecs_cluster_stack_standardized import EcsClusterStack
-from .ecs_service_stack import EcsServiceStack
+from .ecs_cluster_stack import EcsClusterStack
 
 __all__ = [
-    "EcsClusterStack",
-    "EcsServiceStack"
+    "EcsClusterStack"
 ]

cdk_factory/stack_library/ecs/{ecs_cluster_stack_standardized.py → ecs_cluster_stack.py}

@@ -86,17 +86,20 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         # Initialize VPC cache from mixin
         self._initialize_vpc_cache()
         
-        # Load ECS cluster configuration
-        self.ecs_config: EcsClusterConfig = EcsClusterConfig(
-            stack_config.dictionary.get("ecs_cluster", {})
-        )
+        # Load ECS cluster configuration with full stack config for SSM access
+        ecs_cluster_dict = stack_config.dictionary.get("ecs_cluster", {})
+        # Merge SSM config from root level into ECS config for VPC resolution
+        if "ssm" in stack_config.dictionary:
+            ecs_cluster_dict["ssm"] = stack_config.dictionary["ssm"]
+        
+        self.ecs_config: EcsClusterConfig = EcsClusterConfig(ecs_cluster_dict)
         
         cluster_name = deployment.build_resource_name(self.ecs_config.name)
         
         logger.info(f"Creating ECS Cluster stack: {cluster_name}")
         
         # Setup standardized SSM integration
-        self.setup_standardized_ssm_integration(
+        self.setup_ssm_integration(
             scope=self,
             config=self.ecs_config,
             resource_type="ecs_cluster",
@@ -106,7 +109,7 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         )
 
         # Process SSM imports using standardized method
-        self.process_standardized_ssm_imports()
+        self.process_ssm_imports()
         
         # Create the ECS cluster
         self._create_ecs_cluster()
@@ -118,7 +121,9 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         self._export_cluster_info()
         
         # Export SSM parameters
+        logger.info("Starting SSM parameter export for ECS cluster")
         self._export_ssm_parameters()
+        logger.info("Completed SSM parameter export for ECS cluster")
         
         logger.info(f"ECS Cluster stack created: {cluster_name}")
 
@@ -131,7 +136,7 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
 
         # Add container insights if enabled
         if self.ecs_config.container_insights:
-            cluster_settings.append({"name": "containerInsights", "value": "enabled"})
+            cluster_settings.append({"name": "containerInsightsV2", "value": "enabled"})
 
         # Add custom cluster settings
         if self.ecs_config.cluster_settings:
@@ -146,7 +151,7 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             "ECSCluster",
             cluster_name=self.ecs_config.name,
             vpc=self.vpc,
-            container_insights=self.ecs_config.container_insights,
+            container_insights_v2=ecs.ContainerInsights.ENABLED if self.ecs_config.container_insights else ecs.ContainerInsights.DISABLED,
             default_cloud_map_namespace=(
                 self.ecs_config.cloud_map_namespace
                 if self.ecs_config.cloud_map_namespace
@@ -165,7 +170,8 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         """
         Get VPC using the centralized VPC provider mixin.
         """
-        # Use the centralized VPC resolution from VPCProviderMixin
+        
+        # Use the stack_config (not ecs_config) to ensure SSM imports are available
         return self.resolve_vpc(
             config=self.ecs_config,
             deployment=self.deployment,
@@ -174,6 +180,8 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
 
     def _create_iam_roles(self):
         """Create IAM roles for the ECS cluster if configured."""
+        logger.info(f"create_instance_role setting: {self.ecs_config.create_instance_role}")
+        
         if not self.ecs_config.create_instance_role:
             logger.info("Skipping instance role creation (disabled in config)")
             return
@@ -186,21 +194,25 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             "ECSInstanceRole",
             assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
             managed_policies=[
-                iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerServiceforEC2Role"),
+                iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2ContainerServiceforEC2Role"),
                 iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryReadOnly"),
                 iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"),
             ],
             role_name=f"{self.ecs_config.name}-ecs-instance-role",
         )
 
+        logger.info(f"Created ECS instance role: {self.instance_role.role_name}")
+
         # Create instance profile
         self.instance_profile = iam.CfnInstanceProfile(
             self,
             "ECSInstanceProfile",
-            roles=[self.instance_role.role_name],
             instance_profile_name=f"{self.ecs_config.name}-ecs-instance-profile",
+            roles=[self.instance_role.role_name],
         )
 
+        logger.info(f"Created ECS instance profile: {self.instance_profile.instance_profile_name}")
+
         logger.info("ECS instance role and profile created")
 
     def _export_cluster_info(self):
@@ -254,52 +266,51 @@ class EcsClusterStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
 
     def _export_ssm_parameters(self) -> None:
         """Export SSM parameters using standardized approach"""
+        logger.info("=== Starting SSM Parameter Export ===")
+        
         if not self.ecs_cluster:
             logger.warning("No ECS cluster to export")
             return
 
+        logger.info(f"ECS cluster found: {self.ecs_cluster.cluster_name}")
+        logger.info(f"SSM exports configured: {self.ssm_config.get('exports', {})}")
+
         # Prepare resource values for export
         resource_values = {
-            "ecs_cluster_name": self.ecs_cluster.cluster_name,
-            "ecs_cluster_arn": self.ecs_cluster.cluster_arn,
+            "cluster_name": self.ecs_cluster.cluster_name,
+            "cluster_arn": self.ecs_cluster.cluster_arn,
         }
         
+        # Add instance role ARN if created
+        if self.instance_role:
+            resource_values["instance_role_arn"] = self.instance_role.role_arn
+            logger.info(f"Instance role ARN added: {self.instance_role.role_name}")
+        else:
+            logger.info("No instance role to export")
+        
         # Add security group ID if available
         if hasattr(self.ecs_cluster, 'connections') and self.ecs_cluster.connections:
             security_groups = self.ecs_cluster.connections.security_groups
             if security_groups:
-                resource_values["ecs_cluster_security_group_id"] = security_groups[0].security_group_id
+                resource_values["security_group_id"] = security_groups[0].security_group_id
+                logger.info(f"Security group ID added: {security_groups[0].security_group_id}")
         
         # Add instance profile ARN if created
         if self.instance_profile:
-            resource_values["ecs_instance_profile_arn"] = self.instance_profile.attr_arn
+            resource_values["instance_profile_arn"] = self.instance_profile.attr_arn
+            logger.info(f"Instance profile ARN added: {self.instance_profile.instance_profile_name}")
 
         # Export using standardized SSM mixin
-        exported_params = self.export_standardized_ssm_parameters(resource_values)
-        
-        logger.info(f"Exported SSM parameters: {exported_params}")
-
-    # Backward compatibility methods
-    def process_ssm_imports(self, config: Any, deployment: DeploymentConfig, resource_type: str = "resource") -> None:
-        """Backward compatibility method for existing modules."""
-        # Extract SSM configuration from old format
-        if hasattr(config, 'ssm_imports'):
-            # Convert old ssm_imports format to new format
-            old_imports = config.ssm_imports
-            new_imports = {}
+        logger.info(f"Resource values available for export: {list(resource_values.keys())}")
+        for key, value in resource_values.items():
+            logger.info(f"  {key}: {value}")
             
-            for key, value in old_imports.items():
-                # Resolve template variables using old method
-                if isinstance(value, str) and not value.startswith('/'):
-                    value = f"/{deployment.environment}/{deployment.workload_name}/{value}"
-                new_imports[key] = value
-            
-            # Update SSM config
-            self.ssm_config = {"imports": new_imports}
-        
-        # Process imports using standardized method
-        self.process_standardized_ssm_imports()
-
-
-# Backward compatibility alias
+        try:
+            exported_params = self.export_ssm_parameters(resource_values)
+            logger.info(f"Successfully exported SSM parameters: {exported_params}")
+        except Exception as e:
+            logger.error(f"Failed to export SSM parameters: {str(e)}")
+            raise
+
+    # Backward compatibility alias
 EcsClusterStackStandardized = EcsClusterStack

cdk_factory/stack_library/ecs/ecs_service_stack.py

@@ -101,6 +101,7 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         
         # Add outputs
         self._add_outputs(service_name)
+        self._export_to_ssm(service_name)
 
     def _load_vpc(self) -> None:
         """Load VPC using the centralized VPC provider mixin."""
@@ -225,6 +226,9 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
                     "CloudWatchAgentServerPolicy"
                 )
             )
+
+        # add any custom policies
+        self._add_custom_task_policies(task_role)
         
         # Create task definition based on launch type
         if self.ecs_config.launch_type == "EC2":
@@ -237,6 +241,7 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
                 network_mode=ecs.NetworkMode(network_mode.upper()) if network_mode else ecs.NetworkMode.BRIDGE,
                 execution_role=execution_role,
                 task_role=task_role,
+                inference_accelerators=None
             )
         else:
             # Fargate task definition
@@ -248,6 +253,7 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
                 memory_limit_mib=int(self.ecs_config.memory),
                 execution_role=execution_role,
                 task_role=task_role,
+                inference_accelerators=None
             )
         
         # Add volumes to task definition
@@ -256,6 +262,37 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         # Add containers
         self._add_containers_to_task()
 
+    def _add_custom_task_policies(self, task_role: iam.Role) -> None:
+        """
+        Add custom task policies to the task definition.
+        """
+        for policy in self.ecs_config.task_definition.get("policies", []):
+
+            effect = policy.get("effect", "Allow")
+            action = policy.get("action", None)
+            actions = policy.get("actions", [])
+            if action:
+                actions.append(action)
+            resources = policy.get("resources", [])
+            resource = policy.get("resource", None)
+            if resource:
+                resources.append(resource)
+
+            if effect == "Allow" and actions:
+                effect = iam.Effect.ALLOW
+            if effect == "Deny" and actions:
+                effect = iam.Effect.DENY
+
+            sid = policy.get("sid", None)
+            task_role.add_to_policy(
+                iam.PolicyStatement(
+                    effect=effect,
+                    actions=actions,
+                    resources=resources,
+                    sid=sid,
+                )
+            )
+
     def _add_volumes_to_task(self) -> None:
         """
         Add volumes to the task definition.
@@ -540,6 +577,14 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         """Attach service to load balancer target groups"""
         target_group_arns = self.ecs_config.target_group_arns
         
+        if target_group_arns:
+            tmp = []
+            for tg_arn in target_group_arns:
+                import hashlib
+                unique_id = hashlib.md5(tg_arn.encode()).hexdigest()
+                tmp.append(self.resolve_ssm_value(self, tg_arn, unique_id))
+            target_group_arns = tmp
+        
         if not target_group_arns:
             # Try to load from SSM if configured
             target_group_arns = self._load_target_groups_from_ssm()
@@ -563,7 +608,7 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         for param_key, param_name in ssm_imports.items():
             if 'target_group' in param_key.lower() or 'tg' in param_key.lower():
                 try:
-                    param_value = self.get_ssm_parameter_value(param_name)
+                    param_value = self.get_ssm_imported_value(param_name)
                     if param_value and param_value.startswith('arn:'):
                         target_group_arns.append(param_value)
                 except Exception as e:
@@ -595,35 +640,13 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             scale_out_cooldown=cdk.Duration.seconds(60),
         )
 
+    
+
     def _add_outputs(self, service_name: str) -> None:
         """Add CloudFormation outputs"""
+        return
         
-        # Service name output
-        cdk.CfnOutput(
-            self,
-            "ServiceName",
-            value=self.service.service_name,
-            description=f"ECS Service Name: {service_name}",
-        )
         
-        # Service ARN output
-        cdk.CfnOutput(
-            self,
-            "ServiceArn",
-            value=self.service.service_arn,
-            description=f"ECS Service ARN: {service_name}",
-        )
-        
-        # Cluster name output
-        cdk.CfnOutput(
-            self,
-            "ClusterName",
-            value=self.cluster.cluster_name,
-            description=f"ECS Cluster Name for {service_name}",
-        )
-        
-        # Export to SSM if configured
-        self._export_to_ssm(service_name)
 
     def _export_to_ssm(self, service_name: str) -> None:
         """Export resource ARNs and names to SSM Parameter Store"""