PyPI - cdk-factory - Versions diffs - 0.19.19__py3-none-any.whl → 0.20.5__py3-none-any.whl - Mend

cdk-factory 0.19.19py3-none-any.whl → 0.20.5py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/edge_log_retention.py ADDED Viewed

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+import boto3
+from botocore.exceptions import ClientError
+import os
+profile_name = os.getenv('AWS_PROFILE')
+session = boto3.Session(region_name='us-east-1', profile_name=profile_name)
+ec2 = session.client('ec2')
+def set_edge_log_retention(retention_days=7, dry_run=True):
+    """
+    Find Lambda@Edge log groups across all regions and set retention policies.
+    Args:
+        retention_days (int): Number of days to retain logs
+        dry_run (bool): If True, only show what would be changed
+    """
+    # Get all AWS regions
+    regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]
+    edge_log_groups = []
+    total_changed = 0
+    print(f"🔍 Hunting for Lambda@Edge log groups across {len(regions)} regions...")
+    print(f"🎯 Target retention: {retention_days} days")
+    print(f"🧪 Dry run: {dry_run}")
+    print("=" * 60)
+    for region in regions:
+        try:
+            logs = session.client('logs', region_name=region)
+            # Find log groups with us-east-1 prefix (indicating Edge functions)
+            paginator = logs.get_paginator('describe_log_groups')
+            for page in paginator.paginate():
+                for log_group in page.get('logGroups', []):
+                    log_group_name = log_group['logGroupName']
+                    # Check if it's a Lambda@Edge log group
+                    if '/aws/lambda/us-east-1.' in log_group_name:
+                        current_retention = log_group.get('retentionInDays')
+                        edge_log_groups.append({
+                            'region': region,
+                            'name': log_group_name,
+                            'current_retention': current_retention,
+                            'stored_bytes': log_group.get('storedBytes', 0)
+                        })
+                        # Set retention if needed
+                        if current_retention != retention_days:
+                            if dry_run:
+                                print(f"📍 {region}: Would set {log_group_name} to {retention_days} days (current: {current_retention})")
+                            else:
+                                try:
+                                    logs.put_retention_policy(
+                                        logGroupName=log_group_name,
+                                        retentionInDays=retention_days
+                                    )
+                                    print(f"✅ {region}: Set {log_group_name} to {retention_days} days")
+                                    total_changed += 1
+                                except ClientError as e:
+                                    print(f"❌ {region}: Failed to set {log_group_name} - {e}")
+                        else:
+                            print(f"✓ {region}: {log_group_name} already has {retention_days} days retention")
+        except ClientError as e:
+            # Skip regions where CloudWatch Logs isn't available
+            continue
+    print("=" * 60)
+    print(f"📊 Summary:")
+    print(f"   Found {len(edge_log_groups)} Lambda@Edge log groups")
+    print(f"   Total storage: {sum(g['stored_bytes'] for g in edge_log_groups) / (1024**3):.2f} GB")
+    if not dry_run:
+        print(f"   Changed {total_changed} log groups")
+    return edge_log_groups
+if __name__ == "__main__":
+    # Dry run first to see what would be changed
+    edge_logs = set_edge_log_retention(retention_days=7, dry_run=True)
+    # Uncomment the line below to actually make changes
+    # set_edge_log_retention(retention_days=7, dry_run=False)

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/requirements.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ # aws-lambda-powertools
2	+ aws-lambda-powertools

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/test.py ADDED Viewed

@@ -0,0 +1,22 @@
+from app import lambda_handler
+if __name__ == "__main__":
+    event = {
+        "version": "0",
+        "id": "12345678-1234-1234-1234-123456789012",
+        "detail-type": "Scheduled Event",
+        "source": "aws.events",
+        "account": "123456789012",
+        "time": "2024-01-15T10:00:00Z",
+        "region": "us-east-1",
+        "resources": [
+            "arn:aws:events:us-east-1:123456789012:rule/LogRetentionManager"
+        ],
+        "detail": {
+            "days": 7,
+            "dry_run": False
+        }
+    }
+    lambda_handler(event, None)

cdk_factory/stack_library/lambda_edge/lambda_edge_log_retention_stack.py ADDED Viewed

File without changes

cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py CHANGED Viewed

@@ -134,7 +134,12 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         resolved_env = {}
-        for key, value in self.edge_config.environment.items():
+        # Use the new simplified configuration structure
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        ui_config = configuration.get("ui", {})
+        for key, value in runtime_config.items():
             # Check if value is an SSM parameter reference
             if isinstance(value, str) and value.startswith("{{ssm:") and value.endswith("}}"):
                 # Extract SSM parameter path
@@ -216,11 +221,23 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         # Use the full function_name (e.g., "tech-talk-dev-ip-gate") not just the base name
         resolved_env = self._resolve_environment_variables()
+        # Get the UI configuration
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        ui_config = configuration.get("ui", {})
+        workload_name = self.deployment.workload.get("name")
+        if not workload_name:
+            raise ValueError("Workload name is required for Lambda@Edge function")
         runtime_config = {
             'environment': self.deployment.environment,
+            'workload': workload_name,
             'function_name': function_name,
             'region': self.deployment.region,
-            'environment_variables': resolved_env  # Add actual environment variables
+            'runtime': resolved_env,  # Runtime variables (SSM, etc.)
+            'ui': ui_config  # UI configuration (colors, messages, etc.)
         }
         runtime_config_path = temp_code_dir / 'runtime_config.json'
@@ -250,12 +267,15 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         )
         # Log warning if environment variables are configured
-        if self.edge_config.environment:
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        if runtime_config:
             logger.warning(
                 f"Lambda@Edge function '{function_name}' has environment variables configured, "
                 "but Lambda@Edge does not support environment variables. The function must fetch these values from SSM Parameter Store at runtime."
             )
-            for key, value in self.edge_config.environment.items():
+            for key, value in runtime_config.items():
                 logger.warning(f"  - {key}: {value}")
         # Create execution role with CloudWatch Logs and SSM permissions
@@ -276,7 +296,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         )
         # Add SSM read permissions if environment variables reference SSM parameters
-        if self.edge_config.environment:
+        if runtime_config:
             execution_role.add_to_policy(
                 iam.PolicyStatement(
                     effect=iam.Effect.ALLOW,
@@ -286,7 +306,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                         "ssm:GetParametersByPath"
                     ],
                     resources=[
-                        f"arn:aws:ssm:*:{cdk.Aws.ACCOUNT_ID}:parameter/*"
+                        f"arn:aws:ssm:*:{self.deployment.account}:parameter/*"
                     ]
                 )
             )
@@ -300,7 +320,70 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                     "secretsmanager:DescribeSecret"
                 ],
                 resources=[
-                    f"arn:aws:secretsmanager:*:{cdk.Aws.ACCOUNT_ID}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                    f"arn:aws:secretsmanager:*:{self.deployment.account}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                ]
+            )
+        )
+        # Add ELB permissions for target health API access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "elasticloadbalancing:DescribeTargetHealth",
+                    "elasticloadbalancing:DescribeTargetGroups",
+                    "elasticloadbalancing:DescribeLoadBalancers",
+                    "elasticloadbalancing:DescribeListeners",
+                    "elasticloadbalancing:DescribeTags"
+                ],
+                resources=[
+                    "*"
+                ]
+            )
+        )
+        # Add ACM permissions for certificate validation
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "acm:DescribeCertificate",
+                    "acm:ListCertificates"
+                ],
+                resources=[
+                    f"arn:aws:acm:*:{self.deployment.account}:certificate/*"
+                ]
+            )
+        )
+        # Add Route 53 permissions for health check access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "route53:GetHealthCheckStatus",
+                    "route53:ListHealthChecks",
+                    "route53:GetHealthCheck"
+                ],
+                resources=[
+                    f"arn:aws:route53:::{self.deployment.account}:health-check/*"
+                ]
+            )
+        )
+        # Add CloudWatch permissions for enhanced logging and metrics
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                    "cloudwatch:PutMetricData"
+                ],
+                resources=[
+                    f"arn:aws:logs:*:{self.deployment.account}:log-group:/aws/lambda/*",
+                    f"arn:aws:cloudwatch:*:{self.deployment.account}:metric:*"
                 ]
             )
         )
@@ -437,8 +520,11 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         configuration = self.edge_config.dictionary.get("configuration", {})
         environment_variables = configuration.get("environment_variables", {})
+        # Build full configuration that Lambda@Edge expects
         full_config = {
-            "environment_variables": environment_variables
+            "environment_variables": environment_variables,
+            "runtime": configuration.get("runtime", {}),
+            "ui": configuration.get("ui", {})
         }
         self.export_ssm_parameter(

cdk_factory/stack_library/load_balancer/load_balancer_stack.py CHANGED Viewed

@@ -459,6 +459,10 @@ class LoadBalancerStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             # Parse AWS ALB conditions format
             aws_conditions = rule_config.get("conditions", [])
             for condition in aws_conditions:
+                enabled = str(condition.get("enabled", True)).lower()
+                if enabled != "true":
+                    continue
                 field = condition.get("field")
                 if field == "http-header" and "http_header_config" in condition:
                     header_config = condition["http_header_config"]

cdk_factory/stack_library/route53/route53_stack.py CHANGED Viewed

@@ -27,6 +27,7 @@ from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 from cdk_factory.stack.stack_module_registry import register_stack
 from cdk_factory.workload.workload_factory import WorkloadConfig
 logger = Logger(service="Route53Stack")
@@ -48,7 +49,8 @@ class Route53Stack(IStack, StandardizedSsmMixin):
         self.hosted_zone = None
         self.certificate = None
         self.records = {}
-        self._distribution_cache = {}  # Cache for reusing distributions
+        self._local_cache = {}  # Cache for reusing distributions
+        self._missing_configurations = []
     def build(self, stack_config: StackConfig, deployment: DeploymentConfig, workload: WorkloadConfig) -> None:
         """Build the Route53 stack"""
@@ -119,7 +121,7 @@ class Route53Stack(IStack, StandardizedSsmMixin):
         return certificate
     def _create_dns_records(self) -> None:
-        self._create_dns_records_old()
+        # self._create_dns_records_old()
         self._create_dns_records_new()
@@ -128,7 +130,7 @@ class Route53Stack(IStack, StandardizedSsmMixin):
         # Create a unique cache key from distribution domain and ID
         cache_key = f"{distribution_domain}-{distribution_id}"
-        if cache_key not in self._distribution_cache:
+        if cache_key not in self._local_cache:
             # Create the distribution construct with a unique ID
             unique_id = f"CF-{distribution_domain.replace('.', '-').replace('*', 'wildcard')}-{hash(cache_key) % 10000}"
             distribution = cloudfront.Distribution.from_distribution_attributes(
@@ -136,104 +138,108 @@ class Route53Stack(IStack, StandardizedSsmMixin):
                 domain_name=distribution_domain,
                 distribution_id=distribution_id
             )
-            self._distribution_cache[cache_key] = distribution
+            self._local_cache[cache_key] = distribution
             logger.info(f"Created CloudFront distribution construct for {distribution_domain}")
-        return self._distribution_cache[cache_key]
+        return self._local_cache[cache_key]
+    def _get_or_create_alb_target(self, record_name: str, target_value: str, load_balancer_zone_id: str, security_group_id: str, load_balancer_dns_name: str) -> targets.LoadBalancerTarget:
+        """Get or create a CloudFront distribution, reusing if already created"""
+        # Create a unique cache key from distribution domain and ID
+        cache_key = f"{record_name}-alb"
+        if cache_key not in self._local_cache:
+            # Create the distribution construct with a unique ID
+            target = targets.LoadBalancerTarget(
+                elbv2.ApplicationLoadBalancer.from_application_load_balancer_attributes(
+                    self, f"ALB-{record_name}",
+                    load_balancer_arn=target_value,
+                    load_balancer_canonical_hosted_zone_id=load_balancer_zone_id,
+                    security_group_id=security_group_id,
+                    load_balancer_dns_name=load_balancer_dns_name,
+                )
+            )
+            self._local_cache[cache_key] = target
+            logger.info(f"Created ALB target construct for ALB-{record_name}")
+        return self._local_cache[cache_key]
     def _create_dns_records_new(self) -> None:
         """Create DNS records based on configuration - generic implementation"""
-        missing_configurations = []
         for record in self.route53_config.records:
-            record_name = record.get("name", "")
-            record_type = record.get("type", "")
+            t = record.get("type")
+            record_name = self._get_resolved_value(config=record, key="name", record_type=t)
+            record_type = self._get_resolved_value(config=record, key="type", record_type=t)
-            if not record_name or not record_type:
-                message = f"Record missing name or type: {record}"
-                logger.warning(message)
-                missing_configurations.append(message)
-                continue
             # Handle alias records
             if "alias" in record:
                 alias_config = record["alias"]
-                target_type = alias_config.get("target_type", "")
-                target_value = alias_config.get("target_value", "")
-                hosted_zone_id = alias_config.get("hosted_zone_id", "")
-                unique_id = f"{record_name}-{record_type}"
-                # Handle SSM parameter references in target_value
-                target_value = self.resolve_ssm_value(self, target_value, unique_id=unique_id)
+                target_type = self._get_resolved_value(config=alias_config, key="target_type", record_type=record_type)
+                target_value = self._get_resolved_value(config=alias_config, key="target_value", record_type=record_type)
-                if not target_type or not target_value:
-                    message = f"Alias record missing target_type or target_value: {record}"
-                    logger.warning(message)
-                    missing_configurations.append(message)
-                    continue
                 # Create appropriate target based on type
                 alias_target = None
                 if target_type == "cloudfront":
                     # CloudFront distribution target
                     distribution_domain = target_value
-                    distribution_id = alias_config.get("distribution_id", "")
-                    if not distribution_id:
-                        message = f"Alias record missing distribution_id: {record}"
-                        logger.warning(message)
-                        missing_configurations.append(message)
-                        continue
+                    distribution_id = self._get_resolved_value(config=alias_config, key="distribution_id", record_type=record_type)
                     # Get or create the distribution (reuses if already created)
                     distribution = self._get_or_create_cloudfront_distribution(distribution_domain, distribution_id)
                     alias_target = route53.RecordTarget.from_alias(
                         targets.CloudFrontTarget(distribution)
                     )
-                elif target_type == "loadbalancer" or target_type == "alb":
-                    # Load Balancer target
-                    alias_target = route53.RecordTarget.from_alias(
-                        targets.LoadBalancerTarget(
-                            elbv2.ApplicationLoadBalancer.from_load_balancer_attributes(
-                                self, f"ALB-{record_name}",
-                                load_balancer_dns_name=target_value,
-                                load_balancer_canonical_hosted_zone_id=hosted_zone_id
-                            )
-                        )
-                    )
-                elif target_type == "elbv2":
-                    # Generic ELBv2 target
-                    alias_target = route53.RecordTarget.from_alias(
-                        targets.LoadBalancerTarget(
-                            elbv2.ApplicationLoadBalancer.from_load_balancer_attributes(
-                                self, f"ELB-{record_name}",
-                                load_balancer_dns_name=target_value,
-                                load_balancer_canonical_hosted_zone_id=hosted_zone_id
-                            )
-                        )
-                    )
+                elif target_type == "loadbalancer" or target_type == "alb" or target_type == "elbv2":
+                    # ALB alias target using imported load balancer attributes
+                    security_group_id=self._get_resolved_value(config=alias_config, key="security_group_id", record_type=record_type)
+                    load_balancer_dns_name = self._get_resolved_value(config=alias_config, key="load_balancer_dns_name", record_type=record_type)
+                    load_balancer_zone_id = self._get_resolved_value(config=alias_config, key="load_balancer_zone_id", record_type=record_type)
+                    target = self._get_or_create_alb_target(record_name, target_value, load_balancer_zone_id, security_group_id, load_balancer_dns_name)
+                    alias_target = route53.RecordTarget.from_alias(target)
                 else:
                     message = f"Unsupported alias target type: {target_type}"
                     logger.warning(message)
                     missing_configurations.append(message)
                     continue
-                # Create the alias record
-                route53.ARecord(
-                    self,
-                    f"AliasRecord-{record_name}-{record_type}",
-                    zone=self.hosted_zone,
-                    record_name=record_name,
-                    target=alias_target,
-                    ttl=cdk.Duration.seconds(record.get("ttl", 300))
-                ) if record_type == "A" else route53.AaaaRecord(
-                    self,
-                    f"AliasRecord-{record_name}-{record_type}",
-                    zone=self.hosted_zone,
+                route_53_record = None
+                id = f"AliasRecord-{record_name}-{record_type}"
+                print(f"creating record {id}")
+                if record_type == "A":
+                    route_53_record = route53.ARecord(
+                        self,
+                        id,
+                        zone=self.hosted_zone,
                     record_name=record_name,
                     target=alias_target,
                     ttl=cdk.Duration.seconds(record.get("ttl", 300))
                 )
+                elif record_type == "AAAA":
+                    route_53_record = route53.AaaaRecord(
+                        self,
+                        id,
+                        zone=self.hosted_zone,
+                        record_name=record_name,
+                        target=alias_target,
+                        ttl=cdk.Duration.seconds(record.get("ttl", 300))
+                    )
             # Handle standard records with values
             elif "values" in record:
@@ -326,89 +332,47 @@ class Route53Stack(IStack, StandardizedSsmMixin):
                 else:
                     message = f"Unsupported record type: {record_type}"
                     logger.warning(message)
-                    missing_configurations.append(message)
+                    self._missing_configurations.append(message)
                     continue
             else:
                 message = f"Record missing 'alias' or 'values' configuration: {record}"
                 logger.warning(message)
-                missing_configurations.append(message)
+                self._missing_configurations.append(message)
                 continue
-        if missing_configurations and len(missing_configurations) > 0:
+        if self._missing_configurations and len(self._missing_configurations) > 0:
             # print all missing configurations
             print("Missing configurations:")
-            for message in missing_configurations:
+            for message in self._missing_configurations:
                 print(message)
-            messages = "\n".join(missing_configurations)
+            messages = "\n".join(self._missing_configurations)
             raise ValueError(f"Missing Configurations:\n{messages}")
-    def _create_dns_records_old(self) -> None:
-        """Create DNS records based on configuration"""
-        # Create alias records
-        for alias_record in self.route53_config.aliases:
-            record_name = alias_record.get("name", "")
-            target_type = alias_record.get("target_type", "")
-            target_value = alias_record.get("target_value", "")
-            # target value needs to handle SSM parameters
-            if "{{ssm:" in target_value and "}}" in target_value:
-                # Extract SSM parameter path from template like {{ssm:/path/to/parameter}}
-                ssm_path = target_value.split("{{ssm:")[1].split("}}")[0]
-                target_value = self.get_ssm_imported_value(ssm_path)
+    def _get_resolved_value(self, *, config: dict, key: str, required: bool = True, record_type: str = ""   ) -> str:
+        value = config.get(key, "")
+        x = str(value).replace("{", "").replace("}", "").replace(":", "")
+        unique_id = f"{key}-id-{record_type}-{x}"
-            if not record_name or not target_type or not target_value:
-                continue
-            # Determine the alias target
-            alias_target = None
-            if target_type == "alb":
-                # Get the ALB from the workload if available
-                if hasattr(self.workload, "load_balancer"):
-                    alb = self.workload.load_balancer
-                    alias_target = route53.RecordTarget.from_alias(targets.LoadBalancerTarget(alb))
-                else:
-                    # Try to get ALB from target value
-                    alb = elbv2.ApplicationLoadBalancer.from_lookup(
-                        self,
-                        f"ALB-{record_name}",
-                        load_balancer_arn=target_value
-                    )
-                    alias_target = route53.RecordTarget.from_alias(targets.LoadBalancerTarget(alb))
-            elif target_type == "cloudfront":
-                # For CloudFront, we would need the distribution
-                # This is a simplified implementation
-                pass
-            if alias_target:
-                record = route53.ARecord(
-                    self,
-                    f"AliasRecord-{record_name}",
-                    zone=self.hosted_zone,
-                    record_name=record_name,
-                    target=alias_target
-                )
-                self.records[record_name] = record
-        # Create CNAME records
-        for cname_record in self.route53_config.cname_records:
-            record_name = cname_record.get("name", "")
-            target_domain = cname_record.get("target_domain", "")
-            ttl = cname_record.get("ttl", 300)
-            if not record_name or not target_domain:
-                continue
-            record = route53.CnameRecord(
-                self,
-                f"CnameRecord-{record_name}",
-                zone=self.hosted_zone,
-                record_name=record_name,
-                domain_name=target_domain,
-                ttl=cdk.Duration.seconds(ttl)
-            )
-            self.records[record_name] = record
+        if unique_id in self._local_cache:
+            return self._local_cache[unique_id]
+        # Handle SSM parameter references in target_value
+        value = self.resolve_ssm_value(self, value, unique_id=unique_id)
+        if required and not value:
+            self._missing_configurations.append(f"Missing required value for key: {key}")
+        self._local_cache[unique_id] = value
+        return value
     def _add_outputs(self) -> None:
         """Add CloudFormation outputs for the Route53 resources"""

cdk_factory/version.py CHANGED Viewed

	@@ -1 +1 @@
1	- __version__ = "0.19.19"
1	+ __version__ = "0.20.5"

{cdk_factory-0.19.19.dist-info → cdk_factory-0.20.5.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.19.19
+Version: 0.20.5
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

cdk-factory 0.19.19__py3-none-any.whl → 0.20.5__py3-none-any.whl

cdk-factory 0.19.19py3-none-any.whl → 0.20.5py3-none-any.whl