cdk-factory 0.19.19__py3-none-any.whl → 0.21.1__py3-none-any.whl

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/edge_log_retention.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+import boto3
+from botocore.exceptions import ClientError
+import os
+
+profile_name = os.getenv('AWS_PROFILE')
+session = boto3.Session(region_name='us-east-1', profile_name=profile_name)
+ec2 = session.client('ec2')
+
+def set_edge_log_retention(retention_days=7, dry_run=True):
+    """
+    Find Lambda@Edge log groups across all regions and set retention policies.
+    
+    Args:
+        retention_days (int): Number of days to retain logs
+        dry_run (bool): If True, only show what would be changed
+    """
+    # Get all AWS regions
+    regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]
+    
+    edge_log_groups = []
+    total_changed = 0
+    
+    print(f"🔍 Hunting for Lambda@Edge log groups across {len(regions)} regions...")
+    print(f"🎯 Target retention: {retention_days} days")
+    print(f"🧪 Dry run: {dry_run}")
+    print("=" * 60)
+    
+    for region in regions:
+        try:
+            logs = session.client('logs', region_name=region)
+            
+            # Find log groups with us-east-1 prefix (indicating Edge functions)
+            paginator = logs.get_paginator('describe_log_groups')
+            for page in paginator.paginate():
+                for log_group in page.get('logGroups', []):
+                    log_group_name = log_group['logGroupName']
+                    
+                    # Check if it's a Lambda@Edge log group
+                    if '/aws/lambda/us-east-1.' in log_group_name:
+                        current_retention = log_group.get('retentionInDays')
+                        
+                        edge_log_groups.append({
+                            'region': region,
+                            'name': log_group_name,
+                            'current_retention': current_retention,
+                            'stored_bytes': log_group.get('storedBytes', 0)
+                        })
+                        
+                        # Set retention if needed
+                        if current_retention != retention_days:
+                            if dry_run:
+                                print(f"📍 {region}: Would set {log_group_name} to {retention_days} days (current: {current_retention})")
+                            else:
+                                try:
+                                    logs.put_retention_policy(
+                                        logGroupName=log_group_name,
+                                        retentionInDays=retention_days
+                                    )
+                                    print(f"✅ {region}: Set {log_group_name} to {retention_days} days")
+                                    total_changed += 1
+                                except ClientError as e:
+                                    print(f"❌ {region}: Failed to set {log_group_name} - {e}")
+                        else:
+                            print(f"✓ {region}: {log_group_name} already has {retention_days} days retention")
+                            
+        except ClientError as e:
+            # Skip regions where CloudWatch Logs isn't available
+            continue
+    
+    print("=" * 60)
+    print(f"📊 Summary:")
+    print(f"   Found {len(edge_log_groups)} Lambda@Edge log groups")
+    print(f"   Total storage: {sum(g['stored_bytes'] for g in edge_log_groups) / (1024**3):.2f} GB")
+    if not dry_run:
+        print(f"   Changed {total_changed} log groups")
+    
+    return edge_log_groups
+
+if __name__ == "__main__":
+    # Dry run first to see what would be changed
+    edge_logs = set_edge_log_retention(retention_days=7, dry_run=True)
+    
+    # Uncomment the line below to actually make changes
+    # set_edge_log_retention(retention_days=7, dry_run=False)

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/requirements.txt

@@ -0,0 +1,2 @@
+# aws-lambda-powertools
+aws-lambda-powertools

cdk_factory/stack_library/lambda_edge/functions/log_retention_manager/test.py

@@ -0,0 +1,22 @@
+from app import lambda_handler
+
+if __name__ == "__main__":
+
+    event = {
+        "version": "0",
+        "id": "12345678-1234-1234-1234-123456789012",
+        "detail-type": "Scheduled Event",
+        "source": "aws.events",
+        "account": "123456789012",
+        "time": "2024-01-15T10:00:00Z",
+        "region": "us-east-1",
+        "resources": [
+            "arn:aws:events:us-east-1:123456789012:rule/LogRetentionManager"
+        ],
+        "detail": {
+            "days": 7,
+            "dry_run": False
+        }
+    }
+    
+    lambda_handler(event, None)

cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -134,7 +134,12 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         
         resolved_env = {}
         
-        for key, value in self.edge_config.environment.items():
+        # Use the new simplified configuration structure
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        ui_config = configuration.get("ui", {})
+        
+        for key, value in runtime_config.items():
             # Check if value is an SSM parameter reference
             if isinstance(value, str) and value.startswith("{{ssm:") and value.endswith("}}"):
                 # Extract SSM parameter path
@@ -216,11 +221,23 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         # Use the full function_name (e.g., "tech-talk-dev-ip-gate") not just the base name
         resolved_env = self._resolve_environment_variables()
+        
+        # Get the UI configuration
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        ui_config = configuration.get("ui", {})
+        
+
+        workload_name = self.deployment.workload.get("name")
+
+        if not workload_name:
+            raise ValueError("Workload name is required for Lambda@Edge function")
         runtime_config = {
             'environment': self.deployment.environment,
+            'workload': workload_name,
             'function_name': function_name,
             'region': self.deployment.region,
-            'environment_variables': resolved_env  # Add actual environment variables
+            'runtime': resolved_env,  # Runtime variables (SSM, etc.)
+            'ui': ui_config  # UI configuration (colors, messages, etc.)
         }
         
         runtime_config_path = temp_code_dir / 'runtime_config.json'
@@ -250,12 +267,15 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         )
 
         # Log warning if environment variables are configured
-        if self.edge_config.environment:
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        runtime_config = configuration.get("runtime", {})
+        
+        if runtime_config:
             logger.warning(
                 f"Lambda@Edge function '{function_name}' has environment variables configured, "
                 "but Lambda@Edge does not support environment variables. The function must fetch these values from SSM Parameter Store at runtime."
             )
-            for key, value in self.edge_config.environment.items():
+            for key, value in runtime_config.items():
                 logger.warning(f"  - {key}: {value}")
         
         # Create execution role with CloudWatch Logs and SSM permissions
@@ -276,7 +296,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         )
         
         # Add SSM read permissions if environment variables reference SSM parameters
-        if self.edge_config.environment:
+        if runtime_config:
             execution_role.add_to_policy(
                 iam.PolicyStatement(
                     effect=iam.Effect.ALLOW,
@@ -286,7 +306,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                         "ssm:GetParametersByPath"
                     ],
                     resources=[
-                        f"arn:aws:ssm:*:{cdk.Aws.ACCOUNT_ID}:parameter/*"
+                        f"arn:aws:ssm:*:{self.deployment.account}:parameter/*"
                     ]
                 )
             )
@@ -300,7 +320,70 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                     "secretsmanager:DescribeSecret"
                 ],
                 resources=[
-                    f"arn:aws:secretsmanager:*:{cdk.Aws.ACCOUNT_ID}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                    f"arn:aws:secretsmanager:*:{self.deployment.account}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                ]
+            )
+        )
+        
+        # Add ELB permissions for target health API access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "elasticloadbalancing:DescribeTargetHealth",
+                    "elasticloadbalancing:DescribeTargetGroups",
+                    "elasticloadbalancing:DescribeLoadBalancers",
+                    "elasticloadbalancing:DescribeListeners",
+                    "elasticloadbalancing:DescribeTags"
+                ],
+                resources=[
+                    "*"
+                ]
+            )
+        )
+        
+        # Add ACM permissions for certificate validation
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "acm:DescribeCertificate",
+                    "acm:ListCertificates"
+                ],
+                resources=[
+                    f"arn:aws:acm:*:{self.deployment.account}:certificate/*"
+                ]
+            )
+        )
+        
+        # Add Route 53 permissions for health check access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "route53:GetHealthCheckStatus",
+                    "route53:ListHealthChecks",
+                    "route53:GetHealthCheck"
+                ],
+                resources=[
+                    f"arn:aws:route53:::{self.deployment.account}:health-check/*"
+                ]
+            )
+        )
+        
+        # Add CloudWatch permissions for enhanced logging and metrics
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                    "cloudwatch:PutMetricData"
+                ],
+                resources=[
+                    f"arn:aws:logs:*:{self.deployment.account}:log-group:/aws/lambda/*",
+                    f"arn:aws:cloudwatch:*:{self.deployment.account}:metric:*"
                 ]
             )
         )
@@ -437,8 +520,11 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         configuration = self.edge_config.dictionary.get("configuration", {})
         environment_variables = configuration.get("environment_variables", {})
         
+        # Build full configuration that Lambda@Edge expects
         full_config = {
-            "environment_variables": environment_variables
+            "environment_variables": environment_variables,
+            "runtime": configuration.get("runtime", {}),
+            "ui": configuration.get("ui", {})
         }
         
         self.export_ssm_parameter(

cdk_factory/stack_library/load_balancer/load_balancer_stack.py

@@ -459,6 +459,10 @@ class LoadBalancerStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             # Parse AWS ALB conditions format
             aws_conditions = rule_config.get("conditions", [])
             for condition in aws_conditions:
+                enabled = str(condition.get("enabled", True)).lower()
+                if enabled != "true":
+                    continue
+                
                 field = condition.get("field")
                 if field == "http-header" and "http_header_config" in condition:
                     header_config = condition["http_header_config"]

cdk_factory/stack_library/rds/rds_stack.py

@@ -67,14 +67,16 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         self.workload = workload
 
         self.rds_config = RdsConfig(stack_config.dictionary.get("rds", {}), deployment)
-        db_name = deployment.build_resource_name(self.rds_config.name)
+        # Use stable construct ID to prevent CloudFormation logical ID changes on pipeline rename
+        # The construct ID determines the CloudFormation logical ID, not the physical resource names
+        instance_identifier = self.rds_config.instance_identifier
 
         # Setup standardized SSM integration
         self.setup_ssm_integration(
             scope=self,
             config=self.rds_config,
             resource_type="rds",
-            resource_name=self.rds_config.name,
+            resource_name=instance_identifier,
             deployment=deployment,
             workload=workload
         )
@@ -87,15 +89,15 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
 
         # Create RDS instance or import existing
         if self.rds_config.existing_instance_id:
-            self.db_instance = self._import_existing_db(db_name)
+            self.db_instance = self._import_existing_db(instance_identifier)
         else:
-            self.db_instance = self._create_db_instance(db_name)
+            self.db_instance = self._create_db_instance(instance_identifier, instance_identifier)
 
         # Add outputs
-        self._add_outputs(db_name)
+        self._add_outputs(instance_identifier)
         
         # Export to SSM Parameter Store
-        self._export_ssm_parameters(db_name)
+        self._export_ssm_parameters(instance_identifier)
 
     @property
     def vpc(self) -> ec2.IVpc:
@@ -162,7 +164,7 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         else:
             raise ValueError("No subnets available in VPC for RDS instance")
 
-    def _create_db_instance(self, db_name: str) -> rds.DatabaseInstance:
+    def _create_db_instance(self, db_name: str, stable_db_id: str) -> rds.DatabaseInstance:
         """Create a new RDS instance"""
         # Configure subnet group
         # If we have subnet IDs from SSM, create a DB subnet group explicitly
@@ -232,7 +234,7 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             "vpc": self.vpc,
             "instance_type": instance_type,
             "credentials": rds.Credentials.from_generated_secret(
-                username=self.rds_config.username,
+                username=self.rds_config.master_username,
                 secret_name=self.rds_config.secret_name,
             ),
             "database_name": self.rds_config.database_name,
@@ -264,7 +266,7 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         else:
             db_props["vpc_subnets"] = subnets
         
-        db_instance = rds.DatabaseInstance(self, db_name, **db_props)
+        db_instance = rds.DatabaseInstance(self, stable_db_id, **db_props)
 
         # Add tags
         for key, value in self.rds_config.tags.items():
@@ -320,15 +322,15 @@ class RdsStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
             logger.info(f"Exported SSM parameter: {ssm_exports['db_port']}")
         
         # Export database name
-        if "db_name" in ssm_exports and self.rds_config.database_name:
+        if "db_instance_identifier" in ssm_exports and self.rds_config.instance_identifier:
             self.export_ssm_parameter(
                 scope=self,
                 id="SsmExportDbName",
-                value=self.rds_config.database_name,
-                parameter_name=ssm_exports["db_name"],
+                value=self.rds_config.instance_identifier,
+                parameter_name=ssm_exports["db_instance_identifier"],
                 description=f"RDS database name for {db_name}",
             )
-            logger.info(f"Exported SSM parameter: {ssm_exports['db_name']}")
+            logger.info(f"Exported SSM parameter: {ssm_exports['db_instance_identifier']}")
         
         # Export secret ARN (contains username and password)
         if "db_secret_arn" in ssm_exports: