cdk-factory 0.19.7__tar.gz → 0.19.14__tar.gz

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.19.7
+Version: 0.19.14
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.19.7"
+version = "0.19.14"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/src/cdk_factory/configurations/resources/lambda_edge.py

@@ -49,10 +49,24 @@ class LambdaEdgeConfig(EnhancedBaseConfig):
 
     @property
     def timeout(self) -> int:
-        """Timeout in seconds (max 5 for origin-request)"""
+        """Timeout in seconds
+        viewer-request: 5s
+        viewer-response: 5s
+        ---
+        origin-request: 30s
+        origin-response: 30s
+        
+        
+        """
         timeout = int(self._config.get("timeout", 5))
-        if timeout > 5:
-            raise ValueError("Lambda@Edge origin-request timeout cannot exceed 5 seconds. Value was set to {}".format(timeout))
+
+        event_type = self.event_type
+        if event_type == "viewer-request" or event_type == "viewer-response":
+            if timeout > 5:
+                raise ValueError("Lambda@Edge viewer timeout cannot exceed 5 seconds. Value was set to {}".format(timeout))
+        else:
+            if timeout > 30:
+                raise ValueError("Lambda@Edge origin timeout cannot exceed 30 seconds. Value was set to {}".format(timeout))
         return timeout
 
     @property

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/src/cdk_factory/stack_library/cloudfront/cloudfront_stack.py

@@ -145,7 +145,7 @@ class CloudFrontStack(IStack):
             return
 
         # Check if certificate ARN is provided
-        cert_arn = cert_config.get("arn")
+        cert_arn = self.resolve_ssm_value(self, cert_config.get("arn"), "CertificateARN")
         if cert_arn:
             self.certificate = acm.Certificate.from_certificate_arn(
                 self, "Certificate", certificate_arn=cert_arn
@@ -173,14 +173,14 @@ class CloudFrontStack(IStack):
                     "CloudFront certificates must be created in us-east-1"
                 )
                 return
-            
+
             # Create the certificate
             # Get hosted zone from SSM imports
             hosted_zone_id = cert_config.get("hosted_zone_id")
             hosted_zone = route53.HostedZone.from_hosted_zone_id(
                 self, "HostedZone", hosted_zone_id
             )
-            
+
             self.certificate = acm.Certificate(
                 self,
                 "Certificate",
@@ -223,7 +223,9 @@ class CloudFrontStack(IStack):
 
     def _create_custom_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create custom origin (ALB, API Gateway, etc.)"""
-        domain_name = self.resolve_ssm_value(self, config.get("domain_name"), config.get("domain_name"))
+        domain_name = self.resolve_ssm_value(
+            self, config.get("domain_name"), config.get("domain_name")
+        )
         origin_id = config.get("id")
 
         if not domain_name:
@@ -297,21 +299,22 @@ class CloudFrontStack(IStack):
 
     def _create_s3_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create S3 origin"""
-        bucket_name = self.resolve_ssm_value(self, config.get("bucket_name"), config.get("bucket_name"))
-        
+        bucket_name = self.resolve_ssm_value(
+            self, config.get("bucket_name"), config.get("bucket_name")
+        )
 
         origin_path = config.get("origin_path", "")
-        
+
         if not bucket_name:
             raise ValueError("S3 origin requires 'bucket_name' configuration")
-        
+
         # For S3 origins, we need to import the bucket by name
         bucket = s3.Bucket.from_bucket_name(
             self,
             id=f"S3OriginBucket-{config.get('id', 'unknown')}",
-            bucket_name=bucket_name
+            bucket_name=bucket_name,
         )
-        
+
         # Create S3 origin with OAC (Origin Access Control) for security
         origin = origins.S3BucketOrigin.with_origin_access_control(
             bucket,
@@ -321,7 +324,7 @@ class CloudFrontStack(IStack):
                 cloudfront.AccessLevel.LIST,
             ],
         )
-        
+
         return origin
 
     def _create_distribution(self) -> None:

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/src/cdk_factory/stack_library/ecs/ecs_service_stack.py

@@ -226,6 +226,9 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
                     "CloudWatchAgentServerPolicy"
                 )
             )
+
+        # add any custom policies
+        self._add_custom_task_policies(task_role)
         
         # Create task definition based on launch type
         if self.ecs_config.launch_type == "EC2":
@@ -257,6 +260,37 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         # Add containers
         self._add_containers_to_task()
 
+    def _add_custom_task_policies(self, task_role: iam.Role) -> None:
+        """
+        Add custom task policies to the task definition.
+        """
+        for policy in self.ecs_config.task_definition.get("policies", []):
+
+            effect = policy.get("effect", "Allow")
+            action = policy.get("action", None)
+            actions = policy.get("actions", [])
+            if action:
+                actions.append(action)
+            resources = policy.get("resources", [])
+            resource = policy.get("resource", None)
+            if resource:
+                resources.append(resource)
+
+            if effect == "Allow" and actions:
+                effect = iam.Effect.ALLOW
+            if effect == "Deny" and actions:
+                effect = iam.Effect.DENY
+
+            sid = policy.get("sid", None)
+            task_role.add_to_policy(
+                iam.PolicyStatement(
+                    effect=effect,
+                    actions=actions,
+                    resources=resources,
+                    sid=sid,
+                )
+            )
+
     def _add_volumes_to_task(self) -> None:
         """
         Add volumes to the task definition.

{cdk_factory-0.19.7 → cdk_factory-0.19.14}/src/cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -53,6 +53,8 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         self.workload: Optional[WorkloadConfig] = None
         self.function: Optional[_lambda.Function] = None
         self.function_version: Optional[_lambda.Version] = None
+        # Cache for resolved environment variables to prevent duplicate construct creation
+        self._resolved_env_cache: Optional[Dict[str, str]] = None
 
     def build(
         self,
@@ -98,15 +100,38 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         # Create version (required for Lambda@Edge)
         self._create_function_version(function_name)
         
+        # Configure edge log retention for regional logs
+        self._configure_edge_log_retention(function_name)
+        
         # Add outputs
         self._add_outputs(function_name)
 
+    def _sanitize_construct_name(self, name: str) -> str:
+        """
+        Create a deterministic, valid CDK construct name from any string.
+        Replaces non-alphanumeric characters with dashes and limits length.
+        """
+        # Replace non-alphanumeric characters with dashes
+        sanitized = ''.join(c if c.isalnum() else '-' for c in name)
+        # Remove consecutive dashes
+        while '--' in sanitized:
+            sanitized = sanitized.replace('--', '-')
+        # Remove leading/trailing dashes
+        sanitized = sanitized.strip('-')
+        # Limit to 255 characters (CDK limit)
+        return sanitized[:255]
+
     def _resolve_environment_variables(self) -> Dict[str, str]:
         """
         Resolve environment variables, including SSM parameter references.
         Supports {{ssm:parameter-path}} syntax for dynamic SSM lookups.
         Uses CDK tokens that resolve at deployment time, not synthesis time.
+        Caches results to prevent duplicate construct creation.
         """
+        # Return cached result if available
+        if self._resolved_env_cache is not None:
+            return self._resolved_env_cache
+        
         resolved_env = {}
         
         for key, value in self.edge_config.environment.items():
@@ -115,18 +140,23 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                 # Extract SSM parameter path
                 ssm_param_path = value[6:-2]  # Remove {{ssm: and }}
                 
+                # Create deterministic construct name from parameter path
+                construct_name = self._sanitize_construct_name(f"env-{key}-{ssm_param_path}")
+                
                 # Import SSM parameter - this creates a token that resolves at deployment time
                 param = ssm.StringParameter.from_string_parameter_name(
                     self,
-                    f"env-{key}-{hash(ssm_param_path) % 10000}",
+                    construct_name,
                     ssm_param_path
                 )
                 resolved_value = param.string_value
-                logger.info(f"Resolved environment variable {key} from SSM {ssm_param_path}")
+                logger.info(f"Resolved environment variable {key} from SSM {ssm_param_path} as {construct_name}")
                 resolved_env[key] = resolved_value
             else:
                 resolved_env[key] = value
         
+        # Cache the result
+        self._resolved_env_cache = resolved_env
         return resolved_env
 
     def _create_lambda_function(self, function_name: str) -> None:
@@ -185,10 +215,12 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         # Create runtime configuration file for Lambda@Edge
         # Since Lambda@Edge doesn't support environment variables, we bundle a config file
         # Use the full function_name (e.g., "tech-talk-dev-ip-gate") not just the base name
+        resolved_env = self._resolve_environment_variables()
         runtime_config = {
             'environment': self.deployment.environment,
             'function_name': function_name,
-            'region': self.deployment.region
+            'region': self.deployment.region,
+            'environment_variables': resolved_env  # Add actual environment variables
         }
         
         runtime_config_path = temp_code_dir / 'runtime_config.json'
@@ -216,19 +248,12 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             self.edge_config.runtime,
             _lambda.Runtime.PYTHON_3_11
         )
-        
-        # Lambda@Edge does NOT support environment variables
-        # Configuration must be handled via:
-        # 1. Hardcoded in the function code
-        # 2. Fetched from SSM Parameter Store at runtime
-        # 3. Other configuration mechanisms
-        
+
         # Log warning if environment variables are configured
         if self.edge_config.environment:
             logger.warning(
                 f"Lambda@Edge function '{function_name}' has environment variables configured, "
-                "but Lambda@Edge does not support environment variables. "
-                "The function must fetch these values from SSM Parameter Store at runtime."
+                "but Lambda@Edge does not support environment variables. The function must fetch these values from SSM Parameter Store at runtime."
             )
             for key, value in self.edge_config.environment.items():
                 logger.warning(f"  - {key}: {value}")
@@ -239,7 +264,8 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             f"{function_name}-Role",
             assumed_by=iam.CompositePrincipal(
                 iam.ServicePrincipal("lambda.amazonaws.com"),
-                iam.ServicePrincipal("edgelambda.amazonaws.com")
+                iam.ServicePrincipal("edgelambda.amazonaws.com"),
+                iam.ServicePrincipal("cloudfront.amazonaws.com")  # Add CloudFront service principal
             ),
             description=f"Execution role for Lambda@Edge function {function_name}",
             managed_policies=[
@@ -264,8 +290,8 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                     ]
                 )
             )
+                
         
-        # Create the Lambda function WITHOUT environment variables
         self.function = _lambda.Function(
             self,
             function_name,
@@ -278,6 +304,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             description=self.edge_config.description,
             role=execution_role,
             # Lambda@Edge does NOT support environment variables
+            # Configuration must be fetched from SSM at runtime
             log_retention=logs.RetentionDays.ONE_WEEK,
         )
         
@@ -285,6 +312,36 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         for key, value in self.edge_config.tags.items():
             cdk.Tags.of(self.function).add(key, value)
 
+        # Add resource-based policy allowing CloudFront to invoke the Lambda function
+        # This is REQUIRED for Lambda@Edge to work properly
+        permission_kwargs = {
+            "principal": iam.ServicePrincipal("cloudfront.amazonaws.com"),
+            "action": "lambda:InvokeFunction",
+        }
+        
+        # Optional: Add source ARN restriction if CloudFront distribution ARN is available
+        # This provides more secure permission scoping
+        distribution_arn_path = f"/{self.deployment.environment}/{self.workload.name}/cloudfront/arn"
+        try:
+            distribution_arn = ssm.StringParameter.from_string_parameter_name(
+                self,
+                "cloudfront-distribution-arn",
+                distribution_arn_path
+            ).string_value
+            
+            # Add source ARN condition for more secure permission scoping
+            permission_kwargs["source_arn"] = distribution_arn
+            logger.info(f"Adding CloudFront permission with source ARN restriction: {distribution_arn}")
+        except Exception:
+            # Distribution ARN not available (common during initial deployment)
+            # CloudFront will scope the permission appropriately when it associates the Lambda
+            logger.warning(f"CloudFront distribution ARN not found at {distribution_arn_path}, using open permission")
+        
+        self.function.add_permission(
+            "CloudFrontInvokePermission",
+            **permission_kwargs
+        )
+
     def _create_function_version(self, function_name: str) -> None:
         """
         Create a version of the Lambda function.
@@ -300,6 +357,57 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                 f"Version for Lambda@Edge deployment - {self.edge_config.description}"
             )
 
+    def _configure_edge_log_retention(self, function_name: str) -> None:
+        """
+        Configure log retention for Lambda@Edge regional logs.
+        
+        Lambda@Edge creates log groups in multiple regions that need
+        separate retention configuration from the primary log group.
+        """
+        from aws_cdk import custom_resources as cr
+        
+        # Get edge log retention from config (default to same as primary logs)
+        edge_retention_days = self.edge_config.dictionary.get("edge_log_retention_days", 7)
+        
+        # List of common Lambda@Edge regions
+        edge_regions = [
+            'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2',
+            'eu-west-1', 'eu-west-2', 'eu-central-1',
+            'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1',
+            'ca-central-1', 'sa-east-1'
+        ]
+        
+        # Create custom resource to set log retention for each region
+        for region in edge_regions:
+            log_group_name = f"/aws/lambda/{region}.{function_name}"
+            
+            # Use AwsCustomResource to set log retention
+            cr.AwsCustomResource(
+                self, f"EdgeLogRetention-{region}",
+                on_update={
+                    "service": "Logs",
+                    "action": "putRetentionPolicy",
+                    "parameters": {
+                        "logGroupName": log_group_name,
+                        "retentionInDays": edge_retention_days
+                    },
+                    "physical_resource_id": cr.PhysicalResourceId.from_response("logGroupName")
+                },
+                on_delete={
+                    "service": "Logs", 
+                    "action": "deleteRetentionPolicy",
+                    "parameters": {
+                        "logGroupName": log_group_name
+                    },
+                    "physical_resource_id": cr.PhysicalResourceId.from_response("logGroupName")
+                },
+                policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
+                    resources=[f"arn:aws:logs:{region}:*:log-group:{log_group_name}*"]
+                )
+            )
+        
+        logger.info(f"Configured edge log retention to {edge_retention_days} days for {len(edge_regions)} regions")
+
     def _add_outputs(self, function_name: str) -> None:
         """Add CloudFormation outputs and SSM exports"""
         
@@ -335,18 +443,86 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             
             # If no explicit environment_ssm_exports, create default SSM paths
             if not env_ssm_exports:
-                # Auto-generate SSM parameter names based on environment variable names
-                for env_key in self.edge_config.environment.keys():
-                    # Use snake_case version of the key for SSM path
-                    ssm_key = env_key.lower().replace('_', '-')
-                    env_ssm_exports[env_key] = f"/{self.deployment.environment}/{function_name}/{ssm_key}"
+                env_ssm_exports = {
+                    key: f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/{key.lower()}"
+                    for key in self.edge_config.environment.keys()
+                }
             
-            # Resolve and export environment variables to SSM
-            resolved_env = self._resolve_environment_variables()
-            for env_key, ssm_path in env_ssm_exports.items():
-                if env_key in resolved_env:
-                    env_value = resolved_env[env_key]
-                    
+            # Export each environment variable to SSM
+            for var_name, var_value in self.edge_config.environment.items():
+                ssm_path = env_ssm_exports.get(var_name, f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/{var_name.lower()}")
+                self.export_ssm_parameter(
+                    self,
+                    f"{var_name}-env-param",
+                    var_value,
+                    ssm_path,
+                    description=f"Lambda@Edge environment variable: {var_name} for {function_name}"
+                )
+        
+        # Export the complete configuration as a single SSM parameter for dynamic updates
+        config_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/config"
+        full_config = {
+            "environment_variables": self.edge_config.environment or {}
+        }
+        
+        self.export_ssm_parameter(
+            self,
+            "full-config-param",
+            json.dumps(full_config),
+            config_ssm_path,
+            description=f"Complete Lambda@Edge configuration for {function_name} - update this for dynamic changes"
+        )
+        
+        # Export cache TTL parameter for dynamic cache control
+        cache_ttl_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/cache-ttl"
+        default_cache_ttl = self.edge_config.dictionary.get("cache_ttl_seconds", 300)  # Default 5 minutes
+        
+        self.export_ssm_parameter(
+            self,
+            "cache-ttl-param",
+            str(default_cache_ttl),
+            cache_ttl_ssm_path,
+            description=f"Lambda@Edge configuration cache TTL in seconds for {function_name} - adjust for maintenance windows (30-3600)"
+        )
+        
+        # Create additional default parameters if configured
+        default_params = self.edge_config.dictionary.get("default_parameters", {})
+        if default_params:
+            logger.info(f"Creating {len(default_params)} default SSM parameters")
+            
+            for param_name, param_value in default_params.items():
+                param_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/defaults/{param_name}"
+                
+                # Create descriptive parameter description
+                descriptions = {
+                    "CACHE_TTL": f"Configuration cache TTL in seconds for {function_name}",
+                    "HEALTH_CHECK_TIMEOUT": f"ALB health check timeout in seconds for {function_name}",
+                    "HEALTH_CHECK_CACHE_TTL": f"Health check result cache TTL in seconds for {function_name}",
+                    "MAINTENANCE_MODE": f"Maintenance mode toggle for {function_name}",
+                    "GATE_ENABLED": f"IP gate toggle for {function_name}",
+                    "ALLOW_CIDRS": f"Allowed CIDR blocks for {function_name}",
+                    "HEALTH_CHECK_PATH": f"Health check endpoint path for {function_name}",
+                    "ALB_DOMAIN": f"ALB DNS name for {function_name}",
+                    "DEBUG_MODE": f"Debug mode toggle for {function_name}",
+                    "CIRCUIT_BREAKER_THRESHOLD": f"Circuit breaker failure threshold for {function_name}",
+                    "CIRCUIT_BREAKER_TIMEOUT": f"Circuit breaker timeout in seconds for {function_name}"
+                }
+                
+                description = descriptions.get(param_name, f"Default parameter '{param_name}' for Lambda@Edge function {function_name}")
+                
+                self.export_ssm_parameter(
+                    scope=self,
+                    id=f"default-{param_name.lower()}-param",
+                    value=str(param_value),
+                    parameter_name=param_path,
+                    description=description
+                )
+
+        # Resolve and export environment variables to SSM
+        resolved_env = self._resolve_environment_variables()
+        for env_key, env_value in resolved_env.items():
+              if env_key in resolved_env:
+                    env_value = resolved_env[env_key]      
                     # Handle empty values - SSM doesn't allow empty strings
                     # Use sentinel value "NONE" to indicate explicitly unset
                     if not env_value or (isinstance(env_value, str) and env_value.strip() == ""):
@@ -357,9 +533,9 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                         )
                     
                     self.export_ssm_parameter(
-                        self,
-                        f"env-{env_key}-param",
-                        env_value,
-                        ssm_path,
+                        scope=self,
+                        id=f"env-{env_key}-param",
+                        value=env_value,
+                        parameter_name=ssm_path,
                         description=f"Configuration for Lambda@Edge: {env_key}"
                     )

cdk_factory-0.19.14/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.19.14"

cdk_factory-0.19.7/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.19.7"