cdk-factory 0.19.9__tar.gz → 0.19.18__tar.gz

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.19.9
+Version: 0.19.18
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.19.9"
+version = "0.19.18"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/src/cdk_factory/configurations/resources/lambda_edge.py

@@ -49,10 +49,24 @@ class LambdaEdgeConfig(EnhancedBaseConfig):
 
     @property
     def timeout(self) -> int:
-        """Timeout in seconds (max 5 for origin-request)"""
+        """Timeout in seconds
+        viewer-request: 5s
+        viewer-response: 5s
+        ---
+        origin-request: 30s
+        origin-response: 30s
+        
+        
+        """
         timeout = int(self._config.get("timeout", 5))
-        if timeout > 5:
-            raise ValueError("Lambda@Edge origin-request timeout cannot exceed 5 seconds. Value was set to {}".format(timeout))
+
+        event_type = self.event_type
+        if event_type == "viewer-request" or event_type == "viewer-response":
+            if timeout > 5:
+                raise ValueError("Lambda@Edge viewer timeout cannot exceed 5 seconds. Value was set to {}".format(timeout))
+        else:
+            if timeout > 30:
+                raise ValueError("Lambda@Edge origin timeout cannot exceed 30 seconds. Value was set to {}".format(timeout))
         return timeout
 
     @property

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/src/cdk_factory/stack_library/cloudfront/cloudfront_stack.py

@@ -145,7 +145,7 @@ class CloudFrontStack(IStack):
             return
 
         # Check if certificate ARN is provided
-        cert_arn = cert_config.get("arn")
+        cert_arn = self.resolve_ssm_value(self, cert_config.get("arn"), "CertificateARN")
         if cert_arn:
             self.certificate = acm.Certificate.from_certificate_arn(
                 self, "Certificate", certificate_arn=cert_arn
@@ -173,14 +173,14 @@ class CloudFrontStack(IStack):
                     "CloudFront certificates must be created in us-east-1"
                 )
                 return
-            
+
             # Create the certificate
             # Get hosted zone from SSM imports
             hosted_zone_id = cert_config.get("hosted_zone_id")
             hosted_zone = route53.HostedZone.from_hosted_zone_id(
                 self, "HostedZone", hosted_zone_id
             )
-            
+
             self.certificate = acm.Certificate(
                 self,
                 "Certificate",
@@ -223,7 +223,9 @@ class CloudFrontStack(IStack):
 
     def _create_custom_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create custom origin (ALB, API Gateway, etc.)"""
-        domain_name = self.resolve_ssm_value(self, config.get("domain_name"), config.get("domain_name"))
+        domain_name = self.resolve_ssm_value(
+            self, config.get("domain_name"), config.get("domain_name")
+        )
         origin_id = config.get("id")
 
         if not domain_name:
@@ -297,21 +299,22 @@ class CloudFrontStack(IStack):
 
     def _create_s3_origin(self, config: Dict[str, Any]) -> cloudfront.IOrigin:
         """Create S3 origin"""
-        bucket_name = self.resolve_ssm_value(self, config.get("bucket_name"), config.get("bucket_name"))
-        
+        bucket_name = self.resolve_ssm_value(
+            self, config.get("bucket_name"), config.get("bucket_name")
+        )
 
         origin_path = config.get("origin_path", "")
-        
+
         if not bucket_name:
             raise ValueError("S3 origin requires 'bucket_name' configuration")
-        
+
         # For S3 origins, we need to import the bucket by name
         bucket = s3.Bucket.from_bucket_name(
             self,
             id=f"S3OriginBucket-{config.get('id', 'unknown')}",
-            bucket_name=bucket_name
+            bucket_name=bucket_name,
         )
-        
+
         # Create S3 origin with OAC (Origin Access Control) for security
         origin = origins.S3BucketOrigin.with_origin_access_control(
             bucket,
@@ -321,7 +324,7 @@ class CloudFrontStack(IStack):
                 cloudfront.AccessLevel.LIST,
             ],
         )
-        
+
         return origin
 
     def _create_distribution(self) -> None:

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/src/cdk_factory/stack_library/ecs/ecs_service_stack.py

@@ -226,6 +226,9 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
                     "CloudWatchAgentServerPolicy"
                 )
             )
+
+        # add any custom policies
+        self._add_custom_task_policies(task_role)
         
         # Create task definition based on launch type
         if self.ecs_config.launch_type == "EC2":
@@ -257,6 +260,37 @@ class EcsServiceStack(IStack, VPCProviderMixin, StandardizedSsmMixin):
         # Add containers
         self._add_containers_to_task()
 
+    def _add_custom_task_policies(self, task_role: iam.Role) -> None:
+        """
+        Add custom task policies to the task definition.
+        """
+        for policy in self.ecs_config.task_definition.get("policies", []):
+
+            effect = policy.get("effect", "Allow")
+            action = policy.get("action", None)
+            actions = policy.get("actions", [])
+            if action:
+                actions.append(action)
+            resources = policy.get("resources", [])
+            resource = policy.get("resource", None)
+            if resource:
+                resources.append(resource)
+
+            if effect == "Allow" and actions:
+                effect = iam.Effect.ALLOW
+            if effect == "Deny" and actions:
+                effect = iam.Effect.DENY
+
+            sid = policy.get("sid", None)
+            task_role.add_to_policy(
+                iam.PolicyStatement(
+                    effect=effect,
+                    actions=actions,
+                    resources=resources,
+                    sid=sid,
+                )
+            )
+
     def _add_volumes_to_task(self) -> None:
         """
         Add volumes to the task definition.

{cdk_factory-0.19.9 → cdk_factory-0.19.18}/src/cdk_factory/stack_library/lambda_edge/lambda_edge_stack.py

@@ -100,6 +100,9 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         # Create version (required for Lambda@Edge)
         self._create_function_version(function_name)
         
+        # Configure edge log retention for regional logs
+        self._configure_edge_log_retention(function_name)
+        
         # Add outputs
         self._add_outputs(function_name)
 
@@ -245,19 +248,12 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             self.edge_config.runtime,
             _lambda.Runtime.PYTHON_3_11
         )
-        
-        # Lambda@Edge does NOT support environment variables
-        # Configuration must be handled via:
-        # 1. Hardcoded in the function code
-        # 2. Fetched from SSM Parameter Store at runtime
-        # 3. Other configuration mechanisms
-        
+
         # Log warning if environment variables are configured
         if self.edge_config.environment:
             logger.warning(
                 f"Lambda@Edge function '{function_name}' has environment variables configured, "
-                "but Lambda@Edge does not support environment variables. "
-                "The function must fetch these values from SSM Parameter Store at runtime."
+                "but Lambda@Edge does not support environment variables. The function must fetch these values from SSM Parameter Store at runtime."
             )
             for key, value in self.edge_config.environment.items():
                 logger.warning(f"  - {key}: {value}")
@@ -268,7 +264,8 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             f"{function_name}-Role",
             assumed_by=iam.CompositePrincipal(
                 iam.ServicePrincipal("lambda.amazonaws.com"),
-                iam.ServicePrincipal("edgelambda.amazonaws.com")
+                iam.ServicePrincipal("edgelambda.amazonaws.com"),
+                iam.ServicePrincipal("cloudfront.amazonaws.com")  # Add CloudFront service principal
             ),
             description=f"Execution role for Lambda@Edge function {function_name}",
             managed_policies=[
@@ -294,7 +291,20 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                 )
             )
         
-        # Create the Lambda function WITHOUT environment variables
+        # Add Secrets Manager permissions for origin secret access
+        execution_role.add_to_policy(
+            iam.PolicyStatement(
+                effect=iam.Effect.ALLOW,
+                actions=[
+                    "secretsmanager:GetSecretValue",
+                    "secretsmanager:DescribeSecret"
+                ],
+                resources=[
+                    f"arn:aws:secretsmanager:*:{cdk.Aws.ACCOUNT_ID}:secret:{self.deployment.environment}/{self.workload.name}/origin-secret*"
+                ]
+            )
+        )
+    
         self.function = _lambda.Function(
             self,
             function_name,
@@ -307,6 +317,7 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
             description=self.edge_config.description,
             role=execution_role,
             # Lambda@Edge does NOT support environment variables
+            # Configuration must be fetched from SSM at runtime
             log_retention=logs.RetentionDays.ONE_WEEK,
         )
         
@@ -314,6 +325,36 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
         for key, value in self.edge_config.tags.items():
             cdk.Tags.of(self.function).add(key, value)
 
+        # Add resource-based policy allowing CloudFront to invoke the Lambda function
+        # This is REQUIRED for Lambda@Edge to work properly
+        permission_kwargs = {
+            "principal": iam.ServicePrincipal("cloudfront.amazonaws.com"),
+            "action": "lambda:InvokeFunction",
+        }
+        
+        # Optional: Add source ARN restriction if CloudFront distribution ARN is available
+        # This provides more secure permission scoping
+        distribution_arn_path = f"/{self.deployment.environment}/{self.workload.name}/cloudfront/arn"
+        try:
+            distribution_arn = ssm.StringParameter.from_string_parameter_name(
+                self,
+                "cloudfront-distribution-arn",
+                distribution_arn_path
+            ).string_value
+            
+            # Add source ARN condition for more secure permission scoping
+            permission_kwargs["source_arn"] = distribution_arn
+            logger.info(f"Adding CloudFront permission with source ARN restriction: {distribution_arn}")
+        except Exception:
+            # Distribution ARN not available (common during initial deployment)
+            # CloudFront will scope the permission appropriately when it associates the Lambda
+            logger.warning(f"CloudFront distribution ARN not found at {distribution_arn_path}, using open permission")
+        
+        self.function.add_permission(
+            "CloudFrontInvokePermission",
+            **permission_kwargs
+        )
+
     def _create_function_version(self, function_name: str) -> None:
         """
         Create a version of the Lambda function.
@@ -329,10 +370,69 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                 f"Version for Lambda@Edge deployment - {self.edge_config.description}"
             )
 
-    def _add_outputs(self, function_name: str) -> None:
-        """Add CloudFormation outputs and SSM exports"""
+    def _configure_edge_log_retention(self, function_name: str) -> None:
+        """
+        Configure log retention for Lambda@Edge log groups in all edge regions
+        """
+        from aws_cdk import custom_resources as cr
+        
+        # Get edge log retention from config (default to same as primary logs)
+        edge_retention_days = self.edge_config.dictionary.get("edge_log_retention_days", 7)
+        
+        # List of common Lambda@Edge regions
+        edge_regions = [
+            'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2',
+            'eu-west-1', 'eu-west-2', 'eu-central-1',
+            'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1',
+            'ca-central-1', 'sa-east-1'
+        ]
         
+        # Lambda@Edge log groups are created in us-east-1 with region prefix
+        # Pattern: /aws/lambda/{edge-region}.{function-name}
+        # But they're all located in us-east-1
+        
+        for edge_region in edge_regions:
+            log_group_name = f"/aws/lambda/{edge_region}.{function_name}"
+            
+            # Use AwsCustomResource to set log retention
+            cr.AwsCustomResource(
+                self, f"EdgeLogRetention-{edge_region}",
+                on_update={
+                    "service": "CloudWatchLogs",
+                    "action": "putRetentionPolicy",
+                    "parameters": {
+                        "logGroupName": log_group_name,
+                        "retentionInDays": edge_retention_days
+                    },
+                    "physical_resource_id": cr.PhysicalResourceId.from_response("logGroupName")
+                },
+                on_delete={
+                    "service": "CloudWatchLogs", 
+                    "action": "deleteRetentionPolicy",
+                    "parameters": {
+                        "logGroupName": log_group_name
+                    },
+                    "physical_resource_id": cr.PhysicalResourceId.from_response("logGroupName")
+                },
+                policy=cr.AwsCustomResourcePolicy.from_statements([
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "logs:PutRetentionPolicy",
+                            "logs:DeleteRetentionPolicy",
+                            "logs:DescribeLogGroups",
+                            "logs:DescribeLogStreams"
+                        ],
+                        # All Lambda@Edge log groups are in us-east-1
+                        resources=[f"arn:aws:logs:us-east-1:*:log-group:{log_group_name}*"]
+                    )
+                ])
+            )
         
+        logger.info(f"Configured edge log retention to {edge_retention_days} days for {len(edge_regions)} regions")
+
+    def _add_outputs(self, function_name: str) -> None:
+        """Add CloudFormation outputs and SSM exports"""
         
         # SSM Parameter Store exports (if configured)
         ssm_exports = self.edge_config.dictionary.get("ssm", {}).get("exports", {})
@@ -355,40 +455,31 @@ class LambdaEdgeStack(IStack, StandardizedSsmMixin):
                         description=f"{key} for Lambda@Edge function {function_name}"
                     )
         
-        # Export environment variables as SSM parameters
-        # Since Lambda@Edge doesn't support environment variables, we export them
-        # to SSM so the Lambda function can fetch them at runtime
-        if self.edge_config.environment:
-            logger.info("Exporting Lambda@Edge environment variables as SSM parameters")
-            env_ssm_exports = self.edge_config.dictionary.get("environment_ssm_exports", {})
-            
-            # If no explicit environment_ssm_exports, create default SSM paths
-            if not env_ssm_exports:
-                # Auto-generate SSM parameter names based on environment variable names
-                for env_key in self.edge_config.environment.keys():
-                    # Use snake_case version of the key for SSM path
-                    ssm_key = env_key.lower().replace('_', '-')
-                    env_ssm_exports[env_key] = f"/{self.deployment.environment}/{function_name}/{ssm_key}"
-            
-            # Resolve and export environment variables to SSM
-            resolved_env = self._resolve_environment_variables()
-            for env_key, ssm_path in env_ssm_exports.items():
-                if env_key in resolved_env:
-                    env_value = resolved_env[env_key]
-                    
-                    # Handle empty values - SSM doesn't allow empty strings
-                    # Use sentinel value "NONE" to indicate explicitly unset
-                    if not env_value or (isinstance(env_value, str) and env_value.strip() == ""):
-                        env_value = "NONE"
-                        logger.info(
-                            f"Environment variable {env_key} is empty - setting SSM parameter to 'NONE'. "
-                            f"Lambda function should treat 'NONE' as unset/disabled."
-                        )
-                    
-                    self.export_ssm_parameter(
-                        self,
-                        f"env-{env_key}-param",
-                        env_value,
-                        ssm_path,
-                        description=f"Configuration for Lambda@Edge: {env_key}"
-                    )
+        # Export the complete configuration as a single SSM parameter
+        config_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/config"
+        configuration = self.edge_config.dictionary.get("configuration", {})
+        environment_variables = configuration.get("environment_variables", {})
+        
+        full_config = {
+            "environment_variables": environment_variables
+        }
+        
+        self.export_ssm_parameter(
+            self,
+            "full-config-param",
+            json.dumps(full_config),
+            config_ssm_path,
+            description=f"Complete Lambda@Edge configuration for {function_name} - update this for dynamic changes"
+        )
+        
+        # Export cache TTL parameter for dynamic cache control
+        cache_ttl_ssm_path = f"/{self.deployment.environment}/{self.workload.name}/lambda-edge/cache-ttl"
+        default_cache_ttl = self.edge_config.dictionary.get("cache_ttl_seconds", 300)  # Default 5 minutes
+        
+        self.export_ssm_parameter(
+            self,
+            "cache-ttl-param",
+            str(default_cache_ttl),
+            cache_ttl_ssm_path,
+            description=f"Lambda@Edge configuration cache TTL in seconds for {function_name} - adjust for maintenance windows (30-3600)"
+        )

cdk_factory-0.19.18/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.19.18"

cdk_factory-0.19.9/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.19.9"