cdk-factory 0.7.22__py3-none-any.whl → 0.7.24__py3-none-any.whl

cdk_factory/interfaces/live_ssm_resolver.py

@@ -60,7 +60,7 @@ class LiveSsmResolver:
         Resolve SSM parameter with live API call.
 
         Args:
-            parameter_path: SSM parameter path (e.g., /movatra/dev/cognito/user-pool/user-pool-arn)
+            parameter_path: SSM parameter path (e.g., /workload/dev/cognito/user-pool/user-pool-arn)
             fallback_value: Value to return if live resolution fails
 
         Returns:

cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -347,15 +347,125 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         # Setup CORS using centralized utility
         self.integration_utility.setup_route_cors(resource, route_path, route)
 
+    def _validate_authorization_configuration(self, route, has_cognito_authorizer):
+        """
+        Validate authorization configuration for security and clarity.
+        
+        This method implements 'secure by default' with explicit overrides:
+        - If Cognito is available and route wants NONE auth, requires explicit override
+        - If Cognito is not available and route wants COGNITO auth, raises error
+        - Provides verbose warnings for monitoring and security awareness
+        
+        Args:
+            route (dict): Route configuration
+            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
+            
+        Raises:
+            ValueError: When there are security conflicts without explicit overrides
+        """
+        import logging
+        
+        auth_type = route.get("authorization_type", "COGNITO")
+        explicit_override = route.get("allow_public_override", False)
+        route_path = route.get("path", "unknown")
+        method = route.get("method", "unknown")
+        
+        logger = logging.getLogger(__name__)
+        
+        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
+        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
+            error_msg = (
+                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
+                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
+                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
+                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Remove Cognito configuration if you want public access\n"
+                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
+                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
+                f"🔒 This prevents accidental public endpoints when authentication is available."
+            )
+            raise ValueError(error_msg)
+        
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR  
+        # Only error if COGNITO was explicitly requested, not if it's the default
+        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
+            error_msg = (
+                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
+                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
+                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Add Cognito configuration to enable authentication\n"
+                f"   2. Set authorization_type to 'NONE' for public access\n"
+                f"   3. Configure SSM auto-import for user_pool_arn\n"
+                f"   4. Remove explicit authorization_type to use default behavior"
+            )
+            raise ValueError(error_msg)
+        
+        # Case 3: Cognito available + NONE requested + Explicit override = WARN
+        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
+            warning_msg = (
+                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
+                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
+                f"   🔐 Cognito authentication is available but overridden\n"
+                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
+                f"   🔍 Review periodically: Should this endpoint be secured?"
+            )
+            
+            # Print to console during deployment for visibility
+            print(warning_msg)
+            
+            # Structured logging for monitoring and metrics
+            logger.warning(
+                "Public endpoint configured with Cognito available",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "security_override": True,
+                    "cognito_available": True,
+                    "authorization_type": "NONE",
+                    "metric_name": "public_endpoint_with_cognito",
+                    "security_decision": "intentional_public",
+                    "recommendation": "review_periodically"
+                }
+            )
+        
+        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
+        if not has_cognito_authorizer and auth_type == "NONE":
+            logger.info(
+                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "authorization_type": "NONE",
+                    "cognito_available": False,
+                    "security_decision": "public_only_api"
+                }
+            )
+
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
+        import logging
+        
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
         
-        # If explicitly set to NONE, skip authorization
+        # If no Cognito authorizer available and default COGNITO, fall back to NONE
+        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+            authorization_type = "NONE"
+            logger = logging.getLogger(__name__)
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Validate authorization configuration for security
+        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
             authorizer = None
 
@@ -391,9 +501,23 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
+        import logging
+        
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
+        
+        # If no Cognito authorizer available and default COGNITO, fall back to NONE
+        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+            authorization_type = "NONE"
+            logger = logging.getLogger(__name__)
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Validate authorization configuration for security
+        self._validate_authorization_configuration(route, authorizer is not None)
 
         resource = (
             api_gateway.root.resource_for_path(route_path)

cdk_factory/utilities/api_gateway_integration_utility.py

@@ -68,7 +68,7 @@ class ApiGatewayIntegrationUtility:
         )
 
         # Add method to API Gateway
-        resource = self.get_or_create_resource(api_gateway, api_config.routes)
+        resource = self.get_or_create_resource(api_gateway, api_config.routes, stack_config)
 
         # Handle existing authorizer ID using L1 constructs
         if self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config):
@@ -602,12 +602,20 @@ class ApiGatewayIntegrationUtility:
         return self.authorizer
 
     def get_or_create_resource(
-        self, api_gateway: apigateway.RestApi, route_path: str
+        self, api_gateway: apigateway.RestApi, route_path: str, stack_config=None
     ) -> apigateway.Resource:
-        """Get or create API Gateway resource for the given route path"""
+        """Get or create API Gateway resource for the given route path with cross-stack support"""
         if not route_path or route_path == "/":
             return api_gateway.root
 
+        # Check for existing resource import configuration
+        if stack_config:
+            api_gateway_config = stack_config.dictionary.get("api_gateway", {})
+            existing_resources = api_gateway_config.get("existing_resources", {})
+            
+            if existing_resources:
+                return self._create_resource_with_imports(api_gateway, route_path, existing_resources)
+
         # Use the built-in resource_for_path method which handles existing resources correctly
         try:
             # This method automatically creates the full path and reuses existing resources
@@ -658,6 +666,94 @@ class ApiGatewayIntegrationUtility:
 
         return current_resource
 
+    def _create_resource_with_imports(
+        self, api_gateway: apigateway.RestApi, route_path: str, existing_resources: dict
+    ) -> apigateway.Resource:
+        """Create resource path using existing resource imports to avoid conflicts"""
+        from aws_cdk import aws_apigateway as apigateway
+        
+        # Remove leading slash and split path
+        path_parts = route_path.lstrip("/").split("/")
+        current_resource = api_gateway.root
+        current_path = ""
+        
+        # Navigate through path parts, importing existing resources where configured
+        for i, part in enumerate(path_parts):
+            if not part:  # Skip empty parts
+                continue
+                
+            current_path = "/" + "/".join(path_parts[:i+1])
+            
+            # Check if this path segment should be imported from existing resources
+            if current_path in existing_resources:
+                resource_config = existing_resources[current_path]
+                resource_id = resource_config.get("resource_id")
+                
+                if resource_id:
+                    logger.info(f"Importing existing resource for path {current_path} with ID: {resource_id}")
+                    
+                    # Import the existing resource using L1 constructs
+                    current_resource = self._import_existing_resource(
+                        api_gateway, current_resource, part, resource_id, current_path
+                    )
+                else:
+                    # Create normally if no resource_id specified
+                    current_resource = self._add_resource_safely(current_resource, part)
+            else:
+                # Create normally for non-imported paths
+                current_resource = self._add_resource_safely(current_resource, part)
+        
+        return current_resource
+    
+    def _import_existing_resource(
+        self, api_gateway: apigateway.RestApi, parent_resource: apigateway.Resource, 
+        path_part: str, resource_id: str, full_path: str
+    ) -> apigateway.Resource:
+        """Import an existing API Gateway resource by ID"""
+        from aws_cdk import aws_apigateway as apigateway
+        
+        try:
+            # Use CfnResource to reference existing resource
+            # This creates a reference without trying to create the resource
+            imported_resource = apigateway.Resource.from_resource_id(
+                self.scope,
+                f"imported-resource-{hash(full_path) % 10000}",
+                resource_id
+            )
+            
+            logger.info(f"Successfully imported existing resource: {path_part} (ID: {resource_id})")
+            return imported_resource
+            
+        except Exception as e:
+            logger.warning(f"Failed to import resource {path_part} with ID {resource_id}: {e}")
+            # Fallback to normal creation
+            return self._add_resource_safely(parent_resource, path_part)
+    
+    def _add_resource_safely(
+        self, parent_resource: apigateway.Resource, path_part: str
+    ) -> apigateway.Resource:
+        """Add resource with conflict handling"""
+        try:
+            return parent_resource.add_resource(path_part)
+        except Exception as e:
+            if "AlreadyExists" in str(e) or "same parent already has this name" in str(e):
+                logger.warning(f"Resource {path_part} already exists, attempting to find existing resource")
+                
+                # Try to find the existing resource in children
+                for child in parent_resource.node.children:
+                    if (
+                        hasattr(child, "path_part")
+                        and getattr(child, "path_part", None) == path_part
+                    ):
+                        logger.info(f"Found existing resource: {path_part}")
+                        return child
+                
+                # If not found in children, re-raise the error
+                logger.error(f"Could not find or create resource: {path_part}")
+                raise e
+            else:
+                raise e
+
     def _get_existing_api_gateway_id_with_ssm_fallback(
         self, api_config: ApiGatewayConfigRouteConfig, stack_config
     ) -> Optional[str]:

cdk_factory/version.py

@@ -1 +1 @@
-__version__ = "0.7.22"
+__version__ = "0.7.24"

{cdk_factory-0.7.22.dist-info → cdk_factory-0.7.24.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.22
+Version: 0.7.24
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.22.dist-info → cdk_factory-0.7.24.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=05OpHzT8pDPhLRXPkdqyUUquJk9jolNT5B2C6ovgfac,23
+cdk_factory/version.py,sha256=6LhdCdekRyhf1ou0xLzDta4kGS27Isdvy5haWR1XJoc,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -58,7 +58,7 @@ cdk_factory/constructs/s3_buckets/s3_bucket_replication_source_construct.py,sha2
 cdk_factory/constructs/sqs/policies/sqs_policies.py,sha256=4p0G8G-fqNKSr68I55fvqH-DkhIeXyGaFBKkICIJ-qM,1277
 cdk_factory/interfaces/enhanced_ssm_parameter_mixin.py,sha256=k-jfwRJhIs6sxifmh7rFaX92tpHMdxiZ8mgPP4NNu5E,13041
 cdk_factory/interfaces/istack.py,sha256=bhTBs-o9FgKwvJMSuwxjUV6D3nUlvZHVzfm27jP9x9Y,987
-cdk_factory/interfaces/live_ssm_resolver.py,sha256=UjKeubz-05zlHcqsaYA6Vx-XuTCKRWVkURXRkVvgqzo,8162
+cdk_factory/interfaces/live_ssm_resolver.py,sha256=3FIr9a02SXqZmbFs3RT0WxczWEQR_CF7QSt7kWbDrVE,8163
 cdk_factory/interfaces/ssm_parameter_mixin.py,sha256=uA2j8HmAOpuEA9ynRj51s0WjUHMVLsbLQN-QS9NKyHA,12089
 cdk_factory/lambdas/health_handler.py,sha256=dd40ykKMxWCFEIyp2ZdQvAGNjw_ylI9CSm1N24Hp2ME,196
 cdk_factory/pipeline/pipeline_factory.py,sha256=DtvGlCjq1uNafwtNevbpwgIR4Du8UoaTVqfgqC_FePU,15430
@@ -72,7 +72,7 @@ cdk_factory/stack/stack_module_registry.py,sha256=J14-A75VZESzRQa8p-Fepdap7Z8T7m
 cdk_factory/stack/stack_modules.py,sha256=kgEK-j0smZPozVwTCfM1g1V17EyTBT0TXAQZq4vZz0o,784
 cdk_factory/stack_library/__init__.py,sha256=5Y9TpIe8ZK1688G60PGcuP-hM0RvYEY_3Hl2qJCJJrw,581
 cdk_factory/stack_library/stack_base.py,sha256=tTleSFmlf26DuKVF_ytftf8P7IVWb5iex8cYfYupfvQ,4940
-cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=LEjDNcCXpD2rqdi66ef1rbg6uTdt18WnZZcr__Wxjzw,29106
+cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=i87MGWAqRJBrayQaXVf-R90_NKVZpbOf3QNibnOIsBM,35507
 cdk_factory/stack_library/auto_scaling/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/stack_library/auto_scaling/auto_scaling_stack.py,sha256=UsFqUb_3XPJAlmZ6F75nXna3elOggD1KuFmmdmhi0Lg,19070
 cdk_factory/stack_library/aws_lambdas/lambda_stack.py,sha256=xT8-799fSXMpYaRhRKytxsbpb5EG3g2h6L822_RpRSk,22956
@@ -97,7 +97,7 @@ cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ
 cdk_factory/stack_library/vpc/vpc_stack.py,sha256=zdDiGilf03esxuya5Z8zVYSVMAIuZBeD-ZKgfnEd6aw,10077
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=KBQiV6PI09mpHGtH-So5Hk3uhfFLDepoXInGbfin0cY,7938
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
-cdk_factory/utilities/api_gateway_integration_utility.py,sha256=g6BPg3gSRTijPlUzYvWt0ctnYazDtzUtfqGHvdvpQHQ,50668
+cdk_factory/utilities/api_gateway_integration_utility.py,sha256=RdStGFueFFDR_j1zHX-d55czZKf_lP-_Ty_5-XLPQXg,55224
 cdk_factory/utilities/commandline_args.py,sha256=0FiNEJFbWVN8Ct7r0VHnJEx7rhUlaRKT7R7HMNJBSTI,2216
 cdk_factory/utilities/configuration_loader.py,sha256=z0ZdGLNbTO4_yfluB9zUh_i_Poc9qj-7oRyjMRlNkN8,1522
 cdk_factory/utilities/docker_utilities.py,sha256=9r8C-lXYpymqEfi3gTeWCQzHldvfjttPqn6p3j2khTE,8111
@@ -109,7 +109,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=j3tBdv_gC2MdEwBINDwAqY
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.7.22.dist-info/METADATA,sha256=B5DMrfGsL7hszQJO41UIS0fzbhfwuUqIMgAizfCiEIs,2451
-cdk_factory-0.7.22.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.7.22.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.7.22.dist-info/RECORD,,
+cdk_factory-0.7.24.dist-info/METADATA,sha256=arpwSUyP9MEQqdJM6dkFtxxq0Q3o3PvjutwymPmzV8g,2451
+cdk_factory-0.7.24.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.7.24.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.7.24.dist-info/RECORD,,