cdk-factory 0.7.22__tar.gz → 0.7.25__tar.gz

{cdk_factory-0.7.22 → cdk_factory-0.7.25}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.22
+Version: 0.7.25
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.22 → cdk_factory-0.7.25}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.7.22"
+version = "0.7.25"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.7.22 → cdk_factory-0.7.25}/src/cdk_factory/interfaces/live_ssm_resolver.py

@@ -60,7 +60,7 @@ class LiveSsmResolver:
         Resolve SSM parameter with live API call.
 
         Args:
-            parameter_path: SSM parameter path (e.g., /movatra/dev/cognito/user-pool/user-pool-arn)
+            parameter_path: SSM parameter path (e.g., /workload/dev/cognito/user-pool/user-pool-arn)
             fallback_value: Value to return if live resolution fails
 
         Returns:

{cdk_factory-0.7.22 → cdk_factory-0.7.25}/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -347,15 +347,125 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         # Setup CORS using centralized utility
         self.integration_utility.setup_route_cors(resource, route_path, route)
 
+    def _validate_authorization_configuration(self, route, has_cognito_authorizer):
+        """
+        Validate authorization configuration for security and clarity.
+        
+        This method implements 'secure by default' with explicit overrides:
+        - If Cognito is available and route wants NONE auth, requires explicit override
+        - If Cognito is not available and route wants COGNITO auth, raises error
+        - Provides verbose warnings for monitoring and security awareness
+        
+        Args:
+            route (dict): Route configuration
+            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
+            
+        Raises:
+            ValueError: When there are security conflicts without explicit overrides
+        """
+        import logging
+        
+        auth_type = route.get("authorization_type", "COGNITO")
+        explicit_override = route.get("allow_public_override", False)
+        route_path = route.get("path", "unknown")
+        method = route.get("method", "unknown")
+        
+        logger = logging.getLogger(__name__)
+        
+        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
+        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
+            error_msg = (
+                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
+                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
+                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
+                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Remove Cognito configuration if you want public access\n"
+                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
+                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
+                f"🔒 This prevents accidental public endpoints when authentication is available."
+            )
+            raise ValueError(error_msg)
+        
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR  
+        # Only error if COGNITO was explicitly requested, not if it's the default
+        if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
+            error_msg = (
+                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
+                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
+                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Add Cognito configuration to enable authentication\n"
+                f"   2. Set authorization_type to 'NONE' for public access\n"
+                f"   3. Configure SSM auto-import for user_pool_arn\n"
+                f"   4. Remove explicit authorization_type to use default behavior"
+            )
+            raise ValueError(error_msg)
+        
+        # Case 3: Cognito available + NONE requested + Explicit override = WARN
+        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
+            warning_msg = (
+                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
+                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
+                f"   🔐 Cognito authentication is available but overridden\n"
+                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
+                f"   🔍 Review periodically: Should this endpoint be secured?"
+            )
+            
+            # Print to console during deployment for visibility
+            print(warning_msg)
+            
+            # Structured logging for monitoring and metrics
+            logger.warning(
+                "Public endpoint configured with Cognito available",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "security_override": True,
+                    "cognito_available": True,
+                    "authorization_type": "NONE",
+                    "metric_name": "public_endpoint_with_cognito",
+                    "security_decision": "intentional_public",
+                    "recommendation": "review_periodically"
+                }
+            )
+        
+        # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
+        if not has_cognito_authorizer and auth_type == "NONE":
+            logger.info(
+                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "authorization_type": "NONE",
+                    "cognito_available": False,
+                    "security_decision": "public_only_api"
+                }
+            )
+
     def _setup_lambda_integration(
         self, api_gateway, api_id, route, lambda_fn, authorizer, suffix
     ):
         """Setup Lambda integration for a route"""
+        import logging
+        
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
         
-        # If explicitly set to NONE, skip authorization
+        # If no Cognito authorizer available and default COGNITO, fall back to NONE
+        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+            authorization_type = "NONE"
+            logger = logging.getLogger(__name__)
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Validate authorization configuration for security
+        self._validate_authorization_configuration(route, authorizer is not None)
+        
+        # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
             authorizer = None
 
@@ -391,9 +501,23 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         self, api_gateway, route, lambda_fn, authorizer, api_id, suffix
     ):
         """Setup fallback Lambda integration for routes without src"""
+        import logging
+        
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
+        
+        # If no Cognito authorizer available and default COGNITO, fall back to NONE
+        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+            authorization_type = "NONE"
+            logger = logging.getLogger(__name__)
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Validate authorization configuration for security
+        self._validate_authorization_configuration(route, authorizer is not None)
 
         resource = (
             api_gateway.root.resource_for_path(route_path)

{cdk_factory-0.7.22 → cdk_factory-0.7.25}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -54,6 +54,17 @@ class ApiGatewayIntegrationUtility:
         if not api_config:
             raise ValueError("API Gateway config is missing in Lambda function config")
 
+        # Validate authorization configuration for security
+        has_cognito_authorizer = (
+            self.authorizer is not None or 
+            self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config) is not None
+        )
+        
+        # Apply enhanced authorization validation and fallback logic
+        api_config = self._validate_and_adjust_authorization_configuration(
+            api_config, has_cognito_authorizer
+        )
+
         # Get or create authorizer if needed (only for COGNITO_USER_POOLS authorization)
         if api_config.authorization_type != "NONE" and not self.authorizer:
             self.authorizer = self.get_or_create_authorizer(
@@ -68,7 +79,7 @@ class ApiGatewayIntegrationUtility:
         )
 
         # Add method to API Gateway
-        resource = self.get_or_create_resource(api_gateway, api_config.routes)
+        resource = self.get_or_create_resource(api_gateway, api_config.routes, stack_config)
 
         # Handle existing authorizer ID using L1 constructs
         if self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config):
@@ -602,12 +613,20 @@ class ApiGatewayIntegrationUtility:
         return self.authorizer
 
     def get_or_create_resource(
-        self, api_gateway: apigateway.RestApi, route_path: str
+        self, api_gateway: apigateway.RestApi, route_path: str, stack_config=None
     ) -> apigateway.Resource:
-        """Get or create API Gateway resource for the given route path"""
+        """Get or create API Gateway resource for the given route path with cross-stack support"""
         if not route_path or route_path == "/":
             return api_gateway.root
 
+        # Check for existing resource import configuration
+        if stack_config:
+            api_gateway_config = stack_config.dictionary.get("api_gateway", {})
+            existing_resources = api_gateway_config.get("existing_resources", {})
+            
+            if existing_resources:
+                return self._create_resource_with_imports(api_gateway, route_path, existing_resources)
+
         # Use the built-in resource_for_path method which handles existing resources correctly
         try:
             # This method automatically creates the full path and reuses existing resources
@@ -658,6 +677,94 @@ class ApiGatewayIntegrationUtility:
 
         return current_resource
 
+    def _create_resource_with_imports(
+        self, api_gateway: apigateway.RestApi, route_path: str, existing_resources: dict
+    ) -> apigateway.Resource:
+        """Create resource path using existing resource imports to avoid conflicts"""
+        from aws_cdk import aws_apigateway as apigateway
+        
+        # Remove leading slash and split path
+        path_parts = route_path.lstrip("/").split("/")
+        current_resource = api_gateway.root
+        current_path = ""
+        
+        # Navigate through path parts, importing existing resources where configured
+        for i, part in enumerate(path_parts):
+            if not part:  # Skip empty parts
+                continue
+                
+            current_path = "/" + "/".join(path_parts[:i+1])
+            
+            # Check if this path segment should be imported from existing resources
+            if current_path in existing_resources:
+                resource_config = existing_resources[current_path]
+                resource_id = resource_config.get("resource_id")
+                
+                if resource_id:
+                    logger.info(f"Importing existing resource for path {current_path} with ID: {resource_id}")
+                    
+                    # Import the existing resource using L1 constructs
+                    current_resource = self._import_existing_resource(
+                        api_gateway, current_resource, part, resource_id, current_path
+                    )
+                else:
+                    # Create normally if no resource_id specified
+                    current_resource = self._add_resource_safely(current_resource, part)
+            else:
+                # Create normally for non-imported paths
+                current_resource = self._add_resource_safely(current_resource, part)
+        
+        return current_resource
+    
+    def _import_existing_resource(
+        self, api_gateway: apigateway.RestApi, parent_resource: apigateway.Resource, 
+        path_part: str, resource_id: str, full_path: str
+    ) -> apigateway.Resource:
+        """Import an existing API Gateway resource by ID"""
+        from aws_cdk import aws_apigateway as apigateway
+        
+        try:
+            # Use CfnResource to reference existing resource
+            # This creates a reference without trying to create the resource
+            imported_resource = apigateway.Resource.from_resource_id(
+                self.scope,
+                f"imported-resource-{hash(full_path) % 10000}",
+                resource_id
+            )
+            
+            logger.info(f"Successfully imported existing resource: {path_part} (ID: {resource_id})")
+            return imported_resource
+            
+        except Exception as e:
+            logger.warning(f"Failed to import resource {path_part} with ID {resource_id}: {e}")
+            # Fallback to normal creation
+            return self._add_resource_safely(parent_resource, path_part)
+    
+    def _add_resource_safely(
+        self, parent_resource: apigateway.Resource, path_part: str
+    ) -> apigateway.Resource:
+        """Add resource with conflict handling"""
+        try:
+            return parent_resource.add_resource(path_part)
+        except Exception as e:
+            if "AlreadyExists" in str(e) or "same parent already has this name" in str(e):
+                logger.warning(f"Resource {path_part} already exists, attempting to find existing resource")
+                
+                # Try to find the existing resource in children
+                for child in parent_resource.node.children:
+                    if (
+                        hasattr(child, "path_part")
+                        and getattr(child, "path_part", None) == path_part
+                    ):
+                        logger.info(f"Found existing resource: {path_part}")
+                        return child
+                
+                # If not found in children, re-raise the error
+                logger.error(f"Could not find or create resource: {path_part}")
+                raise e
+            else:
+                raise e
+
     def _get_existing_api_gateway_id_with_ssm_fallback(
         self, api_config: ApiGatewayConfigRouteConfig, stack_config
     ) -> Optional[str]:
@@ -1198,3 +1305,128 @@ class ApiGatewayIntegrationUtility:
                 api_gateways[api_key]['integrations'].append(integration)
         
         return api_gateways
+
+    def _validate_and_adjust_authorization_configuration(
+        self, api_config: ApiGatewayConfigRouteConfig, has_cognito_authorizer: bool
+    ) -> ApiGatewayConfigRouteConfig:
+        """
+        Validate and adjust authorization configuration for security and clarity.
+        
+        This method implements 'secure by default' with explicit overrides:
+        - If Cognito is available and route wants NONE auth, requires explicit override
+        - If Cognito is not available and route wants COGNITO auth, raises error
+        - Provides verbose warnings for monitoring and security awareness
+        - Returns a potentially modified api_config with adjusted authorization_type
+        
+        Args:
+            api_config (ApiGatewayConfigRouteConfig): Route configuration
+            has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
+            
+        Returns:
+            ApiGatewayConfigRouteConfig: Potentially modified configuration
+            
+        Raises:
+            ValueError: When there are security conflicts without explicit overrides
+        """
+        import logging
+        from copy import deepcopy
+        
+        # Create a copy to avoid modifying the original
+        modified_config = deepcopy(api_config)
+        
+        auth_type = getattr(api_config, 'authorization_type', 'COGNITO')
+        
+        # Check for explicit override flag (need to check the original route dictionary)
+        explicit_override = False
+        if hasattr(api_config, 'dictionary') and api_config.dictionary:
+            explicit_override = api_config.dictionary.get('allow_public_override', False)
+        
+        route_path = getattr(api_config, 'routes', 'unknown')
+        method = getattr(api_config, 'method', 'unknown')
+        
+        logger = logging.getLogger(__name__)
+        
+        # Case 1: Cognito available + NONE requested + No explicit override = ERROR
+        if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
+            error_msg = (
+                f"🚨 SECURITY CONFLICT DETECTED for route {route_path} ({method}):\n"
+                f"   ❌ Cognito authorizer is configured (manual or auto-import)\n"
+                f"   ❌ authorization_type is set to 'NONE' (public access)\n"
+                f"   ❌ This creates a security risk - public endpoint with auth available\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Remove Cognito configuration if you want public access\n"
+                f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
+                f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
+                f"🔒 This prevents accidental public endpoints when authentication is available."
+            )
+            raise ValueError(error_msg)
+        
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR  
+        # Only error if COGNITO was explicitly requested, not if it's the default
+        original_auth_type = None
+        if hasattr(api_config, 'dictionary') and api_config.dictionary:
+            original_auth_type = api_config.dictionary.get('authorization_type')
+        
+        if not has_cognito_authorizer and original_auth_type == "COGNITO":
+            error_msg = (
+                f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
+                f"   ❌ authorization_type is explicitly set to 'COGNITO' but no Cognito authorizer configured\n"
+                f"   ❌ Cannot secure endpoint without authentication provider\n\n"
+                f"💡 SOLUTIONS:\n"
+                f"   1. Add Cognito configuration to enable authentication\n"
+                f"   2. Set authorization_type to 'NONE' for public access\n"
+                f"   3. Configure SSM auto-import for user_pool_arn\n"
+                f"   4. Remove explicit authorization_type to use default behavior"
+            )
+            raise ValueError(error_msg)
+        
+        # Case 3: Cognito available + NONE requested + Explicit override = WARN
+        if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
+            warning_msg = (
+                f"⚠️  PUBLIC ENDPOINT CONFIGURED: {route_path} ({method})\n"
+                f"   🔓 This endpoint is intentionally public (allow_public_override: true)\n"
+                f"   🔐 Cognito authentication is available but overridden\n"
+                f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
+                f"   🔍 Review periodically: Should this endpoint be secured?"
+            )
+            
+            # Print to console during deployment for visibility
+            print(warning_msg)
+            
+            # Structured logging for monitoring and metrics
+            logger.warning(
+                "Public endpoint configured with Cognito available",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "security_override": True,
+                    "cognito_available": True,
+                    "authorization_type": "NONE",
+                    "metric_name": "public_endpoint_with_cognito",
+                    "security_decision": "intentional_public",
+                    "recommendation": "review_periodically"
+                }
+            )
+        
+        # Case 4: No Cognito + default COGNITO = Fall back to NONE
+        if not has_cognito_authorizer and auth_type == "COGNITO" and original_auth_type is None:
+            modified_config.authorization_type = "NONE"
+            logger.info(
+                f"No Cognito authorizer available for route {route_path} ({method}), "
+                f"defaulting to public access (NONE authorization)"
+            )
+        
+        # Case 5: No Cognito + NONE = INFO (expected for public-only APIs)
+        if not has_cognito_authorizer and auth_type == "NONE":
+            logger.info(
+                f"Public endpoint configured (no Cognito available): {route_path} ({method})",
+                extra={
+                    "route": route_path,
+                    "method": method,
+                    "authorization_type": "NONE",
+                    "cognito_available": False,
+                    "security_decision": "public_only_api"
+                }
+            )
+        
+        return modified_config

cdk_factory-0.7.25/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.7.25"

cdk_factory-0.7.22/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.7.22"