PyPI - cdk-factory - Versions diffs - 0.7.26__py3-none-any.whl → 0.7.27__py3-none-any.whl - Mend

cdk-factory 0.7.26py3-none-any.whl → 0.7.27py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

cdk_factory/configurations/resources/apigateway_route_config.py CHANGED Viewed

@@ -72,7 +72,7 @@ class ApiGatewayConfigRouteConfig:
     @property
     def allow_public_override(self) -> bool:
         """Whether to allow public access when Cognito is available"""
-        return self._config.get("allow_public_override", False)
+        return str(self._config.get("allow_public_override", False)).lower() == "true"
     @property
     def dictionary(self) -> Dict[str, Any]:

cdk_factory/stack_library/api_gateway/api_gateway_stack.py CHANGED Viewed

@@ -350,28 +350,30 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
     def _validate_authorization_configuration(self, route, has_cognito_authorizer):
         """
         Validate authorization configuration for security and clarity.
         This method implements 'secure by default' with explicit overrides:
         - If Cognito is available and route wants NONE auth, requires explicit override
         - If Cognito is not available and route wants COGNITO auth, raises error
         - Provides verbose warnings for monitoring and security awareness
         Args:
             route (dict): Route configuration
             has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
         Raises:
             ValueError: When there are security conflicts without explicit overrides
         """
         import logging
-        auth_type = route.get("authorization_type", "COGNITO")
-        explicit_override = route.get("allow_public_override", False)
+        auth_type = str(route.get("authorization_type", "COGNITO")).upper()
+        explicit_override = (
+            str(route.get("allow_public_override", False)).lower() == "true"
+        )
         route_path = route.get("path", "unknown")
         method = route.get("method", "unknown")
         logger = logging.getLogger(__name__)
         # Case 1: Cognito available + NONE requested + No explicit override = ERROR
         if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
             error_msg = (
@@ -383,11 +385,12 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                 f"   1. Remove Cognito configuration if you want public access\n"
                 f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
                 f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available."
+                f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
+                f"👉 ApiGatewayStack documentation for more details: https://github.com/your-repo/api-gateway-stack"
             )
             raise ValueError(error_msg)
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
         # Only error if COGNITO was explicitly requested, not if it's the default
         if not has_cognito_authorizer and route.get("authorization_type") == "COGNITO":
             error_msg = (
@@ -401,7 +404,7 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                 f"   4. Remove explicit authorization_type to use default behavior"
             )
             raise ValueError(error_msg)
         # Case 3: Cognito available + NONE requested + Explicit override = WARN
         if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
             warning_msg = (
@@ -411,10 +414,10 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                 f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
                 f"   🔍 Review periodically: Should this endpoint be secured?"
             )
             # Print to console during deployment for visibility
             print(warning_msg)
             # Structured logging for monitoring and metrics
             logger.warning(
                 "Public endpoint configured with Cognito available",
@@ -426,10 +429,10 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "authorization_type": "NONE",
                     "metric_name": "public_endpoint_with_cognito",
                     "security_decision": "intentional_public",
-                    "recommendation": "review_periodically"
-                }
+                    "recommendation": "review_periodically",
+                },
             )
         # Case 4: No Cognito + NONE = INFO (expected for public-only APIs)
         if not has_cognito_authorizer and auth_type == "NONE":
             logger.info(
@@ -439,8 +442,8 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
                     "method": method,
                     "authorization_type": "NONE",
                     "cognito_available": False,
-                    "security_decision": "public_only_api"
-                }
+                    "security_decision": "public_only_api",
+                },
             )
     def _setup_lambda_integration(
@@ -448,23 +451,27 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
     ):
         """Setup Lambda integration for a route"""
         import logging
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
-        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+        if (
+            not authorizer
+            and authorization_type == "COGNITO"
+            and "authorization_type" not in route
+        ):
             authorization_type = "NONE"
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
         # Validate authorization configuration for security
         self._validate_authorization_configuration(route, authorizer is not None)
         # If set to NONE (explicitly or by fallback), skip authorization
         if authorization_type == "NONE":
             authorizer = None
@@ -502,20 +509,24 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
     ):
         """Setup fallback Lambda integration for routes without src"""
         import logging
         route_path = route["path"]
         # Secure by default: require Cognito authorization unless explicitly set to NONE
         authorization_type = route.get("authorization_type", "COGNITO")
         # If no Cognito authorizer available and default COGNITO, fall back to NONE
-        if not authorizer and authorization_type == "COGNITO" and "authorization_type" not in route:
+        if (
+            not authorizer
+            and authorization_type == "COGNITO"
+            and "authorization_type" not in route
+        ):
             authorization_type = "NONE"
             logger = logging.getLogger(__name__)
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({route.get('method', 'unknown')}), "
                 f"defaulting to public access (NONE authorization)"
             )
         # Validate authorization configuration for security
         self._validate_authorization_configuration(route, authorizer is not None)

cdk_factory/utilities/api_gateway_integration_utility.py CHANGED Viewed

@@ -56,10 +56,13 @@ class ApiGatewayIntegrationUtility:
         # Validate authorization configuration for security
         has_cognito_authorizer = (
-            self.authorizer is not None or
-            self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config) is not None
+            self.authorizer is not None
+            or self._get_existing_authorizer_id_with_ssm_fallback(
+                api_config, stack_config
+            )
+            is not None
         )
         # Apply enhanced authorization validation and fallback logic
         api_config = self._validate_and_adjust_authorization_configuration(
             api_config, has_cognito_authorizer
@@ -79,7 +82,9 @@ class ApiGatewayIntegrationUtility:
         )
         # Add method to API Gateway
-        resource = self.get_or_create_resource(api_gateway, api_config.routes, stack_config)
+        resource = self.get_or_create_resource(
+            api_gateway, api_config.routes, stack_config
+        )
         # Handle existing authorizer ID using L1 constructs
         if self._get_existing_authorizer_id_with_ssm_fallback(api_config, stack_config):
@@ -101,7 +106,7 @@ class ApiGatewayIntegrationUtility:
                 # Use configured authorization type
                 auth_type = apigateway.AuthorizationType[api_config.authorization_type]
                 authorizer_to_use = None
             method = None
             try:
                 method = resource.add_method(
@@ -623,9 +628,11 @@ class ApiGatewayIntegrationUtility:
         if stack_config:
             api_gateway_config = stack_config.dictionary.get("api_gateway", {})
             existing_resources = api_gateway_config.get("existing_resources", {})
             if existing_resources:
-                return self._create_resource_with_imports(api_gateway, route_path, existing_resources)
+                return self._create_resource_with_imports(
+                    api_gateway, route_path, existing_resources
+                )
         # Use the built-in resource_for_path method which handles existing resources correctly
         try:
@@ -682,27 +689,29 @@ class ApiGatewayIntegrationUtility:
     ) -> apigateway.Resource:
         """Create resource path using existing resource imports to avoid conflicts"""
         from aws_cdk import aws_apigateway as apigateway
         # Remove leading slash and split path
         path_parts = route_path.lstrip("/").split("/")
         current_resource = api_gateway.root
         current_path = ""
         # Navigate through path parts, importing existing resources where configured
         for i, part in enumerate(path_parts):
             if not part:  # Skip empty parts
                 continue
-            current_path = "/" + "/".join(path_parts[:i+1])
+            current_path = "/" + "/".join(path_parts[: i + 1])
             # Check if this path segment should be imported from existing resources
             if current_path in existing_resources:
                 resource_config = existing_resources[current_path]
                 resource_id = resource_config.get("resource_id")
                 if resource_id:
-                    logger.info(f"Importing existing resource for path {current_path} with ID: {resource_id}")
+                    logger.info(
+                        f"Importing existing resource for path {current_path} with ID: {resource_id}"
+                    )
                     # Import the existing resource using L1 constructs
                     current_resource = self._import_existing_resource(
                         api_gateway, current_resource, part, resource_id, current_path
@@ -713,33 +722,39 @@ class ApiGatewayIntegrationUtility:
             else:
                 # Create normally for non-imported paths
                 current_resource = self._add_resource_safely(current_resource, part)
         return current_resource
     def _import_existing_resource(
-        self, api_gateway: apigateway.RestApi, parent_resource: apigateway.Resource,
-        path_part: str, resource_id: str, full_path: str
+        self,
+        api_gateway: apigateway.RestApi,
+        parent_resource: apigateway.Resource,
+        path_part: str,
+        resource_id: str,
+        full_path: str,
     ) -> apigateway.Resource:
         """Import an existing API Gateway resource by ID"""
         from aws_cdk import aws_apigateway as apigateway
         try:
             # Use CfnResource to reference existing resource
             # This creates a reference without trying to create the resource
             imported_resource = apigateway.Resource.from_resource_id(
-                self.scope,
-                f"imported-resource-{hash(full_path) % 10000}",
-                resource_id
+                self.scope, f"imported-resource-{hash(full_path) % 10000}", resource_id
+            )
+            logger.info(
+                f"Successfully imported existing resource: {path_part} (ID: {resource_id})"
             )
-            logger.info(f"Successfully imported existing resource: {path_part} (ID: {resource_id})")
             return imported_resource
         except Exception as e:
-            logger.warning(f"Failed to import resource {path_part} with ID {resource_id}: {e}")
+            logger.warning(
+                f"Failed to import resource {path_part} with ID {resource_id}: {e}"
+            )
             # Fallback to normal creation
             return self._add_resource_safely(parent_resource, path_part)
     def _add_resource_safely(
         self, parent_resource: apigateway.Resource, path_part: str
     ) -> apigateway.Resource:
@@ -747,9 +762,13 @@ class ApiGatewayIntegrationUtility:
         try:
             return parent_resource.add_resource(path_part)
         except Exception as e:
-            if "AlreadyExists" in str(e) or "same parent already has this name" in str(e):
-                logger.warning(f"Resource {path_part} already exists, attempting to find existing resource")
+            if "AlreadyExists" in str(e) or "same parent already has this name" in str(
+                e
+            ):
+                logger.warning(
+                    f"Resource {path_part} already exists, attempting to find existing resource"
+                )
                 # Try to find the existing resource in children
                 for child in parent_resource.node.children:
                     if (
@@ -758,7 +777,7 @@ class ApiGatewayIntegrationUtility:
                     ):
                         logger.info(f"Found existing resource: {path_part}")
                         return child
                 # If not found in children, re-raise the error
                 logger.error(f"Could not find or create resource: {path_part}")
                 raise e
@@ -837,7 +856,7 @@ class ApiGatewayIntegrationUtility:
         # Try enhanced SSM parameter lookup with auto-discovery
         api_gateway_config = stack_config.dictionary.get("api_gateway", {})
         ssm_config = api_gateway_config.get("ssm", {})
         if ssm_config.get("enabled", False):
             try:
                 from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import (
@@ -859,26 +878,34 @@ class ApiGatewayIntegrationUtility:
                 imports_config = ssm_config.get("imports", {})
                 if "authorizer_id" in imports_config:
                     import_value = imports_config["authorizer_id"]
                     if import_value == "auto":
                         logger.info("Using auto-import for authorizer ID")
                         imported_values = ssm_mixin.auto_import_resources()
                         authorizer_id = imported_values.get("authorizer_id")
                         if authorizer_id:
-                            logger.info(f"Found authorizer ID via auto-import: {authorizer_id}")
+                            logger.info(
+                                f"Found authorizer ID via auto-import: {authorizer_id}"
+                            )
                             return authorizer_id
                     else:
                         # Use direct parameter import for specific SSM path
-                        logger.info(f"Looking up authorizer ID from SSM parameter: {import_value}")
+                        logger.info(
+                            f"Looking up authorizer ID from SSM parameter: {import_value}"
+                        )
                         authorizer_id = ssm_mixin._import_enhanced_ssm_parameter(
                             import_value, "authorizer_id"
                         )
                         if authorizer_id:
-                            logger.info(f"Found authorizer ID from SSM: {authorizer_id}")
+                            logger.info(
+                                f"Found authorizer ID from SSM: {authorizer_id}"
+                            )
                             return authorizer_id
             except Exception as e:
-                logger.warning(f"Failed to retrieve authorizer ID via enhanced SSM: {e}")
+                logger.warning(
+                    f"Failed to retrieve authorizer ID via enhanced SSM: {e}"
+                )
         # Fallback to traditional SSM parameter lookup
         authorizer_config = stack_config.dictionary.get("api_gateway", {}).get(
@@ -1041,7 +1068,9 @@ class ApiGatewayIntegrationUtility:
         return exported_params
-    def setup_route_cors(self, resource: apigateway.Resource, route_path: str, route: dict):
+    def setup_route_cors(
+        self, resource: apigateway.Resource, route_path: str, route: dict
+    ):
         """Setup CORS for a route - centralized method for both API Gateway and Lambda stacks"""
         cors_cfg = route.get("cors")
         methods = cors_cfg.get("methods") if cors_cfg else None
@@ -1114,28 +1143,30 @@ class ApiGatewayIntegrationUtility:
         stack_config: StackConfig,
         api_config: Optional[ApiGatewayConfig] = None,
         construct_scope: Optional[Construct] = None,
-        counter: int = 1
+        counter: int = 1,
     ) -> apigateway.Stage:
         """
         Create deployment and stage for API Gateway with all integrations.
         Consolidates logic from both API Gateway and Lambda stacks.
         """
         scope = construct_scope or self.scope
         # Determine stage name with fallback logic
         stage_name = self._get_stage_name(stack_config, api_config)
         # Check if using existing stage
         use_existing = self._should_use_existing_stage(stack_config)
-        logger.info(f"Creating deployment for API Gateway with {len(integrations)} integrations")
+        logger.info(
+            f"Creating deployment for API Gateway with {len(integrations)} integrations"
+        )
         # Create deployment
         deployment_id = f"api-gateway-{counter}-deployment-final"
         if len(integrations) == 1 and integrations[0].get("function_name"):
             # Lambda stack deployment
             deployment_id = "api-gateway-deployment"
         deployment = apigateway.Deployment(
             scope,
             deployment_id,
@@ -1145,83 +1176,95 @@ class ApiGatewayIntegrationUtility:
         )
         # Add timestamp to deployment logical ID to prevent conflicts and force new deployment
         deployment.add_to_logical_id(datetime.now(UTC).isoformat())
         # Create stage if not using existing
         stage = None
         if not use_existing:
-            stage_options = self._create_stage_options(api_config) if api_config else None
+            stage_options = (
+                self._create_stage_options(api_config) if api_config else None
+            )
             stage_id = f"{api_gateway.rest_api_name}-{stage_name}-stage"
             if len(integrations) == 1 and integrations[0].get("function_name"):
                 # Lambda stack stage
                 stage_id = f"{api_gateway.rest_api_name}-{stage_name}-stage-lambdas"
             stage_kwargs = {
                 "deployment": deployment,
                 "stage_name": stage_name,
-                "description": f"Stage {stage_name} with {len(integrations)} integrations"
+                "description": f"Stage {stage_name} with {len(integrations)} integrations",
             }
             # Add stage options if available
             if stage_options:
-                stage_kwargs.update({
-                    "access_log_destination": stage_options.access_log_destination,
-                    "access_log_format": stage_options.access_log_format,
-                    "logging_level": stage_options.logging_level,
-                    "data_trace_enabled": stage_options.data_trace_enabled,
-                    "metrics_enabled": stage_options.metrics_enabled,
-                    "tracing_enabled": stage_options.tracing_enabled,
-                    "throttling_rate_limit": stage_options.throttling_rate_limit,
-                    "throttling_burst_limit": stage_options.throttling_burst_limit
-                })
+                stage_kwargs.update(
+                    {
+                        "access_log_destination": stage_options.access_log_destination,
+                        "access_log_format": stage_options.access_log_format,
+                        "logging_level": stage_options.logging_level,
+                        "data_trace_enabled": stage_options.data_trace_enabled,
+                        "metrics_enabled": stage_options.metrics_enabled,
+                        "tracing_enabled": stage_options.tracing_enabled,
+                        "throttling_rate_limit": stage_options.throttling_rate_limit,
+                        "throttling_burst_limit": stage_options.throttling_burst_limit,
+                    }
+                )
             stage = apigateway.Stage(scope, stage_id, **stage_kwargs)
-        logger.info(f"Created deployment and stage '{stage_name}' for API Gateway: {api_gateway.rest_api_name}")
-        logger.info(f"Routes available at: https://{api_gateway.rest_api_id}.execute-api.{scope.region}.amazonaws.com/{stage_name}")
+        logger.info(
+            f"Created deployment and stage '{stage_name}' for API Gateway: {api_gateway.rest_api_name}"
+        )
+        logger.info(
+            f"Routes available at: https://{api_gateway.rest_api_id}.execute-api.{scope.region}.amazonaws.com/{stage_name}"
+        )
         return stage
-    def _get_stage_name(self, stack_config: StackConfig, api_config: Optional[ApiGatewayConfig] = None) -> str:
+    def _get_stage_name(
+        self, stack_config: StackConfig, api_config: Optional[ApiGatewayConfig] = None
+    ) -> str:
         """Get stage name with fallback logic from both stacks"""
         # Try Lambda stack config format first
         api_gateway_config = stack_config.dictionary.get("api_gateway", {})
         stage_name = api_gateway_config.get("stage", {}).get("name")
         if stage_name:
             return stage_name
         # Try API Gateway stack config format
-        if api_config and hasattr(api_config, 'stage_name') and api_config.stage_name:
+        if api_config and hasattr(api_config, "stage_name") and api_config.stage_name:
             stage_name = api_config.stage_name
         else:
             # Fallback to legacy format
             stage_name = api_gateway_config.get("stage_name", "prod")
         # Handle special cases
         if stage_name is None:
             raise ValueError("Stage name is required in API Gateway config")
         if stage_name.lower() == "auto":
             try:
                 stage_name = stack_config.name
             except Exception as e:
                 raise ValueError("Stage name is required in API Gateway config") from e
         return stage_name
     def _should_use_existing_stage(self, stack_config: StackConfig) -> bool:
         """Check if should use existing stage"""
         api_gateway_config = stack_config.dictionary.get("api_gateway", {})
         use_existing = api_gateway_config.get("stage", {}).get("use_existing", False)
         return str(use_existing).lower() == "true"
-    def _create_stage_options(self, api_config: ApiGatewayConfig) -> apigateway.StageOptions:
+    def _create_stage_options(
+        self, api_config: ApiGatewayConfig
+    ) -> apigateway.StageOptions:
         """Create stage options with full configuration"""
         log_group = self._setup_log_group()
         access_log_format = self._get_log_format()
         deploy_options = api_config.deploy_options or {}
         return apigateway.StageOptions(
             access_log_destination=apigateway.LogGroupLogDestination(log_group),
             access_log_format=access_log_format,
@@ -1230,32 +1273,32 @@ class ApiGatewayIntegrationUtility:
             metrics_enabled=deploy_options.get("metrics_enabled", False),
             tracing_enabled=deploy_options.get("tracing_enabled", True),
             throttling_rate_limit=deploy_options.get("throttling_rate_limit", 1000),
-            throttling_burst_limit=deploy_options.get("throttling_burst_limit", 2000)
+            throttling_burst_limit=deploy_options.get("throttling_burst_limit", 2000),
         )
     def _setup_log_group(self) -> logs.LogGroup:
         """Setup CloudWatch log group for API Gateway"""
         if self._log_group:
             return self._log_group
         self._log_group = logs.LogGroup(
             self.scope,
             "ApiGatewayLogGroup",
             removal_policy=RemovalPolicy.DESTROY,
             retention=logs.RetentionDays.ONE_MONTH,
         )
         self._log_group.grant_write(iam.ServicePrincipal("apigateway.amazonaws.com"))
         log_role = self._setup_log_role()
         self._log_group.grant_write(log_role)
         return self._log_group
     def _setup_log_role(self) -> iam.Role:
         """Setup IAM role for API Gateway logging"""
         if self._log_role:
             return self._log_role
         self._log_role = iam.Role(
             self.scope,
             "ApiGatewayLogRole",
@@ -1266,44 +1309,48 @@ class ApiGatewayIntegrationUtility:
                 )
             ],
         )
         return self._log_role
     def _get_log_format(self) -> apigateway.AccessLogFormat:
         """Get access log format for API Gateway"""
         return apigateway.AccessLogFormat.custom(
-            json.dumps({
-                "requestId": "$context.requestId",
-                "extendedRequestId": "$context.extendedRequestId",
-                "method": "$context.httpMethod",
-                "route": "$context.resourcePath",
-                "status": "$context.status",
-                "requestBody": "$input.body",
-                "responseBody": "$context.responseLength",
-                "headers": "$context.requestHeaders",
-                "requestContext": "$context.requestContext",
-            })
+            json.dumps(
+                {
+                    "requestId": "$context.requestId",
+                    "extendedRequestId": "$context.extendedRequestId",
+                    "method": "$context.httpMethod",
+                    "route": "$context.resourcePath",
+                    "status": "$context.status",
+                    "requestBody": "$input.body",
+                    "responseBody": "$context.responseLength",
+                    "headers": "$context.requestHeaders",
+                    "requestContext": "$context.requestContext",
+                }
+            )
         )
-    def group_integrations_by_api_gateway(self, integrations: List[Dict[str, Any]]) -> Dict[int, Dict[str, Any]]:
+    def group_integrations_by_api_gateway(
+        self, integrations: List[Dict[str, Any]]
+    ) -> Dict[int, Dict[str, Any]]:
         """Group integrations by API Gateway using object identity"""
         api_gateways = {}
         api_counter = 0
         for integration in integrations:
-            api_gateway = integration.get('api_gateway')
+            api_gateway = integration.get("api_gateway")
             if api_gateway:
                 # Use object identity as key instead of CDK token
                 api_key = id(api_gateway)
                 if api_key not in api_gateways:
                     api_counter += 1
                     api_gateways[api_key] = {
-                        'api_gateway': api_gateway,
-                        'integrations': [],
-                        'counter': api_counter
+                        "api_gateway": api_gateway,
+                        "integrations": [],
+                        "counter": api_counter,
                     }
-                api_gateways[api_key]['integrations'].append(integration)
+                api_gateways[api_key]["integrations"].append(integration)
         return api_gateways
     def _validate_and_adjust_authorization_configuration(
@@ -1311,39 +1358,41 @@ class ApiGatewayIntegrationUtility:
     ) -> ApiGatewayConfigRouteConfig:
         """
         Validate and adjust authorization configuration for security and clarity.
         This method implements 'secure by default' with explicit overrides:
         - If Cognito is available and route wants NONE auth, requires explicit override
         - If Cognito is not available and route wants COGNITO auth, raises error
         - Provides verbose warnings for monitoring and security awareness
         - Returns a potentially modified api_config with adjusted authorization_type
         Args:
             api_config (ApiGatewayConfigRouteConfig): Route configuration
             has_cognito_authorizer (bool): Whether a Cognito authorizer is configured
         Returns:
             ApiGatewayConfigRouteConfig: Potentially modified configuration
         Raises:
             ValueError: When there are security conflicts without explicit overrides
         """
         import logging
         from copy import deepcopy
         # Create a copy to avoid modifying the original
         modified_config = deepcopy(api_config)
-        auth_type = getattr(api_config, 'authorization_type', 'COGNITO')
+        auth_type = str(getattr(api_config, "authorization_type", "COGNITO")).upper()
         # Check for explicit override flag
-        explicit_override = getattr(api_config, 'allow_public_override', False)
-        route_path = getattr(api_config, 'routes', 'unknown')
-        method = getattr(api_config, 'method', 'unknown')
+        explicit_override = (
+            str(getattr(api_config, "allow_public_override", False)).lower() == "true"
+        )
+        route_path = getattr(api_config, "routes", "unknown")
+        method = getattr(api_config, "method", "unknown")
         logger = logging.getLogger(__name__)
         # Case 1: Cognito available + NONE requested + No explicit override = ERROR
         if has_cognito_authorizer and auth_type == "NONE" and not explicit_override:
             error_msg = (
@@ -1355,16 +1404,17 @@ class ApiGatewayIntegrationUtility:
                 f"   1. Remove Cognito configuration if you want public access\n"
                 f"   2. Add 'allow_public_override': true to explicitly allow public access\n"
                 f"   3. Remove 'authorization_type': 'NONE' to use secure Cognito auth\n\n"
-                f"🔒 This prevents accidental public endpoints when authentication is available."
+                f"🔒 This prevents accidental public endpoints when authentication is available.\n\n"
+                f"👉 ApiGatewayIntegrationUtility documentation for more details: https://github.com/your-repo/api-gateway-stack"
             )
             raise ValueError(error_msg)
-        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
+        # Case 2: No Cognito + COGNITO explicitly requested = ERROR
         # Only error if COGNITO was explicitly requested, not if it's the default
         original_auth_type = None
-        if hasattr(api_config, 'dictionary') and api_config.dictionary:
-            original_auth_type = api_config.dictionary.get('authorization_type')
+        if hasattr(api_config, "dictionary") and api_config.dictionary:
+            original_auth_type = api_config.dictionary.get("authorization_type")
         if not has_cognito_authorizer and original_auth_type == "COGNITO":
             error_msg = (
                 f"🚨 CONFIGURATION ERROR for route {route_path} ({method}):\n"
@@ -1377,7 +1427,7 @@ class ApiGatewayIntegrationUtility:
                 f"   4. Remove explicit authorization_type to use default behavior"
             )
             raise ValueError(error_msg)
         # Case 3: Cognito available + NONE requested + Explicit override = WARN
         if has_cognito_authorizer and auth_type == "NONE" and explicit_override:
             warning_msg = (
@@ -1387,10 +1437,10 @@ class ApiGatewayIntegrationUtility:
                 f"   📊 Consider monitoring this endpoint for unexpected usage patterns\n"
                 f"   🔍 Review periodically: Should this endpoint be secured?"
             )
             # Print to console during deployment for visibility
             print(warning_msg)
             # Structured logging for monitoring and metrics
             logger.warning(
                 "Public endpoint configured with Cognito available",
@@ -1402,18 +1452,22 @@ class ApiGatewayIntegrationUtility:
                     "authorization_type": "NONE",
                     "metric_name": "public_endpoint_with_cognito",
                     "security_decision": "intentional_public",
-                    "recommendation": "review_periodically"
-                }
+                    "recommendation": "review_periodically",
+                },
             )
         # Case 4: No Cognito + default COGNITO = Fall back to NONE
-        if not has_cognito_authorizer and auth_type == "COGNITO" and original_auth_type is None:
+        if (
+            not has_cognito_authorizer
+            and auth_type == "COGNITO"
+            and original_auth_type is None
+        ):
             modified_config.authorization_type = "NONE"
             logger.info(
                 f"No Cognito authorizer available for route {route_path} ({method}), "
                 f"defaulting to public access (NONE authorization)"
             )
         # Case 5: No Cognito + NONE = INFO (expected for public-only APIs)
         if not has_cognito_authorizer and auth_type == "NONE":
             logger.info(
@@ -1423,8 +1477,8 @@ class ApiGatewayIntegrationUtility:
                     "method": method,
                     "authorization_type": "NONE",
                     "cognito_available": False,
-                    "security_decision": "public_only_api"
-                }
+                    "security_decision": "public_only_api",
+                },
             )
         return modified_config

cdk_factory/version.py CHANGED Viewed

	@@ -1 +1 @@
1	- __version__ = "0.7.26"
1	+ __version__ = "0.7.27"

{cdk_factory-0.7.26.dist-info → cdk_factory-0.7.27.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.7.26
+Version: 0.7.27
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.7.26.dist-info → cdk_factory-0.7.27.dist-info}/RECORD RENAMED Viewed

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=bdHnwFVnv19lO1d9o0Rjk5Js7MqJglg3CX1USYBiklY,23
+cdk_factory/version.py,sha256=fHi3FiqQRMkjl3o8ATyV9gZrBSNTVvt5m0WxJ-NYHTA,23
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -18,7 +18,7 @@ cdk_factory/configurations/stack.py,sha256=7whhC48dUYw7BBFV49zM1Q3AghTNkaiDfy4kK
 cdk_factory/configurations/workload.py,sha256=sM-B6UKOdOn5_H-eWmW03J9oa8YZZmO0bvQ69wbCM0Q,7756
 cdk_factory/configurations/resources/_resources.py,sha256=tnXGn4kEC0JPQaTWB3QpAZG-2hIGBtugHTzuKn1OTvE,2548
 cdk_factory/configurations/resources/api_gateway.py,sha256=-k4hMGszIdQLb5DGmWBIPy49YGutp8zczafRh-Vob0I,4904
-cdk_factory/configurations/resources/apigateway_route_config.py,sha256=fESVFKEKBj-EdkxB-iyDcA43FY1fX9Ow1QedH6UCm2I,2328
+cdk_factory/configurations/resources/apigateway_route_config.py,sha256=6ytn_nwKwlfpBtHL5sV6gxMpgAJ3p6QFGumMoW4CTHM,2351
 cdk_factory/configurations/resources/auto_scaling.py,sha256=OAVl8iUdHiOYVzme1qNDwA3w2raxDNUo_W2_Vebqtx8,5005
 cdk_factory/configurations/resources/cloudfront.py,sha256=xwDIrYQDqQMgekXSJ5vrgNXIUCfY6O8aiybE5ewwijw,1055
 cdk_factory/configurations/resources/cloudwatch_widget.py,sha256=EdEQSXUkDtoY_Mg_cJBWo1Hp84jSiK7U9tsd3k1VhKI,1271
@@ -72,7 +72,7 @@ cdk_factory/stack/stack_module_registry.py,sha256=J14-A75VZESzRQa8p-Fepdap7Z8T7m
 cdk_factory/stack/stack_modules.py,sha256=kgEK-j0smZPozVwTCfM1g1V17EyTBT0TXAQZq4vZz0o,784
 cdk_factory/stack_library/__init__.py,sha256=5Y9TpIe8ZK1688G60PGcuP-hM0RvYEY_3Hl2qJCJJrw,581
 cdk_factory/stack_library/stack_base.py,sha256=tTleSFmlf26DuKVF_ytftf8P7IVWb5iex8cYfYupfvQ,4940
-cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=i87MGWAqRJBrayQaXVf-R90_NKVZpbOf3QNibnOIsBM,35507
+cdk_factory/stack_library/api_gateway/api_gateway_stack.py,sha256=-K9ybNHpjycw4wtaiWbMm9dLCYPYoaqlakgBIQyotCk,35632
 cdk_factory/stack_library/auto_scaling/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/stack_library/auto_scaling/auto_scaling_stack.py,sha256=UsFqUb_3XPJAlmZ6F75nXna3elOggD1KuFmmdmhi0Lg,19070
 cdk_factory/stack_library/aws_lambdas/lambda_stack.py,sha256=xT8-799fSXMpYaRhRKytxsbpb5EG3g2h6L822_RpRSk,22956
@@ -97,7 +97,7 @@ cdk_factory/stack_library/vpc/__init__.py,sha256=7pIqP97Gf2AJbv9Ebp1WbQGHYhgEbWJ
 cdk_factory/stack_library/vpc/vpc_stack.py,sha256=zdDiGilf03esxuya5Z8zVYSVMAIuZBeD-ZKgfnEd6aw,10077
 cdk_factory/stack_library/websites/static_website_stack.py,sha256=KBQiV6PI09mpHGtH-So5Hk3uhfFLDepoXInGbfin0cY,7938
 cdk_factory/stages/websites/static_website_stage.py,sha256=X4fpKXkhb0zIbSHx3QyddBhVSLBryb1vf1Cg2fMTqog,755
-cdk_factory/utilities/api_gateway_integration_utility.py,sha256=QlIGmWAJShDMTy7mIJeQDyHr59jP7EKQQOFXTNCQJA4,61923
+cdk_factory/utilities/api_gateway_integration_utility.py,sha256=LSfw2lNtJWMsRiaHf4FLiGHRgFPm-fOUhN2YJNHtxnI,62346
 cdk_factory/utilities/commandline_args.py,sha256=0FiNEJFbWVN8Ct7r0VHnJEx7rhUlaRKT7R7HMNJBSTI,2216
 cdk_factory/utilities/configuration_loader.py,sha256=z0ZdGLNbTO4_yfluB9zUh_i_Poc9qj-7oRyjMRlNkN8,1522
 cdk_factory/utilities/docker_utilities.py,sha256=9r8C-lXYpymqEfi3gTeWCQzHldvfjttPqn6p3j2khTE,8111
@@ -109,7 +109,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=j3tBdv_gC2MdEwBINDwAqY
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.7.26.dist-info/METADATA,sha256=33JcY3G617lMyKEaMalJobLMN5SQdNSqCSdHp5pgeDc,2451
-cdk_factory-0.7.26.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.7.26.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.7.26.dist-info/RECORD,,
+cdk_factory-0.7.27.dist-info/METADATA,sha256=kkqu-N4uFgjOYSenuas-fjiwtIcTNoxmRK8NR6CBsyw,2451
+cdk_factory-0.7.27.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.7.27.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.7.27.dist-info/RECORD,,

{cdk_factory-0.7.26.dist-info → cdk_factory-0.7.27.dist-info}/WHEEL RENAMED Viewed

File without changes

{cdk_factory-0.7.26.dist-info → cdk_factory-0.7.27.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

cdk-factory 0.7.26__py3-none-any.whl → 0.7.27__py3-none-any.whl

cdk-factory 0.7.26py3-none-any.whl → 0.7.27py3-none-any.whl