cdk-factory 0.8.0__tar.gz → 0.8.1__tar.gz

cdk_factory-0.8.1/GEEK_CAFE_FIX.md

@@ -0,0 +1,241 @@
+# Fix for geek-cafe Cognito Error
+
+## The Problem
+
+```
+ValueError: User pool ID is required for API Gateway authorizer.
+```
+
+Your API Gateway stack can't find the Cognito User Pool because the new separated pattern requires **SSM imports** instead of environment variables.
+
+## Quick Fix
+
+In your `/Users/eric.wilson/Projects/geek-cafe/geek-cafe-web/geek-cafe-lambdas/cdk` config:
+
+### Option 1: Add SSM Import (Recommended)
+
+**api-gateway-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-api-gateway",
+  "module": "api_gateway_stack",
+  "api_gateway": {
+    "name": "geek-cafe-prod-api",
+    "api_type": "REST",
+    "stage_name": "prod",
+    "ssm": {
+      "enabled": true,
+      "auto_export": true,
+      "workload": "geek-cafe",
+      "environment": "prod",
+      "imports": {
+        "workload": "geek-cafe",
+        "environment": "prod",
+        "user_pool_arn": "auto"  // ✅ ADD THIS - imports from Cognito stack
+      }
+    },
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-cognito-authorizer"
+    },
+    "routes": [...]
+  }
+}
+```
+
+This assumes your Cognito stack is configured to export:
+```json
+{
+  "name": "geek-cafe-prod-cognito",
+  "module": "cognito_stack",
+  "ssm": {
+    "enabled": true,
+    "auto_export": true,  // ✅ Must be enabled
+    "workload": "geek-cafe",
+    "environment": "prod"
+  }
+}
+```
+
+### Option 2: Use Explicit SSM Path
+
+If auto-discovery doesn't work, find the exact SSM parameter:
+
+```bash
+# Find the parameter
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/cognito" --recursive
+```
+
+Then use the explicit path:
+```json
+{
+  "api_gateway": {
+    "ssm": {
+      "imports": {
+        "user_pool_arn": "/geek-cafe/prod/cognito/user-pool/user-pool-arn"
+      }
+    }
+  }
+}
+```
+
+### Option 3: Direct ARN (Quick Temporary Fix)
+
+If you just need to deploy NOW and fix properly later:
+
+```json
+{
+  "api_gateway": {
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-authorizer",
+      "user_pool_arn": "arn:aws:cognito-idp:us-east-1:ACCOUNT_ID:userpool/us-east-1_XXXXX"
+    }
+  }
+}
+```
+
+Get the ARN from AWS Console → Cognito → User Pools → geek-cafe-prod → ARN
+
+## Deployment Order
+
+With the new pattern, deploy in this order:
+
+```bash
+# 1. Deploy Cognito (if separate stack)
+cdk deploy geek-cafe-prod-cognito
+
+# 2. Deploy Lambdas
+cdk deploy geek-cafe-prod-lambdas
+
+# 3. Deploy API Gateway (imports from both above)
+cdk deploy geek-cafe-prod-api-gateway
+```
+
+Or set up a pipeline with stages:
+```json
+{
+  "pipeline": {
+    "stages": [
+      {"name": "infrastructure", "stacks": ["cognito-stack"]},
+      {"name": "lambdas", "stacks": ["lambda-stack"]},
+      {"name": "api-gateway", "stacks": ["api-gateway-stack"]}
+    ]
+  }
+}
+```
+
+## Verify SSM Parameters Exist
+
+```bash
+# Check what Cognito exported
+aws ssm get-parameter --name "/geek-cafe/prod/cognito/user-pool/user-pool-arn"
+
+# Check what Lambda exported
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/lambda" --recursive
+
+# Check what API Gateway exported
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/api-gateway" --recursive
+```
+
+## Complete Example Config
+
+**cognito-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-cognito",
+  "module": "cognito_stack",
+  "ssm": {
+    "enabled": true,
+    "auto_export": true,
+    "workload": "geek-cafe",
+    "environment": "prod"
+  },
+  "cognito": {
+    "user_pool_name": "geek-cafe-prod",
+    "exists": false
+  }
+}
+```
+
+**lambda-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-lambdas",
+  "module": "lambda_stack",
+  "ssm": {
+    "enabled": true,
+    "workload": "geek-cafe",
+    "environment": "prod"
+  },
+  "resources": [
+    {
+      "name": "geek-cafe-prod-get-cafes",
+      "src": "./src/handlers/cafes",
+      "handler": "get_cafes.lambda_handler"
+    }
+  ]
+}
+```
+
+**api-gateway-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-api-gateway",
+  "module": "api_gateway_stack",
+  "api_gateway": {
+    "name": "geek-cafe-prod-api",
+    "api_type": "REST",
+    "stage_name": "prod",
+    "ssm": {
+      "enabled": true,
+      "auto_export": true,
+      "workload": "geek-cafe",
+      "environment": "prod",
+      "imports": {
+        "workload": "geek-cafe",
+        "environment": "prod",
+        "user_pool_arn": "auto"  // ✅ This is the key fix
+      }
+    },
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-cognito-authorizer"
+    },
+    "routes": [
+      {
+        "path": "/cafes",
+        "method": "GET",
+        "lambda_name": "geek-cafe-prod-get-cafes",
+        "authorization_type": "COGNITO_USER_POOLS"
+      }
+    ]
+  }
+}
+```
+
+## Summary of Changes
+
+| Old Pattern (Combined) | New Pattern (Separated) |
+|------------------------|-------------------------|
+| `COGNITO_USER_POOL_ID` env var | SSM import with `user_pool_arn: "auto"` |
+| Single stack with Lambda + API | Three stacks: Cognito → Lambda → API Gateway |
+| Environment vars in CI/CD | Config-driven SSM parameters |
+| `"exports": {"enabled": true}` ❌ | `"auto_export": true` ✅ |
+
+## If Still Having Issues
+
+1. **Check CDK Factory version:**
+   ```bash
+   pip show cdk-factory
+   # Should be v0.8.0 or higher
+   ```
+
+2. **Enable debug logging:**
+   ```bash
+   export LOG_LEVEL=DEBUG
+   cdk deploy
+   ```
+
+3. **Verify workload/environment match** in all three stacks
+
+4. **Check SSM permissions** in your deployment role
+
+5. **Use explicit path** as fallback if auto-discovery fails

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.8.0
+Version: 0.8.1
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/examples/separate-api-gateway/api-gateway-stack.json

@@ -9,11 +9,9 @@
     "stage_name": "prod",
     "ssm": {
       "enabled": true,
+      "auto_export": true,
       "workload": "{{WORKLOAD_NAME}}",
       "environment": "{{ENVIRONMENT}}",
-      "exports": {
-        "enabled": true
-      },
       "imports": {
         "workload": "{{WORKLOAD_NAME}}",
         "environment": "{{ENVIRONMENT}}"

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.8.0"
+version = "0.8.1"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/src/cdk_factory/configurations/enhanced_ssm_config.py

@@ -86,7 +86,9 @@ class EnhancedSsmConfig:
         self, attribute: str, custom_path: Optional[str] = None
     ) -> str:
         """Generate SSM parameter path using pattern or custom path"""
-        if custom_path and custom_path.startswith("/"):
+        # Handle custom_path - must be a string starting with "/"
+        # Protect against incorrect config like: "exports": {"enabled": true}
+        if custom_path and isinstance(custom_path, str) and custom_path.startswith("/"):
             return custom_path
 
         # Convert underscore attribute names to hyphen format for consistent SSM paths

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -304,9 +304,28 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         )
 
     def _setup_cognito_authorizer(self, api_gateway, api_id):
-        """Setup Cognito authorizer if configured"""
+        """Setup Cognito authorizer if configured AND if any routes need it"""
         if not self.api_config.cognito_authorizer:
             return None
+        
+        # Check if any routes actually need the authorizer
+        # Don't create it if all routes are public (authorization_type: NONE)
+        routes = self.api_config.routes or []
+        needs_authorizer = any(
+            route.get("authorization_type") != "NONE" 
+            for route in routes
+        )
+        
+        # If we're not creating an authorizer but Cognito is configured,
+        # inform the integration utility so it can still perform security validations
+        if not needs_authorizer:
+            logger.info(
+                "Cognito authorizer configured but no routes require authorization. "
+                "Skipping authorizer creation but maintaining security validation context."
+            )
+            # Set a flag so the integration utility knows Cognito was available
+            self.integration_utility.cognito_configured = True
+            return None
 
         route_config = ApiGatewayConfigRouteConfig({})
         return self.integration_utility.get_or_create_authorizer(

{cdk_factory-0.8.0 → cdk_factory-0.8.1}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -40,6 +40,7 @@ class ApiGatewayIntegrationUtility:
         self.account = scope.account
         self.api_gateway = None
         self.authorizer = None
+        self.cognito_configured = False  # Flag for when Cognito is configured but authorizer not created
         self._log_group = None
         self._log_role = None
 
@@ -55,8 +56,10 @@ class ApiGatewayIntegrationUtility:
             raise ValueError("API Gateway config is missing in Lambda function config")
 
         # Validate authorization configuration for security
+        # Check if Cognito is available (either authorizer created OR configured but not created)
         has_cognito_authorizer = (
             self.authorizer is not None
+            or self.cognito_configured
             or self._get_existing_authorizer_id_with_ssm_fallback(
                 api_config, stack_config
             )
@@ -614,6 +617,10 @@ class ApiGatewayIntegrationUtility:
             authorizer_name=authorizer_name,
             identity_source=identity_source,
         )
+        
+        # The authorizer is automatically attached to the API Gateway when used in a method
+        # But we need to ensure it's created in the context of the API's scope
+        # The actual attachment happens when the authorizer is referenced in method creation
 
         return self.authorizer
 

cdk_factory-0.8.1/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.8.1"

cdk_factory-0.8.0/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.8.0"