cdk-factory 0.8.0__tar.gz → 0.8.2__tar.gz

cdk_factory-0.8.2/CHANGELOG_v0.8.1.md

@@ -0,0 +1,148 @@
+# CDK Factory v0.8.1 Release Notes
+
+Released: 2025-10-09
+
+## Bug Fixes
+
+### 1. Fixed SSM Export Configuration Bug
+**Issue**: Documentation showed incorrect pattern `"exports": {"enabled": true}` which caused `AttributeError: 'bool' object has no attribute 'startswith'`
+
+**Fix**: 
+- Added type validation in `enhanced_ssm_config.py` to handle non-string values
+- Updated documentation to show correct pattern: `"auto_export": true`
+- Created comprehensive documentation in `docs/SSM_EXPORT_FIX.md`
+
+**Impact**: Prevents crashes when using incorrect SSM export configuration
+
+### 2. Fixed Cognito User Pool SSM Import for API Gateway
+**Issue**: API Gateway couldn't find Cognito User Pool ARN, causing `ValueError: User pool ID is required for API Gateway authorizer`
+
+**Fix**:
+- Enhanced SSM-based import pattern for `user_pool_arn`
+- Created comprehensive guide in `docs/API_GATEWAY_COGNITO_SSM.md`
+- Added auto-discovery support via `"user_pool_arn": "auto"`
+
+**Impact**: Enables seamless cross-stack Cognito + API Gateway integration
+
+### 3. Fixed Authorizer Creation When Not Needed
+**Issue**: API Gateway authorizer was created even when all routes were public (`authorization_type: "NONE"`), causing CDK validation error: `ValidationError: Authorizer must be attached to a RestApi`
+
+**Fix**:
+- Modified `_setup_cognito_authorizer()` to only create authorizer when at least one route requires it
+- Added `cognito_configured` flag to maintain security validation context
+- Security warnings still emitted for public endpoints when Cognito is available
+
+**Impact**: 
+- Prevents CDK synthesis errors for public-only APIs
+- Maintains security validation without creating unused resources
+- Reduces AWS resource overhead
+
+### 4. Removed Deprecated SSM Parameter Types
+**Issue**: Using deprecated `ssm.ParameterType.STRING`, `ssm.ParameterType.STRING_LIST`, and `type` parameter caused AWS CDK deprecation warnings
+
+**Fix**:
+- Replaced deprecated `ParameterType` enum with appropriate CDK constructs:
+  - `StringParameter` for regular strings (no `type` parameter needed)
+  - `StringListParameter` for string lists
+  - `CfnParameter` with `type="SecureString"` for secure strings
+- Updated `enhanced_ssm_parameter_mixin.py` to use CDK v2 best practices
+
+**Impact**: 
+- Eliminates deprecation warnings
+- Future-proofs code for CDK v3
+- Follows AWS CDK v2 best practices
+
+## Test Coverage
+
+- **153 tests passing** ✅
+- New test coverage:
+  - `test_api_gateway_export_config.py` (6 tests)
+  - `test_api_gateway_authorizer_ssm_integration.py` (5 tests)
+  - `test_cross_stack_ssm_integration.py` (3 tests)
+  - `test_api_gateway_enhanced_authorization_validation.py` (6 tests)
+
+## Documentation Added
+
+1. **docs/SSM_EXPORT_FIX.md** - SSM export configuration bug fix guide
+2. **docs/API_GATEWAY_COGNITO_SSM.md** - Comprehensive Cognito + API Gateway SSM integration guide
+3. **GEEK_CAFE_FIX.md** - Quick fix guide for geek-cafe project (example usage)
+
+## Breaking Changes
+
+None - all changes are backward compatible
+
+## Migration Guide
+
+### If you're using the old export pattern:
+
+**Before (v0.8.0 - incorrect docs):**
+```json
+{
+  "ssm": {
+    "enabled": true,
+    "exports": {
+      "enabled": true  // ❌ Wrong
+    }
+  }
+}
+```
+
+**After (v0.8.1):**
+```json
+{
+  "ssm": {
+    "enabled": true,
+    "auto_export": true  // ✅ Correct
+  }
+}
+```
+
+### If you're getting Cognito User Pool errors:
+
+Add to your API Gateway stack config:
+```json
+{
+  "api_gateway": {
+    "ssm": {
+      "imports": {
+        "user_pool_arn": "auto"  // ✅ Add this
+      }
+    }
+  }
+}
+```
+
+### If you have public-only API routes:
+
+Your config should work without changes. The authorizer will only be created if needed:
+```json
+{
+  "cognito_authorizer": {
+    "authorizer_name": "my-authorizer"  // Config present but not used
+  },
+  "routes": [
+    {
+      "path": "/public",
+      "method": "GET",
+      "authorization_type": "NONE",  // ✅ Authorizer won't be created
+      "allow_public_override": true
+    }
+  ]
+}
+```
+
+## Deployment Flow (v0.8.1+)
+
+```
+1. Cognito Stack       → Exports user_pool_arn to SSM
+2. Lambda Stack        → Exports Lambda ARNs to SSM
+3. API Gateway Stack   → Imports both, creates authorizer only if needed
+```
+
+## Known Issues
+
+None
+
+## Contributors
+
+- Eric Wilson (@geekcafe)

cdk_factory-0.8.2/GEEK_CAFE_FIX.md

@@ -0,0 +1,241 @@
+# Fix for geek-cafe Cognito Error
+
+## The Problem
+
+```
+ValueError: User pool ID is required for API Gateway authorizer.
+```
+
+Your API Gateway stack can't find the Cognito User Pool because the new separated pattern requires **SSM imports** instead of environment variables.
+
+## Quick Fix
+
+In your `/Users/eric.wilson/Projects/geek-cafe/geek-cafe-web/geek-cafe-lambdas/cdk` config:
+
+### Option 1: Add SSM Import (Recommended)
+
+**api-gateway-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-api-gateway",
+  "module": "api_gateway_stack",
+  "api_gateway": {
+    "name": "geek-cafe-prod-api",
+    "api_type": "REST",
+    "stage_name": "prod",
+    "ssm": {
+      "enabled": true,
+      "auto_export": true,
+      "workload": "geek-cafe",
+      "environment": "prod",
+      "imports": {
+        "workload": "geek-cafe",
+        "environment": "prod",
+        "user_pool_arn": "auto"  // ✅ ADD THIS - imports from Cognito stack
+      }
+    },
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-cognito-authorizer"
+    },
+    "routes": [...]
+  }
+}
+```
+
+This assumes your Cognito stack is configured to export:
+```json
+{
+  "name": "geek-cafe-prod-cognito",
+  "module": "cognito_stack",
+  "ssm": {
+    "enabled": true,
+    "auto_export": true,  // ✅ Must be enabled
+    "workload": "geek-cafe",
+    "environment": "prod"
+  }
+}
+```
+
+### Option 2: Use Explicit SSM Path
+
+If auto-discovery doesn't work, find the exact SSM parameter:
+
+```bash
+# Find the parameter
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/cognito" --recursive
+```
+
+Then use the explicit path:
+```json
+{
+  "api_gateway": {
+    "ssm": {
+      "imports": {
+        "user_pool_arn": "/geek-cafe/prod/cognito/user-pool/user-pool-arn"
+      }
+    }
+  }
+}
+```
+
+### Option 3: Direct ARN (Quick Temporary Fix)
+
+If you just need to deploy NOW and fix properly later:
+
+```json
+{
+  "api_gateway": {
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-authorizer",
+      "user_pool_arn": "arn:aws:cognito-idp:us-east-1:ACCOUNT_ID:userpool/us-east-1_XXXXX"
+    }
+  }
+}
+```
+
+Get the ARN from AWS Console → Cognito → User Pools → geek-cafe-prod → ARN
+
+## Deployment Order
+
+With the new pattern, deploy in this order:
+
+```bash
+# 1. Deploy Cognito (if separate stack)
+cdk deploy geek-cafe-prod-cognito
+
+# 2. Deploy Lambdas
+cdk deploy geek-cafe-prod-lambdas
+
+# 3. Deploy API Gateway (imports from both above)
+cdk deploy geek-cafe-prod-api-gateway
+```
+
+Or set up a pipeline with stages:
+```json
+{
+  "pipeline": {
+    "stages": [
+      {"name": "infrastructure", "stacks": ["cognito-stack"]},
+      {"name": "lambdas", "stacks": ["lambda-stack"]},
+      {"name": "api-gateway", "stacks": ["api-gateway-stack"]}
+    ]
+  }
+}
+```
+
+## Verify SSM Parameters Exist
+
+```bash
+# Check what Cognito exported
+aws ssm get-parameter --name "/geek-cafe/prod/cognito/user-pool/user-pool-arn"
+
+# Check what Lambda exported
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/lambda" --recursive
+
+# Check what API Gateway exported
+aws ssm get-parameters-by-path --path "/geek-cafe/prod/api-gateway" --recursive
+```
+
+## Complete Example Config
+
+**cognito-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-cognito",
+  "module": "cognito_stack",
+  "ssm": {
+    "enabled": true,
+    "auto_export": true,
+    "workload": "geek-cafe",
+    "environment": "prod"
+  },
+  "cognito": {
+    "user_pool_name": "geek-cafe-prod",
+    "exists": false
+  }
+}
+```
+
+**lambda-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-lambdas",
+  "module": "lambda_stack",
+  "ssm": {
+    "enabled": true,
+    "workload": "geek-cafe",
+    "environment": "prod"
+  },
+  "resources": [
+    {
+      "name": "geek-cafe-prod-get-cafes",
+      "src": "./src/handlers/cafes",
+      "handler": "get_cafes.lambda_handler"
+    }
+  ]
+}
+```
+
+**api-gateway-stack.json:**
+```json
+{
+  "name": "geek-cafe-prod-api-gateway",
+  "module": "api_gateway_stack",
+  "api_gateway": {
+    "name": "geek-cafe-prod-api",
+    "api_type": "REST",
+    "stage_name": "prod",
+    "ssm": {
+      "enabled": true,
+      "auto_export": true,
+      "workload": "geek-cafe",
+      "environment": "prod",
+      "imports": {
+        "workload": "geek-cafe",
+        "environment": "prod",
+        "user_pool_arn": "auto"  // ✅ This is the key fix
+      }
+    },
+    "cognito_authorizer": {
+      "authorizer_name": "geek-cafe-cognito-authorizer"
+    },
+    "routes": [
+      {
+        "path": "/cafes",
+        "method": "GET",
+        "lambda_name": "geek-cafe-prod-get-cafes",
+        "authorization_type": "COGNITO_USER_POOLS"
+      }
+    ]
+  }
+}
+```
+
+## Summary of Changes
+
+| Old Pattern (Combined) | New Pattern (Separated) |
+|------------------------|-------------------------|
+| `COGNITO_USER_POOL_ID` env var | SSM import with `user_pool_arn: "auto"` |
+| Single stack with Lambda + API | Three stacks: Cognito → Lambda → API Gateway |
+| Environment vars in CI/CD | Config-driven SSM parameters |
+| `"exports": {"enabled": true}` ❌ | `"auto_export": true` ✅ |
+
+## If Still Having Issues
+
+1. **Check CDK Factory version:**
+   ```bash
+   pip show cdk-factory
+   # Should be v0.8.0 or higher
+   ```
+
+2. **Enable debug logging:**
+   ```bash
+   export LOG_LEVEL=DEBUG
+   cdk deploy
+   ```
+
+3. **Verify workload/environment match** in all three stacks
+
+4. **Check SSM permissions** in your deployment role
+
+5. **Use explicit path** as fallback if auto-discovery fails

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.8.0
+Version: 0.8.2
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/examples/separate-api-gateway/api-gateway-stack.json

@@ -9,11 +9,9 @@
     "stage_name": "prod",
     "ssm": {
       "enabled": true,
+      "auto_export": true,
       "workload": "{{WORKLOAD_NAME}}",
       "environment": "{{ENVIRONMENT}}",
-      "exports": {
-        "enabled": true
-      },
       "imports": {
         "workload": "{{WORKLOAD_NAME}}",
         "environment": "{{ENVIRONMENT}}"

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.8.0"
+version = "0.8.2"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/src/cdk_factory/configurations/enhanced_ssm_config.py

@@ -86,7 +86,9 @@ class EnhancedSsmConfig:
         self, attribute: str, custom_path: Optional[str] = None
     ) -> str:
         """Generate SSM parameter path using pattern or custom path"""
-        if custom_path and custom_path.startswith("/"):
+        # Handle custom_path - must be a string starting with "/"
+        # Protect against incorrect config like: "exports": {"enabled": true}
+        if custom_path and isinstance(custom_path, str) and custom_path.startswith("/"):
             return custom_path
 
         # Convert underscore attribute names to hyphen format for consistent SSM paths

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/src/cdk_factory/interfaces/enhanced_ssm_parameter_mixin.py

@@ -142,28 +142,39 @@ class EnhancedSsmParameterMixin:
         Returns:
             Created SSM parameter
         """
-        # Handle different value types
-        if isinstance(value, list):
-            string_value = ",".join(str(v) for v in value)
-            cdk_param_type = ssm.ParameterType.STRING_LIST
-        elif param_type == "SecureString":
-            string_value = str(value)
-            cdk_param_type = ssm.ParameterType.SECURE_STRING
-        else:
-            string_value = str(value)
-            cdk_param_type = ssm.ParameterType.STRING
-            
         # Generate a unique construct ID from the path
         construct_id = f"ssm-param-{path.replace('/', '-').replace('_', '-')}"
         
-        return ssm.StringParameter(
-            self.scope,
-            construct_id,
-            parameter_name=path,
-            string_value=string_value,
-            description=description,
-            type=cdk_param_type
-        )
+        # Handle different value types - use appropriate CDK constructs
+        if isinstance(value, list):
+            # For list values, use StringListParameter
+            return ssm.StringListParameter(
+                self.scope,
+                construct_id,
+                parameter_name=path,
+                string_list_value=value,
+                description=description
+            )
+        elif param_type == "SecureString":
+            # For secure strings, use L1 CfnParameter with Type=SecureString
+            return ssm.CfnParameter(
+                self.scope,
+                construct_id,
+                name=path,
+                value=str(value),
+                type="SecureString",
+                description=description
+            )
+        else:
+            # For regular strings, use StringParameter (no type parameter needed in CDK v2)
+            return ssm.StringParameter(
+                self.scope,
+                construct_id,
+                parameter_name=path,
+                string_value=str(value),
+                description=description
+                # Note: 'type' parameter removed - deprecated in CDK v2
+            )
     
     def _import_enhanced_ssm_parameter(self, path: str, attribute: str) -> Optional[str]:
         """

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/src/cdk_factory/stack_library/api_gateway/api_gateway_stack.py

@@ -304,9 +304,28 @@ class ApiGatewayStack(IStack, EnhancedSsmParameterMixin):
         )
 
     def _setup_cognito_authorizer(self, api_gateway, api_id):
-        """Setup Cognito authorizer if configured"""
+        """Setup Cognito authorizer if configured AND if any routes need it"""
         if not self.api_config.cognito_authorizer:
             return None
+        
+        # Check if any routes actually need the authorizer
+        # Don't create it if all routes are public (authorization_type: NONE)
+        routes = self.api_config.routes or []
+        needs_authorizer = any(
+            route.get("authorization_type") != "NONE" 
+            for route in routes
+        )
+        
+        # If we're not creating an authorizer but Cognito is configured,
+        # inform the integration utility so it can still perform security validations
+        if not needs_authorizer:
+            logger.info(
+                "Cognito authorizer configured but no routes require authorization. "
+                "Skipping authorizer creation but maintaining security validation context."
+            )
+            # Set a flag so the integration utility knows Cognito was available
+            self.integration_utility.cognito_configured = True
+            return None
 
         route_config = ApiGatewayConfigRouteConfig({})
         return self.integration_utility.get_or_create_authorizer(

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/src/cdk_factory/utilities/api_gateway_integration_utility.py

@@ -40,6 +40,7 @@ class ApiGatewayIntegrationUtility:
         self.account = scope.account
         self.api_gateway = None
         self.authorizer = None
+        self.cognito_configured = False  # Flag for when Cognito is configured but authorizer not created
         self._log_group = None
         self._log_role = None
 
@@ -55,8 +56,10 @@ class ApiGatewayIntegrationUtility:
             raise ValueError("API Gateway config is missing in Lambda function config")
 
         # Validate authorization configuration for security
+        # Check if Cognito is available (either authorizer created OR configured but not created)
         has_cognito_authorizer = (
             self.authorizer is not None
+            or self.cognito_configured
             or self._get_existing_authorizer_id_with_ssm_fallback(
                 api_config, stack_config
             )
@@ -614,6 +617,10 @@ class ApiGatewayIntegrationUtility:
             authorizer_name=authorizer_name,
             identity_source=identity_source,
         )
+        
+        # The authorizer is automatically attached to the API Gateway when used in a method
+        # But we need to ensure it's created in the context of the API's scope
+        # The actual attachment happens when the authorizer is referenced in method creation
 
         return self.authorizer
 

{cdk_factory-0.8.0 → cdk_factory-0.8.2}/src/cdk_factory/utilities/json_loading_utility.py

@@ -61,35 +61,63 @@ class JsonLoadingUtility:
         """Resolve references in a configuration section."""
         if isinstance(section, dict):
             if self.nested_key in section:
-                nested_path = str(section.pop(self.nested_key))
-                # print(f"Resolving parent path: {nested_path}")
-                if nested_path.endswith(".json"):
-                    nested_root_path = os.path.join(self.base_path, nested_path)
-                    nested_section = self.__load_json_file(nested_root_path)
-                elif os.path.isdir(os.path.join(self.base_path, nested_path)):
-                    nested_section = []
-                    dir_path = os.path.join(self.base_path, nested_path)
-                    for filename in os.listdir(dir_path):
-                        if filename.endswith(".json"):
-                            file_path = os.path.join(dir_path, filename)
-                            # print(f"Loading file: {file_path}")
-                            file_section = self.__load_json_file(file_path)
-                            nested_section.append(file_section)
-
-                    # print("done with nested sections")
-                else:
-                    nested_section = self.get_nested_config(root_config, nested_path)
-
-                nested_section_resolved = self.resolve_references(
-                    nested_section, root_config
-                )
-                if len(section) > 0 and isinstance(nested_section_resolved, dict):
-                    nested_section_resolved.update(section)
-                elif len(section) > 0 and isinstance(nested_section_resolved, list):
+                nested_paths = section.pop(self.nested_key)
+                
+                # Support both single path (string) and multiple paths (list)
+                if isinstance(nested_paths, str):
+                    nested_paths = [nested_paths]
+                elif not isinstance(nested_paths, list):
+                    raise ValueError(f"__inherits__ must be a string or list, got {type(nested_paths)}")
+                
+                # Process each path and merge results
+                merged_section = None
+                
+                for nested_path in nested_paths:
+                    nested_path = str(nested_path)
+                    # print(f"Resolving parent path: {nested_path}")
+                    
+                    if nested_path.endswith(".json"):
+                        nested_root_path = os.path.join(self.base_path, nested_path)
+                        nested_section = self.__load_json_file(nested_root_path)
+                    elif os.path.isdir(os.path.join(self.base_path, nested_path)):
+                        nested_section = []
+                        dir_path = os.path.join(self.base_path, nested_path)
+                        for filename in os.listdir(dir_path):
+                            if filename.endswith(".json"):
+                                file_path = os.path.join(dir_path, filename)
+                                # print(f"Loading file: {file_path}")
+                                file_section = self.__load_json_file(file_path)
+                                nested_section.append(file_section)
+                        # print("done with nested sections")
+                    else:
+                        nested_section = self.get_nested_config(root_config, nested_path)
+
+                    nested_section_resolved = self.resolve_references(
+                        nested_section, root_config
+                    )
+                    
+                    # Merge resolved sections
+                    if merged_section is None:
+                        merged_section = nested_section_resolved
+                    else:
+                        # Merge logic based on type
+                        if isinstance(merged_section, dict) and isinstance(nested_section_resolved, dict):
+                            self.merge_sections(merged_section, nested_section_resolved)
+                        elif isinstance(merged_section, list) and isinstance(nested_section_resolved, list):
+                            merged_section.extend(nested_section_resolved)
+                        else:
+                            raise RuntimeError(
+                                f"Cannot merge incompatible types: {type(merged_section)} and {type(nested_section_resolved)}"
+                            )
+                
+                # Apply any additional properties from the section
+                if len(section) > 0 and isinstance(merged_section, dict):
+                    merged_section.update(section)
+                elif len(section) > 0 and isinstance(merged_section, list):
                     raise RuntimeError("we need to resolve this section")
-                    # nested_section_resolved.append(section)
+                    # merged_section.append(section)
 
-                section = nested_section_resolved
+                section = merged_section
 
             if isinstance(section, dict):
                 for key, value in section.items():

cdk_factory-0.8.2/src/cdk_factory/version.py

@@ -0,0 +1 @@
+__version__ = "0.8.2"

cdk_factory-0.8.0/src/cdk_factory/version.py

@@ -1 +0,0 @@
-__version__ = "0.8.0"