cdk-factory 0.8.6__py3-none-any.whl → 0.8.8__py3-none-any.whl

cdk_factory/configurations/resources/cognito.py

@@ -243,3 +243,66 @@ class CognitoConfig(EnhancedBaseConfig):
     def ssm(self) -> Dict[str, Any]:
         """Whether to export the user pool name (default: False)"""
         return self.__config.get("ssm", {})
+
+    @property
+    def app_clients(self) -> list | None:
+        """
+        App clients for the user pool.
+        Supports multiple clients with different auth flows and OAuth settings.
+        
+        Structure:
+            [{
+                "name": "web-client",
+                "generate_secret": False,
+                "auth_flows": {
+                    "user_password": True,
+                    "user_srp": True,
+                    "custom": False,
+                    "admin_user_password": False
+                },
+                "oauth": {
+                    "flows": {
+                        "authorization_code_grant": True,
+                        "implicit_code_grant": False,
+                        "client_credentials": False
+                    },
+                    "scopes": ["email", "openid", "profile"],
+                    "callback_urls": ["https://example.com/callback"],
+                    "logout_urls": ["https://example.com/logout"]
+                },
+                "supported_identity_providers": ["COGNITO"],
+                "prevent_user_existence_errors": True,
+                "enable_token_revocation": True,
+                "access_token_validity": {"minutes": 60},
+                "id_token_validity": {"minutes": 60},
+                "refresh_token_validity": {"days": 30},
+                "read_attributes": ["email", "name"],
+                "write_attributes": ["name"]
+            }]
+        
+        Example:
+            [
+                {
+                    "name": "web-app",
+                    "generate_secret": False,
+                    "auth_flows": {
+                        "user_password": True,
+                        "user_srp": True
+                    }
+                },
+                {
+                    "name": "backend-service",
+                    "generate_secret": True,
+                    "oauth": {
+                        "flows": {
+                            "client_credentials": True
+                        },
+                        "scopes": ["api/read", "api/write"]
+                    }
+                }
+            ]
+        
+        Returns:
+            list: List of app client configurations
+        """
+        return self.__config.get("app_clients")

cdk_factory/configurations/resources/ecr.py

@@ -16,7 +16,7 @@ class ECRConfig(EnhancedBaseConfig):
     ) -> None:
         super().__init__(config, resource_type="ecr", resource_name=config.get("name", "ecr") if config else "ecr")
         self.__config = config
-        self.__deployment = config
+        self.__deployment = deployment
         self.__ssm_prefix_template = config.get("ssm_prefix_template", None)
 
     @property
@@ -74,12 +74,13 @@ class ECRConfig(EnhancedBaseConfig):
         Clear out untagged images after x days.  This helps save costs.
         Untagged images will stay forever if you don't clean them out.
         """
+        days = None
         if self.__config and isinstance(self.__config, dict):
             days = self.__config.get("auto_delete_untagged_images_in_days")
             if days:
                 days = int(days)
 
-        return None
+        return days
 
     @property
     def use_existing(self) -> bool:
@@ -118,6 +119,50 @@ class ECRConfig(EnhancedBaseConfig):
         if not value:
             raise RuntimeError("Region is not defined")
         return value
+
+    @property
+    def cross_account_access(self) -> dict:
+        """
+        Cross-account access configuration.
+        
+        Example:
+        {
+            "enabled": true,
+            "accounts": ["123456789012", "987654321098"],
+            "services": [
+                {
+                    "name": "lambda",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+                    "condition": {
+                        "StringLike": {
+                            "aws:sourceArn": "arn:aws:lambda:*:*:function:*"
+                        }
+                    }
+                },
+                {
+                    "name": "ecs-tasks",
+                    "service_principal": "ecs-tasks.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
+                },
+                {
+                    "name": "codebuild",
+                    "service_principal": "codebuild.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
+                }
+            ]
+        }
+        """
+        if self.__config and isinstance(self.__config, dict):
+            return self.__config.get("cross_account_access", {})
+        return {}
+
+    @property
+    def cross_account_enabled(self) -> bool:
+        """Whether cross-account access is explicitly enabled"""
+        access_config = self.cross_account_access
+        if access_config:
+            return str(access_config.get("enabled", "true")).lower() == "true"
+        return True  # Default to enabled for backward compatibility
         
     # SSM properties are now inherited from EnhancedBaseConfig
     # Keeping these for any direct access patterns in existing code

cdk_factory/configurations/resources/ecs_service.py

@@ -0,0 +1,144 @@
+"""
+ECS Service Configuration
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+
+from typing import Dict, Any, List, Optional
+
+
+class EcsServiceConfig:
+    """ECS Service Configuration"""
+
+    def __init__(self, config: Dict[str, Any]) -> None:
+        self._config = config
+
+    @property
+    def name(self) -> str:
+        """Service name"""
+        return self._config.get("name", "")
+
+    @property
+    def cluster_name(self) -> Optional[str]:
+        """ECS Cluster name"""
+        return self._config.get("cluster_name")
+
+    @property
+    def task_definition(self) -> Dict[str, Any]:
+        """Task definition configuration"""
+        return self._config.get("task_definition", {})
+
+    @property
+    def container_definitions(self) -> List[Dict[str, Any]]:
+        """Container definitions"""
+        return self.task_definition.get("containers", [])
+
+    @property
+    def cpu(self) -> str:
+        """Task CPU units"""
+        return self.task_definition.get("cpu", "256")
+
+    @property
+    def memory(self) -> str:
+        """Task memory (MB)"""
+        return self.task_definition.get("memory", "512")
+
+    @property
+    def launch_type(self) -> str:
+        """Launch type: FARGATE or EC2"""
+        return self._config.get("launch_type", "FARGATE")
+
+    @property
+    def desired_count(self) -> int:
+        """Desired number of tasks"""
+        return self._config.get("desired_count", 2)
+
+    @property
+    def min_capacity(self) -> int:
+        """Minimum number of tasks"""
+        return self._config.get("min_capacity", 1)
+
+    @property
+    def max_capacity(self) -> int:
+        """Maximum number of tasks"""
+        return self._config.get("max_capacity", 4)
+
+    @property
+    def vpc_id(self) -> Optional[str]:
+        """VPC ID"""
+        return self._config.get("vpc_id")
+
+    @property
+    def subnet_group_name(self) -> Optional[str]:
+        """Subnet group name for service placement"""
+        return self._config.get("subnet_group_name")
+
+    @property
+    def security_group_ids(self) -> List[str]:
+        """Security group IDs"""
+        return self._config.get("security_group_ids", [])
+
+    @property
+    def assign_public_ip(self) -> bool:
+        """Whether to assign public IP addresses"""
+        return self._config.get("assign_public_ip", False)
+
+    @property
+    def target_group_arns(self) -> List[str]:
+        """Target group ARNs for load balancing"""
+        return self._config.get("target_group_arns", [])
+
+    @property
+    def container_port(self) -> int:
+        """Container port for load balancer"""
+        return self._config.get("container_port", 80)
+
+    @property
+    def health_check_grace_period(self) -> int:
+        """Health check grace period in seconds"""
+        return self._config.get("health_check_grace_period", 60)
+
+    @property
+    def enable_execute_command(self) -> bool:
+        """Enable ECS Exec for debugging"""
+        return self._config.get("enable_execute_command", False)
+
+    @property
+    def enable_auto_scaling(self) -> bool:
+        """Enable auto-scaling"""
+        return self._config.get("enable_auto_scaling", True)
+
+    @property
+    def auto_scaling_target_cpu(self) -> int:
+        """Target CPU utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_cpu", 70)
+
+    @property
+    def auto_scaling_target_memory(self) -> int:
+        """Target memory utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_memory", 80)
+
+    @property
+    def tags(self) -> Dict[str, str]:
+        """Resource tags"""
+        return self._config.get("tags", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports"""
+        return self._config.get("ssm_exports", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports"""
+        return self._config.get("ssm_imports", {})
+
+    @property
+    def deployment_type(self) -> str:
+        """Deployment type: production, maintenance, or blue-green"""
+        return self._config.get("deployment_type", "production")
+
+    @property
+    def is_maintenance_mode(self) -> bool:
+        """Whether this is a maintenance mode deployment"""
+        return self.deployment_type == "maintenance"

cdk_factory/constructs/ecr/ecr_construct.py

@@ -33,6 +33,7 @@ class ECRConstruct(Construct, SsmParameterMixin):
 
         self.scope = scope
         self.deployment = deployment
+        self.repo = repo
         self.ecr_name = repo.name
         self.image_scan_on_push = repo.image_scan_on_push
         self.empty_on_delete = repo.empty_on_delete
@@ -98,28 +99,17 @@ class ECRConstruct(Construct, SsmParameterMixin):
         )
         
         # Add dependencies to ensure SSM parameters are created after the ECR repository
-        for param in params.values():
-            if param and param.node.default_child and isinstance(param.node.default_child, CfnResource):
-                param.node.default_child.add_dependency(
-                    cast(CfnResource, self.ecr.node.default_child)
-                )
+        if params:
+            for param in params.values():
+                if param and hasattr(param, 'node') and param.node.default_child and isinstance(param.node.default_child, CfnResource):
+                    param.node.default_child.add_dependency(
+                        cast(CfnResource, self.ecr.node.default_child)
+                    )
 
     def __set_life_cycle_rules(self) -> None:
-        # ToDo/FixMe: tag_pattern_list is not recognized in the current version in AWS
-
-        try:
-            # always keep images tagged as prod
-            self.ecr.add_lifecycle_rule(
-                tag_pattern_list=["prod*"], max_image_count=9999
-            )
-        except Exception as e:  # pylint: disable=w0718
-            if "unexpected keyword argument" in str(e):
-                logger.warning(
-                    "tag_pattern_list is not available in this version of the aws cdk"
-                )
-            else:
-                raise
-
+        # Note: tag_pattern_list is deprecated and causes circular dependencies in CDK synthesis
+        # Only add lifecycle rule for untagged images if configured
+        
         if not self.auto_delete_untagged_images_in_days:
             return None
 
@@ -143,49 +133,131 @@ class ECRConstruct(Construct, SsmParameterMixin):
         )
 
     def __setup_cross_account_access_permissions(self):
-        # Cross-account access policy
+        """
+        Setup cross-account access permissions with flexible configuration support.
+        
+        Supports both legacy (default Lambda access) and new configurable approach.
+        """
+        # Check if cross-account access is disabled
+        if not self.repo.cross_account_enabled:
+            logger.info(f"Cross-account access disabled for {self.ecr_name}")
+            return
 
-        if self.deployment.account == self.deployment.workload.get("devops", {}).get(
-            "account"
-        ):
-            # we're in the same account as the "devops" so we don't need cross account
-            # permisions
+        # Check if we're in the same account as devops
+        if self.deployment.account == self.deployment.workload.get("devops", {}).get("account"):
+            logger.info(f"Same account as devops, skipping cross-account permissions for {self.ecr_name}")
             return
 
-        ecr = self.ecr or self.__get_ecr()
-        cross_account_policy_statement = iam.PolicyStatement(
+        access_config = self.repo.cross_account_access
+        
+        if access_config and access_config.get("services"):
+            # New configurable approach
+            logger.info(f"Setting up configurable cross-account access for {self.ecr_name}")
+            self.__setup_configurable_access(access_config)
+        else:
+            # Legacy approach - default Lambda access for backward compatibility
+            logger.info(f"Setting up legacy cross-account access (Lambda only) for {self.ecr_name}")
+            self.__setup_legacy_lambda_access()
+
+    def __setup_configurable_access(self, access_config: dict):
+        """Setup cross-account access using configuration"""
+        
+        # Get list of accounts (default to deployment account)
+        accounts = access_config.get("accounts", [self.deployment.account])
+        
+        # Add account principal policies if accounts are specified
+        if accounts:
+            self.__add_account_principal_policy(accounts)
+        
+        # Add service-specific policies
+        services = access_config.get("services", [])
+        for service_config in services:
+            self.__add_service_principal_policy(service_config)
+
+    def __add_account_principal_policy(self, accounts: list):
+        """Add policy for AWS account principals"""
+        principals = [iam.AccountPrincipal(account) for account in accounts]
+        
+        policy_statement = iam.PolicyStatement(
             actions=[
                 "ecr:GetDownloadUrlForLayer",
                 "ecr:BatchGetImage",
                 "ecr:BatchCheckLayerAvailability",
             ],
-            principals=[
-                iam.AccountPrincipal(self.deployment.account)
-            ],  # Replace with the account ID of the Lambda function
-            resources=[ecr.repository_arn],
+            principals=principals,
             effect=iam.Effect.ALLOW,
         )
 
-        # Attach the policy to the ECR repository
-        response = ecr.add_to_resource_policy(cross_account_policy_statement)
-
-        # fails, we're not adding it this way
-        assert response.statement_added
-
-        response = self.ecr.add_to_resource_policy(
-            iam.PolicyStatement(
-                effect=iam.Effect.ALLOW,
-                actions=["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
-                principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
-                conditions={
-                    "StringLike": {
-                        "aws:sourceArn": [
-                            f"arn:aws:lambda:{self.deployment.region}:{self.deployment.account}:function:*"
-                        ]
-                    }
-                },
-                resources=[ecr.repository_arn],
-            )
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add account principal policy for {', '.join(accounts)}")
+        else:
+            logger.info(f"Added account principal policy for accounts: {', '.join(accounts)}")
+
+    def __add_service_principal_policy(self, service_config: dict):
+        """Add policy for service principal (Lambda, ECS, CodeBuild, etc.)"""
+        service_name = service_config.get("name", "unknown")
+        service_principal = service_config.get("service_principal")
+        actions = service_config.get("actions", ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"])
+        conditions = service_config.get("condition")
+
+        if not service_principal:
+            # Infer service principal from common service names
+            service_principal_map = {
+                "lambda": "lambda.amazonaws.com",
+                "ecs": "ecs-tasks.amazonaws.com",
+                "ecs-tasks": "ecs-tasks.amazonaws.com",
+                "codebuild": "codebuild.amazonaws.com",
+                "codepipeline": "codepipeline.amazonaws.com",
+                "ec2": "ec2.amazonaws.com",
+            }
+            service_principal = service_principal_map.get(service_name.lower())
+            
+        if not service_principal:
+            logger.warning(f"Unknown service principal for service: {service_name}")
+            return
+
+        policy_statement = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=actions,
+            principals=[iam.ServicePrincipal(service_principal)],
+        )
+        
+        # Add conditions if specified
+        if conditions:
+            for condition_key, condition_value in conditions.items():
+                policy_statement.add_condition(condition_key, condition_value)
+
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add service principal policy for {service_name}")
+        else:
+            logger.info(f"Added service principal policy for {service_name} ({service_principal})")
+
+    def __setup_legacy_lambda_access(self):
+        """Legacy method: Setup default Lambda-only cross-account access"""
+        
+        # Add account principal policy
+        self.__add_account_principal_policy([self.deployment.account])
+        
+        # Add Lambda service principal policy with default condition
+        lambda_policy = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+            principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
+        )
+        
+        lambda_policy.add_condition(
+            "StringLike",
+            {
+                "aws:sourceArn": [
+                    f"arn:aws:lambda:{self.deployment.region}:{self.deployment.account}:function:*"
+                ]
+            }
         )
 
-        assert response.statement_added
+        response = self.ecr.add_to_resource_policy(lambda_policy)
+        if not response.statement_added:
+            logger.warning("Failed to add Lambda service principal policy")
+        else:
+            logger.info("Added legacy Lambda service principal policy")

cdk_factory/pipeline/pipeline_factory.py

@@ -246,7 +246,13 @@ class PipelineFactoryStack(cdk.Stack):
 
     def _get_steps(self, key: str, stage_config: PipelineStageConfig):
         """
-        Gets the build steps from the config.json
+        Gets the build steps from the config.json.
+        
+        Commands can be:
+        - A list of strings (each string is a separate command)
+        - A single multi-line string (treated as a single script block)
+        
+        This allows support for complex shell constructs like if blocks, loops, etc.
         """
         shell_steps: List[pipelines.ShellStep] = []
 
@@ -257,6 +263,12 @@ class PipelineFactoryStack(cdk.Stack):
                 for step in steps:
                     step_id = step.get("id") or step.get("name")
                     commands = step.get("commands", [])
+                    
+                    # Normalize commands to a list
+                    # If commands is a single string, wrap it in a list
+                    if isinstance(commands, str):
+                        commands = [commands]
+                    
                     shell_step = pipelines.ShellStep(
                         id=step_id,
                         commands=commands,