cdk-factory 0.8.7__py3-none-any.whl → 0.8.8__py3-none-any.whl

cdk_factory/configurations/resources/ecr.py

@@ -16,7 +16,7 @@ class ECRConfig(EnhancedBaseConfig):
     ) -> None:
         super().__init__(config, resource_type="ecr", resource_name=config.get("name", "ecr") if config else "ecr")
         self.__config = config
-        self.__deployment = config
+        self.__deployment = deployment
         self.__ssm_prefix_template = config.get("ssm_prefix_template", None)
 
     @property
@@ -74,12 +74,13 @@ class ECRConfig(EnhancedBaseConfig):
         Clear out untagged images after x days.  This helps save costs.
         Untagged images will stay forever if you don't clean them out.
         """
+        days = None
         if self.__config and isinstance(self.__config, dict):
             days = self.__config.get("auto_delete_untagged_images_in_days")
             if days:
                 days = int(days)
 
-        return None
+        return days
 
     @property
     def use_existing(self) -> bool:
@@ -118,6 +119,50 @@ class ECRConfig(EnhancedBaseConfig):
         if not value:
             raise RuntimeError("Region is not defined")
         return value
+
+    @property
+    def cross_account_access(self) -> dict:
+        """
+        Cross-account access configuration.
+        
+        Example:
+        {
+            "enabled": true,
+            "accounts": ["123456789012", "987654321098"],
+            "services": [
+                {
+                    "name": "lambda",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+                    "condition": {
+                        "StringLike": {
+                            "aws:sourceArn": "arn:aws:lambda:*:*:function:*"
+                        }
+                    }
+                },
+                {
+                    "name": "ecs-tasks",
+                    "service_principal": "ecs-tasks.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
+                },
+                {
+                    "name": "codebuild",
+                    "service_principal": "codebuild.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
+                }
+            ]
+        }
+        """
+        if self.__config and isinstance(self.__config, dict):
+            return self.__config.get("cross_account_access", {})
+        return {}
+
+    @property
+    def cross_account_enabled(self) -> bool:
+        """Whether cross-account access is explicitly enabled"""
+        access_config = self.cross_account_access
+        if access_config:
+            return str(access_config.get("enabled", "true")).lower() == "true"
+        return True  # Default to enabled for backward compatibility
         
     # SSM properties are now inherited from EnhancedBaseConfig
     # Keeping these for any direct access patterns in existing code

cdk_factory/configurations/resources/ecs_service.py

@@ -0,0 +1,144 @@
+"""
+ECS Service Configuration
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+
+from typing import Dict, Any, List, Optional
+
+
+class EcsServiceConfig:
+    """ECS Service Configuration"""
+
+    def __init__(self, config: Dict[str, Any]) -> None:
+        self._config = config
+
+    @property
+    def name(self) -> str:
+        """Service name"""
+        return self._config.get("name", "")
+
+    @property
+    def cluster_name(self) -> Optional[str]:
+        """ECS Cluster name"""
+        return self._config.get("cluster_name")
+
+    @property
+    def task_definition(self) -> Dict[str, Any]:
+        """Task definition configuration"""
+        return self._config.get("task_definition", {})
+
+    @property
+    def container_definitions(self) -> List[Dict[str, Any]]:
+        """Container definitions"""
+        return self.task_definition.get("containers", [])
+
+    @property
+    def cpu(self) -> str:
+        """Task CPU units"""
+        return self.task_definition.get("cpu", "256")
+
+    @property
+    def memory(self) -> str:
+        """Task memory (MB)"""
+        return self.task_definition.get("memory", "512")
+
+    @property
+    def launch_type(self) -> str:
+        """Launch type: FARGATE or EC2"""
+        return self._config.get("launch_type", "FARGATE")
+
+    @property
+    def desired_count(self) -> int:
+        """Desired number of tasks"""
+        return self._config.get("desired_count", 2)
+
+    @property
+    def min_capacity(self) -> int:
+        """Minimum number of tasks"""
+        return self._config.get("min_capacity", 1)
+
+    @property
+    def max_capacity(self) -> int:
+        """Maximum number of tasks"""
+        return self._config.get("max_capacity", 4)
+
+    @property
+    def vpc_id(self) -> Optional[str]:
+        """VPC ID"""
+        return self._config.get("vpc_id")
+
+    @property
+    def subnet_group_name(self) -> Optional[str]:
+        """Subnet group name for service placement"""
+        return self._config.get("subnet_group_name")
+
+    @property
+    def security_group_ids(self) -> List[str]:
+        """Security group IDs"""
+        return self._config.get("security_group_ids", [])
+
+    @property
+    def assign_public_ip(self) -> bool:
+        """Whether to assign public IP addresses"""
+        return self._config.get("assign_public_ip", False)
+
+    @property
+    def target_group_arns(self) -> List[str]:
+        """Target group ARNs for load balancing"""
+        return self._config.get("target_group_arns", [])
+
+    @property
+    def container_port(self) -> int:
+        """Container port for load balancer"""
+        return self._config.get("container_port", 80)
+
+    @property
+    def health_check_grace_period(self) -> int:
+        """Health check grace period in seconds"""
+        return self._config.get("health_check_grace_period", 60)
+
+    @property
+    def enable_execute_command(self) -> bool:
+        """Enable ECS Exec for debugging"""
+        return self._config.get("enable_execute_command", False)
+
+    @property
+    def enable_auto_scaling(self) -> bool:
+        """Enable auto-scaling"""
+        return self._config.get("enable_auto_scaling", True)
+
+    @property
+    def auto_scaling_target_cpu(self) -> int:
+        """Target CPU utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_cpu", 70)
+
+    @property
+    def auto_scaling_target_memory(self) -> int:
+        """Target memory utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_memory", 80)
+
+    @property
+    def tags(self) -> Dict[str, str]:
+        """Resource tags"""
+        return self._config.get("tags", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports"""
+        return self._config.get("ssm_exports", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports"""
+        return self._config.get("ssm_imports", {})
+
+    @property
+    def deployment_type(self) -> str:
+        """Deployment type: production, maintenance, or blue-green"""
+        return self._config.get("deployment_type", "production")
+
+    @property
+    def is_maintenance_mode(self) -> bool:
+        """Whether this is a maintenance mode deployment"""
+        return self.deployment_type == "maintenance"

cdk_factory/constructs/ecr/ecr_construct.py

@@ -33,6 +33,7 @@ class ECRConstruct(Construct, SsmParameterMixin):
 
         self.scope = scope
         self.deployment = deployment
+        self.repo = repo
         self.ecr_name = repo.name
         self.image_scan_on_push = repo.image_scan_on_push
         self.empty_on_delete = repo.empty_on_delete
@@ -98,28 +99,17 @@ class ECRConstruct(Construct, SsmParameterMixin):
         )
         
         # Add dependencies to ensure SSM parameters are created after the ECR repository
-        for param in params.values():
-            if param and param.node.default_child and isinstance(param.node.default_child, CfnResource):
-                param.node.default_child.add_dependency(
-                    cast(CfnResource, self.ecr.node.default_child)
-                )
+        if params:
+            for param in params.values():
+                if param and hasattr(param, 'node') and param.node.default_child and isinstance(param.node.default_child, CfnResource):
+                    param.node.default_child.add_dependency(
+                        cast(CfnResource, self.ecr.node.default_child)
+                    )
 
     def __set_life_cycle_rules(self) -> None:
-        # ToDo/FixMe: tag_pattern_list is not recognized in the current version in AWS
-
-        try:
-            # always keep images tagged as prod
-            self.ecr.add_lifecycle_rule(
-                tag_pattern_list=["prod*"], max_image_count=9999
-            )
-        except Exception as e:  # pylint: disable=w0718
-            if "unexpected keyword argument" in str(e):
-                logger.warning(
-                    "tag_pattern_list is not available in this version of the aws cdk"
-                )
-            else:
-                raise
-
+        # Note: tag_pattern_list is deprecated and causes circular dependencies in CDK synthesis
+        # Only add lifecycle rule for untagged images if configured
+        
         if not self.auto_delete_untagged_images_in_days:
             return None
 
@@ -143,49 +133,131 @@ class ECRConstruct(Construct, SsmParameterMixin):
         )
 
     def __setup_cross_account_access_permissions(self):
-        # Cross-account access policy
+        """
+        Setup cross-account access permissions with flexible configuration support.
+        
+        Supports both legacy (default Lambda access) and new configurable approach.
+        """
+        # Check if cross-account access is disabled
+        if not self.repo.cross_account_enabled:
+            logger.info(f"Cross-account access disabled for {self.ecr_name}")
+            return
 
-        if self.deployment.account == self.deployment.workload.get("devops", {}).get(
-            "account"
-        ):
-            # we're in the same account as the "devops" so we don't need cross account
-            # permisions
+        # Check if we're in the same account as devops
+        if self.deployment.account == self.deployment.workload.get("devops", {}).get("account"):
+            logger.info(f"Same account as devops, skipping cross-account permissions for {self.ecr_name}")
             return
 
-        ecr = self.ecr or self.__get_ecr()
-        cross_account_policy_statement = iam.PolicyStatement(
+        access_config = self.repo.cross_account_access
+        
+        if access_config and access_config.get("services"):
+            # New configurable approach
+            logger.info(f"Setting up configurable cross-account access for {self.ecr_name}")
+            self.__setup_configurable_access(access_config)
+        else:
+            # Legacy approach - default Lambda access for backward compatibility
+            logger.info(f"Setting up legacy cross-account access (Lambda only) for {self.ecr_name}")
+            self.__setup_legacy_lambda_access()
+
+    def __setup_configurable_access(self, access_config: dict):
+        """Setup cross-account access using configuration"""
+        
+        # Get list of accounts (default to deployment account)
+        accounts = access_config.get("accounts", [self.deployment.account])
+        
+        # Add account principal policies if accounts are specified
+        if accounts:
+            self.__add_account_principal_policy(accounts)
+        
+        # Add service-specific policies
+        services = access_config.get("services", [])
+        for service_config in services:
+            self.__add_service_principal_policy(service_config)
+
+    def __add_account_principal_policy(self, accounts: list):
+        """Add policy for AWS account principals"""
+        principals = [iam.AccountPrincipal(account) for account in accounts]
+        
+        policy_statement = iam.PolicyStatement(
             actions=[
                 "ecr:GetDownloadUrlForLayer",
                 "ecr:BatchGetImage",
                 "ecr:BatchCheckLayerAvailability",
             ],
-            principals=[
-                iam.AccountPrincipal(self.deployment.account)
-            ],  # Replace with the account ID of the Lambda function
-            resources=[ecr.repository_arn],
+            principals=principals,
             effect=iam.Effect.ALLOW,
         )
 
-        # Attach the policy to the ECR repository
-        response = ecr.add_to_resource_policy(cross_account_policy_statement)
-
-        # fails, we're not adding it this way
-        assert response.statement_added
-
-        response = self.ecr.add_to_resource_policy(
-            iam.PolicyStatement(
-                effect=iam.Effect.ALLOW,
-                actions=["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
-                principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
-                conditions={
-                    "StringLike": {
-                        "aws:sourceArn": [
-                            f"arn:aws:lambda:{self.deployment.region}:{self.deployment.account}:function:*"
-                        ]
-                    }
-                },
-                resources=[ecr.repository_arn],
-            )
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add account principal policy for {', '.join(accounts)}")
+        else:
+            logger.info(f"Added account principal policy for accounts: {', '.join(accounts)}")
+
+    def __add_service_principal_policy(self, service_config: dict):
+        """Add policy for service principal (Lambda, ECS, CodeBuild, etc.)"""
+        service_name = service_config.get("name", "unknown")
+        service_principal = service_config.get("service_principal")
+        actions = service_config.get("actions", ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"])
+        conditions = service_config.get("condition")
+
+        if not service_principal:
+            # Infer service principal from common service names
+            service_principal_map = {
+                "lambda": "lambda.amazonaws.com",
+                "ecs": "ecs-tasks.amazonaws.com",
+                "ecs-tasks": "ecs-tasks.amazonaws.com",
+                "codebuild": "codebuild.amazonaws.com",
+                "codepipeline": "codepipeline.amazonaws.com",
+                "ec2": "ec2.amazonaws.com",
+            }
+            service_principal = service_principal_map.get(service_name.lower())
+            
+        if not service_principal:
+            logger.warning(f"Unknown service principal for service: {service_name}")
+            return
+
+        policy_statement = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=actions,
+            principals=[iam.ServicePrincipal(service_principal)],
+        )
+        
+        # Add conditions if specified
+        if conditions:
+            for condition_key, condition_value in conditions.items():
+                policy_statement.add_condition(condition_key, condition_value)
+
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add service principal policy for {service_name}")
+        else:
+            logger.info(f"Added service principal policy for {service_name} ({service_principal})")
+
+    def __setup_legacy_lambda_access(self):
+        """Legacy method: Setup default Lambda-only cross-account access"""
+        
+        # Add account principal policy
+        self.__add_account_principal_policy([self.deployment.account])
+        
+        # Add Lambda service principal policy with default condition
+        lambda_policy = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+            principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
+        )
+        
+        lambda_policy.add_condition(
+            "StringLike",
+            {
+                "aws:sourceArn": [
+                    f"arn:aws:lambda:{self.deployment.region}:{self.deployment.account}:function:*"
+                ]
+            }
         )
 
-        assert response.statement_added
+        response = self.ecr.add_to_resource_policy(lambda_policy)
+        if not response.statement_added:
+            logger.warning("Failed to add Lambda service principal policy")
+        else:
+            logger.info("Added legacy Lambda service principal policy")

cdk_factory/pipeline/pipeline_factory.py

@@ -246,7 +246,13 @@ class PipelineFactoryStack(cdk.Stack):
 
     def _get_steps(self, key: str, stage_config: PipelineStageConfig):
         """
-        Gets the build steps from the config.json
+        Gets the build steps from the config.json.
+        
+        Commands can be:
+        - A list of strings (each string is a separate command)
+        - A single multi-line string (treated as a single script block)
+        
+        This allows support for complex shell constructs like if blocks, loops, etc.
         """
         shell_steps: List[pipelines.ShellStep] = []
 
@@ -257,6 +263,12 @@ class PipelineFactoryStack(cdk.Stack):
                 for step in steps:
                     step_id = step.get("id") or step.get("name")
                     commands = step.get("commands", [])
+                    
+                    # Normalize commands to a list
+                    # If commands is a single string, wrap it in a list
+                    if isinstance(commands, str):
+                        commands = [commands]
+                    
                     shell_step = pipelines.ShellStep(
                         id=step_id,
                         commands=commands,

cdk_factory/stack_library/ecs/ecs_service_stack.py

@@ -0,0 +1,525 @@
+"""
+ECS Service Stack Pattern for CDK-Factory
+Supports Fargate and EC2 launch types with auto-scaling, load balancing, and blue-green deployments.
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+
+from typing import Dict, Any, List, Optional
+
+import aws_cdk as cdk
+from aws_cdk import (
+    aws_ecs as ecs,
+    aws_ec2 as ec2,
+    aws_logs as logs,
+    aws_iam as iam,
+    aws_elasticloadbalancingv2 as elbv2,
+    aws_applicationautoscaling as appscaling,
+)
+from aws_lambda_powertools import Logger
+from constructs import Construct
+
+from cdk_factory.configurations.deployment import DeploymentConfig
+from cdk_factory.configurations.stack import StackConfig
+from cdk_factory.configurations.resources.ecs_service import EcsServiceConfig
+from cdk_factory.interfaces.istack import IStack
+from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import EnhancedSsmParameterMixin
+from cdk_factory.stack.stack_module_registry import register_stack
+from cdk_factory.workload.workload_factory import WorkloadConfig
+
+logger = Logger(service="EcsServiceStack")
+
+
+@register_stack("ecs_service_library_module")
+@register_stack("ecs_service_stack")
+@register_stack("fargate_service_stack")
+class EcsServiceStack(IStack, EnhancedSsmParameterMixin):
+    """
+    Reusable stack for ECS/Fargate services with Docker container support.
+    Supports blue-green deployments, maintenance mode, and auto-scaling.
+    """
+
+    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+        self.ecs_config: Optional[EcsServiceConfig] = None
+        self.stack_config: Optional[StackConfig] = None
+        self.deployment: Optional[DeploymentConfig] = None
+        self.workload: Optional[WorkloadConfig] = None
+        self.cluster: Optional[ecs.ICluster] = None
+        self.service: Optional[ecs.FargateService] = None
+        self.task_definition: Optional[ecs.FargateTaskDefinition] = None
+        self._vpc: Optional[ec2.IVpc] = None
+
+    def build(
+        self,
+        stack_config: StackConfig,
+        deployment: DeploymentConfig,
+        workload: WorkloadConfig,
+    ) -> None:
+        """Build the ECS Service stack"""
+        self._build(stack_config, deployment, workload)
+
+    def _build(
+        self,
+        stack_config: StackConfig,
+        deployment: DeploymentConfig,
+        workload: WorkloadConfig,
+    ) -> None:
+        """Internal build method for the ECS Service stack"""
+        self.stack_config = stack_config
+        self.deployment = deployment
+        self.workload = workload
+        
+        # Load ECS configuration
+        self.ecs_config = EcsServiceConfig(
+            stack_config.dictionary.get("ecs_service", {})
+        )
+        
+        service_name = deployment.build_resource_name(self.ecs_config.name)
+        
+        # Load VPC
+        self._load_vpc()
+        
+        # Create or load ECS cluster
+        self._create_or_load_cluster()
+        
+        # Create task definition
+        self._create_task_definition(service_name)
+        
+        # Create ECS service
+        self._create_service(service_name)
+        
+        # Setup auto-scaling
+        if self.ecs_config.enable_auto_scaling:
+            self._setup_auto_scaling()
+        
+        # Add outputs
+        self._add_outputs(service_name)
+
+    def _load_vpc(self) -> None:
+        """Load VPC from configuration"""
+        vpc_id = self.ecs_config.vpc_id or self.workload.vpc_id
+        
+        if not vpc_id:
+            raise ValueError("VPC ID is required for ECS service")
+        
+        self._vpc = ec2.Vpc.from_lookup(
+            self,
+            "VPC",
+            vpc_id=vpc_id
+        )
+
+    def _create_or_load_cluster(self) -> None:
+        """Create a new ECS cluster or load an existing one"""
+        cluster_name = self.ecs_config.cluster_name
+        
+        if cluster_name:
+            # Try to load existing cluster
+            try:
+                self.cluster = ecs.Cluster.from_cluster_attributes(
+                    self,
+                    "Cluster",
+                    cluster_name=cluster_name,
+                    vpc=self._vpc,
+                )
+                logger.info(f"Using existing cluster: {cluster_name}")
+            except Exception as e:
+                logger.warning(f"Could not load cluster {cluster_name}, creating new one: {e}")
+                self._create_new_cluster(cluster_name)
+        else:
+            # Create a new cluster with auto-generated name
+            cluster_name = f"{self.deployment.workload_name}-{self.deployment.environment}-cluster"
+            self._create_new_cluster(cluster_name)
+
+    def _create_new_cluster(self, cluster_name: str) -> None:
+        """Create a new ECS cluster"""
+        self.cluster = ecs.Cluster(
+            self,
+            "Cluster",
+            cluster_name=cluster_name,
+            vpc=self._vpc,
+            container_insights=True,
+        )
+        
+        cdk.Tags.of(self.cluster).add("Name", cluster_name)
+        cdk.Tags.of(self.cluster).add("Environment", self.deployment.environment)
+
+    def _create_task_definition(self, service_name: str) -> None:
+        """Create ECS task definition with container definitions"""
+        
+        # Create task execution role
+        execution_role = iam.Role(
+            self,
+            "TaskExecutionRole",
+            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name(
+                    "service-role/AmazonECSTaskExecutionRolePolicy"
+                ),
+            ],
+        )
+        
+        # Create task role for application permissions
+        task_role = iam.Role(
+            self,
+            "TaskRole",
+            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+        )
+        
+        # Enable ECS Exec if configured
+        if self.ecs_config.enable_execute_command:
+            task_role.add_managed_policy(
+                iam.ManagedPolicy.from_aws_managed_policy_name(
+                    "CloudWatchAgentServerPolicy"
+                )
+            )
+        
+        # Create task definition based on launch type
+        if self.ecs_config.launch_type == "EC2":
+            # EC2 task definition
+            network_mode = self.ecs_config.task_definition.get("network_mode", "bridge")
+            self.task_definition = ecs.Ec2TaskDefinition(
+                self,
+                "TaskDefinition",
+                family=f"{service_name}-task",
+                network_mode=ecs.NetworkMode(network_mode.upper()) if network_mode else ecs.NetworkMode.BRIDGE,
+                execution_role=execution_role,
+                task_role=task_role,
+            )
+        else:
+            # Fargate task definition
+            self.task_definition = ecs.FargateTaskDefinition(
+                self,
+                "TaskDefinition",
+                family=f"{service_name}-task",
+                cpu=int(self.ecs_config.cpu),
+                memory_limit_mib=int(self.ecs_config.memory),
+                execution_role=execution_role,
+                task_role=task_role,
+            )
+        
+        # Add containers
+        self._add_containers_to_task()
+
+    def _add_containers_to_task(self) -> None:
+        """Add container definitions to the task"""
+        container_definitions = self.ecs_config.container_definitions
+        
+        if not container_definitions:
+            raise ValueError("At least one container definition is required")
+        
+        for idx, container_config in enumerate(container_definitions):
+            container_name = container_config.get("name", f"container-{idx}")
+            image_uri = container_config.get("image")
+            
+            if not image_uri:
+                raise ValueError(f"Container image is required for {container_name}")
+            
+            # Create log group for container
+            log_group = logs.LogGroup(
+                self,
+                f"LogGroup-{container_name}",
+                log_group_name=f"/ecs/{self.deployment.workload_name}/{self.deployment.environment}/{container_name}",
+                retention=logs.RetentionDays.ONE_WEEK,
+                removal_policy=cdk.RemovalPolicy.DESTROY,
+            )
+            
+            # Build health check if configured
+            health_check_config = container_config.get("health_check")
+            health_check = None
+            if health_check_config:
+                health_check = ecs.HealthCheck(
+                    command=health_check_config.get("command", ["CMD-SHELL", "exit 0"]),
+                    interval=cdk.Duration.seconds(health_check_config.get("interval", 30)),
+                    timeout=cdk.Duration.seconds(health_check_config.get("timeout", 5)),
+                    retries=health_check_config.get("retries", 3),
+                    start_period=cdk.Duration.seconds(health_check_config.get("start_period", 0)),
+                )
+            
+            # Add container to task definition
+            container = self.task_definition.add_container(
+                container_name,
+                image=ecs.ContainerImage.from_registry(image_uri),
+                logging=ecs.LogDriver.aws_logs(
+                    stream_prefix=container_name,
+                    log_group=log_group,
+                ),
+                environment=container_config.get("environment", {}),
+                secrets=self._load_secrets(container_config.get("secrets", {})),
+                cpu=container_config.get("cpu"),
+                memory_limit_mib=container_config.get("memory"),
+                memory_reservation_mib=container_config.get("memory_reservation"),
+                essential=container_config.get("essential", True),
+                health_check=health_check,
+            )
+            
+            # Add port mappings
+            port_mappings = container_config.get("port_mappings", [])
+            for port_mapping in port_mappings:
+                container.add_port_mappings(
+                    ecs.PortMapping(
+                        container_port=port_mapping.get("container_port", 80),
+                        protocol=ecs.Protocol.TCP,
+                    )
+                )
+
+    def _load_secrets(self, secrets_config: Dict[str, str]) -> Dict[str, ecs.Secret]:
+        """Load secrets from Secrets Manager or SSM Parameter Store"""
+        secrets = {}
+        # Implement secret loading logic here
+        # This would integrate with AWS Secrets Manager or SSM Parameter Store
+        return secrets
+
+    def _create_service(self, service_name: str) -> None:
+        """Create ECS service (Fargate or EC2)"""
+        
+        # Load security groups
+        security_groups = self._load_security_groups()
+        
+        # Load subnets
+        subnets = self._load_subnets()
+        
+        # Create service based on launch type
+        if self.ecs_config.launch_type == "EC2":
+            self.service = ecs.Ec2Service(
+                self,
+                "Service",
+                service_name=service_name,
+                cluster=self.cluster,
+                task_definition=self.task_definition,
+                desired_count=self.ecs_config.desired_count,
+                enable_execute_command=self.ecs_config.enable_execute_command,
+                health_check_grace_period=cdk.Duration.seconds(
+                    self.ecs_config.health_check_grace_period
+                ) if self.ecs_config.target_group_arns else None,
+                circuit_breaker=ecs.DeploymentCircuitBreaker(rollback=True),
+                placement_strategies=self._get_placement_strategies(),
+                placement_constraints=self._get_placement_constraints(),
+            )
+        else:
+            # Fargate service
+            self.service = ecs.FargateService(
+                self,
+                "Service",
+                service_name=service_name,
+                cluster=self.cluster,
+                task_definition=self.task_definition,
+                desired_count=self.ecs_config.desired_count,
+                security_groups=security_groups,
+                vpc_subnets=ec2.SubnetSelection(subnets=subnets) if subnets else None,
+                assign_public_ip=self.ecs_config.assign_public_ip,
+                enable_execute_command=self.ecs_config.enable_execute_command,
+                health_check_grace_period=cdk.Duration.seconds(
+                    self.ecs_config.health_check_grace_period
+                ) if self.ecs_config.target_group_arns else None,
+                circuit_breaker=ecs.DeploymentCircuitBreaker(rollback=True),
+            )
+        
+        # Attach to load balancer target groups
+        self._attach_to_load_balancer()
+        
+        # Apply tags
+        for key, value in self.ecs_config.tags.items():
+            cdk.Tags.of(self.service).add(key, value)
+    
+    def _get_placement_strategies(self) -> List[ecs.PlacementStrategy]:
+        """Get placement strategies for EC2 launch type"""
+        strategies = []
+        placement_config = self.ecs_config._config.get("placement_strategies", [])
+        
+        for strategy in placement_config:
+            strategy_type = strategy.get("type", "spread")
+            field = strategy.get("field", "instanceId")
+            
+            if strategy_type == "spread":
+                strategies.append(ecs.PlacementStrategy.spread_across(field))
+            elif strategy_type == "binpack":
+                strategies.append(ecs.PlacementStrategy.packed_by(field))
+            elif strategy_type == "random":
+                strategies.append(ecs.PlacementStrategy.randomly())
+        
+        # Default strategy if none specified
+        if not strategies:
+            strategies = [
+                ecs.PlacementStrategy.spread_across_instances(),
+                ecs.PlacementStrategy.spread_across("attribute:ecs.availability-zone"),
+            ]
+        
+        return strategies
+    
+    def _get_placement_constraints(self) -> List[ecs.PlacementConstraint]:
+        """Get placement constraints for EC2 launch type"""
+        constraints = []
+        constraint_config = self.ecs_config._config.get("placement_constraints", [])
+        
+        for constraint in constraint_config:
+            constraint_type = constraint.get("type")
+            expression = constraint.get("expression", "")
+            
+            if constraint_type == "distinctInstance":
+                constraints.append(ecs.PlacementConstraint.distinct_instances())
+            elif constraint_type == "memberOf" and expression:
+                constraints.append(ecs.PlacementConstraint.member_of(expression))
+        
+        return constraints
+
+    def _load_security_groups(self) -> List[ec2.ISecurityGroup]:
+        """Load security groups from IDs"""
+        security_groups = []
+        
+        for sg_id in self.ecs_config.security_group_ids:
+            sg = ec2.SecurityGroup.from_security_group_id(
+                self,
+                f"SG-{sg_id[:8]}",
+                security_group_id=sg_id,
+            )
+            security_groups.append(sg)
+        
+        return security_groups
+
+    def _load_subnets(self) -> Optional[List[ec2.ISubnet]]:
+        """Load subnets by subnet group name"""
+        subnet_group_name = self.ecs_config.subnet_group_name
+        
+        if not subnet_group_name:
+            return None
+        
+        # This would need to be implemented based on your subnet naming convention
+        # For now, returning None to use default VPC subnets
+        return None
+
+    def _attach_to_load_balancer(self) -> None:
+        """Attach service to load balancer target groups"""
+        target_group_arns = self.ecs_config.target_group_arns
+        
+        if not target_group_arns:
+            # Try to load from SSM if configured
+            target_group_arns = self._load_target_groups_from_ssm()
+        
+        for tg_arn in target_group_arns:
+            target_group = elbv2.ApplicationTargetGroup.from_target_group_attributes(
+                self,
+                f"TG-{tg_arn.split('/')[-1][:8]}",
+                target_group_arn=tg_arn,
+            )
+            
+            self.service.attach_to_application_target_group(target_group)
+
+    def _load_target_groups_from_ssm(self) -> List[str]:
+        """Load target group ARNs from SSM parameters"""
+        target_group_arns = []
+        
+        # Load SSM imports and look for target group ARNs
+        ssm_imports = self.ecs_config.ssm_imports
+        
+        for param_key, param_name in ssm_imports.items():
+            if 'target_group' in param_key.lower() or 'tg' in param_key.lower():
+                try:
+                    param_value = self.get_ssm_parameter_value(param_name)
+                    if param_value and param_value.startswith('arn:'):
+                        target_group_arns.append(param_value)
+                except Exception as e:
+                    logger.warning(f"Could not load target group from SSM {param_name}: {e}")
+        
+        return target_group_arns
+
+    def _setup_auto_scaling(self) -> None:
+        """Configure auto-scaling for the ECS service"""
+        
+        scalable_target = self.service.auto_scale_task_count(
+            min_capacity=self.ecs_config.min_capacity,
+            max_capacity=self.ecs_config.max_capacity,
+        )
+        
+        # CPU-based scaling
+        scalable_target.scale_on_cpu_utilization(
+            "CpuScaling",
+            target_utilization_percent=self.ecs_config.auto_scaling_target_cpu,
+            scale_in_cooldown=cdk.Duration.seconds(60),
+            scale_out_cooldown=cdk.Duration.seconds(60),
+        )
+        
+        # Memory-based scaling
+        scalable_target.scale_on_memory_utilization(
+            "MemoryScaling",
+            target_utilization_percent=self.ecs_config.auto_scaling_target_memory,
+            scale_in_cooldown=cdk.Duration.seconds(60),
+            scale_out_cooldown=cdk.Duration.seconds(60),
+        )
+
+    def _add_outputs(self, service_name: str) -> None:
+        """Add CloudFormation outputs"""
+        
+        # Service name output
+        cdk.CfnOutput(
+            self,
+            "ServiceName",
+            value=self.service.service_name,
+            description=f"ECS Service Name: {service_name}",
+        )
+        
+        # Service ARN output
+        cdk.CfnOutput(
+            self,
+            "ServiceArn",
+            value=self.service.service_arn,
+            description=f"ECS Service ARN: {service_name}",
+        )
+        
+        # Cluster name output
+        cdk.CfnOutput(
+            self,
+            "ClusterName",
+            value=self.cluster.cluster_name,
+            description=f"ECS Cluster Name for {service_name}",
+        )
+        
+        # Export to SSM if configured
+        self._export_to_ssm(service_name)
+
+    def _export_to_ssm(self, service_name: str) -> None:
+        """Export resource ARNs and names to SSM Parameter Store"""
+        ssm_exports = self.ecs_config.ssm_exports
+        
+        if not ssm_exports:
+            return
+        
+        # Service name
+        if "service_name" in ssm_exports:
+            self.export_ssm_parameter(
+                scope=self,
+                id="ServiceNameParam",
+                value=self.service.service_name,
+                parameter_name=ssm_exports["service_name"],
+                description=f"ECS Service Name: {service_name}",
+            )
+        
+        # Service ARN
+        if "service_arn" in ssm_exports:
+            self.export_ssm_parameter(
+                scope=self,
+                id="ServiceArnParam",
+                value=self.service.service_arn,
+                parameter_name=ssm_exports["service_arn"],
+                description=f"ECS Service ARN: {service_name}",
+            )
+        
+        # Cluster name
+        if "cluster_name" in ssm_exports:
+            self.export_ssm_parameter(
+                scope=self,
+                id="ClusterNameParam",
+                value=self.cluster.cluster_name,
+                parameter_name=ssm_exports["cluster_name"],
+                description=f"ECS Cluster Name for {service_name}",
+            )
+        
+        # Task definition ARN
+        if "task_definition_arn" in ssm_exports:
+            self.export_ssm_parameter(
+                scope=self,
+                id="TaskDefinitionArnParam",
+                value=self.task_definition.task_definition_arn,
+                parameter_name=ssm_exports["task_definition_arn"],
+                description=f"ECS Task Definition ARN for {service_name}",
+            )

cdk_factory/version.py

@@ -1 +1 @@
-__version__ = "0.8.7"
+__version__ = "0.8.8"

{cdk_factory-0.8.7.dist-info → cdk_factory-0.8.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.8.7
+Version: 0.8.8
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.8.7.dist-info → cdk_factory-0.8.8.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cdk_factory/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cdk_factory/app.py,sha256=xv863N7O6HPKznB68_t7O4la9JacrkG87t9TjoDUk7s,2827
 cdk_factory/cdk.json,sha256=SKZKhJ2PBpFH78j-F8S3VDYW-lf76--Q2I3ON-ZIQfw,3106
-cdk_factory/version.py,sha256=vTwvdJOZi8jZb9U-Em7-d50qNDNPS2z51IXqRoojeNM,22
+cdk_factory/version.py,sha256=S5bBAK8bL7bybaXGJQuNE98fa3H65zGjTASMiyKGJGw,22
 cdk_factory/builds/README.md,sha256=9BBWd7bXpyKdMU_g2UljhQwrC9i5O_Tvkb6oPvndoZk,90
 cdk_factory/commands/command_loader.py,sha256=QbLquuP_AdxtlxlDy-2IWCQ6D-7qa58aphnDPtp_uTs,3744
 cdk_factory/configurations/base_config.py,sha256=JKjhNsy0RCUZy1s8n5D_aXXI-upR9izaLtCTfKYiV9k,9624
@@ -28,7 +28,8 @@ cdk_factory/configurations/resources/code_repository.py,sha256=rAM6cbMtNR_S4TfiB
 cdk_factory/configurations/resources/cognito.py,sha256=udX2AJ1ITLhy4f1XiJQwrva6F4i9NdbSm0zTg5PGku8,10649
 cdk_factory/configurations/resources/docker.py,sha256=hUbuxkuhcQu9LnLX7I8_57eTmHefEAGVnOHO37MkqC4,2166
 cdk_factory/configurations/resources/dynamodb.py,sha256=HsZMOaRwfuNPwKIzokeeE3f5zAQLTB5hRb_GzYq2ibg,2903
-cdk_factory/configurations/resources/ecr.py,sha256=LT2m13SsmxymaQXOtYTEbXwNWXIPURkoAR6py8pNrTE,6584
+cdk_factory/configurations/resources/ecr.py,sha256=o9hHzEBVPoxUvWZGXGbRJ-98FmP6fMLY5a1-qg42jL0,8253
+cdk_factory/configurations/resources/ecs_service.py,sha256=kEzSlasDejobl1ZxZtgtM7kVYF11AT3vCGsDInQNY3I,4319
 cdk_factory/configurations/resources/exisiting.py,sha256=EVOLnkB-DGfTlmDgyQ5DD5k2zYfpFxqI3gugDR7mifI,478
 cdk_factory/configurations/resources/lambda_function.py,sha256=VENZ9-ABJ5mjcN8J8wdLH4KHDYr1kWO0iFDH0B2mJXA,14659
 cdk_factory/configurations/resources/lambda_layers.py,sha256=gVeP_-LC3Eq0lkPaG_JfFUwboM5evRPr99SfKj53m7A,633
@@ -47,7 +48,7 @@ cdk_factory/configurations/resources/security_group_full_stack.py,sha256=x5MIMCa
 cdk_factory/configurations/resources/sqs.py,sha256=fAh2dqttJ6PX46enFRULuiLEu3TEj0Vb2xntAOgUpYE,4346
 cdk_factory/configurations/resources/vpc.py,sha256=sNn6w76bHFwmt6N76gZZhqpsuNB9860C1SZu6tebaXY,3835
 cdk_factory/constructs/cloudfront/cloudfront_distribution_construct.py,sha256=7uDkDbFigeUOuYgsQ9ghA4dGlx63rUCa6Iiq4RWokEA,14627
-cdk_factory/constructs/ecr/ecr_construct.py,sha256=s0egnh4U7qgCSn_LLq1soRLWSxsFjrTx8P591AjkN84,7025
+cdk_factory/constructs/ecr/ecr_construct.py,sha256=JLz3gWrsjlM0XghvbgxuoGlF-VIo_7IYxtgX7mTkidE,10660
 cdk_factory/constructs/lambdas/lambda_function_construct.py,sha256=SQ5SEXn4kezVAzXuv_A_JB3o_svyBXOMi-htvfB9HQs,4516
 cdk_factory/constructs/lambdas/lambda_function_docker_construct.py,sha256=aSyn3eh1YnuIahZ7CbZ5WswwPL8u70ZibMoS24QQifc,9907
 cdk_factory/constructs/lambdas/lambda_function_role_construct.py,sha256=nJoxKv-4CWugX-ZkAzoG8wrfSsHqXqiMZnGRqSyS4Po,1453
@@ -62,7 +63,7 @@ cdk_factory/interfaces/istack.py,sha256=bhTBs-o9FgKwvJMSuwxjUV6D3nUlvZHVzfm27jP9
 cdk_factory/interfaces/live_ssm_resolver.py,sha256=3FIr9a02SXqZmbFs3RT0WxczWEQR_CF7QSt7kWbDrVE,8163
 cdk_factory/interfaces/ssm_parameter_mixin.py,sha256=uA2j8HmAOpuEA9ynRj51s0WjUHMVLsbLQN-QS9NKyHA,12089
 cdk_factory/lambdas/health_handler.py,sha256=dd40ykKMxWCFEIyp2ZdQvAGNjw_ylI9CSm1N24Hp2ME,196
-cdk_factory/pipeline/pipeline_factory.py,sha256=DtvGlCjq1uNafwtNevbpwgIR4Du8UoaTVqfgqC_FePU,15430
+cdk_factory/pipeline/pipeline_factory.py,sha256=OuL1pOWjThIMDYqZEBbqLzg8KK9A84qtjRMPJwnX-kk,15956
 cdk_factory/pipeline/stage.py,sha256=Be7ExMB9A-linRM18IQDOzQ-cP_I2_ThRNzlT4FIrUg,437
 cdk_factory/pipeline/security/policies.py,sha256=H3-S6nipz3UtF9Pc5eJYr4-aREUTCaJWMjOUyd6Rdv4,4406
 cdk_factory/pipeline/security/roles.py,sha256=ZB_O5H_BXgotvVspS2kVad9EMcY-a_-vU7Nm1_Z5MB8,4985
@@ -84,6 +85,8 @@ cdk_factory/stack_library/cognito/cognito_stack.py,sha256=zEHkKVCIeyZywPs_GIMXCX
 cdk_factory/stack_library/dynamodb/dynamodb_stack.py,sha256=TVyOrUhgaSuN8uymkpaQcpOaSA0lkYJ8QUMgakTCKus,6771
 cdk_factory/stack_library/ecr/README.md,sha256=xw2wPx9WN03Y4BBwqvbi9lAFGNyaD1FUNpqxVJX14Oo,179
 cdk_factory/stack_library/ecr/ecr_stack.py,sha256=1xA68sxFVyqreYjXrP_7U9I8RF9RtFeR6KeEfSWuC2U,2118
+cdk_factory/stack_library/ecs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cdk_factory/stack_library/ecs/ecs_service_stack.py,sha256=mFanYtkZ9GpgT8g31D9tj-2yYbmmcuHN7ADaRD-ri9o,20638
 cdk_factory/stack_library/load_balancer/__init__.py,sha256=wZpKw2OecLJGdF5mPayCYAEhu2H3c2gJFFIxwXftGDU,52
 cdk_factory/stack_library/load_balancer/load_balancer_stack.py,sha256=t5JUe5lMUbQCRFZR08k8nO-g-53yWY8gKB9v8ZnedBs,24391
 cdk_factory/stack_library/rds/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -112,7 +115,7 @@ cdk_factory/utilities/lambda_function_utilities.py,sha256=S1GvBsY_q2cyUiaud3HORJ
 cdk_factory/utilities/os_execute.py,sha256=5Op0LY_8Y-pUm04y1k8MTpNrmQvcLmQHPQITEP7EuSU,1019
 cdk_factory/utils/api_gateway_utilities.py,sha256=If7Xu5s_UxmuV-kL3JkXxPLBdSVUKoLtohm0IUFoiV8,4378
 cdk_factory/workload/workload_factory.py,sha256=yBUDGIuB8-5p_mGcVFxsD2ZoZIziak3yh3LL3JvS0M4,5903
-cdk_factory-0.8.7.dist-info/METADATA,sha256=WGWpDzr9pYOJtD_F35pKGQZF9Fb-BUBI5AAhj652bOw,2450
-cdk_factory-0.8.7.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-cdk_factory-0.8.7.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
-cdk_factory-0.8.7.dist-info/RECORD,,
+cdk_factory-0.8.8.dist-info/METADATA,sha256=snclFyCZwqRqLmxauiDny56lUUnERMnVSNYvMGKZWG8,2450
+cdk_factory-0.8.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+cdk_factory-0.8.8.dist-info/licenses/LICENSE,sha256=NOtdOeLwg2il_XBJdXUPFPX8JlV4dqTdDGAd2-khxT8,1066
+cdk_factory-0.8.8.dist-info/RECORD,,