cdk-factory 0.8.7__tar.gz → 0.8.8__tar.gz

{cdk_factory-0.8.7 → cdk_factory-0.8.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.8.7
+Version: 0.8.8
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.8.7 → cdk_factory-0.8.8}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.8.7"
+version = "0.8.8"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.8.7 → cdk_factory-0.8.8}/src/cdk_factory/configurations/resources/ecr.py

@@ -16,7 +16,7 @@ class ECRConfig(EnhancedBaseConfig):
     ) -> None:
         super().__init__(config, resource_type="ecr", resource_name=config.get("name", "ecr") if config else "ecr")
         self.__config = config
-        self.__deployment = config
+        self.__deployment = deployment
         self.__ssm_prefix_template = config.get("ssm_prefix_template", None)
 
     @property
@@ -74,12 +74,13 @@ class ECRConfig(EnhancedBaseConfig):
         Clear out untagged images after x days.  This helps save costs.
         Untagged images will stay forever if you don't clean them out.
         """
+        days = None
         if self.__config and isinstance(self.__config, dict):
             days = self.__config.get("auto_delete_untagged_images_in_days")
             if days:
                 days = int(days)
 
-        return None
+        return days
 
     @property
     def use_existing(self) -> bool:
@@ -118,6 +119,50 @@ class ECRConfig(EnhancedBaseConfig):
         if not value:
             raise RuntimeError("Region is not defined")
         return value
+
+    @property
+    def cross_account_access(self) -> dict:
+        """
+        Cross-account access configuration.
+        
+        Example:
+        {
+            "enabled": true,
+            "accounts": ["123456789012", "987654321098"],
+            "services": [
+                {
+                    "name": "lambda",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+                    "condition": {
+                        "StringLike": {
+                            "aws:sourceArn": "arn:aws:lambda:*:*:function:*"
+                        }
+                    }
+                },
+                {
+                    "name": "ecs-tasks",
+                    "service_principal": "ecs-tasks.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
+                },
+                {
+                    "name": "codebuild",
+                    "service_principal": "codebuild.amazonaws.com",
+                    "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
+                }
+            ]
+        }
+        """
+        if self.__config and isinstance(self.__config, dict):
+            return self.__config.get("cross_account_access", {})
+        return {}
+
+    @property
+    def cross_account_enabled(self) -> bool:
+        """Whether cross-account access is explicitly enabled"""
+        access_config = self.cross_account_access
+        if access_config:
+            return str(access_config.get("enabled", "true")).lower() == "true"
+        return True  # Default to enabled for backward compatibility
         
     # SSM properties are now inherited from EnhancedBaseConfig
     # Keeping these for any direct access patterns in existing code

cdk_factory-0.8.8/src/cdk_factory/configurations/resources/ecs_service.py

@@ -0,0 +1,144 @@
+"""
+ECS Service Configuration
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+
+from typing import Dict, Any, List, Optional
+
+
+class EcsServiceConfig:
+    """ECS Service Configuration"""
+
+    def __init__(self, config: Dict[str, Any]) -> None:
+        self._config = config
+
+    @property
+    def name(self) -> str:
+        """Service name"""
+        return self._config.get("name", "")
+
+    @property
+    def cluster_name(self) -> Optional[str]:
+        """ECS Cluster name"""
+        return self._config.get("cluster_name")
+
+    @property
+    def task_definition(self) -> Dict[str, Any]:
+        """Task definition configuration"""
+        return self._config.get("task_definition", {})
+
+    @property
+    def container_definitions(self) -> List[Dict[str, Any]]:
+        """Container definitions"""
+        return self.task_definition.get("containers", [])
+
+    @property
+    def cpu(self) -> str:
+        """Task CPU units"""
+        return self.task_definition.get("cpu", "256")
+
+    @property
+    def memory(self) -> str:
+        """Task memory (MB)"""
+        return self.task_definition.get("memory", "512")
+
+    @property
+    def launch_type(self) -> str:
+        """Launch type: FARGATE or EC2"""
+        return self._config.get("launch_type", "FARGATE")
+
+    @property
+    def desired_count(self) -> int:
+        """Desired number of tasks"""
+        return self._config.get("desired_count", 2)
+
+    @property
+    def min_capacity(self) -> int:
+        """Minimum number of tasks"""
+        return self._config.get("min_capacity", 1)
+
+    @property
+    def max_capacity(self) -> int:
+        """Maximum number of tasks"""
+        return self._config.get("max_capacity", 4)
+
+    @property
+    def vpc_id(self) -> Optional[str]:
+        """VPC ID"""
+        return self._config.get("vpc_id")
+
+    @property
+    def subnet_group_name(self) -> Optional[str]:
+        """Subnet group name for service placement"""
+        return self._config.get("subnet_group_name")
+
+    @property
+    def security_group_ids(self) -> List[str]:
+        """Security group IDs"""
+        return self._config.get("security_group_ids", [])
+
+    @property
+    def assign_public_ip(self) -> bool:
+        """Whether to assign public IP addresses"""
+        return self._config.get("assign_public_ip", False)
+
+    @property
+    def target_group_arns(self) -> List[str]:
+        """Target group ARNs for load balancing"""
+        return self._config.get("target_group_arns", [])
+
+    @property
+    def container_port(self) -> int:
+        """Container port for load balancer"""
+        return self._config.get("container_port", 80)
+
+    @property
+    def health_check_grace_period(self) -> int:
+        """Health check grace period in seconds"""
+        return self._config.get("health_check_grace_period", 60)
+
+    @property
+    def enable_execute_command(self) -> bool:
+        """Enable ECS Exec for debugging"""
+        return self._config.get("enable_execute_command", False)
+
+    @property
+    def enable_auto_scaling(self) -> bool:
+        """Enable auto-scaling"""
+        return self._config.get("enable_auto_scaling", True)
+
+    @property
+    def auto_scaling_target_cpu(self) -> int:
+        """Target CPU utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_cpu", 70)
+
+    @property
+    def auto_scaling_target_memory(self) -> int:
+        """Target memory utilization percentage for auto-scaling"""
+        return self._config.get("auto_scaling_target_memory", 80)
+
+    @property
+    def tags(self) -> Dict[str, str]:
+        """Resource tags"""
+        return self._config.get("tags", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports"""
+        return self._config.get("ssm_exports", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports"""
+        return self._config.get("ssm_imports", {})
+
+    @property
+    def deployment_type(self) -> str:
+        """Deployment type: production, maintenance, or blue-green"""
+        return self._config.get("deployment_type", "production")
+
+    @property
+    def is_maintenance_mode(self) -> bool:
+        """Whether this is a maintenance mode deployment"""
+        return self.deployment_type == "maintenance"

cdk_factory-0.8.8/src/cdk_factory/constructs/ecr/ecr_construct.py

@@ -0,0 +1,263 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+
+from typing import cast, Dict
+from aws_cdk import Duration, RemovalPolicy, aws_ecr
+from aws_cdk import CfnResource
+from aws_cdk import aws_iam as iam
+from aws_cdk import aws_ssm as ssm
+from aws_lambda_powertools import Logger
+from constructs import Construct, IConstruct
+from cdk_factory.configurations.resources.resource_types import ResourceTypes
+from cdk_factory.configurations.resources.ecr import ECRConfig as ECR
+from cdk_factory.configurations.deployment import DeploymentConfig as Deployment
+from cdk_factory.interfaces.ssm_parameter_mixin import SsmParameterMixin
+
+logger = Logger(__name__)
+
+
+class ECRConstruct(Construct, SsmParameterMixin):
+    def __init__(
+        self,
+        scope: Construct,
+        id: str,
+        *,
+        deployment: Deployment,
+        repo: ECR,
+        **kwargs,
+    ) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        self.scope = scope
+        self.deployment = deployment
+        self.repo = repo
+        self.ecr_name = repo.name
+        self.image_scan_on_push = repo.image_scan_on_push
+        self.empty_on_delete = repo.empty_on_delete
+        self.auto_delete_untagged_images_in_days = (
+            repo.auto_delete_untagged_images_in_days
+        )
+
+        # set it all up
+        self.ecr = self.__create_ecr()
+        self.__set_life_cycle_rules()
+        self.__create_parameter_store_values()
+        self.__setup_cross_account_access_permissions()
+
+    def __create_ecr(self) -> aws_ecr.Repository:
+        # create the ecr repo
+        name = self.deployment.build_resource_name(
+            self.ecr_name, ResourceTypes.ECR_REPOSITORY
+        )
+        ecr_repository = aws_ecr.Repository(
+            scope=self,
+            id=self.deployment.build_resource_name(self.ecr_name),
+            repository_name=name,
+            # auto delete images after x days
+            # auto_delete_images=self.empty_on_delete,
+            # delete images when repo is destroyed
+            empty_on_delete=self.empty_on_delete,
+            # scan on push true/false
+            image_scan_on_push=self.image_scan_on_push,
+            # removal policy on delete destroy if empty on delete otherwise retain
+            removal_policy=(
+                RemovalPolicy.DESTROY if self.empty_on_delete else RemovalPolicy.RETAIN
+            ),
+        )
+
+        return ecr_repository
+
+    def __create_parameter_store_values(self):
+        """
+        Stores the ecr info in the parameter store for consumption in
+        other cdk stacks using the SsmParameterMixin.
+
+        This method uses the new configurable SSM parameter prefix system.
+        """
+        # Create a dictionary of resource values to export
+        resource_values = {
+            "name": self.ecr.repository_name,
+            "uri": self.ecr.repository_uri,
+            "arn": self.ecr.repository_arn
+        }
+        
+        # Use the export_resource_to_ssm method from SsmParameterMixin
+        params = self.export_resource_to_ssm(
+            scope=self,
+            resource_values=resource_values,
+            config=self.repo,  # Pass the ECRConfig object which has ssm_exports
+            resource_name=self.ecr_name,
+            resource_type="ecr",
+            context={
+                "deployment_name": self.deployment.name,
+                "environment": self.deployment.environment,
+                "workload_name": self.deployment.workload_name
+            }
+        )
+        
+        # Add dependencies to ensure SSM parameters are created after the ECR repository
+        if params:
+            for param in params.values():
+                if param and hasattr(param, 'node') and param.node.default_child and isinstance(param.node.default_child, CfnResource):
+                    param.node.default_child.add_dependency(
+                        cast(CfnResource, self.ecr.node.default_child)
+                    )
+
+    def __set_life_cycle_rules(self) -> None:
+        # Note: tag_pattern_list is deprecated and causes circular dependencies in CDK synthesis
+        # Only add lifecycle rule for untagged images if configured
+        
+        if not self.auto_delete_untagged_images_in_days:
+            return None
+
+        days = self.auto_delete_untagged_images_in_days
+
+        logger.info(
+            f"Adding life cycle policy.  Removing untagged images after {days} days"
+        )
+        # remove any untagged images after x days
+        self.ecr.add_lifecycle_rule(
+            tag_status=aws_ecr.TagStatus.UNTAGGED, max_image_age=Duration.days(days)
+        )
+
+    def __get_ecr(self) -> aws_ecr.IRepository:
+
+        return aws_ecr.Repository.from_repository_arn(
+            scope=self,
+            id=f"{self.deployment.build_resource_name(self.ecr_name)}-by-attribute",
+            # repository_name=self.ecr.repository_name,
+            repository_arn=self.ecr.repository_arn,
+        )
+
+    def __setup_cross_account_access_permissions(self):
+        """
+        Setup cross-account access permissions with flexible configuration support.
+        
+        Supports both legacy (default Lambda access) and new configurable approach.
+        """
+        # Check if cross-account access is disabled
+        if not self.repo.cross_account_enabled:
+            logger.info(f"Cross-account access disabled for {self.ecr_name}")
+            return
+
+        # Check if we're in the same account as devops
+        if self.deployment.account == self.deployment.workload.get("devops", {}).get("account"):
+            logger.info(f"Same account as devops, skipping cross-account permissions for {self.ecr_name}")
+            return
+
+        access_config = self.repo.cross_account_access
+        
+        if access_config and access_config.get("services"):
+            # New configurable approach
+            logger.info(f"Setting up configurable cross-account access for {self.ecr_name}")
+            self.__setup_configurable_access(access_config)
+        else:
+            # Legacy approach - default Lambda access for backward compatibility
+            logger.info(f"Setting up legacy cross-account access (Lambda only) for {self.ecr_name}")
+            self.__setup_legacy_lambda_access()
+
+    def __setup_configurable_access(self, access_config: dict):
+        """Setup cross-account access using configuration"""
+        
+        # Get list of accounts (default to deployment account)
+        accounts = access_config.get("accounts", [self.deployment.account])
+        
+        # Add account principal policies if accounts are specified
+        if accounts:
+            self.__add_account_principal_policy(accounts)
+        
+        # Add service-specific policies
+        services = access_config.get("services", [])
+        for service_config in services:
+            self.__add_service_principal_policy(service_config)
+
+    def __add_account_principal_policy(self, accounts: list):
+        """Add policy for AWS account principals"""
+        principals = [iam.AccountPrincipal(account) for account in accounts]
+        
+        policy_statement = iam.PolicyStatement(
+            actions=[
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:BatchGetImage",
+                "ecr:BatchCheckLayerAvailability",
+            ],
+            principals=principals,
+            effect=iam.Effect.ALLOW,
+        )
+
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add account principal policy for {', '.join(accounts)}")
+        else:
+            logger.info(f"Added account principal policy for accounts: {', '.join(accounts)}")
+
+    def __add_service_principal_policy(self, service_config: dict):
+        """Add policy for service principal (Lambda, ECS, CodeBuild, etc.)"""
+        service_name = service_config.get("name", "unknown")
+        service_principal = service_config.get("service_principal")
+        actions = service_config.get("actions", ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"])
+        conditions = service_config.get("condition")
+
+        if not service_principal:
+            # Infer service principal from common service names
+            service_principal_map = {
+                "lambda": "lambda.amazonaws.com",
+                "ecs": "ecs-tasks.amazonaws.com",
+                "ecs-tasks": "ecs-tasks.amazonaws.com",
+                "codebuild": "codebuild.amazonaws.com",
+                "codepipeline": "codepipeline.amazonaws.com",
+                "ec2": "ec2.amazonaws.com",
+            }
+            service_principal = service_principal_map.get(service_name.lower())
+            
+        if not service_principal:
+            logger.warning(f"Unknown service principal for service: {service_name}")
+            return
+
+        policy_statement = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=actions,
+            principals=[iam.ServicePrincipal(service_principal)],
+        )
+        
+        # Add conditions if specified
+        if conditions:
+            for condition_key, condition_value in conditions.items():
+                policy_statement.add_condition(condition_key, condition_value)
+
+        response = self.ecr.add_to_resource_policy(policy_statement)
+        if not response.statement_added:
+            logger.warning(f"Failed to add service principal policy for {service_name}")
+        else:
+            logger.info(f"Added service principal policy for {service_name} ({service_principal})")
+
+    def __setup_legacy_lambda_access(self):
+        """Legacy method: Setup default Lambda-only cross-account access"""
+        
+        # Add account principal policy
+        self.__add_account_principal_policy([self.deployment.account])
+        
+        # Add Lambda service principal policy with default condition
+        lambda_policy = iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            actions=["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
+            principals=[iam.ServicePrincipal("lambda.amazonaws.com")],
+        )
+        
+        lambda_policy.add_condition(
+            "StringLike",
+            {
+                "aws:sourceArn": [
+                    f"arn:aws:lambda:{self.deployment.region}:{self.deployment.account}:function:*"
+                ]
+            }
+        )
+
+        response = self.ecr.add_to_resource_policy(lambda_policy)
+        if not response.statement_added:
+            logger.warning("Failed to add Lambda service principal policy")
+        else:
+            logger.info("Added legacy Lambda service principal policy")

{cdk_factory-0.8.7 → cdk_factory-0.8.8}/src/cdk_factory/pipeline/pipeline_factory.py

@@ -246,7 +246,13 @@ class PipelineFactoryStack(cdk.Stack):
 
     def _get_steps(self, key: str, stage_config: PipelineStageConfig):
         """
-        Gets the build steps from the config.json
+        Gets the build steps from the config.json.
+        
+        Commands can be:
+        - A list of strings (each string is a separate command)
+        - A single multi-line string (treated as a single script block)
+        
+        This allows support for complex shell constructs like if blocks, loops, etc.
         """
         shell_steps: List[pipelines.ShellStep] = []
 
@@ -257,6 +263,12 @@ class PipelineFactoryStack(cdk.Stack):
                 for step in steps:
                     step_id = step.get("id") or step.get("name")
                     commands = step.get("commands", [])
+                    
+                    # Normalize commands to a list
+                    # If commands is a single string, wrap it in a list
+                    if isinstance(commands, str):
+                        commands = [commands]
+                    
                     shell_step = pipelines.ShellStep(
                         id=step_id,
                         commands=commands,