cdk-factory 0.9.12__tar.gz → 0.10.0__tar.gz

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cdk_factory
-Version: 0.9.12
+Version: 0.10.0
 Summary: CDK Factory. A QuickStarter and best practices setup for CDK projects
 Author-email: Eric Wilson <eric.wilson@geekcafe.com>
 License: MIT License

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/pyproject.toml

@@ -33,7 +33,7 @@ markers = [
 [project]
 
 name = "cdk_factory"
-version = "0.9.12"
+version = "0.10.0"
 authors = [
   { name="Eric Wilson", email="eric.wilson@geekcafe.com" }
 ]

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/run-tests.sh

@@ -24,15 +24,19 @@ echo "=================================="
 if [ ! -d ".venv" ]; then
     echo -e "${YELLOW}Creating virtual environment...${NC}"
     python3 -m venv .venv
+    # Install dependencies
+    echo -e "${YELLOW}Installing dependencies...${NC}"
+    pip install -q -r requirements.dev.txt
+    pip install -q -r requirements.tests.txt
+fi
+
+# see if it's activated
+if [ ! -f ".venv/bin/activate" ]; then
+    echo -e "${YELLOW}Activating virtual environment...${NC}"
+    source ./.venv/bin/activate
 fi
 
-echo -e "${YELLOW}Activating virtual environment...${NC}"
-source ./.venv/bin/activate
 
-# Install dependencies
-echo -e "${YELLOW}Installing dependencies...${NC}"
-pip install -q -r requirements.dev.txt
-pip install -q -r requirements.tests.txt
 
 # Check if pytest is installed in the virtual environment
 if ! command -v pytest &> /dev/null; then

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/src/cdk_factory/configurations/resources/auto_scaling.py

@@ -148,3 +148,30 @@ class AutoScalingConfig(EnhancedBaseConfig):
     def target_group_arns(self) -> List[str]:
         """Target group ARNs for the Auto Scaling Group"""
         return self.__config.get("target_group_arns", [])
+
+    @property
+    def user_data_scripts(self) -> List[Dict[str, Any]]:
+        """
+        User data scripts to inject from files.
+        Each script should have:
+        - type: 'file' or 'inline'
+        - path: path to script file (if type is 'file')
+        - content: script content (if type is 'inline')
+        - variables: dict of variables for substitution
+        """
+        return self.__config.get("user_data_scripts", [])
+
+    @property
+    def iam_inline_policies(self) -> List[Dict[str, Any]]:
+        """
+        IAM inline policies to attach to the instance role.
+        Each policy should have:
+        - name: policy name
+        - statements: list of IAM policy statements
+        """
+        return self.__config.get("iam_inline_policies", [])
+
+    @property
+    def key_name(self) -> Optional[str]:
+        """EC2 key pair name for SSH access"""
+        return self.__config.get("key_name")

cdk_factory-0.10.0/src/cdk_factory/configurations/resources/cloudfront.py

@@ -0,0 +1,124 @@
+"""
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License.  See Project Root for the license information.
+"""
+from typing import Dict, List, Any, Optional
+from cdk_factory.configurations.enhanced_base_config import EnhancedBaseConfig
+
+
+class CloudFrontConfig(EnhancedBaseConfig):
+    """
+    CloudFront Distribution Configuration
+    Supports both S3 origins (static sites) and custom origins (ALB, API Gateway, etc.)
+    """
+
+    def __init__(self, config: dict = None, deployment=None) -> None:
+        super().__init__(
+            config or {}, 
+            resource_type="cloudfront", 
+            resource_name=config.get("name", "cloudfront") if config else "cloudfront"
+        )
+        self._config = config or {}
+        self._deployment = deployment
+
+    @property
+    def name(self) -> str:
+        """Distribution name"""
+        return self._config.get("name", "cloudfront")
+
+    @property
+    def description(self) -> str:
+        """Distribution description"""
+        return self._config.get("description", "CloudFront Distribution")
+
+    @property
+    def comment(self) -> str:
+        """Distribution comment"""
+        return self._config.get("comment", "")
+
+    @property
+    def enabled(self) -> bool:
+        """Whether distribution is enabled"""
+        return self._config.get("enabled", True)
+
+    @property
+    def aliases(self) -> List[str]:
+        """Alternate domain names (CNAMEs)"""
+        return self._config.get("aliases", [])
+
+    @property
+    def price_class(self) -> str:
+        """Price class for edge locations"""
+        return self._config.get("price_class", "PriceClass_100")
+
+    @property
+    def http_version(self) -> str:
+        """HTTP version (http2, http2_and_3)"""
+        return self._config.get("http_version", "http2_and_3")
+
+    @property
+    def certificate(self) -> Optional[Dict[str, Any]]:
+        """ACM certificate configuration"""
+        return self._config.get("certificate")
+
+    @property
+    def origins(self) -> List[Dict[str, Any]]:
+        """Origin configurations"""
+        return self._config.get("origins", [])
+
+    @property
+    def default_cache_behavior(self) -> Dict[str, Any]:
+        """Default cache behavior"""
+        return self._config.get("default_cache_behavior", {})
+
+    @property
+    def cache_behaviors(self) -> List[Dict[str, Any]]:
+        """Additional cache behaviors"""
+        return self._config.get("cache_behaviors", [])
+
+    @property
+    def custom_error_responses(self) -> List[Dict[str, Any]]:
+        """Custom error responses"""
+        return self._config.get("custom_error_responses", [])
+
+    @property
+    def logging(self) -> Optional[Dict[str, Any]]:
+        """Logging configuration"""
+        return self._config.get("logging")
+
+    @property
+    def waf_web_acl_id(self) -> Optional[str]:
+        """WAF Web ACL ID"""
+        return self._config.get("waf_web_acl_id")
+
+    @property
+    def default_root_object(self) -> str:
+        """Default root object"""
+        return self._config.get("default_root_object", "index.html")
+
+    @property
+    def tags(self) -> Dict[str, str]:
+        """Resource tags"""
+        return self._config.get("tags", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports"""
+        return self._config.get("ssm_exports", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports"""
+        return self._config.get("ssm_imports", {})
+
+    @property
+    def hosted_zone_id(self) -> str:
+        """
+        Returns the hosted_zone_id for cloudfront
+        Use this when making dns changes when you want your custom domain
+        to be route through cloudfront.
+
+        As far as I know this Id is static and used for all of cloudfront
+        """
+        return self._config.get("hosted_zone_id", "Z2FDTNDATAQYW2")

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/src/cdk_factory/configurations/resources/ecs_service.py

@@ -142,3 +142,15 @@ class EcsServiceConfig:
     def is_maintenance_mode(self) -> bool:
         """Whether this is a maintenance mode deployment"""
         return self.deployment_type == "maintenance"
+
+    @property
+    def volumes(self) -> List[Dict[str, Any]]:
+        """
+        Volume definitions for the task.
+        Supports host volumes for EC2 launch type and EFS volumes.
+        Each volume should have:
+        - name: volume name
+        - host: {source_path: "/path/on/host"} for bind mounts
+        - efs: {...} for EFS volumes
+        """
+        return self.task_definition.get("volumes", [])

cdk_factory-0.10.0/src/cdk_factory/configurations/resources/lambda_edge.py

@@ -0,0 +1,92 @@
+"""
+Lambda@Edge Configuration for CDK-Factory
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+from typing import Dict, Optional
+from cdk_factory.configurations.enhanced_base_config import EnhancedBaseConfig
+
+
+class LambdaEdgeConfig(EnhancedBaseConfig):
+    """
+    Configuration class for Lambda@Edge functions.
+    Lambda@Edge has specific constraints:
+    - Must be deployed in us-east-1
+    - Max timeout: 5 seconds for origin-request/response, 30s for viewer-request/response
+    - Max memory: 10GB (but typically use 128-512MB for edge functions)
+    - Must use versioned functions (not $LATEST)
+    """
+
+    def __init__(self, config: dict = None, deployment=None) -> None:
+        super().__init__(
+            config or {},
+            resource_type="lambda_edge",
+            resource_name=config.get("name", "lambda-edge") if config else "lambda-edge"
+        )
+        self._config = config or {}
+        self._deployment = deployment
+
+    @property
+    def name(self) -> str:
+        """Function name"""
+        return self._config.get("name", "lambda-edge")
+
+    @property
+    def handler(self) -> str:
+        """Handler function (e.g., 'handler.lambda_handler')"""
+        return self._config.get("handler", "handler.lambda_handler")
+
+    @property
+    def runtime(self) -> str:
+        """Lambda runtime (e.g., 'python3.11')"""
+        return self._config.get("runtime", "python3.11")
+
+    @property
+    def memory_size(self) -> int:
+        """Memory size in MB (128-10240)"""
+        return int(self._config.get("memory_size", 128))
+
+    @property
+    def timeout(self) -> int:
+        """Timeout in seconds (max 5 for origin-request)"""
+        timeout = int(self._config.get("timeout", 5))
+        if timeout > 5:
+            raise ValueError("Lambda@Edge origin-request timeout cannot exceed 5 seconds")
+        return timeout
+
+    @property
+    def code_path(self) -> str:
+        """Path to Lambda function code directory"""
+        return self._config.get("code_path", "./lambdas/edge/ip_gate")
+
+    @property
+    def environment(self) -> Dict[str, str]:
+        """Environment variables for the Lambda function"""
+        return self._config.get("environment", {})
+
+    @property
+    def description(self) -> str:
+        """Function description"""
+        return self._config.get("description", "Lambda@Edge function")
+
+    @property
+    def event_type(self) -> str:
+        """
+        Lambda@Edge event type:
+        - viewer-request: Executes when CloudFront receives a request from viewer
+        - origin-request: Executes before CloudFront forwards request to origin
+        - origin-response: Executes after CloudFront receives response from origin
+        - viewer-response: Executes before CloudFront returns response to viewer
+        """
+        return self._config.get("event_type", "origin-request")
+
+    @property
+    def publish_version(self) -> bool:
+        """Whether to publish a new version (required for Lambda@Edge)"""
+        return self._config.get("publish_version", True)
+
+    @property
+    def include_body(self) -> bool:
+        """Whether to include request body in origin-request events"""
+        return self._config.get("include_body", False)

cdk_factory-0.10.0/src/cdk_factory/configurations/resources/monitoring.py

@@ -0,0 +1,74 @@
+"""
+Monitoring Configuration
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+MIT License. See Project Root for the license information.
+"""
+
+from typing import Dict, List, Any, Optional
+from cdk_factory.configurations.enhanced_base_config import EnhancedBaseConfig
+
+
+class MonitoringConfig(EnhancedBaseConfig):
+    """
+    Monitoring Configuration for CloudWatch Alarms and Dashboards
+    """
+
+    def __init__(self, config: dict = None, deployment=None) -> None:
+        super().__init__(
+            config or {},
+            resource_type="monitoring",
+            resource_name=config.get("name", "monitoring") if config else "monitoring"
+        )
+        self._config = config or {}
+        self._deployment = deployment
+
+    @property
+    def name(self) -> str:
+        """Monitoring stack name"""
+        return self._config.get("name", "monitoring")
+
+    @property
+    def sns_topics(self) -> List[Dict[str, Any]]:
+        """SNS topics for alarm notifications"""
+        return self._config.get("sns_topics", [])
+
+    @property
+    def alarms(self) -> List[Dict[str, Any]]:
+        """CloudWatch alarms configuration"""
+        return self._config.get("alarms", [])
+
+    @property
+    def dashboards(self) -> List[Dict[str, Any]]:
+        """CloudWatch dashboards configuration"""
+        return self._config.get("dashboards", [])
+
+    @property
+    def composite_alarms(self) -> List[Dict[str, Any]]:
+        """Composite alarms (combine multiple alarms)"""
+        return self._config.get("composite_alarms", [])
+
+    @property
+    def log_metric_filters(self) -> List[Dict[str, Any]]:
+        """CloudWatch Logs metric filters"""
+        return self._config.get("log_metric_filters", [])
+
+    @property
+    def enable_anomaly_detection(self) -> bool:
+        """Enable CloudWatch anomaly detection"""
+        return self._config.get("enable_anomaly_detection", False)
+
+    @property
+    def tags(self) -> Dict[str, str]:
+        """Resource tags"""
+        return self._config.get("tags", {})
+
+    @property
+    def ssm_exports(self) -> Dict[str, str]:
+        """SSM parameter exports"""
+        return self._config.get("ssm_exports", {})
+
+    @property
+    def ssm_imports(self) -> Dict[str, str]:
+        """SSM parameter imports for resource ARNs"""
+        return self._config.get("ssm_imports", {})

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/src/cdk_factory/constructs/cloudfront/cloudfront_distribution_construct.py

@@ -1,10 +1,11 @@
-from typing import Any, List, Mapping
+from typing import Any, List, Mapping, Optional
 
 from aws_cdk import Duration
 from aws_cdk import aws_certificatemanager as acm
 from aws_cdk import aws_cloudfront as cloudfront
 from aws_cdk import aws_cloudfront_origins as origins
 from aws_cdk import aws_iam as iam
+from aws_cdk import aws_lambda as _lambda
 from aws_cdk import aws_s3 as s3
 from constructs import Construct
 from cdk_factory.configurations.stack import StackConfig
@@ -123,6 +124,7 @@ class CloudFrontDistributionConstruct(Construct):
                 origin=origin,
                 viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                 function_associations=self.__get_function_associations(),
+                edge_lambdas=self.__get_lambda_edge_associations(),
             ),
             default_root_object="index.html",
             error_responses=self._error_responses(),
@@ -218,6 +220,54 @@ class CloudFrontDistributionConstruct(Construct):
 
         return function_associations
 
+    def __get_lambda_edge_associations(self) -> Optional[List[cloudfront.EdgeLambda]]:
+        """
+        Get the Lambda@Edge associations for the distribution from config.
+        
+        Returns:
+            List[cloudfront.EdgeLambda] or None: list of Lambda@Edge associations
+        """
+        edge_lambdas = []
+        
+        if self.stack_config and isinstance(self.stack_config, StackConfig):
+            cloudfront_config = self.stack_config.dictionary.get("cloudfront", {})
+            lambda_edge_associations = cloudfront_config.get("lambda_edge_associations", [])
+            
+            for association in lambda_edge_associations:
+                event_type_str = association.get("event_type", "origin-request")
+                lambda_arn = association.get("lambda_arn")
+                include_body = association.get("include_body", False)
+                
+                if not lambda_arn:
+                    continue  # Skip if no ARN provided
+                
+                # Map event type string to CloudFront enum
+                event_type_map = {
+                    "viewer-request": cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+                    "origin-request": cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
+                    "origin-response": cloudfront.LambdaEdgeEventType.ORIGIN_RESPONSE,
+                    "viewer-response": cloudfront.LambdaEdgeEventType.VIEWER_RESPONSE,
+                }
+                
+                event_type = event_type_map.get(event_type_str, cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST)
+                
+                # Import the Lambda function version by ARN
+                lambda_version = _lambda.Version.from_version_arn(
+                    self,
+                    f"LambdaEdge-{event_type_str}",
+                    version_arn=lambda_arn
+                )
+                
+                edge_lambdas.append(
+                    cloudfront.EdgeLambda(
+                        function_version=lambda_version,
+                        event_type=event_type,
+                        include_body=include_body
+                    )
+                )
+        
+        return edge_lambdas if edge_lambdas else None
+
     def __get_combined_function(self, hosts: List[str]) -> cloudfront.Function:
         """
         Creates a combined CloudFront function that does both URL rewriting and host restrictions.

cdk_factory-0.10.0/src/cdk_factory/lambdas/edge/ip_gate/handler.py

@@ -0,0 +1,104 @@
+"""
+Lambda@Edge Origin-Request Handler for IP-based Access Gating
+Geek Cafe, LLC
+Maintainers: Eric Wilson
+"""
+
+import ipaddress
+import json
+import os
+
+
+def lambda_handler(event, context):
+    """
+    Lambda@Edge origin-request handler that implements IP-based gating
+    with maintenance site fallback.
+    
+    Features:
+    - Inject X-Viewer-IP header for origin visibility
+    - Check viewer IP against allowlist when gate is enabled
+    - Rewrite blocked IPs to maintenance CloudFront distribution, and serve up maintenance site
+    - Toggle via GATE_ENABLED environment variable
+    """
+    
+    # Extract request from CloudFront event
+    request = event['Records'][0]['cf']['request']
+    client_ip = request['clientIp']
+    
+    # Configuration from environment variables
+    gate_enabled = os.environ.get('GATE_ENABLED', 'false').lower() == 'true'
+    allow_cidrs_str = os.environ.get('ALLOW_CIDRS', '')
+    maint_cf_host = os.environ.get('MAINT_CF_HOST', '')
+    
+    # Parse allowed CIDRs
+    allow_cidrs = [cidr.strip() for cidr in allow_cidrs_str.split(',') if cidr.strip()]
+    
+    # Always inject viewer IP header
+    if 'headers' not in request:
+        request['headers'] = {}
+    
+    request['headers']['x-viewer-ip'] = [{
+        'key': 'X-Viewer-IP',
+        'value': client_ip
+    }]
+    
+    # If gate is disabled, pass through to origin
+    if not gate_enabled:
+        return request
+    
+    # Check if IP is in allowlist
+    ip_allowed = False
+    try:
+        client_ip_obj = ipaddress.ip_address(client_ip)
+        for cidr in allow_cidrs:
+            try:
+                network = ipaddress.ip_network(cidr, strict=False)
+                if client_ip_obj in network:
+                    ip_allowed = True
+                    break
+            except (ValueError, ipaddress.AddressValueError):
+                # Invalid CIDR, skip
+                continue
+    except (ValueError, ipaddress.AddressValueError):
+        # Invalid client IP, block by default
+        ip_allowed = False
+    
+    # If IP is allowed, pass through to origin
+    if ip_allowed:
+        return request
+    
+    # IP not allowed - redirect to maintenance site
+    if not maint_cf_host:
+        # Safety: if maintenance host not configured, pass through with warning
+        # In production, you might want to return a fixed error response instead
+        return request
+    
+    # Rewrite origin to maintenance CloudFront distribution
+    request['origin'] = {
+        'custom': {
+            'domainName': maint_cf_host,
+            'port': 443,
+            'protocol': 'https',
+            'path': '',
+            'sslProtocols': ['TLSv1.2'],
+            'readTimeout': 30,
+            'keepaliveTimeout': 5,
+            'customHeaders': {}
+        }
+    }
+    
+    # Update Host header to match new origin
+    request['headers']['host'] = [{
+        'key': 'Host',
+        'value': maint_cf_host
+    }]
+    
+    # Normalize URI - redirect directory requests to index.html
+    uri = request.get('uri', '/')
+    if uri.endswith('/'):
+        request['uri'] = uri + 'index.html'
+    elif '.' not in uri.split('/')[-1]:
+        # No file extension, likely a directory
+        request['uri'] = uri + '/index.html'
+    
+    return request

{cdk_factory-0.9.12 → cdk_factory-0.10.0}/src/cdk_factory/stack_library/auto_scaling/auto_scaling_stack.py

@@ -193,6 +193,41 @@ class AutoScalingStack(IStack, EnhancedSsmParameterMixin):
                 iam.ManagedPolicy.from_aws_managed_policy_name(policy_name)
             )
 
+        # Add inline policies (for custom permissions like S3 bucket access)
+        for policy_config in self.asg_config.iam_inline_policies:
+            policy_name = policy_config.get("name", "CustomPolicy")
+            statements = policy_config.get("statements", [])
+            
+            if not statements:
+                logger.warning(f"No statements found for inline policy {policy_name}, skipping")
+                continue
+            
+            # Build policy statements
+            policy_statements = []
+            for stmt in statements:
+                effect = iam.Effect.ALLOW if stmt.get("effect", "Allow") == "Allow" else iam.Effect.DENY
+                actions = stmt.get("actions", [])
+                resources = stmt.get("resources", [])
+                
+                if not actions or not resources:
+                    logger.warning(f"Incomplete statement in policy {policy_name}, skipping")
+                    continue
+                
+                policy_statements.append(
+                    iam.PolicyStatement(
+                        effect=effect,
+                        actions=actions,
+                        resources=resources
+                    )
+                )
+            
+            if policy_statements:
+                role.add_to_principal_policy(policy_statements[0])
+                for stmt in policy_statements[1:]:
+                    role.add_to_principal_policy(stmt)
+                
+                logger.info(f"Added inline policy {policy_name} with {len(policy_statements)} statements")
+
         return role
 
     def _create_user_data(self) -> ec2.UserData:
@@ -206,6 +241,10 @@ class AutoScalingStack(IStack, EnhancedSsmParameterMixin):
         for command in self.asg_config.user_data_commands:
             user_data.add_commands(command)
 
+        # Add user data scripts from files (with variable substitution)
+        if self.asg_config.user_data_scripts:
+            self._add_user_data_scripts_from_files(user_data)
+
         # Add container configuration if specified
         container_config = self.asg_config.container_config
         if container_config:
@@ -213,6 +252,66 @@ class AutoScalingStack(IStack, EnhancedSsmParameterMixin):
 
         return user_data
 
+    def _add_user_data_scripts_from_files(self, user_data: ec2.UserData) -> None:
+        """
+        Add user data scripts from external files with variable substitution.
+        Supports loading shell scripts and injecting them into user data with
+        placeholder replacement.
+        """
+        from pathlib import Path
+        
+        for script_config in self.asg_config.user_data_scripts:
+            script_type = script_config.get("type", "file")
+            
+            if script_type == "file":
+                # Load script from file
+                script_path = script_config.get("path")
+                if not script_path:
+                    logger.warning("Script path not specified, skipping")
+                    continue
+                
+                # Resolve path (relative to project root or absolute)
+                path = Path(script_path)
+                if not path.is_absolute():
+                    # Try relative to current working directory
+                    path = Path.cwd() / script_path
+                
+                if not path.exists():
+                    logger.warning(f"Script file not found: {path}, skipping")
+                    continue
+                
+                # Read script content
+                try:
+                    with open(path, 'r') as f:
+                        script_content = f.read()
+                except Exception as e:
+                    logger.error(f"Failed to read script file {path}: {e}")
+                    continue
+                    
+            elif script_type == "inline":
+                # Use inline script content
+                script_content = script_config.get("content", "")
+                if not script_content:
+                    logger.warning("Inline script content is empty, skipping")
+                    continue
+            else:
+                logger.warning(f"Unknown script type: {script_type}, skipping")
+                continue
+            
+            # Perform variable substitution
+            variables = script_config.get("variables", {})
+            for var_name, var_value in variables.items():
+                placeholder = f"{{{{{var_name}}}}}"  # {{VAR_NAME}}
+                script_content = script_content.replace(placeholder, str(var_value))
+            
+            # Add script to user data
+            # Split by lines and add each line as a command
+            for line in script_content.split('\n'):
+                if line.strip():  # Skip empty lines
+                    user_data.add_commands(line)
+            
+            logger.info(f"Added user data script from {script_type}: {script_config.get('path', 'inline')}")
+
     def _add_container_user_data(
         self, user_data: ec2.UserData, container_config: Dict[str, Any]
     ) -> None: