refactor(ci): align kinesis E2E infra with repo patterns

ekjotmultani · ekjotmultani · commit 72a4d589bb21 · 2026-03-05T23:37:13.000-08:00
- Revert unrelated whitespace changes to infra/lib/stack.ts and
  infra/lib/github/github.ts
- Replace manual pubspec_overrides.yaml with aft bootstrap
- Update workflow to match repo conventions (action versions,
  submodule init, log_cw_metric_wrapper, timeout, defaults)
- Remove IAM user, access key, and Secrets Manager secret from
  backend.ts (credentials managed outside stack)
diff --git a/.github/workflows/kinesis_e2e.yaml b/.github/workflows/kinesis_e2e.yaml
@@ -1,30 +1,64 @@
 name: Kinesis E2E Tests
 on:
+  push:
+    branches:
+      - main
+      - stable
+    paths:
+      - "packages/kinesis/**"
+      - ".github/workflows/kinesis_e2e.yaml"
   pull_request:
     paths:
       - "packages/kinesis/**"
       - ".github/workflows/kinesis_e2e.yaml"
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
+# These permissions are needed to interact with GitHub's OIDC Token endpoint.
+permissions:
+  id-token: write
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   kinesis-data-streams-e2e:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
+    timeout-minutes: 30
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # 4.0.0
+      - name: Git Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+
+      - name: Git Submodules
+        run: git submodule update --init
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # 2.21.0
         with:
-          persist-credentials: false
+          cache: true
+          channel: stable
 
-      - uses: dart-lang/setup-dart@e630b99d28a3b71860378cafdc2a067c71107f94 # v1
+      - name: Setup Dart
+        uses: dart-lang/setup-dart@03a180dbe1de8ea7fb700663cbb7d24ca4bbe82c # main
         with:
           sdk: stable
 
+      - name: Install native sqlite3
+        run: sudo apt-get update && sudo apt-get install -y libsqlite3-dev
+
+      - name: Setup aft
+        run: dart pub global activate -spath packages/aft
+
+      - name: Bootstrap
+        id: bootstrap
+        timeout-minutes: 20
+        run: aft bootstrap --fail-fast --include=aws_kinesis_datastreams --verbose
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # 3.0.1
         with:
@@ -38,38 +72,6 @@ jobs:
             KINESIS_E2E,${{ secrets.KINESIS_E2E_SECRET_ARN }}
           parse-json-secrets: true
 
-      - name: Install native sqlite3
-        run: sudo apt-get update && sudo apt-get install -y libsqlite3-dev
-
-      - name: Create pubspec overrides
-        working-directory: packages/kinesis/aws_kinesis_datastreams
-        run: |
-          cat > pubspec_overrides.yaml << 'EOF'
-          dependency_overrides:
-            amplify_core:
-              path: ../../amplify_core
-            amplify_db_common_dart:
-              path: ../../common/amplify_db_common_dart
-            amplify_foundation_dart:
-              path: ../../amplify_foundation/amplify_foundation_dart
-            amplify_foundation_dart_bridge:
-              path: ../../amplify_foundation/amplify_foundation_dart_bridge
-            amplify_lints:
-              path: ../../amplify_lints
-            aws_common:
-              path: ../../aws_common
-            aws_signature_v4:
-              path: ../../aws_signature_v4
-            smithy:
-              path: ../../smithy/smithy
-            smithy_aws:
-              path: ../../smithy/smithy_aws
-          EOF
-
-      - name: Install dependencies
-        run: dart pub get
-        working-directory: packages/kinesis/aws_kinesis_datastreams
-
       - name: Run E2E tests
         working-directory: packages/kinesis/aws_kinesis_datastreams
         env:
@@ -79,20 +81,55 @@ jobs:
           TEST_STREAM_NAME: ${{ env.KINESIS_E2E_STREAM_NAME }}
         run: dart test test/e2e/ --tags=e2e
 
+      - name: Log success/failure
+        if: always()
+        uses: ./.github/composite_actions/log_cw_metric_wrapper
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+          job-status: ${{ job.status }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+          test-type: e2e
+          working-directory: packages/kinesis/aws_kinesis_datastreams
+
+          framework: dart
+          flutter-dart-channel: stable
+          dart-compiler: vm
+
   firehose-e2e:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
+    timeout-minutes: 30
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # 4.0.0
+      - name: Git Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+
+      - name: Git Submodules
+        run: git submodule update --init
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # 2.21.0
         with:
-          persist-credentials: false
+          cache: true
+          channel: stable
 
-      - uses: dart-lang/setup-dart@e630b99d28a3b71860378cafdc2a067c71107f94 # v1
+      - name: Setup Dart
+        uses: dart-lang/setup-dart@03a180dbe1de8ea7fb700663cbb7d24ca4bbe82c # main
         with:
           sdk: stable
 
+      - name: Install native sqlite3
+        run: sudo apt-get update && sudo apt-get install -y libsqlite3-dev
+
+      - name: Setup aft
+        run: dart pub global activate -spath packages/aft
+
+      - name: Bootstrap
+        id: bootstrap
+        timeout-minutes: 20
+        run: aft bootstrap --fail-fast --include=aws_amazon_firehose --verbose
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # 3.0.1
         with:
@@ -106,34 +143,6 @@ jobs:
             KINESIS_E2E,${{ secrets.KINESIS_E2E_SECRET_ARN }}
           parse-json-secrets: true
 
-      - name: Install native sqlite3
-        run: sudo apt-get update && sudo apt-get install -y libsqlite3-dev
-
-      - name: Create pubspec overrides
-        working-directory: packages/kinesis/aws_amazon_firehose
-        run: |
-          cat > pubspec_overrides.yaml << 'EOF'
-          dependency_overrides:
-            amplify_core:
-              path: ../../amplify_core
-            amplify_foundation_dart:
-              path: ../../amplify_foundation/amplify_foundation_dart
-            amplify_foundation_dart_bridge:
-              path: ../../amplify_foundation/amplify_foundation_dart_bridge
-            aws_common:
-              path: ../../aws_common
-            aws_signature_v4:
-              path: ../../aws_signature_v4
-            smithy:
-              path: ../../smithy/smithy
-            smithy_aws:
-              path: ../../smithy/smithy_aws
-          EOF
-
-      - name: Install dependencies
-        run: dart pub get
-        working-directory: packages/kinesis/aws_amazon_firehose
-
       - name: Run E2E tests
         working-directory: packages/kinesis/aws_amazon_firehose
         env:
@@ -142,3 +151,20 @@ jobs:
           TEST_REGION: ${{ secrets.AWS_REGION }}
           TEST_DELIVERY_STREAM_NAME: ${{ env.KINESIS_E2E_DELIVERY_STREAM_NAME }}
         run: dart test test/e2e/ --tags=e2e
+
+      - name: Log success/failure
+        if: always()
+        uses: ./.github/composite_actions/log_cw_metric_wrapper
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+          job-status: ${{ job.status }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+          test-type: e2e
+          working-directory: packages/kinesis/aws_amazon_firehose
+
+          framework: dart
+          flutter-dart-channel: stable
+          dart-compiler: vm
diff --git a/infra-gen2/backends/kinesis/main/amplify/backend.ts b/infra-gen2/backends/kinesis/main/amplify/backend.ts
@@ -7,21 +7,23 @@ import * as iam from "aws-cdk-lib/aws-iam";
 import * as kinesis from "aws-cdk-lib/aws-kinesis";
 import * as firehose from "aws-cdk-lib/aws-kinesisfirehose";
 import * as s3 from "aws-cdk-lib/aws-s3";
-import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
 
 /**
  * Kinesis E2E test backend.
  *
- * No Amplify categories (auth, storage, etc.) are needed — we only use the
- * Amplify backend as an entry-point into CDK to provision Kinesis Data
- * Streams and Amazon Data Firehose resources for E2E testing.
+ * Provisions Kinesis Data Streams and Amazon Data Firehose resources
+ * for E2E testing. No Amplify categories are needed — the Amplify
+ * backend is used only as a CDK entry-point.
+ *
+ * Test credentials and resource names are stored in a dedicated
+ * Secrets Manager secret managed outside this stack.
  */
 const backend = defineBackend({});
 
 const kinesisStack = backend.createStack("KinesisTestResources");
 
 // --- Kinesis Data Stream ---
-const stream = new kinesis.Stream(kinesisStack, "TestStream", {
+new kinesis.Stream(kinesisStack, "TestStream", {
   streamName: "kinesis-e2e-data-stream",
   shardCount: 1,
   retentionPeriod: cdk.Duration.hours(24),
@@ -42,7 +44,7 @@ const firehoseRole = new iam.Role(kinesisStack, "FirehoseS3Role", {
 bucket.grantReadWrite(firehoseRole);
 
 // --- Firehose delivery stream ---
-const deliveryStream = new firehose.CfnDeliveryStream(
+new firehose.CfnDeliveryStream(
   kinesisStack,
   "TestDeliveryStream",
   {
@@ -58,50 +60,3 @@ const deliveryStream = new firehose.CfnDeliveryStream(
     },
   },
 );
-
-// --- IAM user for E2E tests ---
-const testUser = new iam.User(kinesisStack, "TestUser", {
-  userName: "kinesis-e2e-test-user",
-});
-
-testUser.addToPolicy(
-  new iam.PolicyStatement({
-    effect: iam.Effect.ALLOW,
-    actions: [
-      "kinesis:PutRecords",
-      "kinesis:DescribeStream",
-      "kinesis:ListShards",
-    ],
-    resources: [stream.streamArn],
-  }),
-);
-
-testUser.addToPolicy(
-  new iam.PolicyStatement({
-    effect: iam.Effect.ALLOW,
-    actions: [
-      "firehose:PutRecordBatch",
-      "firehose:DescribeDeliveryStream",
-    ],
-    resources: [deliveryStream.attrArn],
-  }),
-);
-
-const accessKey = new iam.AccessKey(kinesisStack, "TestAccessKey", {
-  user: testUser,
-});
-
-// Store all E2E config in a single Secrets Manager secret.
-// Keys are prefixed with KINESIS_E2E_ after parse-json-secrets expansion in CI.
-new secretsmanager.Secret(kinesisStack, "KinesisE2ESecret", {
-  secretName: "kinesis-e2e",
-  description: "Kinesis E2E test credentials and resource names",
-  secretObjectValue: {
-    ACCESS_KEY_ID: cdk.SecretValue.unsafePlainText(accessKey.accessKeyId),
-    SECRET_ACCESS_KEY: accessKey.secretAccessKey,
-    STREAM_NAME: cdk.SecretValue.unsafePlainText(stream.streamName),
-    DELIVERY_STREAM_NAME: cdk.SecretValue.unsafePlainText(
-      deliveryStream.deliveryStreamName!,
-    ),
-  },
-});
diff --git a/infra/lib/github/github.ts b/infra/lib/github/github.ts
@@ -32,6 +32,7 @@ export class GitHubStack extends Stack {
   constructor(scope: Construct, id: string, props: GitHubStackProps) {
     super(scope, id, props);
 
+    // const { analytics, auth, storage } = props;
     const { auth } = props;
 
     const afsSecrets = new secrets.Secret(this, "AfsSecrets", {
diff --git a/infra/lib/stack.ts b/infra/lib/stack.ts
@@ -5,8 +5,8 @@ import * as cdk from "aws-cdk-lib";
 import * as cognito from "aws-cdk-lib/aws-cognito";
 import { Construct } from "constructs";
 import {
-    AuthIntegrationTestStack,
-    AuthIntegrationTestStackEnvironmentProps,
+  AuthIntegrationTestStack,
+  AuthIntegrationTestStackEnvironmentProps,
 } from "./auth/stack";
 import { env } from "./common";
 import { GitHubStack } from "./github/github";
@@ -284,7 +284,6 @@ export class AmplifyFlutterIntegStack extends cdk.Stack {
       }
     );
 
-
     new cdk.CfnOutput(this, "Categories", {
       value: JSON.stringify({
         auth: {
